Presentation is loading. Please wait.

Presentation is loading. Please wait.

Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft."— Presentation transcript:

1 Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft

2 Enhance Security & Control Protect Users & Infrastructure AppLocker™ (Windows 7 Enterprise) controls what applications run Internet Explorer 8 helps keep users safe online Protect Data on PCs & Devices BitLocker To Go™ (Windows 7 Enterprise) protects data on removable drives BitLocker™ simplifies encryptions and key management for all drives Build on Windows Vista Security Foundation User Account Control prompts less Security Development Lifecycle for defense in depth

3 Data Protection Protect data on internal and removable drives Mandate the use of encryption with Group Policies Store recovery information in Active Directory for manageability Simplify BitLocker setup and configuration of primary hard drive BitLocker To Go™ (Windows 7 Enterprise) Worldwide Shipments (000s) Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III +

4 Application Control Eliminate unwanted/unknown applications in your network Enforce application standardization within your organization Easily create and manage flexible rules using Group Policy AppLocker™ (Windows 7 Enterprise) Users can install and run unapproved applications Even standard users can install some types of software Unauthorized applications may: Introduce malware Increase helpdesk calls Reduce user productivity Undermine compliance efforts

5 Advanced Group Policy Management Enable group policy change management Provides granular administrative control Reduce risk of widespread failure Versioning, history & rollback of group policy changes Role-based administration & templates Flexible delegation model What it DoesBenefits Enhancing group policy through change management

6 Today’s Challenges Network Access Protection o Unprotected network taps within an organization’s buildings o Administrators have limited control over the health of systems joining the network o Result: hardware/network upgrades and increased operational costs, reduced productivity Solution: end-to-end, authenticated, tamper-resistant communication o Improved isolation using IPSec o Network access protection across IPSec, 802.1X, DHCP, VPN o Increased manageability

7 Forefront UAG 2010 DirectAccess and RDG Idan Plotnik Security Engineer Forefront MVP

8 Help us to help you to help others …

9 A word on wording In Windows 7 / Windows Server 2008 R2, Terminal Service (TS) was renamed to Remote Desktop Services (RDS) Other terminology changes: − Terminal Services Gateway (TSG)  Remote Desktop Gateway (RDG) − Terminal Services Server  Remote Desktop Session Host − TS Broker  RD Connection Broker

10 How SSLVPN works … RD/TS is published by tunneling its traffic without IAG or any other SSLVPN being able to control the traffic. IAGIAG RD/TS Client (MSTSC) (MSTSC) RD Session Host (TS Server) RD Session Host (TS Server) HTTPS Tunnel RDPRDP

11 What’s new in UAG In UAG RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, therefore, we can inspect the traffic. The traffic is then passed to the backend RD Session Host using the RDP protocol. UAG+RDGUAG+RDG RD/TS Client (MSTSC) (MSTSC) RDP over HTTPS RDPRDP RD Session Host (TS Server) RD Session Host (TS Server)

12 New functionality application level gateway UAG seamlessly integrates Terminal Services / Remote Desktop Gateway (TSG/RDG) to provide application level gateway for RDS applications. Enables employees to securely access applications that are hosted on Terminal Server or their internal workstation Benefits: − Enhanced security − Granular policies based on client health: no anti-virus  no driver sharing − TS RemoteApps are integrated into UAG portal side-by-side with Web applications − Single sign-on experience

13 DirectAccess Providing seamless, secure access to enterprise resources from anywhere

14 Always On Always connected No user action required Adapts to changing networks

15 Secure Encrypted by default 2 Factor AuthN Strong Authentication! −Computer AuthN −User AuthN Granular access control Coexists with existing edge, health, and access policies

16 Manageable Reach out to previously untouchable machines Allows remote clients to process Group Policies Ongoing updates (AV/WSUS etc …) from the internal infrastructure NAP integration for health compliance Consolidate Edge Infrastructure

17 VPN vs. DirectAccess - Value VPNDirectAccess Manageability Granular Security Ease of use Installation / Configuration / Troubleshooting

18 Forefront UAG DirectAccess DirectAccess Client (Windows 7) Internet Native IPv6 6to46to4 TeredoTeredo IP-HTTPSIP-HTTPS Tunnel over IPv4 UDP, HTTPS, etc. Encrypted IPsec+ESP

19 Enterprise Network Forefront UAG DirectAccess Line of Business Applications No IPsec IPsec Integrity Only (Auth) IPsec Integrity + Encryption Windows Server 2003 Windows Server 2008 Non-Windows Server

20 3 Deployment Models

21 End-to-Edge encryption No overhead of encryption on application servers Edge enforces machine/user authentication and data encryption Least change from existing edge deployments Trusted, compliant, healthy machine Windows 7 client Applications & Data (non-IPsec enabled) DC & DNS (Server 2008 SP2/R2) Internet Forefront UAG DirectAccess IPsec ESP tunnel encryption using machine cert (DC/DNS access) Clear Text traffic from client flows through encrypted tunnel to Corporate network resources IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access Corporate Network

22 End-to-Edge Encryption + End to End IPsec No overhead of encryption on application servers (just authentication) DirectAccess Edge Encryption combined with End to End IPsec Server and Domain Isolation Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data IPsec-enabled Internet IPsec ESP-Null AuthIP Transport Traffic flows through encrypted tunnel to Corporate network resources Forefront UAG DirectAccess IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access IPsec ESP tunnel encryption using machine cert (DC/DNS access) DC & DNS (Server 2008 SP2/R2)

23 End-To-End IPsec Transport Encryption Thin edge solution using IPsec Denial of Service Protection (DoSP) Service only allows IPSec & ICMP traffic Full End to End IPsec Encryption IP-HTTPS tunnel used for proxy scenarios only Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data IPsec-enabled Internet IPsec ESP-encrypted transport to access Corporate network resources Forefront UAG DirectAccess DC & DNS (Server 2008 SP2/R2)

24 IPv6 IPv6 Always On Windows7 IPv4 IPv4 IPv4 Forefront UAG DirectAccess Extend support to IPv4 servers UAG improves adoption and extends access to existing infrastructure Extends access to LOB servers with IPv4 support Access for down level and non Windows clients Enhances scalability and management Simplifies deployment and administration Hardened Edge SolutionMANAGED Vista XP UNMANAGED Non Windows PDA DirectAccess SSL VPN UAG provides access for down level and non Windows clients UAG enhances scale and management with integrated LB and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in HW and virtual options Windows7

25 DEMO

Download ppt "Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft."

Similar presentations

Ljubomir Ivaniš CPU d.o.o.

Ljubomir Ivaniš CPU d.o.o.
WMS02: Direct Access Always Connected: Death of the VPN

WMS02: Direct Access Always Connected: Death of the VPN
Scott Roberts Lead Program Manager Microsoft Session Code: WSV320.

Scott Roberts Lead Program Manager Microsoft Session Code: WSV320.
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
The future of Desktops Transform Your Desktop with Virtualization.

The future of Desktops Transform Your Desktop with Virtualization.
Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft

Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Understand Virtualized Clients 10753 Windows Operating System Fundamentals LESSON 2.4.

Understand Virtualized Clients Windows Operating System Fundamentals LESSON 2.4.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Benefits, Risks and Service Desk Impact. Robert Half Technology Kelly O’Connell Robert Half International Branch Manager 2/11/2010.

Benefits, Risks and Service Desk Impact. Robert Half Technology Kelly O’Connell Robert Half International Branch Manager 2/11/2010.
Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.

Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Dan Stolts IT Pro Evangelist US DPE - North East Microsoft Corporation

Dan Stolts IT Pro Evangelist US DPE - North East Microsoft Corporation
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.

IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.
Jason Leznek, Group Product Manager, Windows Client Justin Graham, Senior Product Manager, Windows Server.

Jason Leznek, Group Product Manager, Windows Client Justin Graham, Senior Product Manager, Windows Server.
Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.

Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.
Today’s challenges Deliver applications to mobile platforms (BYOD) Respond to dynamic business requirements for IT: Seasonal/temporary workers Vendors.

Today’s challenges Deliver applications to mobile platforms (BYOD) Respond to dynamic business requirements for IT: Seasonal/temporary workers Vendors.
Agenda Understanding the optimized desktop Windows 7 To Date Office 2010 Windows 7 Resources, Resources, Resources.

Agenda Understanding the optimized desktop Windows 7 To Date Office 2010 Windows 7 Resources, Resources, Resources.

Similar presentations

Ads by Google