Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Compliance Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada.

Published byShawn Montgomery Modified over 8 years ago

Similar presentations

Presentation on theme: "Security and Compliance Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada."— Presentation transcript:

1 Security and Compliance Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada

2 Enabling Security and Compliance FundamentalsThreat and Vulnerability Mitigation Information ProtectionIdentity and Access Control

3 Enabling Security and Compliance Security Development Lifecycle Threat Modeling and Code Reviews Windows Service Hardening Fundamentals Threat and Vulnerability Mitigation Information Protection Identity and Access Control

4 Fundamentals Improved Security Development Lifecycle (SDL) process for Windows Vista Periodic mandatory security training Assignment of security advisors for all components Threat modeling as part of design phase Security reviews and testing built into the schedule Security metrics for product teams Common Criteria (CC) Certification

5 Service Hardening Windows Service Hardening Defense in depth Services run with reduced privilege compared to Windows XP Windows services are profiled for allowed actions to the network, file system, and registry Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile Active protection File system Registry Network

6 Enabling Security and Compliance Fundamentals IE Protected Mode and Phishing Filter Windows Defender Outbound and Inbound Firewall Network Access Protection Threat and Vulnerability Mitigation Information Protection Identity and Access Control

7 Social Engineering Protections Phishing Filter and Colored Address Bar Dangerous Settings Notification Secure defaults for IDN Protection from Exploits Unified URL Parsing Code quality improvements (SDLC) ActiveX Opt-in Protected Mode to prevent malicious software Internet Explorer 7

8 Advanced Malware Protection Exploit can install malware IE6 Install a driver and run Windows Update Change settings, download a picture Cache Web content HKLM Program Files Admin-Rights AccessUser-Rights Access HKCU My Documents Startup Folder Temp Internet Files Un-trusted files and settings Internet Explorer Compact Redirector Redirected settings & filesInstall an ActiveX control Change settings, save a picture IEAdmin IEUser Integrity Control

9 Phishing Filter Dynamic Protection Against Fraudulent Websites 3 “checks” to protect users from phishing scams: 1.Compares web site with local list of known legitimate sites 2.Scans the web site for characteristics common to phishing sites 3.Double checks site with online Microsoft service of reported phishing sites updated several times every hour Level 1: Warn Suspicious Website Signaled Level 2: Block Confirmed Phishing Site Signaled and Blocked Two Levels of Warning and Protection in IE7 Security Status Bar

10 ActiveX Opt-in IE7 Disabled Controls by default IE7 blocks ActiveX Control User grants permission (opts-in) IE7 confirms install ActiveX Control enabled

11 Windows Defender Improved Detection and Removal Redesigned and Simplified User Interface Protection for all users

12 Windows Vista Firewall Combined firewall and IPsec management New management tools – Windows Firewall with Advanced Security MMC snap-in Reduces conflicts and coordination overhead between technologies Firewall rules become more intelligent Specify security requirements such as authentication and encryption Specify Active Directory computer or user groups Outbound filtering Enterprise management feature – not for consumers Simplified protection policy reduces management overhead

13 Network Access Protection 1 RestrictedNetwork MSFTNetwork Policy Server 3 Policy Servers e.g. MSFT Security Center, SMS, Antigen or 3 rd party Policy compliant DHCP, VPN Switch/Router 2 Windows Vista Client Fix Up Servers e.g. MSFT WSUS, SMS & 3 rd party Corporate Network 5 Not policy compliant 4 Enhanced Security All communications are authenticated, authorized & healthy Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X Policy-based access that IT Pros can set and control

14 Enabling Security and Compliance Fundamentals Threat and Vulnerability Mitigation BitLocker™ Drive Encryption EFS Smartcards RMS Client Wireless Security XPS Document format Information Protection Identity and Access Control

15 Information Leakage Is Top-of-mind With Business Decision Makers “After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach” Jupiter Research Report, 2004 0%10%20%30%40%50%60%70% Loss of digital assets, restored Email piracy Password compromise Loss of mobile devices Unintended forwarding of emails 20% 22% 35% 36% 63% Virus infection

16 BitLocker ™ Drive Encryption Designed specifically to prevent a thief who boots another Operating System or runs a hacking tool from breaking Windows file and system protections Provides data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting Operating Ssystem Uses a v1.2 TPM or USB flash drive for key storage BitLocker BitLocker

17 BitLocker Drive Encryption Improved at-rest data protection with full drive encryption Usability with scalable security protections Enterprise-ready deployment capabilities Offline system-tampering resistance Worry-free hardware repurposing and decommissioning Integrated disaster recovery features

18 Trusted Platform Module Encrypted Data Encrypted Volume Key Encrypted Full Volume Encryption Key TPM Volume Master Key Full Volume Encryption Key Cleartext Data

19 BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with. Spectrum Of Protection*******

20 Windows Vista Data Protection Policy Definition and Enforcement Rights Management Services User-Based File System Encryption Encrypted File System Drive-Level Encryption BitLocker Drive Encryption

21 Recovery Options BitLocker™ setup will automatically escrow keys and passwords into AD Centralized storage/management keys (EA SKU) Setup may also try (based on policy) to backup keys and passwords onto a USB dongle or to a file location Default for non-domain-joined users Exploring options for web service-based key escrow Recovery password known by the user/administrator Recovery can occur “in the field” Windows operation can continue as normal

22 Improve Wireless Security Lowers Risk IEEE 802.11i replaces previous, less secure encryption schemes and interim security standards Supports IEEE 802.11i Superior encryption with Advanced Encryption Standard (AES) Fast roaming with cached credentials Faster re-connect to commonly used networks

23 XPS Document Format Create using Microsoft Office applications Support digital signatures Support digital rights management Format based on XML Features Overview Format unpaginated content for reading Distribute application-agnostic documents Leverage for service-oriented applications Benefits Overview New secure XML-based document specification

24 Enabling Security and Compliance Fundamentals Threat and Vulnerability Mitigation Information Protection Device Group policy User Account Control Plug and Play Smartcards Granular Auditing Identity and Access Control

25 Challenges Users running as admin = unmanaged desktops Line of Business (LoB) applications require elevated privileges to run Common Operating System Configuration tasks require elevated privilege

26 Goal: Allow businesses to move to a better- managed desktop and consumers to use parental controls Make the system work well for standard users Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks High application compatibility Make it clear when elevation to admin is required and allow that to happen in-place without logging off High application compatibility with file/registry virtualization Administrators use full privilege only for administrative tasks or applications User provides explicit consent before using elevated privilege User Account Control

27 Authentication Improvements Plug and Play Smart Cards Drivers and Certificate Service Provider (CSP) included in Windows Vista Login and credential prompts for User Account Control all support Smart Cards New logon architecture GINA (the old Windows logon model) is gone. Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding

28 Improved Auditing More Granularity Support for many auditing subcategories: Logon, logoff, file system access, registry access, use of administrative privilege Previous versions of Windows only support high-level categories such as System, Logon/Logoff, and Object Access, with little granularity New Logging Infrastructure Easier to filter out “noise” in logs and find the event you’re looking for Tasks tied to events: When an event occurs, such as administrative privilege use, tasks such as sending an Email to an auditor can run automatically

29 Q&A Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada

30 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Security and Compliance Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada."

Similar presentations

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.
Rodney Buike IT Pro Advisor, Microsoft Canada

Rodney Buike IT Pro Advisor, Microsoft Canada
Windows Vista Serious Challenges for Digital Investigators Authors: Darren Hayes Shareq Qureshi Presented By: Prerna Gupta.

Windows Vista Serious Challenges for Digital Investigators Authors: Darren Hayes Shareq Qureshi Presented By: Prerna Gupta.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft

Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft
Chapter 13 Securing Windows Server 2008

Chapter 13 Securing Windows Server 2008
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Security Features in Windows Vista. What Will We Cover? Security fundamentals Protecting your company’s resources Anti-malware features.

Security Features in Windows Vista. What Will We Cover? Security fundamentals Protecting your company’s resources Anti-malware features.
4/16/2017 10:01 AM © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

4/16/ :01 AM © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
WCL313 Windows Vista Security Overview Mike Chan Sr. Product Manager.

WCL313 Windows Vista Security Overview Mike Chan Sr. Product Manager.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
Chapter 6: Configuring Security. Options for Managing Security Configurations LGPO (Local Group Policy Object) –Used if Computer is not part of a domain.

Chapter 6: Configuring Security. Options for Managing Security Configurations LGPO (Local Group Policy Object) –Used if Computer is not part of a domain.
Optimizing Client Security by Using Windows Vista.

Optimizing Client Security by Using Windows Vista.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Windows XP Professional Deployment and Support Microsoft IT Shares Its Experiences Published: May 2002 (Revised October 2004)

Windows XP Professional Deployment and Support Microsoft IT Shares Its Experiences Published: May 2002 (Revised October 2004)
Internet Explorer 7 Security Features Steve Lamb Technical Security Microsoft Ltd

Internet Explorer 7 Security Features Steve Lamb Technical Security Microsoft Ltd
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Cyra Richardson Microsoft Corporation Internet Explorer 7.

Cyra Richardson Microsoft Corporation Internet Explorer 7.

Similar presentations

Ads by Google