
David Smith | Windows Client | Microsoft Canada Security Primer.


1 David Smith | Windows Client | Microsoft Canada Security Primer

2 Agenda
- Fundamental security
- UAC (the former LUA)
- TPM 1.2
- BitLocker

3 Fundamentals
- Improved Security Development Lifecycle (SDL) process for Windows Vista
  - Threat modeling as part of design phase
  - Security reviews and testing built into the schedule
  - Security metrics for product teams
- Common Criteria (CC) Certification: EAL 4 and Single Level OS Protection Profile

4 Service Hardening (Windows Service Hardening, defense in depth)
- Services run with reduced privilege compared to Windows XP
- Active protection for the file system, registry and network

5 Service Hardening (Windows Service Hardening, defense in depth)
- Windows services are profiled for allowed actions to the network, file system, and registry
- Active protection for the file system, registry and network

6 Service Hardening (Windows Service Hardening, defense in depth)
- Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile
- Active protection for the file system, registry and network
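The per-service profile that slides 4 to 6 describe can be modelled as a small policy check. The block below is an added example, not code from the presentation or from Windows: each service carries the file, registry and network actions it is allowed, an action outside that set is denied and logged, and the service name, paths and ports are constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class ServiceProfile:
    """The allowed-action profile for one service (constructed model)."""
    name: str
    file_prefixes: tuple      # directories the service may write under
    registry_prefixes: tuple  # registry keys the service may write under
    network: frozenset        # allowed (protocol, port, direction) tuples
    denials: list = field(default_factory=list)

    @staticmethod
    def _under(target, prefixes):
        t = target.lower()
        return any(t.startswith(p.lower()) for p in prefixes)

    def check(self, kind, target):
        """Return True if the action is inside the profile; otherwise record and deny it."""
        if kind == "file":
            ok = self._under(target, self.file_prefixes)
        elif kind == "registry":
            ok = self._under(target, self.registry_prefixes)
        elif kind == "network":
            ok = target in self.network
        else:
            ok = False  # unknown action kinds are never in any profile
        if not ok:
            self.denials.append((self.name, kind, target))
        return ok

def make_time_service():
    """Constructed profile: a time-sync style service that only needs its own
    data directory, its own registry key and outbound NTP (udp/123)."""
    return ServiceProfile(
        name="ToyTimeSvc",
        file_prefixes=("C:\\ProgramData\\ToyTime\\",),
        registry_prefixes=("HKLM\\SOFTWARE\\ToyTime\\",),
        network=frozenset({("udp", 123, "out")}),
    )

def demo_actions():
    """Run in-profile and out-of-profile actions; return (results, denial log)."""
    svc = make_time_service()
    actions = [
        ("file", "C:\\ProgramData\\ToyTime\\state.dat"),          # inside profile
        ("file", "C:\\Windows\\System32\\other.dll"),             # outside profile
        ("registry", "HKLM\\SOFTWARE\\ToyTime\\LastSync"),        # inside profile
        ("registry", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\OtherSvc\\ImagePath"),  # outside
        ("network", ("udp", 123, "out")),                         # inside profile
        ("network", ("tcp", 80, "out")),                          # outside profile
    ]
    results = [svc.check(kind, target) for kind, target in actions]
    return results, svc.denials

if __name__ == "__main__":
    res, log = demo_actions()
    print(res)
    for entry in log:
        print("DENIED", entry)
```

The denial log is the part a defender cares about: a service that suddenly tries to write outside its profile is a strong signal that the service process has been subverted, which is exactly the case the slides say the profile is designed to contain.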

7 Windows Defender
- Improved Detection and Removal
- Redesigned and Simplified User Interface
- Protection for all users

8 Windows Vista Firewall
- Combined firewall and IPsec management
  - New management tools: Windows Firewall with Advanced Security MMC snap-in
  - Reduces conflicts and coordination overhead between technologies
- Firewall rules become more intelligent
  - Specify security requirements such as authentication and encryption
  - Specify Active Directory computer or user groups
- Outbound filtering
  - Enterprise management feature, not for consumers
- Simplified protection policy reduces management overhead

9 Challenges
- Users running as admin = unmanaged desktops
  - Viruses and spyware can damage the system when run with elevated privileges
  - Enterprise users running elevated privileges can compromise the corporation
  - Users can make changes that require re-imaging the machine to undo

10 Challenges
- Line of Business (LoB) applications require elevated privileges to run
  - System security must be relaxed to run the LoB application
  - IT administrators must reevaluate the LoB applications for each operating system release due to inconsistent configuration settings

11 Challenges
- Common operating system configuration tasks require elevated privilege
  - Corporations can't easily deploy applications unless they compromise operating system security
  - Simple scenarios like changing the time zone don't work
  - Users are not able to manage non-sensitive account information

12 User Account Control
- Goal: allow businesses to move to a better-managed desktop and consumers to use parental controls

13 User Account Control
- Make the system work well for standard users
  - Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks

14 User Account Control
- High application compatibility
  - Make it clear when elevation to admin is required and allow that to happen in-place without logging off
  - High application compatibility with file/registry virtualization

15 User Account Control
- Administrators use full privilege only for administrative tasks or applications
- User provides explicit consent before using elevated privilege
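Slide 14 mentions file/registry virtualization as the compatibility mechanism behind UAC. The block below is an added example, not code from the presentation or from Windows: an in-memory model in which a legacy (non-manifested) application writing to a protected location such as Program Files or HKLM\SOFTWARE is silently redirected to a per-user VirtualStore, and its later reads check VirtualStore before the real location. The VirtualStore locations follow the Windows conventions; the application, users, file names and contents are constructed, and the "manifested app" path is a simplification that stands in for the real ACL denying the write.

```python
# Protected roots and the per-user store they are redirected to.
PROTECTED_FILE_ROOTS = {
    "C:\\Program Files": "VirtualStore\\Program Files",
    "C:\\Windows": "VirtualStore\\Windows",
}
PROTECTED_REG_ROOTS = {
    "HKLM\\SOFTWARE": "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE",
}
NO_VIRTUALIZE_EXT = (".exe", ".dll", ".sys", ".ocx")  # executable types are never redirected

class VirtualizedSystem:
    """Toy file system + registry with UAC-style write redirection (constructed model)."""

    def __init__(self):
        self.files = {}     # path -> content (real locations and virtual stores together)
        self.registry = {}  # (owner, key) -> value; owner is "machine" or a user name (HKCU)

    def _virtual_path(self, user, path):
        for root, store in PROTECTED_FILE_ROOTS.items():
            if path.lower().startswith(root.lower() + "\\"):
                rel = path[len(root) + 1:]
                return "C:\\Users\\%s\\AppData\\Local\\%s\\%s" % (user, store, rel)
        return None

    def _virtual_key(self, key):
        for root, store in PROTECTED_REG_ROOTS.items():
            if key.lower().startswith(root.lower() + "\\"):
                return store + key[len(root):]
        return None

    def write_file(self, user, app_manifested, path, content):
        vpath = self._virtual_path(user, path)
        if vpath is None:                      # unprotected location: ordinary write
            self.files[path] = content
            return path
        if app_manifested or path.lower().endswith(NO_VIRTUALIZE_EXT):
            # UAC-aware apps and binaries are not virtualized; the real ACL denies the write
            raise PermissionError("access denied: %s" % path)
        self.files[vpath] = content            # legacy app: silently redirected per user
        return vpath

    def read_file(self, user, app_manifested, path):
        vpath = self._virtual_path(user, path)
        if vpath is not None and not app_manifested and vpath in self.files:
            return self.files[vpath]           # the user's VirtualStore copy shadows the real file
        return self.files.get(path)

    def write_registry(self, user, app_manifested, key, value):
        vkey = self._virtual_key(key)
        if vkey is None:
            self.registry[("machine", key)] = value
            return key
        if app_manifested:
            raise PermissionError("access denied: %s" % key)
        self.registry[(user, vkey)] = value    # HKCU is per user
        return vkey

    def read_registry(self, user, app_manifested, key):
        vkey = self._virtual_key(key)
        if vkey is not None and not app_manifested and (user, vkey) in self.registry:
            return self.registry[(user, vkey)]
        return self.registry.get(("machine", key))

def demo():
    """A legacy app edits its own settings file under Program Files as a standard user."""
    system = VirtualizedSystem()
    ini = "C:\\Program Files\\LegacyApp\\settings.ini"
    system.files[ini] = "mode=default"         # installed by an administrator
    where = system.write_file("alice", False, ini, "mode=custom")
    return {
        "redirected_to": where,
        "real_file": system.files[ini],                       # untouched
        "alice_sees": system.read_file("alice", False, ini),  # her VirtualStore copy
        "bob_sees": system.read_file("bob", False, ini),      # still the real file
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Two consequences worth noticing when troubleshooting: the application believes its write succeeded while the machine-wide file is unchanged, and a second user on the same machine does not see the change at all, because the redirected copy lives under the first user's profile.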

16 Information Leakage Is Top-of-mind With Business Decision Makers
"After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach" (Jupiter Research Report, 2004)
[Bar chart: percentage of businesses reporting each type of breach. Categories: Virus infection; Unintended forwarding of emails; Loss of mobile devices; Password compromise; Email piracy; Loss of digital assets, restored. Values shown: 20%, 22%, 35%, 36%, 63%.]

17 BitLocker Drive Encryption
- BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.
- Designed specifically to prevent the unauthorized disclosure of data when it is at rest.

18 BitLocker Drive Encryption
- Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
- Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication.

19 A Trusted Platform Module?
- Protects secrets
- Performs cryptographic functions: RSA, SHA-1, RNG
- Meets encryption export requirements
- Can create, store and manage keys
- Provides a unique Endorsement Key (EK)
- Provides a unique Storage Root Key (SRK)
TPM 1.2 spec: www.trustedcomputinggroup.org

20 A Trusted Platform Module?
- Answers the question: "Where do we put the key?"
- Hardware can be made and certified tamper-resistant
- Provides anti-hammering protection
TPM 1.2 spec: www.trustedcomputinggroup.org

21 A Trusted Platform Module?
- TPM is an implementation of a Root of Trust
- Enables implementation of Static Root of Trust measurement
- Hardware is easy to validate; it is difficult for software to self-validate
TPM 1.2 spec: www.trustedcomputinggroup.org

22 A Trusted Platform Module?
- Performs digital signature operations
- Holds platform measurements (hashes)
- Anchors chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org

23 Spectrum of Protection

24 An Integrated Solution
- BitLocker integrated into WMI and Group Policy
- AD will automatically escrow keys and passwords for centralized management
- Recovery console built into Vista for field recovery if needed

25 Windows Vista Information Protection
Who are you protecting against?
- Other users or administrators on the machine? EFS
- Unauthorized users with physical access? BitLocker™
[Table: scenarios against technologies (columns BitLocker, EFS, RMS); which cells were marked is not recoverable from the transcript. Rows: Laptops; Branch office server; Local single-user file & folder protection; Local multi-user file & folder protection; Remote file & folder protection; Untrusted network admin; Remote document policy enforcement.]
Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).

26 Windows Vista Security Summary
- Fundamentals: SDL; Service Hardening; Code Scanning; Default configuration; Code Integrity
- Threat and Vulnerability Mitigation: IE protected mode/anti-phishing; Windows Defender; Bi-directional Firewall; IPSEC improvements; Network Access Protection (NAP)
- Identity and Access Control: User Account Control; Plug and Play Smartcards; Simplified Logon architecture; BitLocker; RMS Client

27 Questions and Answers
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

30 DISCLAIMER FOR DOCUMENTATION REGARDING PRE-RELEASED SOFTWARE This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, including URL and other Internet Web sites referenced, and is the confidential and proprietary information of Microsoft Corporation. The entire risk of the use or the results from the use of this document remains with the user. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Therefore, MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Copyright 2006 Microsoft Corporation. All rights reserved. Microsoft and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

31 Backup Slides

32 Windows Service Hardening: Defense In Depth – Factoring/Profiling (diagram)
- Reduce size of high risk layers
- Segment the services
- Increase # of layers
- Layers shown: Kernel Drivers; User-mode Drivers; Services (Service1, Service2, Service3, ..., ServiceA, ServiceB)

33 Phishing Filter: Dynamic Protection Against Fraudulent Websites
3 "checks" to protect users from phishing scams:
1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks site with online Microsoft service of reported phishing sites, updated several times every hour
Two Levels of Warning and Protection in IE7 Security Status Bar:
- Level 1: Warn. Suspicious website signaled
- Level 2: Block. Confirmed phishing site signaled and blocked
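The three-check, two-level decision flow on slide 33 is shown below as an added example; it is not the IE7 Phishing Filter's own code. The local list, the heuristics and the "online service" are constructed stand-ins, and the specific heuristics (IP-literal host, userinfo in the URL, a known brand embedded in an unrelated domain) are assumptions of this example, since the slide does not say which characteristics the real filter scans for.

```python
import ipaddress
from urllib.parse import urlsplit

# Check 1 input: constructed local list of known legitimate sites.
KNOWN_LEGITIMATE = {"www.microsoft.com", "www.example-bank.test"}
# Check 3 input: constructed stand-in for the online service of reported sites.
REPORTED_PHISHING = {"secure-login.example-bank.test.evil.test"}

def _registered_domain(site):
    """'www.example-bank.test' -> 'example-bank.test' (assumed shape of the list entries)."""
    return site[4:] if site.startswith("www.") else site

def check_local_list(host):
    """Check 1: exact match against the local list of known legitimate sites."""
    return host in KNOWN_LEGITIMATE

def heuristic_suspicious(url):
    """Check 2: constructed heuristics standing in for 'characteristics common to phishing sites'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return True                      # raw IP address instead of a domain name
    except ValueError:
        pass
    if "@" in parts.netloc:
        return True                      # userinfo before '@' disguises the real host
    for site in KNOWN_LEGITIMATE:        # a known brand name inside an unrelated domain
        domain = _registered_domain(site)
        brand = domain.split(".")[0]
        if brand in host and host != domain and not host.endswith("." + domain):
            return True
    return False

def online_service_reports(host):
    """Check 3: lookup against the (constructed) service of reported phishing sites."""
    return host in REPORTED_PHISHING

def classify(url):
    """Return 'allow', 'warn' (Level 1) or 'block' (Level 2) for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    if check_local_list(host):
        return "allow"                   # check 1: known legitimate, no further checks
    suspicious = heuristic_suspicious(url)   # check 2
    if online_service_reports(host):     # check 3: confirmed report wins
        return "block"                   # Level 2
    return "warn" if suspicious else "allow"  # Level 1 only on heuristics alone

if __name__ == "__main__":
    for u in ("http://www.microsoft.com/",
              "http://192.0.2.10/login",
              "http://microsoft-update.test/",
              "http://secure-login.example-bank.test.evil.test/",
              "http://news.example.test/"):
        print(classify(u), u)
```

The ordering matters for false positives: a heuristic hit alone only produces the Level 1 warning, and the Level 2 block is reserved for sites the reputation service has confirmed, which is why the slide distinguishes "suspicious" from "confirmed".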

34 IE6 running with Admin Rights (diagram)
- IE6 runs with admin rights and can: install a driver, run Windows Update, change settings, download a picture, cache Web content
- Admin-rights access: HKLM, Program Files
- User-rights access: HKCU, My Documents, Startup Folder
- Temp Internet Files: untrusted files & settings
- Result: an exploit can install malware

35 Advanced Malware Protection: Protected Mode IE and UAC contain threats (diagram)
- IExplore runs under Integrity Control; a Compat Redirector sends its writes to redirected settings & files
- IEUser broker: change settings, save a picture (user-rights access: HKCU, My Documents, Startup Folder)
- IEAdmin broker: install an ActiveX control (admin-rights access: HKLM, HKCR, Program Files)
- Temp Internet Files: untrusted files & settings (cache Web content)

36 Bitlocker™ Hardware Requirements
Hardware requirements to support BDE:
- Trusted Platform Module (TPM) v1.2: provides platform integrity measurement and reporting; requires platform support for TPM Interface (TIS)
- Firmware (Conventional or EFI BIOS), TCG compliant: establishes chain of trust for pre-OS boot; must support TCG specified Static Root Trust Measurement (SRTM)
- Additional functionality enabled by USB dongle
- At least 2 partitions. Partitions should be NTFS.

37 What Is A Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard that:
- Helps protect secrets
- Performs cryptographic functions: RSA, SHA-1, RNG
- Meets encryption export requirements
- Can create, store and manage keys
- Provides a unique Endorsement Key (EK)
- Provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds platform measurements (hashes)
- Anchors chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
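Slides 18 to 22 and 36 to 37 describe the TPM holding platform measurements (hashes), anchoring a chain of trust from the firmware's static root of trust, and storing the key BitLocker needs. The block below is an added example, not code from the presentation or from Microsoft or the TCG: a toy model of PCR extension during a measured boot and of sealing a volume key to the resulting PCR values. SHA-1 is used because TPM 1.2 PCRs are 20-byte SHA-1 registers; the boot components, the PCR assignment, the Storage Root Key value and the HMAC-based sealing are all constructed for the demonstration (a real TPM protects the sealed blob with an RSA key under the SRK and compares the PCR composite directly).

```python
import hashlib
import hmac

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest

# Constructed boot chain: (PCR index, bytes of the component measured into it).
GOOD_BOOT_CHAIN = [
    (0, b"BIOS/firmware image v1"),   # PCR 0: firmware measured by the static root of trust
    (4, b"master boot record code"),  # PCR 4: MBR code
    (8, b"NTFS boot sector"),         # PCR 8: boot sector
    (9, b"bootmgr"),                  # PCR 9: boot manager
]
SEALED_PCRS = (0, 4, 8, 9)            # the registers the volume key is bound to
SRK = b"constructed-storage-root-key" # never leaves the TPM in the real design

class ToyTPM:
    """Minimal model of the TPM 1.2 behaviours listed on the slides (constructed)."""

    def __init__(self, srk, num_pcrs=24):
        self.srk = srk
        self.pcrs = [bytes(PCR_LEN)] * num_pcrs   # all zero after reset

    def extend(self, index, data):
        # PCR[i] <- SHA1(PCR[i] || SHA1(data)): a register can only be extended, never set,
        # so the final value depends on every component and on their order.
        measurement = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def composite(self, indices):
        """Digest over the selected PCRs; this is what a sealed blob is bound to."""
        return hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()

    def _seal_key(self, comp):
        return hmac.new(self.srk, b"seal|" + comp, hashlib.sha256).digest()

    def seal(self, secret, indices):
        """Bind a 32-byte secret to the current values of the chosen PCRs."""
        key = self._seal_key(self.composite(indices))
        ct = bytes(s ^ k for s, k in zip(secret, key))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"pcrs": tuple(indices), "ciphertext": ct, "tag": tag}

    def unseal(self, blob):
        """Return the secret only if the PCRs hold the values they had at seal time."""
        key = self._seal_key(self.composite(blob["pcrs"]))
        expected = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None                     # boot environment differs: key stays locked
        return bytes(c ^ k for c, k in zip(blob["ciphertext"], key))

def measured_boot(tpm, chain):
    for index, component in chain:
        tpm.extend(index, component)

def provision(srk, chain):
    """Enabling BitLocker: boot the known-good chain, then seal the volume key to it."""
    tpm = ToyTPM(srk)
    measured_boot(tpm, chain)
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    return tpm.seal(vmk, SEALED_PCRS), vmk

def later_boot(srk, blob, chain):
    """A later boot: PCRs reset, the chain is re-measured, then unseal is attempted."""
    tpm = ToyTPM(srk)
    measured_boot(tpm, chain)
    return tpm.unseal(blob)

def demo(tamper_bootmgr=False):
    """True if the volume key is released at the later boot, False if it stays sealed."""
    blob, vmk = provision(SRK, GOOD_BOOT_CHAIN)
    chain = list(GOOD_BOOT_CHAIN)
    if tamper_bootmgr:
        chain[3] = (9, b"bootmgr with one modified byte")  # constructed altered component
    return later_boot(SRK, blob, chain) == vmk

if __name__ == "__main__":
    print("untouched boot chain releases key:", demo(False))
    print("modified boot manager releases key:", demo(True))
```

This is the property behind "boot environment authentication" on slide 18: the key is not released by a password check but by the PCRs reaching the same values, so any change to a measured pre-OS component, intended or not, leaves the volume locked and drops the machine into the recovery path that slide 24 mentions.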

38 Bitlocker™ Features Overview
- BitLocker Drive Encryption (BDE): prevents bypass of Windows' boot process
- TPM Base Services (TBS): Windows and 3rd party software access to TPM
- Pre-OS multi-factor authentication: dongle, BIOS, and TPM-backed software identity
- Bit-chipping: sys-admin ONLY tool to securely speed up PC re-deployment
- Single MS TPM driver: improved stability and security
- Scenarios: lost or stolen laptop; branch-office server

39 Bitlocker™ Drive Appears In XP

40 Bitlocker™ Drive Appears In Vista

