Optimizing Client Security by Using Windows Vista

Agenda
● Introduction of Microsoft IT
● Common Security Attacks
● Windows Vista Security
● Considerations for Line of Business Applications
● Network Access Protection
● Drive Down Enterprise Costs With Windows Vista, SMS and MOM
● Q&A
Microsoft IT Environment
● 340,000+ computers
● 121,000 end users
● 98 countries
● 441 buildings
● 15,000 Windows Vista–based clients
● 25,000 Office 2007 clients
● 5,700 Exchange 12 mailboxes
● 31 “Longhorn”–based servers
● 46 million+ remote connections per month
● 189,000+ SharePoint sites
● 4 data centers
● 8,400 production servers
● E-mail messages per day: 3.3 million+ internal, 10 million incoming, 9 million filtered out
● 33 million IMs per month
● 120,000+ e-mail server accounts
Common Security Attacks
● Malicious Software
● Wireless
● Compliance
● Phishing
● Social Engineering
● ARP, DoS, DDoS
● Mobile Users

Windows Vista Security
● Built more secure from the ground up
● Enhanced protection from intrusions and malware
● Helps guard confidential data from theft or misuse
● Integrated security management and improved ability to manage remotely
● Sophisticated auditing, tracking, and data management features to support internal compliance
BitLocker Drive Encryption
● Reduce Security Risks and Threats
● Enhancing Information Protection and Regulatory Compliance
MS IT System and Build Process
Recovery Options
● BitLocker™ setup will automatically escrow keys and passwords into AD
  ● Centralized storage/management of keys (EA SKU)
● Setup may also try (based on policy) to back up keys and passwords onto a USB dongle or to a file location
  ● Default for non-domain-joined users
● Exploring options for web service-based key escrow
● Recovery password known by the user/administrator
  ● Recovery can occur “in the field”
  ● Windows operation can continue as normal
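The escrow step described above can be verified from the client and from the directory. The following script is an added example and is not code from the presentation or from Microsoft IT; it assumes the BitLocker and ActiveDirectory (RSAT) PowerShell modules of Windows 8 / Server 2012 or later rather than the Vista-era manage-bde.wsf script, an elevated session, and a domain-joined machine whose schema carries the msFVE-RecoveryInformation class. The FVE policy values it reads are the ones set by the "Store BitLocker recovery information in Active Directory Domain Services" Group Policy setting.

```powershell
# Added example, not part of the original presentation: confirm that the OS
# volume has a BitLocker recovery password, escrow it to Active Directory,
# and check from the directory side that the recovery object exists.

function Get-RecoveryPasswordProtectors {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection status is $($vol.ProtectionStatus)"
    }
    # Only recovery-password protectors can be escrowed to AD.
    @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)
    $protectors = Get-RecoveryPasswordProtectors -MountPoint $MountPoint
    if ($protectors.Count -eq 0) {
        # Nothing to escrow yet: add a recovery password protector first.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $protectors = Get-RecoveryPasswordProtectors -MountPoint $MountPoint
    }
    foreach ($p in $protectors) {
        # Writes the recovery password as a child object of the computer account.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        $p.KeyProtectorId
    }
}

function Test-RecoveryInfoInAD {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # msFVE-RecoveryInformation objects sit one level below the computer object.
    $objects = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -SearchBase $dn -SearchScope OneLevel
    [pscustomobject]@{
        Computer        = $ComputerName
        EscrowedObjects = @($objects).Count
        ObjectNames     = @($objects | ForEach-Object { $_.Name })
    }
}

# Policy check: escrow is only mandatory when both values are set to 1.
function Test-ADBackupPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupEnabled  = ($p.ActiveDirectoryBackup -eq 1)
        BackupRequired = ($p.RequireActiveDirectoryBackup -eq 1)
    }
}

Test-ADBackupPolicy
Backup-RecoveryPasswordToAD
Test-RecoveryInfoInAD
```

Running Test-RecoveryInfoInAD from a helpdesk workstation (with the computer name as the argument) is the check to do before a field recovery: if EscrowedObjects is 0 the recovery password was never stored, and the USB or file backup is the only fallback.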
Internet Explorer 7
Social Engineering Protections
● Phishing Filter and Colored Address Bar
● Dangerous Settings Notification
● Secure defaults for IDN
Protection from Exploits
● Protected Mode to prevent malicious software
● Code quality improvements (SDLC)
● ActiveX Opt-in
● Unified URL Parsing
ActiveX Opt-in and Protected Mode: Defending systems from malicious attack
ActiveX Opt-in puts users in control
● Reduces attack surface
● Previously unused controls disabled
● Retain ActiveX benefits, increase user security
Protected Mode reduces severity of threats
● Eliminates silent malware install
● IE process ‘sandboxed’ to protect OS
● Designed for security and compatibility
[Diagram: ActiveX Opt-in – controls in Windows are split into Enabled Controls and Disabled Controls; a User Action is needed to move a control from disabled to enabled. Protected Mode – Internet Explorer runs as a Low Rights process that writes only to the IE Cache; access to My Computer (C:) goes through the Broker Process and requires a User Action.]
Windows Security Center
● Improved Detection and Removal
● Redesigned and Simplified User Interface
● Protection for all users

Windows Firewall
● Combined firewall and IPsec management
● New management tools – Windows Firewall with Advanced Security MMC snap-in
● Reduces conflicts and coordination overhead between technologies
● Firewall rules become more intelligent
  ● Specify security requirements such as authentication and encryption
  ● Specify Active Directory computer or user groups
● Outbound filtering
● Enterprise management feature
● Simplified protection policy reduces management overhead
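The three rule capabilities listed above (authentication and encryption requirements, Active Directory group scoping, outbound filtering) can be expressed as one rule set. The script below is an added example, not the presentation's or Microsoft IT's own configuration; it uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later rather than the Vista MMC snap-in, the group name CONTOSO\Helpdesk-Workstations and the address 10.0.0.25 are placeholders, and it assumes a connection security rule is already in place so peers can authenticate with IPsec.

```powershell
# Added example, not part of the original presentation: a weak inbound RDP
# rule next to a hardened one that requires IPsec authentication and
# encryption from computers in an AD group, plus outbound filtering.

# The rule's RemoteMachine filter takes an SDDL string; resolve the group to
# its SID and wrap it in the form the firewall expects.
function Get-GroupSddl {
    param([string]$GroupName)
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "O:LSD:(A;;CC;;;$sid)"
}

# Weak version, for comparison only: port open to every host on the domain
# profile, no identity of the peer established.
function New-WeakRdpRule {
    New-NetFirewallRule -DisplayName 'RDP (weak, any source)' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Profile Domain -Action Allow
}

# Hardened version: same port, but the connection must be authenticated and
# encrypted by IPsec and originate from a computer in the named group.
function New-HardenedRdpRule {
    param([string]$GroupName = 'CONTOSO\Helpdesk-Workstations')   # placeholder
    New-NetFirewallRule -DisplayName 'RDP (IPsec, helpdesk machines only)' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Domain -Action Allow `
        -Authentication Required -Encryption Required `
        -RemoteMachine (Get-GroupSddl $GroupName)
}

# Outbound filtering: block by default on the domain profile, then allow only
# what is needed (here a patch server on the WSUS default port, placeholder IP).
function Enable-OutboundFiltering {
    Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'Allow WSUS (outbound)' -Direction Outbound `
        -Protocol TCP -RemotePort 8530 -RemoteAddress '10.0.0.25' -Action Allow
}

# Read back the security filter of a rule to confirm what was actually applied.
function Test-RuleSecurity {
    param([string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    $sec  = $rule | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Rule           = $DisplayName
        Authentication = $sec.Authentication
        Encryption     = $sec.Encryption
        RemoteMachine  = $sec.RemoteMachine
        Hardened       = ($sec.Authentication -eq 'Required' -and $sec.Encryption -eq 'Required')
    }
}

New-HardenedRdpRule | Out-Null
Enable-OutboundFiltering | Out-Null
Test-RuleSecurity -DisplayName 'RDP (IPsec, helpdesk machines only)'
```

Test-RuleSecurity is the piece worth keeping in a build check: a rule that opens a port with Authentication and Encryption both reported as NotRequired is the weak pattern, whatever its display name says.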
User Account Control: A Better Managed Desktop
● Make the system work well for standard users
  ● Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
  ● Allow elevation to administrator without logging off
  ● Support high application compatibility with file/registry virtualization
● Full privilege for administrative tasks only
  ● User provides consent before using elevated privileges
● Use of the shield icon
  ● Indicates tasks requiring elevation
  ● Has only one state
  ● Does not remember elevated state
Considerations for Line-of-Business Applications
● Require the user to be an administrator only when it is absolutely necessary
● File and registry virtualization
● ACT 5.0
● UAC is enabled throughout the environment and maintained centrally through Group Policy
Group Policy
● User Account Control settings
  ● Behavior on elevation for administrators and users
    ● No prompt
    ● Prompt for consent
    ● Prompt for credentials
  ● Elevate on application installs
  ● Virtualized file and registry write failures
● New Group Policy settings
  ● Windows Defender
  ● Device installation control
  ● Wireless and wired service configuration
  ● Enhanced Internet Explorer security configuration
  ● Removable storage device Group Policy settings
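When UAC is maintained centrally, the useful check is whether a given client actually carries the policy. The script below is an added example, not from the presentation or Microsoft IT: it reads the registry values that the User Account Control Group Policy settings write under the Policies\System key (the value names and their documented meanings are real; the baseline numbers are an assumption for an environment that keeps UAC on, prompts administrators for consent and prompts standard users for credentials) and reports each deviation.

```powershell
# Added example, not part of the original presentation: audit a client's
# effective UAC configuration against a baseline and report deviations.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the two elevation-behavior values.
$AdminBehavior = @{
    0 = 'Elevate without prompting (no prompt)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Baseline: assumption, adjust to the local Group Policy.
$Baseline = @{
    EnableLUA                  = 1   # UAC on
    ConsentPromptBehaviorAdmin = 2   # administrators: prompt for consent
    ConsentPromptBehaviorUser  = 1   # standard users: prompt for credentials
    EnableInstallerDetection   = 1   # elevate on application installs
    EnableVirtualization       = 1   # virtualize file/registry write failures
    PromptOnSecureDesktop      = 1   # prompts cannot be spoofed by user-mode windows
}

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    $state = [ordered]@{}
    foreach ($name in $Baseline.Keys) { $state[$name] = $p.$name }   # $null if absent
    [pscustomobject]$state
}

function Get-SettingMeaning {
    param([string]$Name, $Value)
    if ($null -eq $Value) { return 'Not set (built-in default applies)' }
    switch ($Name) {
        'ConsentPromptBehaviorAdmin' { return $AdminBehavior[[int]$Value] }
        'ConsentPromptBehaviorUser'  { return $UserBehavior[[int]$Value] }
        default { if ([int]$Value -eq 1) { return 'Enabled' } else { return 'Disabled' } }
    }
}

function Compare-UacBaseline {
    param([pscustomobject]$State = (Get-UacState))
    foreach ($name in $Baseline.Keys) {
        $actual = $State.$name
        [pscustomobject]@{
            Setting   = $name
            Actual    = $actual
            Expected  = $Baseline[$name]
            Meaning   = Get-SettingMeaning -Name $name -Value $actual
            Compliant = ($null -ne $actual -and [int]$actual -eq $Baseline[$name])
        }
    }
}

Compare-UacBaseline | Format-Table -AutoSize
```

A value that is absent is reported as non-compliant on purpose: an unset value means the machine is running the built-in default rather than the central policy, which is exactly the case the audit is meant to surface.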
Network Access Protection
[Diagram (numbered flow 1–5 in the original): a Windows Vista client connects through DHCP, VPN or a switch/router to the MSFT Network Policy Server, which checks the client against Policy Servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party). A client that is policy compliant is admitted to the Corporate Network; a client that is not policy compliant is placed on the Restricted Network with access to Fix Up Servers (e.g. MSFT WSUS, SMS & 3rd party).]
Benefits
Enhanced Security
● All communications are authenticated, authorized & healthy
● Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
● Policy-based access that IT Pros can set and control
Increased Business Value
● Preserves user productivity
● Extends existing investments in Microsoft and 3rd party infrastructure
● Broad industry partnership
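The NAP flow in the diagram reduces to one exchange: the client presents a statement of health, the policy server evaluates it, and the answer is either corporate access or restricted access plus a remediation list for the fix-up servers. The script below is an added example, not code from the presentation or from the NAP product: the health-policy items, the statement-of-health fields and the two sample clients are constructed for illustration and are not the real SoH wire format, and the optional Get-LocalClientState helper assumes the NetSecurity and Defender cmdlets of a current Windows client.

```powershell
# Added example, not part of the original presentation: a simplified model
# of the NAP exchange with both the client and policy-server sides.

# Policy-server side: what a healthy client must report (constructed policy).
$HealthPolicy = @{
    FirewallEnabled        = $true
    AntivirusEnabled       = $true
    AntivirusUpToDate      = $true
    AutomaticUpdatesOn     = $true
    MissingCriticalUpdates = 0      # maximum allowed
}

# Client side: wrap the gathered state into a statement of health (SoH).
function New-StatementOfHealth {
    param([hashtable]$ClientState, [string]$ClientId = $env:COMPUTERNAME)
    [pscustomobject]($ClientState + @{ ClientId = $ClientId; Issued = (Get-Date) })
}

# Optional real input for the client side (assumption: NetSecurity and
# Defender modules present); replaces the constructed samples below.
function Get-LocalClientState {
    $fw = Get-NetFirewallProfile -Profile Domain
    $av = Get-MpComputerStatus
    @{
        FirewallEnabled        = ($fw.Enabled -eq 'True')
        AntivirusEnabled       = [bool]$av.AntivirusEnabled
        AntivirusUpToDate      = ($av.AntivirusSignatureAge -le 3)
        AutomaticUpdatesOn     = ((Get-Service wuauserv).Status -eq 'Running')
        MissingCriticalUpdates = 0   # placeholder: would come from a WSUS/SMS scan
    }
}

# Policy-server side: compare every policy item with the SoH. A missing
# field counts as a failure, so a malformed SoH cannot pass by omission.
function Test-StatementOfHealth {
    param([pscustomobject]$SoH)
    $failures = foreach ($item in $HealthPolicy.Keys) {
        $required = $HealthPolicy[$item]
        $actual   = $SoH.$item
        $pass = if ($null -eq $actual) { $false }
                elseif ($required -is [bool]) { $actual -eq $required }
                else { [int]$actual -le [int]$required }
        if (-not $pass) { "${item}: expected $required, got $actual" }
    }
    $failures = @($failures)
    [pscustomobject]@{
        Client      = $SoH.ClientId
        Access      = if ($failures.Count -eq 0) { 'CorporateNetwork' } else { 'RestrictedNetwork' }
        Remediation = $failures     # what the fix-up servers would need to address
    }
}

# Constructed samples: a healthy client and one with stale AV and missing patches.
$healthy = @{ FirewallEnabled = $true; AntivirusEnabled = $true; AntivirusUpToDate = $true
              AutomaticUpdatesOn = $true;  MissingCriticalUpdates = 0 }
$stale   = @{ FirewallEnabled = $true; AntivirusEnabled = $true; AntivirusUpToDate = $false
              AutomaticUpdatesOn = $false; MissingCriticalUpdates = 3 }

Test-StatementOfHealth (New-StatementOfHealth $healthy -ClientId 'client-ok')
Test-StatementOfHealth (New-StatementOfHealth $stale   -ClientId 'client-stale')
```

The second sample lands on the restricted network with three remediation items, which is the path through the Fix Up Servers in the diagram; the first is admitted directly. The enforcement method (DHCP, VPN, IPsec or 802.1X) is independent of this decision and only changes how the restriction is applied.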
Drive Down Enterprise Costs With Windows Vista, SMS and MOM
Security Management
● SMS client remediation for NAP scenarios
● Delivering software to standard users (UAC) via SMS
Deployment and Updating
● Common image format (WIM) for Windows Vista and SMSv4
● SMS support for Windows Deployment Services (WDS)
● Common scanning agent (SMS, WSUS) for updating
Management and Monitoring
● Leveraging common XML schema for event data (MOM)
● MOM leverages enhanced Watson data
For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Optimizing Client Security by Using Windows Vista – Technical White Paper: http://www.microsoft.com/technet/itsolutions/msit/security/vistasecurity_twp.mspx
● Network Access Protection: http://www.microsoft.com/nap
● BitLocker Drive Encryption: http://www.microsoft.com/technet/windowsvista/security/bittech.mspx
This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Excel, Internet Explorer, Outlook, PowerPoint, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.