
Optimizing Client Security by Using Windows Vista


Agenda

● Introduction of Microsoft IT
● Common Security Attacks
● Windows Vista Security
● Considerations for Line of Business Applications
● Network Access Protection
● Drive Down Enterprise Costs With Windows Vista, SMS And MOM
● Q&A

Microsoft IT Environment

● 340,000+ computers
● 121,000 end users
● 98 countries
● 441 buildings
● 15,000 Windows Vista–based clients
● 25,000 Office 2007 clients
● 5,700 Exchange 12 mailboxes
● 31 “Longhorn”–based servers
● 46 million+ remote connections per month
● 189,000+ SharePoint sites
● 4 data centers
● 8,400 production servers
● E-mail messages per day: 3.3 million+ internal, 10 million incoming, 9 million filtered out
● 33 million IMs per month
● 120,000+ e-mail server accounts

Common Security Attacks

● Malicious Software
● Wireless
● Compliance
● Phishing
● Social Engineering
● ARP, DoS, DDoS
● Mobile Users

Windows Vista Security

● Built more secure from the ground up
● Enhanced protection from intrusions and malware
● Helps guard confidential data from theft or misuse
● Integrated security management and improved ability to manage remotely
● Sophisticated auditing, tracking, and data management features to support internal compliance

BitLocker Drive Encryption

● Reduce security risks and threats
● Enhance information protection and regulatory compliance

MS IT System Build and Process

(Two diagram slides; the build-process diagrams are not reproduced in this text.)

Recovery Options

● BitLocker™ setup will automatically escrow keys and passwords into AD
   ● Centralized storage/management of keys (EA SKU)
● Setup may also try (based on policy) to back up keys and passwords onto a USB dongle or to a file location
   ● Default for non-domain-joined users
● Exploring options for web service-based key escrow
● Recovery password known by the user/administrator
   ● Recovery can occur “in the field”
   ● Windows operation can continue as normal
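The escrow path above is only as good as the check that it actually happened: a recovery password created before the machine joined the domain, or before the policy applied, never reaches AD, and the first time anyone notices is during a recovery. The following PowerShell is an added example, not Microsoft IT's script or code from the deck. It assumes the BitLocker module shipped with Windows 8 / Server 2012 and later (Vista had only manage-bde.wsf), a domain-joined host, and a caller that has been delegated read access to the msFVE-RecoveryInformation objects. It lists the recovery-password protectors on a volume, checks which already have a matching msFVE-RecoveryInformation child under the computer account, and escrows the missing ones.

```powershell
#Requires -RunAsAdministrator
# Added example: verify and repair BitLocker recovery-password escrow to AD.
# Assumes the BitLocker module (Windows 8 / Server 2012+), a domain-joined host,
# and delegated read access to msFVE-RecoveryInformation objects.

function Get-ComputerDn {
    # Locate this computer's own AD object (sAMAccountName is "NAME$").
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found; is the host domain-joined?" }
    return [string]$result.Properties['distinguishedname'][0]
}

function Get-EscrowedProtectorIds([string]$ComputerDn) {
    # Each escrowed recovery password is an msFVE-RecoveryInformation child object;
    # msFVE-RecoveryGuid holds the protector GUID as a 16-byte octet string.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('msFVE-RecoveryGuid')
    foreach ($r in $searcher.FindAll()) {
        [guid]::new([byte[]]$r.Properties['msfve-recoveryguid'][0])
    }
}

function Test-BitLockerEscrow {
    param([string]$MountPoint = $env:SystemDrive, [switch]$Repair)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint is not protected (status $($volume.ProtectionStatus)); nothing to escrow."
        return
    }
    $recoveryProtectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recoveryProtectors.Count -eq 0) {
        throw "No recovery password on $MountPoint. Add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector, then rerun."
    }

    $escrowed = @(Get-EscrowedProtectorIds -ComputerDn (Get-ComputerDn))
    foreach ($p in $recoveryProtectors) {
        $id = [guid]$p.KeyProtectorId          # KeyProtectorId looks like "{GUID}"
        $inAd = $escrowed -contains $id
        if (-not $inAd -and $Repair) {
            # Same operation the policy-driven escrow performs at setup time.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            $inAd = (@(Get-EscrowedProtectorIds -ComputerDn (Get-ComputerDn)) -contains $id)
        }
        [pscustomobject]@{ MountPoint = $MountPoint; ProtectorId = $id; EscrowedInAD = $inAd }
    }
}

Test-BitLockerEscrow -MountPoint $env:SystemDrive -Repair | Format-Table -AutoSize
```

Two caveats that the slide's "recovery password known by the user/administrator" glosses over: the 48-digit password bypasses the TPM entirely, so the AD objects holding it should be readable only by the delegated recovery group, and a password that has been read out for a field recovery should be replaced afterwards (remove the used protector, add a fresh one, and run the check again so the new one is escrowed).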

Internet Explorer 7

Social Engineering Protections
● Phishing Filter and Colored Address Bar
● Dangerous Settings Notification
● Secure defaults for IDN

Protection from Exploits
● Protected Mode to prevent malicious software
● Code quality improvements (SDLC)
● ActiveX Opt-in
● Unified URL Parsing
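IE7's "secure defaults for IDN" as an added example, not code from the deck: a label that mixes scripts, or that uses a script outside the user's configured languages, is displayed in its Punycode (xn--) form, so a Cyrillic "а" cannot pass for a Latin one in the address bar. The script table uses .NET regex Unicode block names as an approximation of scripts, and the Latin-only user profile is an assumption; IE7 derived the allowed scripts from the user's language settings.

```powershell
# Added example: the IE7 IDN display rule, modelled with .NET's IdnMapping.
# Block names are .NET regex Unicode blocks (an approximation of scripts);
# the allowed-script list stands in for the user's language configuration.
$Blocks = [ordered]@{
    Latin    = '[\p{IsBasicLatin}\p{IsLatin-1Supplement}\p{IsLatinExtended-A}\p{IsLatinExtended-B}]'
    Cyrillic = '[\p{IsCyrillic}\p{IsCyrillicSupplement}]'
    Greek    = '\p{IsGreek}'
    Hebrew   = '\p{IsHebrew}'
    Arabic   = '\p{IsArabic}'
    Han      = '\p{IsCJKUnifiedIdeographs}'
}
$Idn = New-Object System.Globalization.IdnMapping

function Get-LabelScripts([string]$Label) {
    # Scripts used by the letters of one DNS label; digits and '-' are script-neutral.
    $seen = @{}
    foreach ($c in $Label.ToCharArray()) {
        if (-not [char]::IsLetter($c)) { continue }
        $scriptName = 'Other'
        foreach ($name in $Blocks.Keys) {
            if ([string]$c -match $Blocks[$name]) { $scriptName = $name; break }
        }
        $seen[$scriptName] = $true
    }
    return @($seen.Keys)
}

function Get-DisplayHostname {
    param([string]$Hostname, [string[]]$UserScripts = @('Latin'))
    $ascii   = $Idn.GetAscii($Hostname)    # Unicode or xn-- input both normalise here
    $unicode = $Idn.GetUnicode($ascii)
    foreach ($label in $unicode.Split('.')) {
        $scripts = Get-LabelScripts $label
        if ($scripts.Count -gt 1) { return $ascii }        # mixed scripts inside one label
        foreach ($s in $scripts) {
            if ($s -notin $UserScripts) { return $ascii }  # script the user does not read
        }
    }
    return $unicode
}

# Constructed samples: the PayPal homograph (Cyrillic U+0430 in place of 'a'),
# an all-Cyrillic name, and plain ASCII.
$samples = @(
    "p$([char]0x0430)ypal.com",
    "$([char]0x043F)$([char]0x0440)$([char]0x0438)$([char]0x0432)$([char]0x0435)$([char]0x0442).com",
    'example.com'
)
foreach ($h in $samples) {
    $latinOnly = Get-DisplayHostname $h
    $withCyrillic = Get-DisplayHostname $h -UserScripts Latin, Cyrillic
    '{0,-14} Latin-only user: {1,-22} Latin+Cyrillic user: {2}' -f $h, $latinOnly, $withCyrillic
}
```

The mixed-script check is what defeats the homograph: the first sample is shown as xn--pypal-4ve.com for every user, while the all-Cyrillic name is shown in Unicode only to a user whose languages include Cyrillic. Block-based classification is a simplification; a production check should use Unicode script properties and also treat confusable characters within a single script.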

ActiveX Opt-in And Protected Mode: Defending Systems from Malicious Attack

ActiveX Opt-in puts users in control
● Reduces attack surface
● Previously unused controls disabled
● Retain ActiveX benefits, increase user security

Protected Mode reduces severity of threats
● Eliminates silent malware install
● IE process ‘sandboxed’ to protect OS
● Designed for security and compatibility

(Diagrams: ActiveX Opt-in shows Windows controls divided into Enabled Controls and Disabled Controls, with a User Action moving a control between the two; Protected Mode shows the Low Rights IE process confined to the IE Cache, reaching My Computer (C:) only through a Broker Process after a User Action.)

Windows Security Center

● Improved detection and removal
● Redesigned and simplified user interface
● Protection for all users

Windows Firewall with Advanced Security

● Combined firewall and IPsec management
● New management tools – Windows Firewall with Advanced Security MMC snap-in
● Reduces conflicts and coordination overhead between technologies
● Firewall rules become more intelligent
   ● Specify security requirements such as authentication and encryption
   ● Specify Active Directory computer or user groups
● Outbound filtering
   ● Enterprise management feature
● Simplified protection policy reduces management overhead
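The three rule capabilities above, IPsec-authenticated and encrypted connections, rules scoped to an Active Directory computer group, and default-deny outbound filtering, as an added PowerShell example rather than the deck's own configuration. It uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later (the Vista equivalent is netsh advfirewall); the group CONTOSO\Secure-Servers, the ports and the rule names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: authenticated, group-scoped and outbound firewall rules with the
# NetSecurity module (Windows 8 / Server 2012+). CONTOSO\Secure-Servers, the
# ports and the rule names are assumptions for illustration.

$groupName = 'CONTOSO\Secure-Servers'     # assumed AD computer group

# 1. Phase-1 authentication with machine Kerberos, so peers carry an AD identity,
#    and an ESP crypto set with encryption so "Encryption Required" can be satisfied.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $authProposal
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' -Proposal $qmProposal

# 2. Connection security rule: require authentication inbound, request it outbound so the
#    host keeps talking to peers that are not yet enrolled (tighten to Require when done).
New-NetIPsecRule -DisplayName 'Domain hosts: authenticate inbound' -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# 3. Firewall rule that only admits authenticated, encrypted connections from members of
#    the group. RemoteMachine is an SDDL ACL; the ACE grants CC (connect) to the group SID.
$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'RDP from Secure-Servers only' -Profile Domain `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -Authentication Required -Encryption Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$sid)" | Out-Null

# 4. Outbound filtering: default-deny on the domain profile, then allow what is needed.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Allow outbound HTTPS' -Profile Domain `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 | Out-Null

# Check: a rule with Authentication=Required but no matching connection security rule
# drops every packet silently, so confirm both halves are present.
Get-NetFirewallRule -DisplayName 'RDP from Secure-Servers only' | Get-NetFirewallSecurityFilter |
    Format-List Authentication, Encryption, RemoteMachine
Get-NetIPsecRule -DisplayName 'Domain hosts: authenticate inbound' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
```

Roll the connection security rule out first and watch for drops before switching outbound to Require; and remember that the group membership is evaluated from the peer's Kerberos machine ticket, so a machine added to the group needs a new ticket (or a reboot) before the rule admits it.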

User Account Control: A Better Managed Desktop

Make the system work well for standard users
● Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
● Allow elevation to administrator without logging off
● Support high application compatibility with file/registry virtualization

Full privilege for administrative tasks only
● User provides consent before using elevated privileges

Use of the shield icon
● Indicates tasks requiring elevation
● Has only one state
● Does not remember elevated state

Considerations for Line-of-Business Applications

● Require the user to be an administrator only when it is absolutely necessary
● File and registry virtualization
● ACT 5.0 (Application Compatibility Toolkit)
● UAC is enabled throughout the environment and maintained centrally through Group Policy

Group Policy

User Account Control settings
● Behavior on elevation for administrators and users
   ● No prompt
   ● Prompt for consent
   ● Prompt for credentials
● Elevate on application installs
● Virtualize file and registry write failures

New Group Policy settings
● Windows Defender
● Device installation control
● Wireless and wired service configuration
● Enhanced Internet Explorer security configuration
● Removable storage device Group Policy settings
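How the elevation-behavior settings above land on a client, as an added PowerShell example that is not the deck's content: each Group Policy item is a DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the virtualization setting leaves a trail in VirtualStore that shows which line-of-business applications still depend on it. The baseline values are an assumed hardening target, not Microsoft IT's published configuration; the value meanings (0 = elevate without prompting, 1/2 = prompt on the secure desktop, 3/4 = prompt on the normal desktop, 5 = prompt only for non-Windows binaries) are Windows' own.

```powershell
# Added example: audit the UAC policy values behind the Group Policy settings above
# and list the LOB applications still relying on file/registry virtualization.
# The baseline is an assumed hardening target, not Microsoft IT's configuration.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Baseline = @(
    @{ Name = 'EnableLUA';                  Expect = @(1);   Why = 'UAC on; 0 disables it' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Expect = @(1,2); Why = 'prompt admins on the secure desktop; 0 = elevate silently, 3/4 = normal desktop, 5 = non-Windows binaries only' }
    @{ Name = 'ConsentPromptBehaviorUser';  Expect = @(0,1); Why = 'deny (0) or prompt for credentials on the secure desktop (1); 3 = normal desktop' }
    @{ Name = 'EnableInstallerDetection';   Expect = @(1);   Why = 'elevate on application installs' }
    @{ Name = 'EnableVirtualization';       Expect = @(1);   Why = 'virtualize file/registry write failures for legacy LOB apps' }
    @{ Name = 'PromptOnSecureDesktop';      Expect = @(1);   Why = 'prompt on the secure desktop so user-mode code cannot spoof or click it' }
)

function Get-UacPolicyReport {
    foreach ($setting in $Baseline) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $setting.Name -ErrorAction SilentlyContinue).($setting.Name)
        $shown = if ($null -eq $value) { '(not set; Windows default applies)' } else { $value }
        [pscustomobject]@{
            Setting   = $setting.Name
            Value     = $shown
            Compliant = ($null -ne $value) -and ($setting.Expect -contains $value)
            Meaning   = $setting.Why
        }
    }
}

function Get-VirtualizedWrites {
    # UAC redirects failed writes to protected locations here. Every entry is an
    # application that will break for a standard user the day virtualization is
    # turned off, so fix the app (or its ACLs, via ACT) before changing the policy.
    $files = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'VirtualStore') -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    $keys = Get-ChildItem -Path 'HKCU:\Software\Classes\VirtualStore' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{ Files = @($files); RegistryKeys = @($keys) }
}

Get-UacPolicyReport | Format-Table -AutoSize -Wrap
$writes = Get-VirtualizedWrites
"Virtualized files: $($writes.Files.Count); virtualized registry keys: $($writes.RegistryKeys.Count)"
$writes.Files | Select-Object -First 10
```

Run it in the context of an ordinary user, because VirtualStore is per-user; the policy report reads HKLM and needs no elevation. A value reported as "not set" means the Group Policy in the slide has not reached this machine, which is worth chasing before trusting the central configuration.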

Network Access Protection

(Diagram: NAP access flow)
1. The Windows Vista client requests network access.
2. The access device (DHCP, VPN, switch/router) passes the request to the Network Policy Server.
3. The Network Policy Server checks the client against the Policy Servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party).
4. Not policy compliant: the client is placed on the Restricted Network with the Fix Up Servers (e.g. MSFT WSUS, SMS & 3rd party) until it is remediated.
5. Policy compliant: the client is admitted to the Corporate Network.

Benefits

Enhanced Security
● All communications are authenticated, authorized & healthy
● Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
● Policy-based access that IT Pros can set and control

Increased Business Value
● Preserves user productivity
● Extends existing investments in Microsoft and 3rd party infrastructure
● Broad industry partnership

Drive Down Enterprise Costs With Windows Vista, SMS And MOM

Security Management
● SMS client remediation for NAP scenarios
● Delivering software to standard users (UAC) via SMS

Deployment And Updating
● Common image format (WIM) for Windows Vista and SMS v4
● SMS support for Windows Deployment Services (WDS)
● Common scanning agent (SMS, WSUS) for updating

Management And Monitoring
● Leveraging common XML schema for event data (MOM)
● MOM leverages enhanced Watson data

For More Information

Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com

● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Optimizing Client Security by Using Windows Vista – Technical White Paper: http://www.microsoft.com/technet/itsolutions/msit/security/vistasecurity_twp.mspx
● Network Access Protection: http://www.microsoft.com/nap
● BitLocker Drive Encryption: http://www.microsoft.com/technet/windowsvista/security/bittech.mspx


© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Excel, Internet Explorer, Outlook, PowerPoint, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.