Session 1: Windows 8 with Gerry Tessier

Post on 21-Nov-2014


CTE Ottawa Seminar Day - September 7th, 2012

Indeed, these are exciting times. The IT world is yet again taking another giant technological step forward. With the release of System Center 2012, Cloud services, and Server 2012, to name a few, IT Pros are quickly trying to ramp up their skills for this latest generation of products. Now Windows 8 is upon us and not since Windows 95 have we seen a major overhaul of the user interface. Much has been said and published about Microsoft's latest client OS. Join us at CTE to take an honest "Enterprise" look under the hood of Windows 8 so that we can tackle hot topics like improvements for deployment, security, usability, reliability, compatibility, virtual desktop infrastructure, networking, etc.

Transcript of Session 1: Windows 8 with Gerry Tessier


Welcome to CTE Solutions

Windows 8 in the Enterprise

Training with Impact.

www.ctesolutions.com


Introduction

• Senior Trainer at CTE Solutions, Inc.
• Training for 16 years
• MCITP, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL OSA, ITIL RCV, CTT, Security+, Network+, A+, EIEIO+

Gérald F. Tessier

Windows 8 in the Enterprise

1. Overview of Windows 8

2. Deploying Windows 8

3. Navigating the Windows 8 Interface

4. Securing Windows 8

5. 10 Reasons to Upgrade to Windows 8

Part I: Overview of Windows 8

Introducing Windows 8

Windows 8 Editions

Advantages of 64 bit

Introducing Windows 8

Windows 8 represents the largest change in the Windows operating system since Windows 95

Key new features:

• Start Screen
• Cloud integration
• Reset and Refresh your PC
• Windows To Go
• Remote Desktop Services
• Hyper-V
• Support for multiple form factors
• PowerShell v3.0

Understanding Windows 8 Editions

Windows 8 comes in three editions:

• Windows 8
• Windows 8 Pro
• Windows 8 Enterprise

Windows RT is the ARM-specific version of Windows 8 designed for mobile devices that use the ARM processor architecture

Understanding Windows 8 Editions (cont.)

Windows 8 Enterprise offers the following advantages:

• BranchCache
• AppLocker
• DirectAccess
• Side-load Metro Apps
• Virtualization through RemoteFX
• Windows To Go

Advantages of 64-bit Windows 8 Versions

Advantages of 64-bit processors:

• Improved performance
• More memory
• Improved device support
• Improved security

Limitation:

• Does not support the 16-bit Windows on Windows (WOW) environment

Part II: Deploying Windows 8

Hardware Requirements for Installing Windows 8

Determining Device Compatibility and Screen Resolution

Common Application-Compatibility Problems

Methods for Mitigating Common Application-Compatibility Issues

Options for Installing Windows 8

Imaging with MDT 2012 Update 1

Windows 8 to Go

Hardware Requirements for Installing Windows 8

Windows 8 minimum recommended hardware requirements:

• 1 GHz or faster processor
• 1 GB RAM (32-bit) or 2 GB RAM (64-bit)
• 16 GB available hard disk space (32-bit) or 20 GB (64-bit)
• DirectX 9 graphics device with WDDM 1.0 or higher driver

Windows 8 feature-specific requirements:

• UEFI-based BIOS for secured boot process
• 64-bit processor with second level address translation support
• TPM for full BitLocker support

Determining Device Compatibility and Screen Resolution

Use the Compatibility Center for Windows 8 website to check hardware compatibility

Metro-based apps require a screen resolution of 1024x768 or higher

• Processor
• Memory
• Network card
• Hard disk

Common Application-Compatibility Problems

Common application compatibility problems may relate to the following areas:

• Setup and installation of applications
• User Account Control
• Windows Resource Protection
• Internet Explorer Protected Mode
• 64-bit architecture
• Windows Filtering Platform
• Operating system version changes
• Kernel-mode drivers
• Deprecated components

Methods for Mitigating Common Application-Compatibility Issues

You can use the ACT to determine whether your applications are compatible with Windows 8

Other mitigation methods include:

• Verify your application, device, and computer compatibility with a new version of the Windows operating system
• Verify a Windows update's compatibility
• Become involved in the ACT community and share your risk assessment with other ACT users
• Test your web applications and websites for compatibility with new releases and security updates to Internet Explorer

Options for Installing Windows 8

Clean installation

• Install Windows 8 on a new partition
• Replace an existing operating system on a partition

Upgrade installation

• Replace an existing version of Windows with Windows 8
• All user applications, files, and settings are retained

Migration

• Move files and settings from an old operating system to Windows 8
• Side-by-side or wipe and load

Part III: Navigating the Windows 8 Interface


In the news…

Microsoft Work Exposes Magnitude of Botnet Threat

Microsoft's Security Intelligence Report sheds light on the expanding threat that bots…

Researchers Discover Link Between a Series of Trojans

A difficult to remove rootkit behind numerous sophisticated attacks, appears to have helped spread yet another

Computing and Societal Trends

Devices & Experiences Users Want

Enterprise-Grade Solutions

Devices & Experiences Users Love

Enterprise Scenarios

Windows for the Enterprise

Microsoft Experience and Credentials

Trustworthy Computing Initiative (TwC)

BillG Memo

Microsoft Security Engineering Center / Security Development Lifecycle

Global Foundation Services (GFS)

Malware Protection Center

Microsoft Security Response Center (MSRC)

SAS-70 Certification

FISMA Certification

ISO 27001 Certification

Security Landscape

DEVICES

APPS

INFORMATION PROTECTION

ACCESS CONTROL

ANTI-MALWARE

POLICY MANAGEMENT

RESEARCH & RESPONSE

SECURE DEVELOPMENT

Private Cloud

Public Cloud

On-Premise Online

Microsoft End-to-End Client Protection

Protect Against and Manage Threats

Unified Extensible Firmware Interface (UEFI)
Trusted Platform Module (TPM)
Windows Standard User Accounts, User Account Control, and AppLocker
Modern Applications Defender

• Maintain software with a patch management solution
• Deliver software that is secure by design
• Operate a malware resistant platform and applications
• Defend against malware threats

Protect Sensitive Data

Windows 7 BitLocker
MDOP - BitLocker Administration and Monitoring
Office Information Rights Management (IRM)
Office Encrypted File System
Active Directory Rights Management Services

• Secure data that is at rest with encryption
• Protect data that is in motion with encryption
• Protect data that is in use with access controls

Secure Access to Resources

Active Directory
DirectAccess
Network Access Protection
Dynamic Access Control

• Manage the full identity lifecycle
• Validate user identity with strong authentication
• Secured and always connected remote access
• Protect resources as environment changes

Secured Boot

Measured Boot

Protected View

IE SmartScreen

Microsoft Security Development Lifecycle

Ongoing Process Improvements – 12 month cycle

Education

Accountability

Process

Protection Starts with Patch Management

[Chart, 2H06 to 1H10: The number of enterprises with regular patch management has significantly grown]

Patch Management with WSUS

• Setting the industry standard for threat response
• Engaging with over 70 “Active Protection” partners
• Further reducing the impact of zero-day vulnerabilities
• Predictable IT patch cycle
• Streamlined update process with WSUS
• Integration with System Center Configuration Manager

Patch management is among the top 5 security priorities for 2010

Based on Gartner Survey: Top 10 Security Technology Project Priorities for 2010, Dec 2009

Microsoft Security Intelligence Report Vol. 9, Oct 2010

• Establish a managed, common identity infrastructure with Active Directory®
• Easily enforce device and user policies with Active Directory Group Policies
• Simplify identity, strong authentication, and access management with Forefront® Identity Manager (FIM)

“With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations.”

• Manage security tasks with System Center Configuration Manager
• Ensure corporate desktops comply with desired configuration and security baseline
• Monitor, control, and gain visibility of physical and virtual desktop environments
• Set a security baseline with SCM
• Leverage Microsoft security guidance for compliance
• Customize your security configuration with settings packs

“[With Windows 7 security enhancements], we will save more than $10 for each of our 16,000 PCs. That equals more than $160,000 in savings.”

• Securing the Code
• Securing the Boot Process
• Securing the Core
• Securing Sign-In
• Securing while Desktop is in Use
• Securing Access to Resources

“We are using SharePoint Workspace 2010 to expand our security initiatives, which will help us ensure that our information is protected, correct, and accessible.” Teknosa, Electronics Retailer, Turkey

• Mitigate exploits through the sandboxed Protected View which allows users to view untrusted files without harming their computer
• Reduce the attack surface by validating file schemas, limiting file types, blocking embedded code, and leveraging built-in Windows security mechanisms
• Improve the user experience with fewer security decisions that need to be made and more instrumental instructions to pre-empt helpdesk calls

“Internet Explorer … is a definite positive step in terms of a protected browser” – Neil MacDonald/Gartner, Network World, 6/21/2010

• Protect from social engineering and phishing
• Protect desktop from malicious downloads
• Enhance protection based on the needs per Zone
• Protect system and IE from malicious applications
• Protect from webpage manipulation (XSS)

• Leverage Windows Core
• Minimize impact of application vulnerabilities and exploits with integral mechanisms developed from the Security Development Lifecycle
• Prevent unauthorized operations by running in “standard user” mode using User Account Control
• Protect against network threats with built-in firewall
• Restrict applications installation and usage with Windows AppLocker policies

• Proactive protection against threats
• Dynamic updates through cloud service
• Centralized security and firewall policies
• Security compliance alerts, tracking, and reporting
• Builds on Microsoft industry-leading anti-malware engine
• Global threat intelligence and real-time response backed by Microsoft Malware Protection Center
• Equivalent level of protection outside

• Windows BitLocker® protects data on hard-drives with encryption
• Data cannot be extracted in the event of loss or theft, complying with FIPS 140-2 (in process)
• Hardware integration (TPM) prevents access on a tampered OS or another device
• Microsoft BitLocker Administration and Monitoring enhances provisioning, monitoring, and key recovery

• Office Information Rights Management (IRM) sets boundaries for sensitive data
• Keep documents and email communication to authorized corporate users
• Mark content manually or by automated inspection in Microsoft Exchange and SharePoint®
• Enforce password protection, digital signatures and limit data extraction from

• Data extraction through USB devices is centrally controlled
• Protect data on removable drives with BitLocker To Go™ encryption
• Restrict device types and block writes to unprotected drives through Group Policies

Replaced a third party solution with BitLocker and saved $100,000 in licensing and maintenance

Implemented BitLocker and BitLocker To Go for all mobile workers

• Establish a managed, common identity infrastructure with Active Directory, enhanced with Forefront Identity Manager
• Create a common, single sign on across on-premises and cloud services
• Manage access to resources with policy controlled groups in Active Directory
• Enhance and automate identity and access provisioning / deprovisioning
• Empower users with self service tools for group and

• Add strong authentication with Windows 7
• Use Windows 7 Biometric or Smart-card frameworks to authenticate users at logon, for admin access or drive encryption
• Simplify Enrollment and end to end lifecycle management of PKI certificates for both IT and end users
• Extend remote access authentication with PKI certificates, smart-cards or RSA One Time Password

vides various options for remote access

• Enable DirectAccess connectivity for continuous manageability of remote corporate laptops

• Apply OS patches, maintain anti-virus signatures, and keep applications updated at all times

• Keep configuration and security policies up to date

• Set access policy based on device type and health

• Validate and remediate remote devices before granting access to corporate resources

• Support access from unmanaged PCs and phones

• Allow any device with a browser to access internal portals through Unified Access Gateway

• Provide asset and compliance reporting with System Center for devices connected via Exchange ActiveSync

• Manual tagging by content owners

• Automatic Classification

• Application based tagging

• Automatic RMS protection for Office documents based on file tags
• Near real time protection soon after the file is tagged
• Extensibility for non Office RMS protectors
• Expression based access conditions and auditing with support for user claims, device claims and file tags
• Central access policies targeted based on file tags
• Access denied remediation
• Policy staging audits to simulate policy changes in a real environment

Modern Security Thinner, Lighter, Faster

Sensors

New Form Factors

Touch

Long Battery Life

ffective IT investment for desktop security needs

Top 10 Reasons to Upgrade to Windows 8

1. UEFI Fast boot

2. Secure Boot

3. Improved Authentication

4. Client Hyper-V

5. Live Performance Feedback

6. PowerShell v3.0

7. Windows To Go

8. DirectAccess

9. Unified Experience

10. Who really likes the old start menu?

11. *Bonus: Cloud Integration!