Security and Policy Enforcement Mark Gibson Dave Northey.
Posted 20-Dec-2015. Category: Documents.
Transcript of Security and Policy Enforcement Mark Gibson Dave Northey.
Slide 1
Security and Policy Enforcement
Mark Gibson, Dave Northey
Slide 2
Agenda
14:30 Security & Policy Overview
15:40 Coffee
16:00 NAP platform architecture
17:10 Coffee
17:30 NAP components
18:30 End
Slide 3
Hardens Operating System and Increases Environment Protection
Read-Only Domain Controller
Network Access Protection
BitLocker Drive Encryption
Security
Slide 4
Server Protection Features
Security Development Process
Secure Startup and shield up at install
Code integrity
Windows service hardening
Inbound and outbound firewall
Restart Manager
Improved auditing
Network Access Protection
Event Forwarding
Policy Based Networking
Server and Domain Isolation
Removable Device Installation Control
Active Directory Rights Management Services
Security Compliance
Slide 5
Windows Server 2008 Hardening
Windows XP SP2 / Server 2003 R2: services run as LocalSystem, Network Service, Local Service
Windows Vista / Server 2008: service accounts with per-service restrictions
LocalSystem - Firewall Restricted
Network Service - Network Restricted
Local Service - No Network Access
LocalSystem
Network Service - Fully Restricted
Local Service - Fully Restricted
Slide 6
BitLocker Drive Encryption
Group Policy allows central encryption policy and provides Branch Office protection
Provides data protection even when the system is in unauthorized hands or is running a different or exploiting operating system
Uses a v1.2 TPM or USB flash drive for key storage
Diagram labels: Full Volume Encryption Key (FVEK); Encryption Policy
Slide 7
Solid Foundation: Windows Firewall with Advanced Security
Combined firewall and IPsec management
Firewall rules become more intelligent
Policy-based networking
Slide 8
Network Access Protection
Diagram labels: Windows Client; NPS; DHCP, VPN, Switch/Router; Policy Servers such as Patch, AV; Remediation Servers (Example: Patch); Restricted Network; Corporate Network; Policy compliant; Not policy compliant
What is Network Access Protection?
Cisco and Microsoft Integration Story
Health Policy Validation
Health Policy Compliance
Ability to Provide Limited Access
Enhanced Security
Increased Business Value
Slide 9
Using Network Access Protection
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
Diagram labels: Windows Client; NPS; DHCP, VPN, Switch/Router; Policy Servers such as Patch, AV; Remediation Servers (Example: Patch); Restricted Network; Corporate Network; Policy compliant; Not policy compliant
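As an added example that is not part of the original deck, the following Python simulation walks through the five NAP steps on this slide: a client presents a statement of health, NPS validates it against an IT-defined health policy, a non-compliant client is placed on the restricted network with a remediation list, and the cycle repeats until full access is granted. The health attributes, policy values and patch identifiers are constructed for the example and are not real NAP data structures.

```python
"""Simulation of the NAP decision flow (steps 1-5 on the slide).
Added example; attribute names, policy values and patch IDs are constructed."""
from dataclasses import dataclass, field

# Constructed IT-defined health policy that NPS validates against (step 3).
HEALTH_POLICY = {
    "firewall_required": True,
    "max_signature_age_days": 3,
    "required_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},  # placeholders
}


@dataclass
class StatementOfHealth:
    """Health state the client presents when it requests access (step 1)."""
    client: str
    firewall_enabled: bool
    signature_age_days: int
    installed_patches: set


@dataclass
class AccessDecision:
    """What NPS tells the enforcement point (DHCP, VPN, switch/router) to do."""
    client: str
    network: str                                  # "corporate" or "restricted"
    remediation: list = field(default_factory=list)


def validate_health(soh, policy):
    """Step 3: compare the statement of health with the policy.
    Returns the list of failed requirements; an empty list means compliant."""
    failures = []
    if policy["firewall_required"] and not soh.firewall_enabled:
        failures.append("enable host firewall")
    if soh.signature_age_days > policy["max_signature_age_days"]:
        failures.append("update AV signatures")
    missing = policy["required_patches"] - soh.installed_patches
    if missing:
        failures.append("install patches: " + ", ".join(sorted(missing)))
    return failures


def nps_decision(soh, policy):
    """Steps 4-5: a compliant client gets the corporate network; a non-compliant
    one is placed on the restricted network and told what to fix."""
    failures = validate_health(soh, policy)
    if failures:
        return AccessDecision(soh.client, "restricted", failures)
    return AccessDecision(soh.client, "corporate")


def remediate(soh, policy):
    """What the remediation servers reachable from the restricted network provide:
    a fresh statement of health after patches, signatures and config are applied."""
    return StatementOfHealth(
        client=soh.client,
        firewall_enabled=True,
        signature_age_days=0,
        installed_patches=soh.installed_patches | policy["required_patches"],
    )


def nap_cycle(soh, policy, max_rounds=3):
    """Repeat steps 1-4 until the client is compliant or max_rounds is reached.
    Returns (final decision, number of requests relayed to NPS)."""
    decision = nps_decision(soh, policy)
    rounds = 1
    while decision.network != "corporate" and rounds < max_rounds:
        soh = remediate(soh, policy)
        decision = nps_decision(soh, policy)
        rounds += 1
    return decision, rounds


if __name__ == "__main__":
    # Constructed client that fails all three checks on its first request.
    laptop = StatementOfHealth("laptop-01", False, 10, {"KB-PLACEHOLDER-1"})
    first = nps_decision(laptop, HEALTH_POLICY)
    print(first.network, first.remediation)
    final, rounds = nap_cycle(laptop, HEALTH_POLICY)
    print(final.network, "after", rounds, "rounds")
```

The remediation list is what the client can act on from the restricted VLAN; the round counter makes the "repeat 1 - 4" loop on the slide visible, since every re-evaluation is another request relayed by the enforcement point to NPS.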
Slide 10
AD Rights Management Services
AD RMS protects access to an organization's digital files
AD RMS in Windows Server 2008 includes several new features
Improved installation and administration experience
Self-enrollment of the AD RMS cluster
Integration with AD Federation Services
New AD RMS administrative roles
Diagram labels: Information Author; The Recipient
Slide 11
Active Directory Federation Services
AD FS provides an identity access solution
Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
AD FS provides a Web-based SSO solution
AD FS interoperates with other security products that support the Web Services Architecture
AD FS improved in Windows Server 2008
Diagram labels: Web Server; Account Federation Server; Resource Federation Server; Adatum; Contoso; Federation Trust
Slide 12
Federated Rights Management
Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
AD RMS is fully claims-aware and can interpret AD FS claims
Office SharePoint Server 2007 can be configured to accept federated identity claims
Diagram labels: Account Federation Server; Resource Federation Server; Adatum; Contoso; Federation Trust; Web SSO
Slide 13
Read-Only Domain Controller
Main Office / Branch Office
Features: Read Only Active Directory Database; Only allowed user passwords are stored on RODC; Unidirectional Replication; Role Separation
Benefits: Increases security for remote Domain Controllers where physical security cannot be guaranteed
Support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
Diagram label: RODC
Slide 14
How RODC Works
Diagram labels: Branch; Hub; Read Only DC; Windows Server 2008 DC; RODC
1. User logs on and authenticates
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to Windows Server 2008 DC
4. Windows Server 2008 DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and RODC will cache credentials
Slide 15
Read-only DC Mitigates "Stolen DC"
Attacker Perspective / Hub Admin Perspective
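As an added example that is not part of the original deck, the Python simulation below ties slide 14 (the six-step RODC logon flow) to slide 15 (why a stolen RODC exposes less than a stolen writable DC): the RODC serves logons from its cache, forwards anything it does not hold to the hub DC, and caches a returned secret only when the Password Replication Policy allows it, so a thief of the branch box obtains at most the allowed branch accounts. The user names, passwords and the salted-hash "verifier" format are constructed for the example and are not Active Directory's real secret format.

```python
"""Simulation of the RODC logon flow (slide 14, steps 1-6) with a Password
Replication Policy, and the resulting "stolen DC" exposure (slide 15).
Added example; users, passwords and the verifier format are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SALT_LEN = 16


def make_verifier(password: str, salt: bytes = None) -> bytes:
    """Constructed stand-in for a stored account secret: salt || SHA-256(salt || pw).
    Not the real AD format; it only gives the simulation something to cache."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.sha256(salt + password.encode()).digest()


def check_verifier(verifier: bytes, password: str) -> bool:
    """Constant-time comparison of a presented password against a stored verifier."""
    return hmac.compare_digest(verifier, make_verifier(password, verifier[:SALT_LEN]))


def issue_tgt(user: str) -> tuple:
    """Placeholder for the Kerberos TGT handed back to the user (steps 5-6)."""
    return ("TGT", user, os.urandom(8).hex())


@dataclass
class WritableDC:
    """Hub Windows Server 2008 DC: holds every account secret."""
    secrets: dict  # user -> verifier

    def authenticate(self, user: str, password: str):
        """Step 4: authenticate the forwarded request; step 5: return a TGT or None."""
        verifier = self.secrets.get(user)
        if verifier is None or not check_verifier(verifier, password):
            return None
        return issue_tgt(user)


@dataclass
class ReadOnlyDC:
    """Branch RODC: read-only database that caches only PRP-allowed secrets."""
    hub: WritableDC
    allowed_to_cache: set                            # Password Replication Policy "Allowed" set
    cache: dict = field(default_factory=dict)        # user -> verifier replicated from the hub
    forwarded: list = field(default_factory=list)    # audit trail of step-3 forwards

    def logon(self, user: str, password: str):
        """Steps 1-2: the user logs on and the RODC checks its own database first."""
        if user in self.cache:
            return issue_tgt(user) if check_verifier(self.cache[user], password) else None
        # Step 3: "I don't have the user's secrets" -> forward to the writable DC.
        self.forwarded.append(user)
        tgt = self.hub.authenticate(user, password)
        # Step 6: return the TGT and cache the secret, but only if the PRP allows it.
        # Denied accounts (e.g. domain admins) are authenticated but never stored here.
        if tgt is not None and user in self.allowed_to_cache:
            self.cache[user] = self.hub.secrets[user]
        return tgt


def exposed_accounts(rodc: ReadOnlyDC) -> set:
    """Slide 15, attacker perspective: the only secrets physically on a stolen RODC."""
    return set(rodc.cache)


def build_demo():
    """Constructed sample domain: two branch users allowed by the PRP, one admin denied."""
    hub = WritableDC(secrets={
        "alice": make_verifier("alice-pw"),
        "bob": make_verifier("bob-pw"),
        "domain-admin": make_verifier("admin-pw"),
    })
    rodc = ReadOnlyDC(hub=hub, allowed_to_cache={"alice", "bob"})
    return hub, rodc


if __name__ == "__main__":
    _, rodc = build_demo()
    rodc.logon("alice", "alice-pw")          # forwarded to the hub, then cached
    rodc.logon("alice", "alice-pw")          # second logon served from the cache
    rodc.logon("domain-admin", "admin-pw")   # forwarded, never cached
    print("forwarded:", rodc.forwarded, "exposed if stolen:", exposed_accounts(rodc))
```

The `forwarded` list is the hub admin's perspective from slide 15: every branch logon the RODC could not serve locally is visible at the hub, and the PRP keeps privileged accounts out of the branch cache regardless of how often they log on there.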
Slide 16
PKI Enhancements
Enterprise PKI (PKIView): now a Microsoft Management Console snap-in; support for Unicode characters
Online Certificate Status Protocol (OCSP): Online Responders; Responder Arrays
Network Device Enrollment Service: Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP); enhances security of communications by using IPsec
Web Enrollment: removed previous ActiveX enrollment control (XEnroll.dll); enhanced new COM enrollment control (CertEnroll.dll)
Slide 17
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Slide 18
Next Steps
Slide 19
Appendix