Yaniv Feldman, Senior Infrasec Architect, Microsoft Security Regional Director, Db@net
Security, Web, Virtualization
• Virtualization: reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability
• Web: delivers rich web-based experiences efficiently and effectively
• Security: provides unprecedented levels of protection for your network, your data, and your business
Windows Server 2008 security features
• Development process
• Secure Startup and "shield up" at install
• Code integrity
• Windows service hardening
• Inbound and outbound firewall
• Restart Manager
• Improved auditing
• Network Access Protection
• Event Forwarding
• Policy-based networking
• Server and domain isolation
• Removable device installation control
• Active Directory Rights Management Services
Security Compliance
Security
Windows service hardening
• Reduce the size of high-risk layers
• Segment the services
• Increase the number of layers
[Diagram: the kernel-driver, user-mode-driver and service layers (Service 1, 2, 3 … and Service A, B …), each service running in its own smaller compartment instead of one large, shared high-privilege layer]
Service isolation by account
Windows® XP SP2 / Server 2003 R2: LocalSystem, Network Service, Local Service (no per-service restriction)
Windows Vista / Server "Longhorn" (Windows Server 2008):
• LocalSystem: firewall restricted; Network Service: network restricted; Local Service: no network access
• LocalSystem, Network Service, Local Service: fully restricted
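What "fully restricted" comes down to for one service, as an added example that is not part of the deck: the per-service SID, the trimmed privilege set and the firewall rule bound to the service, applied with the sc.exe and netsh tools that ship with Windows Vista / Windows Server 2008. The service name 'MyAppSvc' and port TCP/8080 are hypothetical placeholders; run the script from an elevated PowerShell 2.0 prompt.

```powershell
# Added example, not from the slide deck: inspect and tighten one service's isolation on
# Windows Vista / Windows Server 2008 with the built-in sc.exe and netsh tools.
# Assumptions: elevated PowerShell 2.0 prompt; 'MyAppSvc' and TCP/8080 are a hypothetical
# service name and listening port, replace both with your own.
# Note: plain "sc" is PowerShell's alias for Set-Content, so the .exe suffix is required.

$ServiceName = 'MyAppSvc'
$ListenPort  = 8080

function Get-ServiceIsolation {
    param([string]$Name)
    # qsidtype reports NONE, UNRESTRICTED or RESTRICTED; qprivs lists the privileges the
    # service keeps in its token after the rest have been stripped.
    $sidType = 'unknown'
    foreach ($line in (& sc.exe qsidtype $Name)) {
        if ($line -match 'SERVICE_SID_TYPE:\s*(\S+)') { $sidType = $matches[1] }
    }
    $privs = @()
    foreach ($line in (& sc.exe qprivs $Name)) {
        if ($line -match '(Se\w+Privilege)') { $privs += $matches[1] }
    }
    New-Object PSObject -Property @{ Service = $Name; SidType = $sidType; Privileges = $privs }
}

function Set-ServiceIsolation {
    param([string]$Name, [int]$Port, [string[]]$KeepPrivileges)
    # 1. Give the service its own SID and make its token write-restricted, so resources
    #    can be ACLed to this one service instead of to the whole Network Service account.
    & sc.exe sidtype $Name restricted
    # 2. Keep only the privileges the service really needs (slash-separated list).
    #    Review Get-ServiceIsolation first: a service that impersonates callers also
    #    needs SeImpersonatePrivilege, or it will break after this change.
    & sc.exe privs $Name ($KeepPrivileges -join '/')
    # 3. Bind the inbound firewall rule to the service SID rather than to "any program on
    #    this port"; this is the Vista/2008 firewall rule that knows which service it is for.
    & netsh advfirewall firewall add rule "name=$($Name)-inbound" dir=in action=allow protocol=TCP "localport=$Port" "service=$Name"
    # 4. Tokens are built at start time, so restart for the new SID and privileges to apply.
    Restart-Service -Name $Name -Force
}

Get-ServiceIsolation -Name $ServiceName | Format-List
Set-ServiceIsolation -Name $ServiceName -Port $ListenPort -KeepPrivileges @('SeChangeNotifyPrivilege')
Get-ServiceIsolation -Name $ServiceName | Format-List
```

Running Get-ServiceIsolation before and after shows the SID type moving to RESTRICTED and the privilege list shrinking to what was passed in; a service that stops starting afterwards is telling you which privilege it really needed, which is the point of doing this on a test box first.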
Windows Firewall with Advanced Security
• Combined firewall and IPsec management
• Firewall rules become more intelligent
• Policy-based networking
Server Core installation
• Only a subset of the executable files and DLLs installed
• No GUI interface installed
• 9 available server roles
• Can be managed with remote tools
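The combined firewall and IPsec model, and the firewall opening a Server Core box needs for its remote tools, written out as netsh advfirewall commands. This is an added example, not part of the deck: it assumes an elevated prompt on a domain-joined Windows Server 2008 machine, the rule names DomainIsolation and RDP-AuthenticatedOnly are hypothetical, and the verification step matches the English-language netsh output.

```powershell
# Added example, not from the slide deck: domain isolation (IPsec), an identity-aware
# firewall rule, and the remote administration rule group for Server Core.
# Assumptions: elevated prompt on a domain-joined Windows Server 2008 host; rule names
# are hypothetical; "Remote Administration" is the built-in rule group name.

function Set-DomainIsolation {
    # 1. Connection security rule: require IPsec authentication with Kerberos computer
    #    credentials for inbound traffic and request it outbound. Unmanaged hosts can no
    #    longer reach this server, but the server can still talk to them.
    & netsh advfirewall consec add rule name=DomainIsolation endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain
    # 2. Firewall rule that only admits IPsec-authenticated peers: it tests the peer's
    #    identity, not just port and address, which is what makes the rule "intelligent".
    & netsh advfirewall firewall add rule name=RDP-AuthenticatedOnly dir=in action=allow protocol=TCP localport=3389 security=authenticate profile=domain
    # 3. Server Core has no local console tools, so enable the built-in remote
    #    administration group (MMC, WMI, remote registry) for management from elsewhere.
    & netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
}

function Test-DomainIsolation {
    # Confirm both rules exist and carry the settings above; $true only if both check out.
    $consec = (& netsh advfirewall consec show rule name=DomainIsolation) -join "`n"
    $fw     = (& netsh advfirewall firewall show rule name=RDP-AuthenticatedOnly verbose) -join "`n"
    ($consec -match 'Enabled:\s+Yes') -and ($fw -match 'Security:\s+Authenticate')
}

Set-DomainIsolation
Test-DomainIsolation
```

Roll the connection security rule out with action=requestinrequestout first and watch the IPsec main-mode associations before switching to requireinrequestout; a server that requires authentication from a client that has no policy yet simply goes silent.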
Internet Information Services (IIS) 7.0
• Customization
• Troubleshooting
• Administration
• True application deployment
• Application and health management
• Arsenal of Admin Tools
• Delegated Management
• Secure Remote Management
• Shared Config for Web Farms
Better tools
• Intuitive, task-oriented GUI
• .NET management API
• Unified WMI provider for IIS/ASP.NET
• Powerful command-line support
• Rich runtime state information
• Automatic failure tracing and logging
[Diagram: the site owner's web.config (XML) is xcopy-deployed with the application; the administrator manages the server remotely over secure HTTPS; applicationHost.config (XML) holds the server-level configuration, which can be shared (SharedConfig) across a web farm for shared application hosting]
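Delegated management means the site owner's web.config can override only the sections the administrator has unlocked in applicationHost.config, so the security question is which sections are actually delegated. The following is an added example, not from the deck or from IIS itself: it reads the two places IIS 7.0 records delegation (overrideModeDefault on each section declaration and overrideMode on location elements) and flags sensitive sections that are open. The XML is a constructed, cut-down sample; on a real server point it at %windir%\System32\inetsrv\config\applicationHost.config.

```powershell
# Added example, not from the slide deck: audit which IIS 7.0 configuration sections a
# site owner may override from web.config. Assumptions: $Sample is a constructed sample
# of applicationHost.config; the list of sensitive sections is this example's own choice.

$Sample = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="handlers" overrideModeDefault="Deny" />
      <section name="httpLogging" />
      <sectionGroup name="security">
        <section name="authorization" overrideModeDefault="Allow" />
        <section name="requestFiltering" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Default Web Site" overrideMode="Allow">
    <system.webServer>
      <handlers />
    </system.webServer>
  </location>
</configuration>
'@

# Sections a site owner's web.config should not normally be able to change.
$Sensitive = @('system.webServer/handlers', 'system.webServer/security/requestFiltering',
               'system.webServer/security/authorization')

function Get-SectionDefaults {
    param([xml]$Config)
    # Walk configSections recursively, building the slash path IIS uses for each section.
    function Walk($node, $prefix) {
        foreach ($child in $node.ChildNodes) {
            if ($child.LocalName -eq 'sectionGroup') {
                Walk $child ($prefix + $child.GetAttribute('name') + '/')
            } elseif ($child.LocalName -eq 'section') {
                $mode = $child.GetAttribute('overrideModeDefault')
                if (-not $mode) { $mode = 'Allow' }   # IIS treats a missing attribute as Allow
                New-Object PSObject -Property @{ Section = $prefix + $child.GetAttribute('name'); Mode = $mode }
            }
        }
    }
    Walk $Config.configuration.configSections ''
}

function Get-LocationOverrides {
    param([xml]$Config)
    # Each <location overrideMode=...> re-locks or unlocks the sections it names for one path.
    function Leaves($node, $prefix) {
        $hasChild = $false
        foreach ($c in $node.ChildNodes) {
            if ($c.NodeType -eq 'Element') { $hasChild = $true; Leaves $c ($prefix + $c.LocalName + '/') }
        }
        if (-not $hasChild -and $prefix) { $prefix.TrimEnd('/') }
    }
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $mode = $loc.GetAttribute('overrideMode')
        if (-not $mode) { continue }
        foreach ($section in (Leaves $loc '')) {
            New-Object PSObject -Property @{ Path = $loc.GetAttribute('path'); Section = $section; Mode = $mode }
        }
    }
}

function Get-DelegationFindings {
    param([xml]$Config, [string[]]$SensitiveSections)
    # Flag sensitive sections delegated either server-wide or for a specific path.
    $defaults  = Get-SectionDefaults   -Config $Config | Where-Object { $_.Mode -eq 'Allow' -and $SensitiveSections -contains $_.Section }
    $overrides = Get-LocationOverrides -Config $Config | Where-Object { $_.Mode -eq 'Allow' -and $SensitiveSections -contains $_.Section }
    foreach ($d in $defaults)  { "Delegated server-wide: $($d.Section)" }
    foreach ($o in $overrides) { "Delegated for '$($o.Path)': $($o.Section)" }
}

$config = [xml]$Sample
Get-SectionDefaults -Config $config | Format-Table Section, Mode -AutoSize
Get-DelegationFindings -Config $config -SensitiveSections $Sensitive
```

On the sample this reports two findings: authorization is delegated server-wide by its declaration, and handlers, although locked by default, has been unlocked for "Default Web Site" by the location element, which is exactly the kind of per-site exception that gets forgotten.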
BitLocker Drive Encryption
• Group Policy allows a central encryption policy and provides branch-office protection
• Provides data protection even when the system is in unauthorized hands or has been booted into a different or attacker-controlled operating system
• Uses a v1.2 TPM or a USB flash drive for key storage
[Diagram: the Full Volume Encryption Key (FVEK) and the encryption policy]
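Whether a volume is really protected depends on which key protectors it has, so the check an operator wants is "is the key held in the TPM or on a USB key, and is there a recovery password on file". The script below is an added example, not from the deck: it drives the manage-bde.wsf script that ships with the BitLocker feature on Windows Vista / Windows Server 2008 (the same switches exist on manage-bde.exe from Windows 7 / 2008 R2 on) and assumes an elevated prompt, the feature installed, and English-language tool output.

```powershell
# Added example, not from the slide deck: verify a BitLocker volume's protector set.
# Assumptions: elevated prompt; BitLocker feature installed; English tool output.

$Volume = 'C:'

function Invoke-ManageBde {
    param([string[]]$Arguments)
    $script = Join-Path $env:windir 'System32\manage-bde.wsf'
    (& cscript.exe //nologo $script @Arguments) -join "`n"
}

function Get-BitLockerState {
    param([string]$Drive)
    $status     = Invoke-ManageBde @('-status', $Drive)
    $protectors = Invoke-ManageBde @('-protectors', '-get', $Drive)
    New-Object PSObject -Property @{
        Drive            = $Drive
        ProtectionOn     = [bool]($status -match 'Protection Status:\s+Protection On')
        FullyEncrypted   = [bool]($status -match 'Conversion Status:\s+Fully Encrypted')
        TpmProtector     = [bool]($protectors -match '(?m)^\s*TPM')         # FVEK sealed to the v1.2 TPM
        UsbKeyProtector  = [bool]($protectors -match 'External Key')       # key kept on a USB flash drive
        RecoveryPassword = [bool]($protectors -match 'Numerical Password')  # the 48-digit recovery password
    }
}

function Test-BitLockerPolicy {
    param($State)
    # The policy this example enforces: protection on, a TPM- or USB-held key, and a
    # recovery password so a failed TPM or lost USB key does not mean lost data.
    $keyHeld = $State.TpmProtector -or $State.UsbKeyProtector
    if (-not $State.ProtectionOn)     { return "FAIL: protection is off on $($State.Drive)" }
    if (-not $keyHeld)                { return "FAIL: no TPM or USB key protector on $($State.Drive)" }
    if (-not $State.RecoveryPassword) { return "FAIL: no recovery password for $($State.Drive)" }
    $keyKind = if ($State.TpmProtector) { 'the TPM' } else { 'a USB startup key' }
    "PASS: $($State.Drive) is protected by $keyKind with a recovery password"
}

Test-BitLockerPolicy (Get-BitLockerState -Drive $Volume)
```

A recovery password that exists only on the machine is no better than none; the Group Policy setting the slide refers to is the one that makes the client escrow it to Active Directory before encryption is allowed to start.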
Active Directory Rights Management Services (AD RMS)
• AD RMS protects access to an organization's digital files
• AD RMS in Windows Server 2008 includes several new features
• Improved installation and administration experience
• Self-enrollment of the AD RMS cluster
• Integration with AD Federation Services
• New AD RMS administrative roles
[Diagram: the information author and the recipient]
Active Directory Federation Services (AD FS)
• AD FS provides an identity access solution
• Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
• AD FS provides a Web-based SSO solution
• AD FS interoperates with other security products that support the Web Services Architecture
• AD FS is improved in Windows Server 2008
[Diagram: a web server, an account federation server and a resource federation server in two organizations (Adatum and Contoso) joined by a federation trust]
Read-Only Domain Controller (RODC)
[Diagram: main office and branch office, with the RODC in the branch office]
Active Directory Certificate Services
• Enterprise PKI (PKIView)
• Online Certificate Status Protocol (OCSP)
• Network Device Enrollment Service
• Web Enrollment
• Cryptography Next Generation (CNG)
• Includes algorithms for encryption, digital signatures, key exchange, and hashing
• Supports cryptography in kernel mode
• Supports the current set of CryptoAPI 1.0 algorithms
• Support for elliptic curve cryptography (ECC) algorithms
• Performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data
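The ECC support in CNG is reachable from managed code through the System.Core wrappers that shipped with .NET Framework 3.5, so a sign-and-verify round trip is the quickest way to see it work. This is an added example, not from the deck: it assumes PowerShell 2.0 with .NET 3.5 on Windows Vista / Server 2008 or later, the key name ExampleEcdsaKey is hypothetical, and the message bytes are constructed.

```powershell
# Added example, not from the slide deck: ECDSA P-256 signing through CNG (ECDsaCng).
# Assumptions: .NET 3.5 / PowerShell 2.0; 'ExampleEcdsaKey' and the message are made up.

Add-Type -AssemblyName System.Core

function New-EcdsaKey {
    param([string]$KeyName)
    # Create a persisted NIST P-256 key in the user's CNG key store. The private key is
    # marked non-exportable, so it never leaves the key storage provider.
    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $params.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::OverwriteExistingKey
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
    [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $KeyName, $params)
}

function Protect-Message {
    param([System.Security.Cryptography.CngKey]$Key, [byte[]]$Data)
    # Sign SHA-256(Data) with the private key; export only the public half for verifiers.
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($Key)
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $sig = $ecdsa.SignData($Data)
    $pub = $Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    New-Object PSObject -Property @{ Signature = $sig; PublicKey = $pub }
}

function Test-Message {
    param([byte[]]$PublicKey, [byte[]]$Data, [byte[]]$Signature)
    # The verifier needs nothing but the public blob, which CNG imports as an ephemeral key.
    $key = [System.Security.Cryptography.CngKey]::Import($PublicKey,
        [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($key)
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $ecdsa.VerifyData($Data, $Signature)
}

$message  = [Text.Encoding]::UTF8.GetBytes('constructed sample message')
$tampered = [Text.Encoding]::UTF8.GetBytes('constructed sample message!')
$key    = New-EcdsaKey -KeyName 'ExampleEcdsaKey'
$signed = Protect-Message -Key $key -Data $message
Test-Message -PublicKey $signed.PublicKey -Data $message  -Signature $signed.Signature
Test-Message -PublicKey $signed.PublicKey -Data $tampered -Signature $signed.Signature
$key.Delete()   # remove the persisted key when the example is done
```

The two Test-Message calls return $true for the original bytes and $false for the tampered copy. Setting ExportPolicy to None is the part worth copying: it is the managed-code equivalent of keeping the key behind the key storage provider rather than in the application's memory.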
Terminal Services Gateway
[Diagram: a remote/mobile user on the Internet tunnels RDP over HTTPS to the Terminal Services Gateway in the perimeter network; the gateway strips off the HTTPS, consults Network Policy Server and Active Directory (DC), and passes the RDP traffic to terminal servers and other RDP hosts on the corporate network]
What is Network Access Protection?
• Health policy validation
• Health policy compliance
• Ability to provide limited access
• Enhanced security
• Increased business value
How Network Access Protection works
[Diagram: a Windows client, a restricted network with remediation servers (example: patch), Network Policy Server (NPS) with its DHCP, VPN or switch/router enforcement point, policy servers such as patch and AV, and the corporate network]
1. Client requests access to the network and presents its current health state
2. DHCP, VPN or switch/router relays the health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures (repeat steps 1–4)
5. If policy compliant, the client is granted full access to the corporate network
• Policy based – was network access allowed
• Health based – % compliant per SHA
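The NPS decision described above, together with the two reports the last bullets name, modelled over constructed statement-of-health (SoH) records so the policy logic can be run offline. This is an added example, not from the deck or from NPS: the client names, SHA names and health policy are made up, and a real NPS evaluates SoHs produced by the Windows Security Health Agent and third-party SHAs (the client-side result is visible with "netsh nap client show state").

```powershell
# Added example, not from the slide deck: NAP health-policy evaluation and reporting over
# constructed SoH records. Assumptions: clients, SHA names and policy below are made up.

# IT-defined health policy: every listed SHA must report compliant. $Remediation is what a
# restricted client is still allowed to reach.
$HealthPolicy = @('Firewall', 'Antivirus', 'WindowsUpdate')
$Remediation  = @('patch.corp.example', 'av.corp.example')

# Constructed SoH records as relayed by the DHCP/VPN/switch enforcement point.
$Clients = @(
    @{ Host = 'PC-01'; SoH = @{ Firewall = $true;  Antivirus = $true;  WindowsUpdate = $true  } },
    @{ Host = 'PC-02'; SoH = @{ Firewall = $true;  Antivirus = $false; WindowsUpdate = $true  } },
    @{ Host = 'PC-03'; SoH = @{ Firewall = $false; Antivirus = $false; WindowsUpdate = $true  } },
    @{ Host = 'PC-04'; SoH = @{ Firewall = $true;  Antivirus = $true } }   # no WindowsUpdate SoH at all
)

function Invoke-NpsDecision {
    param([hashtable]$Client, [string[]]$Policy, [string[]]$RemediationServers)
    # A missing SoH counts as a failure: a client that cannot prove health is unhealthy.
    $failed = @($Policy | Where-Object { -not $Client.SoH[$_] })
    if ($failed.Count -eq 0) {
        # Step 5: compliant, full access to the corporate network.
        New-Object PSObject -Property @{ Host = $Client.Host; Access = 'Full'; Failed = @(); Reach = @('corporate network') }
    } else {
        # Step 4: restricted VLAN, remediation servers only; the client re-presents its
        # health state after fixing up, and the loop repeats until it passes.
        New-Object PSObject -Property @{ Host = $Client.Host; Access = 'Restricted'; Failed = $failed; Reach = $RemediationServers }
    }
}

function Get-NapReport {
    param([object[]]$Decisions, [string[]]$Policy, [object[]]$Clients)
    # "Policy based": was network access allowed, per client.
    $policyReport = $Decisions | Select-Object Host, Access
    # "Health based": % compliant per SHA across all clients seen.
    $healthReport = foreach ($sha in $Policy) {
        $ok = @($Clients | Where-Object { $_.SoH[$sha] }).Count
        New-Object PSObject -Property @{ SHA = $sha; PercentCompliant = [math]::Round(100 * $ok / $Clients.Count) }
    }
    New-Object PSObject -Property @{ Policy = $policyReport; Health = $healthReport }
}

$decisions = $Clients | ForEach-Object { Invoke-NpsDecision -Client $_ -Policy $HealthPolicy -RemediationServers $Remediation }
$decisions | Format-Table Host, Access, Failed, Reach -AutoSize
$report = Get-NapReport -Decisions $decisions -Policy $HealthPolicy -Clients $Clients
$report.Health | Format-Table SHA, PercentCompliant -AutoSize
```

With the sample data only PC-01 gets full access; PC-04 is restricted even though every SoH it did send passed, because the policy treats an absent SHA result as non-compliant rather than as unknown. The per-SHA report (75 % for Firewall and WindowsUpdate, 50 % for Antivirus) is what tells the operations team which health requirement is actually keeping machines off the network.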
Resources
• Windows Server 2008 home: http://www.microsoft.com/windowsserver2008/default.mspx
• Windows Server 2008 Technical Library: http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true
• Network Access Protection: http://technet.microsoft.com/en-us/network/bb545879.aspx
• Terminal Services: http://www.microsoft.com/windowsserver2008/terminal-services/default.mspx
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.