Jayesh Mowjee Security Consultant Microsoft Session Code: SIA 201

Fundamentally Secure Platform Windows 7 Enterprise Security Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable. Protect Data from Unauthorized Viewing Securing Anywhere Access Protect Users & Infrastructure

Windows Vista Foundation Enhanced Auditing Make the system work well for standard users Administrators use full privilege only for administrative tasks File and registry virtualization helps applications that are not UAC compliant Streamlined User Account Control XML based Granular audit categories Detailed collection of audit results Simplified compliance management Fundamentally Secure Platform Security Development Lifecycle process Kernel Patch Protection Windows Service Hardening DEP & ASLR Internet Explorer 8 inclusive Mandatory Integrity Controls

User Account Control User provides explicit consent before using elevated privilege Disabling UAC removes protections, not just consent prompt Users can do even more as a standard user Administrators will see fewer UAC Elevation Prompts Reduce the number of OS applications and tasks that require elevation Re-factor applications into elevated/non-elevated pieces Flexible prompt behavior for administrators System Works for Standard User All users, including administrators, run as Standard User by default Administrators use full privilege only for administrative tasks or applications

Desktop Auditing Simplified configuration results in lower TCO Demonstrate why a person has access to specific information Understand why a person has been denied access to specific information Track all changes made by specific people or groups Granular auditing complex to configure Auditing access and privilege use for a group of users New XML based events Fine grained support for audit of administrative privilege Simplified filtering of “noise” to find the event you’re looking for Tasks tied to events

UAC & Audit

Network Security DirectAccess Help ensure that only “healthy” machines can access corporate data Enable “unhealthy” machines to get clean before they gain access Network Access Protection Security enhanced, seamless, always on connection to corporate network Improved management of remote users Helping Secure Anywhere Access Policy based network segmentation for more secure and isolated logical networks Multi-Home Firewall Profiles DNSSec Support

Network Access Protection Health policy validation and remediation Helps keep mobile, desktop and server devices in compliance Reduces risk from unauthorized systems on the network Remediation Servers Example: Update Restricted Network Windows Client Policy compliant NPS DHCP, VPN Switch/Router Policy Servers such as: Update, AV Corporate Network Not policy compliant

Remote Access for Mobile Workers Access Information Virtually Anywhere Same experience accessing corporate resources inside and outside the office Seamless connection increases productivity of mobile users Easy to service mobile PCs and distribute updates and polices Difficult for users to access corporate resources from outside the office Challenging for IT to manage, update mobile PCs while disconnected from company network

AppLocker TM Data Recovery Help protect users against social engineering and privacy exploits Help protect users against browser based exploits Help protect users against web server exploits Internet Explorer 8 File back up and restore CompletePC ™ image- based backup System Restore Volume Shadow Copies Volume Revert Help Protect Users & Infrastructure Enables application standardization within an organization without increasing TCO Support compliance enforcement

Application Control Eliminate unwanted/unknown applications in your network Enforce application standardization within your organization Easily create and manage flexible rules using Group Policy Users can install and run non- standard applications Even standard users can install some types of software Unauthorized applications may: Introduce malware Increase helpdesk calls Reduce user productivity Undermine compliance efforts

AppLocker Simple Rule Structure: Allow, Exception & DenySimple Rule Structure: Allow, Exception & Deny Publisher RulesPublisher Rules Product Publisher, Name, Filename & VersionProduct Publisher, Name, Filename & Version Multiple PoliciesMultiple Policies Executables, installers, scripts & DLLsExecutables, installers, scripts & DLLs Rule creation tools & wizardRule creation tools & wizard Including PowerShell cmdletsIncluding PowerShell cmdlets Audit only modeAudit only mode SKU AvailabilitySKU Availability AppLocker – EnterpriseAppLocker – Enterprise Legacy SRP – Business & EnterpriseLegacy SRP – Business & Enterprise

AppLocker

Social Engineering & Exploits Reduce unwanted communications Social Engineering & Exploits Reduce unwanted communications Freedom from intrusion International Domain Names Pop-up Blocker Increased usability Choice and control Clear notice of information use Provide only what is needed Choice and control Clear notice of information use Provide only what is needed Control of information User-friendly, discoverable notices P3P-enabled cookie controls Delete Browsing History InPrivate™ Browsing & Filtering Browser & Web Server Exploits Protection from deceptive websites, malicious code, online fraud, identity theft Browser & Web Server Exploits Protection from deceptive websites, malicious code, online fraud, identity theft Protection from harm Secure Development Lifecycle Extended Validation (EV) SSL certs SmartScreen ® Filter Domain Highlighting XSS Filter/ DEP/NX ClickJacking Prevention ActiveX® Controls Internet Explorer 8 Security

RMSBitLocker User-based file and folder encryption Ability to store EFS keys on a smart card EFS Easier to configure and deploy Roam protected data between work and home Share protected data with co-workers, clients, partners, etc. Help Protect Data Policy definition and enforcement Helps protect information wherever it travels Integrated RMS Client

BitLocker Extend BitLocker drive encryption to removable devices Create group policies to mandate the use of encryption and block unencrypted drives Simplify BitLocker setup and configuration of primary hard drive Dual partition configuration of primary hard drive for IT End user friendliness and discoverability Corporate control over ubiquitous, cheap, small, high capacity removable storage devices +

BitLocker BitLocker EnhancementsBitLocker Enhancements Automatic 100 Mb hidden boot partitionAutomatic 100 Mb hidden boot partition New Key ProtectorsNew Key Protectors Domain Recovery Agent (DRA)Domain Recovery Agent (DRA) Smart card – data volumes onlySmart card – data volumes only BitLocker To GoBitLocker To Go Support for FAT*Support for FAT* Protectors: DRA, passphrase, smart card and/or auto-unlockProtectors: DRA, passphrase, smart card and/or auto-unlock Management: protector configuration, encryption enforcementManagement: protector configuration, encryption enforcement Read-only access on Windows Vista & Windows XPRead-only access on Windows Vista & Windows XP SKU AvailabilitySKU Availability Encrypting – EnterpriseEncrypting – Enterprise Unlocking – AllUnlocking – All

BitLocker

Fundamentally Secure Platform Protect Users & Infrastructure Windows Vista Foundation Streamlined User Account Control Enhanced Auditing Helping Secure Anywhere Access Windows 7 Enterprise Security Building upon the security foundations of Windows Vista ®, Windows ® 7 provides IT Professionals security features that are simple to use, manageable, and valuable. Help Protect Data Network Security Network Access Protection DirectAccess TM AppLocker TM Internet Explorer® 8 Data Recovery RMSEFS BitLocker ™ & BitLocker To Go TM

Sessions On-Demand & Community Resources for IT Professionals Resources for Developers Microsoft Certification & Training Resources Resources

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.