Yaniv Feldman Senior Infrasec Architect Microsoft Security Regional Director

SecurityWebVirtualization Reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability Delivers rich web-based experiences efficiently and effectively Provides unprecedented levels of protection for your network, your data, and your business

Development Process Secure Startup and shield up at install Code integrity Windows service hardening Inbound and outbound firewall Restart Manager Improved auditing Network Access Protection Event Forwarding Policy Based Networking Server and Domain Isolation Removable Device Installation Control Active Directory Rights Management Services Security Compliance

DD D Reduce size of high risk layers Segment the services Increase # of layers Kernel Drivers D D User-mode Drivers D DD Service1 Service2 Service3 Service … Service… ServiceA ServiceB

Windows ® XP SP2/Server 2003 R2 LocalSystem Windows Vista/Server "Longhorn" Network Service Local Service LocalSystem Firewall Restricted LocalSystem Firewall Restricted Network Service Network Restricted Network Service Network Restricted Local Service No Network Access Local Service No Network Access LocalSystem Network Service Fully Restricted Network Service Fully Restricted Local Service Fully Restricted Local Service Fully Restricted

Combined firewall and IPsec management Firewall rules become more intelligent Policy-based networking

Only a subset of the executable files and DLLs installed No GUI interface installed 9 available Server Roles Can be managed with remote tools

Customization Troubleshooting Administration True application deployment Application and health management

Arsenal of Admin Tools Delegated Management Secure Remote Management Shared Config for Web Farms Better Tools Intuitive, Task Oriented GUI.NET Management API Unified WMI Provider for IIS/ASP.NET Powerful Command Line Support Rich Runtime State Information Automatic Failure Tracing & Logging Site Owner Web.config XML DelegationDelegation XCopy Deploy Administrator Internet Manage Remotely Secure HTTPS AppHost.config XML Shared Config Shared App Hosting Web Farm App

Group Policy allows central encryption policy and provides Branch Office protection Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System Uses a v1.2 TPM or USB flash drive for key storage Full Volume Encryption Key (FVEK) Encryption Policy

AD RMS protects access to an organization’s digital files AD RMS in Windows Server 2008 includes several new features Improved installation and administration experience Self-enrollment of the AD RMS cluster Integration with AD Federation Services New AD RMS administrative roles Information Author The Recipient

AD FS provides an identity access solution Deploy federation servers in multiple organizations to facilitate business-to- business (B2B) transactions AD FS provides a Web- based, SSO solution AD FS interoperates with other security products that support the Web Services Architecture AD FS improved in Windows Server 2008 Web Server Account Federation Server Resource Federation Server Adatum Contoso Federation Trust

Main Office Branch Office RODC

Enterprise PKI (PKIView) Online Certificate Status Protocol (OSCP) Network Device Enrollment Service Web Enrollment

Cryptography Next Generation (CNG) Includes algorithms for encryption, digital signatures, key exchange, and hashing Supports cryptography in kernel mode Supports the current set of CryptoAPI 1.0 algorithms Support for elliptic curve cryptography (ECC) algorithms Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data

Internet Perimeter Network Corporate Network Remote/ Mobile User Terminal Services Gateway Network Policy Server Active Directory DC Tunnels RDP over HTTPs Strips off RDP / HTTPs Terminal Servers and other RDP Hosts RDP traffic passed to TS Internet

Remediation Servers Example: Patch Restricted Network Windows Client Policy compliant NPS DHCP, VPN Switch/Router Policy Servers such as: Patch, AV Corporate Network Not policy compliant What is Network Access Protection? Health Policy Validation Health Policy Compliance Ability to Provide Limited Access Enhanced Security Increased Business Value

11 Remediation Servers Example: Patch Restricted Network 11 Windows Client DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS) Network Policy Server (NPS) validates against IT- defined health policy 44 If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4) Not policy compliant 55 If policy compliant, client is granted full access to corporate network Policy compliant NPS DHCP, VPN Switch/Router 44 Policy Servers such as: Patch, AV Corporate Network 55 Client requests access to network and presents current health state

Policy based – was network access allowed Health based - % compliant per SHA

Windows 2008 Home Windows Server 2008 Technical Library b0f1a1-54aa-4cef e8bcc mspx?mfr=true Network Access Protection us/network/bb aspx Terminal Services /terminal-services/default.mspx

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.