May 30 th – 31 st, 2007 Chateau Laurier Ottawa
Getting it Done: Understanding the Security Features of Windows Vista Kai Axford, CISSP, MCSE-Security Sr. Security Strategist Microsoft Corporation
Guidance Developer Tools Systems Management Active Directory Federation Services (ADFS) Identity Management Service s Information Protection Encrypting File System (EFS) BitLocker™ Network Access Protection (NAP) Client and Server OS Server Applications Edge
Service Hardening Windows services are profiled for allowed actions to the network, file system, and registry Services run with reduced privilege compared to Windows XP Designed to block attempts by malware to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile Address Space Location Randomization (ASLR) Activeprotection File system Registry Network Windows Service Hardening
Authentication User Account Control Network Access Protection New Logon Architecture replacing GINA Strong authentication including support for: Smart Cards, Biometrics, and One-time passwords Easier to run as standard user Helps protect against infection Prevents unauthorized installation of software Ensure that only “healthy” machines can access corporate data Enable “unhealthy” machines to get clean before they gain access Enable Secure Access
Shows status of security software and settings Monitor multiple vendors’ security solutions running on a PC Security health platform used by third parties Bi-directional; on by default Key component to enforce service hardening IPSec integration Can be disabled by 3 rd party firewall applications Detection and removal of spyware and other potentially unwanted software Protection of OS extensibility points Protect against damage caused by malware install IE process ‘sandboxed’ to protect OS Designed for security and compatibility IE Protected Mode Windows Defender Windows Firewall Windows Security Center Malware Protection
Windows Vista Firewall Combined firewall and IPSec management New management tools – Windows Firewall with Advanced Security MMC snap-in Reduces conflicts and coordination overhead between technologies Firewall rules become more intelligent Specify security requirements such as authentication and encryption Specify Active Directory computer or user groups Outbound filtering Enterprise management feature – not for consumers Simplified protection policy reduces management overhead
Protecting Data from Unauthorized Viewing Policy definition and enforcement Integrated RMS Client Policy-based protection of document libraries in MOSS2007 User-based file and folder encryption Ability to store EFS keys on a smart card Ability to store EFS keys on a smart card Hardware-enabled data protection Provides full volume encryption Laptop and server scenarios In Windows Vista
How BitLocker Appears in Windows XP
1 2 How BitLocker Appears in Linux 3
Demo Title The 50¢ Vista Security Tour
Guidance Developer Tools Systems Management Active Directory Federation Services (ADFS) Identity Management Service s Information Protection Encrypting File System (EFS) BitLocker™ Network Access Protection (NAP) Client and Server OS Server Applications Edge
One solution for spyware and virus protection Built on protection technology used by millions worldwide Effective threat response One console for simplified security administration Define one policy to manage client protection agent settings Integrates with your existing infrastructure One dashboard for visibility into threats and vulnerabilities View insightful reports Stay informed with state assessment scans and security alerts Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
14 Remove most prevalent viruses Remove all known viruses Real-time antivirus Remove all known spyware Real-time antispyware Central reporting and alerting Customization Microsoft Forefront Client Security MSRT Windows Defender Windows Live OneCare Safety Scanner Windows Live OneCare FOR INDIVIDUAL USERS FOR BUSINESSES
November The 50 ¢ Vista Security Tour
Demo Title Microsoft Forefront Client Security
One console for simplified security administration One policy to manage client protection agent settings, e.g.: Choice of 3 integrated policy profile deployment methods: Microsoft Forefront Client Security Console (uses AD/GP) ADM file (uses AD/GP) Export to a file then use existing software distribution system Anti-spyware unknown action Alert level Event and logging settings SpyNet reporting on/off Level of end-user UI shown Scan schedule Real time protection on/off Signature update frequency Anti-spyware signature overrides Security state assessment settings
Signature deployment optimized for Windows Server Update Services (WSUS) Can use any software distribution system Auto and manual approval of definitions Client Security installs an Update Assistant service to: Increase sync frequency between WSUS and Microsoft Update (MU) for definitions Support for roaming users Failover from WSUS to Microsoft Update Malware Research Microsoft Update WSUS + Update Assistant Sync Sync ® Desktops, Laptops and Servers Failover
User Account Control IE7 with Protected Mode Randomize Address Space Layout Windows Advanced Firewall Kernel Patch Protection (64bit) Unified Virus & Spyware Protection Central Management Reporting, Alerting and State Assessment Infrastructure Software Integration Policy Based Network Segmentation Restrict-To-Trusted Net Communications Server and Domain Isolation (SD&I) Combined Solution Windows Vista™ Forefront™ Client Security
Questions?Questions? Kai Axford, CISSP, MCSE-Security Sr. Security Strategist Microsoft Corporation