
9/17/2018 12:47 PM
Security Management for Dynamic virtual systems with Server 2008 and System Center (these are the hand-outs)
Steve Lamb, IT Pro Evangelist, Microsoft Ltd


2 Security Management for Dynamic virtual systems with Server 2008 and System Center (these are the hand-outs)
Steve Lamb, IT Pro Evangelist, Microsoft Ltd
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Agenda
- Is Virtualisation GOOD or BAD for Information Security?
- Dynamically moving workloads across a server farm
- Making the most of de-perimeterised access
- Secure Mobile Device Management
- Conclusion

4 Is Virtualisation GOOD or BAD for Information Security?

5 Is Virtualisation Good or Bad for Information Security?
It depends!

6 What threats can virtualisation help mitigate?
- Separation / isolation
- Fine-grained control over "what can see what"

7 What are the new threats?
- Additional complexity
  - Potentially new tools to learn
  - Some vendors have an entirely different way of managing VMs
- Possibility of vulnerabilities in the virtualisation layer
- Sensitive data could be paged out to disk: the software designer may have assumed that data held in RAM was more secure than data on disk
- Complexity is often the enemy of security
- System Center can manage BOTH Virtual AND Physical Machines; System Center Virtual Machine Manager is the only difference

8 One Ring to Rule them All
- Own / compromise the hypervisor and everything's wide open
- Two schools of thought for hypervisor architecture
- Yes, the title IS a Lord of the Rings reference!
- We do extensive code review (via the Security Development Lifecycle) and don't put drivers or ANY third-party code in our hypervisor, to reduce the likelihood of code vulnerabilities

9 Hyper-V Architecture
Diagram labels (slide marked MICROSOFT CONFIDENTIAL): Windows hypervisor at Ring -1 on "Designed for Windows" Server Hardware; Parent Partition running Windows Server 2008 (user mode: VM Worker Processes, WMI Provider, VM Service; kernel mode: Windows Kernel, VSP, IHV Drivers); Child Partitions (Windows Server 2003 / 2008 with Windows Kernel and VSC; Xen-Enabled Linux Kernel with Linux VSC and Hypercall Adapter; Non-Hypervisor Aware OS with Emulation); VMBus linking the partitions; Applications in each partition. Legend "Provided by": OS, ISV / IHV / OEM, Microsoft Hyper-V, Microsoft / XenSource.
- Discuss the trust boundaries
- Compromise the Hypervisor and everything above is wide open
- Explain how the VMBus works at a high level: compromise the VMBus and everything that uses it is wide open
- Explain how the "parent partition" interacts with the "child partitions": compromise the "parent partition" and the children are wide open

10 What's just the same as before?
- Compromise the kernel (of a VM) and the entire VM is wide open
- Installing software by an untrusted 3rd party opens up the system
- Installing software at any layer (hypervisor, parent, children; in kernel or user mode) written by someone you have no reason to trust means you can't trust the system

11 What approaches can help secure the system?
- Least privilege
- IPSec
- Ensure policy compliance via NAP
Notes:
- IPSec to force devices to authenticate one another
- Use the principle of least privilege
- Only install software you have a reason to trust. Whether commercial or Open Source you must trust the author(s); everything that depends upon the software you add could be left wide open
- Ensure policy compliance: Network Access Protection can be a huge help
- Keep things as simple as possible
- Add functionality as high up the stack as possible: don't install functionality in the "Parent" that could reside in a VM, it's easier to isolate/manage/shut off that way. This includes operating system components
- Consider the security vulnerability of architectures (unlike Hyper-V) that include 3rd-party drivers in the hypervisor
- Make the most of Forefront Client Security to keep (virtual) systems in compliance
- System Center Data Protection Manager is fantastic with VMs as it can take backups of running machines and just push block-level changes across the wire

12 How to proceed?
- Virtualisation is not a silver bullet for security problems
- Nor is it a nightmare
- It just changes the threat landscape
- Carefully consider the impact on trust boundaries and the knock-on effect of compromised security at layers underneath the applications: the deeper down the stack, the worse the impact

13 Dynamically moving workloads across a server farm

14 VM Placement: Host Ratings
Host Rating = (Free CPU * CPU Weight) + (Free Memory * Memory Weight) + (Free Disk * Disk Weight) + (Free Network * Network Weight)
Host Rating equals 0 if any of the thresholds has been violated.
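The rating formula above, carried through as an added example (this is not SCVMM's own code or API; the slide gives only the formula). The example assumes that free capacity is expressed as a fraction of the host's total, that the four weights are chosen by the administrator, and that a "threshold" means a minimum fraction that must remain free after the candidate VM is placed; the slide does not define thresholds, so that reading is an assumption. Hosts, weights and demands are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Resources:
    """CPU, memory, disk and network as fractions of the host's total (0.0 to 1.0).
    Used both for a host's free capacity and for a VM's demand."""
    cpu: float
    memory: float
    disk: float
    network: float


@dataclass(frozen=True)
class PlacementPolicy:
    weights: Resources     # the four weights in the slide's formula
    thresholds: Resources  # assumed: minimum fraction that must stay free after placement


RESOURCE_NAMES = ("cpu", "memory", "disk", "network")


def host_rating(free: Resources, demand: Resources, policy: PlacementPolicy) -> float:
    """Slide formula: sum of (free resource * weight), or 0 if any threshold is violated.

    Assumption (not stated on the slide): a threshold is violated when placing the
    candidate VM would leave less than the threshold fraction free on the host.
    A host with lots of CPU but too little memory therefore rates 0, not "pretty good".
    """
    for name in RESOURCE_NAMES:
        remaining = getattr(free, name) - getattr(demand, name)
        if remaining < getattr(policy.thresholds, name):
            return 0.0
    rating = (free.cpu * policy.weights.cpu
              + free.memory * policy.weights.memory
              + free.disk * policy.weights.disk
              + free.network * policy.weights.network)
    return round(rating, 4)


def rank_hosts(hosts: Dict[str, Resources], demand: Resources,
               policy: PlacementPolicy) -> List[Tuple[str, float]]:
    """Rate every host for the candidate VM, best first. Zero-rated hosts sort last."""
    rated = [(name, host_rating(free, demand, policy)) for name, free in hosts.items()]
    return sorted(rated, key=lambda item: item[1], reverse=True)


def choose_host(hosts: Dict[str, Resources], demand: Resources,
                policy: PlacementPolicy) -> Optional[str]:
    """Return the best host, or None when every host violates a threshold."""
    name, rating = rank_hosts(hosts, demand, policy)[0]
    return name if rating > 0 else None


# Constructed sample data: weights favour CPU, then memory; keep 10% of everything free.
POLICY = PlacementPolicy(
    weights=Resources(cpu=0.4, memory=0.3, disk=0.2, network=0.1),
    thresholds=Resources(cpu=0.1, memory=0.1, disk=0.1, network=0.1),
)
VM_DEMAND = Resources(cpu=0.2, memory=0.25, disk=0.05, network=0.05)
HOSTS = {
    "hostA": Resources(cpu=0.6, memory=0.5, disk=0.5, network=0.8),
    "hostB": Resources(cpu=0.4, memory=0.75, disk=0.6, network=0.9),
    "hostC": Resources(cpu=0.8, memory=0.125, disk=0.9, network=0.95),  # memory too low
}

if __name__ == "__main__":
    for name, rating in rank_hosts(HOSTS, VM_DEMAND, POLICY):
        print(f"{name}: {rating}")
    print("placement:", choose_host(HOSTS, VM_DEMAND, POLICY))
```

hostC has the most free CPU of the three but would drop below the memory threshold once the VM landed, so the threshold rule zeroes it out regardless of its other scores; that is the property to check when tuning weights, since a high weight on one resource cannot override a violated threshold.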

15 Making the most of de-perimeterised access

16 Where is the boundary?

17 How do you know a system is healthy?

18 Secure Mobile Device Management

19 Core Feature Areas: Security Management, Device Management, Mobile VPN
System Center Mobile Device Manager will enable Windows Mobile phones to be deployed and managed (device and security) like PCs and laptops in the IT infrastructure, providing network access to corporate data.
Security Management
- Active Directory Domain Join
- Policy enforcement using Active Directory/Group Policy targeting (>130 policies and settings)
- Communications and camera disablement*
- File encryption
- Application allow and deny
- Remote wipe
- OMA-DM compliant
Device Management
- Single point of management for mobile devices in the enterprise
- Full OTA provisioning and bootstrapping
- OTA software distribution based on WSUS 3.0
- Inventory
- SQL Server 2005 based reporting capabilities
- Role-based administration
- MMC snap-ins and PowerShell cmdlets
- WMU On/Off control
- OMA-DM compliant
Mobile VPN
- Machine authentication and "double envelope security"
- Session persistence
- Fast reconnect
- Internetwork roaming
- Standards-based (IKEv2, IPsec tunnel mode)

20 Group Policy Flow
Diagram labels: Group Policy Editor; GPMC (Modeling, Results); SYSVOL; System Centre Mobile Device Manager Server (Group Policy Driver, OMA Proxy Engine, SCMDM Internal DB); Windows Mobile Device

21 Bringing it all together
Diagram zones: DMZ, Corpnet, WWAN, Internet

22 Conclusion

23 Steve Lamb, IT Pro Evangelist,
Microsoft Ltd

24 Here’s where to find out more

25 Reference Material 9/17/2018 12:47 PM

26 System Center Virtual Machine Manager
Virtualization Management Capabilities (matrix columns: Virtual Machine Manager, Operations Manager, Configuration Manager, Data Protection)
- Server consolidation through virtual migration
- Virtual machine provisioning and configuration
- Server health monitoring, management
- Performance reporting, analysis
- Patch management, software upgrades
- Virtual machine backup and restore
- Disaster Recovery

27 Virtual Machine Management
Hardware Consolidation
- Increase utilization by running multiple applications on a single physical server
- Reduce power and real estate costs
Business Continuity and Rapid Recovery
- Manage and reduce planned or unplanned downtime
- Quickly recover an entire system after data loss or corruption
Dev/Test Environments
- Simplify and streamline movement from test to production
- Consolidate dev/test H/W and improve lab server provisioning
Dynamic Data Center
- Optimize use of available resources
- Scale Up / Scale Out

28 Windows Server Virtualization
- Greater scalability and improved performance: x64 host and guest support; SMP support
- Increased reliability and security: minimal trusted code base; Windows running a foundation role
- Better flexibility and manageability: new UI / integration with SCVMM
Diagram labels: VM 1 "Parent", VM 2 "Child", VM 3 "Child" on the Windows Hypervisor over AMD-V / Intel VT hardware; VM 2, VM 3 on Virtual Server 2005 R2 over Windows Server 2003; Virtual Hard Disks (VHD)

29 SCVMM At a glance
- Host Groups
- Context Sensitive Actions
- VM Views
- Centralized Library
- Live Thumbnail

30 SCVMM Test/Dev Deployment
Diagram labels: Single Physical Server hosting the SCVMM Agent, VMs and the Centralized Library; Administrator Console (Windows® PowerShell); Delegated Provisioning UI

31 SCVMM Corporate Deployment
Diagram labels: Administrator Console (Windows® PowerShell); Web-based Delegated Provisioning UI; Library Server; Virtual Machine Hosts

32 SCVMM Enterprise Deployment
Diagram labels: Administrator Console (Windows® PowerShell); Web-based Delegated Provisioning UI; a Library Server and Virtual Machine Hosts at each site (London, Singapore); sites joined over WAN Infrastructure

33 Components
- Virtual Machine Manager (VMM) Engine Server: VMM Engine running on a dedicated server
- VMM System Console
- VMM Agent: installed on the Virtual Server host machines; communicates with the VMM Engine
- Library Server: file store for the virtual infrastructure building blocks
- SQL Server: stores the configuration and discovery information
- Interfaces: Admin UI, Web, Command line

34 Network Access Protection
Diagram zones: Internet, Boundary Zone, Intranet; actors: Employees, Partners, Vendors, Customers, Remote Employees
Network Access Protection is a policy-based solution that:
- Validates whether computers meet health policies
- Limits access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain health state
Solution highlights
- Standards-based
- Plug and Play: works with most devices
- Supports multiple antivirus solutions
- Has become the standard for Network Access Control
Network Access Protection (NAP) is a policy enforcement platform that allows better protection of network assets by enforcing compliance with system health requirements. With Network Access Protection, administrators can create customized health policies to validate computer health before allowing access or communication, automatically update compliant computers to ensure ongoing compliance, or limit the access of noncompliant computers to a restricted network until they become compliant. Network Access Protection functions on four levels. It:
- Validates compliance to health and security policy
- Restricts access to the network resources based on that compliance
- Automatically remediates clients to a compliant health state
- Ensures the client's ongoing compliance to policy

35 Network Access Protection: How It Works
Diagram labels: Policy Servers (e.g., Patch, AV); Microsoft NPS; Remediation Servers (e.g., Patch); Restricted Network; Corporate Network; DHCP, VPN, Switch/Router
- Access requested; health state sent to NPS (RADIUS)
- NPS validates against health policy
- If compliant, access granted
- If not compliant, restricted network access and remediation
Network Access Protection Functionality
Microsoft built the Network Access Protection platform with client and server components. The client side is built into Windows Vista and will be included in Windows XP SP3. The server components are being shipped with Windows Server 2008. The NAP platform functions in real time. It recognizes, quarantines and minimizes threats before they even reach the network. What happens to a client when it tries to access the network in a NAP-enabled world? Let's go through the process. (Follow slide build.)
- Health check: the client requests access to the network and presents its current health state.
- DHCP, VPN or Switch/Router relays the health status to Microsoft Network Policy Server (RADIUS).
- Endpoints are checked by Network Policy Server (NPS) for update level, antivirus, and other criteria as defined by policy. Changes in policy or client health state may trigger the scan-and-remediate process to keep the client up to date.
- If policy compliant, the client is granted full access to the corporate network.
- Network restriction and remediation: clients that do not pass may be blocked from accessing the network. Restricted clients may be given access to remediation resources to get healthy. The cycle starts over (repeat steps 1-4).
Examples of a healthy client: security agent present; firewall running; BIOS intact; latest OS patches; up-to-date antivirus; no malware detected; only approved applications installed.
Examples of an unhealthy client: disabled security agent; no firewall running; BIOS irregularities; missing patches; outdated antivirus signatures; scans detect malware.
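The validate / restrict / remediate / re-check cycle described on slides 34 and 35, as an added example (not Microsoft's NAP code, nor its real Statement of Health or NPS interfaces). The health fields mirror the slide's healthy and unhealthy client examples; the policy value for signature age, the simulated remediation servers, and the sample clients are constructed assumptions. The one deliberate edge case: a client on which a scan detected malware is not cleared by automatic remediation and stays on the restricted network until an operator deals with it, which is the behaviour a practitioner would want from a real deployment.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class HealthState:
    """Constructed health statement a client presents when it requests access.
    The fields follow the slide's healthy/unhealthy client examples."""
    security_agent_enabled: bool
    firewall_running: bool
    missing_patches: Tuple[str, ...]
    av_signature_age_days: int
    malware_detected: bool


@dataclass(frozen=True)
class HealthPolicy:
    max_av_signature_age_days: int = 7  # assumed policy value, not from the slides


def validate(state: HealthState, policy: HealthPolicy) -> List[str]:
    """The NPS step: compare the presented state with policy, return the failed checks."""
    failures: List[str] = []
    if not state.security_agent_enabled:
        failures.append("security agent disabled")
    if not state.firewall_running:
        failures.append("firewall not running")
    if state.missing_patches:
        failures.append("missing patches: " + ", ".join(state.missing_patches))
    if state.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append("antivirus signatures outdated")
    if state.malware_detected:
        failures.append("malware detected")
    return failures


def decide(state: HealthState, policy: HealthPolicy) -> Tuple[str, List[str]]:
    """Access decision: ("full", []) when compliant, else ("restricted", failures)."""
    failures = validate(state, policy)
    return ("full", []) if not failures else ("restricted", failures)


def remediate(state: HealthState) -> HealthState:
    """Simulated remediation servers reachable from the restricted network.
    Assumption: the patch server installs missing patches, the AV server refreshes
    signatures, and the agent re-enables itself and the firewall. A detected
    infection is deliberately NOT auto-cleared, so the client stays restricted."""
    return replace(state, missing_patches=(), av_signature_age_days=0,
                   firewall_running=True, security_agent_enabled=True)


def access_cycle(state: HealthState, policy: HealthPolicy,
                 max_rounds: int = 3) -> List[Tuple[str, List[str]]]:
    """Run request -> validate -> (remediate -> request again) and return one
    decision per round; stops early once full access is granted."""
    history: List[Tuple[str, List[str]]] = []
    for _ in range(max_rounds):
        decision = decide(state, policy)
        history.append(decision)
        if decision[0] == "full":
            break
        state = remediate(state)
    return history


# Constructed sample clients. "KB-PLACEHOLDER-1" is a placeholder patch id, not a real update.
POLICY = HealthPolicy()
HEALTHY = HealthState(True, True, (), 1, False)
UNPATCHED = HealthState(True, False, ("KB-PLACEHOLDER-1",), 30, False)
INFECTED = HealthState(False, True, (), 2, True)

if __name__ == "__main__":
    for label, client in (("healthy", HEALTHY), ("unpatched", UNPATCHED), ("infected", INFECTED)):
        for round_no, (outcome, why) in enumerate(access_cycle(client, POLICY), start=1):
            print(f"{label} round {round_no}: {outcome} {why}")
```

The history returned by access_cycle is the audit trail a detection team would expect to see from the enforcement point: the unpatched client is restricted exactly once and then admitted, while the infected client is restricted on every round with "malware detected" as the persisting reason.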

