Download presentation
Published byClyde Richard Modified over 9 years ago
1
virtual techdays Desktop Security with Windows 7 AppLocker & BitLocker to Go Aviraj Ajgekar│ Technology Evangelist │Microsoft Corporation Blog: │
2
Agenda BitLocker enhancements and capabilities
Trusted Module Management PINs Encrypt Data Volumes and Removable storage devices Recover Encrypted Data AppLocker Enforce Rules & Audit Only Mode AppLocker Management using PowerShell AppLocker Architecture AppLocker Deployment Best Practices AppLocker Vs Software Restriction Policies
3
BitLocker & BitLocker to Go
4
Overview of BitLocker +
Extend BitLocker drive encryption to removable devices Create group policies to mandate the use of encryption and block unencrypted drives Simplify BitLocker setup and configuration of primary hard drive
5
New Features of BitLocker
Improved Setup Wizard Automatic 200MB hidden boot partition New Key Protectors BitLocker To Go Support for FAT Protectors: DRA, passphrase, smart card and/or auto-unlock New GPOs to improve enterprise management Edition Availability BitLocker To Go Reader
6
Trusted Platform Module (TPM)
Version 1.2 or later BIOS Trusted Computing Group BIOS Physical presence interface Memory overwrite on reset Immutable CRTM or secure update USB System boot from USB 1.x and 2.x USB read/write in pre-operating system environment Hard Disk Requires at least two partitions Separate partitions for System and OS
7
DEMO Configuring the Trusted Platform Module Set Ownership of the TPM
Block or Allow TPM Commands Turn Off and Clear TPM
8
DEMO Configuring BitLocker Group Policy Settings
Enable BitLocker Encryption Without a TPM Configure BitLocker Group Policy Settings
9
Operating System Volume
Disk Layout and Key Storage Operating System Volume Contains Encrypted OS Encrypted page file Encrypted temp files Encrypted data Encrypted hibernation file Where’s the Encryption Key? SRK (Storage Root Key) contained in TPM SRK encrypts the VMK (Volume Master Key) VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryption FVEK and VMK are stored encrypted on the Operating System Volume VMK FVEK 2 SRK 3 Operating System Volume 1 4 System Volume Contains MBR Boot Manager Boot Utilities System
10
BitLocker on Removable Drives
Drive Type Removable data drives USB flash drives External hard drives Unlock Methods Passphrase Smart card Automatic unlocking Recovery Methods Recovery password Recovery key Active Directory backup of recovery password Data Recovery Agent Management Robust and consistent group policy controls Ability to mandate encryption prior to granting write access File Systems NTFS FAT FAT32 ExFAT
11
DEMO Encrypting Drives Using BitLocker and BitLocker To Go
Add a Data Recovery Agent Encrypt FAT-Formatted Disk Drive Configure BitLocker To Go
12
DEMO Using the Manage-BDE Command-Line Tool
Encrypt and Decrypt a Drive Using Manage-BDE
13
Lost or forgotten authentication methods
Data Recovery Scenarios Lost or forgotten authentication methods Upgrade to core files Broken hardware Deliberate attack
14
Windows Recovery Environment
Data Recovery Methods Develop Strategy Active Directory Data Recovery Agents Windows Recovery Environment
15
DEMO Managing and Recovering Data Unlock FAT-Formatted Drive
Manage and Decrypt BitLocker Protected Disk Drive
16
AppLocker
17
Application Control - Situation Today
Users can install and run non-standard applications Even standard users can install some types of software Unauthorized applications may: Introduce malware Increase helpdesk calls Reduce user productivity Undermine compliance efforts
18
Windows 7 AppLockerTM Eliminate unwanted/unknown applications in your network Enforce application standardization within your organization Easily create and manage flexible rules using Group Policy
19
DEMO AppLocker Identity Service AppLocker Audit Only Mode
AppLocker Enforce Rules & Policies AppLocker Custom Error Messages
20
PowerShell Cmdlets Get-AppLockerFileInformation Get-AppLockerPolicy
Core needs scriptable through PowerShell Building blocks for a more streamlined end-to-end experience Inbox cmdlets Get-AppLockerFileInformation Get-AppLockerPolicy Set-AppLockerPolicy New-AppLockerPolicy Test-AppLockerPolicy
21
DEMO AppLocker Management using PowerShell
22
Architectural Overview
Process 1 Process 2 Process 3 AppID/SRP Service LoadLibrary SaferIdentityLevel CreateProcess ntdll SRP UM QueryPolicy ntoskrnl CreateProcess Notification Appid.sys AppID SRP Kernel
23
Deployment Best Practices
Create a desktop lockdown strategy Inventory your applications Select and test rule types (allow / deny) in a lab Define GPO strategy and structure Build a process for managing rules Document your AppLocker design Build reference computers Test and update the policy using audit-only Enable rule enforcement Maintain the policy
24
AppLocker Vs. Software Restriction Policies
25
Session Summary BitLocker enhancements and capabilities
BitLocker to Go for Removable Storage Devices BitLocker Recovery Agents & Tools AppLocker protect digital assets by preventing unwanted software from running AppLocker provides an improved management experience making it easier to maintain a list of approved applications
27
tech·ed Event Overview Microsoft® Event Dates: 23 - 25 March, 2011
India │2011 March 23-25│B a n g a l o r e Event Dates: March, 2011 Event Venue: Lalit Ashok│ Bangalore (India) Attendee Profile: CXO’s:3%│CXO’s -1/-2:13%│Architects : 8%│Developers : 54% │ IT Pro’s : 22% │Students │ Media/Press Event Theme: Learn │Connect │Explore │Evolve What’s in it 4 Audience: Strategic direction in Keynotes│Deep-Dive Technical Training │Free Certification │Software Access │ Networking│ Hands on Labs │Demo X Expected Attendance: 3,500 Tech Audience (onsite) │100,000 Tech Audience (satellite locations) │300 CXO & CXO-1 (onsite)
28
“Stay Ahead of the Game”
Participate & “Stay Ahead of the Game”
29
virtual techdays Thank You
Blog:
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.