Transcript Enhanced Security - Center

Andrej Budja | Tehnološki svetovalec | Microsoft Slovenija
Offerings By Customer Segment
For Consumers
For Emerging Markets
For Small
Businesses
For Medium and
Large Businesses
Offerings By Channel
Packaged Product
at Retail (FPP)
OEM Pre-installed PCs
& System Builder PCs
Volume Licensing
SA/EA Benefit
OEM Pre-installed PCs in
emerging market countries in
addition to mainstream SKUs
Versions
Features &
Services
Security & Perf
Enhancements
Search & Organize
Enhancements
Peer-to-Peer
Collaboration
Join Only
Scheduled &
Networked Backup
AERO UI
Enhancements
Media Center &
Extender Capability
Tablet / Auxiliary
Disp. Enhancement
VLK Compatible
Subsystem for Unix
Applications
BitLocker™ Drive
Encryption
Multi-Language
Support
4 Virtual OS
Licenses
Availability
OEM, FPP
OEM, FPP
OEM, FPP, VL
VL (SA Only)
OEM, FPP, VL
(SA Only)
• Vista Capable PC
• 512 MB RAM
• CPU 800 MHz
• Vista Premium Ready PC
• 1 GB RAM
• 1 GHz CPU
• 128 MB graphic card, WDDM drivers
• Aero:
• 64 MB of VRAM
• DirectX 9 Support with Pixel Shader 2 support
• AGP 4x or better
• 8.5 GB free disk space on x86, 14 GB free on x64
• http://www.microsoft.com/technet/windowsvista/evalu
Internet Explorer 7
Social Engineering Protections
Phishing Filter and Colored Address Bar
Dangerous Settings Notification
Secure defaults for IDN
Protection from Exploits
Unified URL Parsing
Code quality improvements (SDLC)
ActiveX Opt-in
Protected Mode to prevent malicious software
ActiveX Opt-in And Protected Mode
Defending systems from malicious attack
•
•
•
•
•
•
•
•
ActiveX Opt-in puts users in control
Reduces attack surface
Previously unused controls disabled
Retain ActiveX benefits, increase user
security
Protected Mode reduces severity of threats
Eliminates silent malware install
IE process ‘sandboxed’ to protect OS
Designed for security and compatibility
Disabled
User Controls
Enabled
Controls Action
Windows
ActiveX Opt-in
Low Rights
User
Action
IE
Cache
Broker
Process
My Computer (C:)
Protected Mode
Phishing Filter
Dynamic Protection Against Fraudulent Websites
• 3 “checks” to protect users from phishing scams:
1.Compares web site with local list of known legitimate sites
2.Scans the web site for characteristics common to phishing sites
3.Double checks site with online Microsoft service of reported phishing
sites updated several times every hour
Two Levels of Warning and Protection
in IE7 Security Status Bar
Level 1: Warn
Suspicious Website
Signaled
Level 2: Block
Confirmed Phishing Site
Signaled and Blocked
IE6 running with Admin Rights
Admin-Rights Access
Install a driver,
Run Windows Update
Exploit can install
MALWARE
IE6
HKLM
Program Files
User-Rights Access
Change Settings,
Download a Picture
Exploit can install
MALWARE
HKCU
My Documents
Startup Folder
Temp Internet Files
Cache Web content
Untrusted files & settings
User Account Control
• Goal: Allow businesses to move to a better-managed
desktop and consumers to use parental controls
• Make the system work well for standard users
•
•
•
•
Allow standard users to change time zone and power management
settings, add printers, and connect to secure wireless networks
High application compatibility
Make it clear when elevation to admin
is required and allow that to happen
in-place without logging off
High application compatibility with
file/registry virtualization
• Administrators use full
privilege only for administrative
tasks or applications
• User provides explicit consent
before using elevated privilege
Vista Integrity model
• Low, Medium, High, System
• Processes with low integrity cannot communicate
with processes with higher integrity
• IE only in Low integrity write only in low int.
folders
• Normal apps in Medium integrity
• Admin apps in High integrity
• Default is medium
Windows Service Hardening
Defense in depth
•
•
•
Services run with reduced
privilege compared to
Windows XP
Windows services are
profiled for allowed
actions to the network,
file system, and registry
Designed to block attempts by
malicious software to make a
Windows service write to an
area of the network, file system,
or registry that isn’t part of that
service’s profile
Service Hardening
File system
Registry
Active
protection
Network
• Reduce size of
high risk layers
• Segment the
services
• Increase #
of layers
Service
…
Service
1
D
Service
A
Service
…
D
D
Service
2
Service
3
Service
B
D Kernel Drivers
D User-mode Drivers
D
D
D
Windows Vista Firewall
•
Combined firewall and IPsec
management
•
•
•
Firewall rules become more intelligent
•
•
•
Specify security requirements such as
authentication and encryption
Specify Active Directory computer or
user groups
Outbound filtering
•
•
New management tools – Windows
Firewall with Advanced Security
MMC snap-in
Reduces conflicts and coordination
overhead between technologies
Enterprise management feature – not
for consumers
Simplified protection policy reduces
management overhead
Windows Resource Protection
•
•
•
•
Windows protecting itself
Files, folders, registry and other system objects
Only OS can update the protected resources
Applications cannot change system registry or
system files and cannot write to system folder
Authentication Improvements
• Plug and Play Smart Cards
• Drivers and Certificate Service Provider (CSP) included in
Windows Vista
• Login and credential prompts for User Account Control all
support Smart Cards
• New logon architecture
• GINA (the old Windows logon model) is gone.
• Third parties can add biometrics, one-time password tokens,
and other authentication methods to Windows with much less
coding
BitLocker™ Drive Encryption
• Designed specifically to prevent
a thief who boots another
Operating System or runs a
hacking tool from breaking
Windows file and system
protections
• Provides data protection on your
Windows client systems, even
when the system is in
unauthorized hands or is
running a different or exploiting
Operating Ssystem
• Uses a v1.2 TPM or USB flash
drive for key storage
BitLocker
Spectrum Of Protection
Ease of Use
BDE offers a spectrum of protection allowing
customers to balance ease-of-use against the
threats they are most concerned with.
TPM Only
“What it is.”
Protects against:
SW-only attacks
Vulnerable to: HW
attacks (including
potentially “easy”
HW attacks)
Dongle Only
“What you have.”
Protects against:
All HW attacks
Vulnerable to:
Losing dongle
Pre-OS attacks
*******
TPM + PIN
“What you know.”
Protects against:
Many HW attacks
Vulnerable to: TPM
breaking attacks
Security
TPM + Dongle
“Two what I
have’s.”
Protects against:
Many HW attacks
Vulnerable to: HW
attacks
Other security changes (1)
• Power Users group = normal users now
• Local Administrator - disabled by default
• Help and Support accounts - gone
• New groups
• Services have SIDs
• 3000 GPO settings
• Multiple local GPOs (Local, admin, non-admin,
user)
• GP settings for Removable Devices (read/write)
• EFS cert on smartcard
Other security changes (2)
•
•
•
•
•
•
•
•
Offline files encrypted per user
Encrypted pagefile
AES and SHA-2 in kernel
IPSec support for AES
Cached credentials secured
AuthIP – IPSec rules by user
SMBv2 – client-side file encryption
Volume Shadow Copies – Previous Versions
Typical Compatibility Failures
• Assumption of running as admin
• Using old system features
• Tied to OS version
• Using internal system calls and data
structures
• Latent bugs
Changes
• User Account Control
• Internet Explorer
• Updates as admin!
• New TCP/IP stack
• GINA – replaced by Credential Provider
• Biometrics
• VPN
• Smart card readers
• New display driver model
• Users folder instead of Documents and
Settigns
Redirection
• Files, registry keys are redirected when written to
privileged areas
• Redirection per user – VirtualStore folder
• App doesn’t know it was redirected
• Apps that don’t know anything about UAC will
just work
• Apps running as Admin will not get redirection
Application Compatibility
•
•
•
•
Windows Vista Program Compatiblity Assistant
Application Compatibility Toolkit 5.0 (Beta)
Windows Application Toolkit 4.1
Microsoft Standard User Analyzer
• Windows Vista Upgrade Advisor
• Virtual PC
• http://www.microsoft.com/technet/windowsvista/appc
ompat/tools.mspx
• http://www.microsoft.com/technet/windowsvista/appc
ompat/default.mspx
Deployment
• WIM – file-based image format
• One image per platform – x86, x64
• Nondestructive imaging
• Several images inside one image file
• One XML unattended answer file
• Offline editing of image file – patches, drivers
• Image file mouting to the file system
Event Viewer
• Know where to look
Central logging of events
Events unified in single viewer
High-level Event Summary
• Find what you need
Enhanced filtering
Define and save views
Default views for common scenarios
Know what to do
Richer data and documentation
Easy-to-use task integration in Event Viewer
Manage centrally
Event forwarding
View multiple logs from one machine
• Control information flow
Enable/disable detailed logging to troubleshoo
Reliability Analysis Comp.
Analyzes, aggregates, and correlates user
disruptions for the OS and applications
Tracks frequency and cause of user
disruption
Exposes reliability metrics and results to the
IT Administrator, to health monitoring
applications and, by customer choice, to MS
Product Feedback
Performance
SuperFetch
Intelligent memory management
lets you access your data more
quickly
Optimizes based on usage
patterns over time
EMD
Takes advantage of USB 2.0 drive
for additional memory cache
Substantially improves
responsiveness – without
upgrading RAM
Low-Priority I/O
User apps have priority over
background processes for hard
drive access
Search indexing, virus scans and
auto defrag run in the background
without impacting performance
Windows Vista Security
Summary
Threat and
Vulnerability Mitigation
IE –protected mode/antiphishing
Windows Defender
Bi-directional Firewall
IPSEC improvements
Network Access Protection
(NAP)
Fundamentals
SDL
Service Hardening
Code Scanning
Default configuration
Code Integrity
Identify and
Access
Control
User Account Control
Plug and Play Smartcards
Simplified Logon
architecture
Bitlocker
RMS Client
Q&A