BitLocker - Microsoft


WCL313
Windows Vista Security Overview
Mike Chan
Sr. Product Manager
Threat and Vulnerability Mitigation
Fundamentals
Security Development Lifecycle
Threat Modeling and Code Reviews
Windows Service Hardening
IE Protected Mode
Windows Defender
Network Access Protection
IPSec & Bi-Directional FW
Address Space Layout Randomization
Security and Compliance
Identity and Access Control
User Account Control
Plug and Play Smartcards
Granular Auditing
Information Protection
BitLocker™ Drive Encryption
EFS Smartcards
RMS Client
Fundamentals
Improved Security Development Lifecycle (SDL) process for Windows Vista
Periodic mandatory security training
Assignment of security advisors for all components
Threat modeling a part of design phase
Required security reviews and testing
Security metrics for product teams
Common Criteria (CC) Certification
Windows Service Hardening
Defense in depth
Services run with reduced privilege
Windows services are profiled for allowed actions
Designed to block attempts by malicious software to exploit a Windows service
[Diagram: Service Hardening, active protection across File system, Registry, Network]
Threat And Vulnerability Mitigation
Protect against malware and intrusions
Internet Explorer 7
Social Engineering Protections
Phishing Filter and Colored Address Bar
Dangerous Settings Notification
Secure defaults for IDN
Protection from Exploits
Unified URL Parsing
Code quality improvements (SDLC)
ActiveX Opt-in
Protected Mode to prevent malicious software
ActiveX Opt-in And Protected Mode
Defending systems from malicious attack
ActiveX Opt-in puts users in control
Reduces attack surface
Previously unused controls disabled
Retain ActiveX benefits, increase user security
[Diagram: ActiveX Opt-in. Labels: User Action, Windows, Enabled Controls, Disabled Controls]
Protected Mode reduces severity of threats
Eliminates silent malware install
IE process ‘sandboxed’ to protect OS
Designed for security and compatibility
[Diagram: Protected Mode. Labels: User Action, Low Rights, IE Cache, Broker Process, My Computer (C:)]
Windows Defender
Improved Detection and Removal
Redesigned and Simplified User Interface
Protection for all users
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control

One solution for spyware and virus protection

Built on protection technology used by millions worldwide

Effective threat response

Complements other Microsoft security products

One console for simplified security administration

Define one policy to manage protection agent settings

Deploy signatures and software faster

Integrates with your existing infrastructure

One dashboard for visibility into threats and vulnerabilities

View insightful reports

Stay informed with state assessment scans and security alerts
ActiveX Opt-in Internet Explorer Protected Mode with Windows Defender
Mike Chan
Sr Product Manager
Windows Client Division
Windows Vista Firewall
Combined firewall and IPsec management
Firewall rules become more intelligent
Outbound filtering
Simplified protection policy reduces management overhead
Windows Firewall
Network Access Protection
[Diagram: Network Access Protection flow, numbered steps 1 to 5. Labels: Windows Vista Client; DHCP, VPN, Switch/Router; MSFT Network Policy Server; Policy Servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party); Not policy compliant: Restricted Network; Fix Up Servers (e.g. MSFT WSUS, SMS & 3rd party); Policy compliant: Corporate Network]
Enhanced Security
Customer Benefits
All communications are authenticated, authorized & healthy
Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
Policy-based access that IT Pros can set and control
Increased Business Value
Preserves user productivity
Extends existing investments in Microsoft and 3rd party infrastructure
Broad industry partnership
Data Execution Prevention
Address Space Layout Randomization
[Diagram: process memory layout. Stack: Locals, Return Address, Parameters, Previous Frames. Code: Windows Code (LoadLibrary()), Library Code, Application Code]
Identity And Access Control
Enable Secure Access to Information
Challenges
Users running as admin = unmanaged desktops
Viruses and Spyware
Enterprise users can compromise the corporation
Users can make changes that require re-imaging
Line of Business (LoB) applications
System security must be relaxed to run the LoB app
IT Administrators must reevaluate the LoB applications for each OS
Common OS tasks require elevated privilege
Balance usability with security
Can’t change time zone as standard user
Users can’t manage non-sensitive account info
User Account Control
Businesses can move to a better-managed desktop and parental controls for consumers
Make the system work well for standard users
Allow standard users to change relevant settings
High application compatibility with file/registry virtualization
Make it clear when elevation is required
Administrators use full privilege only for admin tasks
User provides explicit consent before using elevated privilege
User Account Access
Improved Auditing
More Granularity
Support for many auditing subcategories
New Logging Infrastructure
Filter out the “noise”
Search and filtering with new XML format
Tasks tied to events
Send an email on an event
Authentication Improvements
Plug and Play Smart Cards
Drivers and Certificate Service Provider (CSP) included in Windows Vista
Login and credential prompts for User Account Control all support Smart Cards
New logon architecture
GINA (the old Windows logon model) is gone.
Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding
Information Protection
Protect Corporate Intellectual Property and Customer Data
Group Policy Control of Devices
Control whether or not device drivers can install
Control what types of devices are allowed (or not)
Control what specific devices are allowed (or not)
Block CD/DVD Burning
Blocking USB Key Install
Information Leakage Is Top-of-mind With Business Decision Makers
Virus infection: 63%
Unintended forwarding of emails: 36%
Loss of mobile devices: 35%
Password compromise: 22%
Email piracy: 22%
Loss of digital assets, restored: 20%
“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach”
Jupiter Research Report, 2004
BitLocker™ Drive Encryption
Designed to prevent a thief from breaking OS
Provides data protection on your Windows client systems, even when the system is in unauthorized hands
Uses a v1.2 TPM or USB flash drive for key storage
BitLocker Spectrum Of Protection
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.
[Diagram axes: Ease of Use, Security]
TPM Only
“What it is.”
Protects against: SW-only attacks
Vulnerable to: HW attacks (including potentially “easy” HW attacks)
Dongle Only
“What you have.”
Protects against: All HW attacks
Vulnerable to: Losing dongle, Pre-OS attacks
TPM + PIN
“What you know.”
Protects against: Many HW attacks
Vulnerable to: TPM breaking attacks
TPM + Dongle
“Two what I have’s.”
Protects against: Many HW attacks
Vulnerable to: HW attacks
Windows Vista Information Protection
Who are you protecting against?
Other users or administrators on the machine? EFS
Unauthorized users with physical access? BitLocker™
Scenarios
BitLocker
EFS
RMS
Laptops
Branch office server
Local single-user file & folder protection
Local multi-user file & folder protection
Remote file & folder protection
Untrusted network admin
Remote document policy enforcement
Some cases can result in overlap. (e.g. Multi-user roaming laptops with untrusted network admins)
Recovery Options
BitLocker™ setup will automatically escrow keys and passwords into AD
Centralized storage/management keys (EA SKU)
Setup may also try (based on policy) to backup keys and passwords onto a USB dongle or to a file location
Default for non-domain-joined users
Exploring options for web service-based key escrow
Recovery password known by the user/administrator
Recovery can occur “in the field”
Windows operation can continue as normal
Ask The Experts
Get Your Questions Answered
You can find me at the Microsoft Ask the Experts area, located in the Exhibition Hall:
Wednesday 15 November, Lunch
Friday 17 November, 10.15 – 10.45
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.