Desktop Security with Windows 7 AppLocker & BitLocker To Go
Virtual TechDays India │ 9-11 February 2011 (session transcript)
Aviraj Ajgekar │ Technology Evangelist │ Microsoft Corporation
Blog: http://blogs.technet.com/aviraj │ Email: [email protected]
Agenda
• BitLocker enhancements and capabilities
• Trusted Platform Module management and PINs
• Encrypt data volumes and removable storage devices
• Recover encrypted data
• AppLocker Enforce Rules and Audit Only modes
• AppLocker management using PowerShell
• AppLocker architecture
• AppLocker deployment best practices
• AppLocker vs. Software Restriction Policies
BitLocker & BitLocker to Go
Overview of BitLocker
• Extend BitLocker drive encryption to removable devices
• Create group policies to mandate the use of encryption and block unencrypted drives
• Simplify BitLocker setup and configuration of the primary hard drive
New Features of BitLocker
BitLocker
• Improved setup wizard
• Automatic hidden system partition (100 MB on Windows 7 RTM), created by Setup so no manual repartitioning is needed
• New key protectors
BitLocker To Go
• Support for FAT-formatted drives
• Protectors: Data Recovery Agent (DRA), passphrase, smart card and/or auto-unlock
• New GPOs to improve enterprise management
• Edition availability: encrypting with BitLocker and BitLocker To Go requires Windows 7 Enterprise or Ultimate
• BitLocker To Go Reader: read-only access to FAT-formatted BitLocker To Go drives from Windows XP and Windows Vista
Trusted Platform Module (TPM) and other hardware requirements
TPM
• Version 1.2 or later
• www.trustedcomputinggroup.org/specs/TPM
• www.trustedcomputinggroup.org/specs/PCClient
USB
• System boot from USB 1.x and 2.x
• USB read/write in the pre-operating-system environment
BIOS
• Trusted Computing Group BIOS
• Physical presence interface
• Memory overwrite on reset
• Immutable CRTM or secure update
Hard Disk
• Requires at least two partitions
• Separate partitions for System and OS
Configuring the Trusted Platform Module
DEMO
• Set ownership of the TPM
• Block or allow TPM commands
• Turn off and clear the TPM
Configuring BitLocker Group Policy Settings
DEMO
• Enable BitLocker encryption without a TPM
• Configure BitLocker Group Policy settings
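The two demos above can be reproduced from a script. The following is an added example for this transcript, not code shown in the session or shipped by Microsoft. It reads TPM state through the Win32_Tpm WMI class and then turns on the "Allow BitLocker without a compatible TPM" option of the "Require additional authentication at startup" policy by writing the same registry values that the Group Policy editor writes. It assumes an elevated PowerShell on Windows 7 and that no domain GPO overrides HKLM\SOFTWARE\Policies\Microsoft\FVE (the key path and the two value names are real; the function names are this example's own).

```powershell
# Added example; not code from the session or from Microsoft.
# Reads TPM state via Win32_Tpm and enables "Allow BitLocker without a
# compatible TPM" by writing the policy registry values. Run elevated on Win7.
# Assumption: no domain GPO overrides HKLM\SOFTWARE\Policies\Microsoft\FVE.

function Get-TpmState {
    # Win32_Tpm lives in its own WMI namespace; it is absent when no TPM is visible.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return $null }
    # Each Is* method returns an object carrying a boolean of the same name.
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion                 # e.g. "1.2, 2, 3"
        Enabled     = $tpm.IsEnabled().IsEnabled       # switched on in the BIOS
        Activated   = $tpm.IsActivated().IsActivated   # usable by the OS
        Owned       = $tpm.IsOwned().IsOwned           # ownership taken, SRK exists
    }
}

function Enable-BitLockerWithoutTpm {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    # UseAdvancedStartup = "Require additional authentication at startup: Enabled"
    # EnableBDEWithNoTPM = the "Allow BitLocker without a compatible TPM" checkbox
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    # Read back what BitLocker will see.
    Get-ItemProperty -Path $fve | Select-Object UseAdvancedStartup, EnableBDEWithNoTPM
}

$state = Get-TpmState
if ($null -eq $state) {
    Write-Warning 'No TPM visible to Windows (missing, disabled in BIOS, or older than 1.2).'
    Write-Warning 'Enabling the no-TPM policy: the OS drive will need a USB startup key at boot.'
    Enable-BitLockerWithoutTpm
}
elseif (-not $state.Owned) {
    $state
    # Ownership can be taken from tpm.msc, or from the command line:
    #   manage-bde -tpm -TurnOn
    #   manage-bde -tpm -TakeOwnership <owner-password>
    Write-Warning 'TPM present but not owned: take ownership before protecting the OS drive.'
}
else {
    $state
}
```

Without a TPM there is nothing to measure the boot path against, so the startup key on USB is the only thing standing between an attacker with the laptop and the OS volume; keep the no-TPM policy for the machines that genuinely lack one rather than as a blanket default.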
Disk Layout and Key Storage
Operating System Volume contains:
• Encrypted OS
• Encrypted page file
• Encrypted temp files
• Encrypted data
• Encrypted hibernation file
System Volume contains (unencrypted, because it runs before the keys are available):
• MBR
• Boot Manager
• Boot Utilities
Where's the Encryption Key?
1. The SRK (Storage Root Key) is contained in the TPM and never leaves it.
2. The SRK encrypts (seals) the VMK (Volume Master Key); the TPM releases the VMK only when the measured boot components match the PCR values recorded when the protector was created.
3. The VMK encrypts the FVEK (Full Volume Encryption Key), which is used for the actual data encryption.
4. The FVEK and VMK are stored encrypted in the BitLocker metadata on the Operating System Volume.
BitLocker on Removable Drives
Drive Type
• Removable data drives
• USB flash drives
• External hard drives
Unlock Methods
• Passphrase
• Smart card
• Automatic unlocking
Recovery Methods
• Recovery password
• Recovery key
• Active Directory backup of the recovery password
• Data Recovery Agent
Management
• Robust and consistent Group Policy controls
• Ability to mandate encryption prior to granting write access
File Systems
• NTFS
• FAT
• FAT32
• exFAT
Encrypting Drives Using BitLocker and BitLocker To Go
DEMO
• Add a Data Recovery Agent
• Encrypt a FAT-formatted disk drive
• Configure BitLocker To Go
Using the Manage-BDE Command-Line Tool
DEMO
• Encrypt and decrypt a drive using Manage-BDE
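The BitLocker To Go and Manage-BDE demos above, as an added example for this transcript rather than code from the session: a PowerShell wrapper around manage-bde.exe that encrypts a removable drive with a passphrase plus a numerical recovery password, captures that recovery password off the drive, waits for the conversion to finish, and can decrypt again. It assumes an elevated PowerShell on Windows 7 Enterprise or Ultimate, that $Drive is a removable FAT/FAT32/exFAT/NTFS volume, and that $KeyDir is a folder on the local fixed disk; the manage-bde switches are real, the function names and the C:\BitLockerKeys path are this example's own choices.

```powershell
# Added example; not code from the session. Drives manage-bde.exe to protect a
# removable drive (BitLocker To Go) and to remove protection again.
# Assumptions: elevated PowerShell, Windows 7 Enterprise/Ultimate, $Drive is a
# removable volume, $KeyDir is on the local fixed disk (never on $Drive itself).

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and returns its text; throws on failure.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed:`n$out" }
    $out
}

function Wait-ManageBdeStatus {
    # Polls 'manage-bde -status' until the conversion line matches $Expected.
    param([string]$Drive, [string]$Expected)
    do {
        Start-Sleep -Seconds 10
        $status = Invoke-ManageBde -Arguments '-status', $Drive
        $pct = [regex]::Match($status, 'Percentage Encrypted:\s*([\d.]+)%').Groups[1].Value
        Write-Host ("{0} {1}% encrypted" -f $Drive, $pct)
    } while ($status -notmatch "Conversion Status:\s*$Expected")
    $status
}

function Protect-RemovableDrive {
    param([string]$Drive = 'E:', [string]$KeyDir = 'C:\BitLockerKeys')
    New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

    # Step 1: turn BitLocker on with a 48-digit numerical recovery password only.
    # This call is non-interactive, so its output can be captured and parsed.
    $out = Invoke-ManageBde -Arguments '-on', $Drive, '-RecoveryPassword'
    $rp = [regex]::Match($out, '\d{6}(-\d{6}){7}').Value
    if (-not $rp) { throw "Recovery password not found in manage-bde output:`n$out" }
    $rpFile = Join-Path $KeyDir ('{0}-recovery.txt' -f $Drive.TrimEnd(':'))
    Set-Content -Path $rpFile -Value $rp
    Write-Host "Recovery password saved to $rpFile (escrow it: AD DS backup by policy, or a DRA)."

    # Step 2: add the day-to-day passphrase. manage-bde prompts for it on the
    # console, so this call is deliberately NOT captured.
    & manage-bde.exe -protectors -add $Drive -Password
    if ($LASTEXITCODE -ne 0) { throw 'Adding the passphrase protector failed.' }

    # Step 3: encryption runs in the background; wait for it to complete.
    Wait-ManageBdeStatus -Drive $Drive -Expected 'Fully Encrypted' | Out-Null

    # Optional: remember the passphrase on this PC so the drive unlocks silently.
    # Requires the OS drive itself to be BitLocker-protected.
    # Invoke-ManageBde -Arguments '-autounlock', '-enable', $Drive

    Invoke-ManageBde -Arguments '-protectors', '-get', $Drive   # lists protectors and IDs
}

function Unprotect-RemovableDrive {
    param([string]$Drive = 'E:')
    # Removes all protection; afterwards anyone can read the drive.
    Invoke-ManageBde -Arguments '-off', $Drive | Out-Null
    Wait-ManageBdeStatus -Drive $Drive -Expected 'Fully Decrypted'
}

# Protect-RemovableDrive -Drive 'E:'
# Unprotect-RemovableDrive -Drive 'E:'
```

The recovery password is written to a text file here only to make the example self-contained; in a domain the "Store BitLocker recovery information in Active Directory Domain Services" policy escrows it automatically and the file step should be dropped.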
Data Recovery Scenarios
• Lost or forgotten authentication methods
• Upgrade to core files (boot components changed without suspending BitLocker, so the TPM measurements no longer match)
• Broken hardware
• Deliberate attack
Data Recovery Methods
• Develop a strategy
• Active Directory
• Data Recovery Agents
• Windows Recovery Environment
Managing and Recovering Data
DEMO
• Unlock a FAT-formatted drive
• Manage and decrypt a BitLocker-protected disk drive
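The "lost authentication method" scenario handled with the Active Directory method, as an added example for this transcript rather than code from the session: the script reads the key protector ID from the locked drive, finds the matching escrowed password under the computer account in AD DS, unlocks the drive with manage-bde, and then replaces the password that has just been exposed to the helpdesk. It assumes the "Store BitLocker recovery information in Active Directory Domain Services" policy was in force when the drive was encrypted, that the ActiveDirectory module (RSAT, Windows Server 2008 R2 domain) is installed, and that the caller can read the computer's msFVE-RecoveryInformation objects; the AD attribute names and manage-bde switches are real, the script's own variable names are its own.

```powershell
# Added example; not code from the session. Recovers a locked data drive from the
# recovery password escrowed in AD DS, then rotates that password.
# Assumptions: AD DS escrow policy was active at encryption time; ActiveDirectory
# module installed; caller can read msFVE-RecoveryInformation objects.
param(
    [Parameter(Mandatory=$true)][string]$ComputerName,  # account the password was escrowed under
    [string]$Drive = 'E:'
)
Import-Module ActiveDirectory

# 1. A locked drive still reports its key protectors. The ID of the "Numerical
#    Password" protector is what the recovery prompt shows as the key ID.
$prot = & manage-bde.exe -protectors -get $Drive 2>&1 | Out-String
$wanted = [regex]::Matches($prot, 'Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}') |
          ForEach-Object { [guid]$_.Groups[1].Value }
if (-not $wanted) { throw "No numerical-password protector reported for $Drive`n$prot" }

# 2. Escrowed passwords are msFVE-RecoveryInformation children of the computer object.
$computer = Get-ADComputer -Identity $ComputerName
$escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                         -SearchBase $computer.DistinguishedName `
                         -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated

# msFVE-RecoveryGuid is an octet string; convert it to a Guid to compare with manage-bde's ID.
$match = $escrowed | ForEach-Object {
        $guid = New-Object Guid (,[byte[]]$_.'msFVE-RecoveryGuid')
        if ($wanted -contains $guid) {
            New-Object PSObject -Property @{
                Id = $guid; Password = $_.'msFVE-RecoveryPassword'; When = $_.whenCreated
            }
        }
    } | Sort-Object When -Descending | Select-Object -First 1
if (-not $match) { throw "No escrowed recovery password for $ComputerName matches the protector on $Drive" }

# 3. Unlock with the 48-digit password.
& manage-bde.exe -unlock $Drive -RecoveryPassword $match.Password
if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock $Drive failed" }

# 4. The password has now been read by an operator and typed into a console:
#    treat it as burned. Add a fresh one (escrowed to AD DS by the same policy)
#    and delete the exposed protector by its ID.
& manage-bde.exe -protectors -add $Drive -RecoveryPassword
& manage-bde.exe -protectors -delete $Drive -id ('{0}' -f "{$($match.Id)}")
& manage-bde.exe -protectors -get $Drive
```

Drives that were encrypted before the escrow policy reached the machine have no object in AD DS; for those, run manage-bde -protectors -adbackup <drive> -id {protector ID} while the drive is unlocked so the next recovery can follow the same path.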
AppLocker
Application Control - Situation Today
• Users can install and run non-standard applications
• Even standard users can install some types of software
• Unauthorized applications may:
  • Introduce malware
  • Increase helpdesk calls
  • Reduce user productivity
  • Undermine compliance efforts
Windows 7 AppLocker™
• Eliminate unwanted/unknown applications in your network
• Enforce application standardization within your organization
• Easily create and manage flexible rules using Group Policy
DEMO
• AppLocker Application Identity service
• AppLocker Audit Only mode
• AppLocker Enforce Rules & policies
• AppLocker custom error messages
PowerShell Cmdlets
• Core needs scriptable through PowerShell
• Building blocks for a more streamlined end-to-end experience
• Inbox cmdlets: Get-AppLockerFileInformation, Get-AppLockerPolicy, Set-AppLockerPolicy, New-AppLockerPolicy, Test-AppLockerPolicy
DEMO
• AppLocker management using PowerShell
Architectural Overview
Kernel mode
• ntoskrnl raises a CreateProcessNotification for every new process (Process 1, 2, 3 in the diagram).
• Appid.sys (the AppID/SRP kernel component) receives that notification, identifies the file and sends a QueryPolicy request to the AppID/SRP service; the launch is allowed or blocked on the answer.
User mode
• AppID/SRP service (the Application Identity service, AppIDSvc): evaluates the rules; if it is not running, no rules are enforced.
• SRP user-mode component in ntdll: consulted from CreateProcess and from LoadLibrary (DLL rules) through the SaferIdentifyLevel entry point.
Deployment Best Practices
• Create a desktop lockdown strategy
• Inventory your applications
• Select and test rule types (allow / deny) in a lab
• Define GPO strategy and structure
• Build a process for managing rules
• Document your AppLocker design
• Build reference computers
• Test and update the policy using Audit Only mode
• Enable rule enforcement
• Maintain the policy
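The "reference computer, then Audit Only, then enforce" steps above, scripted with the five inbox cmdlets from the PowerShell slide. This is an added example for this transcript, not the session's demo script: it assumes an elevated PowerShell on a Windows 7 Enterprise or Ultimate reference computer that already carries the standard application build, a working folder of your choosing (C:\AppLockerPolicy here), and that no domain AppLocker GPO applies to the machine yet. The cmdlet names and parameters are real; Set-EnforcementMode is a helper written for this example.

```powershell
# Added example; not code from the session. Builds a baseline AppLocker policy
# from a reference computer, pilots it in Audit Only mode, folds the audit
# findings back in, checks it, and only then switches to enforcement.
# Assumptions: elevated PowerShell, Win7 Enterprise/Ultimate reference build,
# $PolicyDir writable, no domain AppLocker GPO yet.
$PolicyDir = 'C:\AppLockerPolicy'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 0. Rules are evaluated only while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

function Set-EnforcementMode {
    # Rewrites EnforcementMode on every populated rule collection of a policy XML
    # string and saves the result. Empty collections are left NotConfigured: a
    # collection with EnforcementMode=Enabled and no rules would block everything.
    param([string]$PolicyXml,
          [ValidateSet('AuditOnly', 'Enabled')][string]$Mode,
          [string]$OutFile)
    [xml]$doc = $PolicyXml
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        if ($rc.HasChildNodes) { $rc.SetAttribute('EnforcementMode', $Mode) }
    }
    $doc.Save($OutFile)
    $OutFile
}

# 1. Inventory the reference build. Signed files become Publisher rules (they
#    survive patching); unsigned files fall back to Hash rules. Path rules are
#    avoided because users can write to many paths. C:\Windows must be included:
#    once the Exe collection has any rule, everything unmatched is denied.
$files = 'C:\Windows', 'C:\Program Files' | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
}
$baseline = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
            -User Everyone -RuleNamePrefix Baseline -Optimize -IgnoreMissingFileInformation -Xml

# 2. Apply it in Audit Only mode and let the pilot group work for a while.
$auditFile = Set-EnforcementMode -PolicyXml $baseline -Mode AuditOnly `
             -OutFile (Join-Path $PolicyDir 'baseline-audit.xml')
Set-AppLockerPolicy -XmlPolicy $auditFile

# 3. Later: what would have been blocked? (Event ID 8003 in the
#    "Microsoft-Windows-AppLocker/EXE and DLL" log.) For each file decide: merge
#    an allow rule, or accept that it will be blocked once enforced.
$audited = Get-AppLockerFileInformation -EventLog -EventType Audited
if ($audited) {
    $audited | Select-Object Path, Publisher, Hash | Format-Table -AutoSize
    $pilot = New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
             -User Everyone -RuleNamePrefix Pilot -Optimize -IgnoreMissingFileInformation -Xml
    $pilotFile = Join-Path $PolicyDir 'pilot-additions.xml'
    Set-Content -Path $pilotFile -Value $pilot
    Set-AppLockerPolicy -XmlPolicy $pilotFile -Merge   # -Merge keeps the baseline rules
}

# 4. Before enforcing, prove the effective policy still lets core binaries run.
$effective = Get-AppLockerPolicy -Effective
$checks = Test-AppLockerPolicy -PolicyObject $effective `
          -Path 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\cmd.exe'
$checks | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
if ($checks | Where-Object { $_.PolicyDecision -ne 'Allowed' }) {
    throw 'Effective policy would block Windows binaries; fix the rules before enforcing.'
}

# 5. Switch the populated collections to enforcement. Add -Ldap "LDAP://<GPO DN>"
#    to Set-AppLockerPolicy to write to a domain GPO instead of the local policy.
$enforceFile = Set-EnforcementMode -PolicyXml (Get-AppLockerPolicy -Effective -Xml) -Mode Enabled `
               -OutFile (Join-Path $PolicyDir 'baseline-enforce.xml')
Set-AppLockerPolicy -XmlPolicy $enforceFile
```

Step 4 is the check that saves the most helpdesk calls: a policy that passes Test-AppLockerPolicy for the binaries the build depends on can be enforced, while one that reports DeniedByDefault for them means the inventory missed a directory.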
AppLocker Vs. Software Restriction Policies
Session Summary
• BitLocker enhancements and capabilities
• BitLocker To Go for removable storage devices
• BitLocker recovery agents and tools
• AppLocker protects digital assets by preventing unwanted software from running
• AppLocker provides an improved management experience, making it easier to maintain a list of approved applications
EVENT OVERVIEW
Microsoft® Tech·Ed India 2011
March 23-25 │ Bangalore
- Event dates: 23 - 25 March, 2011
- Event venue: Lalit Ashok │ Bangalore (India)
- 2010 attendee profile: CXOs: 3% │ CXO-1/-2: 13% │ Architects: 8% │ Developers: 54% │ IT Pros: 22% │ Students │ Media/Press
- Event theme: Learn │ Connect │ Explore │ Evolve
- What's in it for the audience: strategic direction in keynotes │ deep-dive technical training │ free certification │ software access │ networking │ hands-on labs │ Demo X
- Expected attendance: 3,500 tech audience (onsite) │ 100,000 tech audience (satellite locations) │ 300 CXO & CXO-1 (onsite)
Email: [email protected] Blog: http://blogs.technet.com/aviraj
Thank You