windows server 2008 security overview short
DESCRIPTION
In this presentation we review the Security Changes in Windows 2008 and Windows 2008 R2.
Regards,
Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP
http://mswindowscr.org
http://comunidadwindows.org
Costa Rica
http://ecastrom.blogspot.com
http://ecastrom.wordpress.com
http://ecastrom.spaces.live.com
http://universosql.blogspot.com
http://todosobresql.blogspot.com
http://todosobresqlserver.wordpress.com
http://mswindowscr.org/blogs/sql/default.aspx
http://citicr.org/blogs/noticias/default.aspx
http://sqlserverpedia.blogspot.com/
TRANSCRIPT
Ing. Eduardo Castro, PhD Comunidad Windows [email protected] http://comunidadwindows.org
“Windows Server 2008 helps
Macquarie operate… our remote
offices more securely and
efficiently than we could in the
past.” Phillip Dundas
Technical Team Lead,
Windows Server Group, Information Technology
Group
Macquarie Group Limited
“We’ll be able to use RODC to
place domain controllers at sites
where physical security has
always been a concern and we’ll
have much better control over our
remote infrastructure.”
Loic Calvez
Senior Enterprise Infrastructure Architect
Lafarge
“The public key infrastructure that
we created through our
deployment of Windows Server
2008 has fundamentally increased
the level of information security
that we have at the bank.”
Security Director
PKO Bank Polski
“We are confident that the bank is
now more secure, that devices
accessing our network are secure,
and that those devices meet our
current network policy for access.”
Howard Witherby
Senior Vice President of Operations
National Bank & Trust
Security Development Lifecycle
Installation Options
Read Only Domain Controller (RODC)
Network Access Protection (NAP)
Others
Foundation
Service Hardening*
Kernel Patch Protection*
Data Execution Prevention*
BitLocker*
Mostly Server R2
DirectAccess
AppLocker
Enhanced Storage Access
DNSSEC
Enhanced Auditing*
Suite-B for EFS, Kerberos, TLS v1.2 and more
Mostly Windows 7
BitLocker to Go
Multiple Firewall Profiles
Streamlined UAC
Biometric Framework
HTTP PKI Enroll
PIV Smartcards
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security
Internet Protocol Security
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
Create inbound and outbound rules
Create a firewall rule limiting a service
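Added example (not from the presentation): how the "rule limiting a service" idea looks when typed into Windows Firewall with Advanced Security's command-line front end. The service short name (ContosoAgent), the port and the rule names are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example, not from the presentation. Scope an inbound allow rule to a
# single Windows service so that other programs listening on the same port do
# not inherit the opening, then block that service's outbound traffic.
# "ContosoAgent", 8080 and the rule names are assumed values for illustration.

$svc  = 'ContosoAgent'
$port = 8080

# Inbound: allow TCP/8080 only when the listener is the named service, and
# only on the Domain profile (not on public networks).
netsh advfirewall firewall add rule name=Allow_ContosoAgent_In dir=in `
    action=allow protocol=TCP localport=$port service=$svc profile=domain enable=yes

# Outbound: the default outbound action is allow, so an explicit block rule is
# what actually limits where the service may connect.
netsh advfirewall firewall add rule name=Block_ContosoAgent_Out dir=out `
    action=block service=$svc profile=any enable=yes

# Verify what was written and that the Domain profile is actually enabled;
# a rule in a disabled profile enforces nothing.
netsh advfirewall firewall show rule name=Allow_ContosoAgent_In verbose
netsh advfirewall firewall show rule name=Block_ContosoAgent_Out verbose
netsh advfirewall show domainprofile state
```

Rule names are kept free of spaces on purpose: PowerShell re-quotes native-command arguments that contain spaces, and netsh then receives the whole `name=...` token inside the quotes, which is a common source of "rule not found" surprises.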
Integrated with WFAS
IPSec improvements
Simplified IPSec policy configuration
Client-to-DC IPSec protection
Improved load balancing and clustering server support
Improved IPSec authentication
Integration with NAP
Multiple authentication methods
New cryptographic support
Integrated IPv4 and IPv6 support
Extended events and performance monitor counters
Network diagnostics framework support
What changes have been made to AD DS auditing?
New Functionality
AD database
Unidirectional replication
Credential caching
Password replication policy
Administrator role separation
Read-Only DNS
Requirements/special considerations
RODC
A read-only Active Directory Domain Services database
Unidirectional replication mitigating misinformation even if a change is made on a RODC
Caching of only specific attributes based
Credential caching for only specific users
Separation of administrator capabilities
Read-only DNS
Pre-create RODC account allowing local installation without the need for admin credentials
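Added example (not from the presentation): reviewing and tightening an RODC's Password Replication Policy, the mechanism behind the "credential caching for only specific users" bullet, with the ActiveDirectory module that ships with Windows Server 2008 R2 RSAT. The RODC name and the group names are assumptions for illustration; run it as a domain administrator from a writable DC or management host.

```powershell
# Added example, not from the presentation. Inspect and restrict which
# principals may have their secrets cached on a branch-office RODC, then list
# what is currently cached so an incident responder knows what to reset if the
# box is lost. "RODC-BRANCH01", "Branch01 Users" and "Tier0 Admins" are
# assumed names for illustration.

Import-Module ActiveDirectory

$rodc = 'RODC-BRANCH01'

# Current policy: the Allowed list and the Denied list. Denied wins over Allowed.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Allow only the branch's own users and computers to be cached locally; the
# built-in "Denied RODC Password Replication Group" stays in place.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch01 Users'

# Privileged accounts must never be cached at a site with weak physical security.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Tier0 Admins'

# Audit: accounts whose credentials are actually stored on this RODC today.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Related check: accounts that have authenticated through this RODC but are not
# cached (candidates for the Allowed list, or evidence of unexpected logons).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

The two usage queries are the ones worth scheduling: the revealed-accounts list is exactly the set of passwords to reset after an RODC theft, and the authenticated-accounts list shows whether the Allowed list matches who really works at the site.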
Data protection
Drive encryption
Integrity checking
BDE hardware and software requirements
Easier management through PKIView
Certificate Web enrollment
Network device enrollment service
Managing certificates with Group Policy
Certificate deployment changes
Online certificate status protocol support
Cryptographic next generation
Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network Communications Security
Network Access Protection vs. Network Access Quarantine Control
Clients: Internal, VPN, and Remote Access Clients | Only VPN and Remote Access Clients
Enforcement: IPSec, 802.1X, DHCP, and VPN | DHCP and VPN
Availability: NAP NPS and Client included in Windows Server 2008; NAP client included in Windows Vista | Installed from Windows Server 2003 Resource Kit
Automatic remediation
Health policy validation
Health policy compliance
Limited access
How it works
1. The Windows client requests access to the network (via DHCP, VPN, or switch/router) and presents its current health state.
2. DHCP, VPN, or switch/router relays the health status to Microsoft Network Policy Server (NPS) via Remote Authentication Dial-In User Service (RADIUS).
3. Network Policy Server (NPS) validates against the IT-defined health policy, consulting policy servers (e.g. patch, antivirus).
4. If not policy-compliant, the client is put in a restricted VLAN (restricted network) and given access to fix-up resources (fix-up servers, e.g. patch) to download patches, configurations, signatures (repeat 1 - 4).
5. If policy-compliant, the client is granted full access to the corporate network.
Enforcement methods shown in the diagram: 802.1X, VPN, IPSec, DHCP, with NPS as the RADIUS server.
Create a NAP policy
Use the MMC to create NAP configuration settings
Create a new RADIUS client
Create a new system health validator for Windows Vista and Windows XP SP2
Logical Networks
IPSec Enforcement
IEEE 802.1X
Remote Access VPNs
DHCP
Checking the health and status of roaming laptops
Ensuring the health of corporate desktops
Determining the health of visiting laptops
Verify the compliance of home computers
Carefully test and plan all security policies
Implement Network Access Protection
Use Windows Firewall and Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers, where appropriate
Implement BitLocker Drive Encryption
Take advantage of PKI improvements
Group Policy Changes
How Group Policy works now...
Templates: ADM templates, difficult to manage
Troubleshooting: Userenv log; GP Result
Templates and Replication: Journal Wrap anyone? Bloated SYSVOL?
Local GPOs: Limited flexibility with a single local GPO (LGPO = Local Computer Policy)
Settings: ~1,800 policy settings in XP; incomplete coverage means missing key scenarios
Group Policy Process: Part of Winlogon
Network: Limited awareness of changing network conditions
(Diagram: ADM files replicated to each DC's SysVol)
How Group Policy works in Windows Vista/Windows Server 2008:
Group Policy Service: GP now runs in a shared service; hardened service, more reliable
Group Policy Settings: Over 800 new policy changes with Windows Vista; extended GP for new Windows Vista features
Network Location Awareness (NLA): NLA service provides the latest network information; applications can query or register with NLA for network change indications
Group Policy Logging: Administrative log; Applications and Services log; XML based event logs; new tools - GPOLogView
Group Policy Templates: ADM templates now in ADMX files (ADMX, ADML)
Multiple Local GPOs: Local Computer Policy; Admin/Non-Admin Group Policy; User Specified Group Policy
Group Policy Central Store: Centralized repository for ADMX, created in the Sysvol on a DC in each domain; new replicator with DFS-R
(Diagram: ADMX and ADML policy definition files stored in SysVol, replicated by FRS/DFS-R, and referenced by each GPO under Policies\{GUID})
What is new? GP PowerShell features
Adding to GP scripts extensions
PowerShell cmdlets to perform GP operations
Starter GPOs in-box in Windows 7
Best practices that map to the security guide
ADMX enhancements
GP Preferences enhancements
GP Preferences, new in Windows Server 2008
New items added to support new OS functionality
Import-module GroupPolicy
get-help *-gp*
New:
•New-GPLink
•New-GPO
•New-GPStarterGPO
Get:
•Get-GPInheritance
•Get-GPO
•Get-GPOReport
•Get-GPPermissions
•Get-GPPrefRegistryValue
•Get-GPRegistryValue
•Get-GPResultantSetofPolicy
•Get-GPStarterGPO
Set:
•Set-GPInheritance
•Set-GPLink
•Set-GPPermissions
•Set-GPPrefRegistryValue
•Set-GPRegistryValue
Remove:
•Remove-GPLink
•Remove-GPO
•Remove-GPPrefRegistryValue
•Remove-GPRegistryValue
Misc:
•Backup-GPO
•Copy-GPO
•Import-GPO
•Rename-GPO
•Restore-GPO
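Added example (not from the presentation): the GroupPolicy cmdlets listed above strung together into the workflow an administrator actually runs, using the Windows Server 2008 R2 / RSAT GroupPolicy module. The GPO name, OU distinguished name, backup folder and the registry setting chosen are assumptions for illustration; run it as a user with GPO creation and link rights in the domain.

```powershell
# Added example, not from the presentation. Create (or reuse) a GPO, write a
# registry-backed security setting into it, link it enforced to an OU, back it
# up and produce an HTML report for review. Names and paths are assumed values.

Import-Module GroupPolicy

$gpoName = 'SEC-Baseline-Servers'                 # assumed GPO name
$ou      = 'OU=Servers,DC=contoso,DC=local'       # assumed target OU
$backup  = 'C:\GPO-Backups'                       # assumed backup folder

# Reuse an existing GPO of the same name instead of creating a duplicate
# (duplicates are one way GPO counts drift toward the thousands).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    # New-GPO also accepts -StarterGpoName to seed from a Starter GPO.
    $gpo = New-GPO -Name $gpoName -Comment 'Server security baseline'
}

# Registry-backed setting: send NTLMv2 responses only and refuse LM/NTLM
# (LmCompatibilityLevel = 5). Values written this way appear in the GPO
# report under "Extra Registry Settings".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# Link it to the servers OU, enforced so a child OU cannot block inheritance.
$linked = (Get-GPInheritance -Target $ou).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Back up so that Restore-GPO has a known-good copy to return to.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-GPO -Name $gpoName -Path $backup -Comment ('Baseline ' + (Get-Date -Format s)) | Out-Null

# Reviewable evidence of what the GPO sets, suitable for change records.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backup "$gpoName.html")
```

The order matters for recovery: the backup is taken after the setting is written and the link created, so a later `Restore-GPO` returns the GPO to this reviewed state rather than to an empty shell.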
Have heard up to 11,000 GPOs
Not best practice
GPMC has perf issues loading
Management difficulties
Troubleshooting difficulties
Migration difficulties
Recommendation:
Consolidate
AGPM is tested up to 2000 GPOs
New UI: More intuitive, integrated help content, no more tabs
Support for:
REG_MultiSZ
REG_QWORD
Starter GPOs & ADMX UI
Preference Settings Not true “Policy”
More control of desktop – more settings! Not limited to policy-aware applications
Ease of administration through rich UI
Better targeting
New in Windows 7 Support for new Power Plan settings
Support for new Schedule task triggers, actions, etc.
Group Policies
(Native / Managed)
• Settings are enforced; users cannot change them
• Settings revert to the original setting
• Highest precedence
• Work only on specific registry locations
Group Policy Preferences
• Users can change settings
• Multiple items per GPO
• Can write registry settings to more than HKCU, HKLM hives
• Granular Targeting of individual items
Drive Mappings
Regional Settings
Printer Mappings
Shortcuts
Start Menu
Internet Explorer Settings
Local Users and Groups
Services
Network Shares
Environment Variables
Familiar Experience
Clearer to understand and find
Easy to manage
Better control of individual settings – Red/Green
Powerful browsers
Avoids typing errors
Configure settings quicker
29 different targeting options
Boolean AND, OR, IS, IS NOT
Wildcard support
“WSBNE*”
Target on the item, not just the GPO
Item level targeting,
not GPO level
Robust targeting
29 types
Boolean logic (And, Or, Not)
Collections
Intuitive UI
No need to learn
query languages
Apply once and do not reapply
Remove when no longer applicable
Create – Replace - Update - Delete
More than just Enable vs Disable
Active Directory: Windows 2000
Console - Group Policy Manager Console - Snap-in
Part of the Remote Server Admin Tool (link and end)
One Windows 7 client or Windows Server 2008 R2 Terminal Server
Client - Client Side Extensions (CSE’s)
3000 Total ADMX settings
300 new ADMX settings
IE more than 90 new
Bitlocker
Taskbar
Power
Terminal Services rebranded “Remote Desktop Services”
Settings Spreadsheet
12 settings added under Security Options
Restrict NTLM (multiple)
Kerberos encryption types
Local System null session fallback
Only supported on Windows 7 & Windows Server 2008 R2
Settings Spreadsheet
Wireless Network (IEEE 802.11) Policies
Public Key Policies
Certificate Services Client - Certificate Enrollment Policy
BitLocker Drive Encryption
Network Access Protection
Enforcement Clients: Removed RAQ EC and TS Gateway
Enforcement Clients: Added RD Gateway QEC
Application Control Policies – AppLocker
More info
Advanced Audit Policy Configuration
More info
Name Resolution Policy
Storage
growth
Storage
cost
Compliance Security and
Information leakage
Replication
Backup
HSM Security
Archive
Encryption
Expiration
Increasing data management needs / many data management products
Need per project share
Make sure business secret files
do not leak out
Backup files with personal
information to encrypted store
Expire low business impact files
created three years ago and not
touched for a year
IT / Business
Step 1: Classify data
Step 2: Apply policy according to classification
(Diagram: classification properties shown on the files are Personal Information and Secrecy)
Manual
Line Of Business
application
Automatic classification
Location
Content
Owner
Other
IT Scripts
Backup
Archive
Reports
Expiration
Security Leakage prevention
Search
Custom commands
Windows Server 2008 R2 File Classification pipeline:
Discover data -> Classify data (extract classification properties) -> Store classification properties -> Apply policy based on classification
Extensible infrastructure - partner ecosystem
In-box end to end scenarios
Integration with SharePoint
File Classification extensibility points:
Set classification properties - API for external applications
Get classification properties - API for external applications
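Added example (not from the presentation): what "get/set classification properties from an external application" looks like against the FSRM classification COM interface that Windows Server 2008 R2 exposes when the File Server Resource Manager role is installed. The file path and the property name "Secrecy" are assumptions; the property definition must already exist in FSRM, and the COM method signatures used here are as documented for IFsrmClassificationManager, which I am assuming rather than taking from the slides.

```powershell
# Added example, not from the presentation. Read and set File Classification
# Infrastructure properties on a single file through the FSRM COM API
# (Fsrm.FsrmClassificationManager). Path and property name are assumed values;
# the "Secrecy" property definition must already exist in FSRM.

$path = 'D:\Projects\Alpha\design.docx'   # assumed file on an FSRM-managed volume
$prop = 'Secrecy'                         # assumed property defined in FSRM

$cm = New-Object -ComObject Fsrm.FsrmClassificationManager

# Property definitions FSRM knows about (0 = no enumeration options); a policy
# script should refuse to run against a property that is not defined.
$defined = $cm.EnumPropertyDefinitions(0) | ForEach-Object { $_.Name }
if ($defined -notcontains $prop) {
    throw "Property '$prop' is not defined in FSRM on this server"
}

# Explicit classification: the "manual / line-of-business application" path
# from the slides. Values are strings as far as the API is concerned.
$cm.SetFileProperty($path, $prop, 'High')

# Read it back, as a leakage-prevention or backup task would before acting.
$value = $cm.GetFileProperty($path, $prop, 0).Value
"{0}: {1} = {2}" -f $path, $prop, $value

# Everything currently stored on the file (0 = no options).
$cm.EnumFileProperties($path, 0) | Select-Object Name, Value
```

The defined-property check up front is the practical safeguard: a rule or script that silently writes an undefined property name produces files that look classified to the author but never match any policy.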
When using IPSec – employ ESP with encryption
Carefully test and verify all IPSec Policies
Consider using Domain isolation
Use quality of service to improve bandwidth
Plan to prioritize traffic on the network
Apply network access protection to secure client computers
IPSec Server Domain Isolation
Full Volume Bitlocker on Servers
New elliptic curve encryption strength
Network Level Authentication for RDP
Service Profiling
New Levels of System Auditing
… and many more
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.