Security and Policy Enforcement
Mark Gibson, Dave Northey
Post on 20-Dec-2015
Agenda
14:30 Security & Policy Overview
15:40 Coffee
16:00 NAP platform architecture
17:10 Coffee
17:30 NAP components
18:30 End
Hardens Operating System and Increases Environment Protection
Read-Only Domain Controller
Network Access Protection
BitLocker™ Drive Encryption
Security
Server Protection Features
Security Development Process
Secure Startup and shield up at install
Code integrity
Windows service hardening
Inbound and outbound firewall
Restart Manager
Improved auditing
Network Access Protection
Event Forwarding
Policy Based Networking
Server and Domain Isolation
Removable Device Installation Control
Active Directory Rights Management Services
Security Compliance
Windows Server 2008 Hardening
Windows Service Hardening (flattened diagram, reconstructed as a table): services that ran with the full LocalSystem token on XP/2003 run with reduced privileges on Vista/2008, each service gets its own service SID, and firewall rules can be scoped to that SID to restrict or remove the service's network access.

Windows XP SP2 / Server 2003 R2 | Windows Vista / Server 2008
LocalSystem                     | LocalSystem, Firewall Restricted
Network Service                 | Network Service, Network Restricted
Local Service                   | Local Service, No Network Access
LocalSystem                     | LocalSystem
Network Service                 | Network Service, Fully Restricted
Local Service                   | Local Service, Fully Restricted
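An added example, not part of the original deck, that audits where a given service sits on this table: the account it runs as, whether it has a per-service SID (as reported by sc.exe qsidtype), the privileges it kept (sc.exe qprivs), and whether any firewall rule is scoped to it. It assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt; the two service names at the end are examples.

```powershell
# Added example (not from the original deck): report the hardening posture of
# one or more Windows services under the Vista / Server 2008 service model.
# Requires sc.exe and the NetSecurity module; run elevated.

function Get-ServiceHardeningReport {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($svc in $Name) {
        # sc.exe qsidtype prints "SERVICE_SID_TYPE:  UNRESTRICTED|RESTRICTED|NONE".
        # NONE means the service has no per-service SID to scope rules or ACLs to.
        $sidLine = (& sc.exe qsidtype $svc) -match 'SERVICE_SID_TYPE'
        $sidType = if ($sidLine) { ($sidLine -split ':\s*')[-1].Trim() } else { 'unknown' }

        # sc.exe qprivs lists the privileges the service told the SCM to keep;
        # an empty list means it runs with the full token of its account.
        $privs = (& sc.exe qprivs $svc) -match ': Se' |
                 ForEach-Object { ($_ -split ':\s*')[-1].Trim() }

        $account = (Get-CimInstance Win32_Service -Filter "Name='$svc'").StartName

        # Firewall rules whose service filter names this service (any direction).
        # A service with no scoped rule falls under the profile's default policy.
        $rules = Get-NetFirewallServiceFilter -Service $svc -ErrorAction SilentlyContinue |
                 Get-NetFirewallRule

        [pscustomobject]@{
            Service        = $svc
            RunsAs         = $account
            ServiceSidType = $sidType
            Privileges     = ($privs -join ', ')
            FirewallRules  = ($rules | ForEach-Object { "$($_.Direction):$($_.Action) $($_.DisplayName)" }) -join '; '
            Findings       = @(
                if ($account -eq 'LocalSystem' -and $sidType -eq 'NONE') { 'LocalSystem without service SID' }
                if (-not $privs) { 'no privilege restriction' }
                if (-not $rules) { 'no service-scoped firewall rule' }
            ) -join '; '
        }
    }
}

# Usage: compare an inbox service with one you maintain (example names).
Get-ServiceHardeningReport -Name 'Dnscache', 'W32Time' | Format-List
```

A service that shows LocalSystem, NONE and an empty privilege list is in the left-hand column of the table above whatever OS it runs on; the fix is in the service's own installer (SERVICE_SID_TYPE and RequiredPrivileges in its ChangeServiceConfig2 call), not in the firewall.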
BitLocker™ Drive Encryption
Group Policy allows central encryption policy and provides branch office protection
Provides data protection even when the system is in unauthorized hands or is booted into a different or hostile operating system
Uses a v1.2 TPM or USB flash drive for key storage
Diagram labels: Full Volume Encryption Key (FVEK); Encryption Policy. The FVEK encrypts the volume contents; the keys that wrap it are released by the TPM only when the measured boot chain matches the values sealed at enrolment, so booting another OS from the same disk does not unlock it.
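An added example, not part of the original deck, that checks the BitLocker posture the slide describes: per-volume protection state, which key protectors exist (TPM-based, recovery password), TPM readiness, and whether a central Group Policy is applied. It assumes the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 or later) and an elevated prompt. The registry value names under the FVE policy key are the ones I recall from the BitLocker ADMX and are an assumption to verify against your policy template; the findings thresholds are this example's own.

```powershell
# Added example (not from the original deck): BitLocker posture per volume plus
# the Group Policy values behind it. Run elevated on Windows 8 / Server 2012+.

function Get-BitLockerPosture {
    $tpm = try { Get-Tpm } catch { $null }   # null when no TPM driver/device

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector.KeyProtectorType)   # e.g. Tpm, TpmPin, RecoveryPassword
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Encrypted  = "$($vol.EncryptionPercentage)%"
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ', ')
            Tpm        = if ($tpm) { "present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)" } else { 'none' }
            Findings   = @(
                if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) { 'OS volume has no TPM-based protector' }
                if ($types -notcontains 'RecoveryPassword') { 'no recovery password protector (nothing to escrow)' }
                if ($vol.ProtectionStatus -ne 'On') { 'protection is off' }
            ) -join '; '
        }
    }
}

function Get-BitLockerPolicy {
    # Written by Group Policy (Computer Configuration > Windows Components >
    # BitLocker Drive Encryption). Missing key = no central policy applied.
    # Value names below are an assumption; confirm against the ADMX in use.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return 'No BitLocker Group Policy applied' }
    Get-ItemProperty $key |
        Select-Object UseAdvancedStartup, UseTPM, UseTPMPIN, EncryptionMethod, OSRecovery, OSActiveDirectoryBackup
}

Get-BitLockerPosture | Format-List
Get-BitLockerPolicy
```

The branch-office case on the slide is the second finding: a volume with a TPM protector but no recovery password cannot be recovered by the hub admin after a motherboard swap or a firmware update that changes the measurements, so the policy should require the recovery password protector and its backup to AD DS before encryption starts.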
Solid Foundation: Windows Firewall with Advanced Security
Combined firewall and IPsec management
Firewall rules become more intelligent
Policy-based networking
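An added example, not part of the original deck, of what "combined firewall and IPsec management" and the "Server and Domain Isolation" feature listed earlier look like as policy: an IPsec rule that requires machine Kerberos authentication inbound, and a firewall rule that only admits authenticated peers. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 or later; on Server 2008 the same objects are created in the WFAS console or netsh advfirewall). The display names, the 10.0.0.0/8 range and port 3389 are example values; run elevated.

```powershell
# Added example (not from the original deck): domain isolation as one policy.
# The IPsec rule says "authenticate"; the firewall rule says "only
# authenticated peers may connect". Names and ranges are example values.

# 1. Phase-1 authentication: machine Kerberos, i.e. domain membership.
$kerb    = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation Auth' -Proposal $kerb

# 2. Require security inbound, request it outbound, for the corporate range.
#    Inbound from a host that cannot negotiate is dropped; outbound to such a
#    host falls back to clear, which keeps printers and non-domain servers
#    reachable during rollout. Switch -OutboundSecurity to Require once
#    exemptions for those hosts exist.
New-NetIPsecRule -DisplayName 'Domain Isolation' `
    -RemoteAddress '10.0.0.0/8' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain

# 3. A firewall rule that is "more intelligent" than a port filter: RDP is
#    allowed only when the connection was authenticated by the IPsec rule.
New-NetFirewallRule -DisplayName 'RDP - authenticated domain computers only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Authentication Required `
    -Profile Domain -Action Allow

# 4. Verify after rollout: which peers actually established a main-mode SA,
#    and which auth set the IPsec rule resolved to.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecRule -DisplayName 'Domain Isolation' | Get-NetIPsecPhase1AuthSet
```

Deploy the IPsec rule with OutboundSecurity Request first and watch the main-mode SA list; anything that should be talking to this host but never appears there is a candidate for an exemption rule before inbound Require is enforced fleet-wide through Group Policy.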
Network Access Protection
Diagram: a Windows client requests access through an enforcement point (NPS with DHCP, VPN or switch/router); policy servers such as patch and AV servers define health; a client that is not policy compliant lands on the restricted network with the remediation servers (example: patch); a policy compliant client reaches the corporate network.
What is Network Access Protection?
Cisco and Microsoft integration story
Health policy validation
Health policy compliance
Ability to provide limited access
Enhanced security
Increased business value
Using Network Access Protection
1. Client requests access to the network and presents its current health state
2. DHCP, VPN or switch/router relays the health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy
4. If not policy compliant, the client is put in a restricted VLAN and given access only to fix-up resources (remediation servers, example: patch) to download patches, configurations and signatures; steps 1 to 4 repeat
5. If policy compliant, the client is granted full access to the corporate network
Caveat: NAP was deprecated in Windows Server 2012 R2 and removed from Windows Server 2016 and the Windows 10 client; NPS remains as the RADIUS server, but the health-check enforcement described here has to come from other controls on current systems.
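An added example, not part of the original deck, that makes steps 3 to 5 concrete: the decision an NPS health policy makes over a Statement of Health (SoH), written as a stand-alone function so it can be read and tested offline, plus a function that builds a SoH from the local machine the way a System Health Agent would. The health policy thresholds and the two constructed SoH reports are this example's own values; the local-state function assumes Windows Defender, the NetSecurity module and Windows Update reachability.

```powershell
# Added example (not from the original deck): NAP health-policy decision logic.
# Test-StatementOfHealth is the NPS side (steps 3-5); Get-LocalStatementOfHealth
# is the client side (step 1). Policy values and the sample SoHs are made up.

$HealthPolicy = @{
    RequireFirewall           = $true
    RequireAntivirus          = $true
    MaxSignatureAgeDays       = 3
    RequireAutoUpdate         = $true
    MaxMissingCriticalPatches = 0
}

function Test-StatementOfHealth {
    param([Parameter(Mandatory)][hashtable]$Soh, [hashtable]$Policy = $HealthPolicy)
    $fix = @()
    if ($Policy.RequireFirewall  -and -not $Soh.FirewallEnabled)  { $fix += 'enable host firewall' }
    if ($Policy.RequireAntivirus -and -not $Soh.AntivirusEnabled) { $fix += 'enable antivirus' }
    elseif ($Policy.RequireAntivirus -and $Soh.SignatureAgeDays -gt $Policy.MaxSignatureAgeDays) {
        $fix += "update AV signatures ($($Soh.SignatureAgeDays) days old)"
    }
    if ($Policy.RequireAutoUpdate -and -not $Soh.AutoUpdateEnabled) { $fix += 'enable automatic updates' }
    if ($Soh.MissingCriticalPatches -gt $Policy.MaxMissingCriticalPatches) {
        $fix += "install $($Soh.MissingCriticalPatches) critical update(s) from the remediation server"
    }
    [pscustomobject]@{
        Client      = $Soh.Host
        Compliant   = ($fix.Count -eq 0)
        Enforcement = if ($fix.Count -eq 0) { 'full access' } else { 'restricted VLAN, remediation resources only' }
        Remediation = $fix
    }
}

function Get-LocalStatementOfHealth {
    # Firewall: every profile must be on; one disabled profile fails the check.
    $disabled = Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'False' }
    # Antivirus: Defender status (other AV products need their own query).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    # Automatic Updates: policy value NoAutoUpdate=1 disables AU.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    # Missing updates through the Windows Update Agent COM API (needs WU/WSUS reachability).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $missing  = @($searcher.Search("IsInstalled=0 and Type='Software'").Updates |
                  Where-Object { $_.MsrcSeverity -eq 'Critical' })
    @{
        Host                   = $env:COMPUTERNAME
        FirewallEnabled        = (-not $disabled)
        AntivirusEnabled       = [bool]$mp.AntivirusEnabled
        SignatureAgeDays       = [int]$mp.AntivirusSignatureAge
        AutoUpdateEnabled      = ($au.NoAutoUpdate -ne 1)
        MissingCriticalPatches = $missing.Count
    }
}

# Constructed SoH reports: one healthy client, one that fails two checks.
$reports = @(
    @{ Host='ws-101'; FirewallEnabled=$true;  AntivirusEnabled=$true; SignatureAgeDays=1;  AutoUpdateEnabled=$true; MissingCriticalPatches=0 }
    @{ Host='ws-102'; FirewallEnabled=$false; AntivirusEnabled=$true; SignatureAgeDays=12; AutoUpdateEnabled=$true; MissingCriticalPatches=2 }
)
$reports | ForEach-Object { Test-StatementOfHealth -Soh $_ } | Format-List

# Against the local machine:
# Test-StatementOfHealth -Soh (Get-LocalStatementOfHealth)
```

The point the slide's loop in step 4 relies on is visible in the output: the non-compliant client is not told "denied", it is told exactly which remediation resources it needs, and the only network it can reach is the one that hosts them.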
AD Rights Management Services
AD RMS protects access to an organization's digital files
AD RMS in Windows Server 2008 includes several new features:
Improved installation and administration experience
Self-enrollment of the AD RMS cluster
Integration with AD Federation Services
New AD RMS administrative roles
Diagram: information author; the recipient
Active Directory Federation Services
AD FS provides an identity access solution
Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
AD FS provides a Web-based SSO solution
AD FS interoperates with other security products that support the Web Services Architecture
AD FS improved in Windows Server 2008
Diagram: account federation server, resource federation server and web server; Adatum and Contoso joined by a federation trust
Federated Rights Management
Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
AD RMS is fully claims-aware and can interpret AD FS claims
Office SharePoint Server 2007 can be configured to accept federated identity claims
Diagram: account federation server, resource federation server; Adatum and Contoso joined by a federation trust; Web SSO
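An added example, not part of the original deck, for the two AD FS slides above: a relying-party trust whose claims let a partner's federated users reach a claims-aware resource such as an AD RMS cluster or SharePoint, with an issuance transform rule set (what the account partner asserts about the user) and an issuance authorization rule (who gets a token at all). The cmdlets and claim rule language are those of the AD FS PowerShell module from AD FS 2.0 (Server 2008 R2) onward; AD FS 1.x on Server 2008 was configured in its MMC snap-in, so this is the current-day equivalent rather than the deck's own procedure. The trust name, metadata URL and group SID are example values.

```powershell
# Added example (not from the original deck): an AD FS relying-party trust for
# a federated AD RMS / SharePoint resource. Run on the federation server as an
# AD FS administrator. Names, URL and SID below are placeholders.

$rpName = 'AD RMS at Contoso'

# Issuance transform rules: what we assert about the user.
# Rule 1 looks up UPN and e-mail in AD for the authenticated Windows account.
# Rule 2 passes group SIDs through so the resource can authorize on them.
$transform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);
'@

# Issuance authorization rule: only members of one group (example SID) get a
# token for this resource. Omitting this entirely means no one is permitted;
# the "permit everyone" template is the usual, and weaker, default.
$authorize = @'
@RuleName = "Permit RMS-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the partner's published federation metadata and apply
# both rule sets in the same call.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataUrl 'https://rms.contoso.com/federationmetadata/2007-06/federationmetadata.xml' `
    -IssuanceTransformRules $transform `
    -IssuanceAuthorizationRules $authorize

# Verify what will be issued and to whom.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

The resource side is where "claims-aware" matters: AD RMS and SharePoint consume the UPN and group-SID claims as the identity of a user they have no account for, so the account partner's transform rules are the effective access-control list for the resource and should emit only the claims the resource actually needs.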
Read-Only Domain Controller
Diagram: main office (writable DC) and branch office (RODC)
Features
Read-only Active Directory database
Only allowed user passwords are stored on the RODC
Unidirectional replication
Role separation
Benefits
Increases security for remote domain controllers where physical security cannot be guaranteed
Supports AD FS, DNS, DHCP, FRS v1, DFSR (FRS v2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
How RODC Works
Diagram: branch RODC and hub Windows Server 2008 DC
1. User logs on and authenticates
2. RODC looks in its database: "I don't have the user's secrets"
3. RODC forwards the request to the Windows Server 2008 DC
4. Windows Server 2008 DC authenticates the request
5. DC returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user, and caches the credentials if the Password Replication Policy allows that account to be cached
Read-only DC Mitigates "Stolen DC"
Diagram: attacker perspective; hub admin perspective
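An added example, not part of the original deck, for the two perspectives on the "stolen DC" slide using the ActiveDirectory module (Server 2008 R2 RSAT or later): the hub admin keeps the Password Replication Policy narrow before the theft, an attacker holding the RODC's disk gets only the accounts the hub DC lists as revealed on it, and the hub admin's response afterwards is to reset exactly those secrets. RODC01 and the Branch-Users group are example names; the response function defaults to a dry run.

```powershell
# Added example (not from the original deck): Password Replication Policy
# hygiene and the stolen-RODC response. RODC01 / Branch-Users are placeholders.

Import-Module ActiveDirectory
$rodc = 'RODC01'

# Hub admin, before the theft: only this group's members may be cached on the
# RODC. Privileged groups are in the default Denied list; leave them there.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Attacker perspective: the full set of secrets on the stolen disk is the
# revealed list the hub DC keeps for that RODC; nothing else was ever there.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Hub admin, after the theft: reset every revealed user secret (the same action
# the RODC deletion wizard in AD Users and Computers offers), then delete the
# RODC computer object through that wizard so metadata cleanup runs as well.
function Invoke-StolenRodcResponse {
    param([Parameter(Mandatory)][string]$Rodc, [switch]$Commit)
    $dryRun = -not $Commit
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    foreach ($acct in Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts) {
        switch ($acct.ObjectClass) {
            'user' {
                # Random password the user never learns; force a change at next logon.
                $bytes = New-Object byte[] 24
                $rng.GetBytes($bytes)
                $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
                Set-ADAccountPassword -Identity $acct -Reset -NewPassword $pw -WhatIf:$dryRun
                Set-ADUser -Identity $acct -ChangePasswordAtLogon $true -WhatIf:$dryRun
                [pscustomobject]@{ Account = $acct.Name; Action = 'password reset' }
            }
            'computer' {
                # Machine secrets were revealed too; these hosts need their
                # machine account reset and a rejoin, so list them for follow-up.
                [pscustomobject]@{ Account = $acct.Name; Action = 'machine account reset + rejoin required' }
            }
        }
    }
}

# Dry run first; add -Commit to perform the resets.
Invoke-StolenRodcResponse -Rodc $rodc
```

The revealed list is also the audit metric for the feature: if it contains accounts that are not branch users, the Allowed list is too wide, and the "stolen DC" mitigation is weaker than the slide assumes.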
PKI Enhancements
Enterprise PKI (PKIView): now a Microsoft Management Console snap-in
Support for Unicode characters
Online Certificate Status Protocol (OCSP): online responders, responder arrays
Network Device Enrollment Service: Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP), used to issue certificates to network devices so they can secure their communications with IPsec
Web Enrollment: the previous ActiveX® enrollment control (XEnroll.dll) is removed; enhanced new COM enrollment control (CertEnroll.dll)
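An added example, not part of the original deck, that checks the OCSP side of the slide from the client's point of view: read the responder URLs out of a certificate's Authority Information Access extension and run the Windows chain engine with online revocation checking so you can see whether the responder (or array) actually answered, rather than assuming PKIView's green status means clients can reach it. It uses the .NET X509Chain API that Windows PKI clients use; the certificate path is an example and the host needs network access to the responder.

```powershell
# Added example (not from the original deck): does revocation checking for
# this certificate succeed against its OCSP responder? Path is a placeholder.

function Test-OcspRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # AIA extension (OID 1.3.6.1.5.5.7.1.1): access methods for OCSP
    # (1.3.6.1.5.5.7.48.1) and CA Issuers (1.3.6.1.5.5.7.48.2), each with a URL.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $ocspUrls = @()
    if ($aia) {
        foreach ($block in ($aia.Format($true) -split 'Access Method=')) {
            if ($block -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $block -match 'URL=(\S+)') {
                $ocspUrls += $Matches[1]
            }
        }
    }

    # Build the chain with online revocation checking for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode        = 'Online'
    $chain.ChainPolicy.RevocationFlag        = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout   = [TimeSpan]::FromSeconds(15)
    $valid  = $chain.Build($cert)
    $status = @($chain.ChainStatus)

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        OcspResponders    = $ocspUrls
        ChainValid        = $valid
        Revoked           = [bool]($status | Where-Object { $_.Status -eq 'Revoked' })
        # Unknown = the responder (and any CRL fallback) could not be reached
        # or returned nothing usable; clients treat that as a failure for
        # EntireChain, so it is the condition a responder array must prevent.
        RevocationUnknown = [bool]($status | Where-Object { $_.Status -in 'RevocationStatusUnknown', 'OfflineRevocation' })
        Details           = ($status | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

Test-OcspRevocation -Path 'C:\pki\server.cer' | Format-List

# For the raw exchange (each AIA/CDP URL fetched and the OCSP response decoded):
# certutil -verify -urlfetch C:\pki\server.cer
```

An OCSP responder that is published in AIA but unreachable from the client network is worse than none: chains that would have fallen back to a cached CRL now report RevocationStatusUnknown, which is the failure mode the responder-array feature on the slide exists to avoid.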
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Next Steps
Appendix