
NEXT GENERATION SECURITY TAL SARID | PRINCIPAL CONSULTANT | MCS

Uploaded by colin-fisher, 12-Jan-2016

Page 1: NEXT GENERATION SECURITY
TAL SARID | PRINCIPAL CONSULTANT | MCS

Page 2: Agenda
• Today's Security Challenges
• Windows Security
• Next Generation Windows 2012 Security

Page 3: In the news…

Phone-call security scam targeting PC users
Microsoft is warning customers about a new threat where criminals acting as computer security engineers call people at home to warn them about a security threat.

Lost Devices Cost Companies Billions
Last month, an oil giant announced an unencrypted laptop containing sensitive information on 13,000 individuals. The incident may cost

The Stealthiest Rootkit in the Wild?
Feds launched the raids against individuals who have allegedly been managing the Rustock "botnet," a vast network of computers around the globe that have been infected with malicious software that allows the devices to distribute enormous volumes of spam...

Michigan firm about to determine 200,000 account passwords in under an hour
The most popular passwords among nearly 400,000 exposed by the Gawker hack were "123456" and "password", according to an analysis done by a Michigan security firm.

RSA warns customers after company is hacked
SecurID tokens from EMC's RSA Security division, which are used for two-factor authentication, have been compromised after a sophisticated cyber-attack…

Security firm's confidential data is exposed after successful hack
A web application security provider has just revealed that a cyber attack appears to have exposed sensitive data about the company's partners and employees, including their login credentials. Representatives from the company haven't responded to emails asking for confirmation...

Microsoft Work Exposes Magnitude of Botnet Threat
Microsoft's Security Intelligence Report sheds light on the expanding threat that bots…

Researchers Discover Link Between a Series of Trojans
A difficult-to-remove rootkit behind numerous sophisticated attacks appears to have helped spread yet another Trojan.

Page 4: Challenges

Page 5: 2012: IT challenges
• What generation are you?
• Going hybrid…
• Mobile
[Diagram labels: Mobile Workforce, Generational, Hybrid, Cloud]

Page 6: Devices
[Diagram labels: BROWSERS, SMART PHONES, SLATES, PCs, LAPTOPS, SERVERS]
Today there are as many devices as humans on the planet!
In 3 years there will be a ratio of 3:1 for every human!!!

Page 7: Security "things" to think about…
• Encryption
• Assurance Level
• Policy
• Auditing
• Identity
• Remote Access
• Information Protection

Pages 8 to 12: SERVERS, PCs, LAPTOPS, SLATES, SMART PHONES (one device class per slide)

Page 13: BUILT FROM THE CLOUD UP
Work-life blur. Information on the go. Productive from anywhere.
Windows Security

Page 14: Windows Security

Page 15: DEVICES / COMPUTE
• Centralized Management
• Secure Remote Access
• Virtual Smartcards
• Trusted Boot
• Bitlocker
• Direct Access

Page 16: Virtual Smartcards

Page 17: Virtual Smart Cards
• Emulate the functionality of traditional smart cards
• Utilize the Trusted Platform Module (TPM)
• Multiple virtual smart cards can be associated with a single computer to support multiple users
• Provide a level of security assurance comparable to traditional smart cards:
  • Non-exportability
  • Isolated cryptography
  • Anti-hammering

Page 18: Trusted & Measured Boot

Page 19: Trusted Boot: Early Load Anti-Malware

Until now (BIOS): BIOS → OS Loader (Malware) → 3rd Party Drivers (Malware) → Anti-Malware Software Start → Windows Logon
• Malware is able to boot before the OS and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts

Windows 8 (Native UEFI 2.3.1): UEFI → Windows 8 OS Loader → Anti-Malware Software Start → 3rd Party Drivers → Windows Logon
• Secure Boot loads Anti-Malware early in the boot process
• The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection

Page 20: Enhanced Measured Boot

Windows 7: BIOS → MBR & Boot Sector → OS Loader → Kernel Initialization → 3rd Party Drivers
• Measurements of some boot components are evaluated as part of boot
• Only enabled when BitLocker has been provisioned

Windows 8: UEFI → Windows 8 OS Loader → Windows Kernel & Drivers → Anti-Malware Software
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker is not required
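The Windows 8 column above describes measuring every boot component into the TPM and letting a remote attestation service evaluate the result. The Python below is an added illustration, not code from the slides or from Microsoft: it simulates the TPM extend operation over a constructed boot chain, then plays the attestation side, replaying the event log and checking each digest against an allow-list. The component names and images, and the single-PCR model, are assumptions.

```python
import hashlib

# Constructed stand-ins for the boot components measured on a Windows 8 machine
# (UEFI firmware -> OS loader -> kernel & drivers -> ELAM anti-malware driver).
GOOD_CHAIN = [
    ("uefi-firmware", b"UEFI 2.3.1 firmware image (constructed)"),
    ("os-loader", b"Windows 8 OS loader (constructed)"),
    ("kernel-and-drivers", b"Windows kernel + boot drivers (constructed)"),
    ("elam-driver", b"anti-malware ELAM driver (constructed)"),
]
# Allow-list an attestation service would hold: component name -> expected digest.
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest() for name, img in GOOD_CHAIN}

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || measurement). The chaining is
    one-way, so no component can be swapped without changing the final value."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(chain):
    """Simulate the firmware/loader measuring each component into one PCR.
    Returns the final PCR (hex) and the event log the verifier replays."""
    pcr = bytes(32)  # PCRs are all-zero after platform reset
    event_log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr.hex(), event_log

def attest(reported_pcr: str, event_log, known_good: dict) -> bool:
    """Remote attestation side: replay the log and require it to reproduce
    the TPM-reported PCR, then check every digest against the allow-list."""
    pcr = bytes(32)
    for _, digest_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    if pcr.hex() != reported_pcr:
        return False  # log does not match what the TPM actually recorded
    return all(known_good.get(name) == digest for name, digest in event_log)

def healthy_client() -> bool:
    pcr, log = measure_boot(GOOD_CHAIN)
    return attest(pcr, log, KNOWN_GOOD)

def tampered_loader_client() -> bool:
    """Same chain, but the OS loader image differs by one byte (constructed)."""
    chain = [(n, img + b"!" if n == "os-loader" else img) for n, img in GOOD_CHAIN]
    pcr, log = measure_boot(chain)
    return attest(pcr, log, KNOWN_GOOD)
```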

Page 21: Bitlocker

Page 22: Bitlocker
MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Windows 8 Improvements
• Fast encryption with Used Disk Space Only Encryption
• ActiveSync to enforce BitLocker on non-domain-joined & BYOD devices

Server 2012 Improvements
• Storage Area Networks (SAN) Support
• Windows Server Cluster Support
• Network Unlock
• Active Directory Users and Computers UI

Enterprise Management with MBAM…

Page 23:
www.microsoft.com/en-us/download/details.aspx?id=24626&hash=wNAzyTY2nXoIrlY%2b3LjX45stIwpLzu%2fntPqr2g5CO4PpkwNm%2bmCwOP6Ta0lfDFIOlHWZVrhU%2bbePlDwrmPHw7A%3d%3d
www.Microsoft.com/getmbam

Page 24: Direct Access

Page 25: COMPUTE – What is DirectAccess?

[Diagram: DirectAccess Client (Windows 8, domain member) → Internet → DirectAccess Server (Windows 2012) → Corporate Network (Applications & Data; DC & DNS (Win 2003+); Management Servers)]
• IPsec – using computer certificates, domain membership, possibly smartcards and NAP health certificates
• Possible IPsec end-to-end
• IPv6 tunneling / IPv6 Transition Technologies
• Group Policy

Page 26: Let's take a look…

Page 27: BUILT FROM THE CLOUD UP
Next Generation Security: Windows 2012 Server

Page 28: Security enhancements
• Virtualization security: Extensible switch, Virtual Networks
• PKI management and lifecycle: Certificates
• New Windows settings, features and control: Group Policy
• Data classification, Auditing, Encryption, Expression based access: Dynamic Access Control

Page 29: My Top 5 Security Group Policy Settings
1. Prevent connection to non-domain networks when connected to domain authentication network
2. Advanced Auditing Policy Configuration
3. File Servers – Central Access Policy
4. Log Certificate Expiry events
5. Kerberos Client support for claims

Page 30: Virtualization

Page 31: Hyper-V Network Virtualization

Server Virtualization
• Run multiple virtual servers on a physical server
• Each VM has the illusion it is running as a physical server
[Diagram: Blue VM, Red VM → Virtualization → Physical Server]

Hyper-V Network Virtualization
• Run multiple virtual networks on a physical network
• Each virtual network has the illusion it is running as a physical network
[Diagram: Blue Network, Red Network → Virtualization → Physical Network]

Page 32: Different subnets – Standards-Based Encapsulation (NVGRE)

[Diagram: two encapsulated packets travel between provider addresses 10.0.0.5 and 10.0.0.7; one carries GRE Key 5001 and the other GRE Key 6001, and each wraps an inner frame (MAC header) from customer address 192.168.2.22 to 192.168.5.55, so identical customer addresses are kept apart by the GRE key.]

http://www.ietf.org/id/draft-sridharan-virtualization-nvgre-01.txt
http://tools.ietf.org/html/rfc1701
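As an added example (not from the slides or from Microsoft), the Python below builds and parses the NVGRE packets the diagram sketches: an outer IPv4 header between provider addresses 10.0.0.5 and 10.0.0.7, a GRE header whose key carries the virtual subnet ID, and an inner customer frame from 192.168.2.22 to 192.168.5.55. The key layout (24-bit VSID, 8-bit FlowID) follows RFC 7637, the published version of the draft linked above; the MAC addresses and the receiving host's VM lookup table are constructed.

```python
import ipaddress
import struct

GRE_FLAGS_KEY_ONLY = 0x2000   # GRE flags/version word with only the K (key present) bit set
ETHERTYPE_TEB = 0x6558        # Transparent Ethernet Bridging: payload is an Ethernet frame
IPPROTO_GRE = 47

def ipv4_header(src, dst, payload_len, proto):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def customer_frame(customer_src, customer_dst):
    """Inner Ethernet + IPv4 frame as a tenant VM would emit it (placeholder MACs)."""
    eth = bytes.fromhex("00155d0000b2") + bytes.fromhex("00155d0000a1") + struct.pack("!H", 0x0800)
    return eth + ipv4_header(customer_src, customer_dst, 0, 0)

def nvgre_encap(provider_src, provider_dst, vsid, flow_id, inner):
    """Outer IPv4 + GRE header; key = VSID (24 bits) << 8 | FlowID (8 bits), RFC 7637 layout."""
    if not 0 <= vsid < (1 << 24):
        raise ValueError("VSID must fit in 24 bits")
    gre = struct.pack("!HHI", GRE_FLAGS_KEY_ONLY, ETHERTYPE_TEB, (vsid << 8) | (flow_id & 0xFF))
    return ipv4_header(provider_src, provider_dst, len(gre) + len(inner), IPPROTO_GRE) + gre + inner

def nvgre_decap(packet):
    """Return (provider_src, provider_dst, vsid, flow_id, inner_frame) or raise on non-NVGRE input."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto, key = struct.unpack_from("!HHI", packet, ihl)
    if flags != GRE_FLAGS_KEY_ONLY or proto != ETHERTYPE_TEB:
        raise ValueError("GRE header is not NVGRE (key bit + TEB ethertype expected)")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, key >> 8, key & 0xFF, packet[ihl + 8:]

# Constructed lookup on host 10.0.0.7: the same customer address exists in both
# virtual subnets, and only the VSID tells the host which VM should receive the frame.
VSID_BLUE, VSID_RED = 5001, 6001
LOOKUP = {(VSID_BLUE, "192.168.5.55"): "Blue VM", (VSID_RED, "192.168.5.55"): "Red VM"}

def deliver(packet):
    """Decapsulate on the receiving host and pick the VM by (VSID, customer destination)."""
    _, _, vsid, _, inner = nvgre_decap(packet)
    customer_dst = str(ipaddress.IPv4Address(inner[14 + 16:14 + 20]))  # skip 14-byte Ethernet header
    return LOOKUP.get((vsid, customer_dst), "dropped: no VM for this VSID/address")
```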

Page 33: Extensible (Layer 2) Switch
• Capture Extensions
• WFP Extensions
• Filtering Extensions
• Forwarding Extensions

Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action

Page 34: Cisco Nexus 1000V for Hyper-V

Page 35: Hyper-V Network Virtualization Ecosystem

Page 36: Certificates

Page 37: Certificates not a niche service anymore…

Authentication: Smartcards, SSL Client Auth, Non Domain joined, SCOM, Mobile Device, Wireless, Federations, Azure, Office 365
Digital Signatures: Authenticode, Applications, S/MIME Signature, Driver Signing
Encryption: SSL, LDAP/S, S/MIME Encryption, EFS, IPSEC, Routers
Health (NAP): Wireless, Wired, DHCP, IPSEC, Direct Access, Remote Desktop

Page 38: My Top 5 new features in Certificate Services
1. Certificate store expiry notifications
2. Group protected PFX
3. Shared SSL storage
4. Version 4 templates
5. Non Domain Joined Issuance and renewal!

Page 39: Dynamic Access Control (DAC)

Page 40: DAC Concepts

Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.

Page 41: Central access policies

User claims (AD DS)
  User.Department = Finance
  User.Clearance = High

Device claims (AD DS)
  Device.Department = Finance
  Device.Managed = True

Resource properties (File Server)
  Resource.Department = Finance
  Resource.Impact = High

ACCESS POLICY
  Applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
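The access policy above is a claims expression, and the Python below is an added worked example (not Microsoft's evaluator) of how a file server applies it: a small recursive-descent evaluator for the @Scope.Attribute == value / AND / OR language, plus a decision function that first tests the "applies to" target and then the allow condition. It assumes the file's resource properties are exposed under the @File scope, as the slide's rule does.

```python
import re

# Tokens of the slide's condition language: parentheses, ==, AND/OR,
# @Scope.Attribute references, and bare literals such as High or True.
TOKEN = re.compile(r"\(|\)|==|\bAND\b|\bOR\b|@\w+\.\w+|\w+")
def evaluate(expr, ctx):
    """Recursive-descent evaluation of a DAC-style condition against ctx (constructed,
    not Microsoft's evaluator): expr = term (OR term)*; term = factor (AND factor)*."""
    toks, pos = TOKEN.findall(expr), 0
    def operand():  # @User.Department -> ctx["User"]["Department"]; missing claim -> None
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok.startswith("@"):
            scope, attr = tok[1:].split(".", 1)
            return ctx.get(scope, {}).get(attr)
        return {"True": True, "False": False}.get(tok, tok)
    def factor():  # '(' expr ')' | operand == operand
        nonlocal pos
        if toks[pos] == "(":
            pos += 1
            value = expression()
            pos += 1  # consume ')'
            return value
        left = operand()
        if toks[pos] != "==":
            raise ValueError("only == comparisons are supported")
        pos += 1
        return left == operand()
    def term():
        nonlocal pos
        value = factor()
        while pos < len(toks) and toks[pos] == "AND":
            pos += 1
            value = factor() and value  # right side first, so its tokens are always consumed
        return value
    def expression():
        nonlocal pos
        value = term()
        while pos < len(toks) and toks[pos] == "OR":
            pos += 1
            value = term() or value
        return value
    return expression()

# The central access rule from the slide; 'File' is the resource-property scope.
POLICY = {"applies_to": "@File.Impact == High", "permissions": ["Read", "Write"],
          "condition": "(@User.Department == @File.Department) AND (@Device.Managed == True)"}

def central_policy_decision(policy, ctx, requested):
    # 'n/a' when the rule does not target the file (only the NTFS DACL then applies)
    if not evaluate(policy["applies_to"], ctx):
        return "n/a"
    return "allow" if requested in policy["permissions"] and evaluate(policy["condition"], ctx) else "deny"
```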

Page 42: Let's take a look…

Page 44: So…what did we talk about?

Mobile and Windows Security
• Virtual Smartcards, Secure Boot, Measured Boot, Bitlocker, Direct Access…

Server 2012 Security
• Network Virtualization, Group Policy, DAC, RMS and ADCS…

Next Steps

Page 45: TAL SARID | PRINCIPAL CONSULTANT | MCS. Agenda Today’s Security Challenges Windows Security Next Generation Windows 2012 Security

• Windows 2012 Jumpstart: http://technet.microsoft.com/en-us/video/windows-server-2012-jump-start-01-core-hyper-v.aspx• Windows 2012 Virtual Labs: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx• Private Cloud Jumpstart: http://technet.microsoft.com/en-us/video/private-cloud-jump-start-01-introduction-to-the-microsoft-private-cloud-with-

system-center-2012

Hands on Labs

Page 46: Going Hybrid
[Diagram labels: Windows 2012, PRIVATE CLOUDs, Windows Azure, Hybrid, DEVICES, COMPUTE, VIRTUALIZED SERVERS & DEVICES]

Page 47: BUILT FROM THE CLOUD UP – WHAT NEXT?
DOWNLOAD WINDOWS SERVER 2012 RTM: HTTP://TECHNET.MICROSOFT.COM/HE-IL/EVALCENTER/HH670538

Page 48: BUILT FROM THE CLOUD UP – NEXT GEN YOUR SECURITY!

Page 49: THANK YOU.
Tal Sarid | Principal Consultant | MCS
[email protected]