Windows Server 2008 Security Overview Short
DESCRIPTION
In this presentation we review the security changes in Windows 2008 and Windows 2008 R2.
Regards, Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP
http://mswindowscr.org
http://comunidadwindows.org
Costa Rica
TRANSCRIPT
![Page 1: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/1.jpg)
![Page 2: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/2.jpg)
Ing. Eduardo Castro, PhD
Comunidad Windows
http://comunidadwindows.org
![Page 3: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/3.jpg)
“Windows Server 2008 helps Macquarie operate… our remote offices more securely and efficiently than we could in the past.”
Phillip Dundas, Technical Team Lead, Windows Server Group, Information Technology Group, Macquarie Group Limited
“We’ll be able to use RODC to place domain controllers at sites where physical security has always been a concern and we’ll have much better control over our remote infrastructure.”
Loic Calvez, Senior Enterprise Infrastructure Architect, Lafarge
“The public key infrastructure that we created through our deployment of Windows Server 2008 has fundamentally increased the level of information security that we have at the bank.”
Security Director, PKO Bank Polski
“We are confident that the bank is now more secure, that devices accessing our network are secure, and that those devices meet our current network policy for access.”
Howard Witherby, Senior Vice President of Operations, National Bank & Trust
![Page 4: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/4.jpg)
Security Development Lifecycle
Installation Options
Read Only Domain Controller (RODC)
Network Access Protection (NAP)
Others
![Page 5: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/5.jpg)
Foundation
Service Hardening*
Kernel Patch Protection*
Data Execution Prevention*
BitLocker*
Mostly Server
R2
DirectAccess
AppLocker
Enhanced Storage Access
DNSSEC
Enhanced Auditing*
Suite-B for EFS, Kerberos, TLS v1.2 and more
Mostly Windows 7
BitLocker to Go
Multiple Firewall Profiles
Streamlined UAC
Biometric Framework
HTTP PKI Enroll
PIV Smartcards
![Page 6: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/6.jpg)
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security
Internet Protocol Security
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
![Page 7: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/7.jpg)
![Page 8: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/8.jpg)
Create inbound and outbound rules
Create a firewall rule limiting a service
![Page 9: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/9.jpg)
Integrated with WFAS
IPSec improvements
Simplified IPSec policy configuration
Client-to-DC IPSec protection
Improved load balancing and clustering server support
Improved IPSec authentication
Integration with NAP
Multiple authentication methods
New cryptographic support
Integrated IPv4 and IPv6 support
Extended events and performance monitor counters
Network diagnostics framework support
![Page 10: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/10.jpg)
What changes have been made to AD DS auditing?
![Page 11: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/11.jpg)
New Functionality
AD database
Unidirectional replication
Credential caching
Password replication policy
Administrator role separation
Read-Only DNS
Requirements/special considerations
RODC
![Page 12: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/12.jpg)
A read-only Active Directory Domain Services database
Unidirectional replication mitigating misinformation even if a change is made on a RODC
Caching of only specific attributes based
Credential caching for only specific users
Separation of administrator capabilities
Read-only DNS
Pre-create RODC account allowing local installation without the need for admin credentials
![Page 13: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/13.jpg)
Data protection
Drive encryption
Integrity checking
BDE hardware and software requirements
![Page 14: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/14.jpg)
Easier management through PKIView
Certificate Web enrollment
Network device enrollment service
Managing certificates with Group Policy
Certificate deployment changes
Online Certificate Status Protocol support
Cryptography Next Generation
![Page 15: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/15.jpg)
Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network Communications Security
![Page 16: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/16.jpg)
![Page 17: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/17.jpg)

| Network Access Protection | Network Access Quarantine Control |
| --- | --- |
| Internal, VPN, and Remote Access Clients | Only VPN and Remote Access Clients |
| IPSec, 802.1X, DHCP, and VPN | DHCP and VPN |
| NAP NPS and Client included in Windows Server 2008; NAP client included in Windows Vista | Installed from Windows Server 2003 Resource Kit |

![Page 18: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/18.jpg)
Automatic remediation
Health policy validation
Health policy compliance
Limited access
![Page 19: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/19.jpg)
How it works
1. Client requests access to network and presents current health state
2. DHCP, VPN, or Switch/Router relays health status to Microsoft Network Policy Server (NPS) via Remote Authentication Dial-In User Service (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy-compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy-compliant, client is granted full access to corporate network
(Diagram labels: Windows Client; DHCP, VPN, Switch/Router; Microsoft NPS; Policy Servers e.g. Patch, Antivirus; Restricted Network; Fix Up Servers e.g. Patch; Corporate Network; Policy-compliant; Not policy-compliant)
![Page 20: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/20.jpg)
802.1X
VPN
IPSec
DHCP
NPS RADIUS
![Page 21: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/21.jpg)
Create a NAP policy
Use the MMC to create NAP configuration settings
Create a new RADIUS client
Create a new system health validator for Windows Vista and Windows XP SP2
![Page 22: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/22.jpg)
Logical Networks
IPSec Enforcement
IEEE 802.1X
Remote Access VPNs
DHCP
![Page 23: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/23.jpg)
![Page 24: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/24.jpg)
Checking the health and status of roaming laptops
Ensuring the health of corporate desktops
Determining the health of visiting laptops
Verify the compliance of home computers
![Page 25: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/25.jpg)
Carefully test and plan all security policies
Implement Network Access Protection
Use Windows Firewall and Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers, where appropriate
Implement BitLocker Drive Encryption
Take advantage of PKI improvements
![Page 26: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/26.jpg)
How Group Policy works now...
Templates: ADM templates difficult to manage
Troubleshooting: Userenv log, GP Result
Templates and Replication: Journal Wrap anyone? Bloated SYSVOL?
Local GPOs: Limited flexibility with a single local GPO
Settings: ~1,800 policy settings in XP; incomplete coverage means missing key scenarios
Group Policy Process: Part of Winlogon
Network: Limited awareness of changing network conditions
(Diagram labels: LGPOs; LGPO Local Computer Policy; DC SysVol; ADM files)
Group Policy Changes
Group Policy Service: GP now runs in a shared service; hardened service, more reliable
Group Policy Settings: Over 800 new policy changes with Windows Vista; extended GP for new Windows Vista features
Network Location Awareness (NLA): NLA service provides the latest network information; applications can query or register with NLA for network change indications
Group Policy Logging: Administrative log; Applications and Services log; XML based event logs; New Tools - GPOLogView
Group Policy Templates: ADM Templates now in ADMX files (ADMX, ADML)
Multiple Local GPOs: User Specified Group Policy; Admin/Non-Admin Group Policy; Local Computer Policy
Group Policy Central Store: Centralized repository for ADMX; created in the Sysvol on DC in each domain; new Replicator with DFS-R
(Diagram labels: Windows Vista/Windows Server 2008; ADM, ADMX; LGPOs, LGPO, Admin, User; DC, FRS/DFS-R, SysVol; Policies, GUID, ADM; Policy Definitions, ADMX, ADML files)
![Page 27: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/27.jpg)
What is new?
GP PowerShell features
Adding to GP scripts extensions
PowerShell cmdlets to perform GP operations
Starter GPOs in-box in Windows 7
Best practices that map to the security guide
ADMX enhancements
GP Preferences enhancements
GP Preferences, new in Windows Server 2008
New items added to support new OS functionality
![Page 28: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/28.jpg)
Import-Module GroupPolicy
Get-Help *-GP*
New
• New-GPLink
• New-GPO
• New-GPStarterGPO
Get
• Get-GPInheritance
• Get-GPO
• Get-GPOReport
• Get-GPPermissions
• Get-GPPrefRegistryValue
• Get-GPRegistryValue
• Get-GPResultantSetOfPolicy
• Get-GPStarterGPO
Set
• Set-GPInheritance
• Set-GPLink
• Set-GPPermissions
• Set-GPPrefRegistryValue
• Set-GPRegistryValue
Remove
• Remove-GPLink
• Remove-GPO
• Remove-GPPrefRegistryValue
• Remove-GPRegistryValue
Misc
• Backup-GPO
• Copy-GPO
• Import-GPO
• Rename-GPO
• Restore-GPO
![Page 29: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/29.jpg)
Have heard up to 11,000 GPOs
Not best practice
GPMC has perf issues loading
Management difficulties
Troubleshooting difficulties
Migration difficulties
Recommendation:
Consolidate
AGPM is tested up to 2000 GPOs
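An added example (not from the original slides): a read-only inventory built on the GroupPolicy cmdlets listed earlier, flagging GPOs that are candidates for the consolidation recommended above. It assumes a domain-joined machine with the GroupPolicy module installed and read access to all GPOs; the function name `Get-GpoConsolidationCandidate` and the `StaleDays` threshold are hypothetical.

```powershell
# Added example: read-only GPO inventory that flags consolidation candidates.
# Assumes a domain-joined host with the GroupPolicy module (GPMC/RSAT) and
# read access to all GPOs. Nothing is modified or deleted.
Import-Module GroupPolicy

function Get-GpoConsolidationCandidate {
    param(
        # Hypothetical threshold: GPOs unmodified for this many days are "Stale".
        [int]$StaleDays = 365
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($gpo in (Get-GPO -All)) {
        # The XML report exposes the links and the configured extensions.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # LinksTo is absent for an unlinked GPO; filter out the resulting $null.
        $links        = @($report.GPO.LinksTo | Where-Object { $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

        # ExtensionData exists only when that side actually contains settings.
        $hasComputer = [bool]$report.GPO.Computer.ExtensionData
        $hasUser     = [bool]$report.GPO.User.ExtensionData

        $reasons = @()
        if ($links.Count -eq 0)                       { $reasons += 'Unlinked' }
        elseif ($enabledLinks.Count -eq 0)            { $reasons += 'AllLinksDisabled' }
        if (-not ($hasComputer -or $hasUser))         { $reasons += 'NoSettings' }
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $reasons += 'AllSettingsDisabled' }
        if ($gpo.ModificationTime -lt $cutoff)        { $reasons += 'Stale' }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                DisplayName      = $gpo.DisplayName
                Id               = $gpo.Id
                GpoStatus        = $gpo.GpoStatus
                LinkCount        = $links.Count
                ModificationTime = $gpo.ModificationTime
                Reasons          = ($reasons -join ',')
            } | Select-Object DisplayName, Id, GpoStatus, LinkCount, ModificationTime, Reasons
        }
    }
}

# List every flagged GPO with the reasons it was flagged.
Get-GpoConsolidationCandidate | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
```

Review the output before acting on it; `Backup-GPO` from the cmdlet list preserves a GPO ahead of any later cleanup.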
![Page 30: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/30.jpg)
New UI: More intuitive, integrated help content, no more tabs
Support for:
REG_MultiSZ
REG_QWORD
![Page 31: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/31.jpg)
Starter GPOs & ADMX UI
![Page 32: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/32.jpg)
Preference Settings
Not true “Policy”
More control of desktop – more settings!
Not limited to policy-aware applications
Ease of administration through rich UI
Better targeting
New in Windows 7
Support for new Power Plan settings
Support for new Schedule task triggers, actions, etc.
![Page 33: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/33.jpg)
![Page 34: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/34.jpg)
Group Policies (Native / Managed)
• Settings are enforced, user cannot change settings
• Settings revert back to original setting
• Highest precedence
• Work only on specific registry location
Group Policy Preferences
• Users can change settings
• Multiple items per GPO
• Can write registry settings to more than HKCU, HKLM hives
• Granular Targeting of individual items
![Page 35: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/35.jpg)
Drive Mappings
Regional Settings
Printer Mappings
Shortcuts
Start Menu
Internet Explorer Settings
![Page 36: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/36.jpg)
Local Users and Groups
Services
Network Shares
Environment Variables
![Page 37: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/37.jpg)
Familiar Experience
Clearer to understand and find
Easy to manage
Better control of individual settings – Red/Green
Powerful browsers
Avoids typing errors
Configure settings quicker
![Page 38: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/38.jpg)
29 different targeting options
Boolean AND, OR, IS, IS NOT
Wildcard support
“WSBNE*”
Target on the item, not just the GPO
![Page 39: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/39.jpg)
Item level targeting, not GPO level
Robust targeting
29 types
Boolean logic (And, Or, Not)
Collections
Intuitive UI
No need to learn query languages
![Page 40: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/40.jpg)
Apply once and do not reapply
Remove when no longer applicable
Create – Replace - Update - Delete
More than just Enable vs Disable
![Page 41: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/41.jpg)
Active Directory: Windows 2000
Console - Group Policy Manager Console - Snap-in
Part of the Remote Server Admin Tool (link and end)
One Windows 7 client or Windows Server 2008 R2 Terminal Server
Client - Client Side Extensions (CSE’s)
![Page 42: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/42.jpg)
3000 Total ADMX settings
300 new ADMX settings
IE more than 90 new
Bitlocker
Taskbar
Power
Terminal Services rebranded “Remote Desktop Services”
Settings Spreadsheet
![Page 43: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/43.jpg)
12 settings added under Security Options
Restrict NTLM (multiple)
Kerberos encryption types
Local System null session fallback
Only supported on Windows 7 & Windows Server 2008 R2
Settings Spreadsheet
![Page 44: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/44.jpg)
Wireless Network (IEEE 802.11) Policies
Public Key Policies
Certificate Services Client - Certificate Enrollment Policy
BitLocker Drive Encryption
Network Access Protection
Enforcement Clients: Removed RAQ EC and TS Gateway
Enforcement Clients: Added RD Gateway QEC
Application Control Policies – AppLocker
Advanced Audit Policy Configuration
Name Resolution Policy
![Page 45: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/45.jpg)
Storage growth
Storage cost
Compliance
Security and information leakage
Replication
Backup
HSM
Security
Archive
Encryption
Expiration
Increasing data management needs / many data management products
![Page 46: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/46.jpg)
Need per project share
Make sure business secret files do not leak out
Backup files with personal information to encrypted store
Expire low business impact files created three years ago and not touched for a year
IT Business
![Page 47: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/47.jpg)
![Page 48: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/48.jpg)
Step 1: Classify data
Step 2: Apply policy according to classification
![Page 49: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/49.jpg)
Need per project share
Make sure business secret files do not leak out
Backup files with personal information to encrypted store
Expire low business impact files created three years ago and not touched for a year
IT Business
Personal Information
Secrecy
![Page 50: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/50.jpg)
Step 1: Classify data
Step 2: Apply policy based on classification
Manual
Line Of Business application
Automatic classification
Location
Content
Owner
Other
IT Scripts
Backup
Archive
Reports
Expiration
Security Leakage prevention
Search
Custom commands
![Page 51: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/51.jpg)
Discover Data
Extract classification properties
Classify data
Store classification properties
Apply Policy based on classification
Extensible infrastructure-Partner ecosystem
Inbox end to end scenarios
Integration with SharePoint
Windows Server 2008 R2 File Classification Extensibility points
Set classification properties API for external applications
Get classification properties API for external applications
![Page 52: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/52.jpg)
When using IPSec – employ ESP with encryption
Carefully test and verify all IPSec Policies
Consider using Domain isolation
Use quality of service to improve bandwidth
Plan to prioritize traffic on the network
Apply network access protection to secure client computers
![Page 53: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/53.jpg)
IPSec Server Domain Isolation
Full Volume Bitlocker on Servers
New elliptic curve encryption strength
Network Level Authentication for RDP
Service Profiling
New Levels of System Auditing
… and many more
![Page 54: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/54.jpg)
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
![Page 55: Windows Server 2008 Security Overview Short](https://reader031.vdocuments.net/reader031/viewer/2022013114/546c9fbbb4af9f842c8b5181/html5/thumbnails/55.jpg)