Securing Your IT Infrastructure with Windows Server 2008

decisioncrunch, Networking and Communications

Nov 20, 2013

Securing Your IT Infrastructure with Windows Server 2008

Presenter Name, Title, Microsoft Corporation

Security on Windows Server 2008
- Secure Platform
- Secure Access Control
- Secure Information and Compliance


Customer Challenges

Data security and compliance
- Unauthorized use of data, documents and emails
- Legal and regulatory issues due to loss of sensitive data
- Competitive disadvantage due to loss of corporate intellectual property

Unauthorized access
- Unauthorized users able to access the network
- Non-compliant devices gain access and thereby corrupt the network
- Wireless network security is difficult to deploy and manage

Platform Reliability
- File system and registry are easy targets for attacks
- Fewer layers between user and kernel increases platform vulnerability
- Server applications at risk because of a weak platform architecture

Enhancements

Secure Platform
- Hardened platform with reduced high-risk layers
- Prevent abnormal activity in the file system and registry
- Re-architected platform to reduce corruption and compromise of the system

Secure Access Control
- Enable policy validation, compliance and remediation for user access
- Effectively manage and secure mobile users and devices
- Segregate user access based on identity

Secure Information and Regulatory Compliance
- Reduce risk of data loss by restricting email and document usage to authorized users
- Helps network compliance with regulatory and corporate policies
- Prevent corporate intellectual property from being stolen

New Security Features

Secure Platform
- Windows Service Hardening
- Windows Firewall with Advanced Security
- Enhanced and improved TCP/IP Stack
- Read-Only Domain Controller

Secure Access Control
- Network Access Protection
- Server and Domain Isolation
- Active Directory Federation Services

Secure Information and Compliance
- BitLocker
- Active Directory Rights Management Service
- Enhanced Auditing Infrastructure


Windows Service Hardening
- Windows services are profiled
- Reduce size of high-risk layers
- Segment the services
- Increase number of layers

Diagram: kernel-mode (K) and user-mode (U) layers, showing kernel drivers, user-mode drivers, and services segmented into separate layers (Service 1, Service 2, Service 3; Service A, Service B).

New Windows Firewall
- Inbound and Outbound Filtering
- New Management Console
- Integrated Firewall and IPsec Policies
- Rule Configuration on Active Directory Groups and Users
- Support for IPv4 and IPv6
- Advanced Rule Options
- On by Default (Beta 3)

Enhanced and Improved TCP/IP Stack

Diagram: Next-Generation TCP/IP Stack (tcpip.sys). User mode: Winsock, WSK clients and TDI clients. Kernel mode: AFD, WSK, TDX/TDI, TCP, UDP, RAW, IPv4 and IPv6 (each with tunnel and loopback), the Windows Filtering Platform, and NDIS over 802.3 and 802.11.

Next Generation Networking Highlights
- New dual-IP layer architecture for native IPv4 and IPv6 support
- Expanded IPsec integration
- Improved performance via hardware acceleration
- New network auto-tuning and optimization algorithms
- Increased extensibility and reliability through rich APIs

Read-Only Domain Controller

Diagram: Main Office and Branch Office (RODC).

Features
- Read Only Active Directory Database and GC PAS
- Only allowed user passwords are stored on RODC
- Unidirectional Replication
- Role Separation

Benefits
- Increases security for remote Domain Controllers where physical security cannot be guaranteed

Support
- ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM


Network Access Protection

Policy-based solution that
- Validates whether computers meet health policies
- Limits access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain health state

Solution Highlights
- Standards-based
- Plug and Play
- Works with most devices
- Supports multiple antivirus solutions
- Has become the standard for Network Access Control

How it Works
1. Access requested
2. Health state sent to NPS (RADIUS)
3. NPS validates against health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation

Diagram components: intranet client, Microsoft NPS, Policy Servers (e.g., Patch, AV), enforcement point (DHCP, VPN, Switch/Router), Corporate Network for policy-compliant clients, Restricted Network with Remediation Servers (e.g., Patch) for clients that are not policy compliant.

Broad Industry Adoption And Support: Extending Network Access Protection

Vendors and Developers
- Use the published API to extend functionality and create:
  - Custom network policy validation
  - Ongoing network policy compliance
  - Network isolation components
  - Heterogeneous operating system support (Linux, Macintosh)

Ecosystem Partners
- Networking
- Anti-Virus Systems
- Integrators
- Endpoint Security
- Update/Management

Interoperability Partners
- Cisco
- Trusted Computing Group
- Juniper Networks

More than 120 Partners

Server and Domain Isolation

Diagram: an untrusted, unmanaged/rogue computer is blocked (X) from the Corporate Network by Domain Isolation; inside the domain, managed computers (for example an HR workstation) communicate with the Active Directory Domain Controller and Trusted Resource Servers, while Server Isolation restricts (X) which managed computers can reach Servers with Sensitive Data.

- Define the logical isolation boundaries
- Distribute policies and credentials
- Managed computers can communicate
- Block inbound connections from untrusted
- Enable tiered access to sensitive resources
Secure And Manageable Wireless LAN
- Efficiently deploy and manage secure 802.11 wireless networking
- Deploy and maintain leading wireless 802.11 security methods, including smartcards or passwords, with no additional client software
- Windows Server NPS, AD and optional CA services enable central control of network authentication and encryption of wireless 802.11 traffic

Diagram components: Network Policy Server (Authentication Server), Wireless Access Points, Wireless Controller, Wireless Clients, Active Directory, SQL Server (Optional), Certificate Authority (Optional)

Active Directory Federated Services
- Projecting user identity from a single logon…
- Providing distributed authentication and claims-based authorization…
- Connecting islands (across security, organizational or platform boundaries)…
- Enabling web single sign-on and simplified identity management

An authentication method that enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest


Compliance Challenges - Multiple Mandates

Mandate: Description
- Sarbanes-Oxley Act of 2002: Financial reporting accountability.
- Payment Card Industry Data Security Standard: Developed by an alliance of credit card companies to protect account data.
- Federal Information Security Act of 2002: FISMA requires all federal agencies to manage the security of federal information and information systems according to best practices.
- OMB A-123: This mandate makes federal agencies subject to the same internal controls and financial reporting requirements as public companies under SOX 404.
- FCPA (Foreign Corrupt Practices Act): Outlaws companies from bribing foreign government officials for business purposes. Requires controls over transactions and reporting to the SEC.
- SEC Rules 17a-3 and 17a-4: Require records related to securities transactions to be maintained in accessible form.
- Basel I/III: Requires a comprehensive operational risk management framework for international banking.
- Health Insurance Portability and Accountability Act (HIPAA): Confidentiality of patient information.
- Gramm-Leach-Bliley Act: Banks are required to safeguard the privacy of customer financial information.
- FDA CFR21 Part 11: Security and management of electronic records for clinical trials.
- DoD 5015.2: Federal records management standards.

BitLocker: Persistent Protection, Mitigating Against External Threats

BitLocker Drive Encryption Support in Windows Server 2008
- Protects Data While a System is Offline
- Ensures Boot Process Integrity
- Simplifies Equipment Recycling

Protecting Information: Rights Management Services (RMS)
- Document owner can identify authorized users
- Protection goes with the file
- Both Access and Usage restrictions are enforced
- RMS can manage Forwarding, Printing, Copy-and-Paste, Print Screen, Document Expiration
- Easy to Use, Integrated with Office
- Managed by the Enterprise

Protecting Intellectual Capital: RMS Workflow

Participants: Author using Office, the Recipient, Windows Server running RMS, SQL Server, Active Directory

1. Author receives a client licensor certificate the “first time” they rights-protect information
2. Author defines a set of usage rights and rules for their file; Application creates a “Publish License” and encrypts the file
3. Author distributes file
4. Recipient clicks file to open; the RMS-enabled application calls to the RMS server, which validates the user and issues a “Use License”
5. The RMS-enabled application renders file and enforces rights

Federated Rights Management
- Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
- AD RMS is fully claims-aware and can interpret AD FS claims
- Office SharePoint Server 2007 can be configured to accept federated identity claims

Diagram: Account Federation Server (Adatum) and Resource Federation Server (Contoso) joined by a Federation Trust, providing Web SSO
Windows Eventing 6.0
The new auditing subsystem in Windows Vista and Windows Server 2008
- 95% of Windows Server 2008 feature set exists within Windows Vista codebase

Includes
- Enhanced event explain text
- XML event format
- Accessible via WS-Management
- Granular Audit Policy (GAP) through subcategories (AuditPol)
- Increased scalability
- Event Triggering
- Enhanced Registry and Directory Service auditing
- Event Subscriptions

Security Event Comparison (screenshots): Windows Server 2003 vs. Windows Server 2008

Updated Event Viewer (screenshot)
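The XML event format above can be queried with wevtutil and parsed directly in PowerShell. The script below is an added example, not code from the deck or from Microsoft; it assumes the standard Security log event ID 4625 (failed logon) and its TargetUserName/IpAddress fields, and the sample document is constructed so the parser runs without a live log.

```powershell
# Added example; not the deck's code. Event 4625 (failed logon) is a standard Security log ID
function Get-EventDataField {
    param($Event, [string]$Name)
    # EventData holds <Data Name="..."> elements; return the text of the named one
    foreach ($d in $Event.EventData.Data) {
        if ($d.Name -eq $Name) { return $d.'#text' }
    }
    return $null
}

# Count failed logons per account/source pair from a parsed XML document
function ConvertFrom-FailedLogonXml {
    param([xml]$Doc)
    $counts = @{}
    foreach ($e in $Doc.Events.Event) {
        $user = Get-EventDataField -Event $e -Name 'TargetUserName'
        $ip   = Get-EventDataField -Event $e -Name 'IpAddress'
        $key  = "$user from $ip"
        if (-not $counts.ContainsKey($key)) { $counts[$key] = 0 }
        $counts[$key]++
    }
    return $counts
}

# Pull the newest $Count failed logons with an XPath filter over the XML event format
function Get-FailedLogonSummary {
    param([int]$Count = 50)
    $raw = & wevtutil qe Security '/q:*[System[EventID=4625]]' /f:xml /c:$Count /rd:true
    # wevtutil emits one <Event> element per result; wrap them in a root element for [xml]
    [xml]$doc = '<Events>' + ($raw -join '') + '</Events>'
    ConvertFrom-FailedLogonXml -Doc $doc
}

# Constructed sample (event namespace omitted) so the parser can be exercised without a live log
[xml]$sampleDoc = @'
<Events>
 <Event><System><EventID>4625</EventID></System><EventData>
  <Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
 <Event><System><EventID>4625</EventID></System><EventData>
  <Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
 <Event><System><EventID>4625</EventID></System><EventData>
  <Data Name="TargetUserName">bob</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
</Events>
'@
ConvertFrom-FailedLogonXml -Doc $sampleDoc
```

On a host, call Get-FailedLogonSummary instead of the sample; the same parser handles the real wevtutil output because PowerShell's XML property access ignores the event namespace.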
Granular Audit Policy (GAP)
- Broad audit categories result in event overload; they were the only option in previous versions of Windows
- Each category (9 previously) has events broken down to provide selective success/failure
- Decreased ratio to ~7 events per subcategory
- Not deployable through the standard Group Policy UI
- Leverage the updated AUDITPOL to set and review
  List available GAP categories:
    auditpol /list /subcategory:*
  Get configured policies:
    auditpol /get /category:*
- KB 921469 has sample instructions on how to deploy in GP today for Windows Server 2008 and Vista

Note: Once deployed, audit policy is not often changed
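Because GAP is set and reviewed with auditpol rather than the Group Policy UI, it helps to check the effective policy against a baseline and generate the auditpol /set commands for anything that has drifted. The script below is an added example, not the deck's or Microsoft's code; the baseline subcategories and settings are an assumption, and the auditpol output is a constructed sample in the format the tool prints.

```powershell
# Added example (assumption-based baseline); not the deck's code
function ConvertFrom-AuditPolText {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        # Subcategory rows are indented; the setting is the trailing phrase
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            $policy[$matches[1].Trim()] = $matches[2]
        }
    }
    return $policy
}

# Map a setting string to the auditpol /set switches that produce it
function Get-RemediationCommand {
    param([string]$Subcategory, [string]$Setting)
    $s = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    "auditpol /set /subcategory:`"$Subcategory`" /success:$s /failure:$f"
}

# Report every baseline subcategory whose effective setting differs (or is missing)
function Get-AuditPolicyDrift {
    param([hashtable]$Current, [hashtable]$Baseline)
    foreach ($sub in $Baseline.Keys) {
        $actual = if ($Current.ContainsKey($sub)) { $Current[$sub] } else { 'Not present' }
        if ($actual -ne $Baseline[$sub]) {
            "{0}: expected '{1}', found '{2}'" -f $sub, $Baseline[$sub], $actual
            '  fix: ' + (Get-RemediationCommand -Subcategory $sub -Setting $Baseline[$sub])
        }
    }
}

# Baseline is an assumption for this example, not a Microsoft recommendation
$baseline = @{ 'Logon' = 'Success and Failure'; 'Audit Policy Change' = 'Success and Failure';
               'Security System Extension' = 'Success'; 'Credential Validation' = 'Success and Failure' }

# Constructed sample of "auditpol /get /category:*" output; on a live host capture the real output instead
$lines = @'
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
Policy Change
  Audit Policy Change                     Success
'@ -split "`r?`n"

Get-AuditPolicyDrift -Current (ConvertFrom-AuditPolText -Lines $lines) -Baseline $baseline
```

Review the emitted commands before running them; the script only reports drift and prints the fix, it does not change policy itself.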

Auditing

Windows Server 2008 introduces a number of security enhancements and innovations to increase protection of:
- Servers
- Networks
- Data

Administrators will have policy-driven mechanisms to better manage and secure network access

Solutions like Network Access Protection (NAP) offer Administrators a wide range of choice and deployment flexibility to better secure their Windows networks

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.