Windows Server 2008 Security Enhancements

Security EnhancementNarendaWicaksonoIT Pro Advisor, Microsoft Indonesia

AgendaSecurity FundamentalsThreat and Vulnerability MitigationIdentity and Access ControlCompliance EnhancementsTechnology CoverageRead Only Domain Controller, Bit Locker, Service Hardening, Server Core, Device Installation, Next Gen firewall, NAP and Terminal Services/RDP changes, Rights management, … and more

SECURITY: FUNDAMENTALSTHREAT & VULNERABILITY MITIGATIONNetwork Access ProtectionRead-Only Domain ControllerEnhanced AuditingServer and Domain IsolationSecurity Development LifecycleWindows Service HardeningNext Generation CryptoPKI EnhancementsIDENTITY &ACCESS CONTROLCOMPLIANCE ENHANCEMENTSBitLocker™ Drive EncryptionEFS SmartcardsRights Management ServerRemovable Device ControlActive Directory Federation ServicesPlug and Play SmartcardsGranular AuditingGranular Password Control Security and Compliance

Security Development LifecycleMandated development process for Windows Server and Windows Vista Periodic mandatory security trainingAssignment of security advisors for all components Threat modeling as part of design phaseSecurity reviews and testing built into the scheduleSecurity metrics for product teamsCommon Criteria (CC) Certification

Windows Service HardeningDefense-in-Depth / FactoringDDDDDDDDReduce size ofhigh risk layersSegment theservicesIncrease # of layersService 1Service …Service 2Service…Service AService 3Service BKernel DriversUser-mode Drivers

Server CoreMinimal installation optionLow surface areaCommand line interfaceLimited set of server rolesSERVER, SERVER ROLES (for example only)TSIASWebServerSharePointEtc…SERVERWith WinFx, Shell, Tools, etc.SERVER CORE SERVER ROLESDNSDHCPFileADWVIISSERVER CORESecurity, TCP/IP, File Systems, RPC,plus other Core Server Sub-SystemsGUI, CLR, Shell, IE, Media, OE, etc.

Cryptography Next Generation (CNG) Cryptography Next GenerationIncludes algorithms for encryption, digital signatures, key exchange, and hashingSupports cryptography in kernel modeSupports the current set of CryptoAPI 1.0 algorithmsSupport for elliptic curve cryptography (ECC) algorithmsPerform basic cryptographic operations, such as creating hashes and encrypting and decrypting data

PKI EnhancementsOnline Certificate Status Protocol (OSCP)Enterprise PKI (PKIView)Network Device Enrollment Service and Simple Certificate Enrollment ProtocolWeb Enrollment

Windows Server FirewallMore ControlCombined firewall and IPsec management

Windows Server FirewallMore ControlFirewall rules become more intelligent

Windows Server FirewallMore ControlPolicy-based networking

Enhancing and Simplifying IPsec

Threat and Vulnerability Mitigation

Servers with Sensitive DataServer IsolationHR WorkstationManaged ComputerDomain IsolationDomain IsolationManaged ComputerActive Directory Domain ControllerCorporate NetworkTrusted Resource ServerXUnmanaged/Rogue ComputerXUntrustedServer and Domain Isolation

POLICY SERVERSe.g. MSFT Security Center, SMS, Antigenor 3rd party Fix UpServerse.g. MSFT WSUS, SMS & 3rd partyRestrictedNetworkCORPORATE NETWORKNetwork Access ProtectionWindows Server 20083Not policy compliant124MSFTNetworkPolicy Server WindowsVista ClientPolicy compliantDHCP, VPNSwitch/Router5Enhanced SecurityAll communications are authenticated, authorized & healthyDefense-in-depth on your terms with DHCP, VPN, IPsec, 802.1XPolicy-based access that IT Pros can set and controlBENEFITSIncreased Business ValuePreserves user productivity Extends existing investments in Microsoft and 3rd party infrastructure Broad industry partnership

Read-Only Domain ControllerRead-Only Copy of AD DatabaseCan Hold all Directory Objects & AttributesMaintains Read-Only Copy of DNS ZonesHUB Writeable DC Secure LocationUnidirectional ReplicationNo Local Changes – Pull from Upstream OnlyControlled Replication - Limits Bandwidth UseCredential HandlingCan Cache User Passwords (Explicitly Set)Admin Knowledge of Accounts if CompromisedRODC May Only Issue Local Auth TicketsBranchAdministrative Role SeparationManagement Delegated to Local UserNo Enterprise or Domain DC Membership Read-Only DC Read-Only DNS One-way Replication Credential Cache Local Admin Role

How RODC WorksAS_Req sent to RODC (request for TGT)12RODC: Looks in DB: "I don't have the users secrets"3HubBranchForwards Request to Windows Server "Longhorn" DC37Windows Server "Longhorn" DCRead Only DCWindows Server "Longhorn" DC authenticates request4425Returns authentication response and TGT back to the RODC51RODC gives TGT to User and RODC will cache credentials66At this point the user will have a hub signed TGT7

Read-only DC Mitigates Stolen DCAttacker Perspective

Read-only DC Mitigates Stolen DCHub Admin Perspective

Improved AuditingMore GranularitySupport for many auditing subcategories: Logon, logoff, file system access, registry access, use of administrative privilege, Active DirectoryCaptures the Who, the What, & the WhenFrom and To Values for Objects or AttributesLogs All – Creates, Modifies, Moves, DeletesNew Logging InfrastructureEasier to filter out “noise” in logsTasks tied to events: When an event occurs tasks such as sending an Email to an auditor can run automatically

Active Directory Federation ServicesFull implementation of a ‘claims-based’ architecture based on WS-FederationFully integrated with Active DirectorySupports group, role and rules-based modelsPartner Value AddBMC, Centrify & Quest: Multi-platform supportBusiness BenefitsEnables new models for cross-company single sign-on systems Facilitates single-sign across Windows and non-Windows environmentsReduces the risk of unauthorized access by eliminating the need for cross-company synchronization of user and rights information

Authentication ImprovementsPlug and Play Smart CardsDrivers and Certificate Service Provider (CSP) includedLogin and credential prompts for User Account Control all support Smart CardsNew logon architectureGINA (the old Windows logon model) is gone Third parties can add biometrics, one-time password tokens, and other authentication methods with much less coding

Granular Policy ControlAllows to set Password Policies on Users and/or Groups (different from the domain‘s Password Policies)Big Win for Customers:Requirements for different Password Policies do not result in deploying multiple domains anymoreNew Object-Type in Active Directory, the Password Settings ObjectPassword Settings are configured using those Objects in the Password Settings Container

AD Rights Management ServicesAD RMS protects access to an organization’s digital filesAD RMS in Windows Server "Longhorn" includes several new featuresImproved installation and administration experienceSelf-enrollment of the AD RMS clusterIntegration with AD FSNew AD RMS administrative rolesSQL ServerActive DirectoryRMS Server132Information AuthorThe Recipient

BitLocker™ Drive Encryption Full Volume Encryption Key (FVEK)Encryption Policy Group Policy allows central encryption policy and provides Branch Office protectionProvides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating SystemUses a v1.2 TPM or USB flash drive for key storage

Information ProtectionWho are you protecting against?Other users or administrators on the machine? EFSUnauthorized users with physical access? BitLocker™Some cases can result in overlap. (e.g. Multi-user roaming laptops with untrusted network admins)

Removable Device Installation ControlBenefits:Reduced Support CostsReduced Risk of Data TheftScenarios:Prevent installation of all devicesAllow installation of only allowed devicesPrevent installation of only prohibited devices

Learning curriculumHands on labSample codesVideosSlidesE-CertificationOnline Assessment

Indonesia Developer Portalhttp://geeks.netindonesia.net

IT Professional Portalhttp://wss-id.org

Windows Server 2008 Security Enhancements

More Related Content

What's hot (20)

Similar to Windows Server 2008 Security Enhancements (20)

Recently uploaded (20)

Windows Server 2008 Security Enhancements