Jayesh Mowjee Security Consultant Microsoft Session Code: SIA 201

Page 2

Windows 7 Security Overview

Jayesh Mowjee
Security Consultant
Microsoft
Session Code: SIA 201

Page 3

Windows 7 Enterprise Security

Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

  • Fundamentally Secure Platform
  • Protect Data from Unauthorized Viewing
  • Securing Anywhere Access
  • Protect Users & Infrastructure

Page 4

Fundamentally Secure Platform

Windows Vista Foundation
  • Security Development Lifecycle process
  • Kernel Patch Protection
  • Windows Service Hardening
  • DEP & ASLR
  • Internet Explorer 8 inclusive
  • Mandatory Integrity Controls

Streamlined User Account Control
  • Make the system work well for standard users
  • Administrators use full privilege only for administrative tasks
  • File and registry virtualization helps applications that are not UAC compliant

Enhanced Auditing
  • XML based
  • Granular audit categories
  • Detailed collection of audit results
  • Simplified compliance management

Page 5

User Account Control

Windows Vista

System Works for Standard User
  • All users, including administrators, run as Standard User by default
  • Administrators use full privilege only for administrative tasks or applications

Challenges
  • User provides explicit consent before using elevated privilege
  • Disabling UAC removes protections, not just consent prompt

Windows 7

Streamlined UAC
  • Reduce the number of OS applications and tasks that require elevation
  • Re-factor applications into elevated/non-elevated pieces
  • Flexible prompt behavior for administrators

Customer Value
  • Users can do even more as a standard user
  • Administrators will see fewer UAC Elevation Prompts

Page 6

Desktop Auditing

Windows Vista
  • New XML based events
  • Fine grained support for audit of administrative privilege
  • Simplified filtering of “noise” to find the event you’re looking for
  • Tasks tied to events

Challenges
  • Granular auditing complex to configure
  • Auditing access and privilege use for a group of users

Windows 7

Enhanced Auditing
  • Simplified configuration results in lower TCO
  • Demonstrate why a person has access to specific information
  • Understand why a person has been denied access to specific information
  • Track all changes made by specific people or groups

Page 7

UAC & Audit

demo

Page 8

Helping Secure Anywhere Access

Network Security
  • Policy based network segmentation for more secure and isolated logical networks
  • Multi-Home Firewall Profiles
  • DNSSec Support

Network Access Protection
  • Help ensure that only “healthy” machines can access corporate data
  • Enable “unhealthy” machines to get clean before they gain access

DirectAccess
  • Security enhanced, seamless, always on connection to corporate network
  • Improved management of remote users

Page 9

Network Access Protection

Windows 7

  • Health policy validation and remediation
  • Helps keep mobile, desktop and server devices in compliance
  • Reduces risk from unauthorized systems on the network

[Diagram labels: Windows Client; NPS; DHCP, VPN, Switch/Router; Policy Servers such as: Update, AV; Corporate Network; Restricted Network; Remediation Servers, Example: Update; Policy compliant; Not policy compliant]

Page 10

Remote Access for Mobile Workers

Access Information Virtually Anywhere

Situation Today
  • Difficult for users to access corporate resources from outside the office
  • Challenging for IT to manage, update mobile PCs while disconnected from company network

Windows 7 Solution: DirectAccess
  • Same experience accessing corporate resources inside and outside the office
  • Seamless connection increases productivity of mobile users
  • Easy to service mobile PCs and distribute updates and policies

Page 11

Help Protect Users & Infrastructure

AppLocker™
  • Enables application standardization within an organization without increasing TCO
  • Support compliance enforcement

Internet Explorer 8
  • Help protect users against social engineering and privacy exploits
  • Help protect users against browser based exploits
  • Help protect users against web server exploits

Data Recovery
  • File back up and restore
  • CompletePC™ image-based backup
  • System Restore
  • Volume Shadow Copies
  • Volume Revert

Page 12

Application Control

Situation Today
  • Users can install and run non-standard applications
  • Even standard users can install some types of software
  • Unauthorized applications may:
      • Introduce malware
      • Increase helpdesk calls
      • Reduce user productivity
      • Undermine compliance efforts

Windows 7 Solution: AppLocker
  • Eliminate unwanted/unknown applications in your network
  • Enforce application standardization within your organization
  • Easily create and manage flexible rules using Group Policy

Page 13

AppLocker

Technical Details

  • Simple Rule Structure: Allow, Exception & Deny
  • Publisher Rules
      • Product Publisher, Name, Filename & Version
  • Multiple Policies
  • Executables, installers, scripts & DLLs
  • Rule creation tools & wizard
  • Including PowerShell cmdlets
  • Audit only mode
  • SKU Availability
      • AppLocker – Enterprise
      • Legacy SRP – Business & Enterprise

Page 14

AppLocker

demo

Page 15

Internet Explorer 8 Security

Building on IE7 and addressing the evolving threat landscape

Social Engineering & Exploits
  • Reduce unwanted communications

Freedom from intrusion
  • International Domain Names
  • Pop-up Blocker
  • Increased usability

Choice and control
  • Clear notice of information use
  • Provide only what is needed

Control of information
  • User-friendly, discoverable notices
  • P3P-enabled cookie controls
  • Delete Browsing History
  • InPrivate™ Browsing & Filtering

Browser & Web Server Exploits
  • Protection from deceptive websites, malicious code, online fraud, identity theft

Protection from harm
  • Secure Development Lifecycle
  • Extended Validation (EV) SSL certs
  • SmartScreen® Filter
  • Domain Highlighting
  • XSS Filter/ DEP/NX
  • ClickJacking Prevention
  • ActiveX® Controls

Page 16

Help Protect Data

RMS
  • Policy definition and enforcement
  • Helps protect information wherever it travels
  • Integrated RMS Client

EFS
  • User-based file and folder encryption
  • Ability to store EFS keys on a smart card

BitLocker
  • Easier to configure and deploy
  • Roam protected data between work and home
  • Share protected data with co-workers, clients, partners, etc.

Page 17

BitLocker

Situation Today

Challenges
  • Dual partition configuration of primary hard drive for IT
  • End user friendliness and discoverability
  • Corporate control over ubiquitous, cheap, small, high capacity removable storage devices

Windows 7 Solution: BitLocker To Go
  • Extend BitLocker drive encryption to removable devices
  • Create group policies to mandate the use of encryption and block unencrypted drives
  • Simplify BitLocker setup and configuration of primary hard drive

Page 18

BitLocker

Technical Details

BitLocker Enhancements
  • Automatic 100 Mb hidden boot partition
  • New Key Protectors
      • Domain Recovery Agent (DRA)
      • Smart card – data volumes only

BitLocker To Go
  • Support for FAT*
  • Protectors: DRA, passphrase, smart card and/or auto-unlock
  • Management: protector configuration, encryption enforcement
  • Read-only access on Windows Vista & Windows XP

SKU Availability
  • Encrypting – Enterprise
  • Unlocking – All

Page 19

BitLocker

demo

Page 20

Windows 7 Enterprise Security

Building upon the security foundations of Windows Vista®, Windows® 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

Fundamentally Secure Platform
  • Windows Vista Foundation
  • Streamlined User Account Control
  • Enhanced Auditing

Helping Secure Anywhere Access
  • Network Security
  • Network Access Protection
  • DirectAccess™

Protect Users & Infrastructure
  • AppLocker™
  • Internet Explorer® 8
  • Data Recovery

Help Protect Data
  • RMS
  • EFS
  • BitLocker™ & BitLocker To Go™

Page 21

question & answer

Page 22

Resources

  • www.microsoft.com/teched: Sessions On-Demand & Community
  • http://microsoft.com/technet: Resources for IT Professionals
  • http://microsoft.com/msdn: Resources for Developers
  • www.microsoft.com/learning: Microsoft Certification & Training Resources

Page 23

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.