Windows 7 Security Talk, Part 2 of 3
Network Security and Application Control
Paul Cooke – CISSP | Microsoft Corporation | 05/21/2010
Windows 7
Part 1 : A Secure Platform
Part 2 : Network Security and Application Control
Part 3 : Data Protection and Security Guidance
Microsoft Confidential | Do not distribute externally
Network Security
DirectAccess
• Security enhanced, seamless, always-on connection to corporate network
• Improved management of remote users
• Consistent security for all access scenarios
Network Access Protection
• Help ensure that only “healthy” machines can access corporate data
• Enable “unhealthy” machines to get clean before they gain access
Helping Secure Anywhere Access
• Policy-based network segmentation for more secure and isolated logical networks
• Multi-Home Firewall Profiles
• DNSSec Support
Remote Access for Mobile Workers: Access Information Virtually Anywhere
Same experience accessing corporate resources inside and outside the office
Seamless connection increases productivity of mobile users
Easy to service mobile PCs and distribute updates and polices
Difficult for users to access corporate resources from outside the office
Challenging for IT to manage, update mobile PCs while disconnected from company network
Network Access Protection
Health policy validation and remediation
Helps keep mobile, desktop, and server devices in compliance
Reduces risk from unauthorized systems on the network
Diagram (labels only): a Windows® Client connects via DHCP, VPN or Switch/Router to the NPS; a policy-compliant client is admitted to the Corporate Network; a client that is not policy compliant is placed on a Restricted Network with Remediation Servers (example: Update); Policy Servers such as Update, AV supply the health policy.
Help Protect Users and Infrastructure
AppLocker™
• Enables application standardization within an organization without increasing total cost of ownership (TCO)
• Increase security to safeguard against data and privacy loss
• Support compliance enforcement
Internet Explorer® 8
• Help protect users against social engineering and privacy exploits
• Help protect users against browser-based exploits
• Help protect users against Web server exploits
Simple Rule Structure
Allow
• Limit execution to “known good” and block everything else
Deny
• Deny “known bad” and allow execution of everything else
Exception
• Exclude files from allow/deny rule that would normally be included
“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”
Publisher Rules
Rules based upon application digital signatures
Can specify application attributes
Allow for rules that survive application updates
“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”
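The allow-with-exception rule quoted on the Simple Rule Structure and Publisher Rules slides, written out as AppLocker policy XML and dry-run with Test-AppLockerPolicy; this is an added example, not code from the deck. The publisher string is Microsoft's signer name as AppLocker reports it; the ProductName value and the C:\Apps\Office\ paths are placeholders to be replaced with values taken from Get-AppLockerFileInformation on the real binaries.

```powershell
# Added example: "Allow Office >= 12 signed by Microsoft EXCEPT Microsoft Access"
# as an AppLocker publisher rule with an exception, in AuditOnly mode so the
# decision is logged rather than enforced while the rule is being validated.
$ruleId  = [guid]::NewGuid().ToString()
$msPub   = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
$product = 'MICROSOFT OFFICE'   # placeholder: copy the exact signed ProductName

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$ruleId" Name="Office 12+ signed by Microsoft, except Access"
        Description="Allow rule with an exception (Simple Rule Structure slide)"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <!-- Allow: any binary of the product, version 12.0.0.0 and above -->
        <FilePublisherCondition PublisherName="$msPub" ProductName="$product" BinaryName="*">
          <BinaryVersionRange LowSection="12.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <!-- Exception: carve MSACCESS.EXE back out of the allow rule -->
        <FilePublisherCondition PublisherName="$msPub" ProductName="$product" BinaryName="MSACCESS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'office-publisher-rule.xml'
$policyXml | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run: what would this policy decide for these files? (constructed paths)
# With only allow rules present, anything that matches no rule is denied,
# which is the "block everything else" behaviour of an Allow rule.
$candidates = 'C:\Apps\Office\WINWORD.EXE', 'C:\Apps\Office\MSACCESS.EXE'
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```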
Rule Targeting
Rules can be associated with any user or group
Provides granular control of specific applications
Supports compliance by enforcing who can run specific applications
“Allow users in the Finance Department to run…”
Multiple Rule Sets
Rule Types
• Executable
• Installer
• Script
• DLL
Allows construction of rules beyond executable-only solutions
Provides greater flexibility and enhanced protection
“Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*”
Rule Creation Wizards
Step-by-step approach
Fully integrated help
Rule creation modes
• Manual
• Automatically generated
• Import / Export
Intuitive so that rules are easy to create and maintain
Audit Only Mode
Test rules before enforcement
Events written to local audit log
Applications and Service Logs | Microsoft | Windows | AppLocker
PowerShell cmdlets
Turn audit events into rules
PowerShell cmdlets
Core needs scriptable through PowerShell
Building blocks for a more streamlined end-to-end experience
Inbox cmdlets
• Get-AppLockerFileInformation
• Get-AppLockerPolicy
• Set-AppLockerPolicy
• New-AppLockerPolicy
• Test-AppLockerPolicy
PowerShell Example Scenario
• Get-AppLockerFileInformation: retrieve file information from the event log
• New-AppLockerPolicy: create a new policy
• Test-AppLockerPolicy: test the new policy
• Set-AppLockerPolicy: set the policy
Roles in the diagram: Help Desk; Local or GPO Admin
Bob calls Help Desk because AppLocker has blocked a finance application that he really needs to run for his job. Help Desk agrees to temporarily add a rule to local GPO to allow the program.
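The Help Desk scenario above, together with the Audit Only Mode slide's "turn audit events into rules", as a PowerShell workflow using the inbox cmdlets; this is an added example, not code from the deck. The FinanceApp.exe path and the CONTOSO\Finance Users group are constructed placeholders.

```powershell
# Added example: event log -> new policy -> test -> merge into local policy.
$financeApp = 'C:\Apps\Finance\FinanceApp.exe'     # placeholder path
$group      = 'CONTOSO\Finance Users'              # placeholder group

# 1. Retrieve file information from the AppLocker event log.
#    -EventType Denied covers blocks in enforce mode; use -EventType Audited to
#    turn audit-only events into rules before enforcement is switched on.
#    Paths in these events are reported with %OSDRIVE%-style variables.
$fileInfo = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Denied |
    Where-Object { "$($_.Path)" -like '*\FINANCEAPP.EXE' }

if (-not $fileInfo) { throw "No Denied events found for $financeApp" }

# 2. Create a new policy. A publisher rule survives application updates, so it
#    is preferred; Hash is the fallback for files that are not signed.
#    Scope the rule to the group rather than to Everyone.
$newPolicy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User $group -RuleNamePrefix 'HelpDesk' -Optimize

# 3. Test the new policy against the file before anything on the box changes.
$decision = Test-AppLockerPolicy -PolicyObject $newPolicy -Path $financeApp -User $group
if ($decision.PolicyDecision -ne 'Allowed') {
    throw "Policy still blocks $financeApp : $($decision.PolicyDecision)"
}

# 4. Set the policy. -Merge adds the rule to the existing local policy instead
#    of replacing it; without -Ldap the target is the local GPO.
Set-AppLockerPolicy -PolicyObject $newPolicy -Merge

# Confirm the effective policy (local plus domain) now carries the new rule.
Get-AppLockerPolicy -Effective -Xml | Select-String 'HelpDesk'
```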
Custom Error Messages
Configurable in Group Policy
• Computer Configuration | Administrative Templates | Windows Components | Windows Explorer | Set a support Web page link
Sets URL for Support Web page that is displayed to the user
Architectural Overview
Diagram (labels only): user mode shows Process 1, Process 2 and Process 3 with ntdll, plus the AppID/SRP Service (SRP UM); the kernel shows Appid.sys, AppID SRP and ntoskrnl.
Internet Explorer 8 Security
Protection from harm (social engineering and exploits; browser and Web server exploits; protection from deceptive Web sites)
• Secure Development Lifecycle
• Extended Validation (EV) SSL certs
• SmartScreen® Filter
• Domain Highlighting
• XSS Filter / Clickjack Prevention
• DEP/NX
• ActiveX® Controls
Freedom from intrusion (reduce unwanted communications)
• International Domain Names
• Pop-up Blocker
• Increased usability
Control of information (choice, control, and clear notice of information use)
• User-friendly, discoverable notices
• P3P-enabled cookie controls
• Delete Browsing History
• InPrivate™ Browsing and Filtering
Questions and Answers
• Submit text questions using the “Ask” button.
• Send us your feedback and content ideas in the survey.
• Replay of this webcast will be available in 24 hours.
• Get the latest developer content (webcasts, podcasts, videos, virtual labs) at: www.Microsoft.com/Events/Series/
• For more security webcasts: www.microsoft.com/events/series/securitytalk
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this
presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.