Windows 7 Security Talk, Part 2 of 3: Network Security and Application Control
Paul Cooke, CISSP | Microsoft Corporation | 05/21/2010

Source: dlbmodigital.microsoft.com/ppt/TN-100521-PCooke-FINAL.pdf



Windows 7

Part 1: A Secure Platform

Part 2: Network Security and Application Control

Part 3: Data Protection and Security Guidance


Microsoft Confidential | Do not distribute externally

Network Security

Helping Secure Anywhere Access

DirectAccess

• Security enhanced, seamless, always-on connection to corporate network

• Improved management of remote users

• Consistent security for all access scenarios

Network Access Protection

• Help ensure that only “healthy” machines can access corporate data

• Enable “unhealthy” machines to get clean before they gain access

• Policy-based network segmentation for more secure and isolated logical networks

• Multi-Home Firewall Profiles

• DNSSEC Support


Remote Access for Mobile Workers: Access Information Virtually Anywhere

Challenges today

• Difficult for users to access corporate resources from outside the office

• Challenging for IT to manage and update mobile PCs while disconnected from the company network

Benefits

• Same experience accessing corporate resources inside and outside the office

• Seamless connection increases productivity of mobile users

• Easy to service mobile PCs and distribute updates and policies


Network Access Protection

• Health policy validation and remediation

• Helps keep mobile, desktop, and server devices in compliance

• Reduces risk from unauthorized systems on the network

[Diagram: a Windows® client connects through DHCP, VPN, or a switch/router to the Network Policy Server (NPS), which checks health against policy servers such as Update and AV. A policy-compliant client is admitted to the Corporate Network; a client that is not policy compliant is placed on a Restricted Network with Remediation Servers (example: Update).]


Help Protect Users and Infrastructure

Internet Explorer® 8

• Help protect users against social engineering and privacy exploits

• Help protect users against browser-based exploits

• Help protect users against Web server exploits

AppLocker™

• Enables application standardization within an organization without increasing total cost of ownership (TCO)

• Increase security to safeguard against data and privacy loss

• Support compliance enforcement


Application Control


Windows 7 AppLocker


Simple Rule Structure

Allow

• Limit execution to “known good” and block everything else

Deny

• Deny “known bad” and allow execution of everything else

Exception

• Exclude files from allow/deny rule that would normally be included

“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”


Publisher Rules

Rules based upon application digital signatures

Can specify application attributes

Allow for rules that survive application updates

“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”
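The slide's publisher rule with its exception, written out as AppLocker policy XML and dry-run with Test-AppLockerPolicy. This is an added example, not from the deck; the ProductName and BinaryName strings and the test paths are assumed values, and the collection is left in AuditOnly so nothing is enforced.

```powershell
# Added example (not from the deck): "allow Office versions greater than 12 signed by
# Microsoft EXCEPT Access" as an AppLocker Exe rule. ProductName, BinaryName and the
# paths below are assumed for illustration; the PublisherName is the subject string
# AppLocker records for Microsoft-signed binaries.
Import-Module AppLocker
$ruleId = [guid]::NewGuid()

$officePolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$ruleId" Name="Allow Office 12+ signed by Microsoft, except Access"
        Description="Allow rule with an exception" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <!-- Allow: any binary of the product, version 12.0.0.0 and above -->
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="MICROSOFT OFFICE 2007" BinaryName="*">
          <BinaryVersionRange LowSection="12.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <!-- Exception: carve Access back out of the allow rule, whatever its version -->
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="MICROSOFT OFFICE 2007" BinaryName="MSACCESS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'office-publisher-rule.xml'
$officePolicy | Out-File -FilePath $policyPath -Encoding UTF8

# Dry run against installed binaries (assumed paths). Word should come back Allowed;
# Access comes back DeniedByDefault, because the exception removes it from the only
# allow rule and no other rule in the collection matches it.
$office = 'C:\Program Files\Microsoft Office\Office12'
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path (Join-Path $office 'WINWORD.EXE'), (Join-Path $office 'MSACCESS.EXE') |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy only once the audit results look right:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```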


Rule Targeting

Rules can be associated with any user or group

Provides granular control of specific applications

Supports compliance by enforcing who can run specific applications

“Allow users in the Finance Department to run…”


Multiple Rule Sets

Rule Types

• Executable

• Installer

• Script

• DLL

Allows construction of rules beyond executable-only solutions

Provides greater flexibility and enhanced protection

“Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*”


Rule Creation Wizards

Step-by-step approach

Fully integrated help

Rule creation modes

• Manual

• Automatically generated

• Import / Export

Intuitive so that rules are easy to create and maintain


Audit Only Mode

Test rules before enforcement

Events written to local audit log

Applications and Service Logs | Microsoft | Windows | AppLocker

PowerShell cmdlets

Turn audit events into rules


PowerShell cmdlets

Core needs scriptable through PowerShell

Building blocks for a more streamlined end-to-end experience

Inbox cmdlets

• Get-AppLockerFileInformation

• Get-AppLockerPolicy

• Set-AppLockerPolicy

• New-AppLockerPolicy

• Test-AppLockerPolicy


PowerShell Example Scenario

Bob calls Help Desk because AppLocker has blocked a finance application that he really needs to run for his job. Help Desk agrees to temporarily add a rule to local GPO to allow the program.

Actors: Help Desk, Local or GPO Admin

• Get-AppLockerFileInformation: retrieve file information from the event log

• New-AppLockerPolicy: create a new policy

• Test-AppLockerPolicy: test the new policy

• Set-AppLockerPolicy: set the policy
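The help-desk scenario above, and the Audit Only Mode slide before it, as one scripted workflow: audited events are pulled from the local AppLocker log, turned into a rule, tested, and merged into the local policy. This is an added example, not the deck's own script; the application path, the CONTOSO group and user names, and the rule-name prefix are assumed values.

```powershell
# Added example (not from the deck): the four-cmdlet workflow for Bob's blocked
# finance application, run in an elevated PowerShell on the Windows 7 client.
# Assumed values: the application name, the CONTOSO\Finance group and CONTOSO\bob.
Import-Module AppLocker

# 1. Retrieve file information from the event log. The log path is the "EXE and DLL"
#    channel shown in Event Viewer under
#    Applications and Services Logs | Microsoft | Windows | AppLocker.
#    EventType Audited selects events written while the rules were in audit-only mode.
$blockedApp = 'C:\Program Files\Contoso\FinanceApp.exe'   # assumed path of Bob's app
$fileInfo = Get-AppLockerFileInformation -EventLog `
                -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
                -EventType Audited |
            Where-Object { "$($_.Path)" -like '*FinanceApp.exe' }

if (-not $fileInfo) { throw "No audited AppLocker events found for $blockedApp" }

# 2. Create a new policy from that file information. Publisher rules survive updates
#    of a signed application; Hash is the fallback if the file is unsigned.
#    -User scopes the rule to the Finance group rather than Everyone.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'CONTOSO\Finance' `
                        -RuleNamePrefix 'HelpDesk-Temp' -Optimize -Xml
$policyPath = Join-Path $env:TEMP 'HelpDesk-FinanceApp.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# 3. Test the new policy before applying it: the finance app should now be Allowed
#    for Bob, while an unrelated binary stays DeniedByDefault. Nothing is enforced here.
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CONTOSO\bob' `
    -Path $blockedApp, 'C:\Users\Public\unknown.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Set the policy. Without -Ldap the target is the local GPO; -Merge adds the new
#    rule to the existing collections instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm what is now in effect, and which collections are still AuditOnly.
(Get-AppLockerPolicy -Effective).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode
```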


Custom Error Messages

Configurable in Group Policy

• Computer Configuration | Administrative Templates | Windows Components | Windows Explorer | Set a support Web page link

Sets URL for Support Web page that is displayed to the user


Architectural Overview

[Diagram: kernel mode holds ntoskrnl and the Appid.sys driver (AppID SRP); user mode holds the AppID/SRP Service (SRP UM); Process 1, Process 2 and Process 3 each load ntdll.]

Demo

AppLocker


Internet Explorer 8 Security

• Social engineering and exploits

• Reduce unwanted communications

• Browser and Web Server exploits

• Protection from deceptive Web sites

• Choice, control, and clear notice of information use

Freedom from intrusion

• International Domain Names

• Pop-up Blocker

• Increased usability

Control of information

• User-friendly, discoverable notices

• P3P-enabled cookie controls

• Delete Browsing History

• InPrivate™ Browsing and Filtering

Protection from harm

• Secure Development Lifecycle

• Extended Validation (EV) SSL certs

• SmartScreen® Filter

• Domain Highlighting

• XSS Filter / Clickjack Prevention

• DEP/NX

• ActiveX® Controls


Questions and Answers

• Submit text questions using the “Ask” button.

• Send us your feedback and content ideas in the survey.

• Replay of this webcast will be available in 24 hours.

• Get the latest developer content (webcasts, podcasts, videos, virtual labs) at:

www.Microsoft.com/Events/Series/

• For more security webcasts: www.microsoft.com/events/series/securitytalk

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.