
Yaniv Feldman, Senior Infrasec Architect, Microsoft Security Regional Director, Db@net

Web: Delivers rich web-based experiences efficiently and effectively

Virtualization: Reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability

Security: Provides unprecedented levels of protection for your network, your data, and your business

Security

Security
Security Development Process
Secure Startup and shield up at install
Code integrity
Windows service hardening
Inbound and outbound firewall
Restart Manager

Compliance
Improved auditing
Network Access Protection
Event Forwarding
Policy Based Networking
Server and Domain Isolation
Removable Device Installation Control
Active Directory Rights Management Services

Defense In Depth
Reduce size of high risk layers
Segment the services
Increase # of layers
(Diagram: one set of services split into separate services (Service 1, Service 2, Service 3, Service A, Service B); Kernel Drivers and User-mode Drivers shown as separate layers.)

(Diagram: Windows service hardening. On Windows XP SP2/Server 2003 R2, services run as LocalSystem, Network Service or Local Service with no per-service restriction shown. On Windows Vista/Server "Longhorn", the same accounts are additionally restricted per service: Firewall Restricted, Network Restricted, No Network Access, or Fully Restricted.)
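The per-service restrictions in the diagram show up on a running system as each service's SID type. As an added example (not from the presentation), this PowerShell script reports which services run as LocalSystem without a RESTRICTED service SID; it assumes a Windows host with PowerShell 3 or later, sc.exe on the path, and an elevated prompt so every service can be queried.

```powershell
# Added example, not from the presentation. Audits services that run as
# LocalSystem and reports their service SID type as set by Windows service
# hardening. Assumes a Windows host (Vista/Server 2008 or later), sc.exe on
# the path, and an elevated PowerShell prompt so every service can be queried.

function Get-ServiceSidType {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe qsidtype prints a line like "SERVICE_SID_TYPE:  UNRESTRICTED";
    # possible values are NONE, UNRESTRICTED and RESTRICTED.
    $out = (& sc.exe qsidtype $Name 2>&1) | Out-String
    if ($out -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'   # query failed (insufficient rights or no such service)
}

function Get-LocalSystemServiceReport {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                State    = $_.State
                SidType  = Get-ServiceSidType -Name $_.Name
                PathName = $_.PathName
            }
        }
}

$report = Get-LocalSystemServiceReport

# Summary: how many LocalSystem services fall into each SID type.
$report | Group-Object SidType | Select-Object Name, Count | Format-Table -AutoSize

# Review list: a running LocalSystem service without a RESTRICTED service SID
# executes with the full LocalSystem token, and keeps network access unless a
# firewall rule limits it; these are the services to review first.
$report |
    Where-Object { $_.State -eq 'Running' -and $_.SidType -ne 'RESTRICTED' } |
    Sort-Object Name |
    Format-Table Name, SidType, PathName -AutoSize
```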

Firewall
Combined firewall and IPsec management
Policy-based networking
Firewall rules become more intelligent

Only a subset of the executable files and DLLs installed
No GUI interface installed
9 available Server Roles
Can be managed with remote tools

Customization
Troubleshooting
Administration
True application deployment
Application and health management

(Diagram: an Administrator manages remotely over secure HTTPS across the Internet; the Site Owner edits the App Web.config; AppHost.config holds the shared XML config for the Web Farm.)

Manage Remotely
Better Tools
Shared Config

Intuitive, Task Oriented GUI
.NET Management API
Unified WMI Provider for IIS/ASP.NET
Powerful Command Line Support
Rich Runtime State Information
Automatic Failure Tracing & Logging
Shared App Hosting

Arsenal of Admin Tools
Delegated Management
Secure Remote Management
Shared Config for Web Farms

(Diagram: Encryption Policy; Full Volume Encryption Key (FVEK))

Group Policy allows central encryption policy and provides Branch Office protection
Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System
Uses a v1.2 TPM or USB flash drive for key storage

AD RMS protects access to an organization's digital files
AD RMS in Windows Server 2008 includes several new features:
Improved installation and administration experience
Self-enrollment of the AD RMS cluster
Integration with AD Federation Services
New AD RMS administrative roles
(Diagram: Information Author and The Recipient)

(Diagram: Contoso's Account Federation Server and Adatum's Resource Federation Server linked by a Federation Trust, with Adatum's Web Server behind the Resource Federation Server.)

AD FS provides an identity access solution
Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
AD FS provides a Web-based SSO solution
AD FS interoperates with other security products that support the Web Services Architecture
AD FS improved in Windows Server 2008

RODC
(Diagram: Main Office and Branch Office; Features; Role Separation Benefits)

Enterprise PKI (PKIView)
Online Certificate Status Protocol (OCSP)
Network Device Enrollment Service
Web Enrollment
Cryptography Next Generation (CNG)

CNG:
Includes algorithms for encryption, digital signatures, key exchange, and hashing
Supports cryptography in kernel mode
Supports the current set of CryptoAPI 1.0 algorithms
Support for elliptic curve cryptography (ECC) algorithms
Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data
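An added example, not from the presentation, of driving CNG from PowerShell through the .NET CngKey/ECDsaCng wrappers: it creates an ephemeral ECC P-256 key, signs a SHA-256 digest of a constructed message, verifies it using only the exported public key, and shows that a one-bit change to the message is rejected. It assumes Windows (Windows PowerShell 5.1 or PowerShell 7), and the function name and sample message are mine.

```powershell
# Added example, not from the presentation. Uses the .NET CNG wrappers
# (CngKey, ECDsaCng) on Windows; nothing here is persisted to the key store.

function Test-CngEcdsaRoundTrip {
    # Ephemeral ECDSA P-256 key in the default CNG key storage provider.
    # Passing $null as the key name keeps it in memory only.
    $params = [System.Security.Cryptography.CngKeyCreationParameters]::new()
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $null, $params)

    $signer = [System.Security.Cryptography.ECDsaCng]::new($key)
    $signer.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256

    # Constructed sample data standing in for a message to protect.
    $data = [System.Text.Encoding]::UTF8.GetBytes('constructed: health statement 2008-01-01')
    $sig  = $signer.SignData($data)   # CNG hashes with SHA-256, then signs with the private key

    # Export only the public half and build a verifier from it, as a relying party would.
    # (Public-key export is permitted even though the private key is non-exportable.)
    $pubBlob  = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $verifier = [System.Security.Cryptography.ECDsaCng]::new(
        [System.Security.Cryptography.CngKey]::Import($pubBlob,
            [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob))
    $verifier.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $valid = $verifier.VerifyData($data, $sig)

    # Flip one bit of the message: the same signature must now be rejected.
    $data[0] = $data[0] -bxor 1
    $tampered = $verifier.VerifyData($data, $sig)

    [pscustomobject]@{
        PublicBlobBytes = $pubBlob.Length   # 8-byte BCRYPT_ECCKEY_BLOB header + 64 bytes of X,Y
        SignatureBytes  = $sig.Length       # 64 bytes: r || s for P-256
        Valid           = $valid            # expected True
        TamperedValid   = $tampered         # expected False
    }
}

Test-CngEcdsaRoundTrip
```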

Internet: Tunnels RDP over HTTPS
Perimeter Network: Strips off RDP / HTTPS
Corporate Network: RDP traffic passed to TS
(Diagram: a Remote/Mobile User on the Internet connects to the Terminal Services Gateway in the Perimeter Network, which forwards RDP to Terminal Servers and other RDP Hosts on the Corporate Network; the Network Policy Server and Active Directory DC are also on the Corporate Network.)

What is Network Access Protection?

(Diagram: a Windows Client connects through DHCP, VPN or a Switch/Router to the Network Policy Server (NPS); Policy Servers such as Patch and AV hold the health policy; a client that is not policy compliant is placed in the Restricted Network with Remediation Servers (example: Patch); a policy compliant client is admitted to the Corporate Network.)

Health Policy Validation
Health Policy Compliance
Ability to Provide Limited Access
Enhanced Security
Increased Business Value

1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network

Policy based - was network access allowed
Health based - % compliant per SHA

Windows 2008 Home
http://www.microsoft.com/windowsserver2008/default.mspx

Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true

Network Access Protection
http://technet.microsoft.com/en-us/network/bb545879.aspx

Terminal Services
http://www.microsoft.com/windowsserver2008/terminal-services/default.mspx

2007 Microsoft Corporation. All rights reserved.
