Amit Gatenyo is an Infrastructure & Security Manager at Dario IT Solutions ltd. The document discusses security features of Windows such as:
- Defense in depth approach with multiple layers of security.
- Restricted permissions for built-in accounts on Windows Vista/Server 2008 compared to Windows XP/Server 2003.
- Combined firewall and IPsec management with more intelligent policy-based networking.
- Hardening of Windows services and use of Group Policy Objects to manage security.
2. Security, Web, Virtualization
- Virtualization: reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability.
- Web: delivers rich web-based experiences efficiently and effectively.
- Security: provides unprecedented levels of protection for your network, your data, and your business.
3. Development Process / Security
- Secure Startup and shield up at install
- Code integrity
- Windows service hardening
- Inbound and outbound firewall
- Restart Manager
- Improved auditing
- Network Access Protection
- Event Forwarding
- Policy Based Networking
- Server and Domain Isolation
- Removable Device Installation Control
- Active Directory Rights Management Services
- Security Compliance
4. Defense In Depth
- Reduce size of high risk layers
- Segment the services
- Increase # of layers
Diagram: a layered stack of Kernel Drivers and User-mode Drivers sitting above separate services (Service 1, Service 2, Service 3, …, Service A, Service B).
5. Service account restrictions
Diagram comparing the built-in service accounts in the two generations:
- Windows XP SP2/Server 2003 R2: LocalSystem, Network Service, Local Service.
- Windows Vista/Server 2008: LocalSystem (Firewall Restricted), Network Service (Network Restricted), Local Service (No Network Access), and a further group of LocalSystem, Network Service and Local Service labelled Fully Restricted.
11. IIS management
- Arsenal of Admin Tools
- Delegated Management
- Secure Remote Management
- Shared Config for Web Farms
Better Tools:
- Intuitive, Task Oriented GUI
- .NET Management API
- Unified WMI Provider for IIS/ASP.NET
- Powerful Command Line Support
- Rich Runtime State Information
- Automatic Failure Tracing & Logging
Diagram: the Site Owner edits Web.config (XML); the Administrator manages remotely from the Internet over secure HTTPS; AppHost.config (XML) is held as Shared Config for Shared App Hosting across a Web Farm App.
12. Volume encryption
- Group Policy allows a central encryption policy and provides Branch Office protection.
- Provides data protection even when the system is in unauthorized hands or is booted into a different, attacker-controlled operating system.
- Uses a v1.2 TPM or a USB flash drive for key storage.
Diagram: Full Volume Encryption Key (FVEK) and Encryption Policy.
14. AD RMS
- AD RMS protects access to an organization's digital files.
- AD RMS in Windows Server 2008 includes several new features:
  - Improved installation and administration experience
  - Self-enrollment of the AD RMS cluster
  - Integration with AD Federation Services
  - New AD RMS administrative roles
Diagram: Information Author and The Recipient.
33. AD FS
- AD FS provides an identity access solution.
- Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions.
- AD FS provides a Web-based SSO solution.
- AD FS interoperates with other security products that support the Web Services Architecture.
- AD FS improved in Windows Server 2008.
Diagram: Web Server, Account Federation Server and Resource Federation Server, with a Federation Trust between the Leadcom and Dario organizations.
35. PKI services
- Enterprise PKI (PKIView)
- Online Certificate Status Protocol (OCSP)
- Network Device Enrollment Service
- Web Enrollment
36. Cryptography Next Generation (CNG)
- Includes algorithms for encryption, digital signatures, key exchange, and hashing
- Supports cryptography in kernel mode
- Supports the current set of CryptoAPI 1.0 algorithms
- Support for elliptic curve cryptography (ECC) algorithms
- Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data
40. Network Access Protection flow
1. Client requests access to the network and presents its current health state.
2. DHCP, VPN or Switch/Router relays the health status to Microsoft Network Policy Server (RADIUS).
3. Network Policy Server (NPS) validates it against the IT-defined health policy.
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures (repeat 1 - 4).
5. If policy compliant, the client is granted full access to the corporate network.
Diagram: Windows Client; DHCP, VPN or Switch/Router; NPS; Policy Servers such as Patch and AV; Remediation Servers (example: Patch) on the Restricted Network; Corporate Network; outcomes labelled "Not policy compliant" and "Policy compliant".
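The admission loop in steps 1 - 5 is easier to reason about as code. The following is an added example that simulates the decision flow; it is not Microsoft's NPS implementation or any code from the deck. The health-statement fields (firewall state, antivirus signature date, patch level), the policy thresholds and the set of remediation services are all constructed for the demo; the only assumption taken from the slide is that the restricted network offers patch and AV fix-up servers, so a failure those servers cannot repair leaves the client restricted.

```python
"""Simulation of the NAP admission flow (steps 1-5): added example, not NPS code."""
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class HealthStatement:
    """What the client presents at step 1 (fields constructed for the demo)."""
    firewall_enabled: bool
    av_signature_date: date
    patch_level: int


@dataclass(frozen=True)
class HealthPolicy:
    """IT-defined health policy held by NPS (values constructed for the demo)."""
    require_firewall: bool
    max_signature_age_days: int
    min_patch_level: int
    today: date


def evaluate(policy: HealthPolicy, hs: HealthStatement) -> list[str]:
    """Step 3: compare the statement against policy; an empty list means compliant."""
    failures = []
    if policy.require_firewall and not hs.firewall_enabled:
        failures.append("firewall")
    if (policy.today - hs.av_signature_date).days > policy.max_signature_age_days:
        failures.append("av")
    if hs.patch_level < policy.min_patch_level:
        failures.append("patch")
    return failures


# Fix-up services reachable from the restricted VLAN. The slide names patch and
# AV servers, so those are the only repairs this demo can perform (assumption).
REMEDIATION_SERVICES = {"patch", "av"}


def remediate(hs: HealthStatement, policy: HealthPolicy, failures: list[str]) -> HealthStatement:
    """Step 4: apply whatever the remediation servers can fix; return the new statement."""
    for failure in failures:
        if failure == "patch" and "patch" in REMEDIATION_SERVICES:
            hs = replace(hs, patch_level=policy.min_patch_level)
        elif failure == "av" and "av" in REMEDIATION_SERVICES:
            hs = replace(hs, av_signature_date=policy.today)
        # A disabled firewall has no fix-up server here, so it is left as-is.
    return hs


def admit(hs: HealthStatement, policy: HealthPolicy, max_rounds: int = 3) -> tuple[str, list[str]]:
    """Drive steps 1-5, re-running the check after each remediation round.

    Returns ("full", log) when the client reaches the corporate network and
    ("restricted", log) when remediation cannot make it compliant.
    """
    log = []
    for round_no in range(1, max_rounds + 1):
        failures = evaluate(policy, hs)            # steps 1-3
        if not failures:
            log.append(f"round {round_no}: compliant -> full access")  # step 5
            return "full", log
        log.append(f"round {round_no}: non-compliant ({', '.join(failures)}) -> restricted VLAN")
        hs = remediate(hs, policy, failures)        # step 4, then repeat
    log.append("remediation exhausted; client stays restricted")
    return "restricted", log


# Constructed sample data.
POLICY = HealthPolicy(require_firewall=True, max_signature_age_days=7,
                      min_patch_level=100, today=date(2008, 6, 1))
STALE_CLIENT = HealthStatement(firewall_enabled=True,
                               av_signature_date=date(2008, 5, 1), patch_level=90)
FIREWALL_OFF_CLIENT = HealthStatement(firewall_enabled=False,
                                      av_signature_date=date(2008, 6, 1), patch_level=100)

if __name__ == "__main__":
    for name, client in (("stale client", STALE_CLIENT),
                         ("firewall-off client", FIREWALL_OFF_CLIENT)):
        outcome, log = admit(client, POLICY)
        print(f"{name}: {outcome}")
        for line in log:
            print("  " + line)
```

The stale client fails on signatures and patch level, is parked in the restricted VLAN, pulls both fixes and is admitted on the second pass. The client with its firewall disabled fails every round because nothing on the restricted network can repair that condition, which is the case a defender wants the loop to terminate on rather than spin forever.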