1. Windows Server 2008 新安全功能探討 呂政周 精誠恆逸教育訓練處 資深講師 http://edu.uuu.com.tw - -

4. 作業系統安全 - -

5. Windows Server 2008 安全的開發生命週期 對程式開發人員作定期與強制的安全教育 安全顧問針對所有系統元件為開發人員提供安全的建議 在設計階段對各種威脅模式納入考量 程式碼安全性檢視與測試 Common Criteria 認證

7. Protect the OS When Running

10. Hash validation scope - - Windows binaries Yes WHQL-certified third-party drivers Yes Unsigned drivers By policy Third-party application binaries No

16. 存取控制安全 - -

20. Using Network Access Protection 1 Windows Client Policy Servers such as: Patch, AV MSFT NPS DHCP, VPN Switch/Router Client requests access to network and presents current health state 1 Corporate Network

21. Using Network Access Protection 1 Windows Client 2 Policy Servers such as: Patch, AV MSFT NPS DHCP, VPN Switch/Router Client requests access to network and presents current health state 1 2 Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN) or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS) Corporate Network

22. Using Network Access Protection 1 Windows Client 2 3 Policy Servers such as: Patch, AV MSFT NPS DHCP, VPN Switch/Router Client requests access to network and presents current health state 1 2 DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS) 3 Network Policy Server (NPS) validates against IT-defined health policy Corporate Network

23. Using Network Access Protection 1 Windows Client 2 3 Policy Servers such as: Patch, AV Not policy compliant MSFT NPS 4 DHCP, VPN Switch/Router Restricted Network Client requests access to network and presents current health state 1 2 DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS) 3 Network Policy Server (NPS) validates against IT-defined health policy 4 If not policy compliant, client is put in a restricted virtual local area network (VLAN) and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4) Fix Up Servers Example: Patch Corporate Network

24. Using Network Access Protection 1 Windows Client 2 3 Policy Servers such as: Patch, AV Not policy compliant Policy compliant MSFT NPS 5 4 DHCP, VPN Switch/Router Restricted Network Client requests access to network and presents current health state 1 2 DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS) 3 Network Policy Server (NPS) validates against IT-defined health policy 4 If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4) Fix Up Servers Example: Patch 5 If policy compliant, client is granted full access to corporate network Corporate Network

25. Windows Firewall Advanced Security Filter both incoming and outgoing traffic

26. Windows Firewall Advanced Security New Microsoft ® Management Console (MMC) snap-in for GUI configuration

27. Windows Firewall Advanced Security Integrated firewall and IP security (IPsec) settings

28. Windows Firewall Advanced Security Several ways to configure exceptions

30. 應用程式安全 與 程式執行安全 - -

35. Restricting services SCM computes service SID SCM adds the SID to service process’s token SCM creates write-restricted token SCM removes unneeded privileges from process token Service places ACL on resource—only service can write to it

37. Windows Server 2008 Services Hardening Kernel Drivers User-mode Drivers D D D D D

41. Granular Audit Policy

42. Object Access Auditing Object Access Attempt: Object Server: %1 Handle ID: %2 Object Type: %3 Process ID: %4 Image File Name: %5 Access Mask: %6

43. Object Access Auditing An operation was performed on an object. Subject : Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %9 Operation: Operation Type: %8 Accesses: %10 Access Mask: %11 Properties: %12 Additional Info: %13 Additional Info2: %14

46. 資料傳遞安全 與 資料儲存安全 - -

47. Terminal Services Gateway Perimeter network Internet Corp LAN External Firewall Internal Firewall Hotel Tunnels RDP over HTTPS Home Terminal Server Internet Terminal Server Terminal Services Gateway Server E-mail Server Business partner / client site Roaming wireless

50. Offline Files Encrypted Per User

51. Encrypted Pagefile

57. 結論

59. Defense-in-Depth ( 續 ) - - Policies, procedures, and awareness Physical security Perimeter Internal network Network defenses Host Application Data Client defenses Server defenses Host Application Data

60. - - © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.