NEXT GENERATION SECURITY
TAL SARID | PRINCIPAL CONSULTANT | MCS
Agenda
Today’s Security Challenges
Windows Security
Next Generation Windows 2012 Security
Phone-call security scam targeting PC users
Microsoft is warning customers about a new threat where criminals acting as computer security engineers call people at home to warn them about a security threat.
In the news…
Lost Devices Cost Companies Billions
Last month, an oil giant announced an unencrypted laptop containing sensitive information on 13,000 individuals. The incident may cost
The Stealthiest Rootkit in the Wild?
Feds launched the raids against individuals who have allegedly been managing the Rustock "botnet," a vast network of computers around the globe that have been infected with malicious software that allows the devices to distribute enormous volumes of spam...
Michigan firm about to determine 200,000 account passwords in under an hour
The most popular passwords among nearly 400,000 exposed by the Gawker hack were "123456" and "password", according to an analysis done by a Michigan security firm.
RSA warns customers after company is hacked
SecurID tokens from EMC's RSA Security division, which are used for two-factor authentication, have been compromised after a sophisticated cyber-attack…
Security firm's confidential data is exposed after successful hack
A web application security provider has just revealed that a cyber attack appears to have exposed sensitive data about the company's partners and employees, including their login credentials. Representatives from the company haven't responded to emails asking for confirmation...
Microsoft Work Exposes Magnitude of Botnet Threat
Microsoft's Security Intelligence Report sheds light on the expanding threat that bots…
Researchers Discover Link Between a Series of Trojans
A difficult-to-remove rootkit behind numerous sophisticated attacks appears to have helped spread yet another Trojan.
Challenges
2012: IT challenges
• What generation are you?
• Going hybrid…
• Mobile
Mobile Workforce / Generational / Hybrid Cloud
[Device spectrum graphic: browsers, smart phones, slates, PCs, laptops, servers]
Today there are as many devices as humans on the planet!
In 3 years there will be 3 devices for every human!!!
Security “things” to think about…
Encryption
Assurance Level
Policy
Auditing
Identity
Remote Access
Information Protection
[Device graphic: servers, PCs, laptops, slates, smart phones]
BUILT FROM THE CLOUD UP
Work-life blur
Information on the go
Productive from anywhere
Windows Security
DEVICES | COMPUTE
Centralized Management
Secure Remote Access
Virtual Smartcards
Trusted Boot
Bitlocker
Direct Access
Virtual Smart Cards
Emulate the functionality of traditional smart cards
Utilizes the Trusted Platform Module (TPM)
Multiple smart cards can be associated with a single computer to support multiple users
Provide a comparable level of security assurance to traditional smart cards
• Non-exportability
• Isolated cryptography
• Anti-hammering
Trusted & Measured Boot
Trusted Boot: Early Load Anti-Malware
Until now (BIOS boot):
BIOS -> OS Loader (Malware) -> 3rd Party Drivers (Malware) -> Anti-Malware Software Start -> Windows Logon
• Malware is able to boot before OS and Anti-malware
• Malware able to hide and remain undetected
• Systems can be compromised before AM starts
Windows 8 (Native UEFI):
UEFI -> Windows 8 OS Loader -> Anti-Malware Software Start -> 3rd Party Drivers -> Windows Logon
• Secure Boot loads Anti-Malware early in the boot process
• Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection
UEFI 2.3.1
Enhanced Measured Boot
Windows 7: BIOS -> MBR & Boot Sector -> OS Loader -> Kernel Initialization -> 3rd Party Drivers
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8: UEFI -> Windows 8 OS Loader -> Windows Kernel & Drivers -> Anti-Malware Software
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when TPM is present. BitLocker not required
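The measure-and-attest flow described above, as an added Python illustration (not part of the deck or of any Microsoft component): boot components are hashed into a simulated TPM PCR with the extend operation, and an attestation check replays the event log and compares the result with a known-good value. The component images and names are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for the Windows 8 boot chain on the slide (not real images).
TRUSTED_BOOT_CHAIN = [
    ("uefi_firmware", b"UEFI 2.3.1 firmware image (constructed)"),
    ("os_loader", b"Windows 8 OS loader (constructed)"),
    ("kernel_and_drivers", b"Windows kernel & drivers (constructed)"),
    ("elam_driver", b"Early Load Anti-Malware driver (constructed)"),
]

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). Order-dependent and one-way,
    so a component cannot be swapped or reordered without changing the PCR."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(chain):
    """Return (final PCR value, event log of per-component digests)."""
    pcr = bytes(32)  # PCRs are zero at power-on
    log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log

def replay_log(log):
    """Attestation server recomputes the PCR from the event log alone."""
    pcr = bytes(32)
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def attest(reported_pcr, log, golden_pcr):
    """Healthy only if the log replays to the reported PCR (log not forged)
    and the PCR equals the known-good value recorded at provisioning time."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr

GOLDEN_PCR, _ = measure_boot(TRUSTED_BOOT_CHAIN)

def boot_with_tampered_loader():
    """The 'until now' scenario: a modified OS loader runs before anti-malware."""
    chain = [(n, b"patched loader (constructed)" if n == "os_loader" else img)
             for n, img in TRUSTED_BOOT_CHAIN]
    return measure_boot(chain)

if __name__ == "__main__":
    pcr, log = measure_boot(TRUSTED_BOOT_CHAIN)
    print("clean boot attests:", attest(pcr, log, GOLDEN_PCR))
    pcr, log = boot_with_tampered_loader()
    print("tampered boot attests:", attest(pcr, log, GOLDEN_PCR))
```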
Bitlocker
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Windows 8 Improvements
• Fast encryption with Used Disk Space Only Encryption
• ActiveSync to enforce BitLocker in non domain joined & BYOD
Server 2012 Improvements
• Storage Area Networks (SAN) Support
• Windows Server Cluster Support
• Network Unlock
• Active Directory Users and Computers UI
Enterprise Management with MBAM…
www.microsoft.com/en-us/download/details.aspx?id=24626&hash=wNAzyTY2nXoIrlY%2b3LjX45stIwpLzu%2fntPqr2g5CO4PpkwNm%2bmCwOP6Ta0lfDFIOlHWZVrhU%2bbePlDwrmPHw7A%3d%3d
www.Microsoft.com/getmbam
Direct Access
COMPUTE
What is DirectAccess?
[Diagram]
DirectAccess Client (Windows 8, domain member) on the Internet
-> IPsec, using computer certificates, domain membership, possibly smartcards and NAP health certificates; IPv6 tunneling via IPv6 transition technologies
-> DirectAccess Server (Windows 2012)
-> Corporate Network: Applications & Data, DC & DNS (Win 2003+), Management Servers, Group Policy
Possible IPsec end-to-end
Direct Access
Let’s take a look…
Next Generation Security
Windows 2012 Server
Virtualization: Extensible switch, Virtual Networks
Certificates: PKI management and lifecycle
Group Policy: New Windows settings, features and control
Dynamic Access Control: Data classification, Auditing, Encryption, Expression based access
Security enhancements
My Top 5 Security Group Policy Settings:
1. Prevent connection to non-domain networks when connected to domain authenticated network
2. Advanced Auditing Policy Configuration
3. File Servers – Central Access Policy
4. Log Certificate Expiry events
5. Kerberos Client support for claims
Virtualization
Hyper-V Network Virtualization
Server Virtualization
Run multiple virtual servers on a physical server
Each VM has the illusion it is running as a physical server
Hyper-V Network Virtualization
Run multiple virtual networks on a physical network
Each virtual network has the illusion it is running as a physical network
[Diagram: Blue VM and Red VM on one physical server; Blue Network and Red Network on one physical network, different subnets]
Standards-Based Encapsulation - NVGRE
[Diagram: two virtual networks both use customer addresses 10.0.0.5 and 10.0.0.7; their hosts have provider addresses 192.168.2.22 and 192.168.5.55; packets of one network carry GRE Key 5001 and of the other GRE Key 6001, so identical customer addresses remain isolated]
http://www.ietf.org/id/draft-sridharan-virtualization-nvgre-01.txt
http://tools.ietf.org/html/rfc1701
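The encapsulation in the diagram, as an added Python example that is not part of the deck: the GRE header carries the key bit and protocol type 0x6558, and the 32-bit key is the 24-bit Virtual Subnet ID followed by an 8-bit FlowID, as in the NVGRE draft linked above. The inner frame bytes and the provider/customer addresses are constructed from the slide's values.

```python
import struct
from ipaddress import IPv4Address

GRE_KEY_PRESENT = 0x2000   # GRE flags word: C=0, K=1, S=0, Ver=0 (only a key field follows)
ETH_P_TEB = 0x6558         # Transparent Ethernet Bridging: payload is the tenant's whole frame
IPPROTO_GRE = 47

def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over the 20-byte header; returns 0 when verifying a valid header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def nvgre_encapsulate(inner_frame: bytes, vsid: int, flow_id: int, pa_src: str, pa_dst: str) -> bytes:
    """Wrap a customer-address (CA) frame in outer IPv4 (provider addresses) + GRE.
    The GRE key is VSID (24 bits) << 8 | FlowID (8 bits)."""
    if not (0 <= vsid < 1 << 24 and 0 <= flow_id < 1 << 8):
        raise ValueError("VSID must fit in 24 bits and FlowID in 8 bits")
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, ETH_P_TEB, (vsid << 8) | flow_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner_frame),
                     0, 0, 64, IPPROTO_GRE, 0,
                     IPv4Address(pa_src).packed, IPv4Address(pa_dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + gre + inner_frame

def nvgre_decapsulate(packet: bytes):
    """Return (vsid, flow_id, pa_src, pa_dst, inner_frame); reject anything that is not NVGRE."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl != 20 or packet[9] != IPPROTO_GRE or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("not a valid GRE-over-IPv4 packet")
    flags, proto, key = struct.unpack_from("!HHI", packet, ihl)
    if flags != GRE_KEY_PRESENT or proto != ETH_P_TEB:
        raise ValueError("GRE header is not NVGRE (key bit and protocol 0x6558 required)")
    pa_src, pa_dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    return key >> 8, key & 0xFF, pa_src, pa_dst, packet[ihl + 8:]

# Constructed inner frame: both tenants send CA 10.0.0.5 -> 10.0.0.7, as on the slide.
INNER_FRAME = bytes(14) + b"constructed CA traffic 10.0.0.5 -> 10.0.0.7"
PA_SRC, PA_DST = "192.168.2.22", "192.168.5.55"

if __name__ == "__main__":
    for vsid in (5001, 6001):
        pkt = nvgre_encapsulate(INNER_FRAME, vsid, 0, PA_SRC, PA_DST)
        # Same CA frame, same provider hosts: only the VSID tells the two networks apart.
        print(vsid, nvgre_decapsulate(pkt)[0], pkt[20:28].hex())
```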
Extensible (Layer 2) Switch
Capture Extensions
WFP Extensions
Filtering Extensions
Forwarding Extensions
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action
Cisco Nexus 1000V for Hyper-V
Hyper-V Network Virtualization Ecosystem
Certificates
Authentication: Smartcards, SSL Client Auth, Non Domain joined SCOM, Mobile Device, Wireless, Wired, DHCP, IPSEC, Direct Access, Remote Desktop, Health (NAP), Federations, Azure, Office 365
Digital Signatures: Authenticode Applications, S/MIME Signature, Driver Signing
Encryption: SSL, LDAP/S, S/MIME Encryption, EFS, IPSEC, Routers
Certificates not a niche service anymore…
My Top 5 new features in Certificate Services
1. Certificate store expiry notifications
2. Group protected PFX
3. Shared SSL storage
4. Version 4 templates
5. Non Domain Joined Issuance and renewal!
Dynamic Access Control (DAC)
Data Classification
Flexible access control lists based on document classification and multiple identities (security groups).
Centralized access control lists using Central Access Policies.
Targeted access auditing based on document classification and user identity.
Centralized deployment of audit polices using Global Audit Policies.
Automatic RMS encryption based on document classification.
Expression based auditing
Expression based access conditions
Encryption
Classify your documents using resource properties stored in Active Directory.
Automatically classify documents based on document content.
DAC Concepts
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
AD DS -> Central access policies -> File Server
Let’s take a look…
http://www.microsoft.com/en-us/download/details.aspx?id=30152
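The access policy on the DAC Concepts slide, evaluated in a small added Python model (not Microsoft's implementation and not from the deck): a rule has a scope (which files it applies to) and a condition over user claims, device claims and resource properties, and anything not explicitly granted is denied. The claim and property names follow the slide; the class and function names are this example's own.

```python
from typing import Callable, Dict, Set

Claims = Dict[str, object]   # e.g. {"Department": "Finance", "Clearance": "High"}

class CentralAccessRule:
    """One rule of a Central Access Policy: a resource scope plus a conditional allow."""
    def __init__(self, name: str, applies_to: Callable[[Claims], bool],
                 permissions: Set[str], condition: Callable[[Claims, Claims, Claims], bool]):
        self.name, self.applies_to = name, applies_to
        self.permissions, self.condition = permissions, condition

    def grants(self, user: Claims, device: Claims, resource: Claims) -> Set[str]:
        if not self.applies_to(resource):
            return set()          # out of scope: this rule says nothing about the file
        return set(self.permissions) if self.condition(user, device, resource) else set()

def effective_access(user: Claims, device: Claims, resource: Claims, policy) -> Set[str]:
    """Union of what the in-scope rules allow; anything not granted is denied."""
    granted: Set[str] = set()
    for rule in policy:
        granted |= rule.grants(user, device, resource)
    return granted

def same_department_on_managed_device(u: Claims, d: Claims, f: Claims) -> bool:
    # Require the claim to be present: a missing claim must not satisfy the rule
    # (u.get("Department") == f.get("Department") would be True when both are absent).
    return ("Department" in u and "Department" in f
            and u["Department"] == f["Department"]
            and d.get("Managed") is True)

# The slide's rule: Applies to @File.Impact = High;
# Allow Read, Write if (@User.Department == @File.Department) AND (@Device.Managed == True)
HIGH_IMPACT_RULE = CentralAccessRule(
    "High impact: same department on a managed device",
    applies_to=lambda f: f.get("Impact") == "High",
    permissions={"Read", "Write"},
    condition=same_department_on_managed_device,
)
POLICY = [HIGH_IMPACT_RULE]

# Claims and properties as shown on the slide.
USER = {"Department": "Finance", "Clearance": "High"}
DEVICE = {"Department": "Finance", "Managed": True}
RESOURCE = {"Department": "Finance", "Impact": "High"}

if __name__ == "__main__":
    print("managed device:  ", effective_access(USER, DEVICE, RESOURCE, POLICY))
    print("unmanaged device:", effective_access(USER, {**DEVICE, "Managed": False}, RESOURCE, POLICY))
```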
So…what did we talk about?
Mobile and Windows Security
• Virtual Smartcards, Secure Boot, Measured Boot, Bitlocker, Direct Access…
Server 2012 Security
• Network Virtualization, Group Policy, DAC, RMS and ADCS…
Next Steps
• Windows 2012 Jumpstart: http://technet.microsoft.com/en-us/video/windows-server-2012-jump-start-01-core-hyper-v.aspx
• Windows 2012 Virtual Labs: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx
• Private Cloud Jumpstart: http://technet.microsoft.com/en-us/video/private-cloud-jump-start-01-introduction-to-the-microsoft-private-cloud-with-system-center-2012
Hands on Labs
Windows 2012
[Graphic: Private Clouds, Windows Azure, Hybrid, Devices, Compute, Virtualized Servers & Devices]
Going Hybrid
DOWNLOAD WINDOWS SERVER 2012 RTM
HTTP://TECHNET.MICROSOFT.COM/HE-IL/EVALCENTER/HH670538
WHAT NEXT?
NEXT GEN YOUR SECURITY!