Andrej Budja, Technology Advisor, Microsoft Slovenija - PowerPoint PPT Presentation

1
Andrej Budja, Technology Advisor
Microsoft Slovenija
2
Offerings By Customer Segment
For Medium and Large Businesses
For Small Businesses
For Consumers
3
Offerings By Channel
Packaged Product at Retail (FPP)
OEM Pre-installed PCs System Builder PCs
Volume Licensing
SA/EA Benefit
OEM Pre-installed PCs in emerging market
countries in addition to mainstream SKUs
4
Versions
5
  • Highlights
  • Security and reliability
  • Parental Controls
  • Integrated search and new ways to organize
    information
  • New user interface: Windows Vista Basic

6
  • Highlights
  • New user interface: Windows Aero
  • Great for digital media and entertainment
  • Windows Media Center and more
  • Great for mobile PCs
  • Windows Tablet PC features and more

7
  • Highlights
  • New user interface: Windows Aero
  • Integrated search and new ways to organize
    information
  • Great for mobile PCs
  • Windows Tablet PC features and more
  • Core business features
  • Domain join, Group Policy, EFS, etc.
  • Small Business-focused features

8
  • Highlights
  • Windows BitLocker Drive Encryption
  • All worldwide interface languages
  • Virtual PC Express
  • Subsystem for UNIX Applications (SUA)

9
  • Highlights
  • All features in Windows Vista Enterprise
  • Domain join, BitLocker, languages
  • All features in Windows Vista Home Premium
  • Windows Media Center, Parental Controls
  • Focused on consumer/small business segments
  • Entertainment features are not Group
    Policy-enabled
  • Does not support Volume License Keys

10
  • Vista Capable PC
  • 512 MB RAM
  • CPU 800 MHz
  • Vista Premium Ready PC
  • 1 GB RAM
  • 1 GHz CPU
  • 128 MB graphic card, WDDM drivers
  • Aero
  • 64 MB of VRAM
  • DirectX 9 Support with Pixel Shader 2 support
  • AGP 4x or better
  • 8.5 GB free disk space on x86, 14 GB free on x64
  • http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx

11
Internet Explorer 7
Social Engineering Protections
  • Phishing Filter and Colored Address Bar
  • Dangerous Settings Notification
  • Secure defaults for IDN

Protection from Exploits
  • Unified URL Parsing
  • Code quality improvements (SDLC)
  • ActiveX Opt-in
  • Protected Mode to prevent malicious software

12
ActiveX Opt-in And Protected Mode: Defending
systems from malicious attack
  • ActiveX Opt-in puts users in control
  • Reduces attack surface
  • Previously unused controls disabled
  • Retain ActiveX benefits, increase user security
  • Protected Mode reduces severity of threats
  • Eliminates silent malware install
  • IE process sandboxed to protect OS
  • Designed for security and compatibility

13
Phishing Filter: Dynamic Protection Against
Fraudulent Websites
  • 3 checks to protect users from phishing scams
  • Compares web site with local list of known
    legitimate sites
  • Scans the web site for characteristics common to
    phishing sites
  • Double checks site with online Microsoft service
    of reported phishing sites updated several times
    every hour

Two Levels of Warning and Protection in IE7 Security Status Bar
  • Level 1: Warn - Suspicious Website Signaled
  • Level 2: Block - Confirmed Phishing Site Signaled and Blocked
14
IE6 running with Admin Rights
[Diagram: IE6 with Admin-Rights Access (HKLM, Program Files) and User-Rights Access (HKCU, My Documents, Startup Folder); Temp Internet Files; untrusted files and settings]
15
User Account Control
  • Goal: Allow businesses to move to a
    better-managed desktop and consumers to use
    parental controls
  • Make the system work well for standard users
  • Allow standard users to change time zone and
    power management settings, add printers, and
    connect to secure wireless networks
  • High application compatibility
  • Make it clear when elevation to admin is
    required and allow that to happen in-place
    without logging off
  • High application compatibility with
    file/registry virtualization
  • Administrators use full privilege only for
    administrative tasks or applications
  • User provides explicit consent before using
    elevated privilege

16
Vista Integrity model
  • Low, Medium, High, System
  • Processes with low integrity cannot communicate
    with processes with higher integrity
  • IE runs only in Low integrity and writes only to
    low-integrity folders
  • Normal apps in Medium integrity
  • Admin apps in High integrity
  • Default is medium

17
Windows Service Hardening: Defense in depth
Service Hardening
  • Services run with reduced privilege compared to
    Windows XP
  • Windows services are profiled for allowed
    actions to the network, file system, and
    registry
  • Designed to block attempts by malicious software
    to make a Windows service write to an area of the
    network, file system, or registry that isn't part
    of that service's profile

[Diagram: Active protection covering File system, Registry, Network]
18
Windows Service Hardening: Defense In Depth
Factoring/Profiling
  • Reduce size of high risk layers
  • Segment the services
  • Increase number of layers

[Diagram: layers labeled Service 1, Service 2, Service 3, Service A, Service B, Service …, Kernel Drivers, User-mode Drivers]
19
Windows Vista Firewall
  • Combined firewall and IPsec management
  • New management tools: Windows Firewall with
    Advanced Security MMC snap-in
  • Reduces conflicts and coordination overhead
    between technologies
  • Firewall rules become more intelligent
  • Specify security requirements such as
    authentication and encryption
  • Specify Active Directory computer or user groups
  • Outbound filtering
  • Enterprise management feature, not for
    consumers
  • Simplified protection policy reduces management
    overhead

20
Windows Resource Protection
  • Windows protecting itself
  • Files, folders, registry and other system objects
  • Only OS can update the protected resources
  • Applications cannot change system registry or
    system files and cannot write to system folder

21
Authentication Improvements
  • Plug and Play Smart Cards
  • Drivers and Certificate Service Provider (CSP)
    included in Windows Vista
  • Login and credential prompts for User Account
    Control all support Smart Cards
  • New logon architecture
  • GINA (the old Windows logon model) is gone.
  • Third parties can add biometrics, one-time
    password tokens, and other authentication methods
    to Windows with much less coding

22
BitLocker Drive Encryption
  • Designed specifically to prevent a thief who
    boots another Operating System or runs a hacking
    tool from breaking Windows file and system
    protections
  • Provides data protection on your Windows client
    systems, even when the system is in unauthorized
    hands or is running a different or exploiting
    Operating System
  • Uses a v1.2 TPM or USB flash drive for key storage

BitLocker
23
Spectrum Of Protection
BDE offers a spectrum of protection allowing
customers to balance ease-of-use against the
threats they are most concerned with.
24
Windows Vista Information Protection
  • Who are you protecting against?
  • Other users or administrators on the machine? EFS
  • Unauthorized users with physical access?
    BitLocker

Some cases can result in overlap. (e.g.
Multi-user roaming laptops with untrusted network
admins)
25
Other security changes (1)
  • Power Users group: normal users now
  • Local Administrator - disabled by default
  • Help and Support accounts - gone
  • New groups
  • Services have SIDs
  • 3000 GPO settings
  • Multiple local GPOs (Local, admin, non-admin,
    user)
  • GP settings for Removable Devices (read/write)
  • EFS cert on smartcard

26
Other security changes (2)
  • Offline files encrypted per user
  • Encrypted pagefile
  • AES and SHA-2 in kernel
  • IPSec support for AES
  • Cached credentials secured
  • AuthIP IPSec rules by user
  • SMBv2 client-side file encryption
  • Volume Shadow Copies Previous Versions

27
Network Access Protection
[Diagram: Network Access Protection flow, steps 1-5, between the Windows Vista Client, DHCP, VPN Switch/Router, and the MSFT Network Policy Server; outcomes: Policy compliant / Not policy compliant]
  • Enhanced Security
  • All communications are authenticated, authorized,
    and healthy
  • Defense-in-depth on your terms with DHCP, VPN,
    IPsec, 802.1X
  • Policy-based access that IT Pros can set and
    control

Customer Benefits
  • Increased Business Value
  • Preserves user productivity
  • Extends existing investments in Microsoft and 3rd
    party infrastructure
  • Broad industry partnership

28
Typical Compatibility Failures
  • Assumption of running as admin
  • Using old system features
  • Tied to OS version
  • Using internal system calls and data structures
  • Latent bugs

29
Changes
  • User Account Control
  • Internet Explorer
  • Updates as admin!
  • New TCP/IP stack
  • GINA replaced by Credential Provider
  • Biometrics
  • VPN
  • Smart card readers
  • New display driver model
  • Users folder instead of Documents and Settings

30
Redirection
  • Files, registry keys are redirected when written
    to privileged areas
  • Redirection per user: VirtualStore folder
  • App doesn't know it was redirected
  • Apps that don't know anything about UAC will just
    work
  • Apps running as Admin will not get redirection
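
The redirection rules on this slide, modelled for file paths only, with a reverse mapping an administrator can use to see which legacy applications are still writing to privileged areas. This is an added example, not code from the presentation; the privileged roots, the profile layout under `C:\Users`, and all function names are assumptions, and registry redirection is not modelled.

```python
import ntpath  # Windows path rules on any platform

# Assumed default locations of privileged areas (real systems resolve
# %ProgramFiles%, %ProgramData% and %SystemRoot% from the environment).
PROTECTED_ROOTS = (r"C:\Program Files", r"C:\ProgramData", r"C:\Windows")

def virtual_store(user):
    """Per-user VirtualStore root (constructed profile path)."""
    return ntpath.join(r"C:\Users", user, r"AppData\Local\VirtualStore")

def _under(path, root):
    """True when path is root or lies below it, ignoring case."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(root)
    return p == r or p.startswith(r + "\\")

def effective_write_path(path, user, elevated=False):
    """Where a write lands under the redirection rules on the slide."""
    path = ntpath.normpath(path)        # collapse parent-directory hops first
    if elevated:
        return path                     # apps running as admin: no redirection
    if any(_under(path, root) for root in PROTECTED_ROOTS):
        _, tail = ntpath.splitdrive(path)
        return ntpath.join(virtual_store(user), tail.lstrip("\\"))
    return path                         # unprivileged area: written in place

def original_path(virtual_path, user, drive="C:"):
    """Reverse-map a VirtualStore file to the location the app targeted."""
    store = virtual_store(user)
    if not _under(virtual_path, store):
        return None
    rel = ntpath.normpath(virtual_path)[len(store):].lstrip("\\")
    return ntpath.join(drive + "\\", rel)

def audit(virtual_files, user):
    """Map each targeted directory to the redirected files found for it."""
    report = {}
    for vf in virtual_files:
        target = original_path(vf, user)
        if target is not None:
            report.setdefault(ntpath.dirname(target), []).append(
                ntpath.basename(target))
    return report

# Constructed sample: files found under a user's VirtualStore.
SAMPLE = [
    r"C:\Users\alice\AppData\Local\VirtualStore\Program Files\LegacyApp\settings.ini",
    r"C:\Users\alice\AppData\Local\VirtualStore\Windows\legacy.ini",
]
```

Each directory in the `audit` result names an application that assumes admin rights, the first compatibility failure listed on slide 28.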

31
Application Compatibility
  • Windows Vista Program Compatibility Assistant
  • Application Compatibility Toolkit 5.0 (Beta)
  • Windows Application Toolkit 4.1
  • Microsoft Standard User Analyzer
  • Windows Vista Upgrade Advisor
  • Virtual PC
  • http://www.microsoft.com/technet/windowsvista/appcompat/tools.mspx
  • http://www.microsoft.com/technet/windowsvista/appcompat/default.mspx

32
Deployment
  • WIM file-based image format
  • One image per platform: x86, x64
  • Nondestructive imaging
  • Several images inside one image file
  • One XML unattended answer file
  • Offline editing of image file: patches, drivers
  • Image file mounting to the file system

33
Event Viewer
  • Know where to look
  • Central logging of events
  • Events unified in single viewer
  • High-level Event Summary
  • Find what you need
  • Enhanced filtering
  • Define and save views
  • Default views for common scenarios
  • Know what to do
  • Richer data and documentation
  • Easy-to-use task integration in Event Viewer
  • Manage centrally
  • Event forwarding
  • View multiple logs from one machine
  • Control information flow

34
Reliability Analysis Comp.
  • Analyzes, aggregates, and correlates user
    disruptions for the OS and applications
  • Tracks frequency and cause of user disruption
  • Exposes reliability metrics and results to the IT
    Administrator, to health monitoring applications
    and, by customer choice, to MS Product Feedback

35
Performance
SuperFetch
  • Intelligent memory management lets you access
    your data more quickly
  • Optimizes based on usage patterns over time

EMD
  • Takes advantage of USB 2.0 drive for additional
    memory cache
  • Substantially improves responsiveness without
    upgrading RAM

Low-Priority I/O
  • User apps have priority over background processes
    for hard drive access
  • Search indexing, virus scans and auto defrag run
    in the background without impacting performance

36
Windows Vista Security Summary
Threat and Vulnerability Mitigation
Identity and Access Control
  • IE protected mode/anti-phishing
  • Windows Defender
  • Bi-directional Firewall
  • IPSEC improvements
  • Network Access Protection (NAP)
  • User Account Control
  • Plug and Play Smartcards
  • Simplified Logon architecture
  • Bitlocker
  • RMS Client

Fundamentals
  • SDL
  • Service Hardening
  • Code Scanning
  • Default configuration
  • Code Integrity

37
Q&A