Andrej Budja | Technology Advisor | Microsoft Slovenija
Jan 05, 2016
For Consumers
For Medium and Large Businesses
For Small Businesses
Offerings By Customer Segment
Offerings By Channel
Packaged Product at Retail (FPP)
OEM Pre-installed PCs & System Builder PCs
Volume Licensing SA/EA Benefit
OEM Pre-installed PCs in emerging market countries in addition to mainstream SKUs
Versions
Features & Services
Security & Perf Enhancements
Search & Organize Enhancements
Peer-to-Peer Collaboration
Join Only
Scheduled & Networked Backup
AERO UI Enhancements
Media Center & Extender Capability
Tablet / Auxiliary Disp. Enhancement
VLK Compatible
Subsystem for Unix Applications
BitLocker™ Drive Encryption
Multi-Language Support
4 Virtual OS Licenses
Availability OEM, FPP OEM, FPP OEM, FPP, VL VL (SA Only) OEM, FPP, VL (SA Only)
• Vista Capable PC
  • 512 MB RAM
  • CPU 800 MHz
• Vista Premium Ready PC
  • 1 GB RAM
  • 1 GHz CPU
  • 128 MB graphic card, WDDM drivers
• Aero:
  • 64 MB of VRAM
  • DirectX 9 Support with Pixel Shader 2 support
  • AGP 4x or better
• 8.5 GB free disk space on x86, 14 GB free on x64
• http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx
Internet Explorer 7
Social Engineering Protections
• Phishing Filter and Colored Address Bar
• Dangerous Settings Notification
• Secure defaults for IDN
Protection from Exploits
• Unified URL Parsing
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode to prevent malicious software
ActiveX Opt-in And Protected Mode
Defending systems from malicious attack
• ActiveX Opt-in puts users in control
  • Reduces attack surface
  • Previously unused controls disabled
  • Retain ActiveX benefits, increase user security
• Protected Mode reduces severity of threats
  • Eliminates silent malware install
  • IE process ‘sandboxed’ to protect OS
  • Designed for security and compatibility
[Diagram: ActiveX Opt-in (Enabled Controls, Disabled Controls, User Action, Windows) and Protected Mode (User Action, IE Cache, Broker Process, Low Rights, My Computer (C:))]
Phishing Filter
Dynamic Protection Against Fraudulent Websites
• 3 “checks” to protect users from phishing scams:
  1. Compares web site with local list of known legitimate sites
  2. Scans the web site for characteristics common to phishing sites
  3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour
Two Levels of Warning and Protection in IE7 Security Status Bar
• Level 1: Warn (Suspicious Website Signaled)
• Level 2: Block (Confirmed Phishing Site Signaled and Blocked)
IE6
[Diagram: IE6 running with Admin Rights. Labels: Install a driver, Run Windows Update; Change Settings, Download a Picture; Cache Web content; Exploit can install MALWARE; Admin-Rights Access; User-Rights Access; Temp Internet Files; HKLM; Program Files; HKCU; My Documents; Startup Folder; Untrusted files & settings]
User Account Control
• Goal: Allow businesses to move to a better-managed desktop and consumers to use parental controls
• Make the system work well for standard users
• Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
• High application compatibility
• Make it clear when elevation to admin is required and allow that to happen in-place without logging off
• High application compatibility with file/registry virtualization
• Administrators use full privilege only for administrative tasks or applications
• User provides explicit consent before using elevated privilege
Vista Integrity model
• Low, Medium, High, System
• Processes with low integrity cannot communicate with processes with higher integrity
• IE runs only in Low integrity and writes only to low-integrity folders
• Normal apps in Medium integrity
• Admin apps in High integrity
• Default is Medium
Service Hardening
Windows Service Hardening
Defense in depth
• Services run with reduced privilege compared to Windows XP
• Windows services are profiled for allowed actions to the network, file system, and registry
• Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile
[Diagram: Active protection covering File system, Registry, Network]
Windows Service Hardening
Defense In Depth – Factoring/Profiling
• Reduce size of high risk layers
• Segment the services
• Increase # of layers
[Diagram: layers labelled Kernel Drivers, User-mode Drivers, Service 1, Service 2, Service 3, Service …, Service A, Service B]
Windows Vista Firewall
• Combined firewall and IPsec management
  • New management tools – Windows Firewall with Advanced Security MMC snap-in
  • Reduces conflicts and coordination overhead between technologies
• Firewall rules become more intelligent
  • Specify security requirements such as authentication and encryption
  • Specify Active Directory computer or user groups
• Outbound filtering
  • Enterprise management feature – not for consumers
• Simplified protection policy reduces management overhead
Windows Resource Protection
• Windows protecting itself
• Files, folders, registry and other system objects
• Only OS can update the protected resources
• Applications cannot change system registry or system files and cannot write to system folder
Authentication Improvements
• Plug and Play Smart Cards
  • Drivers and Certificate Service Provider (CSP) included in Windows Vista
  • Login and credential prompts for User Account Control all support Smart Cards
• New logon architecture
  • GINA (the old Windows logon model) is gone.
  • Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding
BitLocker™ Drive Encryption
• Designed specifically to prevent a thief who boots another Operating System or runs a hacking tool from breaking Windows file and system protections
• Provides data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System
• Uses a v1.2 TPM or USB flash drive for key storage
BitLocker
Spectrum Of Protection
BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.
[Chart axes: Security, Ease of Use]
• TPM Only: “What it is.” Protects against: SW-only attacks. Vulnerable to: HW attacks (including potentially “easy” HW attacks)
• TPM + PIN: “What you know.” Protects against: Many HW attacks. Vulnerable to: TPM breaking attacks
• Dongle Only: “What you have.” Protects against: All HW attacks. Vulnerable to: Losing dongle, Pre-OS attacks
• TPM + Dongle: “Two what I have’s.” Protects against: Many HW attacks. Vulnerable to: HW attacks
Other security changes (1)
• Power Users group = normal users now
• Local Administrator - disabled by default
• Help and Support accounts - gone
• New groups
• Services have SIDs
• 3000 GPO settings
• Multiple local GPOs (Local, admin, non-admin, user)
• GP settings for Removable Devices (read/write)
• EFS cert on smartcard
Other security changes (2)
• Offline files encrypted per user
• Encrypted pagefile
• AES and SHA-2 in kernel
• IPSec support for AES
• Cached credentials secured
• AuthIP – IPSec rules by user
• SMBv2 – client-side file encryption
• Volume Shadow Copies – Previous Versions
Typical Compatibility Failures
• Assumption of running as admin
• Using old system features
• Tied to OS version
• Using internal system calls and data structures
• Latent bugs
Changes
• User Account Control
• Internet Explorer
• Updates as admin!
• New TCP/IP stack
• GINA – replaced by Credential Provider
• Biometrics
• VPN
• Smart card readers
• New display driver model
• Users folder instead of Documents and Settings
Redirection
• Files, registry keys are redirected when written to privileged areas
• Redirection per user – VirtualStore folder
• App doesn’t know it was redirected
• Apps that don’t know anything about UAC will just work
• Apps running as Admin will not get redirection
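Added example (not part of the original slides): a simplified Python model of the redirection rules above, useful for predicting where a legacy application's write will actually land. The protected roots, the VirtualStore locations and the names resolve_write, elevated and uac_aware are assumptions of this example; the "denied" outcome for UAC-aware apps goes beyond what the slide states.

```python
import ntpath

# Assumed defaults for an install on C: (simplified model, not the OS logic).
PROTECTED_DIRS = (r"C:\Program Files", r"C:\ProgramData", r"C:\Windows")
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\SOFTWARE"
HKCU_VSTORE = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE"


def _under(path, root):
    """Case-insensitive test: is path equal to root or somewhere below it?"""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(root)
    return p == r or p.startswith(r + "\\")


def resolve_write(target, user, elevated=False, uac_aware=False):
    """Return (outcome, effective_target) for one write attempt.

    outcome is 'direct', 'redirected' or 'denied'. target is a full file
    path or a registry key spelled with the long hive name.
    """
    is_key = target.upper().startswith("HKEY_")
    if is_key:
        protected = _under(target, HKLM_SOFTWARE)
    else:
        protected = any(_under(target, d) for d in PROTECTED_DIRS)

    if not protected or elevated:
        return ("direct", target)        # admin apps get no redirection
    if uac_aware:
        return ("denied", target)        # assumption: manifested app is not virtualized
    if is_key:
        return ("redirected", HKCU_VSTORE + target[len(HKLM_SOFTWARE):])

    # Per-user copy: drop the drive letter, re-root under the user's VirtualStore.
    _drive, rest = ntpath.splitdrive(ntpath.normpath(target))
    store = ntpath.join(r"C:\Users", user, r"AppData\Local\VirtualStore")
    return ("redirected", store + rest)


def redirected_only(attempts, user):
    """Filter (target, elevated, uac_aware) tuples down to the redirected writes."""
    results = (resolve_write(t, user, e, a) for t, e, a in attempts)
    return [new for outcome, new in results if outcome == "redirected"]
```

Because the redirected copy is per user, two users of the same legacy application can end up with different settings files while the file under Program Files stays unchanged.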
Application Compatibility
• Windows Vista Program Compatibility Assistant
• Application Compatibility Toolkit 5.0 (Beta)
• Windows Application Toolkit 4.1
• Microsoft Standard User Analyzer
• Windows Vista Upgrade Advisor
• Virtual PC
• http://www.microsoft.com/technet/windowsvista/appcompat/tools.mspx
• http://www.microsoft.com/technet/windowsvista/appcompat/default.mspx
Deployment
• WIM – file-based image format
• One image per platform – x86, x64
• Nondestructive imaging
• Several images inside one image file
• One XML unattended answer file
• Offline editing of image file – patches, drivers
• Image file mounting to the file system
Event Viewer
• Know where to look
  • Central logging of events
  • Events unified in single viewer
  • High-level Event Summary
• Find what you need
  • Enhanced filtering
  • Define and save views
  • Default views for common scenarios
• Know what to do
  • Richer data and documentation
  • Easy-to-use task integration in Event Viewer
• Manage centrally
  • Event forwarding
  • View multiple logs from one machine
• Control information flow
  • Enable/disable detailed logging to troubleshoo
Reliability Analysis Comp.
Analyzes, aggregates, and correlates user disruptions for the OS and applications
Tracks frequency and cause of user disruption
Exposes reliability metrics and results to the IT Administrator, to health monitoring applications and, by customer choice, to MS Product Feedback
Performance
SuperFetch
• Intelligent memory management lets you access your data more quickly
• Optimizes based on usage patterns over time
EMD
• Takes advantage of USB 2.0 drive for additional memory cache
• Substantially improves responsiveness – without upgrading RAM
Low-Priority I/O
• User apps have priority over background processes for hard drive access
• Search indexing, virus scans and auto defrag run in the background without impacting performance
Windows Vista Security
Summary
Fundamentals
• SDL
• Service Hardening
• Code Scanning
• Default configuration
• Code Integrity
Threat and Vulnerability Mitigation
• IE – protected mode/anti-phishing
• Windows Defender
• Bi-directional Firewall
• IPSEC improvements
• Network Access Protection (NAP)
Identity and Access Control
• User Account Control
• Plug and Play Smartcards
• Simplified Logon architecture
• Bitlocker
• RMS Client
Q&A