3 Agenda
- BitLocker Drive Encryption
- User Account Protection
- Internet Explorer 7
- Service hardening
- Windows Vista firewall
- Other news
  - New authentication for RDP
  - What's new in auditing
4 BitLocker Drive Encryption and TBS
- Windows Vista Enterprise and Ultimate
- Verifies the integrity of the system
- Encrypts entire volumes, including the swap and hibernation files, registry keys and configuration files
- Uses TPM v1.2 to validate the pre-OS components
- Customisable protection and authentication methods
  - Pre-OS protection: startup key on USB, PIN
- Microsoft driver for the TPM: stability and security
- TPM Base Services (TBS): enables third-party applications
- Backup to Active Directory
  - Automatic key backup to AD
  - Group Policy support
  - Management via script
- TPM management and BitLocker management: CLI tool
- Secure decommissioning: key deletion and drive reuse

BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Windows Vista Ultimate for client computers and in Windows Server "Longhorn". BitLocker is a response by Microsoft to one of our top customer requests: address the threats of data theft or exposure from lost, stolen or inappropriately decommissioned PC hardware with a tightly integrated solution in the Microsoft Windows operating system.

BitLocker prevents a thief who boots another operating system or runs a software hacking tool from breaking Windows Vista file and system protections or performing offline viewing of the files stored on the protected drive. BitLocker enhances data protection by bringing together two major sub-functions: system volume encryption and the integrity checking of early boot components. Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers. The entire system volume is encrypted, including the swap and hibernation files. Integrity checking of the early boot components helps to ensure that data decryption is performed only if those components appear tamper-free and that the encrypted drive is located in the original computer.

BitLocker offers the option to lock the normal boot process until the user supplies a PIN, much like an ATM card PIN, or inserts a USB flash drive that contains keying material. These added security measures provide multi-factor authentication and assurance that the computer will not boot or resume from hibernation until the correct PIN or USB flash drive is presented.

Finally, BitLocker provides enhanced recovery options. BitLocker has a disaster recovery console integrated into the early boot components to provide for data retrieval. In the default setting, BitLocker requires no user actions, and even activation itself can be done remotely and automatically. By being tightly integrated with Windows Vista, BitLocker provides a seamless, secure, and easily manageable data protection solution for the enterprise. For example, BitLocker optionally leverages an enterprise's existing Active Directory Domain Services infrastructure to remotely escrow recovery keys. Based upon policy, BitLocker can also be set to back up keys and passwords onto a USB dongle or to a file location. A recovery password should also be set by the administrator so Windows operation can continue as normal.

On a dual-boot system with the volume protected by BitLocker, Windows XP will prompt you to format the drive, whereas Windows Vista will deny access.
6 Disk layout (MBR)
- The encrypted OS partition contains:
  - Encrypted OS
  - Encrypted page file
  - Encrypted temporary files
  - Encrypted data
  - Encrypted hibernation file
- MBR
- The System Partition contains the boot utilities (not encrypted, 50 MB)
9 Key backup
- Domain-joined machines (recommended): automatic backup
  - Configure Group Policy to store the keys in AD
  - Centralised key management and storage
- Machines not in a domain
  - Backup to a USB device
  - Backup to a web-based storage service (OEMs or third parties can build such services)
  - Backup to a file
  - Print or record on physical media
11 Configuring Active Directory
To store recovery keys in AD:
- All DCs must be at least Windows Server 2003 SP1
- Apply the schema extension that adds the additional attributes (already present in Windows Server Longhorn)
- Configure permissions on the BitLocker and TPM Recovery Information objects in the schema
- If there are multiple forests, extend the schema of every forest that will contain BitLocker machines
- Grant read rights to the users who will need to provide support
12 Configuring Group Policy
- BitLocker settings in group policy
  - Turn on AD backup of BDE recovery information
  - Turn on AD backup of TPM recovery information
  - Configure UI experience
- Enable power management control for machines with BitLocker
  - Prevent sleep mode (default)
  - Prevent users from changing this configuration
13 EFS and BitLocker
- EFS
  - Provides security in the user context
  - Improved in Windows Vista to increase the security offered to the user (smart cards)
  - Does not measure the integrity of the individual components of the boot process
  - Provides no offline protection for the OS, temporary files, swap and hibernation files
- BitLocker
  - Provides security in the machine context; designed to protect the OS
  - Protects every sector on the Windows installation volume, including temporary files, swap and hibernation files
  - Provides no user-level security
- They are complementary technologies that can coexist side by side on the same volume or on different volumes
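The status checks and the AD key backup described on the BitLocker slides, as an added PowerShell example that is not part of the original deck. It uses the Win32_EncryptableVolume and Win32_Tpm WMI classes that the Vista management tools are built on; it assumes an elevated session and that the OS volume is C:.

```powershell
# Added example (not from the original deck): audit BitLocker and TPM state on a
# Windows Vista client through WMI, then escrow the recovery password in AD.
# Assumes an elevated PowerShell session and an OS volume letter of C:.

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'No BitLocker-capable volume found for C:' }

# Readable names for the numeric codes the WMI methods return
$protection = @{0='Unprotected'; 1='Protected'; 2='Unknown'}
$conversion = @{0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused'}
$protType   = @{0='Unknown'; 1='TPM'; 2='ExternalKey(USB)'; 3='NumericalPassword';
                4='TPM+PIN'; 5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase'}

$p = $vol.GetProtectionStatus()
$c = $vol.GetConversionStatus()
'Volume {0}: protection={1}, conversion={2} ({3}% encrypted)' -f $vol.DriveLetter,
    $protection[[int]$p.ProtectionStatus], $conversion[[int]$c.ConversionStatus], $c.EncryptionPercentage

# TPM state through TPM Base Services (Win32_Tpm); the class is absent without a TPM
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm) {
    'TPM: enabled={0} activated={1} owned={2}' -f $tpm.IsEnabled().IsEnabled,
        $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
}

# Enumerate the key protectors on the volume (KeyProtectorType 0 = every type).
# A TPM-only configuration shows one TPM protector; TPM+PIN or a USB startup key
# show the multi-factor variants from the slide.
$ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
foreach ($id in $ids) {
    $t = $vol.GetKeyProtectorType($id).KeyProtectorType
    '  protector {0}: {1}' -f $id, $protType[[int]$t]
}

# Back up each numerical-password (recovery) protector to Active Directory. This is
# the operation the "Turn on AD backup of BDE recovery information" policy performs
# automatically; running it by hand covers machines enabled before the policy existed.
foreach ($id in $ids) {
    if ($vol.GetKeyProtectorType($id).KeyProtectorType -eq 3) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        '  AD backup of {0}: return code {1} (0 = success)' -f $id, $r.ReturnValue
    }
}
```

The AD backup call only succeeds once the schema extension and the object permissions from slide 11 are in place; a non-zero return code is the quickest way to spot a machine whose recovery key is not escrowed.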
21 Windows Vista Service Hardening
- Reduce the size of the high-risk layers
- Segment the services
- Increase the number of layers

Fewer security layers with Windows XP mean a larger attack surface for exploiting vulnerabilities. Also, some drivers can run in both kernel mode and user mode, meaning that it's easier for malware to manipulate a service or driver that runs in kernel mode. And, since many of these services run at a high-privilege level, if a service is compromised, the threat of it having access to the entire system is very real.

Windows Service Hardening with Windows Vista increases the level of security against these malware threats to services. With service hardening, if a vulnerability is found in a service and compromised by exploit code, that exploit code isn't allowed to propagate to other machines on the network.

With Windows Vista, the number of security layers between the user and the system kernel has been increased. In addition, the size of the high-risk layers has been reduced. This means that the amount of code that has to run at the kernel level has been significantly reduced. For example, with previous versions of Windows, there were printer drivers that had some kernel-mode code and some user-mode code. With Windows Vista, the printer drivers have been moved into user mode exclusively so that there's no kernel code in the drivers themselves. This has been done for a variety of services, and by making sure that services run with the least amount of privileges required, the system becomes more secure.

The services that do require higher privileges have been segmented, so that there's some lower-privileged code running and some higher-privileged code running. Again, the key is reducing the amount of code that is high-privilege. Also, by using outbound filtering on the firewall with some other components, applications or operating systems can be profiled when they start, such as regarding which network ports they can use, where in the file system they can write, and where in the registry they can write.

Finally, there is a new layer introduced called user-mode drivers. So even if there are vulnerabilities in a Windows service, and it's compromised by exploit code, that exploited code is unable to make that service do something that it wouldn't ordinarily be allowed to do. This is really intended to reduce the risk of malware quickly spreading to other machines.

What does this mean? Let us consider the Blaster worm that appeared a couple of years ago. It did several different things. First, it exploited a vulnerability in the RPC service and forced RPC to write a file to the file system. It also wrote a key to the "run" key in the registry that made the malware persist once the system restarted. However, RPC shouldn't be writing to the run key in the registry, nor should it be able to write to the file system. With service hardening in Windows Vista, when RPC starts, it will have a profile of which network ports it can talk on and where it can write in the file system and registry. This is then enforced by the operating system, so that if something like Blaster comes along again in the future, it won't be able to use RPC or other Windows services to do things that they shouldn't normally be able to do. In this way, we can prevent malware from propagating rapidly across your network.
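A way to see how far the per-service profile described above is actually applied on a machine, as an added PowerShell example that is not from the original deck. It reads each running service's service-SID type and declared privilege list with sc.exe; the text patterns it parses from sc.exe output are an assumption, as is the choice of which privileges count as high.

```powershell
# Added example (not from the original deck): audit the service-hardening controls
# in use on this machine. A Vista service can carry its own SID (sc.exe sidtype) and a
# trimmed privilege list (sc.exe privs); a service that still runs as LocalSystem
# with no service SID cannot be isolated by service-specific firewall or ACL rules.
# Assumes sc.exe prints "SERVICE_SID_TYPE: <TYPE>" and "PRIVILEGES : Se...Privilege"
# lines (the parsing below is an assumption about that output format).

function Get-ServiceSidType([string]$Name) {
    $text = (& sc.exe qsidtype $Name 2>$null) -join "`n"
    if ($text -match 'SERVICE_SID_TYPE\s*:\s*(\w+)') { return $Matches[1] }
    return 'N/A'
}

function Get-ServicePrivileges([string]$Name) {
    # First line carries "PRIVILEGES : SeFoo", continuation lines carry ": SeBar".
    # An empty result means no privilege set was declared: the service keeps the
    # full privilege set of its logon account (the pre-Vista behaviour).
    $out = & sc.exe qprivs $Name 2>$null
    $privs = foreach ($l in $out) { if ($l -match ':\s*(Se\w+Privilege)') { $Matches[1] } }
    return @($privs)
}

# Privileges that let a compromised service reach far beyond its own process (assumption)
$highPrivs = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege'

$report = foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' }) {
    $privs = Get-ServicePrivileges $svc.Name
    New-Object PSObject -Property @{
        Name      = $svc.Name
        Account   = $svc.StartName
        SidType   = Get-ServiceSidType $svc.Name
        PrivCount = $privs.Count
        HighPriv  = [bool]($privs | Where-Object { $highPrivs -contains $_ })
    }
}

# Services with the pre-Vista shape (full LocalSystem token, no service SID) are the
# ones to review first: run them under a less privileged account or split the
# privileged part out, as the slide describes.
$report | Where-Object { $_.Account -eq 'LocalSystem' -and $_.SidType -eq 'NONE' } |
    Sort-Object Name | Format-Table Name, Account, SidType, PrivCount, HighPriv -AutoSize

# Services that declared a privilege set but still hold a high one
$report | Where-Object { $_.PrivCount -gt 0 -and $_.HighPriv } |
    Sort-Object Name | Format-Table Name, Account, SidType, PrivCount -AutoSize
```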
22 Windows Vista Firewall

If your computer is not protected when you connect to the Internet, hackers can gain access to personal information on your computer. These hackers can install code on your computer that destroys files or causes malfunctions. They can also use your computer to cause problems on other home and business computers connected to the Internet. A firewall helps to screen out many kinds of malicious Internet traffic before it reaches your system.

One of the new features of Windows Firewall with Windows Vista is the integration with IP Security. IP Security, commonly called IPsec, is a suite of IP protocols used to provide secure communication. IPsec policies and filters distributed by Group Policy provide authorization for authenticated users and machines. IPsec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices, extranets, and roving clients.

Although support for IPsec is built into Windows 2000 and later, in Windows XP and Windows Server 2003 Windows Firewall and IPsec are configured separately. While the purpose of Windows Firewall was to block or allow incoming traffic, IPsec could also be configured to block or allow incoming traffic. Because block and allow behavior for incoming traffic could be configured through two different and separate services, it was possible to have duplicated or contradictory settings. Additionally, Windows Firewall and IPsec supported different configuration options for specifying allowed incoming traffic. For example, Windows Firewall allowed exceptions by specifying the application name, but IPsec did not. IPsec allowed exceptions based on an IP protocol number, and Windows Firewall did not.

In Windows Vista, Windows Firewall and IPsec have been combined into a single configurable tool with the new Windows Firewall with Advanced Security snap-in, which now controls blocking and allowing of inbound and outbound traffic, in addition to protecting traffic with IPsec. Also, commands within the netsh advfirewall context can be used for command-line configuration of both firewall and IPsec behavior. The integration of Windows Firewall with IPsec provides computers running Windows Vista with an authenticating firewall.

Another improvement in the new Windows Firewall is the more intelligent firewall rules. Administrators can now specify security requirements such as authentication and encryption. Active Directory computer and user groups can also be specified.

Enterprise management can benefit from the addition of outbound filtering in the Windows Firewall. Previously only inbound communications were filtered. Outbound filtering can improve business productivity. For example, an administrator can block sharing through a peer-to-peer application that you don't want communicating in your network. Additionally, if an application has a known vulnerability without a patch available, you can set up a rule that allows that application to be used, but not to communicate outbound in the network.
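The three rule types the slide describes (an unpatched application allowed inbound but blocked outbound, an authenticating rule tied to an AD computer group, and a rule bound to a service rather than a program), as an added example that is not from the original deck, written as netsh advfirewall commands run from an elevated PowerShell session. The application path, rule names, group SID and the spooler service are placeholders chosen for illustration.

```powershell
# Added example (not from the original deck): Windows Firewall with Advanced Security
# rules for the scenarios on this slide, via the netsh advfirewall context.
# All names, paths and the group SID are placeholders.

$app = 'C:\Program Files\LegacyApp\legacyapp.exe'   # placeholder application path

# 1. Application with a known, unpatched vulnerability: keep it usable on the domain
#    network (inbound allowed) but forbid any outbound connection it tries to make.
#    Vista allows outbound by default, so the explicit block rule is what matters.
netsh advfirewall firewall add rule name="LegacyApp inbound" dir=in action=allow program="$app" profile=domain enable=yes
netsh advfirewall firewall add rule name="LegacyApp no outbound" dir=out action=block program="$app" enable=yes

# 2. Authenticating firewall rule. First a connection security rule makes IPsec
#    authenticate peers with computer Kerberos credentials; then the firewall rule for
#    RDP requires that authentication and restricts the peer to members of an AD
#    computer group, expressed as an SDDL string with the group's SID.
netsh advfirewall consec add rule name="Require auth on LAN" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb
$groupSddl = 'D:(A;;CC;;;S-1-5-21-0-0-0-1234)'   # placeholder SID of the "Managed PCs" computer group
netsh advfirewall firewall add rule name="RDP from managed PCs only" dir=in action=allow protocol=TCP localport=3389 security=authenticate rmtcomputergrp="$groupSddl" enable=yes

# 3. Service profiling: bind a rule to the service SID instead of an executable, so
#    the rule follows the service even though it shares svchost.exe with others.
#    Here the print spooler may accept RPC only from the local subnet.
netsh advfirewall firewall add rule name="Spooler RPC from local subnet" dir=in action=allow service=spooler protocol=TCP localport=RPC remoteip=localsubnet enable=yes

# Review the outbound rule set; block rules should appear for the applications above
netsh advfirewall firewall show rule name=all dir=out | Select-String -Pattern 'Rule Name|Action|Program'
```

Because the connection security rule uses requireinrequestout, inbound traffic from peers that cannot authenticate is dropped before any firewall rule is evaluated; set it to requestinrequestout during rollout if unmanaged machines still need access.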
24 New RDP control

What is Network Level Authentication? Network Level Authentication (NLA) is a new authentication method that completes user authentication before you establish a full Remote Desktop connection and the logon screen appears. The advantages of NLA are:
- It requires fewer remote computer resources initially. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions.
- It can help provide better security by reducing the risk of denial-of-service attacks (attempts to limit or prevent access to the Internet).
- It uses remote computer authentication, which can help protect users from connecting to remote computers that are set up for malicious purposes.
25 Auditing
- Changes to registry values (old and new values)
- Changes in AD (old and new values)
- Improved auditing of operations
- UAC events
- Improved IPsec auditing
- RPC calls
- Access to network shares
- Management of network shares
- Cryptographic functions
- NAP events (server only)
- IAS (RADIUS) events (server only)
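Turning on the Vista audit subcategories behind the items above, as an added PowerShell example that is not from the original deck. It uses auditpol.exe, then adds a SACL to a shared folder so that access to it is actually recorded; the folder path is a placeholder, and the mapping of slide items to subcategory names is my reading of the subcategory list.

```powershell
# Added example (not from the original deck): enable the granular Vista audit
# subcategories with auditpol.exe and add an audit entry (SACL) to a shared folder.
# Run elevated. Subcategory names are those listed by: auditpol /list /subcategory:*
# The folder path is a placeholder.

$subcats = @(
    'Registry',                   # registry value changes
    'Directory Service Changes',  # AD changes with old/new values (domain controllers)
    'IPsec Main Mode',            # IPsec negotiation
    'IPsec Quick Mode',
    'RPC Events',                 # RPC calls
    'File Share',                 # network share access
    'System Integrity'            # cryptographic operations / integrity failures
)
foreach ($s in $subcats) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Object-access auditing only produces events for objects that carry a SACL.
# Audit writes and deletes by anyone under the shared folder, inherited by all
# files and subfolders, for both successful and failed attempts.
$sharePath = 'C:\Shares\Finance'   # placeholder: local path of the shared folder
$dir  = New-Object System.IO.DirectoryInfo $sharePath
$sec  = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            'Write, Delete',
            'ContainerInherit, ObjectInherit',
            'None',
            'Success, Failure')
$sec.AddAuditRule($rule)
$dir.SetAccessControl($sec)

# Confirm the policy change and the SACL
auditpol.exe /get /subcategory:"File Share"
($dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Registry keys need the same treatment for the old/new value events: set their auditing entries through the key's Permissions dialog in regedit or through Group Policy (Security Settings, Registry), since the "Registry" subcategory alone only enables the mechanism.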
27 Forwarded Events
(diagram: SEA-DC-01, SEA-WRK-001, SEA-WRK-002)

Subscriptions are useful for viewing events from multiple remote computers. A subscription can be configured between two or more computers in the same domain. You can configure the subscription to forward events that you specify from one or more of the domain computers to the other.

You have to do some configuration on both the forwarding and the collecting computers before you can use forwarded events. Both computers need to be running the Windows Remote Management (WS-Management) service. Once the subscription is set up, you can view the forwarded events like any other event in the Event Viewer. This makes administration easy from a single location.

In addition to creating a new subscription, you can subscribe to an existing subscription on a remote computer. For example, there is a subscription on SEA-WRK-001 to retrieve the events from SEA-DC-01. The administrator wants to be able to also view the events from SEA-DC-01 from SEA-WRK-002, so he could connect to the first workstation and subscribe to the existing subscription to SEA-DC-01.

While event forwarding works best between computers running Windows Vista or Windows Server "Longhorn", event forwarding is possible with Windows Server R2. However, with Windows Server R2, there is no GUI tool provided for configuring the forwarding.
28 Reusable views

When you work with event logs, the primary challenge is to narrow down the set of events to just those that you are interested in. Sometimes this is easy. Other times, this involves a great deal of effort, effort that is lost if you do not have some way to save the view of the logs that you worked so hard to create.

Event Viewer now supports the idea of views. Once you have queried, filtered, and sorted your way to just the events you want to analyze, you can save that work as a named view and it will be available for you to reuse in the future. You can even export the view and use it on other computers or share it with other people. Creating and saving views is a simple procedure.
29 Cross-log queries
(diagram: System log, Application log, Security log, events)

When you use Event Viewer to troubleshoot a problem, information about what events an application or service happened to log in the Application or Security log is not that interesting, or helpful. Instead, you want to find those events that might have something to do with your problem, regardless of which log they might happen to be in. Event Viewer supports cross-log queries, making it much easier to generate views of all events potentially related to an issue that you are investigating. Cross-log queries can also be stored as custom views, which you can define to display events that match specific criteria from selected log files.
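One cross-log query that ties the last three slides together, as an added PowerShell example that is not from the original deck: the same QueryList XML that Event Viewer stores in a custom view is run with Get-WinEvent, covers the local logs plus the ForwardedEvents log fed by a subscription, and is written out as an importable custom-view file. The 24-hour window and the failed-logon event ID 4625 are my choices for illustration, and the ViewerConfig wrapper follows the shape of a view exported from Event Viewer (verify against one exported on your own machine).

```powershell
# Added example (not from the original deck): a cross-log query run from PowerShell
# and saved as an Event Viewer custom view. Reading the Security log needs elevation.

# One Query element, several Select paths: errors/critical events from the last
# 24 hours in System, Application and ForwardedEvents, plus failed logons (4625)
# from Security. timediff() is the Event Viewer XPath extension (milliseconds).
$recentErrors = '*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]'
$queryList = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$recentErrors</Select>
    <Select Path="Application">$recentErrors</Select>
    <Select Path="ForwardedEvents">$recentErrors</Select>
    <Select Path="Security">*[System[EventID=4625]]</Select>
  </Query>
</QueryList>
"@

function Invoke-CrossLogQuery([string]$Xml, [int]$Max = 200) {
    # MachineName distinguishes forwarded events from local ones in the output
    Get-WinEvent -FilterXml ([xml]$Xml) -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, LogName, Id, LevelDisplayName, ProviderName
}

function Export-CustomView([string]$Name, [string]$Xml, [string]$Path) {
    # Wrapper in the shape of a custom view exported from Event Viewer (assumption);
    # the file is imported with Action > Import Custom View on any Vista machine.
    $view = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery/></QueryParams>
    <QueryNode>
      <Name>$Name</Name>
      <Description>Recent errors across System, Application and ForwardedEvents plus failed logons</Description>
$Xml
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@
    Set-Content -Path $Path -Value $view -Encoding UTF8
}

Invoke-CrossLogQuery $queryList | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
Export-CustomView -Name 'Triage: errors and failed logons' -Xml $queryList -Path "$env:USERPROFILE\triage-view.xml"
```

The exported file is what the "reusable views" slide means by sharing a view: the saved query does the cross-log work on the next machine without rebuilding the filter by hand.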
30 What's new in SMBv2
- Only 16 commands (80 in SMBv1)
- SHA-256 signatures (MD5 in SMBv1)
- More robust reconnection handling
- Client-side encryption
- Symbolic links across shares (disabled by default)
- Improved load balancing that mitigates DoS attacks
31 Accounts and groups

To handle the problems with the built-in administrator account, it is disabled on clean installs of Windows Vista. On upgrades, the upgrade is blocked until you create a new admin account. However, on Windows XP even a disabled administrator account can be used to log on in Safe Mode. To manage that on Windows Vista, the disabled flag is honored even in Safe Mode. In addition, in Windows XP the built-in administrator account was special in the sense that it had certain implicit rights. Those rights are now granted to all users in the Administrators group.

There are several new groups on Windows Vista:
1. Cryptographic operators: these users have the right to perform certain tasks to configure cryptographic functions on the operating system
2. Distributed COM users: this group is used to control access to distributed COM objects
3. IIS_IUSRS: one of several new constructs relating to IIS. This group is analogous to the IUSR_<machinename> account on Windows XP, and allows access to web pages
4. Performance log and monitor users: these users can use the performance monitoring tools
5. RS_Query: these users can query the content indices

There are two new dynamic SIDs. Much like the existing INTERACTIVE SID covers all users coming in via an interactive logon, the DIALUP SID covers all users connecting via dial-up. There is also an INTERNET USER group covering all users coming in via IIS.
39 New security settings

Setting: Network access: remotely accessible registry paths and sub-paths
Default:
- System\CurrentControlSet\Control\Print\Printers
- System\CurrentControlSet\Services\Eventlog
- Software\Microsoft\OLAP Server
- Software\Microsoft\Windows NT\CurrentVersion\Print
- Software\Microsoft\Windows NT\CurrentVersion\Windows
- System\CurrentControlSet\Control\ContentIndex
- System\CurrentControlSet\Control\Terminal Server
- System\CurrentControlSet\Control\Terminal Server\UserConfig
- System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
- Software\Microsoft\Windows NT\CurrentVersion\Perflib
- System\CurrentControlSet\Services\SysmonLog

Setting: Network access: Restrict anonymous access to named pipes and shares
Default: Enabled

Setting: System settings: Optional subsystems
Default: Posix

Setting: System settings: Use certificate rules on Windows executables for software restriction policies
Default: Disabled
40 Webcasts to learn more about Windows Vista
- The new management and monitoring tools (300600): 07/11/2006, 10:00-11:00
- Data protection technologies (90): 12/12/2006, 10:00-11:30
- What's new in Windows Firewall and Windows Defender: 19/12/2006
- User Account Protection and Service Hardening: 15/01/2007