1. Enhance Security and Control
  Narenda Wicaksono, IT Pro Advisor, Microsoft Indonesia
2. Windows 7 Enterprise Security
  Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
  FUNDAMENTALLY SECURE PLATFORM
  SECURING ANYWHERE ACCESS
  PROTECT DATA FROM UNAUTHORIZED VIEWING
  PROTECT USERS & INFRASTRUCTURE
3. A. Fundamentally Secure Platform
  Windows Vista Foundation
  Streamlined User Account Control
  Enhanced Auditing
4. B. Securing Anywhere Access
  Network Security
  Network Access Protection
  DirectAccess™
5. C. Protect Users & Infrastructure
  AppLocker™
  Internet Explorer
  Data Recovery
6. D. Protect Data from Unauthorized Viewing
  RMS
  EFS
  BitLocker & BitLocker To Go™
7. A. Fundamentally Secure Platform
  Windows Vista Foundation
  Streamlined User Account Control
  Enhanced Auditing
8. Windows Vista Foundation
  Security Development Lifecycle process
  Kernel Patch Protection
  Windows Service Hardening
  DEP & ASLR
  IE 8 inclusive
  Mandatory Integrity Controls
9. Streamlined User Account Control
  Make the system work well for standard users
  Administrators use full privilege only for administrative tasks
  File and registry virtualization helps applications that are not UAC compliant
10. Enhanced Auditing
  XML based
  Granular audit categories
  Detailed collection of audit results
  Simplified compliance management
11. User Account Control – Windows Vista
  System Works for Standard User
  All users, including administrators, run as Standard User by default
  Administrators use full privilege only for administrative tasks or applications
  CHALLENGES
  User provides explicit consent before using elevated privilege
  Disabling UAC removes protections, not just the consent prompt
12. User Account Control – Windows 7
  Streamlined UAC
  Reduce the number of OS applications and tasks that require elevation
  Refactor applications into elevated/non-elevated pieces
  Flexible prompt behavior for administrators
  Customer's Value
  Users can do even more as a standard user
  Administrators will see fewer UAC Elevation Prompts
13. Desktop Auditing – Windows Vista
  New XML based events
  Fine grained support for audit of administrative privilege
  Simplified filtering of "noise" to find the event you're looking for
  Tasks tied to events
  CHALLENGES
  Granular auditing complex to configure
  Auditing access and privilege use for a group of users
14. Desktop Auditing – Windows 7
  Enhanced Auditing
  Simplified configuration results in lower TCO
  Demonstrate why a person has access to specific information
  Understand why a person has been denied access to specific information
  Track all changes made by specific people or groups
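The auditing slides above describe granular subcategories and tracking changes made by specific people. The following PowerShell session is an added example (not part of the deck) showing how that is configured on a Windows 7 client with the built-in auditpol tool and how the resulting object-access events are filtered for one account with Get-WinEvent. The account name CONTOSO\jdoe is a placeholder; events are only generated for files and registry keys that carry a SACL.

```powershell
# Added example, not from the original deck. Run from an elevated shell.
# $userToTrack is a hypothetical account; replace it with a real one.
$userToTrack = 'CONTOSO\jdoe'

# 1. Enable the granular (Vista/7) subcategories instead of the coarse
#    legacy categories. Success and failure are both captured so that
#    "why was this person denied" can be answered from the log.
$subcategories = 'File System', 'Registry', 'Sensitive Privilege Use', 'Audit Policy Change'
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}
# Show the effective settings for the affected categories.
auditpol /get /category:"Object Access"
auditpol /get /category:"Privilege Use"

# 2. Object access events: 4656 (handle requested; a failure record lists the
#    access that was refused) and 4663 (access actually exercised).
function Get-ObjectAccessByUser {
    param([string]$User, [int]$MaxEvents = 500)
    $domain, $name = $User -split '\\', 2
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = $x.Event.EventData.Data
            $subjectUser   = ($d | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            $subjectDomain = ($d | Where-Object { $_.Name -eq 'SubjectDomainName' }).'#text'
            if ($subjectUser -eq $name -and $subjectDomain -eq $domain) {
                New-Object PSObject -Property @{
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Outcome = $(if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Denied' } else { 'Allowed' })
                    Object  = ($d | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
                    Process = ($d | Where-Object { $_.Name -eq 'ProcessName' }).'#text'
                }
            }
        }
}

Get-ObjectAccessByUser -User $userToTrack |
    Format-Table Time, Id, Outcome, Object, Process -AutoSize
```

Reading the XML of each record rather than its message text keeps the filter stable across localized systems; the Subject fields identify who made the access, which is what "track all changes made by specific people or groups" needs.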
16. Network Security
  Policy based network segmentation for more secure and isolated logical networks
  Multi-Home Firewall Profiles
  DNSSec Support
17. Network Access Protection
  Ensure that only "healthy" machines can access corporate data
  Enable "unhealthy" machines to get clean before they gain access
18. DirectAccess
  Security protected, seamless, always on connection to corporate network
  Improved management of remote users
  Consistent security for all access scenarios
19. Network Access Protection
  Health policy validation and remediation
  Helps keep mobile, desktop and server devices in compliance
  Reduces risk from unauthorized systems on the network
  Diagram: Windows 7 client connects through DHCP, VPN or a switch/router to NPS, which checks health against policy servers such as patch and AV; a client that is not policy compliant is placed in a restricted network with remediation servers (example: patch), and a policy compliant client reaches the corporate network.
20. Remote Access for Mobile Workers – Access Information Anywhere
  SITUATION TODAY
  Difficult for users to access corporate resources from outside the office
  Challenging for IT to manage, update, patch mobile PCs while disconnected from company network
21. Remote Access for Mobile Workers – Access Information Anywhere
  DirectAccess – Windows 7 SOLUTION
  Same experience accessing corporate resources inside and outside the office
  Seamless connection increases productivity of mobile users
  Easy to service mobile PCs and distribute updates and policies
22. C. Protect Users & Infrastructure
  Data Recovery
  AppLocker™
  Internet Explorer 8
23. AppLocker™
  Enables application standardization within an organization without increasing TCO
  Increase security to safeguard against data and privacy loss
  Support compliance enforcement
24. Internet Explorer 8
  Protect users against social engineering and privacy exploits
  Protect users against browser based exploits
  Protect users against web server exploits
25. Data Recovery
  File back up and restore
  CompletePC™ image-based backup
  System Restore
  Volume Shadow Copies
  Volume Revert
26. Application Control
  SITUATION TODAY
  Users can install and run non-standard applications
  Even standard users can install some types of software
  Unauthorized applications may: introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts
27. Application Control
  AppLocker – Windows 7 SOLUTION
  Eliminate unwanted/unknown applications in your network
  Enforce application standardization within your organization
  Easily create and manage flexible rules using Group Policy
29. Internet Explorer 8 Security
  Building on IE7 and addressing the evolving threat landscape
  Social Engineering & Exploits – freedom from intrusion, increased usability: reduce unwanted communications; International Domain Names; Pop-up Blocker
  Browser & Web Server Exploits – protection from harm: protection from deceptive websites, malicious code, online fraud, identity theft; Secure Development Lifecycle; Extended Validation (EV) SSL certs; SmartScreen® Filter; Domain Highlighting; XSS Filter / DEP/NX; ActiveX Controls
  Choice and control – control of information: clear notice of information use; provide only what is needed; user-friendly, discoverable notices; P3P-enabled cookie controls; Delete Browsing History; InPrivate™ Browsing & Filtering
31. RMS
  Policy definition and enforcement
  Protects information wherever it travels
  Integrated RMS Client
  Policy-based protection of document libraries in SharePoint
32. EFS
  User-based file and folder encryption
  Ability to store EFS keys on a smart card
33. BitLocker
  Easier to configure and deploy
  Roam protected data between work and home
  Share protected data with co-workers, clients, partners, etc.
  Improve compliance and data security
36. BitLocker Technical Details
  BitLocker Enhancements
  Automatic 200 MB hidden boot partition
  New Key Protectors: Domain Recovery Agent (DRA); Smart card (data volumes only)
  BitLocker To Go
  Support for FAT*
  Protectors: DRA, passphrase, smart card and/or auto-unlock
  Management: protector configuration, encryption enforcement
  Read-only access on Vista & XP
  SKU Availability: Encrypting – Enterprise; Unlocking – All
37. Windows 7 Enterprise Security
  Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
  FUNDAMENTALLY SECURE PLATFORM: Windows Vista Foundation, Streamlined UAC, Enhanced Auditing
  SECURING ANYWHERE ACCESS: Network Security, Network Access Protection, DirectAccess
  PROTECT USERS & INFRASTRUCTURE: AppLocker, Internet Explorer 8, Data Recovery
  PROTECT DATA FROM UNAUTHORIZED VIEWING: RMS, EFS, BitLocker
38. Next Steps
  Partner with your Microsoft Account Team to create or review your Security Action Plan
  Talk about Infrastructure Optimization and the value it could bring to your organization
  Implement a Defense-in-Depth security architecture using our advanced security technologies
  Leverage Microsoft prescriptive security guidance and online security training
  Stay informed through Microsoft Security Bulletins, Security Newsletters and Security Events
39. Security Guidance and Resources
  Windows 7 Information:
  Windows Enterprise: http://www.microsoft.com/windows/enterprise/products/windows-7.aspx
  Windows For IT Pros: http://technet.microsoft.com/en-us/windows/default.aspx
  General Security Information:
  Microsoft Security Home Page: www.microsoft.com/security
  Microsoft Live Safety Center: http://safety.live.com
  Microsoft Security Response Center: www.microsoft.com/security/msrc
  Security Development Lifecycle: http://msdn.microsoft.com/security/sdl
  Get the Facts on Windows and Linux: www.microsoft.com/getthefacts
  Guidance Centers:
  Security Guidance Centers: www.microsoft.com/security/guidance
  Security Guidance for IT Professionals: www.microsoft.com/technet/security
  The Microsoft Security Developer Center: msdn.microsoft.com/security
  The Security at Home Consumer Site: www.microsoft.com/athome/security
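Slide 36 lists the BitLocker To Go protectors (passphrase, DRA, smart card, auto-unlock). The following is an added example, not from the deck, of turning those on for a removable data volume with the Windows 7 command-line tool manage-bde and then summarizing the result. The drive letter and the DRA certificate thumbprint are placeholders; run it from an elevated PowerShell on Windows 7.

```powershell
# Added example, not from the original deck. $drive is a placeholder.
$drive = 'E:'

# Encrypt the data volume with a passphrase protector (prompted interactively)
# and a numerical recovery password that the help desk can escrow.
manage-bde -on $drive -Password -RecoveryPassword

# Optional: add the domain's Data Recovery Agent certificate as a protector.
# The thumbprint below is a placeholder; use the DRA certificate's real one.
# manage-bde -protectors -add $drive -Certificate -ct 0123456789ABCDEF0123456789ABCDEF01234567

# Auto-unlock on this machine only; on any other machine the passphrase,
# smart card or DRA is still required, and Vista/XP get read-only access.
manage-bde -autounlock -enable $drive

function Get-BitLockerSummary {
    param([string]$Volume)
    # manage-bde prints plain text; keep the lines that describe state and
    # the protector types that are present.
    $status     = manage-bde -status $Volume
    $protectors = manage-bde -protectors -get $Volume
    New-Object PSObject -Property @{
        Volume     = $Volume
        Status     = ($status | Where-Object { $_ -match 'Conversion Status|Protection Status|Percentage Encrypted' } |
                        ForEach-Object { $_.Trim() }) -join '; '
        Protectors = ($protectors | Where-Object { $_ -match '^\s*(Password|Numerical Password|Certificate|Smart Card|Auto-Unlock)' } |
                        ForEach-Object { $_.Trim().TrimEnd(':') }) -join ', '
    }
}

Get-BitLockerSummary -Volume $drive | Format-List Volume, Status, Protectors
```

The recovery password is the protector that matters for "improve compliance": without it (or a DRA) a forgotten passphrase means the data is gone, so escrow it before the drive leaves the building.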
UAC was introduced in Windows Vista to give customers more control of their systems by enabling IT administrators to lock down the system for certain users by running them within standard, non-privileged user accounts. UAC delivered on this in the Windows Vista timeframe, and customers continue to value the ability to create a standard user and be confident that an administrator decides what software is added to the system and which changes are allowed. However, we received substantial feedback about the number of notifications for change.

In Windows 7, we invested in addressing the key customer feedback around UAC while keeping IT administrators confident about a standard user environment. Windows operations that users perform often can now be done in a standard user environment, with the goal of prompt-free daily activities. For example, a standard user can now adjust the readability of the screen (DPI) without having to change it for the entire system. Additionally, we reduced key duplicate notifications for common activities such as installing applications from IE. We also made it easier for IT to look at key settings on the system without needing administrative privileges by refactoring many of our control panel applications into read-only and write sections.

In line with our overall Windows 7 focus on user-in-control, a person running as a protected administrator can determine the range of notifications he or she receives. Based on customer feedback and actual instrumented data from our customers' responses to UAC prompts, the default UAC setting notifies administrators when software other than Windows requests to change the overall system, and requires standard users to obtain administrator authorization for any change to the overall system.
We believe this default setting has the right balance of establishing an ecosystem where a broad range of ISV software can be run in a standard user environment while providing administrators with control over the experience of configuring Windows.
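The note above describes the Windows 7 default UAC behaviour in words: administrators are prompted only when non-Windows software requests elevation, standard users are asked for administrator credentials, and (slide 11) turning UAC off removes protections rather than just the prompt. The following PowerShell script is an added example, not from the deck, that reads the registry values behind those settings and compares them with the Windows 7 defaults so an administrator can audit a machine's UAC posture.

```powershell
# Added example, not from the original deck. Reads HKLM policy values, so it
# works from a standard-user PowerShell on Windows 7.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows 7 defaults: UAC on, administrators prompted only for non-Windows
# binaries, standard users prompted for credentials, prompts on the secure
# desktop.
$expected = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 5
    ConsentPromptBehaviorUser  = 3
    PromptOnSecureDesktop      = 1
}

$adminMeaning = @{
    0 = 'Elevate without prompting (administrators get no UAC protection)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
$userMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (Windows 7 default)'
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $uacKey
    $findings = @()
    foreach ($name in $expected.Keys) {
        $actual = $p.$name
        $findings += New-Object PSObject -Property @{
            Setting  = $name
            Actual   = $(if ($null -eq $actual) { 'absent (OS default applies)' } else { $actual })
            Expected = $expected[$name]
            Matches  = ($actual -eq $expected[$name])
        }
    }
    # EnableLUA=0 switches UAC off entirely: no split token for administrators,
    # no file/registry virtualization, no Protected Mode in IE. This is the
    # "disabling UAC removes protections, not just the consent prompt" case.
    if ($p.EnableLUA -eq 0) {
        Write-Warning 'UAC is disabled (EnableLUA=0); every UAC protection is off, not only the prompt.'
    }
    if ($null -ne $p.ConsentPromptBehaviorAdmin) {
        Write-Host ('Administrator prompt: ' + $adminMeaning[[int]$p.ConsentPromptBehaviorAdmin])
    }
    if ($null -ne $p.ConsentPromptBehaviorUser) {
        Write-Host ('Standard user prompt: ' + $userMeaning[[int]$p.ConsentPromptBehaviorUser])
    }
    return $findings
}

Get-UacPosture | Format-Table Setting, Actual, Expected, Matches -AutoSize
```

The same four values are what the "User Account Control" entries under Security Options in Group Policy write, so a domain-wide check can run this script through a logon script or compare the values against the GPO rather than the slider in Control Panel.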
One of the most time-consuming challenges that the network administrators we talk to face is ensuring that computers connecting to private networks are up to date and meet health policy requirements. This complex task is commonly referred to as maintaining computer health. Enforcing requirements is even more difficult when the computers, such as home computers or traveling laptops, are not under the administrator's control. Yet failure to keep computers that connect to the network up to date is one of the most common ways to jeopardize the integrity of a network.

Network Access Protection (NAP) was introduced in Windows Vista and remains a key component of Windows 7. While there are no major additions in Windows 7, NAP is a core Windows technology that provides components that can help you enforce compliance with health requirement policies for network access or communication. With NAP, you can create solutions for validating computers that connect to your networks, provide needed updates or access to needed health update resources, and limit the access or communication of noncompliant computers. The enforcement features of NAP can be integrated with software from other vendors or with custom programs. One point to really understand: NAP is not designed to protect a network from malicious users. It is designed to help your administrators automatically maintain the health of the computers on the network, which in turn helps maintain your network's overall integrity.
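The NAP note above and slide 19 describe the server side (NPS, policy servers, remediation network). The client side is the part a desktop administrator configures on Windows 7, and the following is an added example, not from the deck, of doing that with the built-in netsh nap context: start the NAP Agent service, enable the DHCP enforcement client, and read back the client's current restriction state. The enforcement client IDs are the fixed values used by the Windows NAP client (79617 for DHCP, 79619 for IPsec, 79623 for EAP/802.1X); run this elevated on a domain-joined client.

```powershell
# Added example, not from the original deck. Run from an elevated shell.

# The NAP Agent service collects statements of health from the system health
# agents (Windows Security Center etc.) and hands them to the enforcement client.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Enforcement clients are identified by fixed numeric IDs:
#   79617 = DHCP Quarantine Enforcement Client
#   79619 = IPsec Relying Party
#   79623 = EAP Quarantine Enforcement Client (802.1X)
# Enable the DHCP client, which matches the DHCP path on slide 19.
netsh nap client set enforcement id=79617 admin=enable

# Verbose tracing helps explain a "not policy compliant" result during rollout.
netsh nap client set tracing state=enable level=verbose

function Get-NapClientState {
    # Returns the raw netsh report: restriction state, the reason for any
    # restriction, and the state of each enforcement client and health agent.
    netsh nap client show state
}

function Test-NapClientRestricted {
    # True when the client currently sits in the restricted (remediation)
    # network, i.e. it was judged not policy compliant by NPS.
    $state = Get-NapClientState
    [bool]($state | Where-Object { $_ -match 'Restriction state' -and $_ -match 'Restricted' -and $_ -notmatch 'Not restricted' })
}

Get-NapClientState
if (Test-NapClientRestricted) {
    Write-Warning 'Client is in the restricted network; check remediation server reachability and the restriction reason above.'
}
```

Enabling an enforcement client has no effect until the matching NPS health policy and enforcement point (here the DHCP server) exist, which is why the note stresses that NAP is a health mechanism and not a defence against a hostile user: a client that simply does not run the agent falls into the non-compliant path and gets the restricted network, nothing more.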
The longer a computer has been deployed, the more its software drifts away from the desired configuration. These inconsistencies are greatly accelerated by the installation and execution of non-standard software within the desktop environment. Users today bring software into the environment from home, through Internet downloads (intended and not intended!), and through email. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your PCs are running only approved, licensed software. Coupled with compliance requirements in the enterprise under PCI, SOX, HIPAA and other regulations, enterprises are renewing efforts to lock down their desktops as a means to:
  Reduce total cost of ownership (TCO)
  Increase security to safeguard against data loss and the threat of IT theft, and to secure privacy
  Support compliance solutions by validating which users can run specific applications

With Windows XP and Windows Vista, we gave IT administrators Software Restriction Policies (SRP) to enable the definition of a relatively secure application lockdown policy. SRP has been used with tremendous success in many customer situations, but customers have requested more flexibility and control over the applications in their desktop environment. Windows 7 re-energizes application lockdown policies with a totally revamped set of capabilities in AppLocker. AppLocker provides a flexible mechanism that allows administrators to specify exactly what is allowed to run on their systems and gives users the ability to run applications, installation programs, and scripts that administrators have explicitly granted permission to execute. As a result, IT can enforce application standardization within their organization with minimal TCO implications.
AppLocker provides a flexible mechanism that allows IT administrators to specify exactly which applications, install packages, and scripts are allowed to run on their systems. When enabled, the feature operates as an "allow list" by default: users may only run applications, installation programs, and scripts that administrators have approved. Within these allow lists, IT administrators can call out exceptions (e.g. allow everything in c:\windows\system32 to run, except the registry editor). In specific instances, where required, explicit deny rules can also be enforced. AppLocker enables IT to enforce application standardization within their organization with minimal cost implications.

AppLocker enables IT administrators to manage applications beyond the traditional file name and hash mechanisms that are prevalent, which gives AppLocker rules resiliency throughout the software update lifecycle. For example, a rule could be written that says "allow all versions greater than 8.1 of the program Photoshop to run if it is signed by the software publisher Adobe." Such a rule can be associated with existing security groups within an organization, providing controls that allow an organization to support compliance requirements by validating and enforcing which users can run specific applications. AppLocker is a totally new feature that will only be available in the premium SKUs, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
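The two rules described above (a publisher rule for Photoshop 8.1 and later signed by Adobe, and a path rule with an exception for the registry editor) can be expressed directly in AppLocker policy XML and tested before enforcement with the Windows 7 AppLocker PowerShell cmdlets. The block below is an added example, not from the deck: the publisher and product strings, rule GUIDs and Photoshop path are constructed placeholders (take the real publisher string from Get-AppLockerFileInformation run against the signed binary), and the path rule covers the Windows folder so that the exception points at regedit.exe's actual location there rather than the System32 folder the text uses as its example.

```powershell
# Added example, not from the original deck. Run from an elevated shell on
# Windows 7 Enterprise/Ultimate (AppLocker is not in the Business SKU).
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Publisher rule: any binary of the product, version 8.1.0.0 or higher,
         signed by the stated publisher. Placeholder publisher/product strings. -->
    <FilePublisherRule Id="7c3a1a7e-0000-4000-8000-000000000001"
        Name="Photoshop 8.1 and later signed by Adobe" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE PHOTOSHOP" BinaryName="*">
          <BinaryVersionRange LowSection="8.1.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Path rule with an exception: everything under the Windows folder
         may run except the registry editor. -->
    <FilePathRule Id="7c3a1a7e-0000-4000-8000-000000000002"
        Name="Windows folder except regedit" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against files that exist on every Windows 7 machine: notepad.exe is
# allowed by the path rule, regedit.exe is denied by its exception. Add a real
# Adobe-signed binary here to exercise the publisher rule (the cmdlet reads the
# signature from the file, so the path must exist).
$candidates = @("$env:windir\System32\notepad.exe", "$env:windir\regedit.exe")
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforcement (and audit events in the AppLocker event log) require the
# Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply locally in AuditOnly mode first; change EnforcementMode to "Enabled"
# (or set it in the GPO) once the audit log shows nothing legitimate blocked.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two points a practitioner should check before enforcing: once any rule exists in the Exe collection everything not matched is denied, so the standard "allow Program Files and Windows" rules (or your own equivalents) need to be present as well; and a path rule on a folder that standard users can write to is an allow rule for whatever they drop there, which is why the publisher rule is the one that survives updates without widening the allow list.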
Delivering a Web browser that helps protect an organization's security posture in addition to a user's privacy has been a focus for Microsoft for several years. From the ability, introduced in IE 6, to block cookies from Web sites whose privacy policies do not comply with user settings, to the first integrated browser-based phishing filter in IE 7, Microsoft has been a leader in browser security and privacy controls.

User safety, choice, and control were also key themes in the development of Internet Explorer 8, which includes many innovations that contribute to a more trustworthy Web browsing experience. For example, the SmartScreen® Filter helps protect against known phishing and malware sites. Internet Explorer 8 also highlights the domain name in the URL string in the Address Bar in black text, making it easier for users to identify deceptive sites. And the new Cross-Site Scripting (XSS) Filter helps prevent type-1 cross-site scripting attacks, which can be used to capture keystrokes, steal user credentials, deface Web pages, or launch more exotic attacks.

From a privacy standpoint, Internet Explorer 8 includes an enhanced Delete Browsing History option that enables users to retain cookies and temporary Internet files for their favorite Web sites when deleting their browsing history, so that those favorite sites can continue to retain user preferences, giving users increased browsing productivity. InPrivate™ Browsing is another new feature, which helps prevent users' browsing history, temporary Internet files, form data, cookies, and usernames/passwords from being stored or retained locally by the browser. InPrivate Filtering provides greater user choice and control over the third parties from which content is retrieved and displayed on Web sites that the user visits, and thus over how those same third parties can potentially track and aggregate users' Web browsing activities.