Andrej Budja | Technology Advisor | Microsoft Slovenija

Page 1

Andrej Budja | Technology Advisor | Microsoft Slovenija

Page 2

Offerings By Customer Segment

• For Consumers
• For Medium and Large Businesses
• For Small Businesses
• For Emerging Markets

Page 3

Offerings By Channel

• Packaged Product at Retail (FPP)
• OEM Pre-installed PCs & System Builder PCs
• Volume Licensing SA/EA Benefit
• OEM Pre-installed PCs in emerging market countries in addition to mainstream SKUs

Page 4

Versions

Features & Services

• Security & Perf Enhancements
• Search & Organize Enhancements
• Peer-to-Peer Collaboration
• Join Only
• Scheduled & Networked Backup
• AERO UI Enhancements
• Media Center & Extender Capability
• Tablet / Auxiliary Disp. Enhancement
• VLK Compatible
• Subsystem for Unix Applications
• BitLocker™ Drive Encryption
• Multi-Language Support
• 4 Virtual OS Licenses

Availability: OEM, FPP | OEM, FPP | OEM, FPP, VL | VL (SA Only) | OEM, FPP, VL (SA Only)

Page 5

• Vista Capable PC
  • 512 MB RAM
  • CPU 800 MHz
• Vista Premium Ready PC
  • 1 GB RAM
  • 1 GHz CPU
  • 128 MB graphics card, WDDM drivers
• Aero:
  • 64 MB of VRAM
  • DirectX 9 Support with Pixel Shader 2 support
  • AGP 4x or better
• 8.5 GB free disk space on x86, 14 GB free on x64
• http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx

Page 6

Internet Explorer 7

Social Engineering Protections
• Phishing Filter and Colored Address Bar
• Dangerous Settings Notification
• Secure defaults for IDN

Protection from Exploits
• Unified URL Parsing
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode to prevent malicious software

Page 7

ActiveX Opt-in And Protected Mode
Defending systems from malicious attack

• ActiveX Opt-in puts users in control
  • Reduces attack surface
  • Previously unused controls disabled
  • Retain ActiveX benefits, increase user security
• Protected Mode reduces severity of threats
  • Eliminates silent malware install
  • IE process ‘sandboxed’ to protect OS
  • Designed for security and compatibility

[Diagram labels. ActiveX Opt-in: Enabled Controls, Windows, Disabled Controls, User Action. Protected Mode: User Action, IE Cache, My Computer (C:), Broker Process, Low Rights.]

Page 8

Phishing Filter
Dynamic Protection Against Fraudulent Websites

• 3 “checks” to protect users from phishing scams:
  1. Compares web site with local list of known legitimate sites
  2. Scans the web site for characteristics common to phishing sites
  3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour

Two Levels of Warning and Protection in IE7 Security Status Bar

• Level 1: Warn. Suspicious Website Signaled
• Level 2: Block. Confirmed Phishing Site Signaled and Blocked

Page 9

IE6

IE6 running with Admin Rights

[Diagram labels. Actions: Install a driver, Run Windows Update; Change Settings, Download a Picture; Cache Web content. Access: Admin-Rights Access, User-Rights Access, Temp Internet Files. Locations: HKLM, Program Files; HKCU, My Documents, Startup Folder; Untrusted files & settings. Callout (shown twice): Exploit can install MALWARE.]

Page 10

User Account Control

• Goal: Allow businesses to move to a better-managed desktop and consumers to use parental controls
• Make the system work well for standard users
  • Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
  • High application compatibility
  • Make it clear when elevation to admin is required and allow that to happen in-place without logging off
  • High application compatibility with file/registry virtualization
• Administrators use full privilege only for administrative tasks or applications
  • User provides explicit consent before using elevated privilege

Page 11

Vista Integrity model

• Low, Medium, High, System
• Processes with low integrity cannot communicate with processes with higher integrity
• IE runs only in Low integrity and writes only to low-integrity folders
• Normal apps in Medium integrity
• Admin apps in High integrity
• Default is medium

Page 12

Service Hardening

Windows Service Hardening
Defense in depth

• Services run with reduced privilege compared to Windows XP
• Windows services are profiled for allowed actions to the network, file system, and registry
• Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile

[Diagram labels: Active protection; File system, Registry, Network]

Page 13

Windows Service Hardening
Defense In Depth – Factoring/Profiling

• Reduce size of high risk layers
• Segment the services
• Increase # of layers

[Diagram labels: D (repeated), Kernel Drivers, User-mode Drivers, Service 1, Service 2, Service 3, Service …, Service A, Service B]

Page 14

Windows Vista Firewall

• Combined firewall and IPsec management
  • New management tools – Windows Firewall with Advanced Security MMC snap-in
  • Reduces conflicts and coordination overhead between technologies
• Firewall rules become more intelligent
  • Specify security requirements such as authentication and encryption
  • Specify Active Directory computer or user groups
• Outbound filtering
  • Enterprise management feature – not for consumers
• Simplified protection policy reduces management overhead

Page 15

Windows Resource Protection

• Windows protecting itself
• Files, folders, registry and other system objects
• Only OS can update the protected resources
• Applications cannot change system registry or system files and cannot write to system folder

Page 16

Authentication Improvements

• Plug and Play Smart Cards
  • Drivers and Certificate Service Provider (CSP) included in Windows Vista
  • Login and credential prompts for User Account Control all support Smart Cards
• New logon architecture
  • GINA (the old Windows logon model) is gone.
  • Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding

Page 17

BitLocker™ Drive Encryption

• Designed specifically to prevent a thief who boots another Operating System or runs a hacking tool from breaking Windows file and system protections
• Provides data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System
• Uses a v1.2 TPM or USB flash drive for key storage

Page 18

Spectrum Of Protection

BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

[Chart axes: Security, Ease of Use]

• TPM Only: “What it is.”
  • Protects against: SW-only attacks
  • Vulnerable to: HW attacks (including potentially “easy” HW attacks)
• TPM + PIN: “What you know.”
  • Protects against: Many HW attacks
  • Vulnerable to: TPM breaking attacks
• Dongle Only: “What you have.”
  • Protects against: All HW attacks
  • Vulnerable to: Losing dongle, Pre-OS attacks
• TPM + Dongle: “Two what I have’s.”
  • Protects against: Many HW attacks
  • Vulnerable to: HW attacks

Page 19

Other security changes (1)

• Power Users group = normal users now
• Local Administrator - disabled by default
• Help and Support accounts - gone
• New groups
• Services have SIDs
• 3000 GPO settings
• Multiple local GPOs (Local, admin, non-admin, user)
• GP settings for Removable Devices (read/write)
• EFS cert on smartcard

Page 20

Other security changes (2)

• Offline files encrypted per user
• Encrypted pagefile
• AES and SHA-2 in kernel
• IPSec support for AES
• Cached credentials secured
• AuthIP – IPSec rules by user
• SMBv2 – client-side file encryption
• Volume Shadow Copies – Previous Versions

Page 21

Typical Compatibility Failures

• Assumption of running as admin
• Using old system features
• Tied to OS version
• Using internal system calls and data structures
• Latent bugs

Page 22

Changes

• User Account Control
• Internet Explorer
• Updates as admin!
• New TCP/IP stack
• GINA – replaced by Credential Provider
  • Biometrics
  • VPN
  • Smart card readers
• New display driver model
• Users folder instead of Documents and Settings

Page 23

Redirection

• Files, registry keys are redirected when written to privileged areas
• Redirection per user – VirtualStore folder
• App doesn’t know it was redirected
• Apps that don’t know anything about UAC will just work
• Apps running as Admin will not get redirection
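Added example (not part of the original slides): a small Python model of the redirection rules listed above, useful when triaging where a legacy application's data actually lives on disk. The protected roots, the `%LOCALAPPDATA%\VirtualStore` location, the `HKLM\SOFTWARE` mapping and the skipped binary extensions are assumptions based on general Windows behaviour; the sample writes are constructed.

```python
import ntpath

# Assumptions (general Windows behaviour, not stated on the slides):
# protected roots, the %LOCALAPPDATA%\VirtualStore location, the HKLM\SOFTWARE
# mapping, and a small illustrative subset of never-virtualized extensions.
PROTECTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)",
                  r"C:\ProgramData", r"C:\Windows")
HKLM_SOFTWARE = r"HKLM\SOFTWARE"
REG_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE"
BINARY_EXT = {".exe", ".dll", ".sys"}

def _under(path, root):
    """Case-insensitive 'path is root or below it', after resolving '..'."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(root)
    return p == r or p.startswith(r + "\\")

def virtualized_file(path, local_appdata, elevated=False):
    """Per-user location a legacy app's file write ends up in, or None."""
    if elevated or ntpath.splitext(path)[1].lower() in BINARY_EXT:
        return None  # admin apps and binaries are not redirected
    norm = ntpath.normpath(path)
    if not any(_under(norm, root) for root in PROTECTED_DIRS):
        return None  # not a privileged area, the write goes where asked
    tail = ntpath.splitdrive(norm)[1].lstrip("\\")
    return ntpath.join(local_appdata, "VirtualStore", tail)

def virtualized_key(key, elevated=False):
    """Per-user registry location for a write under HKLM\\SOFTWARE, or None."""
    if elevated or not _under(key, HKLM_SOFTWARE):
        return None
    return REG_STORE + ntpath.normpath(key)[len(HKLM_SOFTWARE):]

# Constructed sample: (target, elevated) writes attempted by a legacy app.
SAMPLE_WRITES = [
    (r"C:\Program Files\Acme\settings.ini", False),
    (r"C:\Program Files\Acme\settings.ini", True),
    (r"C:\Program Files\Acme\..\..\Users\alice\notes.txt", False),
    (r"HKLM\SOFTWARE\Acme\App", False),
]

def audit(writes, local_appdata):
    """Map each redirected write to the place the data really is."""
    found = {}
    for target, elevated in writes:
        if target.upper().startswith("HKLM"):
            hit = virtualized_key(target, elevated)
        else:
            hit = virtualized_file(target, local_appdata, elevated)
        if hit:
            found[target] = hit
    return found
```

Because redirection is per user, two standard users running the same legacy application can see different settings for the "same" file, which matters when collecting evidence or comparing configurations.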

Page 24

Application Compatibility

• Windows Vista Program Compatibility Assistant
• Application Compatibility Toolkit 5.0 (Beta)
• Windows Application Toolkit 4.1
• Microsoft Standard User Analyzer
• Windows Vista Upgrade Advisor
• Virtual PC
• http://www.microsoft.com/technet/windowsvista/appcompat/tools.mspx
• http://www.microsoft.com/technet/windowsvista/appcompat/default.mspx

Page 25

Deployment

• WIM – file-based image format
• One image per platform – x86, x64
• Nondestructive imaging
• Several images inside one image file
• One XML unattended answer file
• Offline editing of image file – patches, drivers
• Image file mounting to the file system

Page 26

Event Viewer

• Know where to look
  • Central logging of events
  • Events unified in single viewer
  • High-level Event Summary
• Find what you need
  • Enhanced filtering
  • Define and save views
  • Default views for common scenarios
• Know what to do
  • Richer data and documentation
  • Easy-to-use task integration in Event Viewer
• Manage centrally
  • Event forwarding
  • View multiple logs from one machine
• Control information flow
  • Enable/disable detailed logging to troubleshoot

Page 27

Reliability Analysis Comp.

Analyzes, aggregates, and correlates user disruptions for the OS and applications

Tracks frequency and cause of user disruption

Exposes reliability metrics and results to the IT Administrator, to health monitoring applications and, by customer choice, to MS Product Feedback

Page 28

Performance

• SuperFetch
  • Intelligent memory management lets you access your data more quickly
  • Optimizes based on usage patterns over time
• EMD
  • Takes advantage of USB 2.0 drive for additional memory cache
  • Substantially improves responsiveness – without upgrading RAM
• Low-Priority I/O
  • User apps have priority over background processes for hard drive access
  • Search indexing, virus scans and auto defrag run in the background without impacting performance

Page 29

Windows Vista Security Summary

Fundamentals
• SDL
• Service Hardening
• Code Scanning
• Default configuration
• Code Integrity

Threat and Vulnerability Mitigation
• IE – protected mode/anti-phishing
• Windows Defender
• Bi-directional Firewall
• IPSEC improvements
• Network Access Protection (NAP)

Identity and Access Control
• User Account Control
• Plug and Play Smartcards
• Simplified Logon architecture
• Bitlocker
• RMS Client

Daney LaVigne
This sentence is incomplete in the section titled User Account Control: Common tasks that require administrative privileges under Windows XP, such as installing printers, changing the time zone when traveling, changing power management settings, and adding a WEP key to connect to a secure wireless network.
Page 30

Q&A