Securing Your Data with Microsoft Technologies
Steve Lamb, Technical Security Evangelist @ Microsoft Ltd
[email protected]
http://blogs.technet.com/steve_lamb
What you can expect during this session
Our current thinking on Scenarios & Solutions
What technologies to use where and why
60 minutes for discussion & quick demo
15 minutes for questions at the end
Why Am I Talking To You About This?
"When should I use X?" EFS, RMS, S/MIME, BDE, XPS, CAPI, CAPICOM, CAPI-NG, WS-Sec, Smart Cards…
"What is the right encryption to use?"
"Give me a strategic direction"
Where is your Data Stored?
Q: Where is your biggest security exposure? Trick question!
Clients
  Documents: where do your users keep their documents?
  User Profile: Outlook, Sharepoint, Desktop, Temp
  Per-machine data: search index, file cache
Servers
  File Shares
  Collaboration store (e.g. Sharepoint)
  RDBMS (e.g. SQL)
  Mail (e.g. Exchange)
  SAN
  HSM
  Enterprise backup
Where ISN'T Data stored?
Big Picture…
What Technologies Can Be Used?
ACLs
Rights Management (eek!)
Role-based Access
System encryption
Application encryption
ACLs
Classic approach
Configuring: Windows Explorer, cacls.exe; Group Policy/Secedit; NEW! .NET Framework 2.0 (SDDL)
Good: protect against online/remote attackers
Bad: protecting against local Admins
Ugly: protecting against offline attacks
ACLs example: File server
Uses AD, Group Policy, Windows client
Goal: users cannot see each others' files
Server shares folder \\Server\Home
Share permissions = Users: Change
Folder root permissions allow:
  Users: Traverse folder, List folder, Create folders, Read (This folder only)
  Creator/owner: Change (Subfolders and files only)
Result:
  User creates new folder
  Can do anything they want with that folder
  No other user can see inside that folder
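The file-server layout above, scripted as an added example (not code from the deck) using the .NET 2.0 System.Security.AccessControl classes the ACLs slide mentions. It assumes the share root lives at D:\Home (a hypothetical path), that the share is named Home, that net.exe's /GRANT switch is available (Windows Server 2003 or later), and that the script runs as a local Administrator on the server.

```powershell
# Added example: build the \\Server\Home home-folder layout from the slide.
# Assumptions: share root D:\Home (hypothetical), share name "Home",
# built-in "Users" and "CREATOR OWNER" principals, script run as Administrator.
$HomeRoot  = 'D:\Home'
$ShareName = 'Home'

New-Item -ItemType Directory -Path $HomeRoot -Force | Out-Null

# Share permissions = Users: Change
net share "$ShareName=$HomeRoot" "/GRANT:Users,CHANGE" | Out-Null

$acl = Get-Acl -Path $HomeRoot

# Stop inheriting from the volume root and discard the inherited entries, so the
# only ACEs on the share root are the three added below.
$acl.SetAccessRuleProtection($true, $false)

# Users: Traverse folder, List folder, Create folders, Read -- "This folder only"
# (no inheritance flags). ListDirectory is already part of the Read composite.
$usersRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'Users'
    [System.Security.AccessControl.FileSystemRights]'Read, Traverse, CreateDirectories'
    [System.Security.AccessControl.InheritanceFlags]::None
    [System.Security.AccessControl.PropagationFlags]::None
    [System.Security.AccessControl.AccessControlType]::Allow
)

# CREATOR OWNER: Change (= Modify) -- "Subfolders and files only": inherited by
# containers and objects, InheritOnly so it never applies to the root itself.
# Whoever creates a folder becomes its owner and so gets Modify on it; other
# users only ever had "This folder only" rights on the root.
$ownerRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CREATOR OWNER'
    [System.Security.AccessControl.FileSystemRights]::Modify
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    [System.Security.AccessControl.PropagationFlags]::InheritOnly
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Administrators keep Full Control over the whole tree for management.
$adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'BUILTIN\Administrators'
    [System.Security.AccessControl.FileSystemRights]::FullControl
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    [System.Security.AccessControl.PropagationFlags]::None
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl.AddAccessRule($usersRule)
$acl.AddAccessRule($ownerRule)
$acl.AddAccessRule($adminRule)
Set-Acl -Path $HomeRoot -AclObject $acl

# Print the resulting descriptor in SDDL, the form the slide refers to, for review.
(Get-Acl -Path $HomeRoot).Sddl
```

The point of the InheritOnly flag on the CREATOR OWNER entry is that it contributes nothing to the root's own effective permissions; it only materialises, with the real creator substituted, on folders users make underneath. As the ACLs slide notes, none of this helps against a local Administrator or an offline attacker who reads the disk directly.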
Rights Management
The "ACL" goes wherever the document goes
Combines encryption with policy enforcement
Good: protecting against offline, online attacks
Bad: protecting against Super Users
Ugly: protecting against Active Directory admins
Roles-based access (RBAC)
Idealized approach
Must combine with other tech: ACLs, Encryption, Rights Management, App-specific authorization (e.g. SQL, Exchange)
Issues:
  Every Windows app has a different approach
  Still no better against offline attacks
RBAC scenario: rights management
Leverage Active Directory, RMS, Office
1. Assign users to groups (roles) in AD
2. RMS Templates assign rights to groups
3. Use RMS-enabled app (e.g. Office) to assign rights via templates
4. RMS server and client grant limited access to documents
Intranet / VPN scenario: Publishing and consumption
Corporate Intranet
1. Assume author is already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC
4. Author sends mail to recipient
5. Recipient contacts AD for service discovery
6. Recipient gets bootstrapped from RMS
7. Recipient gets use license from RMS
8. Recipient can access content
(Diagram: author and recipient on the corporate intranet, each holding a RAC and CLC; the protected mail carries a PL (publishing license); the RMS server, located through the RMS SCP (http://...) in AD, issues the UL (use license); steps 1-8 are numbered on the diagram, with the Internet shown outside the intranet boundary.)
System encryption
Encrypt each file = Encrypting File System (EFS)
Encrypt each sector = BitLocker Drive Encryption (BDE)
Good: protect against offline attack
Bad: doesn't protect against user error
Ugly: doesn't protect between systems
Application Encryption
Leverage each app's data protection approach
"Every" app has its own approach, e.g. Outlook S/MIME, SQL Server, Office, Winzip
Good: there's encryption
Bad: hard to manage
Ugly: brutal to manage across the enterprise
App example: SQL 2005
SQL 2005 uses DPAPI
Comparable to EFS
Multiple layers of keys
Partition access
Encrypt instances, databases, tables with separate keys
Leverage HSM @ server level
Advantages: keys managed with data, max perf, uses system libraries
Disadvantages: Server & DB Ops can get keys
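The layered key model the SQL 2005 slide describes, as an added example that is not from the deck: a PowerShell wrapper that feeds a T-SQL script to sqlcmd.exe (shipped with the SQL 2005 client tools). It assumes a local instance reachable as .\SQLEXPRESS (hypothetical), Windows authentication for a login that is sysadmin on that instance, and a constructed database and table (PayrollDemo, Salary) that exist only for the demonstration.

```powershell
# Added example: service master key (DPAPI-protected) -> database master key
# -> certificate -> symmetric key -> column data, on SQL Server 2005.
# Assumptions: instance .\SQLEXPRESS (hypothetical), sqlcmd.exe on PATH,
# the caller is sysadmin, and PayrollDemo / Salary are constructed names.
$instance = '.\SQLEXPRESS'

$sql = @'
CREATE DATABASE PayrollDemo;
GO
USE PayrollDemo;
GO
-- Layer 2: the database master key. It is protected by the instance's service
-- master key (which SQL 2005 protects with DPAPI) and by this password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Example-DMK-Passw0rd!';

-- Layer 3: a certificate protected by the DMK; it only wraps data keys.
CREATE CERTIFICATE PayrollCert WITH SUBJECT = 'Payroll column key wrapper';

-- Layer 4: the symmetric key that encrypts the data. One key per table or
-- purpose is what lets tables be partitioned under separate keys.
CREATE SYMMETRIC KEY PayrollKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PayrollCert;

CREATE TABLE Salary (EmpId int PRIMARY KEY, SalaryEnc varbinary(256));

-- Writers open the key, encrypt, and close it again.
OPEN SYMMETRIC KEY PayrollKey DECRYPTION BY CERTIFICATE PayrollCert;
INSERT INTO Salary VALUES (1, EncryptByKey(Key_GUID('PayrollKey'), N'55000'));
INSERT INTO Salary VALUES (2, EncryptByKey(Key_GUID('PayrollKey'), N'72000'));
CLOSE SYMMETRIC KEY PayrollKey;

-- With the key closed, SELECT returns only ciphertext.
SELECT EmpId, SalaryEnc FROM Salary;

-- Anyone who can open the key (CONTROL on the certificate, which every
-- sysadmin has) reads the plaintext: this is the slide's "Ops can get keys".
OPEN SYMMETRIC KEY PayrollKey DECRYPTION BY CERTIFICATE PayrollCert;
SELECT EmpId, CONVERT(nvarchar(20), DecryptByKey(SalaryEnc)) AS Salary FROM Salary;
CLOSE SYMMETRIC KEY PayrollKey;
GO
'@

# Write the batch to a temp file and run it with Windows authentication (-E).
$script = Join-Path $env:TEMP 'keyhierarchy.sql'
Set-Content -Path $script -Value $sql
& sqlcmd.exe -S $instance -E -i $script
```

Because every layer is unwrapped by the layer above it, the data is only as protected as the service master key, and that key lives on the same server as the data: the "keys managed with data" advantage and the "Server & DB Ops can get keys" disadvantage are the same design decision seen from two sides.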
Scenarios
1. Loss or Theft of PC, aka "notebook in taxi"
2. Reduced data leaks, aka "whoopsie"
3. Server-side encryption, aka "untrustworthy Admins"
4. End-to-end encryption, aka "regulatory compliance"
(1) Loss or Theft of PC
Threat: attackers with infinite time, many tools, well-documented attack techniques
Goal: mitigate the risk of data exposure (reduce the risk, NOT eliminate)
Good: Application Encryption
Better: Minimize the stored data, System Encryption
Don't bother with ACLs, RBAC, DRM
(1) Loss or Theft of PC
1. EFS
   Mitigates offline attacks except against user account
   Prevents online attacks (on encrypted files)
   Threats focus on user's password
2. BitLocker with TPM or USB (Vista)
   Prevents offline attacks (replace passwords, copy hashes, change system files)
   Threats focus on user logons
3. Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
   Attacker with notebook + Smart Card needs PIN (not password)
   After "x" bad tries, Smart Card locked FOREVER
(1) Loss or Theft of PC
Reality check: Windows XP today
Attack focus: user passwords, cleartext data
Tactics:
  Better passwords/phrases
  Encrypt significant sets of data: EFS for Documents, email, desktop, TIF, server caches
  Smartcard logon per-PC
Residual risk: pagefile fragments, hiberfile, cached logon verifiers
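An added example (not from the deck) that turns the XP "reality check" into a script a desktop team could run on a notebook: it measures how much of the data the slide lists (Documents, email, desktop, TIF, the offline-files cache) is still cleartext, optionally applies EFS with cipher.exe, and reports the three residual risks named above. It assumes the XP default profile layout under %USERPROFILE%, the Offline Files cache at %SystemRoot%\CSC, and PowerShell 2.0 on the client; Get-EfsCoverage and Enable-EfsOn are hypothetical helper names.

```powershell
# Added example: EFS coverage and residual-risk report for a Windows XP notebook.
# Assumptions: XP default profile folders, CSC cache at %SystemRoot%\CSC,
# PowerShell 2.0. Run with -Encrypt to apply EFS to the cleartext folders.
param([switch]$Encrypt)

$userProfile = $env:USERPROFILE
$cscCache    = Join-Path $env:SystemRoot 'CSC'
$targets = @(
    (Join-Path $userProfile 'My Documents')                                      # Documents
    (Join-Path $userProfile 'Desktop')                                           # desktop
    (Join-Path $userProfile 'Local Settings\Application Data\Microsoft\Outlook') # email (OST/PST)
    (Join-Path $userProfile 'Local Settings\Temporary Internet Files')           # TIF
    $cscCache                                                                    # server caches
)

# Count files per folder and how many lack the NTFS Encrypted attribute.
function Get-EfsCoverage {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        $files = @(Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $clear = @($files | Where-Object {
                     ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 })
        New-Object PSObject -Property @{
            Path      = $p
            Files     = $files.Count
            Cleartext = $clear.Count
        }
    }
}

# cipher.exe /e /s: encrypts the tree and marks the folder so new files inherit
# the attribute; that inheritance is what makes EFS "stick" for user data.
function Enable-EfsOn {
    param([string]$Path)
    & (Join-Path $env:SystemRoot 'system32\cipher.exe') /e /s:"$Path" | Out-Null
}

$report = @(Get-EfsCoverage -Paths $targets)
$report | Format-Table Path, Files, Cleartext -AutoSize

if ($Encrypt) {
    # The Offline Files cache is encrypted through the Offline Files setting
    # ("Encrypt offline files to secure data"), not with cipher.exe, so skip it.
    foreach ($r in $report | Where-Object { $_.Cleartext -gt 0 -and $_.Path -ne $cscCache }) {
        Enable-EfsOn -Path $r.Path
    }
}

# Residual risk: pagefile fragments, hiberfile, cached logon verifiers.
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"ClearPageFileAtShutdown : $($mm.ClearPageFileAtShutdown)  (1 = pagefile wiped at shutdown)"
"Hibernation file present: $(Test-Path (Join-Path $env:SystemDrive 'hiberfil.sys'))"
"CachedLogonsCount       : $($wl.CachedLogonsCount)  (domain logon verifiers kept on disk)"
```

The report is the useful half: on an XP machine it is common for the Outlook cache and Temporary Internet Files to hold far more sensitive text than My Documents, and they are the folders users never think to encrypt. The residual-risk lines are only indicators; EFS does nothing for what is already in the pagefile, hiberfile or cached verifiers, which is the argument the next slides make for BitLocker on Vista.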
(2) Reduced data leaks
Threat: authorized users with legit access giving data to others
Goal: mitigate the risk of spread of data (reduce, NOT eliminate)
Good: ACLs, Role-based Access
Better: DRM, Application encryption
Don't bother with System encryption
(2) Reduced data leaks
1. ACL shared files on servers with RBAC groups
   Prevents users from granting each other permissions
2. Leverage a rights management technology
   Reduces the amount of unprotected files
3. Ideal: RM automatically assigned (RMS partners)
   Enforces RM protection according to pre-defined business rules
Bonus: encryption on physical media
Bonus: removable media policy (Vista)
(2) Reduced data leaks
Reality check: user-initiated RMS is unreliable
Risk focus: leaks to outsiders
Tactics:
  "do not forward" emails from execs, legal, R&D
  RMS automation on servers (future)
  Converting AD roles to security-enabled Distribution Groups
  Experiment with WinFX, Print-to-XPS
(3) Server-Side Encryption
Threat: some Admins have or grant themselves access with no oversight or detection
Goal: mitigate the risk of widespread leaks (reduce, NOT eliminate)
Good: Role-based Access
Better: System encryption, Application encryption, ERM
Don't bother with ACLs
(3) Server-Side Encryption
Roles-based access on all servers (and clients)
  Prevents Admins from unaudited access to data
EFS, BitLocker, RMS with central keys managed elsewhere
  Reduces opportunity for quick access to protected data
  Threats switch to impersonating users
Bonus: audit for Object Access (Take Ownership, Change Permissions), Policy Change, System Events
Bonus: role-separated audit collection
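The first "Bonus" item put into practice on a file server, as an added example that is not from the deck: a SACL on the share root that records Take Ownership and Change Permissions attempts, success and failure, followed by a pull of the matching Security-log entries. It assumes the share root is D:\Home (hypothetical), that "Audit object access" is already enabled for Success and Failure in the server's audit policy (Group Policy or secedit, as the ACLs slide lists), and that the script runs with the Manage auditing privilege (a local Administrator).

```powershell
# Added example: audit Take Ownership / Change Permissions on a share root.
# Assumptions: share root D:\Home (hypothetical); "Audit object access" already
# enabled for Success and Failure; run as Administrator (SACL edits need
# SeSecurityPrivilege).
$ShareRoot = 'D:\Home'

# -Audit makes Get-Acl fetch the SACL along with the DACL.
$acl = Get-Acl -Path $ShareRoot -Audit

# Everyone, both outcomes, inherited through the whole tree: an admin who takes
# ownership of a user's folder or rewrites its ACL leaves an event behind, which is
# the "oversight or detection" the threat statement says is otherwise missing.
$auditRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone'
    [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    [System.Security.AccessControl.PropagationFlags]::None
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($auditRule)
Set-Acl -Path $ShareRoot -AclObject $acl

# Confirm what is now on the SACL.
(Get-Acl -Path $ShareRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Review the object-access events those rights generate. WRITE_DAC and
# WRITE_OWNER are the access names Windows prints for Change Permissions and
# Take Ownership in the event text. Role-separated collection means these records
# are forwarded off the box, so the same admin cannot simply clear the log.
Get-EventLog -LogName Security -Newest 500 |
    Where-Object { $_.Message -match 'WRITE_DAC|WRITE_OWNER' } |
    Select-Object TimeGenerated, EventID, UserName |
    Format-Table -AutoSize
```

The SACL only produces records when the audit policy category is turned on; setting the rule without the policy is the most common reason these audits silently yield nothing. Pair it with Policy Change auditing, as the slide suggests, so that switching the category off is itself logged.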
(4) End-to-end encryption
Challenges, Approaches, Futures
(4) End to End: Challenges
Lack of product integration
Key management
  Keep keys close to data (performance, portability)?
  Keep keys far from data (security, administration)?
Cross-platform issues
Managing transitions between systems, applications and organizations
(4) End to End: Approaches
Standard algorithms
Third-party products
Best-fit solutions
Mitigate greatest exposures first
(4) End to End: Futures
"information protection platform"
  Possibly integrate EFS, RMS, NGSCB
WS-Sec (and other standards)
.NET Framework 3.0 (WinFX)
IPv6
Beyond Microsoft technologies
Pervasive hardware-integrated crypto
ISV encryption
ISV rights management
Smart cards
Other multi-factor access control
Resources
Technical Chats and Webcasts
  http://www.microsoft.com/communities/chats/default.mspx
  http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification
  http://www.microsoft.com/learning/default.mspx
MSDN & TechNet
  http://microsoft.com/msdn
  http://microsoft.com/technet
Virtual Labs
  http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups
  http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites
  http://www.microsoft.com/communities/default.mspx
User Groups
  http://www.microsoft.com/communities/usergroups/default.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Thanks to Mike Smith-Lonergan for creating the slides
Steve Lamb, Technical Security Evangelist @ Microsoft Ltd
[email protected]
http://blogs.technet.com/steve_lamb