SEPTEMBER 2010 | SÃO PAULO 14/07/2010 4:47 PM

Presentation transcript:

1 SEPTEMBER 2010 | SÃO PAULO
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. This document is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, this document should not be interpreted as a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 End-to-end security: putting the pieces of the puzzle together
SESSION CODE: SIA309. Speakers: Rodrigo Immaginario, CISSP, MVP Security; Vitor Nakano, Information Security Coordinator, Ecorodovias.

3 Agenda
- Current challenges for companies and for information security professionals
- Addressing the security technologies and features
- Demos: IPsec, NAP, DirectAccess, PKI, RMS, SSL, EFS and two-factor authentication

4 New IT challenges: policy, not topology, defines the boundary
- Authentication and authorization: two-factor and biometrics, claims-based security
- Universal access: IPv6, access from anywhere
- Identity control: Active Directory
- Environment health: Network Access Protection, anti-malware
- Boundary definition: per-application VPN and firewalls, IPsec policies

5 Current scenario: there is no boundary for the flow of information
Information leaves the organization through home computers, USB drives, mobile devices, independent consultants and partner organizations.
- There is no boundary for the flow of information
- Information is shared, stored and accessed without the owner's control
- Host security and network security are insufficient on their own

6 Lost information and civil liability are growing concerns among organizations
"Data Privacy is the most important security concern in the enterprise in 2007, outranking Malware for the first time." "Regulatory and legal compliance is a top driver for enterprise and government investment in information security." Source: WW Security Perceptions Report, MSFT 2007; The Info Pro Information Security Wave 9, November 2007.

7 What to do? Reduce the risk of threats to network security
- An additional layer of defense-in-depth
- Reduce the attack surface of known machines
- Improve the manageability and "health" of clients
- Protect sensitive data and intellectual property
- Authenticated end-to-end network communication
- Protect the confidentiality and integrity of data
- Provide secure remote access
- Support machine and user authentication with IPsec
- Network Access Protection with VPNs and IPsec
- Secure routing compartments increase isolation on VPN connections

8 Server and Domain Isolation
Dynamically segment your Windows® environment based on policy.
- Server isolation: protect specific servers and the data they hold
- Domain isolation: protect managed computers from unmanaged or unknown machines (labs, unmanaged guests)

9 Server and Domain Isolation
Diagram: on the corporate network, the Active Directory domain controller distributes policies and credentials to managed computers (including an HR workstation). Managed computers can talk to each other; an unmanaged or rogue computer is blocked (X). Server isolation adds a second boundary around trusted resource servers and servers with sensitive data, which the untrusted machine cannot reach.
- Domain isolation: defines the logical boundary, distributes policies and credentials, lets managed computers communicate, blocks connections from untrusted computers
- Server isolation: restricts access to critical data to the computers and users that are authorized for it

12 Network Access Protection (NAP)
Slide elements: Policy Servers such as patch and AV servers; What is Network Access Protection?; Health Policy Validation; Health Policy Compliance; Not policy compliant; Restricted Network; Remediation Servers (example: patch); Windows Client; DHCP, VPN, Switch/Router; NPS; Policy compliant; Corporate Network; Limit network access; Increase security; Increase business value; Cisco and Microsoft integration.

Talking points: Network Access Protection gives the enterprise additional protection by checking system health and restricting the access of systems that are not in compliance. Enterprises are constantly challenged by viruses that invade systems because guests plug in, employees connect over VPN, and vulnerable computers on the network are attacked every day. In response, IT administrators are always looking for tools to detect and manage threats, establish health policies, require baseline compliance, keep the network resilient, remediate vulnerabilities, and manage the policy enforcement and remediation systems.

What is Network Access Protection: One of the most time-consuming challenges administrators face is ensuring that computers connecting to the private network meet health policy requirements. Network Access Protection for Windows Server 2008 and Windows Vista helps administrators enforce compliance with health policies for network access or communication. Developers and administrators can create solutions that validate computers connecting to their networks, provide needed updates or access to needed resources (called health update resources), and limit the access of noncompliant computers. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

NAP has three important and distinct aspects:

Health Policy Validation: When a user attempts to connect to the network, the computer's health state is validated against the health policies defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a restricted-access environment, computers that comply with the health policies are allowed unlimited access to the network, but computers that do not comply, or that are not NAP-capable, have their access limited to a restricted network.

Health Policy Compliance: Administrators can help ensure compliance with health policies by choosing to automatically update noncompliant computers with the missing requirements through management software such as Microsoft Systems Management Server. Computers that do not comply with health policies may have limited access until the software and configuration updates are complete. NAP-capable computers can automatically become compliant, and the administrator can define policy exceptions.

Ability to Provide Limited Access: Administrators can protect network assets by limiting the access of computers that do not comply with health policy requirements. Noncompliant computers have their access limited as defined by the administrator. Network access limits can be based on a specific amount of time, or on whether access is limited to a restricted network, to a single resource, or to no internal resources at all.

Enhanced Security: Network Access Protection for Windows Server 2008 helps administrators enforce compliance with health policies for network access or communication. It verifies that all communications are authenticated, authorized and healthy. Administrators can use NAP with DHCP, VPN, IPsec and 802.1X enforcement to set the security level that meets the needs of their organization, and can set policy-based access controls that define access to their systems. The enforcement methods are not equally strong: DHCP enforcement only withholds a routable address and is bypassed by a client that configures a static IP address, whereas IPsec and 802.1X enforcement hold up against a user with local administrator rights.

Increased Business Value: Network Access Protection helps extend existing investments in Microsoft and third-party infrastructure. It also preserves user productivity while protecting the system. The development of NAP is based on a broad industry partnership.

Cisco and Microsoft Integration Story: Cisco and Microsoft worked on a joint architecture for NAC-NAP interoperability. The new security architecture enables customers and partners to deploy interoperable Cisco Network Admission Control and Microsoft Network Access Protection. The two companies have also revealed a general road map for bringing Cisco NAC and Microsoft NAP interoperability to market, including a limited beta program set to start later in the calendar year. Customers will be able to start deploying the Cisco NAC-Microsoft NAP interoperable solution once Windows Server 2008 is available. Cisco and Microsoft have cross-licensed the Cisco NAC and Microsoft NAP protocols to help ensure interoperability and to enable both companies to respond to future market and customer requirements. For more information, see:

Additional information: Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn); Add-302.ppt.

13 NAP: how it works
Diagram: Windows client; DHCP, VPN or switch/router; Microsoft NPS; policy servers (e.g. patch, AV); restricted network with fix-up servers (e.g. patch); corporate network.
1. The client requests network access and presents its statement of health (SoH).
2. The DHCP server, VPN server or switch/router forwards the health status to the Microsoft Network Policy Server (RADIUS).
3. The Network Policy Server (NPS) validates the health status against the defined policies.
4. If the client is not compliant, it is placed in a restricted VLAN and can reach only the remediation servers; after remediation, steps 1 to 4 repeat.
5. If the client is compliant, it gets full access to the corporate network.

14 NAP architecture
Client:
- System Health Agent (SHA), from Microsoft and third parties: health agents that check the client state
- Quarantine Agent (QA): coordinates the SHAs and the EC
- Enforcement Client (EC): the method of enforcement (DHCP, IPsec, 802.1X, VPN)
Network Policy Server (Microsoft NPS):
- Quarantine Server (QS): coordinates the SHVs
- System Health Validator (SHV): validates client health
System Health Server: provides the client compliance policies (health policy) to the NPS.
Remediation server: serves patches, AV signatures, etc.
Flows: network access requests and health statements travel from the client through the network access devices and servers to the NPS; health policy updates come from the System Health Servers; remediation instructions and the health certificate flow back to the client.

16 NAP with IPsec
Zones: quarantine zone, boundary zone, protected zone (for example, an Exchange server). A host without a health certificate (X) cannot negotiate IPsec with protected-zone hosts.
Exchange between the host, the Health Certificate Server (HCS), the policy server and the remediation server:
- Host to HCS: "Can I have a health certificate? Here is my SoH."
- HCS to policy server: "Is this client OK?"
- Policy server to HCS: "No, it needs fixes." or "Yes, give it its new certificate."
- HCS to host: "You do not have a health certificate. Do your update." or "Here is your health certificate."
- Host to remediation server: "I need updates." Remediation server: "Here they are."
- Host, with a valid health certificate: "Accessing the network."
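The five steps of slide 13 and the health-certificate exchange of slide 16, modelled end to end as an added example (this is not Microsoft's NAP code or the speakers' demo). The Statement of Health is a dict, the health policy is the dict a System Health Server would hand to the NPS, and the health certificate the HRA issues is an HMAC-signed token standing in for the X.509 health certificate; the KB identifiers, host name and clock value are constructed for the demo. It also shows what the protected zone does with a tampered or expired certificate, which the slide only implies with the X.

```python
"""NAP health validation and health-certificate issuance, modelled end to end."""
import hashlib
import hmac
import json
import time

# Health policy the System Health Server distributes to the NPS (constructed).
HEALTH_POLICY = {
    "firewall_enabled": True,
    "av_signature_max_age_days": 7,
    "required_updates": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},  # hypothetical IDs
}

# Signing key of the hypothetical Health Registration Authority (HRA).
HRA_KEY = b"hra-demo-key-not-for-production"
HEALTH_CERT_LIFETIME = 4 * 3600  # seconds; health certificates are short-lived


def validate_soh(soh, policy=HEALTH_POLICY, now=None):
    """System Health Validator (SHV): compare a SoH with the policy.

    Returns (compliant, remediation_steps); steps is empty when compliant."""
    now = time.time() if now is None else now
    steps = []
    if policy["firewall_enabled"] and not soh["firewall_enabled"]:
        steps.append("enable host firewall")
    max_age = policy["av_signature_max_age_days"] * 86400
    if now - soh["av_signature_time"] > max_age:
        steps.append("update AV signatures")
    missing = sorted(policy["required_updates"] - set(soh["installed_updates"]))
    if missing:
        steps.append("install " + ", ".join(missing))
    return not steps, steps


def issue_health_cert(host, now):
    """HRA: issue a health certificate once the SHV has reported compliance."""
    body = json.dumps({"host": host, "exp": int(now) + HEALTH_CERT_LIFETIME},
                      sort_keys=True)
    mac = hmac.new(HRA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_health_cert(token, now):
    """Protected-zone host: accept an IPsec peer only with a valid, unexpired
    health certificate. Anything else is treated as no certificate at all."""
    try:
        body, mac = token.rsplit(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(HRA_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return json.loads(body)["exp"] > now


def remediate(soh, steps, now):
    """Remediation server: apply exactly the fixes the SHV asked for."""
    fixed = dict(soh)
    for step in steps:
        if step == "enable host firewall":
            fixed["firewall_enabled"] = True
        elif step == "update AV signatures":
            fixed["av_signature_time"] = now
        elif step.startswith("install "):
            fixed["installed_updates"] = (
                set(fixed["installed_updates"]) | set(step[len("install "):].split(", ")))
    return fixed


def request_access(host, soh, now, max_rounds=3):
    """Steps 1 to 5 of the slide: the client presents its SoH, the NPS validates
    it, and the enforcement point either grants full access (with a health
    certificate) or parks the client on the restricted network, where it
    remediates and tries again. Returns (access, cert, log)."""
    log = []
    for _ in range(max_rounds):
        compliant, steps = validate_soh(soh, now=now)
        if compliant:
            cert = issue_health_cert(host, now)
            log.append(("full", cert))
            return "full", cert, log
        log.append(("restricted", steps))
        soh = remediate(soh, steps, now)
    return "restricted", None, log


NOW = 1_700_000_000  # fixed clock so the run is reproducible
# Constructed SoH of a laptop that has been off the network for three weeks.
STALE_LAPTOP = {
    "firewall_enabled": False,
    "av_signature_time": NOW - 21 * 86400,
    "installed_updates": {"KB-EXAMPLE-1"},
}

if __name__ == "__main__":
    access, cert, log = request_access("laptop-17", STALE_LAPTOP, NOW)
    for entry in log:
        print(entry)
    print("peer accepted by protected zone:", verify_health_cert(cert, NOW))
```

The first round lands the laptop on the restricted network with three remediation steps; the second round passes and yields a certificate that the protected zone accepts. Note that the remediation server applies only what the SHV listed, and that the protected zone re-checks expiry on every connection, which is why NAP health certificates are deliberately short-lived.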

17 Active Directory Certificate Services
Slide elements: Security; Management; Interoperability; Cryptography Next Generation; Windows Server 2008 Server Role; OCSP support; Granular Admin; PKIView; IDP CRL support; V3 Certificates; New GPOs; MSCEP support.

Talking points: Fundamental improvements to Certificate Services in Windows Server 2008 can help organizations from a security, manageability and interoperability perspective.

Security: In the area of security we cover leveraging the latest cryptographic technologies, increasing security for managing your Certificate Services infrastructure, and the new certificate templates offered in Windows Server 2008.

Cryptography Next Generation: Microsoft introduces a completely new cryptography API in Windows Vista and Windows Server 2008. This advanced cryptography support is a new infrastructure component in Windows and is also used by Active Directory Certificate Services. CNG supports the classic cryptographic algorithms available through CSPs as well as new algorithms such as Elliptic Curve Cryptography (ECC). A flexible implementation model allows you to switch between algorithms as needed. CNG is covered in more detail over the next two slides.

Granular Admin: In Windows Server 2003 it is not possible to control certificate management granularly: a user who has certificate manager permissions on a Windows Server 2003 CA can approve and revoke certificates of every template. This is a problem in environments where role separation between certificate managers is required. Windows Server 2008 delivers new tools for PKI operational management that increase the security of the PKI and can also increase the productivity of the PKI management staff. Windows Server 2008 adds two management controls that give granularity over who can enroll certificates, which certificates they can enroll, and to whom those certificates can be issued. Both integrate Active Directory security groups into the overall management of a Windows Server 2008 PKI. Enrollment agents are one or more authorized individuals within an organization. An enrollment agent must be issued an Enrollment Agent certificate, which lets the agent enroll for certificates on behalf of users. Enrollment agents are typically members of the corporate security, IT security or help desk teams, because these individuals are already trusted with safeguarding valuable resources. In some organizations, such as banks with many branches, help desk and security staff may not be conveniently located to perform this task; in that case a branch manager or other trusted employee must be designated as an enrollment agent. A Windows Server 2003 Enterprise CA provides no configurable control over enrollment agents beyond enforcing the enrollment agent certificate itself. The restricted enrollment agent feature is new functionality that limits the permissions enrollment agents have for enrolling on behalf of other users: on a Windows Server 2008 Enterprise CA an enrollment agent can be permitted for one or many certificate templates, and for each template you configure the users or security groups on whose behalf the agent can enroll. You cannot constrain an enrollment agent by Active Directory organizational unit (OU) or container; you must use Active Directory security groups. The restricted certificate manager applies similar controls by restricting the templates and the users for which a certificate manager can manage certificates.

V3 Certificates: Certificate templates provide a practical way to implement certificate enrollment in a managed Active Directory environment with Enterprise CAs: the CA administrator defines the blueprint for the certificates that Enterprise CAs issue. Static V1 certificate templates were introduced with Windows 2000; Windows Server 2003 introduced customization with V2 templates. Windows Server 2008 adds more templates and template properties than Windows Server 2003; the new template type is called V3. V3 templates can use the latest cryptographic algorithms introduced in Windows Server 2008, and you can also ensure that CA-related communication between clients and the CA takes place in the most secure fashion. Windows Server 2008 also introduces a completely new default template that provides a more secure method for client validation of domain controllers. Because of dependencies on the underlying operating system, Windows Server 2008 templates can only be assigned to CAs running on Windows Server 2008, and only Windows Vista and Windows Server 2008 computers can enroll for V3 certificate templates. One important change in Windows Server 2008 and Windows Vista is support for CNG (Suite B); with Suite B algorithms it is possible to use alternate and customized cryptographic algorithms for encryption and signing certificates.

Manageability: Here we examine new deployment options that give unparalleled deployment flexibility, and new options for managing your enterprise PKI from a centralized console.

Windows Server 2008 Server Role: One of the design goals of the Windows Server 2008 release is to make Windows a componentized operating system, so a lot of engineering effort went into redesigning the management of Windows Server components. Active Directory Certificate Services setup is done through Server Manager, a completely new wizard-based tool designed to improve the experience of setting up optional components in Windows Server. Server Manager was covered in more detail earlier in this presentation.

PKIView: Managing a PKI can be a complex undertaking. Monitoring and troubleshooting the health of multiple certification authorities in an enterprise PKI hierarchy are essential administrative tasks. PKIView simplifies them by combining vital CA management tasks in a single administrative interface. This consolidated view removes geographical boundaries by providing globalized support through Unicode characters. PKIView is covered in more detail on the following slide.

New GPOs: As X.509 public key infrastructures become more widely used as a foundation of trust, many organizations need more options to manage certificate path discovery and path validation. Previous versions of Windows had few settings for this kind of control. Windows Server 2008 introduces several new Group Policy settings for controlling the interaction of certificates and certificate trusts within your enterprise. The new controls include:
- Regulating the ability of users to manage their own trusted root certificates and peer trust certificates. This can be configured so that users are not allowed to make any root or peer trust decisions at all, or to control how many or how few specific certificate purposes, such as signing and encryption, users can manage for peer trust.
- Controlling code signing certificate use. Software signing is used by a growing number of software publishers and application developers to verify that their applications come from a trusted source, but many users do not understand, or pay little attention to, the signing certificates of the applications they install. Organization-wide trusted publisher policy lets you decide whether Authenticode® certificates can be managed by users and administrators, only by administrators, or only by enterprise administrators. In addition, this path validation policy can require that additional revocation and time stamp checks complete before a trusted publisher certificate is accepted.
Just as network administrators are responsible for keeping viruses and other malicious software out of their environments, administrators may want to block certain certificates from being used. A certificate issued by your own CA can be revoked and will be added to a certificate revocation list. You cannot revoke certificates issued by external CAs, but you can disallow them by adding them to the Untrusted Certificates store; they are then copied to the Untrusted Certificates store of each client computer in the domain the next time Group Policy is refreshed.

Interoperability: Microsoft has added or extended support for various industry standards to make Windows Server 2008 one of the most interoperable operating systems on the market. Three significant changes were made to Certificate Services: Online Certificate Status Protocol, the Issuing Distribution Point extension, and the Microsoft Simple Certificate Enrollment Protocol implementation.

Online Certificate Status Protocol (OCSP): Online responders that distribute OCSP responses are, along with CRLs, one of the two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an online responder receives and answers requests from clients for the status of a single certificate. The amount of data retrieved per request stays constant no matter how many revoked certificates there are. OCSP is covered in more detail on the following slide.

Issuing Distribution Point Extension (IDP CRL): To support X.509 and RFC 3280 compliance, the Windows Server 2008 CA supports the IDP extension in CRLs. The IDP extension is marked critical, so a relying party that does not understand it must not use that CRL at all; this matters for older and for non-Windows clients. The extension lets relying parties determine the proper scope of a CRL when a CA certificate is renewed or re-keyed (renewed with a new key), and it indicates whether the CRL covers revocation for end-entity certificates only, CA certificates only, attribute certificates only, or only a limited set of reason codes.

Simple Certificate Enrollment Protocol (MSCEP): SCEP is a PKI communication protocol that lets software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, enroll for X.509 certificates from a certification authority (CA). Microsoft SCEP (MSCEP) is the Windows implementation of SCEP. MSCEP runs as an Internet Server Application Programming Interface (ISAPI) filter on Internet Information Services (IIS) and performs the following: generates and provides one-time enrollment passwords to administrators; receives and processes SCEP enrollment requests on behalf of software running on network devices; retrieves pending requests from the CA. In Windows Server 2003, MSCEP was a Windows Server 2003 Resource Kit add-on that had to be installed on the same computer as the CA. In Windows Server 2008, MSCEP is part of the operating system and can be installed on a different computer than the CA.

Additional information: ITPROADD-204.ppt; Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn).
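What a relying party has to do with the IDP extension described above, as an added example that is not Microsoft's code or part of the original deck: the scope rules of RFC 5280 section 6.3.3 applied to partitioned CRLs (end-entity only, CA only, and a reasons-only partition), including the case the slide hints at where a single partition is not enough to call a certificate good. The issuer name, CDP URLs and serial numbers are constructed for the demo; the CRLs are modelled as plain objects rather than parsed DER.

```python
"""CRL scope checking with the Issuing Distribution Point (IDP) extension."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The CRLReason values a CRL can be partitioned by (RFC 5280 section 5.3.1).
ALL_REASONS = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise",
})


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    is_ca: bool
    crl_dps: Tuple[str, ...]   # URLs from the cert's CRL Distribution Points extension


@dataclass(frozen=True)
class IDP:
    """Issuing Distribution Point fields that define the scope of a CRL."""
    dp_names: Tuple[str, ...] = ()
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_attribute_certs: bool = False
    only_some_reasons: Optional[frozenset] = None


@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: Optional[IDP]          # None means a full, unpartitioned CRL
    revoked: Dict[int, str]     # serial -> CRLReason


def crl_in_scope(cert: Cert, crl: CRL) -> bool:
    """May this CRL be used at all to decide cert's status? (section 6.3.3 (b))"""
    if crl.issuer != cert.issuer:
        return False                       # indirect CRLs are out of scope here
    idp = crl.idp
    if idp is None:
        return True                        # full CRL: covers everything the issuer signed
    if idp.dp_names and not set(idp.dp_names) & set(cert.crl_dps):
        return False                       # partition for a different distribution point
    if idp.only_user_certs and cert.is_ca:
        return False
    if idp.only_ca_certs and not cert.is_ca:
        return False
    if idp.only_attribute_certs:
        return False                       # never covers public-key certificates
    return True


def reasons_covered(crl: CRL) -> frozenset:
    """Which reason codes this CRL speaks for (all, unless onlySomeReasons is set)."""
    if crl.idp is not None and crl.idp.only_some_reasons:
        return frozenset(crl.idp.only_some_reasons)
    return ALL_REASONS


def revocation_status(cert: Cert, crls) -> Tuple[str, Optional[str]]:
    """Combine every in-scope CRL. The cert is 'good' only once the union of the
    reason partitions seen covers every reason; otherwise it is 'undetermined'."""
    covered = frozenset()
    for crl in crls:
        if not crl_in_scope(cert, crl):
            continue
        if cert.serial in crl.revoked:
            return "revoked", crl.revoked[cert.serial]
        covered |= reasons_covered(crl)
    return ("good", None) if covered >= ALL_REASONS else ("undetermined", None)


# Constructed sample PKI: one issuing CA, three CDP URLs, three certificates.
ISSUER = "CN=Example Issuing CA"            # hypothetical issuer DN
EE_DP = "http://pki.example.test/ee.crl"    # hypothetical CDP URLs
CA_DP = "http://pki.example.test/ca.crl"
KC_DP = "http://pki.example.test/keycompromise.crl"

USER_CERT = Cert(0x1001, ISSUER, False, (EE_DP, KC_DP))
LEAKED_CERT = Cert(0x1002, ISSUER, False, (EE_DP, KC_DP))
SUB_CA_CERT = Cert(0x2001, ISSUER, True, (CA_DP,))

# Base CRL for end-entity certs (published daily), CA-only CRL, and a small
# keyCompromise partition published hourly; the leaked cert is already in the
# hourly partition but not yet in the daily base CRL.
EE_CRL = CRL(ISSUER, IDP(dp_names=(EE_DP,), only_user_certs=True), {})
CA_CRL = CRL(ISSUER, IDP(dp_names=(CA_DP,), only_ca_certs=True),
             {0x2001: "cessationOfOperation"})
KC_CRL = CRL(ISSUER, IDP(dp_names=(KC_DP,),
                         only_some_reasons=frozenset({"keyCompromise", "cACompromise"})),
             {0x1002: "keyCompromise"})

if __name__ == "__main__":
    for name, cert in [("user", USER_CERT), ("leaked", LEAKED_CERT), ("sub-CA", SUB_CA_CERT)]:
        print(name, revocation_status(cert, [EE_CRL, CA_CRL, KC_CRL]))
    print("user cert with only the keyCompromise partition:",
          revocation_status(USER_CERT, [KC_CRL]))
```

Two things the scope check buys you: the CA-only CRL cannot be (mis)used to clear an end-entity certificate, and the leaked key shows up as revoked an hour after the fact through the reasons partition even though the large base CRL has not been reissued yet. The flip side is that a client holding only the reasons partition must report the status as undetermined, not good, which is exactly what a validator that ignores IDP would get wrong.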

18 PKI enhancements
Slide elements: Enterprise PKI (PKIView): Microsoft Management Console snap-in, supports Unicode characters. Online Certificate Status Protocol (OCSP): Online Responders, Responder Arrays. Network Device Enrollment Service: Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP), improves the security of communications with network devices that use IPsec. Web Enrollment: the ActiveX® XEnroll.dll version was removed; improvements in the new COM enrollment control, CertEnroll.dll.

Talking points: There are many enhancements to the public key infrastructure (PKI) in the Windows Vista and Windows Server 2008 operating systems. Manageability has improved across all aspects of Windows PKI, the revocation services have been redesigned, and the attack surface for enrollment has been reduced. The enhancements include:

Enterprise PKI (PKIView): Originally part of the Windows Server 2003 Resource Kit under the name PKI Health tool, PKIView is now a Microsoft Management Console (MMC) snap-in for Windows Server 2008. Because it is part of the core operating system, administrators can use PKIView right after server installation by adding it to MMC. It can then analyze the health state of CAs and show details of the CA certificates published in AD CS. PKIView fully supports Unicode characters alongside PrintableString encoding. Unicode lets you present text and symbols from every language; in certificates it is carried as UTF8String (variable length, one to four bytes per character) or BMPString (two bytes per character, covering the 65,536 code points of the Basic Multilingual Plane). PrintableString, in contrast, allows only a small subset of ASCII: A-Z a-z 0-9 (space) ' () + , . / : = ?.

Online Certificate Status Protocol (OCSP): Certificate revocation is a necessary part of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is distributing certificate revocation lists (CRLs). In Windows Server 2008, an online responder based on OCSP can manage and distribute revocation status in cases where conventional CRLs are not the optimal solution. The OCSP responder was designed with scalability in mind and can be deployed on a certificate server or on a completely separate computer; it can also run on multiple clustered servers. The server-side component is flexible enough to obtain revocation information from multiple sources. The responder signs its answers with an OCSP Response Signing certificate issued by the CA it answers for, and that certificate carries the id-pkix-ocsp-nocheck extension so that clients do not recurse into checking the responder's own revocation status. Two significant new sets of functionality derive from the Online Responder service:
- Online Responders: An online responder is a computer running the Online Responder service. A computer that hosts a CA can also be configured as an online responder, but it is recommended to keep CAs and online responders on separate computers. A single online responder can provide revocation status for certificates issued by one or by multiple CAs, and a CA's revocation information can be distributed by more than one online responder.
- Responder arrays: Multiple online responders can be linked in an online responder array. Online responders in an array are called array members, and one member must be designated the array controller. Each online responder in an array can be configured and managed independently, but in case of conflicts the configuration of the array controller overrides the options set on the other members.

Network Device Enrollment Service (NDES): In Windows Server 2008, NDES is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that lets software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, enroll for X.509 certificates from a CA. SCEP was developed by Cisco Systems, Inc. as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459 and other standards to enable network device and application certificate enrollment with CAs. This feature applies to organizations that have a PKI with one or more Windows Server 2008 CAs and want to enhance the security of IPsec communications with network devices such as routers and switches. Adding NDES support can significantly increase the flexibility and scalability of an organization's PKI.

Web Enrollment: Certificate Web enrollment has been available since Windows 2000. It provides an enrollment mechanism for organizations that need to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, and for users of non-Microsoft operating systems. Instead of relying on a CA's autoenrollment mechanism or on the Certificate Request Wizard, the Web enrollment support of a Windows-based CA lets these users request and obtain new and renewed certificates over an Internet or intranet connection. A number of changes were made to certificate Web enrollment in Windows Server 2008, because the previous ActiveX® enrollment control was removed from Windows Vista and Windows Server 2008 and replaced with a new COM enrollment control. The old control, XEnroll.dll, is gone from Windows Vista and Windows Server 2008, and the new control, CertEnroll.dll, is introduced to improve certificate enrollment. XEnroll.dll can still be used for Web enrollment on computers running Windows 2000, Windows XP and Windows Server 2003. CertEnroll.dll was created to be more secure, easier to script and easier to update than XEnroll.dll.

Additional information: ITPROADD-204.ppt; Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn).

19 Cryptography Next Generation
4/2/2017 3:03 PM Cryptography Next Generation Cryptography Next Generation (CNG) Title: Cryptography Next Generation (CNG) Talking Points: Cryptography Next Generation (CNG) is new functionality in Windows Server 2008 that provides a flexible cryptographic development platform, allowing IT Professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory® Certificate Services, SSL, and IPsec. CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing. Difference between PKI and CNG: A public key infrastructure (PKI) is the combination of cryptography, software, processes, and services that enable an organization to secure its communications and business transactions. Cryptography Next Generation (CNG), is a new API that allows IT Professionals to create, update, and use custom cryptography algorithms in cryptography-related applications. Cryptography Next Generation is a long term replacement for the CryptoAPI in previous versions of Windows. CNG implements the NSA’s Suite-B protocols recommendations. One of the unique features of CNG is the ability for customers to use their own cryptographic algorithms or implementations of standard cryptographic algorithms if desired. This also covers the ability to add new algorithms as required. A CA installed on a Windows Server 2003 computer supports only cryptographic algorithms such as RSA or SHA1 through cryptographic service providers (CSPs). With Windows Vista and Windows Server 2008, classic cryptographic algorithms are still supported through CSPs, but also new algorithms like Elliptic Curve Cryptography are supported through CNG key providers. Although Key Providers cannot be changed post installation, the underlying Hash Algorithms can be changed at any time through command line tools. 
Currently, CNG-based algorithms such as ECC are supported only on Windows Vista and Windows Server 2008, which means certificates that use them cannot be used on earlier Windows versions such as Windows XP or Windows Server 2003. Classic algorithms such as RSA, however, can be used even when the keys were generated with a CNG key provider. To use the new cryptographic algorithms, both the CA and the applications must support ECC: the CA needs to issue and manage the new certificate types, and the applications must be able to validate the certificate chain and use keys generated with CNG algorithms.
Cryptography Next Generation (CNG) Capabilities: Customers can use their own cryptographic algorithms or implementations of standard cryptographic algorithms, and can add new algorithms. CNG supports cryptography in kernel mode; the same API is used in kernel mode and user mode, so cryptographic features are fully supported in both. Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IPsec, as well as the startup processes that use CNG, operate in kernel mode. The plan for CNG includes FIPS 140-2 Level 2 certification together with Common Criteria evaluations; CNG complies with Common Criteria requirements by using and storing long-lived keys in a secure process. CNG supports the current set of CryptoAPI 1.0 algorithms and adds elliptic curve cryptography (ECC) algorithms, a number of which are required by the United States government's Suite B effort. Any computer with a Trusted Platform Module (TPM) will be able to provide key isolation and key storage in the TPM.
Benefits of CNG: CNG gives IT staff a tool for performing cryptographic operations securely that also meets government Common Criteria requirements for storing keys. IT staff can use CNG to: Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data.
Create, store, and retrieve cryptographic keys. Install and use additional cryptographic providers.
Additional Information: Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn).
Includes algorithms for encryption, digital signatures, key exchange, and hashing; Supports cryptography in kernel mode; Supports the current CryptoAPI 1.0 algorithms; Supports elliptic curve cryptography (ECC) algorithms; Performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data.
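The three points the notes make about CNG on a Windows Server 2008 CA (ECC keys come only from a key storage provider, the provider cannot be changed after install but the hash can, and older clients cannot consume ECC certificates) can be exercised end to end from a client and the CA. The following is an added example written for this page, not code from the deck or from Microsoft; it assumes an enterprise CA at the placeholder config string "ca01.corp.example\Corp Issuing CA" that publishes a hypothetical template named "ECCUserCert" whose key is generated by a KSP, and the subject name "cng-test" is likewise a placeholder.

```powershell
# Added example, not from the deck. Assumes an enterprise CA at the placeholder
# config string below that publishes a hypothetical template "ECCUserCert"
# whose private key must come from a CNG key storage provider (KSP).
$caConfig = 'ca01.corp.example\Corp Issuing CA'

# 1. Request a certificate whose key pair is generated by the CNG KSP on
#    curve P-256. A legacy CSP cannot produce this key at all, so the
#    ProviderName line is what makes the request a CNG request.
$inf = @"
[NewRequest]
Subject = "CN=cng-test"
KeyAlgorithm = ECDSA_P256
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = sha256
KeyUsage = 0x80
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = ECCUserCert
"@
Set-Content -Path "$env:TEMP\cng.inf" -Value $inf
certreq -new    "$env:TEMP\cng.inf" "$env:TEMP\cng.req"
certreq -submit -config $caConfig "$env:TEMP\cng.req" "$env:TEMP\cng.cer"
certreq -accept "$env:TEMP\cng.cer"    # pairs the issued cert with the KSP key

# 2. Check where the key lives and how the CA signed the certificate.
function Get-CngCertInfo {
    param([string]$SubjectCn)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$SubjectCn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "no certificate with a private key for CN=$SubjectCn" }
    # certutil prints "Provider = Microsoft Software Key Storage Provider" for a
    # KSP key, and a CSP name (e.g. "...Enhanced Cryptographic Provider v1.0")
    # for a legacy key.
    $provider = (certutil -user -store My $cert.Thumbprint | Select-String 'Provider =') -join ''
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        PublicKey  = $cert.PublicKey.Oid.FriendlyName      # "ECC" for an ECDSA key
        Signature  = $cert.SignatureAlgorithm.FriendlyName # e.g. sha256ECDSA, sha1RSA
        Provider   = $provider.Trim()
    }
}
Get-CngCertInfo -SubjectCn 'cng-test'

# 3. On the CA itself: the key provider is fixed at install time, but the hash
#    the CA signs with can be switched later. Only certificates and CRLs issued
#    after the restart carry the new hash; nothing already issued changes.
#    (A CA installed with a legacy CSP keeps its hash under ca\csp\HashAlgorithm
#    instead, limited to what that CSP supports.)
certutil -getreg ca\csp\CNGHashAlgorithm
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service certsvc
```

Before choosing an ECC template, check who has to validate the chain: per the notes above, a Windows XP or Windows Server 2003 relying party cannot build a chain through an ECC-signed certificate, whereas an RSA certificate whose key happens to live in the KSP works everywhere.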

20 SSL Encryption for Web Servers: the foundation for many Microsoft solutions and features
Why SSL encryption for web servers is the foundation for many solutions and features; Choosing the certificate provider for web servers; Deploying certificates to web servers; Certificate templates; Issuing web server certificates.
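The four steps listed on this slide (choose the provider, deploy, pick a template, issue) come together in one procedure on an IIS 7 host that enrolls from the enterprise CA. This is an added example for this page, not code from the deck; it assumes the built-in "WebServer" template is published with Enroll permission for the server's computer account, that the CA config string and the host name www.corp.example are placeholders, and that IIS 7.x with the WebAdministration module is installed.

```powershell
# Added example, not from the deck. Assumes: an enterprise CA at the placeholder
# config string below, the built-in "WebServer" template published with Enroll
# permission for this server's computer account, and IIS 7.x with the
# WebAdministration PowerShell module.
$fqdn     = 'www.corp.example'                 # placeholder host name
$caConfig = 'ca01.corp.example\Corp Issuing CA' # placeholder CA

# 1. Build the request. The key is generated on the server, marked
#    non-exportable, and stored in the machine store so HTTP.sys can use it.
#    The SAN goes into the request's own extension; this does NOT require the
#    CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which would let any enrollee
#    request arbitrary names and should stay off.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn, O=Corp, C=BR"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=$fqdn"
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$env:TEMP\web.inf" -Value $inf
certreq -new    "$env:TEMP\web.inf" "$env:TEMP\web.req"
certreq -submit -config $caConfig "$env:TEMP\web.req" "$env:TEMP\web.cer"
certreq -accept "$env:TEMP\web.cer"    # pairs the issued cert with the private key

# 2. Pick the freshly issued certificate and sanity-check it before binding.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key for $fqdn" }
if (-not $cert.Verify()) { throw 'chain does not validate on this host' }
$serverAuth = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw 'certificate lacks the Server Authentication EKU' }

# 3. Bind it to port 443 on the site.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item 'IIS:\SslBindings\0.0.0.0!443'

# 4. Confirm what HTTP.sys will actually present to clients.
netsh http show sslcert ipport=0.0.0.0:443
```

The choice of provider in step 1 is the deck's "choosing the certificate provider": an internal enterprise CA is fine for intranet sites whose clients trust it through Group Policy, while an Internet-facing site needs a certificate from a CA the browsers already trust.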

21 Encrypting File System: Data Protection
Today, one of the challenges is protecting sensitive information. The Security Policy for Users states that information with confidential or secret content must use encryption techniques, or any other technique made available by the company. Challenge: When to use EFS? Enabling and disabling EFS; Certificate template for EFS; Obtaining a certificate for EFS.
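The three items on this slide (enable/disable EFS, the EFS template, obtaining the certificate) form one procedure on a domain-joined client. The following is an added example for this page, not code from the deck; it assumes the enterprise CA publishes an EFS template (the built-in "Basic EFS" or a version-2 copy) through autoenrollment, that a Data Recovery Agent is configured in Group Policy (Public Key Policies, Encrypting File System), and the folder path is a placeholder.

```powershell
# Added example, not from the deck. Assumes the enterprise CA publishes an EFS
# template via autoenrollment and that a Data Recovery Agent (DRA) is defined
# in Group Policy. The folder path is a placeholder.

# 1. Obtain the EFS certificate from the CA. "certutil -pulse" triggers user
#    autoenrollment now instead of waiting for the next policy refresh.
certutil -pulse

# Return the user's EFS-capable certificates and flag self-signed ones.
# Windows creates a self-signed EFS certificate when no CA is reachable; that
# key is never archived, so recovery of those files rests solely on the DRA.
function Get-EfsCertificate {
    $efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $c = $_
        $c.HasPrivateKey -and ($c.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsEku })
        })
    } | Select-Object Subject, Issuer, Thumbprint, NotAfter,
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } }
}
Get-EfsCertificate | Format-Table -AutoSize

# 2. Enable EFS on the folder holding confidential material. Files created
#    inside inherit the encryption attribute; /s applies it to existing content.
$dir = "$env:USERPROFILE\Documents\Confidential"   # placeholder path
New-Item -ItemType Directory -Path $dir -Force | Out-Null
cipher /e /s:"$dir"

# 3. Verify. /c lists, per file, which user certificates and which recovery
#    agent certificates can decrypt it. A file whose only key is a self-signed
#    certificate and that lists no DRA is lost if the user profile is lost.
cipher /c "$dir\*"

# 4. Disable EFS: per folder (decrypts in place) ...
cipher /d /s:"$dir"
# ... or for the whole machine (administrator; affects new encryption
#    operations, existing encrypted files stay encrypted).
fsutil behavior set disableencryption 1
fsutil behavior query disableencryption
```

The check in step 3 is the one that answers "when to use EFS" in practice: EFS is appropriate once every encrypted file shows a CA-issued user certificate plus a recovery agent, because only then can the company decrypt the data if the user's key is gone.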

22 Two-Factor Authentication: Strong Authentication
In information security, authentication is a process that seeks to verify the user's digital identity. Authentication normally depends on one or more "authentication factors", which are usually classified as: Something the user is; Something the user has; Something the user knows. Challenge: When to use two-factor authentication? Devices (smart card, USB token, OTP token); Planning and managing the rollout.


24 AD RMS: Data Protection and Information Classification
Today, one of the challenges is protecting sensitive information. The Security Policy for Users states: All information must be classified according to its sensitivity; All information must be protected based on its classification; It is the user's responsibility to protect the information (creation, handling, storage, ..., disposal). Challenge: When to use RMS? Use RMS in the information classification process; How to protect high-impact information.

25 Traditional design: firewall perimeter and Access Control List perimeter
Diagram: authorized users pass the firewall and ACL perimeters (YES); unauthorized users are stopped (NO); information leakage by authorized users, once inside, is not addressed by either perimeter.

26 Identity-Based Information Protection
Persistent protection: Encryption, Policy, Access Permissions, Use Right Permissions. Persistent protection for sensitive/confidential data; Controls access throughout the information life cycle; Grants access based on trusted identities; Ensures secure transmission and storage of important data (documents encrypted with 128-bit encryption); Creation of permission types (print, view, edit, expiration, etc.)

27 Rights Management Services: Persistent Information Protection
Encryption, Policy, Access Permissions, Use Rights

28 RMS Workflow (participants: Information Author, The Recipient; infrastructure: RMS Server, Active Directory, Microsoft® SQL Server®)
1. The author receives a client licensor certificate the first time they protect a document.
2. The author defines the permissions and rules for the file; the application creates the "publishing license" and encrypts the file.
3. The author distributes the file.
4. The recipient opens the file; the application calls the RMS Server, which validates the user and issues a "use license".
5. The application applies and enforces the permissions.


30 Market Trends: Internet / Corporate Network
Premise: the network infrastructure is always insecure; Redefinition of the corporate perimeter to protect the data center; Access policies based on identity, not on position within the network. Diagram: Internet, DirectAccess server, corporate network, data center and other critical resources, local user, remote user.

31 DirectAccess: Secure, transparent access to your corporate network from anywhere

32 What is DirectAccess? Transparent access to the corporate network
If the user's computer is connected to the Internet, it is connected to the corporate network. Remote management: the user's computer is managed wherever it is connected to the Internet. Secure connectivity: communication between the user's machine and corporate resources is protected.

33 Always connected: No user action required
Adapts to network changes

34 Secure: Encryption by default; Smart cards; Granular access control
Coexists with current solutions (access policies, health state, etc.)

35 Manageable: Access to machines that were previously "untouchable"
Allows GPO for remote machines; Integration with NAP

36 DirectAccess Solution: Internet / Corporate Network
Diagram: DirectAccess client, IPsec/IPv6 tunneled over IPv4 (UDP, TLS, etc.), Internet, DirectAccess server (Windows Server 2008 R2), corporate network, NAP servers, data center and other critical resources, corporate users. Clients have transparent IPv6 connectivity from any location, secured with IPsec. Traffic to the corporate network is routed through a DirectAccess server (Windows Server 2008 R2). Integration with NAP for policy-based access control.
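Each element in the diagram (an IPv6 transition tunnel carried over IPv4, name resolution policy steering corporate names into that tunnel, and IPsec security associations to the DirectAccess server) is visible on the client with built-in tools. The following is an added example for this page, not code from the deck; it is written for a Windows 7 DirectAccess client and only reads state, so it is safe to run while troubleshooting. The function name Test-DirectAccessClient is an assumption of this example.

```powershell
# Added example, not from the deck. Runs on a Windows 7 DirectAccess client
# using only netsh and the certificate provider; it reads state and changes
# nothing. Test-DirectAccessClient is a name chosen for this example.
function Test-DirectAccessClient {
    $r = @{}

    # Where does the client think it is? Inside the corporate network the
    # DirectAccess settings are bypassed, so everything below only matters
    # when this says "Outside corporate network".
    $r.Location = (netsh dnsclient show state | Select-String 'Location') -join '; '

    # IPv6 transition technologies: the tunnel over IPv4 in the diagram is one
    # of these. Behind an IPv4 NAT, Teredo or IP-HTTPS (TLS) must be active.
    $r.Teredo    = (netsh interface teredo show state | Select-String '^State') -join '; '
    $r.IpHttps   = (netsh interface httpstunnel show interfaces | Select-String 'Status|Error') -join '; '
    $r.SixToFour = (netsh interface 6to4 show state | Select-String '^State') -join '; '

    # Name Resolution Policy Table: corporate DNS suffixes must be sent to the
    # intranet DNS servers through the tunnel, everything else to local DNS.
    $r.Nrpt = (netsh namespace show policy | Select-String 'Settings for|DirectAccess \(DNS') -join '; '

    # IPsec SAs to the DirectAccess server: the infrastructure tunnel is
    # authenticated with the computer certificate, the intranet tunnel with the
    # user (and smart card, if required by policy).
    $r.MainModeSA  = (netsh advfirewall monitor show mmsa | Select-String 'Remote IP|Auth') -join '; '
    $r.QuickModeSA = (netsh advfirewall monitor show qmsa | Select-String 'Remote IP|Protocol') -join '; '

    # The computer certificate the infrastructure tunnel relies on: it must be
    # present, have a private key, and not be expired.
    $r.MachineCerts = (Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object { $_.Subject }) -join '; '

    return $r
}

Test-DirectAccessClient | Format-List
```

A healthy client shows Location as outside the corporate network, exactly one transition interface in a connected state, NRPT entries naming the corporate suffix with the intranet DNS servers, at least one main-mode SA whose remote address is the DirectAccess server, and a current computer certificate. Group Policy refresh and remote management ride on those tunnels, so if the SAs are missing the "manageable" and "always connected" properties on the previous slides do not hold either.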


39 Related content: Thematic sessions


41 Please fill out the session evaluation

