1 Securing Windows Vista with Software Restriction and Device Policies
Slide Title: Title Slide. Keywords: Title. Key Message: Title Slide. Slide Builds: 0
Slide Script: Hello and welcome to this Microsoft TechNet session on Group Policy in Windows Vista. My name is {insert name}.
Slide Transition: This session serves as an introduction to the new Group Policy features included in Windows Vista.
Additional Information: Fabio Hara, IMCSA, MCSE, MCT, MCTS, MVP Windows Server Networking

2 Agenda
Slide bullets: GPO administration; Group Policy with Windows Vista; QoS Policies
Slide Title: What Will We Cover? Keywords: What Will We Cover? Key Message: What Will We Cover? Slide Builds: 2
Slide Script: During the session, we'll review many of the ways Windows Vista and Windows Server "Longhorn" improve how you control Windows settings through Group Policy. We will describe the new and updated features, and how they alleviate problems that were present in previous versions of Windows. [BUILD1] The number of Group Policy settings has increased from approximately 1,700 in Windows Server 2003 with Service Pack 1 to approximately 3,000 in Windows Vista and Windows Server "Longhorn." We will look only at the biggest improvements and give you a good starting point for using the new Group Policy settings. [BUILD2] Finally, we will introduce Quality of Service (QoS) policies, which are available with Windows Vista. IT managers are concerned with end-to-end performance and WAN performance. The new QoS policies in Windows Vista let you either prioritize outgoing network traffic or manage its sending rate. Windows Vista also introduces new QoS policies for home networks.
Slide Transition: As we go through today's session, you will hear various Microsoft acronyms and terminology.

3 Required Prerequisites
Slide bullets: Knowledge of Group Policy; Administration of Microsoft networks
Slide Title: Helpful Experience. Keywords: Helpful Experience. Key Message: Helpful Experience. Slide Builds: 2
Slide Script: While we will explain all new terms related to today's session, there are some general terms from the industry or from other versions of Microsoft products that we may not spend time on. To help you out, we have listed the areas it may be helpful to be familiar with, either before this session or as a reference afterwards. [BUILD1] First, it will help to have at least a basic understanding of Group Policy, including how to administer it through the Group Policy Management Console, or GPMC. [BUILD2] Since we will be covering improvements to Group Policy over previous versions of Windows, it will also help to have some experience administering Windows Server 2003 and Windows XP.
Slide Transition: We've divided today's session into three parts to cover the relevant Group Policy topics.
Additional Information: Level 200

4 Agenda: Understanding Group Policy
Slide bullets: Reviewing the new infrastructure features; Using GPO settings
Slide Title: Agenda: Understanding Group Policy. Keywords: Agenda. Key Message: Agenda. Slide Builds: 2
Slide Script: We'll start with a general overview of Group Policy. We will discuss the terms related to Group Policy and how Group Policy has functioned in previous versions of Windows. We'll also look at the state of Group Policy and the common customer complaints about the previous versions of Windows. [BUILD1] Then, we will introduce the new Group Policy infrastructure improvements made in response to customer needs, and show how these new features assist in reliable and efficient policy application. [BUILD2] Finally, we will show how to use some of the new policy settings for better administration. Many new or improved settings make Group Policy management easier from a single location. We are going to focus on how these settings improve security and desktop management. In addition, there are new settings to restrict device installation, which greatly increase security. Finally, we will take a look at QoS policies and how we can use Group Policy to control them.
Slide Transition: Let's start with an overview of the Group Policy architecture.

5 Group Policy Overview
Slide Title: Group Policy Overview. Keywords: group policy, group policy objects, GPMC, registry-based policy, security policy. Key Message: Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. Slide Builds: 3
Slide Script: Group Policy is an infrastructure used to deliver and apply desired configuration or policy settings to a set of targeted users and computers within an Active Directory environment. The infrastructure consists of a Group Policy engine and multiple client-side extensions that write policy settings on the target client computers. Where Active Directory is deployed, Group Policy is used in 90 percent of large organizations and 60 percent of mid-market companies. With the last major release there were over 1,800 registry-based policy settings; however, customers want more policy settings in the areas of security and desktop management. [BUILD1] Except for the local Group Policy object, Group Policy objects are virtual objects. The policy setting information of a GPO is stored in two locations: the Group Policy container and the Group Policy template. [BUILD2] The Group Policy container is an Active Directory container that stores GPO properties, including the version, the GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure in the file system (under SYSVOL on each domain controller) that stores administrative template-based policies, security settings, script files, and information about applications available for Group Policy software installation. [BUILD3] There are two management consoles for administering Group Policy. The Group Policy Management Console, or GPMC, is a Microsoft Management Console snap-in. Group Policy Object Editor is used to edit the individual settings contained within each Group Policy object.
Slide Transition: There are several other areas of frustration in Group Policy.

6 Improvements with Windows Vista
Slide bullets: Reliable and Efficient Application of Policy; Extended Coverage; Ease of Use (slide graphic: "Hello" / "Hola" for multilingual templates; SYSVOL)
Slide Title: Windows Vista Improvements. Keywords: Ease of use, security, desktop management, application of policy. Key Message: With Windows Vista, Group Policy has more settings, applies them more reliably, and is easier to use. Slide Builds: 2
Slide Script: Group Policy has been extended to cover the new features of the new operating system, with an emphasis on the key areas of security and desktop management. [BUILD1] While the ability to set policies across the organization is important, ensuring that the policies are deployed and enforced is equally important. The new infrastructure improvements in Windows Vista make the application of policy more reliable and efficient. The infrastructure is more secure and stable with the introduction of the Group Policy Service. Network awareness increases responsiveness to changing network conditions. In the past, Group Policy has been difficult to troubleshoot; Windows Vista provides an enhanced troubleshooting experience. Finally, Windows Vista allows the application of multiple local GPOs for desktop management and security. [BUILD2] Ease of use is increased by integrating the GPMC with the operating system. In addition, the administrative templates have improved syntax and allow for multilingual support. Also introduced is a solution to SYSVOL bloat.
Slide Transition: In earlier versions of Windows, the Group Policy process relied on Winlogon.

7 Group Policy Service
Slide bullets: More efficient; The service became more secure; Winlogon
Slide Title: Group Policy Service. Keywords: Winlogon, GINA. Key Message: The Group Policy infrastructure in Windows Vista is improved, with complete isolation from Winlogon. Slide Builds: 3
Slide Script: Winlogon is the operating system component that provides interactive logon support. Before Windows Vista it was designed around an interactive logon model of three components: the Winlogon executable, a Graphical Identification and Authentication DLL referred to as the GINA, and any number of network providers. When an administrator applies a Group Policy, the client interprets the policy and makes the relevant changes to the environment. As Group Policy was processed, the Winlogon process passed the list of GPOs to be processed to each Group Policy client-side extension, which used the list to process the relevant policy when applicable. With Windows Vista, the Group Policy infrastructure is completely isolated from Winlogon, with a new architecture for how Group Policy performs notification and processing: Group Policy now runs as its own service inside a shared service host (svchost) on the client. The separation from Winlogon provides better reliability for both Windows and Group Policy, and has several other benefits. [BUILD1] Applying policy is more efficient because fewer resources are used for background processing. The new design reduces memory usage, increases performance, and removes the need to load Group Policy functionality into multiple services. [BUILD2] The Group Policy Service has been hardened: a local administrator needs elevated privilege to stop the service, and the service restart configuration recovers from unexpected failures. All of this is transparent to users.
Slide Transition: Network Location Awareness in Windows Vista allows Group Policy to respond better to changing network conditions.

8 Network Awareness
Slide graphic labels: Connection via VPN; Group Policy Client; Ping
Slide Title: Network Awareness. Keywords: ICMP protocol, PING, VPN, network awareness. Key Message: Network Location Awareness allows Group Policy to respond better to changing network conditions. Slide Builds: 2
Slide Script: ICMP allows for the generation of error messages, test packets, and informational messages related to IP. The protocol is used to report problems with the delivery of IP datagrams within an IP network: for example, when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, or when an error occurs in the IP header. The "ping" program is a client interface to ICMP. It can be used to verify that an end-to-end Internet path is operational, and it also collects performance statistics. Windows Vista introduces the network awareness feature, which removes the reliance on ICMP for policy application. Instead of ICMP, the Group Policy client uses Network Location Awareness for bandwidth determination. This allows organizations to secure their networks with firewalls, filter ICMP, and still apply Group Policy. [BUILD1] Group Policy processes even if you have removed the ability of computers to respond to ICMP. In the past, Group Policy application would fail in this situation, because slow-link detection relied on ICMP echo requests (ping) to the domain controller, so administrators had to leave ping open to keep policy working. The Group Policy client in Windows Vista now uses Network Location Awareness to determine the network bandwidth, and continues to process Group Policy. [BUILD2] Network Location Awareness also provides other benefits. First, the workstation or server starts up faster: because Network Location Awareness gives Group Policy an accurate indication of when the network is ready, and whether the adapter is disabled or disconnected, Group Policy shortens its wait time when the network is unavailable. Then, the Group Policy client applies policy settings as soon as domain controller availability returns. By applying Group Policy changes more quickly, your workstation is more secure.

9 Multiple Local GPOs
Slide bullet: Customer request: different configurations for different users through local policies
Slide Title: Multiple Local GPOs. Keywords: Local GPOs, LGPOs. Key Message: With Windows Vista, you can manage multiple local GPOs on a single computer. Slide Builds: 1
Slide Script: Local GPOs are primarily used in environments that don't use Active Directory, or on non-domain-joined, shared-use computers such as kiosks. Customers have requested the ability to set different configurations for different users using just local GPOs. Before Windows Vista this wasn't possible, because there was no concept of security filtering on local GPOs: the single local GPO applied to everyone who logged on. [BUILD1] Windows Vista introduces multiple local GPOs, which support different policy settings for different local users. This flexibility eases the management of shared computers, such as those in libraries or computer labs. In a workgroup, each computer still maintains its own policy settings. Local GPOs can be assigned to individual local users or to built-in groups; they coexist with domain-based Group Policy, and processing of local GPOs on domain-joined computers can be turned off through a Group Policy setting. As with other versions of Windows, domain GPOs take precedence over local GPOs. Multiple Local Group Policy gives you the flexibility to manage Group Policy based on built-in groups. For example, for kiosk computers in a library you could create tightly managed policy settings for the built-in Users group and a more relaxed set for the built-in Administrators group. Users get a secure Internet kiosk, while local administrators have a more relaxed environment for managing the workstation.
Slide Transition: Originally, GPMC was provided as a separate download for Windows Server 2003.

10 Group Policy Management Console
Slide Title: Group Policy Management Console. Keywords: Group Policy Management Console, GPMC. Key Message: The GPMC is integrated with Windows Vista. Slide Builds: 2
Slide Script: Shipping the GPMC as a separate download led to some confusion, and it is now directly integrated into the Windows Vista operating system. GPMC was designed to simplify management of Group Policy, and the integration with Windows Vista simplifies it further. In Windows Vista and Windows Server "Longhorn," GPMC has full update support through Windows Update, meaning it can be updated in the same way as any other component that ships with the operating system. In addition, GPMC now takes advantage of the newly developed, XML-based, resource-independent policy definition files, which we will explain later in the demonstration. While the GPMC is the standard tool for managing Group Policy, administrators can also use the Group Policy Object Editor, or GPEDIT, to edit the individual settings contained within each Group Policy object.
Slide Transition: Over the years, Group Policy logging has been a consistent problem for administrators.

11 Events and Logging
Slide labels: userenv.log; Multiple logs; Cryptic error messages; Admin Events; Operational Events
Slide Title: Events and Logging. Keywords: events, logging, troubleshooting, userenv.dll. Key Message: The Group Policy engine no longer relies on the trace logging found within userenv.dll. Slide Builds: 1
Slide Script: The main log for Group Policy used to be a file named userenv.log, which contained function trace statements with supporting data. Its cryptic error messages typically gave no consistent diagnosis or resolution information. In addition, the profile load and unload functions shared this log file, which made it harder to read. The log was used together with the Resultant Set of Policy MMC snap-in to diagnose and resolve Group Policy problems. Userenv.log is not IT-admin friendly, and many administrators are not even aware that it exists. Finally, each Group Policy extension had its own log format and location, so there was no consolidated, centralized reporting. [BUILD1] With Windows Vista, the Group Policy engine no longer relies on the trace logging in userenv.dll. Instead, it is its own component, the Group Policy Service, a stand-alone service that runs in a svchost process for the purpose of reading and applying Group Policy. This service writes new, more descriptive event log messages specific to Group Policy and its related functions, which makes problems easier to diagnose. Windows Vista and Windows Server "Longhorn" use a new event-management infrastructure, code-named "Crimson." The Group Policy log takes advantage of it to record XML-based events and to support application channels, such as the Group Policy operational log in Event Viewer. With this technology, events from different sources, such as a workstation and a domain controller, can be collected and viewed in a single console using subscriptions, which simplifies troubleshooting and reduces administrative time. Finally, from Event Viewer you can attach a scheduled task to an event: for example, you can have an e-mail sent when a certain event appears in the Group Policy log.
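The new operational log records each processing cycle as a set of XML events sharing one Correlation ActivityID, which is what makes the consolidated troubleshooting described above possible. The following is an added example, not code from the presentation: it parses events in the XML shape Event Viewer produces for a saved log and reconstructs each cycle (scope, duration, failing extension). The sample records are constructed, and the event ID ranges and Data field names used here (start 4000-4007, completion 8000-8007, error 7000-7999; CSEExtensionName, ElapsedMs, ErrorCode) are assumptions for the demonstration rather than a transcription of the real schema.

```python
"""Correlate Group Policy operational events by ActivityID (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

A1 = "{00000000-0000-0000-0000-0000000000a1}"  # constructed activity ids
A2 = "{00000000-0000-0000-0000-0000000000a2}"


def _event(eid, level, when, activity, **data):
    """Build one constructed <Event> record in the Windows event XML schema."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-GroupPolicy"/>'
        f"<EventID>{eid}</EventID><Level>{level}</Level>"
        f'<TimeCreated SystemTime="{when}"/>'
        f'<Correlation ActivityID="{activity}"/>'
        "<Channel>Microsoft-Windows-GroupPolicy/Operational</Channel></System>"
        f"<EventData>{fields}</EventData></Event>"
    )


# Constructed export: a manual computer refresh (A1) in which the Software
# Installation extension fails, followed by a clean user logon cycle (A2).
# Event IDs and Data names are assumptions made for this example.
SAMPLE_XML = "<Events>" + "".join([
    _event(4004, 4, "2007-03-01T10:00:00.000Z", A1, IsMachine=1),
    _event(5016, 4, "2007-03-01T10:00:03.000Z", A1, CSEExtensionName="Registry", ElapsedMs=250),
    _event(7016, 2, "2007-03-01T10:00:09.000Z", A1, CSEExtensionName="Software Installation",
           ElapsedMs=6000, ErrorCode=1274),
    _event(8004, 4, "2007-03-01T10:00:12.500Z", A1, IsMachine=1),
    _event(4001, 4, "2007-03-01T10:05:00.000Z", A2, IsMachine=0),
    _event(8001, 4, "2007-03-01T10:05:02.000Z", A2, IsMachine=0),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict; EventData becomes {Name: text}."""
    events = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        sysel = ev.find("e:System", NS)
        events.append({
            "id": int(sysel.findtext("e:EventID", namespaces=NS)),
            "level": int(sysel.findtext("e:Level", namespaces=NS)),
            "time": datetime.strptime(sysel.find("e:TimeCreated", NS).get("SystemTime"),
                                      "%Y-%m-%dT%H:%M:%S.%fZ"),
            "activity": sysel.find("e:Correlation", NS).get("ActivityID"),
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return events


def correlate(events):
    """Group events by ActivityID into processing cycles, in time order."""
    cycles = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        c = cycles.setdefault(ev["activity"], {"start": None, "end": None, "errors": [], "cse_ms": {}})
        if 4000 <= ev["id"] <= 4007:          # assumed: start of a cycle
            c["start"] = ev
        elif 8000 <= ev["id"] <= 8007:        # assumed: successful completion
            c["end"] = ev
        elif 7000 <= ev["id"] <= 7999:        # assumed: error events
            c["errors"].append(ev)
        if "CSEExtensionName" in ev["data"]:
            c["cse_ms"][ev["data"]["CSEExtensionName"]] = int(ev["data"].get("ElapsedMs", 0))
    return cycles


def summarize(cycles):
    """One row per cycle: scope, wall-clock duration, errors, slowest CSE."""
    rows = []
    for activity, c in cycles.items():
        start, end = c["start"], c["end"]
        rows.append({
            "activity": activity,
            "scope": "computer" if start and start["data"].get("IsMachine") == "1" else "user",
            "duration_s": (end["time"] - start["time"]).total_seconds() if start and end else None,
            "errors": [(e["id"], e["data"].get("ErrorCode")) for e in c["errors"]],
            "slowest_cse": max(c["cse_ms"], key=c["cse_ms"].get) if c["cse_ms"] else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(correlate(parse_events(SAMPLE_XML))):
        print(row)
```

Because the old userenv.log had no per-cycle identifier, this kind of grouping had to be done by hand from timestamps; with the ActivityID it is a dictionary lookup, and a cycle with a start event but no completion event is immediately visible as a hung or aborted refresh.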

12 Demonstration: Using Group Policy Features
Slide bullets: Using the GPMC; Using Events and Logging
Slide Title: Demonstration: Using Group Policy Features. Keywords: Demonstration. Key Message: Demonstration. Slide Builds: 0
Slide Script: In this demonstration, we will show how to enable settings for Internet Explorer 7.0 through Group Policy. We'll also show how to access the Group Policy log in the Windows Vista Event Viewer.
Slide Transition: Administrative Template files contain markup used to describe registry-based policy settings, and are the major type of policy setting that you can manage using Group Policy.

13 Administrative Template Files
Slide diagram:
  Windows Vista administrative computer (English): %windir%\PolicyDefinitions\Printing.admx, inetres.admx; %windir%\PolicyDefinitions\en-US\Printing.adml, inetres.adml
  Windows Vista administrative computer (French): %windir%\PolicyDefinitions\Printing.admx, inetres.admx; %windir%\PolicyDefinitions\fr\Printing.adml, inetres.adml
  Central store: <sysvol>\Policies\PolicyDefinitions\Printing.admx, inetres.admx; ...\en-US\Printing.adml, inetres.adml; ...\fr\ ...
Slide Title: Administrative Template Files. Keywords: ADM files, ADMX files, Administrative template files, multilingual support. Key Message: New Administrative Template files make it easier to manage registry-based policy settings in Windows Vista and Windows Server "Longhorn." Slide Builds: 1
Slide Script: Originally released for Windows NT 4, Administrative Template files used a unique file format known as ADM files. In the SYSVOL folder of each domain controller, each domain GPO maintains a folder called the Group Policy Template, or GPT. The GPT stored all the ADM files that were in use in Group Policy Object Editor when the GPO was last created or edited. With ADM files, when policy settings needed to be presented in the user interface in different languages, you couldn't use the GPT to store ADM files for both languages, because the GPT can hold only one set of ADM files.

14 Administrative Template Files - Notes
[BUILD2] In Windows Vista, the ADM files are replaced by an XML-based file format known as ADMX files. These new Administrative Template files make it easier to manage registry-based policy settings in Windows Vista and Windows Server "Longhorn." ADMX files can be kept in a central store, a domain-wide directory created in SYSVOL. This removes the need for each GPO to carry its own copy of the templates, and with it the additional storage and replication traffic that grew with the number of GPOs. In addition to the central store, ADMX files provide multilingual support: they are divided into language-neutral resources (.admx) and language-specific resources (.adml), available to all Group Policy administrators. This lets the Group Policy tools adjust their user interface to the administrator's configured language, a big improvement for global organizations. For example, say you create a GPO from a Windows Vista administrative workstation configured for English, save it, and link it to a domain that spans geographic boundaries. A colleague in Paris browses the same domain with GPMC, selects the GPO created in English, and can view and edit the policy settings in French. The original administrator still sees all the settings, including the French administrator's changes, in English. This works because the registry key and values a setting maps to live in the language-neutral file, and only the display strings are localized. There is also administrative interoperability between Windows Vista or Windows Server "Longhorn" and the Windows 2000 or Windows Server 2003 platforms: the Group Policy administrative tools in Windows Vista can read and create both ADMX and ADM files, and until a central store is created they use the core operating system ADMX files from the local computer. You can use Windows Vista to view all Group Policy settings, in both ADMX and ADM files, and to create Group Policy Objects for Windows Vista, Windows XP, Windows Server 2003 and Windows 2000 systems. However, policy settings that exist only in ADMX files are available only from Windows Vista or Windows Server "Longhorn."
Slide Transition: Editing a domain-based GPO involves several more steps than editing a local GPO.
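The split between the language-neutral .admx file and the per-language .adml string tables is what lets two administrators edit one GPO in different languages. The following is an added example, not code from the presentation: it resolves a policy definition against an English and a French string table and shows that the registry write is the same either way. The policy "DisableFoo", its key Software\Policies\Example and both string tables are constructed for this demonstration (assumptions); the element layout follows the ADMX/ADML format found in %windir%\PolicyDefinitions.

```python
"""Resolve an ADMX policy through two ADML string tables (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed language-neutral definition (assumption: not a real Microsoft file).
ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces><target prefix="example" namespace="Example.Policies"/></policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <categories><category name="ExampleCat" displayName="$(string.ExampleCat)"/></categories>
  <policies>
    <policy name="DisableFoo" class="Machine" displayName="$(string.DisableFoo)"
            explainText="$(string.DisableFoo_Help)"
            key="Software\Policies\Example" valueName="DisableFoo">
      <parentCategory ref="ExampleCat"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>"""

# Constructed language-specific resources; the French table deliberately
# lacks DisableFoo_Help to show what an out-of-date ADML looks like.
ADML = {
    "en-US": """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                                          revision="1.0" schemaVersion="1.0">
  <displayName>Example</displayName><description>Example</description>
  <resources><stringTable>
    <string id="ExampleCat">Example component</string>
    <string id="DisableFoo">Turn off Foo</string>
    <string id="DisableFoo_Help">Prevents users from running Foo.</string>
  </stringTable></resources>
</policyDefinitionResources>""",
    "fr": """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                                      revision="1.0" schemaVersion="1.0">
  <displayName>Exemple</displayName><description>Exemple</description>
  <resources><stringTable>
    <string id="ExampleCat">Composant d'exemple</string>
    <string id="DisableFoo">Désactiver Foo</string>
  </stringTable></resources>
</policyDefinitionResources>""",
}

_REF = re.compile(r"^\$\(string\.(\w+)\)$")


def load_strings(adml_text):
    """ADML string table: id -> localized text."""
    return {s.get("id"): (s.text or "")
            for s in ET.fromstring(adml_text).iterfind(".//{*}string")}


def resolve(admx_text, strings):
    """Join the ADMX policy definitions with one language's strings."""
    policies = {}
    for p in ET.fromstring(admx_text).iterfind(".//{*}policy"):
        def text(attr):
            raw = p.get(attr, "")
            m = _REF.match(raw)
            # An unresolved reference is left as-is, which is what the editor
            # shows when the ADML revision does not match the ADMX.
            return strings.get(m.group(1), raw) if m else raw
        policies[p.get("name")] = {
            "display": text("displayName"),
            "explain": text("explainText"),
            "class": p.get("class"),
            "key": p.get("key"),
            "valueName": p.get("valueName"),
            "enabled": int(p.find("{*}enabledValue/{*}decimal").get("value")),
            "disabled": int(p.find("{*}disabledValue/{*}decimal").get("value")),
        }
    return policies


def registry_action(policy, state):
    """What the Registry extension writes for Enabled / Disabled / Not Configured."""
    hive = "HKLM" if policy["class"] == "Machine" else "HKCU"
    path = hive + "\\" + policy["key"]
    if state == "not configured":
        return ("delete", path, policy["valueName"], None)
    value = policy["enabled"] if state == "enabled" else policy["disabled"]
    return ("set", path, policy["valueName"], value)


if __name__ == "__main__":
    for lang, adml in ADML.items():
        pol = resolve(ADMX, load_strings(adml))["DisableFoo"]
        print(lang, pol["display"], "|", pol["explain"], "|", registry_action(pol, "enabled"))
```

The French table is missing one string on purpose: a mismatch between the .admx revision and a stale .adml in the central store shows up in the editor as the raw "$(string.…)" reference, which is the first thing to check when a setting's text looks wrong in one language only.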

15 Demonstration: Editing Domain-based GPOs Using ADMX Files
Slide bullet: Create the ADMX central store
Slide Title: Demonstration: Editing Domain-based GPOs Using ADMX Files. Keywords: Demonstration. Key Message: Demonstration. Slide Builds: 0
Slide Script: In this demonstration, we will create a central, domain-wide storage location for the new Windows Vista ADMX policy templates (the PolicyDefinitions folder under <sysvol>\Policies, which is replicated to every domain controller) and populate it with the templates from an administrative workstation.
Slide Transition: Group Policy benefits from DFS Replication, the successor to the File Replication Service, and from the storage of the new ADMX files, which together reduce network bandwidth usage and SYSVOL storage costs.

16 DFS Replication and SYSVOL
Slide labels: ADM File; ADMX File
Slide Title: DFS Replication and Sysvol. Keywords: FRS, DFS Replication, Sysvol, ADM, ADMX. Key Message: Group Policy benefits from DFS Replication and storage of the new ADMX files to reduce usage of network bandwidth and Sysvol storage costs. Slide Builds: 2
Slide Script: DFS Replication is a new state-based, multimaster replication engine that supports replication scheduling and bandwidth throttling. It uses the new Remote Differential Compression (RDC) algorithm, which allows it to replicate only the differences between two servers, so replication uses less bandwidth. The Windows Server 2003 System Volume, SYSVOL, is a collection of folders and reparse points in the file system of each domain controller in a domain. SYSVOL provides a standard location to store important elements of GPOs and scripts. The File Replication Service (FRS) monitored SYSVOL, and when a file stored there changed, it automatically replicated the changed file to the SYSVOL folders on the other domain controllers in the domain. [BUILD1] In earlier operating systems, whenever you created a GPO, all the default ADM files were added to it, at a storage cost of about 4 MB per GPO. When all GPOs changed at once, replication traffic spiked; for example, modifying the permissions on GPOs during an upgrade from a Windows 2000 domain to a Windows Server 2003 domain caused all ADM files across all GPOs to replicate at the same time, which can affect network bandwidth availability and performance. [BUILD2] This process is replaced in Windows Vista by a central store in SYSVOL containing the new ADMX files. GPOs created with Windows Vista do not each contain ADMX files, so there is less data to replicate. As long as all Group Policy administrators use the Windows Vista client, new GPOs will contain neither ADM nor ADMX files; a GPO edited from a pre-Vista editor gets its ADM files back. Then, with DFS Replication, only the differences in the GPO are replicated.
Slide Transition: These two changes greatly reduce the storage and network bandwidth needed after a Group Policy administrator changes a GPO.

17 Choosing the Right Settings
Slide bullets (examples of policy types): BITS; Client Help; Disk Failure Diagnostics; DVD Video Burning; Shell Application Management; MMTP; Network Quarantine; Security Protection; UAC
Slide Title: Choosing the Right Settings. Keywords: antivirus, BITS, client help, disk failure diagnostics, DVD Video burning, MMTP, networking quarantine, security protection, shell application management, UAP. Key Message: The number of Group Policy settings has increased, from approximately 1,700 in Windows Server 2003 with SP1 to approximately 3,000 in Windows Vista and Windows Server "Longhorn." Slide Builds: 9
Slide Script: The number of Group Policy settings has increased, from approximately 1,700 in Windows Server 2003 with Service Pack 1 to approximately 3,000 in Windows Vista and Windows Server "Longhorn." Here is a sampling of the new features. [BUILD1] You can configure the new Background Intelligent Transfer Service (BITS) Neighbor Casting feature to facilitate peer-to-peer file transfer within a domain. [BUILD2] Client Help determines where your users access Help systems that may include untrusted content; you can direct them to online Help or to local offline Help. [BUILD3] Disk Failure Diagnostics controls the level of information displayed by the hard disk diagnostics technology included with Windows Vista. [BUILD4] The DVD Video Burning setting customizes the video disc authoring experience. [BUILD5] The Model-based Management Tools Platform (MMTP) setting lets administrators start the Out of Box Experience or the Initial Configuration Tasks window automatically at logon. [BUILD6] Network Quarantine manages three components: Health Registration Authority, Internet Authentication Service, and Network Access Protection. Network Quarantine options will require additional configuration, instructions for which will be available when Vista is released.

18 UAC Policy Settings
Slide Title: UAC Policy Settings. Keywords: User Account Control, UAC. Key Message: UAC in Windows Vista helps increase security. Slide Builds: 2
Slide Script: UAC is a new set of features in Windows Vista that strikes a balance between the privileges of an administrator account and the security of a standard user account. Before Windows Vista, activities such as surfing the Web, sending e-mail, and using productivity programs in practice required administrative privileges, although none of them should. UAC in Windows Vista makes it easy to perform these activities and be productive using only standard user accounts. Most of the time, users run with standard privileges; when they need to perform an administrative task, such as installing a program, Windows Vista lets them perform that task with administrative privileges. By limiting the time spent running with administrative rights, it is harder for malware to have computer-wide impact. [BUILD1] UAC settings are established through Group Policy and are per-computer settings; they live under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Separate settings exist for administrators and for standard users. When a standard user tries to run a program that requires administrative privileges, you can set the behavior to either no prompt (the request is automatically denied) or prompt for credentials. The default, and recommended, behavior is to prompt for credentials. [BUILD2] Administrator accounts have an additional option: the behavior on an elevation event can be no prompt, prompt for credentials, or prompt for consent. In addition, you have the option to run all users, including administrators, as UAC users, that is, with a standard-user token until they elevate (Admin Approval Mode). This option is enabled by default.
Slide Transition: Windows Vista takes an important step in security and desktop management by combining Windows Firewall and IPsec management into a single user experience.

19 Windows Firewall and IPsec
Slide Title: Windows Firewall and IPSec. Keywords: IPSec, Windows Firewall, Isolation scenarios. Key Message: Windows Firewall and IPSec management are combined in Windows Vista. Slide Builds: 2
Slide Script: IP Security, commonly called IPsec, is a suite of IP protocols used to provide secure communication. IPsec policies and filters distributed by Group Policy provide authorization for authenticated users and computers. IPsec can protect communication between workgroups, local area network computers, domain clients and servers, branch offices, extranets, and roaming clients. Although IPsec can encrypt, in these scenarios it is mostly used for end-to-end authentication. Windows Firewall in Windows Vista filters both incoming and outgoing traffic. It monitors incoming traffic and drops all unsolicited incoming traffic, that is, traffic that is neither a response to a request made by the computer nor explicitly allowed by an exception. By blocking unsolicited incoming traffic, Windows Firewall helps prevent infection by network-level viruses and worms that spread that way. The new Windows Firewall can also block outgoing traffic; for example, a network administrator can configure a set of exceptions to block all traffic to specific addresses containing either sensitive or undesirable content. The default behavior is to block all incoming traffic unless it is solicited or matches a configured exception, and to allow all outgoing traffic unless it matches a configured exception. [BUILD1] By combining the new Windows Firewall and IPsec, administrators can better enforce isolation scenarios, which increase security by restricting network resource access to domain-joined computers. Administrators continually face the challenge of providing access to authorized computers and users while maintaining security. A Server and Domain Isolation solution based on IPsec and Active Directory lets administrators dynamically segment their Windows environment into more secure and isolated logical networks, based on policy and without costly changes to their network infrastructure or applications. This creates an additional layer of policy-driven protection, and helps protect against costly network attacks, prevent unauthorized access to trusted networked resources, achieve regulatory compliance, and reduce operational costs.
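The two defaults described above (drop unsolicited inbound, allow outbound) are asymmetric, and the word "solicited" is doing the work: a reply is allowed only if it matches a flow this host opened. The following is an added example, not code from the presentation, showing that decision logic as a small stateful filter with explicit exceptions. The packets, addresses and rules are constructed for the demonstration; real Windows Firewall rules carry more fields than this.

```python
"""Default Windows Firewall behaviour as a decision function (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", from the host's point of view
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A configured exception; None fields match anything."""
    direction: str
    action: str                      # "allow" or "block"
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_addr: Optional[str] = None

    def matches(self, pkt):
        local_port = pkt.dport if pkt.direction == "in" else pkt.sport
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.direction == pkt.direction
                and (self.proto is None or self.proto == pkt.proto)
                and (self.local_port is None or self.local_port == local_port)
                and (self.remote_addr is None or self.remote_addr == remote))


class HostFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # (proto, local_addr, local_port, remote_addr, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            # Outbound default: allow unless a block exception matches.
            if any(r.action == "block" and r.matches(pkt) for r in self.rules):
                return "block"
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: "solicited" means a reply to a flow this host opened.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        # Otherwise only a configured allow exception passes; default is drop.
        if any(r.action == "allow" and r.matches(pkt) for r in self.rules):
            return "allow"
        return "block"


def run_sample():
    """Constructed traffic against one inbound and one outbound exception."""
    fw = HostFirewall([
        Rule("in", "allow", proto="tcp", local_port=3389),   # Remote Desktop exception
        Rule("out", "block", remote_addr="198.51.100.9"),     # blocked destination
    ])
    host = "192.0.2.10"
    trace = [
        ("browse", Packet("out", "tcp", host, 50000, "203.0.113.5", 80)),
        ("reply", Packet("in", "tcp", "203.0.113.5", 80, host, 50000)),
        ("smb_probe", Packet("in", "tcp", "203.0.113.7", 40000, host, 445)),
        ("rdp", Packet("in", "tcp", "203.0.113.8", 40001, host, 3389)),
        ("to_blocked", Packet("out", "tcp", host, 50001, "198.51.100.9", 443)),
        ("from_blocked", Packet("in", "tcp", "198.51.100.9", 443, host, 50001)),
        ("spoofed_reply", Packet("in", "tcp", "203.0.113.5", 80, host, 50002)),
    ]
    return {name: fw.decide(p) for name, p in trace}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:14} {verdict}")
```

Two of the constructed packets are the ones worth noticing: "from_blocked" is dropped even though it comes from the address of a connection the host tried to open, because the outbound packet never created a flow, and "spoofed_reply" is dropped because it targets a local port no flow was opened on, so simply copying a server's source port does not make traffic "solicited".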

20 Security Enhancements
Windows Defender
Wireless and Wired Configuration
Network Access Protection
PKI Settings
Internet Explorer 7.0

Slide Title: Security Enhancements
Keywords: Windows Defender, wireless configuration, wired configuration, network access protection, public key policy, IE 7.0
Key Message: The policy settings with Windows Vista include many security enhancements.
Slide Builds: 4
Slide Script: Windows Defender is an antispyware utility that is included with Windows Vista. Group Policy settings allow you to enable or disable real-time protection and scanning. In addition, you can manage signature downloads.
[BUILD1] Group Policy settings are available for both wireless and wired service configuration. For example, you can make different policy settings for wired and wireless 802.1X.
[BUILD2] Network Access Protection, or NAP, is included with Windows Vista. With NAP, a computer has to be compliant with health policies set by an administrator in order to access network resources. For example, an administrator can set a policy that does not allow a computer to connect if its firewall is not enabled. This allows administrators to make sure that all computers in the network comply with security policy. With Group Policy, you can control the quarantine setting for non-compliant computers.
[BUILD3] With Windows Vista, there is enhanced Public Key Policy configuration, which includes more policy settings for certificates.
[BUILD4] With previous versions of Windows, you had to configure Internet Explorer Group Policy using the Internet Explorer Maintenance tools or the Internet Explorer Administration Kit. Internet Explorer version 7.0, included with Windows Vista, can be fully managed through registry-based Group Policy. You can now manage most features of Internet Explorer in one place without having to use these toolkits. This gives you a consistent way to manage Internet Explorer settings for both users and computers.
Slide Transition: In addition to security enhancements, Windows Vista has policy settings to improve desktop management.
Slide Comment:
Additional Information:

21 Desktop Management
Windows Shell Management
Printer Management
Power Management

Slide Title: Desktop Management
Keywords: power settings, energy savings, windows shell management, printer management
Key Message: Group Policy settings allow for better desktop management.
Slide Builds: 2
Slide Script: With Windows Vista, Group Policy control over power settings allows businesses to control energy costs. The power management capabilities in Windows Vista include Group Policy support for all in-box power settings. All power settings can be enabled either per user or per computer. There is also a separate power plan for when no user is logged on to the system. The energy-saving settings are enabled by default, so no administrator configuration is necessary. Sleep is the default behavior when the system is turned off. System sleep idle timeouts and display blanking timeouts are also enabled.
[BUILD1] The improved desktop management in Windows Vista also includes Windows Shell management. There are policy settings for logon, the Start Menu, and Control Panel. You can also define the screensaver timeout and restrict users to the built-in screensavers only. There are settings to force credential prompting and to prevent users from saving credentials. Finally, there are policy settings for item sharing, PC to PC, and folder redirection.
[BUILD2] Another area of desktop management is printer management. You can use policy settings to deploy printers to computers or to users. You can roll out trusted printer drivers and prevent installation of untrusted printer drivers. Finally, you can delegate printer installation rights. All these settings are provided to ease customer pain points and provide a more secure, easier-to-deploy network.
Slide Transition: Group Policy settings can be used to prevent the installation of restricted devices with Windows Vista.
Slide Comment:
Additional Information:

22 Device Installation Policy Settings
Device Driver
Device Identification Strings
Device Setup Classes

Slide Title: Device Installation Policy Settings
Keywords: device installation, device identification strings, device setup classes
Key Message: You can use the Group Policy settings in Windows Vista to specify which identifiers that control device installation and configuration to allow or block.
Slide Builds: 4
Slide Script: When you want to connect a device, such as a USB device, to your computer, the device needs to communicate with the Windows operating system through a device driver. This driver is usually included with the device and needs to be installed before the device is attached. To install a device driver, Windows detects the device, recognizes its type, and then finds the device driver that matches that type. Windows uses two types of identifiers to control device installation and configuration: device identification strings and device setup classes.
[BUILD1] There are security risks with small removable storage devices, such as USB storage devices, MP3 players, and CD/DVD burners. These devices can introduce unwanted data or malware into the computer, and they can help a user steal confidential data. These risks are significant, and customers want granular control over the installation and removal of devices. To enable control over device installation, Windows Vista introduces several policy settings. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. There are several settings that you can configure to control users' ability to install devices.
[BUILD2] First, you can prevent installation of all devices. Users then cannot install or update drivers for any device.
[BUILD3] You can also prevent installation of devices that match specific device IDs. With this setting, users can't install or update the driver for a device if its hardware ID or compatible ID matches one in the list. If you set this policy, it takes precedence over any other policy settings that allow users to install a device.
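As an added example (not part of the presentation), the PowerShell below reads the device installation restriction values that these Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions and reports whether a device with the given hardware IDs, compatible IDs and setup class would be blocked, applying the precedence described above: a device-ID deny overrides every allow setting, then class rules, and "deny everything not described" last. Function names and the sample device IDs are ours; the registry value names follow the DeviceInstallation policy template, so check them against the template version you deploy.

```powershell
# Added example (not from the presentation); registry value names follow the DeviceInstallation policy template.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyIdList {
    # Each ID list is a subkey whose values named "1", "2", ... hold one ID each.
    param([string]$SubKey)
    $path = Join-Path $Restrictions $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Test-DeviceBlocked {
    param(
        [string[]]$HardwareIds,    # constructed sample: 'USBSTOR\DiskVendor__Product_1.00'
        [string[]]$CompatibleIds,  # constructed sample: 'USBSTOR\GenDisk'
        [string]$SetupClassGuid    # e.g. '{4d36e967-e325-11ce-bfc1-08002be10318}' = DiskDrive class
    )
    $pol = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
    $ids = @($HardwareIds) + @($CompatibleIds)
    # True when any hardware or compatible ID of the device appears in $list (case-insensitive).
    $idMatches = { param($list) @($ids | Where-Object { $list -contains $_ }).Count -gt 0 }

    # 1. Deny by device ID: a matching hardware or compatible ID blocks the device and,
    #    as the slide says, overrides every allow setting.
    if ($pol.DenyDeviceIDs -eq 1 -and (& $idMatches @(Get-PolicyIdList 'DenyDeviceIDs'))) {
        return 'Blocked: hardware/compatible ID is on the deny list'
    }
    # 2. Allow by device ID, 3. deny by setup class, 4. allow by setup class.
    if ($pol.AllowDeviceIDs -eq 1 -and (& $idMatches @(Get-PolicyIdList 'AllowDeviceIDs'))) {
        return 'Allowed: hardware/compatible ID is on the allow list'
    }
    if ($pol.DenyDeviceClasses -eq 1 -and (@(Get-PolicyIdList 'DenyDeviceClasses') -contains $SetupClassGuid)) {
        return "Blocked: setup class $SetupClassGuid is on the deny list"
    }
    if ($pol.AllowDeviceClasses -eq 1 -and (@(Get-PolicyIdList 'AllowDeviceClasses') -contains $SetupClassGuid)) {
        return "Allowed: setup class $SetupClassGuid is on the allow list"
    }
    # 5. Deny everything not described by an allow setting above.
    if ($pol.DenyUnspecified -eq 1) { return 'Blocked: not explicitly allowed and DenyUnspecified is set' }
    return 'Allowed: no restriction applies'
}

# Constructed sample: a generic USB mass-storage device.
Test-DeviceBlocked -HardwareIds 'USBSTOR\DiskVendor__Product_1.00' `
                   -CompatibleIds 'USBSTOR\GenDisk', 'USBSTOR\Disk' `
                   -SetupClassGuid '{4d36e967-e325-11ce-bfc1-08002be10318}'
```

Run it on a machine after a Group Policy refresh to confirm that the restriction settings in effect actually catch the hardware and compatible IDs your devices report.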

23 Demonstration: Blocking Devices with Group Policy
Blocking the Installation of a USB Device

Slide Title: Demonstration: Installing Devices with Group Policy
Keywords: Demonstration
Key Message: Demonstration
Slide Builds: 0
Slide Script: In this demonstration, we are going to show several options for restricting device installation with Group Policy.
Slide Transition: QoS policies in Windows Vista allow you to either prioritize or manage the sending rate for outgoing network traffic.
Slide Comment:
Additional Information:

24 QoS Policies
A/V Traffic
Source IPv4/IPv6 addresses
Destination IPv4/IPv6 addresses
Protocol
Source or destination ports

Slide Title: QoS Policies
Keywords: QoS Policies, DSCP value, network traffic, qWave
Key Message: QoS policies in Windows Server "Longhorn" and Windows Vista allow IT staff to either prioritize or manage the sending rate for outgoing network traffic.
Slide Builds: 3
Slide Script: As mentioned earlier, although most network traffic is currently delivered on a "best effort" basis, users and applications with specific network performance requirements may require preferential service levels. Starting with Windows 2000, applications had to be written or modified to use the Generic QoS application programming interface, or GQoS API. Now, with Windows Server "Longhorn" and Windows Vista, you can prioritize traffic and manage sending rates for any networking application. QoS in Windows Vista allows IT departments to centrally manage the network bandwidth sent by computers running Windows Vista, regardless of the application and across an entire Active Directory infrastructure. Because traffic management occurs at the network layer, applications do not need to be written or modified to use the GQoS APIs, which allows traffic management for existing applications. With a QoS policy, you can manage the use of bandwidth by setting a throttle rate for outbound traffic. The throttle rate set in a QoS policy limits the total outgoing network traffic to the specified rate.
[BUILD1] In addition, with QoS policies, you can define the priority of traffic. You can configure a QoS policy to mark outbound network traffic with a Differentiated Services Code Point, or DSCP value, which allows classification at the IP level. When routers receive the traffic, they use the DSCP value to decide in which queue to place the packet. You configure how the routers respond to traffic according to the DSCP values; the routers use those settings to place the traffic into a high-priority, best-effort, or lower-than-best-effort queue. This ensures that more critical network traffic gets preference and is not delayed by lower-priority traffic. DSCP marking and throttling can be used together to manage traffic effectively.
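The following PowerShell is an added example, not part of the presentation: it models how a QoS policy is matched against an outbound flow using the criteria listed on the slide (protocol, source and destination IPv4/IPv6 prefixes, ports) and what the matched policy applies, a DSCP mark in the IP header and a throttle rate. The function names and sample policies are ours, and "first matching policy wins" is a simplification; the real Policy-based QoS engine applies its own precedence between overlapping policies.

```powershell
# Added example (not from the presentation); names and sample policies are constructed.
function Test-PrefixMatch {
    # True when $Address lies inside $Prefix, e.g. '10.20.0.0/16', '2001:db8::/32' or '*'.
    param([string]$Address, [string]$Prefix)
    if ($Prefix -eq '*') { return $true }
    $net, $len = $Prefix -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $n.Length) { return $false }         # an IPv4 address never matches an IPv6 prefix
    $bits = if ($len) { [int]$len } else { 8 * $n.Length } # no '/len' means a single host address
    for ($i = 0; $i -lt $a.Length -and $bits -gt 0; $i++) {
        $mask = if ($bits -ge 8) { 0xFF } else { (0xFF -shl (8 - $bits)) -band 0xFF }
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

function Resolve-QosPolicy {
    # Returns the DSCP mark, the resulting TOS/Traffic Class byte and the throttle rate
    # for an outbound flow. First matching policy wins (simplification in this model).
    param([hashtable[]]$Policies, [string]$Protocol,
          [string]$SrcIp, [int]$SrcPort, [string]$DstIp, [int]$DstPort)
    foreach ($p in $Policies) {
        $match = ($p.Protocol -eq '*' -or $p.Protocol -eq $Protocol) -and
                 ($p.SrcPort  -eq '*' -or [int]$p.SrcPort -eq $SrcPort) -and
                 ($p.DstPort  -eq '*' -or [int]$p.DstPort -eq $DstPort) -and
                 (Test-PrefixMatch $SrcIp $p.SrcPrefix) -and
                 (Test-PrefixMatch $DstIp $p.DstPrefix)
        if ($match) {
            return [pscustomobject]@{
                Policy       = $p.Name
                Dscp         = $p.Dscp
                TosByte      = $p.Dscp -shl 2   # DSCP occupies the top 6 bits; the ECN bits stay 0
                ThrottleKbps = $p.ThrottleKbps
            }
        }
    }
    # No policy matched: best effort (DSCP 0), no throttle.
    [pscustomobject]@{ Policy = $null; Dscp = 0; TosByte = 0; ThrottleKbps = $null }
}

# Constructed sample policies: mark A/V traffic to the conferencing subnet EF (DSCP 46);
# mark backup traffic to the file server CS1 (DSCP 8) and throttle it to 10 Mbit/s.
$policies = @(
    @{ Name='AV';     Protocol='UDP'; SrcPrefix='*'; SrcPort='*'; DstPrefix='10.20.0.0/16'; DstPort='*';   Dscp=46; ThrottleKbps=$null },
    @{ Name='Backup'; Protocol='TCP'; SrcPrefix='*'; SrcPort='*'; DstPrefix='10.30.1.0/24'; DstPort='445'; Dscp=8;  ThrottleKbps=10000 }
)
Resolve-QosPolicy $policies 'UDP' '10.1.2.3' 50000 '10.20.5.6' 40000   # an A/V flow
Resolve-QosPolicy $policies 'TCP' '10.1.2.3' 51000 '10.30.1.7' 445     # a backup flow
```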

25 Summary
Better GPO administration
Restriction of device installation
Network traffic management

Slide Title: Summary
Keywords: Summary
Key Message: Summary
Slide Builds: 2
Slide Script: Group Policy with Windows Vista is greatly improved over previous versions of Windows. There are over a thousand additional settings that can be managed through the GPMC, which is now included with Windows Vista. Group Policy functions more independently and doesn't rely on ICMP. New ADMX files allow for multilingual support and use less storage on SYSVOL.
[BUILD1] One of the great improvements in Windows Vista is the ability to restrict device installation. This helps secure your network by ensuring that users can only install approved devices.
[BUILD2] Finally, Windows Vista introduces QoS policies that allow you to specify network bandwidth and network traffic priority. This improves efficiency in your organization and allows network-sensitive traffic to get priority.
Slide Transition: To get more information on the products and technologies we have covered today, we have some online resources available that can help.
Slide Comment:
Additional Information:

31 Your potential. Our inspiration.
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this presentation.

