Windows Vista Security Features (1)


1 Windows Vista Security Features (1)
Eduardo Petizme, MVP ISA Server (Security), IT Infrastructure Manager
Hello and welcome to this Microsoft TechNet session on security features in Windows Vista. My name is {insert name}.
Let’s look at some of the topics we will cover today.

2 What We Will Cover
Security fundamentals; Protecting company resources; Anti-malware features
When Microsoft Windows Vista arrives later this year, there will be over 1 billion PCs in use worldwide. Not only are there more PCs, but people are doing more with them. Businesses depend on PCs for their core business processes; they store more information digitally; and employees rely on their PCs to communicate with each other. Among home Internet users in the United States, broadband connections and online banking are more common than ever, and the PC has become the entertainment hub for photos, music, gaming, and video.
Unfortunately, with more valuable information being stored and transferred online, computers have become an even greater target for attackers, identity thieves, and other criminals. Originally, most virus writers were motivated by curiosity and personal fame. Today, they are motivated by money. A stolen credit card number can be worth as much as $100 on the black market. As a result, phishing web sites grew by nearly 500 percent in one year. And more than 25 percent of help desk time today is spent dealing with spyware.
With so much motivation to compromise computer systems, users require computers with new levels of protection. During the development of Windows Vista, we took a holistic approach to security that produces a fundamentally more secure operating system than earlier versions of Windows while still integrating easily into your current computing infrastructure.
Building on the significant security advances in Windows XP Service Pack 2, Windows Vista includes fundamental architectural changes that help to make you more secure from evolving threats, including worms, viruses, and malware. Windows Vista was designed and developed using Microsoft’s Security Development Lifecycle (SDL), a rigorous process that significantly reduces the number and severity of security-related design and coding defects. These improvements minimize the operating system’s attack surface area, which is key to improving system and application integrity, helping you more securely manage and isolate your networks.

3 What We Will Cover - Notes
Security fundamentals; Protecting your company’s resources; Anti-malware features
You need to protect your company’s resources. To assist you in this, we’ve developed Windows Vista to provide secure access to system resources. User Account Control allows you to better manage users’ desktops and allows them access to only business-necessary resources. With improved auditing support, you can better monitor what information your users are accessing. Companies are increasingly concerned about the company and customer data that is on lost or stolen portable computers. There are many stories in the news about laptops with sensitive and confidential data stolen from corporations or government agencies. A new feature in Windows Vista, BitLocker Drive Encryption, can protect these systems by encrypting the entire system volume, including all the data. Additionally, with Windows Vista you can control installation of common devices, such as USB flash drives, to protect your data from leaving your network.
Malware, such as viruses, worms, spyware, and other potentially unwanted software, can cause a wide range of problems, including theft of personal information, slower PC performance, and the appearance of unwanted advertising. The effects of malware can range from mere annoyances to significant problems that take a considerable amount of time and money to fix. We believe the best approach to stopping malware is to layer security features. Windows Vista contains several layered security features that help prevent malware from installing, and that help find and remove malware if it has already been installed. These include Automatic Updates and Windows Security Center, the new Windows Vista Firewall, and Internet Explorer Protected Mode.
As we go through today's session, you will hear various Microsoft acronyms and terminology.

4 Agenda
Windows Vista™ security fundamentals; Mitigating threats and vulnerabilities; Controlling access and identity; Protecting information
Windows Vista offers many advances in security and compliance. We’ll begin by looking at some of the Windows Vista security fundamentals. This will take us through the security development life cycle, including threat modeling and code reviews. Then we will look at Windows service hardening.
Next, we will show how Windows Vista improves upon threat and vulnerability mitigation. These include Internet Explorer Protected Mode, Windows Defender, and Network Access Protection.
Companies are faced with a constant trade-off between security and productivity. We will show how Windows Vista introduces User Account Control in an effort to do away with this trade-off. Then we’ll look at other steps taken to enhance identity and access control, such as Plug and Play smartcards and granular auditing.
Finally, we are going to look at how to protect a company’s most important asset: its information. BitLocker Drive Encryption, used either alone or with a trusted platform module, secures the computer’s entire drive. The use of EFS smartcards and RMS clients also reduces the threat of information leakage.
One of administrators’ most requested features in an operating system is “secure by default” behavior.

5 Windows Vista Fundamentals
Secure by default; Improved SDL; Common Criteria certification
Therefore, with Windows Vista, there are several processes in place to ensure that Windows Vista is secure by design.
An improved Security Development Lifecycle (SDL) process was implemented for Windows Vista. Before any of the features of the operating system are implemented, we wanted to make sure that the code itself is secure. This is done by looking at the product end-to-end with security in mind. The process starts with periodic mandatory security training for all of our developers and program managers. Through this training, the teams gain a deeper understanding of what security threats exist and how to write secure code to protect against these threats. We also have security advisors for all the various parts of the operating system. This means that even developers working on a piece of the operating system that has no relation to security will still have a security advisor to help them understand the threat model for that operating system component. This threat modeling has been done throughout the design phase to help ensure that the code is created with security in mind, rather than being identified as a security risk after it is implemented. Throughout the build process, the product has been reviewed by security experts and tested both internally and externally. All of this helps contribute to a highly secure product.
Finally, Windows Vista has been designed with Common Criteria certification in mind. This is a set of evaluation criteria set by the United States government for judging the security of computer systems. By meeting these criteria, we are making sure that the product meets the requirements for use in the most secure installations.
With Windows XP, services don’t run at a high level of security.

6 Windows Vista Service Hardening
Reduce the size of the high-risk layer; Segment the services; Increase the number of layers
Fewer security layers with Windows XP mean a larger attack surface for exploiting vulnerabilities. Also, some drivers can run in both kernel mode and user mode, meaning that it’s easier for malware to manipulate a service or driver that runs in kernel mode. And, since many of these services run at a high-privilege level, if a service is compromised, the threat of it having access to the entire system is quite real. Windows Service Hardening with Windows Vista increases the level of security against these malware threats to services. With service hardening, if a vulnerability in a service is exploited, the exploit code isn’t allowed to propagate to other computers on the network.
With Windows Vista, the number of security layers between the user and the system kernel has been increased. In addition, the size of the high-risk layers has been reduced. This means that the amount of code that has to run at the kernel level has been significantly reduced. For example, with previous versions of Windows, there were printer drivers that had some kernel-mode code and some user-mode code. With Windows Vista, the printer drivers have been moved into user mode exclusively so that there’s no kernel code in the drivers themselves. This has been done for a variety of services, and by making sure that services run with the least amount of privileges required, the system becomes more secure.
The services that do require higher privileges have been segmented so that there’s some lower-privileged code running and some higher-privileged code running. Again, the key is reducing the amount of code that is high-privilege. Also, by using outbound filtering on the firewall with some other components, applications or operating systems can be profiled when they start, for example regarding which network ports they can use, where in the file system they can write, and where in the registry they can write.
[Diagram labels: Service 1, Service 2, Service 3, Service …, Service A, Service B; Kernel drivers; User-mode drivers]

7 Agenda
Windows Vista™ security fundamentals; Mitigating threats and vulnerabilities; Controlling access and identity; Protecting information
Now that we have introduced some of the fundamentals of Windows Vista security, let’s delve into threat and vulnerability mitigation with Windows Vista.
Internet Explorer 7 provides significant improvements over Internet Explorer 6.

8 Windows® Internet Explorer® 7.0
Social engineering protection: Phishing filter and colored address bar; Dangerous settings notification; Secure defaults for Internationalized Domain Names (IDNs)
Namely, it greatly reduces the attack surface by which many kinds of malware can enter a computer. Malware can install in two ways: by tricking users, or by exploiting vulnerabilities in the operating system or applications. Previous versions of Internet Explorer were the vehicle for multiple social engineering tricks and exploits. Among the improvements to Internet Explorer 7 is the new phishing filter. The Phishing Filter helps users identify malicious websites that might seek to extract personal information or install malware. The Phishing Filter uses heuristics, such as images hosted on another server or the use of an IP address instead of a domain name, to identify suspicious websites. It also checks sites against a list of known phishing sites. In addition, Internet Explorer 7 uses the address bar as a visual cue to convey information about the intent of a website: green for known good sites, yellow for suspicious sites, and red for known phishing sites.
Since Internet Explorer 7 adds support for International Domain Names in URLs, it also detects a variety of spoofing options for malicious actors. While might have been spoofed with a “1” instead of an “i,” replacing an “o” with an umlaut creates more options for attackers. Because of this, Internet Explorer 7 notifies you when visually similar characters in the URL are not expressed in the same language, thus protecting you against sites that could otherwise appear as known, trustworthy sites.
In addition to social engineering protections, Internet Explorer 7 provides greater protection from exploits. First, Unified URL Parsing means that the URL parsing capabilities in Internet Explorer 7 have been rewritten and unified as one.
Another significant improvement with Internet Explorer 7 is ActiveX opt-in. Since Internet Explorer 6, we have been progressively tightening down the freedoms we gave to ActiveX. Now, we require users to opt in to use any pre-installed ActiveX control as well as new controls.

9 Windows® Internet Explorer® 7.0
Social engineering protections: Phishing filter and colored address bar; Dangerous settings notification; Secure defaults for Internationalized Domain Names (IDNs)
Exploit protection: Unified URL parsing; Code quality improvements through the Security Development Lifecycle (SDL); Microsoft® ActiveX® Opt-In feature; Protected Mode to prevent malicious software (malware)

10 Advanced Malware Protection
Users running Internet Explorer 6 with administrator rights expose several ways for malware to exploit the system.
With Windows Vista, there are several measures taken for advanced malware protection. These include Protected Mode in Internet Explorer 7, ActiveX Opt-in, and the new phishing filter, in addition to the new Windows Vista Firewall.
Internet Explorer 7 in Windows Vista offers two major security improvements.
[Diagram labels: Internet Explorer 6; Admin-rights access; HKLM, Program Files; Install a driver and run Windows Update; Exploit can install malware; User-rights access; HKCU, My Documents, Startup folder; Change settings, download a picture; Exploit can install malware; Temporary Internet Files; Untrusted files and settings; Cached web content]

11 Advanced Malware Protection
[Diagram labels: HKLM, Program Files; Admin-rights access; Internet Explorer 7; Compact Redirector; Integrity Control; IEAdmin; Install an ActiveX control; User-rights access; HKCU, My Documents, Startup folder; Internet Explorer 6; IEUser; Change settings, download a picture; Temporary Internet Files; Untrusted files and settings; Redirected files and settings]

12 ActiveX Opt-In
Internet Explorer 7: controls disabled by default
The first one is ActiveX Opt-in. ActiveX Opt-in is one of the steps taken to ensure “secure by default” behavior. To reduce the attack surface, ActiveX Opt-in will automatically disable ActiveX controls that are rarely used or that were never intended to be invoked in Internet Explorer. ActiveX Opt-in is designed to give users more control over the software running on their PCs. Controls that users have installed through a web download or that have been used in Internet Explorer before upgrading to Internet Explorer 7 will be enabled by default.
Users will also have the option to enable controls as needed using the same Information Bar they have used to install new controls since Windows XP SP2.
Once the user has chosen to enable the ActiveX control, Internet Explorer 7 will confirm the install and then enable the control. While the final implementation is still being developed, the goal is a safer browsing experience for users with the add-ons they value already enabled.
The second major security improvement with Windows Vista is Internet Explorer Protected Mode.

13 ActiveX Opt-In
Internet Explorer 7: IE7 blocks the ActiveX control; User grants access (opts in); IE7 confirms the installation; ActiveX control enabled

14 Internet Explorer Protected Mode
Protected Mode offers users a powerful security enhancement by reducing the severity of threats posed by malicious attacks. Internet Explorer Protected Mode builds upon User Account Control to safeguard user data and settings even when you’re logged on as a standard user. When browsing the Web, even if you’re not an administrator, you have the ability to change your home page, to delete files in your My Documents folder, and to perform other similar operations. With Internet Explorer Protected Mode, we are making sure that an application or piece of malware can’t do those same things without your consent.
One way that we’ve done this is by allowing Internet Explorer to write only to the Temporary Internet Files folder and to no other location. So when you’re browsing the Web, a piece of malware can only write to the Temporary Internet Files folder; it can’t place a file in your Startup folder or change your home page or perform any similar operation without your explicit consent. This is done by running a broker process that has parts of Internet Explorer running with both low and high privileges. The broker process maintains communication between those two operations, so if you do want to save a Web page or install a control, with your consent, the broker process allows that to happen.
Internet Explorer 7 with Windows Vista provides dynamic protection against fraudulent websites.
[Diagram labels: C:\...\Temporary Internet Files; C:\...\Startup]

15 Phishing Filter
Compares the website with a local list of legitimate sites; Checks the website for characteristics common to phishing sites; Double-checks the site against Microsoft's online service of reported phishing sites
This protection is provided by the phishing filter included with Internet Explorer 7. The Phishing Filter uses three methods to help protect users from phishing scams. First, it compares the addresses of websites visited against a large list of sites known to Microsoft as legitimate. This list of sites is stored on your computer.
Second, as websites are visited, the phishing filter uses special heuristics and scans the page for special characteristics common to a phishing website. This heuristics engine is also stored on your computer. Since attackers and attacks change frequently, these heuristics, as well as the list of legitimate sites, are continuously updated through a centralized, dynamically updated Microsoft service. The user has the choice to opt into the service. It has two modes: automatic or as needed, both of which will have Internet Explorer ask you if you want to send the website address to Microsoft to be checked. The dynamic service check allows the latest heuristics to be used and also provides instant access to an updated list of legitimate websites.
Finally, through the service, the site is checked against a live list of known phishing sites. This live list is highly dynamic and becomes out-of-date within hours, making it more efficient for you to access through the Internet. This list is not stored on your computer in order to save space and processing time.
The Phishing Filter will work in the background until the user visits a website on the list of reported phishing sites. When this happens, Internet Explorer will display a warning web page and a red notification shield on the address bar at the top of the browser. From the warning web page, you can continue or close the page.

16 Phishing Filter
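The checks described in the notes for slides 8 and 15 (local list of legitimate sites, local heuristics, online list of reported sites, and the address-bar colors), combined in one sketch. This is an added example, not code from the presentation or from Internet Explorer: the site lists, host names, function names, and the mapping of a local-list match to the green state are constructed assumptions.

```javascript
// Constructed sample lists (assumptions): the real lists are Microsoft's and are not on the page.
const LOCAL_LEGITIMATE = new Set(['www.contoso.example', 'mail.contoso.example']);
const REPORTED_PHISHING = new Set(['contoso-login.badsite.example']);

// Scripts checked for mixing inside one host label; a narrowed set chosen for this example.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Return the host in its Unicode display form, lower-cased, or null if there is none.
// (The built-in URL class returns the ASCII "xn--" form, which hides the characters
// the user actually sees. Labels already in "xn--" form are not decoded here.)
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url.trim());
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');            // drop any userinfo part
  if (at !== -1) authority = authority.slice(at + 1);
  if (authority.startsWith('[')) {                  // bracketed IPv6 literal
    const end = authority.indexOf(']');
    return end === -1 ? null : authority.slice(0, end + 1).toLowerCase();
  }
  const host = authority.replace(/:\d*$/, '').toLowerCase();  // drop the port
  return host === '' ? null : host;
}

function isIpLiteral(host) {
  if (host.startsWith('[')) return true;
  const parts = host.split('.');
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Names of the scripts (from SCRIPTS) that occur in one label, sorted.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Local heuristics named in the notes: IP address instead of a domain name,
// look-alike characters from different scripts, images hosted on another server.
function heuristics(host, imageUrls = []) {
  const reasons = [];
  if (isIpLiteral(host)) {
    reasons.push('IP address used instead of a domain name');
  } else {
    for (const label of host.split('.')) {
      const scripts = scriptsOf(label);
      if (scripts.length > 1) {
        reasons.push(`label "${label}" mixes scripts: ${scripts.join('+')}`);
      }
    }
  }
  // Relative image URLs have no host of their own and count as same-server.
  const foreign = imageUrls.map(hostOf).filter((h) => h !== null && h !== host);
  if (foreign.length > 0) reasons.push(`${foreign.length} image(s) hosted on another server`);
  return reasons;
}

// Three-step check. onlineCheck models the user's opt-in to the online service.
function classify(url, { imageUrls = [], onlineCheck = false } = {}) {
  const host = hostOf(url);
  if (host === null) return { color: 'yellow', reasons: ['URL has no recognisable host'] };
  if (LOCAL_LEGITIMATE.has(host)) return { color: 'green', reasons: [] };   // step 1
  const reasons = heuristics(host, imageUrls);                              // step 2
  if (onlineCheck && REPORTED_PHISHING.has(host)) {                         // step 3
    return { color: 'red', reasons: ['on the list of reported phishing sites', ...reasons] };
  }
  return { color: reasons.length > 0 ? 'yellow' : 'none', reasons };
}

// Constructed sample URLs; \u043E is CYRILLIC SMALL LETTER O.
for (const u of ['https://www.contoso.example/', 'http://192.0.2.10/login',
  'http://cont\u043Eso.example/', 'http://contoso-login.badsite.example/']) {
  console.log(u, JSON.stringify(classify(u, { onlineCheck: true })));
}
```

A look-alike within a single script, such as “ö” for “o”, does not trip the mixed-script rule, which is why the list lookups run alongside it.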

17 Windows Vista Firewall
<SLIDETITLE INCLUDE=7>Windows Vista Firewall</SLIDETITLE> <KEYWORDS>Windows Firewall, Windows Firewall with Advanced Security, IPSec</KEYWORDS> <KEYMESSAGE>Introduce the new Windows Firewall and IPSec integration.</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> If your computer is not protected when you connect to the Internet, attackers can gain access to personal information on your computer. These attackers can install code on your computer that destroys files or causes malfunctions. They can also use your computer to cause problems on other home and business computers connected to the Internet. A firewall helps to screen out many kinds of malicious Internet traffic before it reaches your system. [BUILD1] One of the new features with the Windows Firewall with Windows Vista is its integration with IP Security. IP Security, commonly called IPSec, is a suite of IP protocols used to provide secure communication. IPSec policies and filters distributed by Group Policy provide authorization for authenticated users and computers. IPSec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices, extranets, and roving clients. Although support for IPSec is built into Windows 2000 and later, in Windows XP and Windows Server 2003, Windows Firewall and IPSec are configured separately. While the purpose of Windows Firewall was to block or allow incoming traffic, IPSec could also be configured to block or allow incoming traffic. Because blocking and allowing traffic behavior for incoming traffic could be configured through two different, separate services, it was possible to have duplicate or contradictory settings. In addition, Windows Firewall and IPSec supported different configuration options for specifying allowed incoming traffic. For example, Windows Firewall allowed exceptions by specifying the application name, but IPSec did not. 
IPSec allowed exceptions based on an IP protocol number, and Windows Firewall did not. IPsec

18 Windows Vista Firewall

19 demo Configuring Windows Firewall Configure an inbound rule
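The integration described in the slide 17 notes, where a single inbound exception can combine an application name, an IP protocol number and an IPsec requirement, can be seen from the `netsh advfirewall` context that Windows Vista introduced. This is an added example, not part of the original presentation; the rule names, program path, port and subnet are constructed placeholders.

```powershell
# Added example. Run from an elevated prompt on Windows Vista or later.
# Every name, path, port and address below is a constructed placeholder.
$subnet  = '10.0.0.0/24'                   # constructed internal subnet
$program = 'C:\ExampleApp\exampleapp.exe'  # hypothetical line-of-business binary

# 1. Connection security (IPsec) rule: request authentication in both
#    directions for traffic between this host and the subnet.
netsh advfirewall consec add rule name=Example-RequestAuth `
    endpoint1=any endpoint2=$subnet action=requestinrequestout

# 2. Inbound firewall rule that filters on the application AND on the port,
#    and only matches connections that IPsec has authenticated.
#    Under Windows XP the program filter lived in Windows Firewall and the
#    authentication requirement in a separate IPsec policy.
netsh advfirewall firewall add rule name=Example-LobApp-In dir=in action=allow `
    program=$program protocol=TCP localport=8443 remoteip=$subnet `
    profile=domain security=authenticate

# 3. Exception by IP protocol number (47 = GRE), which the notes say only
#    IPsec filters could express before the two were merged.
netsh advfirewall firewall add rule name=Example-GRE-In dir=in action=allow `
    protocol=47 remoteip=$subnet profile=domain

# 4. Review both rule types from the same tool to check for overlap
#    or contradiction before rolling the policy out.
netsh advfirewall firewall show rule name=Example-LobApp-In verbose
netsh advfirewall consec show rule name=all

# 5. Remove the example rules.
netsh advfirewall firewall delete rule name=Example-LobApp-In
netsh advfirewall firewall delete rule name=Example-GRE-In
netsh advfirewall consec delete rule name=Example-RequestAuth
```

The `security=authenticate` rule only admits traffic when a connection security rule such as the one in step 1 has negotiated IPsec with the peer.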

20 Windows® Defender Improved detection and removal
Redesigned and simplified user interface Protection for all users Real-time protection <SLIDETITLE INCLUDE=7>Windows Defender</SLIDETITLE> <KEYWORDS>Windows Defender, spyware</KEYWORDS> <KEYMESSAGE>Windows Defender has been improved to prevent spyware.</KEYMESSAGE> <SLIDEBUILDS>3</SLIDEBUILDS> <SLIDESCRIPT> Windows Defender replaces Microsoft Windows Client Protection. Windows Defender is a security technology that helps protect you from spyware and other potentially unwanted software. Spyware is a general term used for software that performs certain behaviors, such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent. With Windows Defender, known spyware on your computer can be detected and removed. This helps reduce negative effects caused by spyware, including slow computer performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of your private information. This enhanced protection improves Internet browsing safety by helping to guard the places where spyware can enter your computer. Windows Defender, included with Windows Vista, offers additional performance and security enhancements. [BUILD1] Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real-time protection, which helps prevent unwanted software from being installed, has also been enhanced to better monitor critical points in the operating system for changes. [BUILD2] The Windows Defender user interface has been redesigned to make common tasks such as scanning and removal easier to accomplish, and offers a warning system that adapts alert levels according to the severity of a threat.
A critical aspect of any antispyware solution is the ability to determine which programs are truly unwanted, which is compounded by the continual distribution of new spyware and other unwanted software. With Windows Client Protection, the worldwide SpyNet community plays a key role in determining which suspicious programs are classified as spyware. SpyNet is a voluntary network of users that helps uncover new threats quickly to ensure that all users are better protected. Any user can choose to join SpyNet and report potential spyware to Microsoft.

21 Network Access Protection
Policy Servers Windows Vista Client Microsoft Network Policy Server Fix-Up Servers <SLIDETITLE INCLUDE=7>Network Access Protection</SLIDETITLE> <KEYWORDS>Network Access Protection, NAP, NPS, Network Policy Server, health certificate, health policies</KEYWORDS> <KEYMESSAGE>Network Access Protection requires compliance with health policies.</KEYMESSAGE> <SLIDEBUILDS>3</SLIDEBUILDS> <SLIDESCRIPT> NAP functions on four levels: It validates compliance to policy; it restricts access based on compliance to policy; it remediates as necessary; and it grants access accordingly. NAP ensures the client’s ongoing compliance to policy. The NAP platform functions in real time. It recognizes, quarantines, and remediates threats before they can even pose a problem for the network. The process of NAP begins with a client attempting to access the network. [BUILD1] When this client requests access to the network, it must present its current health status. [BUILD2] Then, the DHCP, VPN, or Switch Router relays the client’s health status to a Network Policy Server, or NPS. [BUILD3] The NPS will then validate the health status against IT-defined health policies. [BUILD4] If the client is policy-compliant, it’s given immediate access to the corporate network. DHCP, VPN Switch/Router Corporate Network

22 Agenda Windows Vista™ security fundamentals
Mitigating Threats and Vulnerabilities Controlling Access and Identity Protecting Information <SLIDETITLE INCLUDE=7>Agenda: Identity and Access Control</SLIDETITLE> <KEYWORDS>Agenda</KEYWORDS> <KEYMESSAGE>Agenda</KEYMESSAGE> <SLIDEBUILDS>0</SLIDEBUILDS> <SLIDESCRIPT> We’ve explored the steps taken with Windows Vista to ensure threat and vulnerability mitigation. Now let’s take a look at some of the improvements to identity and access control. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Several challenges exist now with regards to identity and access control.</TRANSITION> </SLIDETRANSITION>

23 Challenges <SLIDETITLE INCLUDE=7>Current Challenges</SLIDETITLE> <KEYWORDS>Current Challenges, admin users</KEYWORDS> <KEYMESSAGE>Introduce User Account Control</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> First, with many users operating with administrative privileges, desktops are not being managed correctly. Viruses and spyware can damage the system while users are operating with these elevated privileges. Also, enterprise users operating with elevated privileges can compromise the corporation. Inexperienced users can also make changes that require reimaging the computer to undo them. [BUILD1] While this problem can be fixed by taking away administrative privileges from users, it can result in loss of productivity. Many line-of-business applications require elevated privileges to run, so without administrative privileges, these applications won’t work. With each new operating system release, IT administrators must reevaluate these applications for compatibility issues due to inconsistent configuration settings between the operating systems. [BUILD2] Along with line-of-business applications requiring elevated privileges, many common operating system configuration tasks also require elevated privileges. For example, without administrative privileges, users are not able to change the time zone on their computers. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>One of the new features in Windows Vista designed to tackle some of these challenges is User Account Control.</TRANSITION> </SLIDETRANSITION>

24 Windows® User Account Control
Lets the system run as a standard user Lets selected applications run in an elevated context <SLIDETITLE INCLUDE=7>User Account Control</SLIDETITLE> <KEYWORDS>User Account Control, privileges, elevated privileges, application compatibility</KEYWORDS> <KEYMESSAGE>Introduce User Account Control</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> User Account Control allows the systems to run as a standard user. Also, users can run select applications in an elevated context. This means that when a standard user tries to do something that requires administrator privileges, when he or she starts that application or does something that requires elevated privileges, he or she will be prompted for administrative credentials. [BUILD1] If, on the other hand, the user is a member of the local administrators group, he or she will still be prompted for consent. In this way, we are making sure that applications and malware do not use your administrative privileges without your explicit consent, and as you will see in a moment, these prompts and dialog boxes make it very clear to the user when he or she is about to take an action that has system-wide impact. [BUILD2] Another new feature of User Account Control involves application compatibility. Many applications currently fail under Windows XP if they are not running with administrator privileges, because they attempt to write to restricted places that have system-wide impact, such as the Program Files folder or the HKEY_LOCAL_MACHINE registry key. With file virtualization and registry redirection, writes to those areas will be redirected to a per-user location, as we’ll see in the next demonstration.
</SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Actions that require elevated privilege or user consent are indicated by a shield icon.</TRANSITION> </SLIDETRANSITION> Fixes and removes inappropriate administrative permissions File and registry virtualization provides compatibility

25 User Account Control example
<SLIDETITLE INCLUDE=7>User Account Control Sample</SLIDETITLE> <KEYWORDS>User Account Control, elevated privileges, permissions</KEYWORDS> <KEYMESSAGE>Running programs with elevated permissions</KEYMESSAGE> <SLIDEBUILDS>1</SLIDEBUILDS> <SLIDESCRIPT> The shield icon appears next to any task requiring elevated permissions. For example, a user accessing Advanced System Settings, Hardware, Backup and Restore, or Change Settings will be prompted for administrative credentials. On the other hand, administrator accounts will be prompted for permission to allow the program to run. [BUILD1] As you work through the various user interfaces for advanced options, for example, Windows Vista will continue to prompt you for permission to run any application or system component that requires elevated permissions. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Let’s look at some other instances where you might see elevation prompts.</TRANSITION> </SLIDETRANSITION>

26 Elevated Privilege <SLIDETITLE INCLUDE=7>Elevation Privileges</SLIDETITLE> <KEYWORDS>User Account Control, elevated privileges</KEYWORDS> <KEYMESSAGE>Logging on with administrative permissions</KEYMESSAGE> <SLIDEBUILDS>0</SLIDEBUILDS> <SLIDESCRIPT> If you are logged on as a standard user and attempt to run the Disk Cleanup Wizard, you will be prompted to select the account to use that will allow this elevated privilege. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Again, if you are already logged on with an account that has administrative rights, you will still be prompted for consent when you try to perform actions that may have system-wide impact, although you will not need to provide additional credentials.</TRANSITION> </SLIDETRANSITION>

27 Alerts Operating system application Signed application
<SLIDETITLE INCLUDE=7>Consent Prompts</SLIDETITLE> <KEYWORDS>User Account Control, consent prompts, privileges</KEYWORDS> <KEYMESSAGE>Administrator permission dialog boxes</KEYMESSAGE> <SLIDEBUILDS>0</SLIDEBUILDS> <SLIDESCRIPT> For example, when logged on as the administrator, you may see a dialog box asking for permission to run a known system utility. Another dialog box may recognize, for example, Adobe Photoshop as a signed, trusted application. A third dialog box may ask your permission to run an application called getrichquick.exe. Different colors are displayed for each level of trust. This is meant to keep users from just automatically clicking Allow whenever the dialog box appears. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Now let’s see the effects of UAP on our Windows Vista system.</TRANSITION> </SLIDETRANSITION> Signed application Unsigned application

28 demo User Account Control Basic settings:
User (enable / disable) Advanced: Secpol.msc Local policies/security options

29 Use of Administrative Privilege New logging infrastructure
Improved auditing Main category Logon/Logoff File system access Registry access Use of administrative privilege <SLIDETITLE INCLUDE=7>Improved Auditing</SLIDETITLE> <KEYWORDS>Auditing, Logging</KEYWORDS> <KEYMESSAGE>Logging and Auditing in Windows Vista is improved.</KEYMESSAGE> <SLIDEBUILDS>1</SLIDEBUILDS> <SLIDESCRIPT> Auditing in Windows Vista provides more granularity. Auditing categories now include multiple subcategories, such as logon, logoff, file system access, registry access, and use of administrative privilege, thus reducing the number of irrelevant events. [BUILD1] Windows Vista provides a new logging infrastructure. It is easier to filter through the logs and find the event you’re looking for. Tasks can also be tied to specific events with the Task Scheduler. For example, when an event, such as administrative privilege use, occurs, an can be sent automatically to an auditor. In addition, integrated audit event forwarding collects and forwards critical audit data to a central location, enabling enterprises to better organize and analyze audit data. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Another infrastructure change is improvements to the authentication process.</TRANSITION> </SLIDETRANSITION> New logging infrastructure
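The per-subcategory auditing and event-triggered tasks described in these notes can be set up with the built-in `auditpol`, `wevtutil` and `schtasks` tools. This is an added example, not part of the original presentation; the task name and the notification script path are hypothetical, and event IDs 4673 and 4674 are the Security-log events written by the Sensitive Privilege Use subcategory.

```powershell
# Added example. Run from an elevated prompt on Windows Vista or later.

# 1. Show the current setting of each subcategory under "Privilege Use".
auditpol /get /category:"Privilege Use"

# 2. Audit only sensitive privilege use and leave the noisy non-sensitive
#    subcategory off. This is the granularity that cuts irrelevant events.
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable

# 3. XPath filter for the events that subcategory writes:
#    4673 = a privileged service was called
#    4674 = an operation was attempted on a privileged object
$query = '*[System[(EventID=4673 or EventID=4674)]]'

# 4. Pull the five most recent matching events from the Security log.
wevtutil qe Security "/q:$query" /c:5 /rd:true /f:text

# 5. Tie a task to those events. The script path is a hypothetical
#    placeholder for whatever notifies the auditor in your environment.
schtasks /create /tn Example-NotifyAuditor /sc ONEVENT /ec Security `
    /mo $query /tr 'C:\Scripts\notify-auditor.cmd' /ru SYSTEM

# 6. Confirm the trigger, and remove the task when finished testing.
schtasks /query /tn Example-NotifyAuditor /v /fo LIST
# schtasks /delete /tn Example-NotifyAuditor /f
```

Because the task runs as SYSTEM, the script it launches should be writable only by administrators.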

30 Authentication improvements
Winlogon GINA.dll <SLIDETITLE INCLUDE=7>Authentication Improvements</SLIDETITLE> <KEYWORDS>Winlogon, GINA, authentication</KEYWORDS> <KEYMESSAGE>GINA dlls are ignored with Windows Vista.</KEYMESSAGE> <SLIDEBUILDS>1</SLIDEBUILDS> <SLIDESCRIPT> There are a number of other core security infrastructure upgrades to be aware of in Windows Vista. First, the Graphical Identification and Authentication credential input extension model has been deprecated in favor of a more simple and straightforward credential provider model. With previous versions of Windows, the GINA operates in the context of the Winlogon process; therefore, the GINA DLL is loaded early in the boot process. The GINA DLL must follow rules so that the integrity of the system is maintained, particularly with respect to interaction with the user. The purpose of a GINA DLL is to provide customizable user identification and authentication procedures. The default GINA does this by delegating SAS event monitoring to Winlogon, which receives and processes CTRL+ALT+DEL secure attention sequences. [BUILD1] Windows Vista ignores GINA DLLs. The new authentication model allows vendors to write credential providers with ease compared to writing a GINA. Previously, there could only be one GINA on a system, which sometimes made deployment difficult and limited the flexibility of the system. Windows Vista now enables you to have multiple providers and select a particular one as the default. For example, you can easily deploy a multifactor authentication credential provider method without overwriting a default single-factor authentication provider. To add a provider, all you need to do is to put registration information for the DLL in the registry and export the entry points for the credential provider APIs.
</SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>We have also enhanced the overall user experience by providing Plug and Play support for many Smartcard readers.</TRANSITION> </SLIDETRANSITION> GINA=Graphical Identification and Authentication

31 Plug and Play Smartcard support
<SLIDETITLE INCLUDE=7>Plug and Play Smartcard Support</SLIDETITLE> <KEYWORDS>Plug and Play Smartcard</KEYWORDS> <KEYMESSAGE>Simplified plug and play smartcard support.</KEYMESSAGE> <SLIDEBUILDS>1</SLIDEBUILDS> <SLIDESCRIPT> Typically, in earlier versions of Windows, you had to pick a Smartcard and Smartcard reader, and then load a specialized certificate service provider onto the computer, and perhaps special drivers for the reader. [BUILD1] With Plug and Play in Windows Vista, the goal is for you to simply plug your Smartcard reader into your computer, insert your Smartcard, type your PIN number for the Smartcard, and then quickly log on to your network or make your VPN connection. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Other security changes involve more integrated control.</TRANSITION> </SLIDETRANSITION>

32 Integrated Control Control over installation of removable devices
<SLIDETITLE INCLUDE=7>Integrated Control</SLIDETITLE> <KEYWORDS>device installation, restart manager, security center</KEYWORDS> <KEYMESSAGE>Advanced security control</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> First, we’ve addressed one of our top customer requests, which is giving you control over removable device installation. This addresses the concern of users taking corporate intellectual property away on a USB flash device. In high-security environments, this is a critical request. In Windows Vista, you have the ability to control what devices can be installed, so you’ll be able to set policies that allow mouse devices and keyboards to be installed but no other type of removable devices, such as a USB drive. We’ll see this in the final demonstration of the session in a few moments. [BUILD1] Another new technology in Windows Vista is the Restart Manager. The intent of Restart Manager is to significantly reduce the number of patches that require a system reboot. For example, when you download and begin to install a patch, Restart Manager will look at the patch and identify any processes that are holding a DLL, or services that are using that DLL, and will be able to proactively stop these services, allow the patch to be deployed, and then restart the services. The design goal is to reduce patch-related reboots by at least 50 percent. [BUILD2] From a Security Center standpoint, we’ve added features to provide more visibility and also added anti-malware software status to the Security Center. This supports both Microsoft Anti-Spyware as well as third-party products. 
</SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Now we will look at how you can manage control over removable device installation.</TRANSITION> </SLIDETRANSITION> Restart Manager Security Center improvements

33 demo Blocking unauthorized devices
Block installation of USB flash drives

34 Agenda Windows Vista™ security fundamentals
Mitigating Threats and Vulnerabilities Controlling Access and Identity Protecting Information <SLIDETITLE INCLUDE=7>Agenda: Understanding Engineering Excellence</SLIDETITLE> <KEYWORDS>Agenda</KEYWORDS> <KEYMESSAGE>Agenda</KEYMESSAGE> <SLIDEBUILDS>0</SLIDEBUILDS> <SLIDESCRIPT> One of the main reasons for identity and access control is information protection. Let’s explore safeguards in Windows Vista that protect your information. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>In our ever-expanding world of technology, information is easily available.</TRANSITION> </SLIDETRANSITION>

35 Windows Vista data protection
Policy Definition and Enforcement Rights Management Services <SLIDETITLE INCLUDE=7>Windows Vista Data Protection</SLIDETITLE> <KEYWORDS>Rights Management Services, Encrypted File System, Bitlocker Drive Encryption, data protection</KEYWORDS> <KEYMESSAGE>Three levels of data protection</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> With rights management services, you can set policy rules on documents and ensure that those documents are viewable only by those to whom you’ve granted permission. RMS works with specific productivity applications that have been written to integrate with this security feature, such as Microsoft Office 2003 and Office 2007. [BUILD1] Next, we have user-based file encryption with the Encrypted File System, or EFS, which has been in Windows since Windows You might use EFS if you have a computer that has multiple users and you want to encrypt that data at the per-user level to keep one user from accessing another user’s data. In Windows Vista, there are several EFS enhancements, including the ability to store your EFS keys on a Smartcard, as well as the ability, in conjunction with Windows Server “Longhorn,” to copy EFS-protected data to a Windows Server “Longhorn” file server and have that file stay encrypted end to end. [BUILD2] The third thing that we’ve done from a data-protection standpoint is give you the ability to perform drive-level encryption. BitLocker Drive Encryption is an integral new security feature in Windows Vista that provides complete offline data and operating system protection for your computer. BitLocker ensures that data stored on a computer is not revealed if the computer is tampered with when the installed operating system is offline. This helps protect your data from theft or unauthorized viewing by encrypting the entire Windows volume. 
</SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Another way that data is protected at the computer level is through BitLocker Drive Encryption.</TRANSITION> </SLIDETRANSITION> User-Based File System Encryption Encrypted File System Drive-Level Encryption Windows® BitLocker™ Drive Encryption

36 BitLocker Drive Encryption
Improved protection with the whole disk protected Usability with scalable security protection Enterprise deployment capability Resistant to offline tampering Integrated disaster recovery features <SLIDETITLE INCLUDE=7>BitLocker Drive Encryption</SLIDETITLE> <KEYWORDS>BitLocker Drive Encryption, security</KEYWORDS> <KEYMESSAGE>Introduce Bitlocker</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> BitLocker Drive Encryption is a data-protection feature available in Windows Vista Enterprise and Windows Vista Ultimate editions for client computers and in Windows Server “Longhorn.” BitLocker is a response by Microsoft to one of our top customer requests: Address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned PC hardware with a tightly integrated solution in the Windows operating system. BitLocker prevents a thief who boots another operating system or runs a software hacking tool from breaking Windows Vista file and system protections or performing offline viewing of the files stored on the protected drive. BitLocker enhances data protection by bringing together two major sub-functions: system volume encryption and checking the integrity of early-boot components. Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers. The entire system volume is encrypted, including the swap and hibernation files. Checking the integrity of early-boot components helps to ensure that data decryption is performed only if those components appear tamper-free and that the encrypted drive is located in the original computer. BitLocker offers the option to lock the normal boot process until the user supplies a PIN, much like an ATM card PIN, or inserts a USB flash drive that contains keying material.
These added security measures provide multifactor authentication and assurance that the computer will not boot or resume from hibernation until the correct PIN or USB flash drive is presented. Finally, BitLocker provides enhanced recovery options. BitLocker has a disaster recovery console integrated into the early boot components to provide for data retrieval. In the default setting, BitLocker requires no user actions, and even activation itself can be done remotely and automatically. By being tightly integrated with Windows Vista, BitLocker provides a seamless, secure, and easily manageable data protection solution for the enterprise. For example, BitLocker optionally leverages an enterprise’s existing Active Directory Domain Services infrastructure to remotely escrow recovery keys. Based upon policy, BitLocker can also be set to back up keys and passwords onto a USB dongle or to a file location. A recovery password should also be set by the administrator so that Windows operation can continue as normal.

37 BitLocker Drive Encryption

38 BitLocker Drive Encryption

39 Trusted Platform Module (TPM)
Diagram labels: TPM, Volume Master Key, Full Volume Encryption Key, Cleartext Data; Encrypted Volume Key, Encrypted Full Volume Encryption Key, Encrypted Data
<SLIDETITLE INCLUDE=7>Trusted Platform Module</SLIDETITLE> <KEYWORDS>Trusted Platform Module, TPM</KEYWORDS> <KEYMESSAGE>What is a Trusted Platform Module?</KEYMESSAGE> <SLIDEBUILDS>1</SLIDEBUILDS> <SLIDESCRIPT> This helps protect your data from theft or unauthorized viewing by encrypting the entire Windows volume. BitLocker Drive Encryption is designed to offer a smooth user experience with systems that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM with any appropriate BIOS modifications required to support the Static Root of Trust Measurement as defined by the Trusted Computing Group. The TPM interacts with BitLocker Drive Encryption to help provide seamless protection at system start-up. The TPM helps protect secrets and provides another chain of trust for keys and credentials. A TPM is a microcontroller that stores keys, passwords, and digital certificates. Normally, it is attached to the motherboard; however, it can be used in any computing device that requires its functions. TPM specifications require cryptographic algorithms: RSA, SHA-1, and HMAC. The TPM provides secure storage and key generation capabilities, similar to other hardware authentication devices, so it can be used to create or store both user and platform identity credentials for use in authentication. The TPM can also protect and authenticate user passwords, thereby providing an effective solution integrating strong, multifactor authentication directly into the computing platform. With the addition of complementary technologies, such as Smartcards, tokens, and biometrics, the TPM enables true computer and user authentication. [BUILD1] BitLocker-enabled systems using TPM-only authentication can be used just like any other system. After starting Windows, users are prompted for their domain user name and password, which is a normal logon experience. Unless informed about the feature, users will not be aware that there is an extra level of protection on their computers. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>Customers have several choices of how to deploy BitLocker, with a range of ease of use versus security choices.</TRANSITION> <TRANSITION LENGTH=2>Customers have several choices of how to deploy BitLocker, with a range of ease of use versus security choices.</TRANSITION> <TRANSITION LENGTH=4>Customers have several choices of how to deploy BitLocker, with a range of ease of use versus security choices.</TRANSITION> </SLIDETRANSITION> <COMMENT></COMMENT> <ADDITIONALINFORMATION> <ITEM></ITEM> </ADDITIONALINFORMATION>

40 Spectrum of Protection
Chart: deployment options plotted by Ease of Use against Security: TPM Only, Dongle Only, TPM & PIN, TPM & Dongle
<SLIDETITLE INCLUDE=7>Spectrum of Protection</SLIDETITLE> <KEYWORDS>Trusted Platform Module, TPM, Dongle, Bitlocker</KEYWORDS> <KEYMESSAGE>Ways to deploy Bitlocker.</KEYMESSAGE> <SLIDEBUILDS>3</SLIDEBUILDS> <SLIDESCRIPT> From an ease-of-use standpoint, the TPM-only solution is completely transparent to the user. There is no special user interaction necessary in this mode, because the decryption key is released if the operating system hasn’t been tampered with, based on operating system measurements that are stored in the TPM chip. [BUILD1] If you want to deploy BitLocker to a computer without a TPM chip, the dongle-only solution is the only choice. The key to decrypt the volume is stored on a USB flash device with this deployment method. The user has to plug in the USB dongle each time the computer is booted, so ease of use isn’t as good as with the TPM. The major downside to this deployment method is that it’s reliant on human behavior. If the user leaves the USB flash drive with the decryption key in his or her laptop bag and a thief gets the laptop bag, this person can decrypt the user’s data. With this deployment method, the user needs to keep the USB flash device separate from the portable computer, for example, on a keychain. [BUILD2] A TPM-plus-PIN solution is the best balance between security and usability. With this solution, the user simply has to enter a PIN each time the system is booted. [BUILD3] The most secure, and least usable, way of deployment is TPM plus Dongle. With this deployment method, the system will only boot if the operating system hasn’t been tampered with while offline, and if the user inserts the correct USB flash device. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1> You can be confident that Windows Vista is the most secure operating system that we have ever shipped. </TRANSITION> <TRANSITION LENGTH=2> You can be confident that Windows Vista is the most secure operating system that we have ever shipped. </TRANSITION> <TRANSITION LENGTH=4> You can be confident that Windows Vista is the most secure operating system that we have ever shipped. </TRANSITION> </SLIDETRANSITION> <COMMENT></COMMENT> <ADDITIONALINFORMATION> <ITEM></ITEM> </ADDITIONALINFORMATION>
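The release rule described in the notes for slides 39 and 40 (the key is handed out only when the boot measurements match, optionally with a PIN) can be modelled in a few lines. This is an added example, not code from the presentation or from Microsoft: the `ToyTPM` class, the XOR key wrap standing in for real encryption, the component names and the PIN are all illustrative assumptions.

```python
import hashlib, hmac, os

def extend(pcr, component):
    # TPM 1.2 PCR extend: new = SHA-1(old || SHA-1(component)); order-sensitive.
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components):
    pcr = bytes(20)  # a static PCR starts at all zeros after reset
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def xor_wrap(key, wrapping_key):
    # Toy stand-in for real key wrapping (its own inverse); not secure.
    pad = hashlib.sha256(wrapping_key).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

class ToyTPM:
    """Models only the release policy of a TPM, not its cryptography."""
    def seal(self, vmk, pcr, pin=None, usb_key=None):
        self._sealed = (vmk, pcr, self._auth(pin, usb_key))
    @staticmethod
    def _auth(pin, usb_key):
        return hashlib.sha1((pin or "").encode() + b"|" + (usb_key or b"")).digest()
    def unseal(self, pcr_now, pin=None, usb_key=None):
        vmk, pcr, auth = self._sealed
        pcr_ok = hmac.compare_digest(pcr, pcr_now)
        auth_ok = hmac.compare_digest(auth, self._auth(pin, usb_key))
        return vmk if pcr_ok and auth_ok else None

def boot(tpm, components, wrapped_fvek, pin=None, usb_key=None):
    # The FVEK is recovered only if the TPM releases the Volume Master Key.
    vmk = tpm.unseal(measure_boot(components), pin, usb_key)
    return None if vmk is None else xor_wrap(wrapped_fvek, vmk)

# Constructed sample boot chains (placeholder component contents).
GOOD_CHAIN = [b"BIOS", b"MBR", b"boot sector", b"boot manager"]
TAMPERED_CHAIN = [b"BIOS", b"MBR (modified)", b"boot sector", b"boot manager"]

def demo():
    fvek, vmk = os.urandom(32), os.urandom(32)
    wrapped = xor_wrap(fvek, vmk)
    tpm = ToyTPM()
    tpm.seal(vmk, measure_boot(GOOD_CHAIN), pin="4821")  # TPM & PIN mode
    return {
        "trusted boot, right PIN": boot(tpm, GOOD_CHAIN, wrapped, pin="4821") == fvek,
        "trusted boot, wrong PIN": boot(tpm, GOOD_CHAIN, wrapped, pin="0000") is None,
        "tampered boot, right PIN": boot(tpm, TAMPERED_CHAIN, wrapped, pin="4821") is None,
    }
```

Sealing with neither `pin` nor `usb_key` models the TPM-only mode, and passing `usb_key` models TPM plus dongle.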

41 Conclusion
Windows Vista is the most secure Windows operating system to date
Windows Vista protects users
Other security improvements help protect data and are easy to deploy
<SLIDETITLE INCLUDE=7>Session Summary</SLIDETITLE> <KEYWORDS>Summary</KEYWORDS> <KEYMESSAGE>Summary</KEYMESSAGE> <SLIDEBUILDS>2</SLIDEBUILDS> <SLIDESCRIPT> Steps have been taken at Microsoft to ensure that Windows Vista has gone through the Software Development Lifecycle and that it adheres to code integrity standards. In addition, Windows Service Hardening ensures that critical Windows services only perform expected activities relating to the file system, registry, and the network. [BUILD1] Windows Vista includes features to protect users. User Account Control, while also providing security in your network, can allow users to perform business-related activities to stay productive. For example, laptop users can change the time zone and set power settings, which wasn’t previously available without elevated permissions. Protected Mode in Internet Explorer 7 limits Internet Explorer to just enough privileges to browse the Web but not enough to modify user files or settings by default. This allows users to get the information they need, while still protecting the computer against malicious sites. [BUILD2] From Rights Management Services and BitLocker Drive Encryption, to improved Smartcard functionality and deployment, there are many exciting new security features in Windows Vista. </SLIDESCRIPT> <SLIDETRANSITION> <TRANSITION LENGTH=1>To get more information on the products and technologies we have covered today, we have some online resources available that can help.</TRANSITION> <TRANSITION LENGTH=2>To get more information on the products and technologies we have covered today, we have some online resources available that can help.</TRANSITION> <TRANSITION LENGTH=4>To get more information on the products and technologies we have covered today, we have some online resources available that can help.</TRANSITION> </SLIDETRANSITION> <COMMENT></COMMENT> <ADDITIONALINFORMATION> <ITEM></ITEM> </ADDITIONALINFORMATION>

42 Your potential. Our inspiration.®
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this presentation.

