Introduction to Desktop security
CNCI (Comprehensive National Cybersecurity Initiative), 2009.3 2009 년 3 월, 미국의 DHS(Department of Homeland Security) 는포괄적국가사이버안전정책발표 사이버침해사고에대한사후대응전략에서사전예방중심으로변환 12 개핵심전략으로구성되었으며, 비밀로분류된국가안보에관한대통령명령 23(NSPD54/HSPD23) 을근거로하고있고내용의일부만공개 핵심기술 FDCC(Federal Desktop Core Configuration): 연방기관내업무용데스트탑 PC 및노트북보안강화 TIC(Trusted Internet Connection): 연방기관간인터넷경로보안체제강화 Einstein 프로그램 : 연방기관간인터넷통신감시체제구축 TI C 연방기관과외부와의모든트래픽을점검 연방정부의모든 PC 의보안성검토 FDCC 적용 교통부 TI C Einstein 센서 인터넷 국무부 재무부 TI C 이상징후 4,300 여개의외부인터넷과의연결점을 100 개미만으로축소 국토안보부 2
1 From Unmanaged To Managed Patch and deploy current OS and all applications Restrict administrative privileges No user should run as local admin on their workstation, even administrators Domain admins should never logon to workstations or member servers in the domain (only on domain controllers) Service accounts with high privileges are a risk Whitelist applications
3 ( 대다수 ) 사용자는일반사용자권한으로실행 보안설정과정책적용 사용이승인되지않은애플리케이션을로컬관리자가추가하는것을허락하지않음 서비스계정에대한강한통제 도메인관리자에대한강한통제 원하는구성에서벗어나는지능동적으로감시
4 베이스라인유지 무엇이 규범 인지인식하고이를주기적으로집행 정책의명확성 데이터보호가지상목표!
기존환경 안전한 PC 관리환경 특징 : 중요정보보관및공무수행 좀비 PC 등침입경로 중요정보유출 그룹별보안정책관리 보안프로그램관리 운영체제보안관리 보안패치관리 보안정책및관리서버 ( 중앙통제 ) 문제해결 사용자 ( 비전문가 ) 에의한관리 취약한윈도우설정 보안프로그램관리소홀 보안관리서버 ( 전문가 ) 에의한관리
SW 배포및 PC 관리인프라부실 보안팀의과도한제한 전체적인절차와표준부재 무언가잘못되기만하면 lockdown 에책임을전가 사용자는흔히시스템을개인자산으로간주 Lockdown 시도에대한막후방해와저항 Lockdown 을피하기위해대안제품사용 오작동하는기존애플리케이션교체비용 6
9 1. 관리자권한제거 2. 좋은평가를받는보안정책표준개발및구현 3. 감시와능동적수정으로 lockdown 상황유지
8 미연방정부 US DoD STIGs(Security Technical Implementation Guides) US Air Force, SDC(Standard Desktop Configuration) Standardized locked-down configuration (XP SP2) DISA(Defense Information Systems Agency) Gold Disk Standard 국립표준기술연구소 (NIST) Federal Desktop Core Configuration(FDCC) US Government Configuration Baseline(USGCB) - 연방기관에서사용하는모든업무용 PC와노트북에동일한보안설정을강제적용하여동일한보안수준유지 - 동일규격의제품제작으로조달비용및소용시간감소 Microsoft security guidance Security Compliance Manager(SCM) 에포함되어있음
9 실제사용환경기반, 대규모배포 미공군 550,000 데스크톱과랩톱표준화 이론에머문정책이아님 Active Directory 도메인에들여올수있는그룹정책객체들 (Group Policy Objects, GPOs) 이제공됨 경제적이유 FISMA 스코어카드와연계됨 규정준수 집행방법이제공됨 Security Content Automation Protocol (SCAP)
1 문서화되고입증된데스크톱보안설정의업계표준 제정협력기관 Microsoft NIST Defense Information Systems Agency National Security Agency 미예산관리국 (OMB) 의요구 700개이상의설정을명시적으로정의 처음에는윈도우 7을위한설정으로시작 현재는윈도우 XP와윈도우비스타를위한설정도정의됨
( 대다수 ) 사용자는일반사용자권한으로실행 수신방화벽 On 파일과프린터공유 Off 무선네트워크 Off IE8 보호모드 On 암호길이 12 에서 15 문자로설정 ActiveX 컨트롤, 서명되지않은드라이버, 통제가능 1
1 표준사용자계정요구 관리자들은별도의관리자계정을가짐 사용자가최소권한만으로실행하므로프로세스도최소의권한만으로실행 낮은권한의프로세스는침해가발생하더라도시스템이미치는손상이적음 LUA는애플리케이션개발에큰영향을미침
잠재적보안위험성 PC 보안강화 15
2
1 한 GPO 는컴퓨터구성, 사용자구성두섹션으로구성 보안베이스라인도컴퓨터설정과사용자설정을가짐 컴퓨터와사용자설정을분리할필요가있을수있음
FDCC 팀에서 100 회가넘는참여 다양한전문분야에서일하는 22명의컨설턴트 프로그램관리자 여러전문도구출시 LGPO tool 로컬시스템에서 GPO 실험 LUA Buglight 주로윈도우 XP용애플리케이션대상 IEZoneAnalyzer IE security zone 비교 Security Configuration Manager Microsoft Security Guidance SCAP 커맨드릿 기타다양한주제로발표와토의 2
데스크톱보안강화는시스템을 lockdown 에서출발 USGCB 는 lockdown 된시스템에기초하여안전한데스크톱환경을추구하는보안지침 USGCB 는그룹정책을집행할수있는잘구축된디렉터리서비스에의해가장효과적으로실현됨 기존애플리케이션의호환성이핵심적문제 Microsoft 는 FDCC/USGCB 의핵심기여자및협력자
2 NIST USGCB site The United States Government Configuration Baseline Microsoft USGCB site http://www.microsoft.com/industry/government/solutions/usgcb/default.aspx USGCB Tech Blog http://blogs.technet.com/b/fdcc/ SCAP validated tools http://nvd.nist.gov/scapproducts.cfm Microsoft Trustworthy Computing http://www.microsoft.com/about/twc/
Introduction to BYOD security
What is BYOD (Bring Your Own Device)? Recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources. Globally, 88% of executives report employees are using their personal computing technologies for business purposes today* Globally, 62% of executives say they are now have or are planning to have a BYOD program for smartphones and tablets* * Gartner: Using Peer-to-Peer communities to Drive BYOD self-support; Aug 3, 2012
BYOD blurs the line between enterprise and personal computing, which significantly complicates the job of governance, risk, and compliance management Defining a security policy Enforcing security policies Information on devices Interactions with the cloud Unmanaged connections to the internal network Source: http://www.cioupdate.com/technology-trends/byod-byoc-may-change-everything-about-security.html
Pros For businesses Reduced Cost (employee devices) Employees take care of personal devices Embracing newer technologies For employees Empowerment Work with preferred technology Exclusive control over features Cons For businesses Company information less secure Administrative effort Increase Cost (Infrastructure & Administrative) May need to pay for phone service for the devices Compliance, Legal & HR Considerations For employees May not fully control their devices Out-of-pocket expense Responsible for device maintenance
What personal devices are employees bringing to work? Personal computers (Windows, Mac OS X, others)
Trust Risk Access Employee influences Company influences Employee manages Company manages Employee purchases Company purchases Source: http://blogs.msdn.com/b/arnoha/archive/2012/04/09/a-framework-for-byod-byoc.aspx Freedom
Benefits: Agility Productivity Happier end users Technology issues: Devices Limit mobile-device access Deploy device policies Control device access Manage remote devices Data Classify the company s intellectual property (IP) Prevent data leaks Encrypt business data Network Protect IP from devices Quarantine devices Control access to company content from unmanaged devices Applications Access applications from any device Objective: use any device anytime, anywhere Challenge: regardless of ownership, make everything just work, and ensure that intellectual property is protected Cloud services Virtual desktop FIREWALL DATA SERVERS
Too many identities and credentials Potential damage to corporate network by infected devices Access from compromised or hacked accounts Denial of service (DoS) and other attacks on corporate resources exposed over the Internet Password brute force or account lockout DoS attacks Expired or changed password leads to prompts by several apps Unintentional exposure to HBI corporate data and services Credentials exposure Expired or changed password leads to prompts by several apps Corporate data lands in consumer services (SkyDrive, Dropbox) and on devices that can be lost Hard to determine whether the authorization policy is working as intended
Windows 8 enterprise scenarios How can Windows 8 and Windows Server 2012 help enable a secure BYOD scenario? More specifically, how can they help protect a company s information and assets?
Windows 8 enterprise scenarios Support a mobile workforce * On any device certified for use with Windows 7 or Windows 8
Helps protect the OS volume XXXXX XXXXX
XXXXX Helps protect the data drive XXXXX
Windows To Go: Your portable workspace A consistent Windows 8 experience on any device with Windows To Go Systems Management Tools App-V Folder redirection App-V Booting from internal hard drive 01100111 11010011 11001001 10001001 Folder redirection App-V FIREWALL Folder redirection Booting from external USB drive 01100111 11010011 11001001 10001001 BitLocker
RemoteFX delivers a consistently rich user experience to users over Remote LAN Desktop or WAN (irrespective of deployment model) Virtualization Host Server Manager RemoteFX Corporate LAN Remote Desktop Web Access Remote Desktop Gateway Internet or WAN Hardware and Software GPUs Remote Desktop Connection Rich multimedia Broker USB Redirection SQL Remote Desktop Database Session Host Multi Touch WAN acceleration Single Sign On Remote Desktop Licensing
Powered by Windows Server 2012 Remote Desktop Services Corporate office Desktop sessions Pooled VMs Personal VMs Branch office FIREWALL Home Library / Coffee house 1 platform 1 experience 3 deployment choices Efficient management Best value for VDI Rich experience online everywhere
Managed Unmanaged System Center 2012 Configuration Manager Unify user management across devices through Windows Intune integration Automatically deliver applications in the most appropriate format for each device Support for Windows 8 and Mac OS Unified console to manage on-premises and cloud-based devices with Windows Intune Windows Intune Help secure and manage devices through the cloud Provision applications to devices without requiring a full domain join Windows Server 2012 Improve VDI user experience over WAN links for branch offices and remote users Simplify VDI configuration and management to reduce VDI storage costs Apply automatic and manual classification of files to tag data across the organization Control access to files to apply safety-net policies for information governance
Centralized management across platforms
Determine user access rights, and then deliver based on device type Same user, same app, different device
Server Manager Remote Desktop virtualization host Remote Desktop Web Access Remote Desktop Connection Broker Virtual desktop collection SQL database Remote Desktop session host Remote Desktop Gateway Remote Desktop licensing Session collection
USER EMPOWERMENT Mobility Choice of personal devices Social networking Whatever I want just make it work IT CONTROLS Cost Reliability Security Efficiency I would like to, but there are limitations RISK AND COMPLIANCE
2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.