Windows Hello
Transcription
Tech Data – Microsoft Windows 10 – Management Features and What's New in Security. MS FY15 2HY. Tech Data – Microsoft – Windows 10.
Contact: Microsoft @ Tech Data, Kistlerhofstr. 75, 81379 München, [email protected], +49 (0) 89 / 47 00 – 28 08. Bernd Sailer, Licensing and Technology Consultant, [email protected], http://www.skilllocation.com

Windows 10 for enterprises – management
Windows provides the management functions enterprises need. Enterprise requirements change constantly; Windows 10 offers management functions that keep pace with them.

Recent past → today
• Fixed working hours and workplaces → work and private life blend
• PCs on the LAN, domain-joined → laptops, tablets, smartphones, anywhere, on any network
• Company-owned devices → company-owned and personal devices, data and apps
• Homogeneous IT infrastructure → heterogeneous IT infrastructure (Windows, Android, iOS, Chrome)
• Long OS/servicing lifecycle → shorter update cycles, shorter device lifecycle
• On-premises applications and file shares → SaaS applications and file-sharing services
• Access rights apply only inside the company → access control spans company, apps and users
• Strict management and policies → cloud-based management with less control
• Malware threat: vandalism and crime → malware threat: espionage and cyber weapons
• Network perimeter as the outermost line of defence → internal and external attacks on the network
• Dedicated devices for specific tasks → dynamic choice of devices

Available options/variants
• Identity: Active Directory; Azure Active Directory
• Management: Group Policy, System Center Configuration Manager, third-party PC management; Intune, third-party MDM
• Updates: Windows Update; Windows Server Update Services (WSUS); Intune, third-party MDM
• Infrastructure: on-premises or in the cloud
• Ownership: company-owned, CYOD; BYOD
These options can be combined freely so that each enterprise finds the solution that fits it.

Three tiers: basic / advanced / full control
• Basic: Exchange ActiveSync; Windows Update; BYOD (privately owned devices); access by e-mail only
• Advanced: Active Directory and/or Azure Active Directory; Mobile Device Management (MDM); Windows Update/MDM; company-owned and BYOD devices; access to the corporate network and the Internet
• Full control: Active Directory; Group Policy and System Center; WSUS; company-owned devices; corporate network

Products
• Cloud services: Azure Active Directory, Azure RMS, Microsoft Intune, Windows Store, Windows Update
• Windows Server: Active Directory, Group Policy, Windows Server Update Services (WSUS)
• System Center Configuration Manager; Microsoft Desktop Optimization Pack (MDOP)
• Windows client: Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), Windows Update, Group Policy client, Mobile Device Management (MDM), PowerShell, AppLocker

Support matrix (supports management of Windows 10 / supports deployment of Windows 10) for: System Center 2012 R2 Configuration Manager, System Center 2012 Configuration Manager, System Center Configuration Manager 2007, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008, Microsoft Deployment Toolkit 2013.

Significant improvements simplify the management of mobile and stationary devices
Windows 8.1: fully enterprise-managed devices and device lockdown on the desktop; only rudimentary BYOD security settings on the smartphone. Windows 10, smartphone and desktop alike:
• Unenrollment with warnings
• Removal of the corporate configuration (apps, certificates, profiles, policies) and of encrypted corporate data (EDP)
• Full device wipe
• Remote lock, PIN reset, ring and locate
• Extended inventory for compliance decisions
• Managed Windows Store
• Business Store Portal (BSP) app deployment; licence reclamation
• Management of enterprise apps
• Simplified management of line-of-business apps
• Management of Win32 applications (MSI)
• App inventory (line-of-business and Windows Store apps)
• Allow/deny lists of apps with AppLocker
• Enterprise Data Protection
• One consistent MDM solution for mobile and stationary devices and IoT
• Provisioning: bulk enrollment, simple bootstrap, similar protocols, Azure AD integration
• Additional device inventory
• Extended policy set
• Client certificate management
• Corporate Wi-Fi
• VPN management
• E-mail provisioning
• MDM push
• Device update management
• Configuration and management of kiosk mode, Start screen and Start menu

Company-owned devices
• The device joins AD and is authorized; the user signs in with an AD account; Group Policy + System Center apply the settings
• The device joins Azure AD and is authorized; the user signs in with an Azure AD account; Intune/MDM apply the settings
• Result: enterprise-wide single sign-on plus cloud-based services

Privately owned devices (BYOD)
• The device connects to AD or Azure AD through device registration to be authorized for remote access
• The user signs in with a Microsoft account that is linked to an Azure AD account
• Intune/MDM

Simple connection: on-premises Windows Server Active Directory (and other directory services) synchronised with Microsoft Azure Active Directory in the cloud; self-service and single sign-on for the user (username and password entered once) to Office 365, Azure, Intune and other SaaS; ONE management console: Intune.

Group Policy: new in Windows 10, better than Windows 7
New policies supporting new Windows 10 features:
• Management of the Start screen and Start menu
• Settings for "Project Spartan" (code name of the new browser generation)
• Advanced settings for PIN-based authentication
• Management of Universal apps
New in Windows 8.1:
• IPv6 support for printers, VPN and targeting
• Policy caching
New in Windows 8:
• Optimized client logon over DirectAccess
• Optimized handling of large registry policies (registry.pol)
• Remote refresh of Group Policy (GPUpdate)
• More efficient background processing

Windows 10: more security for your enterprise customers (overview)
• Store apps, cloud services, Business Store Portal
• Browser security
• Enterprise Data Protection, IRM & S/MIME, device encryption, Mobile Device Management
• Microsoft Passport, Windows Hello, two-factor authentication
• Network security, OS services, app platform
• Trusted Boot, single-source updates, only signed binaries, attestation, UEFI Secure Boot, TPM 2.0

Shared secrets (passwords) are easily breached, stolen or phished.

Microsoft Passport user credential: your device is one of the factors
• An asymmetric key pair, provisioned via PKI or created locally by Windows 10
• Secured by hardware
Accessing the credential:
• PIN: simplest implementation option, no hardware dependencies, user familiarity
• Windows Hello: improved security, ease of use, impossible to forget
(Sample design, UI not final)

Introducing Microsoft "Passport" – goals
• Replace passwords with a private key made available solely through a "user gesture" (PIN, Windows Hello, remote device, etc.)
• Support both local Passport and Passport2Go (phone, USB dongle, etc.)
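The credential model described above in code, as an added example that is not part of the Tech Data deck: the device creates a signing key through the Microsoft Platform Crypto Provider so that the private half lives in the TPM, falls back to the software key storage provider only when no ready TPM is found, and signs a challenge; an in-memory stand-in for the identity provider stores only the public half, mapped to the account, and verifies the signature. The key name, account name, relying-party name and challenge layout are assumptions made for the example.

```powershell
# Added example (not from the deck). Device side: TPM-backed key via the Platform Crypto Provider,
# software KSP only as last resort. IDP side: public key mapped to an account, signature verified.
# Names ('Passport-Example-Key', the account and relying-party strings) are illustrative assumptions.

function New-PassportKey {
    param([Parameter(Mandatory)][string]$KeyName)
    $tpm = Get-Tpm -ErrorAction SilentlyContinue            # needs elevation; $null if unavailable
    $providerName = if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
        'Microsoft Platform Crypto Provider'                 # key is generated and kept inside the TPM
    } else {
        'Microsoft Software Key Storage Provider'            # software fallback, the "last resort"
    }
    $provider = New-Object System.Security.Cryptography.CngProvider($providerName)
    if ([System.Security.Cryptography.CngKey]::Exists($KeyName, $provider)) {
        return [System.Security.Cryptography.CngKey]::Open($KeyName, $provider)
    }
    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $params.Provider     = $provider
    $params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None   # private half never leaves the provider
    [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $KeyName, $params)
}

# Registration: the IDP keeps only the public half, plus which provider produced the key,
# so that it can later insist on a hardware-bound credential.
function Register-PassportKey {
    param([hashtable]$Directory, [string]$Account, [System.Security.Cryptography.CngKey]$Key)
    $Directory[$Account] = @{
        PublicKey = $Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
        Provider  = $Key.Provider.Provider
    }
}

# The challenge carries the relying party's name, so a signature produced for one IDP
# cannot be replayed to another, and a fresh nonce, so it cannot be replayed at all.
function New-Challenge {
    param([string]$RelyingParty)
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    [byte[]]([System.Text.Encoding]::UTF8.GetBytes("$RelyingParty|") + $nonce)
}

# Device side: signing happens only after the user gesture (PIN/Hello) unlocked the key.
function New-ChallengeSignature {
    param([System.Security.Cryptography.CngKey]$Key, [byte[]]$Challenge)
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($Key)
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $ecdsa.SignData($Challenge)
}

# IDP side: look the account's public key up and validate the signed request.
function Test-SignedChallenge {
    param([hashtable]$Directory, [string]$Account, [byte[]]$Challenge, [byte[]]$Signature, [switch]$RequireHardwareKey)
    $entry = $Directory[$Account]
    if (-not $entry) { return $false }                       # unknown account: nothing to verify against
    if ($RequireHardwareKey -and $entry.Provider -ne 'Microsoft Platform Crypto Provider') { return $false }
    $pub   = [System.Security.Cryptography.CngKey]::Import($entry.PublicKey,
                 [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($pub)
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $ecdsa.VerifyData($Challenge, $Signature)
}

# Walk-through against a constructed in-memory "IDP"
$idp = @{}
$key = New-PassportKey -KeyName 'Passport-Example-Key'
Register-PassportKey -Directory $idp -Account 'bernd@contoso.example' -Key $key
$challenge = New-Challenge -RelyingParty 'login.contoso.example'
$signature = New-ChallengeSignature -Key $key -Challenge $challenge
Test-SignedChallenge -Directory $idp -Account 'bernd@contoso.example' -Challenge $challenge -Signature $signature
Test-SignedChallenge -Directory $idp -Account 'bernd@contoso.example' -Challenge (New-Challenge 'login.contoso.example') -Signature $signature
$key.Delete()   # remove the example key from the provider again
```

The first verification returns True; the second returns False because the old signature is presented against a new challenge, which is exactly the replay a shared secret cannot prevent. Passing `-RequireHardwareKey` makes the IDP reject keys that ended up in the software provider, which is the policy decision behind "hardware-bound keys can be attested" on the next slide.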
• Introduce Microsoft Passport for convenience first and security first: the user experience must be at least as good as with passwords.

Using Microsoft "Passport" – the credential
• To IT it is familiar: it is based on a certificate or an asymmetric key pair
• To the user it is familiar: a Windows Hello or PIN user gesture
• Provable with OTP, code and PhoneFactor …
• The Passport public key is mapped to a user account

Securing Microsoft "Passport" – the usage
• Keys are ideally generated in hardware (TPM) first; software only as a last resort
• Hardware-bound keys can be attested
• A single "unlock gesture" gives access to multiple credentials, isolated per origin
• Browser support via JavaScript/WebCrypto APIs lets web sites create and use Passport for users

Flow (diagram): the user unlocks the Windows identity container with PIN or Hello. The IDP (Active Directory, Azure Active Directory, Microsoft account, other IDPs) creates the account or proves identity, then creates and trusts a unique key. (1) Authentication by validating the signed request; (2) authentication token; (3) the resource (relying party) trusts tokens from the IDP; (4) access token, with token binding. A consumer device activates with a Microsoft account and adds an Azure AD account.

Out-of-box experience (screens):
"Who owns this PC? This choice is important, and it isn't easy to switch later. If this machine belongs to your organization, signing in with that ID will give you access to their resources. – This device belongs to my organization / This device belongs to me – Help me choose – Back / Next"
"Choose how you'll connect. You can connect Windows to your organization in one of two ways: Join to Azure AD / Set up a local account (domain join later). Choose this option if your organization uses Office 365 or other business services from Microsoft. Your organization might collect info about you, install or remove apps, change settings or disable features, delete content, or reset your device. Talk to your support staff to learn more. – Back / Continue"
"Let's get you signed in – Work or school account: [email protected] / •••••••• – I forgot my password – Which account should I use? Sign in with the username and password you use with Office 365 (or other business services from Microsoft). – Skip this step – Privacy statement – Back / Sign in"
Branded variant: "Need help? Contact the Starbucks Help Desk at (206) 555-1234. This service is operated by Microsoft on behalf of Starbucks and is for the exclusive use of their employees and partners."
"Taking you to the sign-in page for your organization"
"Create a work PIN – You'll use your work PIN to unlock this device and access your organization's apps and services. A PIN is faster to use and more secure than a password. How can a short PIN be safer than a long password? – Create PIN"
"Select a verification option: Send a text message to my phone number ending in 77 / Call me at my phone number ending in 77 / Send a notification to my authenticator app / Use my authenticator app to get a security code – Back / Next"
"Create a work PIN – Use a 4-digit PIN" (default), or with PIN complexity requirements: "Your organization has set the following PIN complexity requirements: Minimum length is 8. Maximum length is 127. An uppercase letter is required. …"
"Applying changes. This might take a minute…"

Deployment requirements (diagram: a Surface running Windows 10, Azure AD joined or domain joined or BYOD + Add Work Account; AAD Sync; on-premises apps, file servers, printers), by credential type:
• Every scenario needs an AAD subscription and an MDM (Intune or third-party MDM)
• Certificate-based deployments additionally need a PKI infrastructure, and SCCM 2012 R2 SP2/2015 for certificate deployment on domain-joined PCs
• Key-based deployments that reach on-premises resources need AAD Sync with public/NGC key write-back, Windows Server "10" AD DS domain controllers and AD FS "10"
• Certificate-based deployments on domain-joined PCs need the Windows Server "10" AD DS schema, AD FS "10" and a PKI infrastructure

Windows Hello (lock screen: "Hello Bernd")
Fingerprint, iris, facial recognition. Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and biometrics.
• Enrollment: find a face → discover landmarks → detect head orientation → build and secure a vector-based template
• Usage: find a face → discover landmarks → detect head orientation → build a vector-based representation → does it match a template?
• Recovery: find a face → does not match the template → "Type a PIN to verify your identity" / "Looking for you."
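The PIN complexity requirements shown on the "Create a work PIN" screen are policy, not a property of the device. As an added example that is not from the deck, the block below writes that policy the way Group Policy and the PassportForWork MDM policy store it (turning Hello for Business on and requiring a TPM-bound key at the same time), sets the enhanced anti-spoofing option that backs the face-spoofing defence the deck covers next, and mirrors the complexity check so a candidate PIN can be tested against the policy before it is pushed. The specific numbers other than the three from the slide, and the sample PINs, are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the deck). Policy values beyond the slide's three (min 8, max 127,
# uppercase required) are illustrative. Requires elevation: these are HKLM policy keys.

$passportPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$pinPolicy      = "$passportPolicy\PINComplexity"
$facePolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'

# Character-class encoding used by the PassportForWork policy: 0 = allowed, 1 = required, 2 = not allowed
$pinRules = @{
    MinimumPINLength  = 8      # from the slide
    MaximumPINLength  = 127    # from the slide
    UppercaseLetters  = 1      # required, from the slide
    LowercaseLetters  = 0
    Digits            = 0
    SpecialCharacters = 0
    History           = 5      # assumed: last 5 PINs may not be reused
    Expiration        = 0      # assumed: days until a new PIN is demanded, 0 = never
}

function Set-PolicyValues {
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

function Set-WorkPinPolicy {
    # Hello for Business on; RequireSecurityDevice makes provisioning fail rather than fall back to a software key
    Set-PolicyValues -Path $passportPolicy -Values @{ Enabled = 1; RequireSecurityDevice = 1 }
    Set-PolicyValues -Path $pinPolicy      -Values $pinRules
    # Face sign-in must pass the IR liveness check (rejects photos, videos and printed models)
    Set-PolicyValues -Path $facePolicy     -Values @{ EnhancedAntiSpoofing = 1 }
}

# Same rules as the PIN UI enforces, so a policy can be sanity-checked before deployment
function Test-WorkPin {
    param([string]$Pin, [hashtable]$Rules)
    $problems = @()
    if ($Pin.Length -lt $Rules.MinimumPINLength) { $problems += "shorter than $($Rules.MinimumPINLength)" }
    if ($Pin.Length -gt $Rules.MaximumPINLength) { $problems += "longer than $($Rules.MaximumPINLength)" }
    $classes = @{
        UppercaseLetters  = '[A-Z]'
        LowercaseLetters  = '[a-z]'
        Digits            = '[0-9]'
        SpecialCharacters = '[^A-Za-z0-9]'
    }
    foreach ($class in $classes.Keys) {
        $present = $Pin -cmatch $classes[$class]      # -cmatch: case-sensitive, -match would ignore case
        switch ($Rules[$class]) {
            1 { if (-not $present) { $problems += "$class required" } }
            2 { if ($present)      { $problems += "$class not allowed" } }
        }
    }
    [pscustomobject]@{ Pin = $Pin; Accepted = ($problems.Count -eq 0); Problems = $problems }
}

Set-WorkPinPolicy
Test-WorkPin -Pin '1234'       -Rules $pinRules   # rejected: too short, no uppercase letter
Test-WorkPin -Pin 'Kaffee2015' -Rules $pinRules   # accepted
```

The slide's own question, how a short PIN can be safer than a long password, is answered by the two settings written first: the PIN never leaves the device and only unlocks a TPM-bound key, so its complexity only has to resist someone holding the device, not an offline attack against a stolen hash.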
Spoofing demo: being a smart kid, Chris tries a picture of his mom from a photo lying around the house so he can watch that movie he wants. Windows Hello is smarter, however, and blocks his attempt:
• Liveness and shape/size detection
• Blocks common attempts to spoof a face: photos, videos, 3D-printed models
• Won't stop very advanced face masks or models
Windows Hello now requires a PIN to unlock the device: a Microsoft Passport PIN is required to move past the lock screen before face or iris will work again.

Enterprise Data Protection (EDP) flow (diagram): the user unlocks the Windows identity container with PIN or Hello. The IDP (Active Directory, Azure Active Directory, Microsoft account, other IDPs) creates the account or proves identity and creates and trusts a unique key. (1) MDM enrollment; (2) authentication token; the MDM delivers the EDP policies: key management, enterprise-allowed apps, network/storage, app data flow management, block or allow/audit controls, selective wipe on unenrollment; (4) business apps & data (managed) are separated from personal apps & data (unmanaged), and data exchange between them is controlled.
Example prompt: "Pasting content from a Fabrikam file to a personal file is discouraged, and if you choose 'paste anyway' your action and the content will be logged for IT review."
Virtualization: Virtual Secure Mode (VSM)
• VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
• VSM runs its own secure kernel and a series of trustlets (processes) within it
• VSM protects the VSM kernel and the trustlets even if the Windows kernel is fully compromised
• Requires processor virtualization extensions (e.g. VT-x; VT-d for DMA protection)
Diagram: the hypervisor hosts Windows (kernel and apps) next to Virtual Secure Mode, which runs the code integrity trustlet, the virtual TPM and the Local Security Authority service.

Device Guard: hardware-rooted app control
• The Windows desktop can be configured to run only trusted apps, just like many mobile OSes (e.g. Windows Phone)
• Untrusted apps and executables, such as malware, are unable to run
• Device Guard is protected by VSM technology, which offers zero-day protection and tamper resistance
• Requires devices specially configured by either the OEM or IT
• Supports all apps, including Universal and desktop (Win32)

Device Guard: getting apps into the circle of trust
• Trusted apps can be created by IHVs, ISVs and organizations using a Microsoft-provided signing service
• Apps must be specially signed using the Microsoft signing service; no other modification is required
• The signing service will be made available to OEMs, IHVs, ISVs and enterprises
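What "specially configured by the OEM or IT" amounts to in practice, as an added example that is not from the deck: the block below turns on the VSM-hosted protections the slides describe (Credential Guard, i.e. LSA running as a trustlet, and hypervisor-enforced code integrity), reads back from the Win32_DeviceGuard class what the platform actually provides and what is running, and builds a Device Guard code-integrity policy by scanning a clean reference machine, deployed in audit mode first. Paths, the choice of Publisher level and the audit-first rollout are assumptions; run it elevated, and expect a reboot.

```powershell
# Added example (not from the deck). Requires elevation, UEFI with Secure Boot and a CPU with
# virtualization extensions; a reboot is needed before the status reflects the change.
# The scan path, output directory and audit-first rollout are illustrative choices.

$deviceGuard = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-VsmProtections {
    # Early Windows 10 builds ship VSM as optional features; later builds have them inbox, so errors are ignored
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor, IsolatedUserMode `
        -NoRestart -ErrorAction SilentlyContinue | Out-Null
    $settings = @(
        @{ Path = $deviceGuard; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 },
        @{ Path = $deviceGuard; Name = 'RequirePlatformSecurityFeatures';   Value = 3 },  # 1 = Secure Boot, 3 = Secure Boot + DMA protection (IOMMU/VT-d)
        @{ Path = $deviceGuard; Name = 'HypervisorEnforcedCodeIntegrity';   Value = 1 },  # kernel code must pass the CI trustlet in VSM
        @{ Path = $lsa;         Name = 'LsaCfgFlags';                        Value = 1 }   # Credential Guard: 1 = on with UEFI lock, 2 = on without lock
    )
    foreach ($s in $settings) {
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
    # With the UEFI lock, the setting can only be cleared from the physical console, not by malware with admin rights
}

function Get-VsmStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $services   = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $properties = @{ 1 = 'Hypervisor'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite';
                     5 = 'NX'; 6 = 'SMM mitigations'; 7 = 'MBEC' }
    [pscustomobject]@{
        VbsState   = @('Off', 'Configured, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        Configured = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
        Running    = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
        Required   = @($dg.RequiredSecurityProperties  | ForEach-Object { $properties[[int]$_] })
        Available  = @($dg.AvailableSecurityProperties | ForEach-Object { $properties[[int]$_] })
    }
}

function New-DeviceGuardPolicy {
    param([string]$ScanPath = "$env:SystemDrive\", [string]$WorkDir = "$env:SystemDrive\DGPolicy")
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $xml = Join-Path $WorkDir 'DeviceGuardPolicy.xml'
    $bin = Join-Path $WorkDir 'SIPolicy.p7b'

    # Scan a clean reference ("golden") machine. Publisher level puts the signers it finds into the circle
    # of trust; -Fallback Hash pins unsigned binaries by hash; -UserPEs covers user-mode apps, not only drivers.
    New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath $ScanPath -FilePath $xml
    # Option 3 = Enabled:Audit Mode. Violations are logged (Microsoft-Windows-CodeIntegrity/Operational,
    # event 3076) but nothing is blocked until the policy has been proven against real workloads.
    Set-RuleOption -FilePath $xml -Option 3
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin

    # Deployment: the binary policy goes to the code-integrity folder and takes effect after a reboot
    Copy-Item -Path $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force
    $xml   # keep the XML: remove option 3 (Set-RuleOption -Option 3 -Delete), reconvert and redeploy to enforce
}

Enable-VsmProtections
New-DeviceGuardPolicy
Get-VsmStatus    # after the reboot: Running should list Credential Guard and HVCI
```

Two checks matter before enforcing: `Get-VsmStatus` must show the properties you required (Secure Boot, DMA protection) as available, otherwise VSM stays "configured, not running" on that hardware; and the audit log must be clean for the apps the business actually uses, since Device Guard in enforced mode is exactly as unforgiving as the slide promises.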
Windows 10 Enterprise with Software Assurance
Exclusive Enterprise features:
• Granular UX control and lockdown
• Pass-the-Hash mitigations
• Telemetry control via GP/MDM
• Device Guard
• DirectAccess
• Windows To Go
• AppLocker
• BranchCache
Flexibility in how you deploy and use Windows:
• Virtualize, manage and restore with MDOP: Microsoft User Experience Virtualization (UE-V), Microsoft Application Virtualization (App-V), Microsoft BitLocker Administration & Monitoring (MBAM), Microsoft Advanced Group Policy Management (AGPM), Microsoft Diagnostics and Recovery Toolset (DaRT)
• Access to the Long Term Servicing Branch (10 years of support)
Version rights, foundational benefits and support:
• Version rights for future and past LTSBs
• Windows To Go rights
• Virtualization rights
• Choice of, and the ability to mix, Current Branch, Current Branch for Business and Long Term Servicing Branch
• 24x7 and extended hotfix support
• Training vouchers and e-learning
• TechNet benefits
• Now included with SA: access to ongoing exclusive Enterprise features

Preview (Windows Insiders): new preview builds are available to all enterprises; they serve testing and feedback and are not suitable for enterprise-wide deployment.
Regular updates:
• New features are made available promptly
• Existing features and capabilities are improved and optimized
• Based on user feedback