Windows Hello

Transcription

Windows Hello
Tech Data - Microsoft
Windows 10 - Management features and security innovations
MS FY15 2HY
Contact:
Microsoft @ Tech Data, Kistlerhofstr. 75, 81379 München
[email protected] +49 (0) 89 / 47 00 – 28 08
Bernd Sailer
Licensing and Technology Consultant
[email protected]
http://www.skilllocation.com
Windows 10 for Enterprises – Management
Windows offers the management capabilities that enterprises need.
Enterprise requirements change constantly. Windows 10 offers management capabilities that keep up with these requirements.
Recent past | Today's situation
Fixed working hours and workplaces | Work and private life blend together
PCs on the LAN, domain-joined | Laptops, tablets, smartphones, everywhere and on every network
Corporate-owned devices | Corporate-owned and personal devices, data and apps
Homogeneous IT infrastructure | Heterogeneous IT infrastructure (Windows, Android, iOS, Chrome)
Extended OS/servicing lifecycle | Shorter update cycles, shorter device lifecycle
On-premises applications and file shares | SaaS applications and file-sharing services
Access rights apply only inside the company | Access control covers the company, apps and users
Strict management and policies | Cloud-based management with less control
Malware threat: vandalism and crime | Malware threat: espionage and cyber weapons
Network perimeter as the outermost line of defense | Internal and external attacks on the network
Dedicated devices for specific tasks | Dynamic choice of devices
Available options/variants
Identity: Active Directory; Azure Active Directory
Management: Group Policy, System Center Configuration Manager, third-party PC management; Intune, third-party MDM
Updates: Windows Update; Windows Server Update Services (WSUS); Intune, third-party MDM
Infrastructure: on-premises or in the cloud
Ownership: corporate-owned, CYOD; BYOD
These options can be combined freely so that enterprises can find the optimal solution.
Basic | Advanced | Full control
Identity and management: Exchange ActiveSync | Active Directory and/or Azure Active Directory with Mobile Device Management (MDM) | Active Directory with Group Policy and System Center
Updates: Windows Update | Windows Update/MDM | WSUS
Devices: BYOD (personally owned devices) | corporate-owned and BYOD devices | corporate-owned devices
Access: e-mail only | corporate network and the Internet | corporate network
Products
System Center Configuration Manager; Microsoft Desktop Optimization Pack (MDOP)
Cloud services: Azure Active Directory, Azure RMS, Microsoft Intune, Windows Store, Windows Update
Windows Server: Active Directory, Group Policy, Windows Server Update Services (WSUS)
Windows client: Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), Windows Update, Group Policy client, Mobile Device Management (MDM), PowerShell, AppLocker
Product | Supports management of Windows 10 | Supports deployment of Windows 10
System Center 2012 R2 Configuration Manager
System Center 2012 Configuration Manager
System Center Configuration Manager 2007
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008
Microsoft Deployment Toolkit 2013
Significant improvements simplify the management of mobile and stationary devices.
(Slide comparison, Windows 8.1 vs. Windows 10, for smartphone and desktop: fully enterprise-managed devices, device lockdown, and BYOD with only rudimentary security settings.)
• Unenrollment with warning prompts
• Removal of the enterprise configuration (apps, certificates, profiles, policies) and of encrypted enterprise data (EDP)
• Full device wipe
• Remote lock, PIN reset, ring and locate
• Extended inventory for compliance decisions
• Managed Windows Store
• Business Store Portal (BSP) app deployment; license reclamation
• Management of enterprise apps
• Simplified management of line-of-business apps
• Management of Win32 applications (MSI)
• App inventory (line-of-business and Windows Store apps)
• Allow/deny lists of apps with AppLocker
• Enterprise-wide data protection
Consistent MDM solution for mobile and stationary devices as well as IoT devices
Provisioning: bulk enrollment, simple bootstrap, similar protocols, Azure AD integration
• Additional device inventory
• Extended policy set
• Client certificate management
• Enterprise Wi-Fi
• VPN management
• E-mail provisioning
• MDM push
• Device update management
• Configuration and management of kiosk mode, Start screen and Start menu
Corporate-owned devices
• Device joins AD and is authorized
• Device joins Azure AD and is authorized
• User signs in with an AD account
• User signs in with an Azure AD account
• Group Policy + System Center
• Intune/MDM
• Settings are applied
Enterprise-wide single sign-on + cloud-based services
Personally owned devices (BYOD)
• Device connects to AD or Azure AD through device registration in order to be authorized for remote access
• User signs in with a Microsoft account that is linked to an Azure AD account
• Intune/MDM
(Slide: simple connection between on-premises Windows Server Active Directory and other directory services on one side and Microsoft Azure Active Directory, Office 365, SaaS applications and Azure/Intune in the cloud on the other, with self-service and single sign-on for the user; ONE management console: Intune.)
Group Policy: new in Windows 10, better than in Windows 7
New policies supporting new Windows 10 features:
New in Windows 8.1:
• Management of the Start screen and Start menu
• IPv6 support for printers, VPN and targeting
• Settings for "Project Spartan" (code name of the new browser generation)
• Advanced settings for PIN-based authentication
• Management of Universal apps
• Policy caching
New in Windows 8:
• Optimized client sign-in via DirectAccess
• Optimized handling of larger registry policies (registry.pol)
• Remote refresh of Group Policy (GPUpdate)
• More efficient background processing
Windows 10: more security for your enterprise customers
Store Apps
Cloud Services
Business Store Portal
Browser security
Enterprise Data Protection
IRM & S/MIME
Device encryption
Mobile Device Management
Microsoft Passport
Windows Hello
Two Factor authentication
Network security
OS Services
App Platform
Trusted Boot
Single source updates
Only signed binaries
Attestation
UEFI Secure Boot
TPM 2.0
Shared secrets (passwords) are easily breached, stolen or phished.
MICROSOFT PASSPORT
USER CREDENTIAL: your device is one of the factors
An asymmetric key pair, provisioned via PKI or created locally by Windows 10, secured by hardware.
ACCESSING CREDENTIALS
PIN: simplest implementation option, no hardware dependencies, user familiarity
Windows Hello: improved security, ease of use, impossible to forget
Sample design, UI not final
introducing Microsoft "Passport"
GOALS:
Replace passwords with a private key made available solely through a "user gesture" (PIN, Windows Hello, remote device, etc.)
Support both local Passport and Passport2Go (phone, USB dongle, etc.)
Introduce Microsoft Passport on the strength of its convenience as much as its security: the UX must be at least as good as with passwords
using Microsoft "Passport"
THE CREDENTIAL
To IT it is familiar, as it is based on a certificate or an asymmetric key pair
To the user it is familiar: a Windows Hello or PIN user gesture
Identity can be proofed at enrollment with OTP, a code or PhoneFactor …
The public key of the Passport credential is mapped to a user account
securing Microsoft "Passport"
THE USAGE
Keys are ideally generated in hardware (TPM) first, in software only as a last resort
Hardware-bound keys can be attested
A single "unlock gesture" provides access to multiple credentials, isolated per origin
Browser support via JavaScript/WebCrypto APIs to create and use Passport credentials for users
Sign-in flow (slide diagram):
IDP (Active Directory, Azure Active Directory, Microsoft Account, other IdPs): creates the account or proofs the identity, then creates and trusts a unique key
User unlock: the Windows identity container is unlocked with the PIN or Windows Hello
1. The device signs the authentication request with the private key; the IdP authenticates the user by validating this signed request against the registered public key
2. The IdP returns an authentication token
3. The token is presented (with token binding) to the resource, the relying party, which trusts tokens from the IdP
4. The relying party grants an access token
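The flow above, as an added example that is not part of the deck: a small PowerShell model of steps 1 and 2, showing why the IdP only ever holds a public key, why a captured signature cannot be replayed, and why a key the IdP never registered gets no token. The function names, the IdP hashtable and the token string are illustrative; the key is generated in software with .NET's RSACng so the script runs anywhere, whereas a real Passport key lives in the TPM and is released only by the PIN or Hello gesture.

```powershell
# Added example, not from the deck. Illustrative names throughout.

# ---- Device side -------------------------------------------------------
function New-PassportKey {
    param([string]$User, [string]$IdpName)
    $rsa = [System.Security.Cryptography.RSACng]::new(2048)   # TPM-backed in a real deployment
    [pscustomobject]@{
        User      = $User
        Idp       = $IdpName
        Private   = $rsa                           # never leaves the device
        PublicKey = $rsa.ExportParameters($false)  # the only part the IdP sees
    }
}

# Step 1: the user gesture (PIN/Hello) releases the private key, which signs the
# IdP's nonce concatenated with the IdP name, so the signature is bound to this IdP.
function Invoke-PassportSign {
    param($PassportKey, [byte[]]$Nonce)
    $data = [byte[]]($Nonce + [Text.Encoding]::UTF8.GetBytes($PassportKey.Idp))
    $PassportKey.Private.SignData($data,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pss)
}

# ---- IdP side ----------------------------------------------------------
function New-Idp { param([string]$Name) @{ Name = $Name; Keys = @{}; Nonces = @{} } }

# Done once per device, after the user has been proofed (OTP, code, PhoneFactor ...):
# maps the public key to the user account.
function Register-PassportKey { param($Idp, [string]$User, $PublicKey) $Idp.Keys[$User] = $PublicKey }

function New-IdpNonce {
    param($Idp, [string]$User)
    $nonce = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $Idp.Nonces[$User] = $nonce
    $nonce
}

# Step 2: validate the signed request; return an authentication token or nothing.
function Test-SignedRequest {
    param($Idp, [string]$User, [byte[]]$Signature)
    if (-not $Idp.Keys.ContainsKey($User) -or -not $Idp.Nonces.ContainsKey($User)) { return $null }
    $nonce = $Idp.Nonces[$User]
    $Idp.Nonces.Remove($User)                        # single use: a replayed signature fails
    $data = [byte[]]($nonce + [Text.Encoding]::UTF8.GetBytes($Idp.Name))
    $verifier = [System.Security.Cryptography.RSACng]::new()
    $verifier.ImportParameters($Idp.Keys[$User])
    $ok = $verifier.VerifyData($data, $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pss)
    if ($ok) { "authn-token:$User:$([DateTimeOffset]::UtcNow.ToUnixTimeSeconds())" }
}

# ---- Walk-through --------------------------------------------------------
$idp = New-Idp -Name 'idp.contoso.example'            # hypothetical IdP
$key = New-PassportKey -User 'bernd' -IdpName $idp.Name
Register-PassportKey -Idp $idp -User 'bernd' -PublicKey $key.PublicKey

$nonce = New-IdpNonce -Idp $idp -User 'bernd'
$sig   = Invoke-PassportSign -PassportKey $key -Nonce $nonce
"First sign-in: " + (Test-SignedRequest -Idp $idp -User 'bernd' -Signature $sig)

# Replay of the captured signature: the nonce is already consumed, so no token.
"Replayed:      " + (Test-SignedRequest -Idp $idp -User 'bernd' -Signature $sig)

# A key the IdP never registered (an attacker's own device): no token.
$rogue = New-PassportKey -User 'bernd' -IdpName $idp.Name
$nonce = New-IdpNonce -Idp $idp -User 'bernd'
"Unregistered:  " + (Test-SignedRequest -Idp $idp -User 'bernd' -Signature (Invoke-PassportSign $rogue $nonce))
```

The part a phishing page cannot get at is the private key: the only thing that crosses the wire is a signature over an IdP-chosen nonce, and the IdP name inside the signed data stops a signature obtained for one IdP from being relayed to another.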
(Slide: the device activates with a Microsoft account, then adds an Azure AD account.)
Who owns this PC?
This choice is important, and it isn’t easy to switch later. If this machine belongs to your organization, signing in with
that ID will give you access to their resources.
This device belongs to my organization
This device belongs to me
Help me choose
Next
Back
Next
Choose how you’ll connect
You can connect Windows to your organization in one of two ways:
Join to Azure AD
Set up a local account (domain join later)
Choose this option if your organization uses Office 365 or other business services from Microsoft.
Your organization might collect info about you, install or remove apps, change settings or disable
features, delete content, or reset your device. Talk to your support staff to learn more.
Back
Continue
Let’s get you signed in
Work or school account
[email protected]
I forgot my password
Which account should I use?
Sign in with the username and password you use with Office 365 (or
other business services from Microsoft).
Skip this step
Privacy statement
Back
Sign in
Let’s get you signed in
Work or school account
[email protected]
••••••••
I forgot my password
Which account should I use?
Sign in with the username and password you use with Office 365 (or
other business services from Microsoft).
Skip this step
Privacy statement
Back
Sign in
Let’s get you signed in
Work or school account
••••••••
I forgot my password
Need help?
Contact the Starbucks Help Desk at (206) 555-1234. This service is
operated by Microsoft on behalf of Starbucks and is for the exclusive
use of their employees and partners.
Skip this step
Privacy statement
Back
Sign in
Taking you to the sign-in page for
your organization
Create a work PIN
You’ll use your work PIN to unlock this device and access your
organization’s apps and services.
A PIN is faster to use and more secure than a password. How can a short PIN be safer than a long password?
Create PIN
Select a verification option
Send a text message to my phone number ending in 77
Call me at my phone number ending in 77
Send a notification to my authenticator app
Use my authenticator app to get a security code
Back
Next
Create a work PIN
You'll use your work PIN to unlock this device and access your organization's apps and services.
Use a 4-digit PIN
PIN complexity requirements
Your organization has set the following PIN complexity requirements:
Minimum length is 8
Maximum length is 127
An uppercase letter is required
…
Applying changes. This might take a minute…
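The PIN requirements the wizard displays come from the Passport for Work policy. Below is an added PowerShell example, not from the deck, that applies exactly the three requirements shown (minimum 8, maximum 127, uppercase required) as local registry policy and checks a candidate PIN against the same rules so a help desk can explain a rejection. The registry paths and value names are the PassportForWork policy keys; `RequireSecurityDevice` is what makes the key TPM-backed ("secured by hardware"). `Test-WorkPin` and `Set-WorkPinPolicy` are local helpers, not Windows APIs; applying the policy needs an elevated shell. The short PIN is safe because it never leaves the device: it only unlocks the locally held key, and guesses are throttled by the TPM rather than checked against a server.

```powershell
# Added example, not from the deck. Run elevated to apply the policy.
$Policy    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$PinPolicy = Join-Path $Policy 'PINComplexity'

# Encoding for the character-class rules: 0 = allowed, 1 = required, 2 = not allowed
$PinRules = @{
    MinimumPINLength  = 8
    MaximumPINLength  = 127
    UppercaseLetters  = 1     # required, as on the slide
    LowercaseLetters  = 0
    Digits            = 0
    SpecialCharacters = 0
}

function Set-WorkPinPolicy {
    foreach ($path in $Policy, $PinPolicy) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    # Enable Passport for Work and require a TPM for the key
    Set-ItemProperty -Path $Policy -Name Enabled               -Value 1 -Type DWord
    Set-ItemProperty -Path $Policy -Name RequireSecurityDevice -Value 1 -Type DWord
    foreach ($name in $PinRules.Keys) {
        Set-ItemProperty -Path $PinPolicy -Name $name -Value $PinRules[$name] -Type DWord
    }
}

# Local mirror of the rules: returns whether a PIN would pass and which rules it breaks.
function Test-WorkPin {
    param([string]$Pin, [hashtable]$Rules = $PinRules)
    $problems = @()
    if ($Pin.Length -lt $Rules.MinimumPINLength) { $problems += "shorter than $($Rules.MinimumPINLength)" }
    if ($Pin.Length -gt $Rules.MaximumPINLength) { $problems += "longer than $($Rules.MaximumPINLength)" }
    $classes = @{
        UppercaseLetters  = '[A-Z]'
        LowercaseLetters  = '[a-z]'
        Digits            = '[0-9]'
        SpecialCharacters = '[^A-Za-z0-9]'
    }
    foreach ($class in $classes.Keys) {
        $present = $Pin -cmatch $classes[$class]     # -cmatch: case-sensitive
        switch ($Rules[$class]) {
            1 { if (-not $present) { $problems += "$class required" } }
            2 { if ($present)      { $problems += "$class not allowed" } }
        }
    }
    [pscustomobject]@{
        Pin      = '*' * $Pin.Length                 # never echo the PIN itself
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

Test-WorkPin '1234'          # too short and no uppercase letter
Test-WorkPin 'winter2015'    # long enough, but no uppercase letter
Test-WorkPin 'Winter2015'    # passes
# Set-WorkPinPolicy          # uncomment on a test machine to apply the policy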
(Slide: deployment requirements matrix. Scenarios: Windows 10 Azure AD joined, domain joined, or BYOD + Add Work Account, each with key-based and cert-based Passport, reaching on-premises apps, file servers and printers and cloud services. Requirement items listed per cell: AAD subscription; AAD Sync with public key (NGC key) write-back; 3rd-party MDM/Intune; PKI infrastructure; SCCM 2012 R2 SP2/2015; AD DS 10 DCs / AD DS 10 schema; AD FS 10.)
Hello Bernd
WINDOWS HELLO
Fingerprint, iris, facial recognition
Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and biometrics.
Enrollment: find a face, discover landmarks, detect head orientation, build and secure a vector-based template
Usage: find a face, discover landmarks, detect head orientation, build a vector-based representation, check whether it matches a template
Recovery: find a face, no match with the template, "Type a PIN to verify your identity"
Looking for you.
Being a smart kid, Chris tries a picture of his mom from a photo lying around the house so he can watch that movie he wants.
Windows Hello is smarter, however, and blocks his attempt:
• Liveness and shape/size detection
• Blocks common attempts to spoof a face: photos, videos, 3D-printed models
• Won't stop very advanced face masks or models
Windows Hello now requires a PIN to unlock the device:
• Requires the Microsoft Passport PIN to move past the unlock screen before face or iris recognition will work again
(Slide: Enterprise Data Protection flow. User unlock: Windows identity container with PIN or Hello. EDP policies: key management, enterprise-allowed apps, network/storage, app data flow management, block or allow/audit controls, selective wipe on unenrollment. IDP (Active Directory, Azure Active Directory, Microsoft Account, other IdPs) creates the account or proofs the identity and creates and trusts a unique key; 1. MDM enrollment, 2. authentication token; the MDM then manages business apps & data (managed) separately from personal apps & data (unmanaged), and data exchange between the two is controlled.)
Pasting content from a Fabrikam file to a
personal file is discouraged, and if you
choose “paste anyway” your action and the
content will be logged for IT review.
Virtualization
VIRTUAL SECURE MODE (VSM)
VSM isolates sensitive Windows processes in a hardware-based Hyper-V container.
VSM runs its own secure kernel and a series of trustlets (processes) within it.
VSM protects the VSM kernel and trustlets even if the Windows kernel is fully compromised.
Requires processor virtualization extensions (e.g. VT-x, VT-d).
(Slide diagram: the hypervisor sits beneath both Windows (kernel and apps) and Virtual Secure Mode, which hosts Code Integrity, the virtual TPM and the Local Security Authority service.)
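An added example, not from the deck, of how a practitioner checks whether a machine meets the hardware prerequisite named above and whether VSM is actually running: Windows exposes this through the `Win32_DeviceGuard` WMI class (assumption: Windows 10 Enterprise, build 1511 or later, where the class and the Device Guard feature are present). The numeric codes are decoded according to Microsoft's Device Guard documentation; `Get-VsmStatus` and `Test-VsmPrerequisites` are local helper names.

```powershell
# Added example, not from the deck. Read-only; no elevation needed.
function Get-VsmStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $props = @{ 1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                4 = 'Secure memory overwrite';     5 = 'UEFI code read-only'; 6 = 'SMM mitigations' }
    $services = @{ 1 = 'Credential Guard (LSA isolation)'; 2 = 'Hypervisor-enforced code integrity (HVCI)' }
    $vbs = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }

    [pscustomobject]@{
        VbsStatus             = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        HardwareAvailableIds  = @($dg.AvailableSecurityProperties)
        HardwareAvailable     = @($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] })
        HardwareRequired      = @($dg.RequiredSecurityProperties  | ForEach-Object { $props[[int]$_] })
        ServicesConfigured    = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
        ServicesRunning       = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
        # 0 = off, 1 = audit, 2 = enforced
        KernelCiEnforcement   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCiEnforcement = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

# VT-x/VT-d (property 1 and 3) plus Secure Boot (2) are what VSM and Device Guard
# need; anything missing here has to be fixed in firmware before the policy matters.
function Test-VsmPrerequisites {
    param($Status = (Get-VsmStatus))
    $needed  = 1, 2, 3
    $missing = $needed | Where-Object { $_ -notin $Status.HardwareAvailableIds }
    [pscustomobject]@{
        Ready   = ($missing.Count -eq 0 -and $Status.VbsStatus -eq 'running')
        Missing = @($missing | ForEach-Object { @{1='virtualization';2='Secure Boot';3='DMA protection'}[[int]$_] })
    }
}

$status = Get-VsmStatus
$status | Format-List
Test-VsmPrerequisites -Status $status
```

A machine where `VbsStatus` is "enabled, not running" typically has the feature switched on in policy but lacks one of the hardware properties or has virtualization disabled in firmware; `Missing` names which one.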
Windows desktop can be configured to run only trusted apps, just like many mobile OSes (e.g. Windows Phone).
DEVICE GUARD: hardware-rooted app control
Untrusted apps and executables, such as malware, are unable to run.
Device Guard is protected using VSM technology, which offers zero-day protection and tamper resistance.
Requires devices specially configured by either the OEM or IT.
Supports all apps, including Universal and Desktop (Win32).
DEVICE GUARD: getting apps into the circle of trust
Trusted apps can be created by IHVs, ISVs and organizations using a Microsoft-provided signing service.
Apps must be specially signed using the Microsoft signing service. No additional modification is required.
The signing service will be made available to OEMs, IHVs, ISVs and enterprises.
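An added example, not from the deck, of the IT-side configuration the slide refers to: building a Device Guard code integrity policy from a reference machine with the `ConfigCI` module, deploying it in audit mode first, and mining the audit log before switching to enforcement. The paths under `C:\CIPolicy` are illustrative; run elevated on Windows 10 Enterprise. Signing the policy so it cannot be removed by a local admin is a separate step and is not shown.

```powershell
# Added example, not from the deck. Illustrative paths; run elevated.
Import-Module ConfigCI

$Xml    = 'C:\CIPolicy\InitialScan.xml'
$Binary = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $Xml) -Force | Out-Null

# 1. Scan the reference ("golden") image. Publisher-level rules trust everything
#    signed under the same certificate chain; unsigned binaries fall back to
#    per-file hashes. -UserPEs includes user-mode binaries (otherwise only drivers).
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $Xml

# 2. Audit mode (rule option 3): violations are logged instead of blocked.
Set-RuleOption -FilePath $Xml -Option 3

# 3. Compile to the binary form the kernel reads and stage it; a reboot activates it.
ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Binary
Copy-Item $Binary -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# During the audit period, event 3076 in the CodeIntegrity operational log marks
# every binary that would have been blocked under enforcement.
function Get-AuditedBlocks {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } | Sort-Object -Unique
}
Get-AuditedBlocks

# After a representative audit period: fold the audited files into the policy,
# then delete option 3 to enforce.
# New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath 'C:\CIPolicy\AuditPolicy.xml'
# Merge-CIPolicy -PolicyPaths $Xml, 'C:\CIPolicy\AuditPolicy.xml' -OutputFilePath 'C:\CIPolicy\Merged.xml'
# Set-RuleOption -FilePath 'C:\CIPolicy\Merged.xml' -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath 'C:\CIPolicy\Merged.xml' -BinaryFilePath $Binary
```

Audit mode is the step that keeps Device Guard from turning into a denial-of-service against your own line-of-business apps: enforce only after the 3076 log has been quiet on representative machines.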
Windows 10 Enterprise with Software Assurance
Exclusive
Enterprise
features
Granular UX control and
lockdown
Pass the Hash Mitigations
Telemetry control via
GP/MDM
Device Guard
DirectAccess
Windows to Go
AppLocker
BranchCache
Flexibility in how you
deploy and use
Windows
Virtualize,
Manage, Restore
with MDOP
Microsoft User Experience
Virtualization (UE-V)
Microsoft Application
Virtualization (App-V)
Microsoft BitLocker
Administration
& Monitoring (MBAM)
Microsoft Advanced Group
Policy Management (AGPM)
Microsoft Diagnostics and
Recovery Toolset (DaRT)
Access to Long Term
Servicing Branch (10 years
of support)
Version rights,
foundational benefits
and support
Version rights for future and
past LTSBs
Windows To Go Rights
Virtualization rights
Choice of and ability to mix:
- Current Branch
- Current Branch for Business
- Long Term Servicing Branch
24x7 and extended hotfix support
Training vouchers and e-learning
TechNet benefits
Now included with SA
Access to ongoing exclusive Enterprise features
New
Preview builds are available to all enterprises
• Intended for testing and feedback; not suitable for enterprise-wide deployment
PREVIEW: WINDOWS INSIDERS
Regular updates
• New features are made available promptly
• Improvement and optimization of existing features and capabilities
• Based on user feedback