1. Securing Your Data with Microsoft Technologies
Mike Smith-Lonergan
Sr. Technical Program Manager
Microsoft Corporation
MIKESL@microsoft.com
TechEd 2006 - Securing your Data with Microsoft Technologies
EFS, RMS, Full Volume Encryption, SQL 2005 - lots of encryption for overlapping sets of data. Which do you use, when and why? This talk will help you understand the common security basis for all these technologies, and then discuss the different threats for which each is and isn't suitable. Next we'll examine the best configuration settings to get the maximum security benefit for your organization, and finally look at current security attack scenarios and which security technologies will actually help protect your data against such attacks.
2. What you can expect Today
Our current thinking on Scenarios & Solutions
What technologies to use where and why
60 minutes for discussion & quick demo
15 minutes for questions at the end
3. Why Am I Talking To You About This?
When should I use X?
EFS, RMS, S/MIME, BDE, XPS, CAPI, CAPICOM, CAPI-NG, WS-Sec, Smart Cards
What is the right encryption to use?
Give me a strategic direction
Plus all the supporting technologies:
CSPs, password hashing (LM, NTLM), cached password verifiers, SYSKEY, DPAPI, managed DPAPI classes
4. Where is your Data Stored?
Q: Where is your biggest security exposure?
Trick question!
Statistics on where the most data is stored in the least-well-protected systems:
Clients (notebooks, desktops)
Servers (branch office, data center)
Removable storage (flash, USB, DVD-RW)
Mobile devices (phone, PDA, UMPC)
Managing risk = focus attention on the greatest exposures first; don't try to solve the problem all at once
Server roles: F&P, email, docman/collab, RDBMS, SAN, HSM
5. Clients
Documents
Where do your users keep their documents?
User Profile
Outlook, Sharepoint, Desktop, Temp
Per-machine data
Search index, file cache
Documents - it may sound simple, but in reality many orgs have different standard locations for users' docs:
- root folder, redirect to server, separate partition
- plus all the app-specific data locations (e.g. desktop search, MSDE/Access)
6. Servers
File Shares
Collaboration store (e.g. Sharepoint)
RDBMS (e.g. SQL)
Mail (e.g. Exchange)
SAN
HSM
Enterprise backup
Where ISN'T data stored?
7. Big Picture
8. What Technologies Can Be Used?
ACLs
Rights Management (eek!)
Role-based Access
System encryption
Application encryption
9. ACLs
Classic approach
Configuring:
Windows Explorer, cacls.exe
Group Policy/Secedit
NEW! .NET Framework 2.0 (SDDL)
Good: protect against online/remote attackers
Bad: protecting against local Admins
Ugly: protecting against offline attacks
10. ACLs example: File server
Uses AD, Group Policy, Windows client
Goal: users cannot see each other's files
Server shares folder \\Server\Home
Share permissions = Users: Change
Folder root permissions allow:
Users: Traverse folder, List folder, Create folders, Read (This folder only)
Creator/owner: Change (Subfolders and files only)
Result:
User creates new folder
Can do anything they want with that folder
No other user can see inside that folder
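The home-folder layout from this slide, scripted as an added example (it is not from the deck or from Microsoft's documentation). It assumes the share is backed by a local path D:\Home on the file server, uses icacls.exe (the successor to the cacls.exe named on slide 9) for the NTFS permissions and net share for the share permissions. The icacls rights map to the slide's wording as follows: X = Traverse folder, RD = List folder, AD = Create folders, RD/REA/RA/RC = Read, M = Change.

```powershell
# Added example, not from the deck. Assumption: the share root is D:\Home on the file server.
$Root = 'D:\Home'
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Remove inherited ACEs so only the explicit rules below apply to the share root.
icacls $Root /inheritance:r

# Administrators and SYSTEM keep full control so the folder stays manageable and backups work.
icacls $Root /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# Users: Traverse folder (X), List folder (RD), Create folders (AD), Read (RD,REA,RA,RC),
# "This folder only": no (OI)/(CI) flags, so the ACE does not flow into anyone's home folder.
icacls $Root /grant 'Users:(X,RD,AD,REA,RA,RC)'

# CREATOR OWNER: Change (M) on "Subfolders and files only". (IO) makes the ACE inherit-only; when a
# user creates a folder the ACE is copied to it with CREATOR OWNER replaced by that user's SID,
# which is what gives each user full use of their own folder and nobody else's.
icacls $Root /grant 'CREATOR OWNER:(OI)(CI)(IO)M'

# Share permissions: Users: Change, as on the slide. The NTFS permissions above do the real work.
net share "Home=$Root" /GRANT:Users,CHANGE

# Verify: the resulting ACL should show exactly the entries granted above.
(Get-Acl $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

A quick functional check after running it: log on as two ordinary users, have each create a folder under \\Server\Home, and confirm that each can list only the root and their own folder while the other user's folder returns access denied.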
11. Rights Management
The ACL goes wherever the document goes
Combines encryption with policy enforcement
Good: protecting against offline, online attacks
Bad: protecting against Super Users
Ugly: protecting against Active Directory admins
12. Roles-based access (RBAC)
Idealized approach
Must combine with other tech
ACLs
Encryption
Rights Management
App-specific authorization (e.g. SQL, Exchange)
Issues:
Every Windows app has a different approach
Still no better against offline attacks
13. RBAC scenario: rights management
Leverage Active Directory, RMS, Office
Assign users to groups (roles) in AD
RMS Templates assign rights to groups
Use RMS-enabled app (e.g. Office) to assign rights via templates
RMS server and client grant limited access to documents
15. System encryption
Encrypt each file = Encrypting File System (EFS)
Encrypt each sector = BitLocker Drive Encryption (BDE)
Good: protect against offline attack
Bad: doesn't protect against user error
Ugly: doesn't protect between systems
16. BDE, EFS & RMS (BitLocker Data Encryption, Encrypting File System, Rights Management Services)
17. Application Encryption
Leverage each app's data protection approach
Every app has its own approach, e.g. Outlook S/MIME, SQL Server, Office, Winzip
Good: there's encryption
Bad: hard to manage
Ugly: brutal to manage across the enterprise
18. App example: SQL 2005
SQL 2005 uses DPAPI
Comparable to EFS
Multiple layers of keys
Partition access
Encrypt instances, databases, tables with separate keys
Leverage HSM @ server level
Advantages: keys managed with data, max perf, uses system libraries
Disadvantages: Server & DB Ops can get keys
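The layered key hierarchy this slide describes, built out as an added example (not from the deck): a database master key protects a certificate, the certificate protects a per-table symmetric key, and a database role is granted just enough on the key and certificate to use them. The script assumes a SQL Server instance named SQLSERVER01, a database named Payroll, the SqlServer PowerShell module (Invoke-Sqlcmd) on the admin workstation, and a caller with db_owner; the master-key password is an obvious placeholder.

```powershell
# Added example, not from the deck. Assumptions: instance SQLSERVER01, database Payroll,
# Invoke-Sqlcmd available, and a caller who is db_owner of Payroll.
$Server      = 'SQLSERVER01'
$Database    = 'Payroll'
$DmkPassword = '<STRONG-PASSWORD-PLACEHOLDER>'   # placeholder; keep the real value in a vault

$batches = @(
    # Layer 1: database master key (DMK). SQL Server also protects it with the instance's
    # service master key, which is itself protected by DPAPI under the service account.
    "CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$DmkPassword';",

    # Layer 2: a certificate protected by the DMK.
    "CREATE CERTIFICATE PayrollCert WITH SUBJECT = 'Payroll column encryption';",

    # Layer 3: a symmetric key per table (or per purpose), protected by the certificate.
    # Separate keys per table is what lets access be partitioned at the key level.
    "CREATE SYMMETRIC KEY PayrollKey WITH ALGORITHM = AES_256
        ENCRYPTION BY CERTIFICATE PayrollCert;",

    # Partition access: members of this role may open the key; nobody else can decrypt.
    # sysadmin and db_owner can still grant themselves the same rights, which is the slide's
    # 'Server & DB Ops can get keys' caveat.
    "CREATE ROLE PayrollReaders;
     GRANT VIEW DEFINITION ON SYMMETRIC KEY::PayrollKey TO PayrollReaders;
     GRANT CONTROL ON CERTIFICATE::PayrollCert TO PayrollReaders;",

    "CREATE TABLE dbo.Salary (EmployeeId int PRIMARY KEY, SalaryEnc varbinary(256) NOT NULL);",

    # Write path: open the key, encrypt, close. Key_GUID binds the ciphertext to the key used.
    "OPEN SYMMETRIC KEY PayrollKey DECRYPTION BY CERTIFICATE PayrollCert;
     INSERT dbo.Salary (EmployeeId, SalaryEnc)
     VALUES (1, EncryptByKey(Key_GUID('PayrollKey'), CONVERT(varchar(20), 125000)));
     CLOSE SYMMETRIC KEY PayrollKey;",

    # Read path: DecryptByKey returns NULL unless the key is open in the session, so a login
    # without the grants above sees only ciphertext in SalaryEnc.
    "OPEN SYMMETRIC KEY PayrollKey DECRYPTION BY CERTIFICATE PayrollCert;
     SELECT EmployeeId, CONVERT(varchar(20), DecryptByKey(SalaryEnc)) AS Salary FROM dbo.Salary;
     CLOSE SYMMETRIC KEY PayrollKey;"
)

foreach ($sql in $batches) {
    Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $sql
}
```

The "keys managed with data" advantage on the slide is visible here: the whole chain lives inside the database, so a backup carries it along, and restoring on another instance only needs the DMK password (or the service master key) to reopen it. The matching disadvantage is the same fact seen from the other side: whoever administers the server or database is inside the trust boundary, which is why slide 27 pairs application encryption with audit and role separation.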
19. Scenarios
Loss or Theft of PC
aka notebook in taxi
Reduced data leaks
aka whoopsie
Server-side encryption
aka untrustworthy Admins
End-to-end encryption
aka regulatory compliance
These are the most common
20. (1) Loss or Theft of PC
Threat: Attackers with infinite time, many tools, well-documented attack techniques
Goal: mitigate the risk of Data exposure
Reduce the risk, NOT eliminate
Good
Application Encryption
Better
Minimize the stored data
System Encryption
Don't bother with ACLs, RBAC, DRM
21. (1) Loss or Theft of PC
EFS
Mitigates offline attacks except against user account
Prevents online attacks (on encrypted files)
Threats focus on the user's password
BitLocker with TPM or USB (Vista)
Prevents offline attacks (replace passwords, copy hashes, change system files)
Threats focus on user logons
Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
Attacker with notebook + Smart Card needs PIN (not password)
After x bad tries, Smart Card locked FOREVER
22. (1) Loss or Theft of PC
Reality check: Windows XP today
Attack focus: user passwords, cleartext data
Tactics:
Better passwords/phrases
Encrypt significant sets of data
EFS for Documents, email, desktop, TIF, server caches
Smartcard logon per-PC
Residual risk: pagefile fragments, hiberfile, cached logon verifiers
Hey Mike, are you dreaming? We aren't running Vista in our organizations.
Better passwords = longer passphrases, then ditch the complexity
Per-PC smartcard logon: XPSP2 Group Policy aka "Interactive logon: require smart card"
If you believe every person that finds a lost laptop from your org is an uber-hacker just waiting to find some secret company documents, well then maybe you work for Microsoft.
Hiberfile encrypted in XPSP2
23. (2) Reduced data leaks
Threat: Authorized users with legit access giving data to others
Goal: mitigate the risk of spread of data
Reduce, NOT eliminate
Good
ACLs, Role-based Access
Better
DRM, Application encryption
Don't bother with System encryption
24. (2) Reduced data leaks
ACL shared files on servers with RBAC groups
Prevents users from granting each other permissions
Leverage a rights management technology
Reduces the amount of unprotected files
Ideal: RM automatically assigned (RMS partners)
Enforces RM protection according to pre-defined business rules
Bonus: encryption on physical media
Bonus: removable media policy (Vista)
Bonus: encryption on physical media reduces the risk of accidentally left-behind CDs, USB drives, etc. allowing malicious people to find sensitive data on devices that become separated from the computer.
25. (2) Reduced data leaks
Reality check: user-initiated RMS is unreliable
Risk focus: leaks to outsiders
Tactics:
do not forward emails from execs, legal, R&D
RMS automation on servers (future)
Converting AD roles to security-enabled Distribution Groups
Experiment with WinFX, Print-to-XPS
26. (3) Server-Side Encryption
Threat: some Admins have or grant themselves access with no oversight or detection
Goal: mitigate the risk of widespread leaks
Reduce, NOT eliminate
Good
Role-based Access
Better
System encryption, Application encryption, ERM
Don't Bother with ACLs
27. (3) Server-Side Encryption
Roles-based access on all servers (and clients)
Prevents Admins from unaudited access to data
EFS, BitLocker, RMS with central keys managed elsewhere
Reduces opportunity for quick access to protected data
Threats switch to impersonating users
Bonus: audit for Object Access (Take Ownership, Change Permissions), Policy Change, System Events
Bonus: role-separated audit collection
28. (4) End-to-end encryption
Challenges
Approaches
Futures
29. (4) End to End: Challenges
Lack of product integration
Key management
Keep keys close to data (performance, portability)?
Keep keys far from data (security, administration)?
Cross-platform issues
Managing transitions between systems, applications and organizations
30. (4) End to End: Approaches
Standard algorithms
Third-party products
Best-fit solutions
Mitigate greatest exposures first
Best-fit solutions are also known as point solutions or "as good as you can get for now".
31. (4) End to End: Futures
Information protection platform
Possibly integrate EFS, RMS, NGSCB
WS-Sec (and other standards)
.NET Framework 3.0 (WinFX)
IPv6
32. Beyond Microsoft technologies
Pervasive hardware-integrated crypto
ISV encryption
ISV rights management
Smart cards
other multi-factor access control
33. Calls to Action
Fill out the Survey Please!
Give me specific feedback:
Guidance you need for Protecting Data with Microsoft technologies
What bugs you about the current product stack
Send me email: MIKESL@microsoft.com
When you get home
IT: Plan your AD schema upgrade!
Dev: Download WinFX
34. Want More of Us?
Breakout Session: Regulatory Compliance
SEC211 with Bill Canning
WED 8:30am
CIS or Security Booth in TLC Red
TechEd Connect
AND
Focus Group: Data Protection (drop me a business card)
35. Resources
38. Sample IRM UI if needed or if demos not possible
39. Sample IRM UI if needed or if demos not possible
40. Safeguarding Confidential Data
41. RMS at Microsoft
Example of RMS Templates
Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel