全方位防護 Windows 用戶端平台密籍大公開 Windows Vista 搭配 Forefront 建構最佳前端平台 簡志偉 技術副理 謝育倫 技術專員 大型企業業務暨經銷事業群 台灣微軟
Agenda 從 MS08-067 安全性公告談起 Windows Vista 如何對抗惡意程式的威脅 Vista 結合 FCS 建構最佳安全平台 DEMO 總結
從最近的 MS08-067 安全性公告談起… MS08-067:伺服器服務的弱點可能會允許遠端程式碼執行 事件描述: 如果使用者在受影響的系統上收到蓄意製作的 RPC 要求,則該弱點可能會允許遠端執行程式碼 在 Windows 2000、Windows XP、Windows Server 2003 系統上,攻擊者可以利用此弱點,不經驗證就執行任意程式碼。 此弱點也可能用來製作蠕蟲攻擊 Windows 2000/XP/Srv 2003 嚴重性等級: 重大 Windows Vista/Server 2008 重要性等於: 重要
為什麼 Vista 受到 MS08-607 的影響有限? 兩個情況會讓電腦暴露在威脅之下: 防火牆關閉 防火牆開啟,但是啟動檔案與列印分享 Windows Vista 在防火牆開啟並啟動檔案與列印分享的情形下: 如果網路類型設為”私人”,則系統或自動封鎖來自外部的RPC連線 如果網路類型設為”公開”,則系統在嘗試啟動檔案與列印分享之前會詢問使用者是否允許開啟
為什麼 Vista 受到 MS08-607 的影響有限? Windows Vista 的位址空間編排隨機化 (ASLR, Address Space Layout Randomization) 與資料執行防止 (DEP, Data Execution Protection) 可以讓攻擊變得更加困難 使用者帳戶控制 (UAC) + Integrity Level 強化減輕可能的危害: 在 UAC 啟動下需要經過授權 即使關閉 UAC,Integrity Level (IL) 的存取檢查依然持續運作 來自未知使用者執行序的 IL 為 ”Untrusted” 而執行物件的IL至少需 “Low”,因此存取檢查會失敗
Integrity Level 存取檢查說明 Mandatory Integrity Control (MIC) Token 中有 Mandatory Integrity Level (IL) SIDs Low (100) : 保護模式下的 IE7 Medium (200) : 一般正常的行程 High (300) : 提升權限後的行程 System (400) : 系統行程 預設所有行程與物件都是 Medium 等級 IL 會在 DACL 之前檢查 執行序的 IL 一定要大於等於物件的 IL,才可以修改該物件
Vista 如何協助防禦惡意程式 充份利用 Windows Vista 中新的安全性功能和增強的現有功能,保護用戶端電腦和公司資產免受惡意程式危害 使用者帳戶控制 (UAC) Windows Defender Windows 防火牆 Windows 資訊安全中心 惡意軟體移除工具 軟體限制原則 搭配 Forefront Client Security (FCS) 進一步提升對於病毒與惡意程式的防禦能力
FCS 大大降低 Windows 在加強安全性上面的相關成本 整合防護能力 從病毒、惡意程式到其他目前最新的威脅,FCS 都可以快速地偵測出 Ex: 第一時間阻擋 MS08-067 可能的安全性危害 簡化管理 可以透過群組員則集中管理 FCS,同時直接透過企業現有的 WSUS、SMS/SCCM 或其他 3rd party 的軟體派送機制更新病毒碼來簡化管理 報表 詳細的報表了解 Windows 受到病毒或惡意軟體危害的詳細資訊
FCS 與 Windows 的密切合作 FCS 進一步提升 Windows 安全性 強化 Windows 防火牆的防護能力 除了Windows 既有的 Windows Defender 防止惡意程式的威脅之外,FCS 同時整合防毒與防惡意程式的保護並集中管理,確保企業電腦的安全 強化 Windows 防火牆的防護能力 針對防火牆允許通過的程式,FCS 會加以掃描並偵測是否有任何惡意行為,確保程式執行的安全 與資訊安全中心整合 FCS 與 Windows 資訊管理中心直接整合,不需額外的管理介面,降低管理的複雜度
Forefront Client Security 如何協助 Windows 提升對抗惡意程式的防禦能力 謝育倫 技術專員
Forefront Client Security 特點 全面完整的防護 簡化的系統管理 重要的可見度與控制 Forefront VM Forefront Forefront
全面完整的防護 Forefront Client Security (FCS) 透過單一掃毒程式,達到防毒與防駭客程式的全面防護 1/3/2019 7:49 AM 全面完整的防護 Forefront Client Security (FCS) 透過單一掃毒程式,達到防毒與防駭客程式的全面防護 具備壓縮檔與封裝檔的完整掃描能力 使用 Windows Filter Manager 的即時監控 增強的保護技術,可掃描 user-mode 的rootkits、變形病毒,並具備探索式偵測技術可用來發現新病毒 Forefront © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
防毒 – 防間諜程式 建立在 FCS v1 版本上 1/3/2019 7:49 AM 產品名稱/ 能力 領導的競爭對手 Forefront Client Security Memory Footprint1 Server Client 58.6 Mbs 66.3 Mbs 56.5 Mbs 57.9 Mbs Avg Usage, CPU & Memory2 % Server Avg % Client Avg 30.5% 29.4% 2.0% 11.1% Boot time increase3 62% avg increase 4.5% avg increase Scanning time (quick) Network 1 (Avg)4 Network 2 (Avg)4 29.9 min 12.0 min 13.6 min 5.3 min Scanning time (full) 156.8 min 92.8 min 34.6 min 18.3 min 產品名稱/ 能力 領導的競爭對手 Forefront Client Security Memory Footprint1 Client – uninfected Client -infected 536 Mbs 593 Mbs 522 Mbs 495 Mbs Avg Usage, CPU & Memory2 % Client – uninfected % Client - infected 82.37% 88.56% 79% 81.6% Scanning time Uninfected client Infected client 147.69min 167.09min 81.82 min 95.33 min Application Startup time Starting Word with no AV – 1.725 2.425 sec 2.233 sec Starting IE with no AV – 2.275 3.6 sec 2.6 sec 60%+ less CPU usage 7% less CPU 14x faster at boot time 2x faster By combining a stable design with scanning innovations, the FCS agent efficiently uses system resources, scans quickly, and detects malware effectively. We commissioned West Coast Labs to do technical performance benchmarking on a number of dimensions. West Coast Labs used two test networks during the test program: Test Network One simulated a business environment where machines were older and had limited resources, Test Network Two simulated a business environment where machines were modern and up-to-date. As you can see in the above results, Forefront Client Security compared favorably against a number of competitors, particularly in average use of CPU and memory; boot time increase; and scan time. When you factor this against recent test results around malware detection, you can see that FCS is very competitive with leading vendors. Background information: All scanning tests were performed on both networks. A server of an identical specification, an Acer Aspire T180 PC, Athlon 64x2 with 1 Gb memory was used in each network. Test Network One was composed of five older machines and the server; the five client machines were: WCL007, 1.2 GHz, 504 Mb memory and a 20 Gb hard disk. WCL009, 900 MHz, 524 Mb memory and a 15.3 Gb hard disk. WCL018, 650 MHz, 650 Mb memory and a 20 Gb hard disk. WCL055, 1.3 GHz, 256 Mb memory and a 20 Gb hard disk. WCL064, 2.4 GHz, 256 Mb memory and a 40 Gb hard disk. Test Network Two was composed of Dell 170L(sd)s, all 2.66 GHz with 512 Mb RAM. All workstations ran unpatched Windows XP Professional SP2. The switches in use for each network were also different; Test Network One used an SMC EZ switch (10/100) while Test Network Two used a Dell PowerConnect 332L switch (10/100/1000). Boot-time increase: Measuring real-time scanning impact and on-access performance drag, pre-scheduled scanning performance drag and system responsiveness after on-demand scanning, including examples such as Word/Excel cold start speed. 2x faster in quick scans 5x faster in full scans Sources: West Coast Labs, AVTest.org, Performance benchmarking study with West Coast Labs. © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
在 Windows Vista 上的防毒效能大評比 DEMO 在 Windows Vista 上的防毒效能大評比
結合 Windows Vista /Server 2008 全面完整的防護 1/3/2019 7:49 AM 結合 Windows Vista /Server 2008 全面完整的防護 可結合 Windows Vista 的 Network Access Protection (NAP) 可安裝在 Windows 2008 Hyper-V 中 提供 Windows Server Core 與 Cluster Services 防護 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
簡化的系統管理 中央控管機制可簡化管理的複雜度 定義單一的原則即包含了防毒、防駭客程式、弱點偵測的設定,提升管理效率 1/3/2019 7:49 AM 簡化的系統管理 中央控管機制可簡化管理的複雜度 定義單一的原則即包含了防毒、防駭客程式、弱點偵測的設定,提升管理效率 整合現有的基礎結構,可省下管理的學習時間 VM Forefront © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
作業系統安全基礎 資安監測系統 1/3/2019 7:49 AM MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
透視與控制問題點 透過安全狀態評估讓管理者了解現有環境中的潛在風險 提供階層式的報表 可定義安全性警示等級來獲得必要的安全資訊 具備防止洪水攻擊的能力 Forefront
1/3/2019 7:49 AM 通知管理與報表 19
總結 與 Windows 2000/XP 相比,Windows Vista 提供了更嚴謹的安全性原則與防護能力對抗惡意程式的威脅 結合 Windows Vista,Forefront Client Security 能提供使用者電腦最佳的效能與防護能力 確實貫徹企業的 IT 政策乃是維護企業網路安全的不二法門
Q&A
1/3/2019 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.