Bring Your Own Device demo: create a Windows to Go stick

Post on 31-Mar-2015


Windows 8 After & Beyond

Raymond P. L. Comvalius

About the speaker

Raymond P. L. Comvalius
Consultant, trainer and author
MVP Windows Expert IT Pro since 2011

raymond.comvalius@nextxpert.nl

@nextxpert

About this session

After & Beyond

Windows to Go

User Environment Virtualization

User Account Control

Enhanced Protected Mode

1.033 slides

5 demos

0 minutes of Q&A

100% cloud free

Bring Your Own Device

Windows to Go

Boot Windows 8 from a USB stick

Preferably USB 3.0 for performance

Block internal disks
Drivers
Direct Access
BitLocker

Why not on YOUR computer?

Building Windows to Go

Tools
Diskpart
DISM
BcdBoot
Windows 8 Image
Notepad

Demo: Create a Windows to Go stick

User Environment Virtualization

User State Virtualization?

2009 White Paper:
Folder Redirection
Offline Folders
Roaming Profiles

User Environment Virtualization

2012: New addition to MDOP
UE-V (How do I pronounce this?)
MS alternative to roaming profiles
Integration with App-V and Remote Desktop

UE-V requirements
• OS:
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8
  • Windows 8 Server
• A shared folder per user
• A shared folder for SettingsTemplates
• Offline Files for offline use
• UE-V Agent Software on the client

UE-V Management
• UE-V Generator
• XML Settings template
• Tools
  • WMI
  • Registry
  • PowerShell

Built-in Templates
• Office 2010
• IE9 & 10
• Windows Settings
• Themes
• Ease of Access
• Windows Accessories
  • Notepad
  • Paint
  • WordPad
  • Etc.

Triggers
• Windows
  • Log on & Log off
  • Lock & Unlock
  • Remote Session start
• Applications
  • Application Start & Stop

UE-V Pros & Cons
• Pro
  • Finally a whitelist for roaming settings
  • Few requirements
  • Simple to implement
• Con
  • Few settings templates
  • Not in the OS
  • Limited to files in %userprofile%
  • Copies only static information

Demo: User Environment Virtualization

User Account Control

Windows User Types

• The Administrator
  • The account named ‘administrator’
• An Administrator
  • Your name with administrator privileges
• Protected Administrator
  • AKA: ‘Administrator in Admin Approval Mode’
• Standard User
  • Your name without administrator privileges

User-SID

Standardizing the User Token

• Create a token object
• Act as part of the operating system
• Take ownership of files and other objects
• Load and unload device drivers
• Back up files and directories
• Restore files and directories
• Impersonate a client after authentication
• Modify an object label
• Debug programs

• Administrators
• Backup Operators
• Power Users
• Network Configuration Operators

• Group Policy Creator Owners
• Schema Admins
• Enterprise Admins
• Denied RODC Password Replication Group

Local/Builtin Group SIDs

Domain Group SIDs

Mandatory Label

Rights/Privileges

Demo: Analysis of the User Access Token

User Account Control – “Best Practice”
• Disable it
  • Metro apps no longer work
  • IE loses “Protected Mode”
• Password to Elevate
  • An opportunity for malware

Integrity Levels
• Mandatory Access Control
• Levels are part of the ACLs and Tokens
• Lower level object has limited access to higher level objects
• Used to protect the OS and for Internet Explorer Protected Mode

• System: Services
• High: Administrators
• Medium (Default): Standard Users
• Low: IE Protected Mode

Standardizing the User Token

Integrity level: High (Elevated Token)

Integrity level: Medium

User-SID

Local/Builtin Group SIDs

Domain Group SIDs

Mandatory Label

Rights/Privileges

IE protected mode
• Only with User Account Control enabled
• iexplore.exe runs with Low Integrity Level
• User Interface Privilege Isolation (UIPI)

Internet Explorer 8

Internet Explorer 9

IE Broker mechanism

[Diagram labels]

iexplore.exe
• Protected-mode Broker Object
• UI frame, Favorites Bar, Command Bar

iexplore.exe (tab process 1) … iexplore.exe (tab process n), each containing:
• Browser Helper Objects
• Toolbar Extensions
• ActiveX Controls
• Tab 1 … Tab n

Low Integrity Level, Protected Mode = On

Medium Integrity Level, Protected Mode = Off

Internet/Intranet

Trusted Sites

Demo: Integrity Levels

Enhanced Protected Mode
• Prevention of cross-zone attacks
  • “Cross-Site-Request-Forgery (CSRF)”
  • “Intranet Port Scanning”
• Default in Metro Internet Explorer
• Protection of intranet resources
• 127.0.0.1 vs localhost

AppContainer
• For programmers in the Metro UI
• What apps are allowed to do must be declared in advance:
  • documentLibrary
  • musicLibrary
  • videoLibrary
  • picturesLibrary
  • microphone
  • Webcam
  • removableStorage
  • Location
  • Proximity
  • internetClient
  • internetClientServer
  • textMessaging
  • privateNetworkClient
  • privateNetworkClientServer
  • certificates

Demo: Enhanced Protected Mode

Summary

Defining the business case

Form factors
Metro Interface
Security
Apps

Know what you are getting into

[Diagram labels, in order of appearance]

Client Operating System (Windows 8); Hardware; Drivers; IE; HD-encr; Firewall; Office; Middleware; Layered apps; Business apps; Base apps; AV Mgt Agents

LAN; Wifi; 3G; Remote Access; Internet Access

SCCM; AV Mgt; Remote Desktop; App-V; Mail; Intranet; Unified Comms

AD; PKI; File Svc; Print Svc; Deploy; Infra Services

Workplace; Profile Mgt; Config

Q&A
