BitLocker on Windows Server 2012. Javier Dominguez, Premier Field Engineer / Microsoft
Tech Ready 15, 4/1/2017
Session objectives
- Understand the new features added to BitLocker in Windows 8 and Windows Server 2012
- Identify the problems our customers reported about MBAM v1.0
- Describe the MBAM v2.0 features that will reduce the total cost of the solution and improve standards compliance
BitLocker in Windows 8 and Server 2012 is easier to deploy and manage. MBAM 2.0 fixes the main problems reported in BitLocker and MBAM 1.0.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- BitLocker improvements
- Improved security: ensuring compliance
- Integration
- Cost reduction
- MBAM 1.0 vs. 2.0
BitLocker improvements
Provisioning improvements
Provisioning is one of the main problems:
- It has been a challenge regardless of the hardware manufacturer
- TPM provisioning is complex for both IT and users
- Encryption takes a long time
In Windows 8 and Server 2012 BitLocker offers:
- Auto Provisioning, which solves most of the problems related to TPM provisioning
- Instant protection with Encrypted Hard Drives
- Fast encryption via Used Disk Space Only Encryption
- Device encryption in parallel with the imaging process, not after it
Pre-provisioned disk key protectors (disk type: key protectors)
- Operating system disk: TPM; TPM+PIN; Startup Key (systems without TPM); Password (systems without TPM)
- Data disk and removable disk: Automatic unlock; Password; Smart card
BitLocker Pre-Provision
demo: Install BitLocker on Windows Server 2012.
Benefits of Encrypted Hard Drives
- Better performance
- Hardware-based security
- Ease of use
User experience improvements
- Removes the need for pre-boot authentication (connected devices)
- Fewer support issues on devices certified for Windows 8 or Windows Server 2012
- Device encryption is provisioned automatically (OOBE) on Windows RT devices
- Users are not exposed to the complexity of TPM provisioning
- Automatic unlock of system partitions when connected to the corporate network
Network Unlock
- Allows operating system volumes to be unlocked automatically during startup
- Makes patch deployment easier
- Improves the user experience
Requirements:
- TPM + PIN protector
- BitLocker Network Unlock feature
- Windows Deployment Services
- DHCP
- Network Unlock GPOs
- UEFI firmware with EFI DHCP drivers
- 2048-bit certificate
Network Unlock flow
1. Boot Manager detects Network Unlock
2. DHCP UEFI driver gets IP & broadcast
3. WDS detects vendor request and decrypts it
4. WDS sends encrypted network key
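A prerequisite audit for the Network Unlock requirements listed above, added here as an example and not taken from the deck or from Microsoft's own tooling. It assumes the Windows feature names WDS-Deployment and BitLocker-NetworkUnlock, and that the WDS server keeps the Network Unlock certificate in the FVE_NKP machine certificate store.

```powershell
# Added example (not from the slide deck). Run elevated. Each function returns a
# list of findings; an empty list means the checks it covers all passed.

function Test-NetworkUnlockServer {
    # Server side: run on the WDS server that will answer Network Unlock requests.
    $findings = @()
    Import-Module ServerManager
    # WDS Deployment Server role service and the Network Unlock feature must both be present
    foreach ($name in 'WDS-Deployment', 'BitLocker-NetworkUnlock') {   # assumed feature names
        if (-not (Get-WindowsFeature -Name $name).Installed) {
            $findings += "Feature not installed: $name"
        }
    }
    # The unlock certificate: assumed to live in the FVE_NKP store; must be 2048-bit and valid
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue)
    if ($certs.Count -eq 0) {
        $findings += 'No Network Unlock certificate found in Cert:\LocalMachine\FVE_NKP'
    }
    foreach ($c in $certs) {
        $bits = $c.PublicKey.Key.KeySize
        if ($bits -lt 2048) {
            $findings += "Certificate $($c.Thumbprint) key is $bits bits; 2048 bits required"
        }
        if ($c.NotAfter -lt (Get-Date)) {
            $findings += "Certificate $($c.Thumbprint) expired on $($c.NotAfter)"
        }
    }
    return $findings
}

function Test-NetworkUnlockClient {
    # Client side: run on a machine that should unlock its OS volume over the network.
    $findings = @()
    Import-Module BitLocker
    # Network Unlock only applies to OS volumes protected with TPM+PIN
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if ($os.KeyProtector.KeyProtectorType -notcontains 'TpmPin') {
        $findings += 'OS volume has no TPM+PIN protector; Network Unlock will not apply'
    }
    # The EFI DHCP driver needs UEFI firmware; this cmdlet throws on legacy BIOS systems
    try { $null = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $findings += 'Firmware is not UEFI; the EFI DHCP driver cannot be used' }
    return $findings
}

Test-NetworkUnlockServer
Test-NetworkUnlockClient
```

The DHCP and GPO requirements are not checked here, since they depend on the DHCP scope and policy objects in each environment.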
demo: Configure Network Unlock.
Security improvements
- Anti-hammering improvements for Windows sign-in on BitLocker-protected devices
- Protection is automatically re-armed when a device enters sleep mode
- Enforce BitLocker on devices not joined to the domain
Enterprise readiness improvements
Storage support:
- Storage Area Networks (SAN)
- Windows Server Cluster
Multifactor authentication works in unattended scenarios
Network protector:
- Enables two-factor authentication in server scenarios
- Simplifies the patching process on unattended devices
BitLocker on clustered volumes
- Volumes can be physical, or a logical unit such as a LUN on a SAN, or even a NAS
- The volume can be a CSV
- PowerShell and manage-bde are the recommended interfaces for managing BitLocker on CSV volumes
Steps to enable BitLocker on cluster disks
1. Put the disk into maintenance mode
2. Enable BitLocker using a password protector
3. Determine the CNO (Cluster Name Object)
4. Add an AD SID protector for the CNO to the CSV
5. Bring the disk back online
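The five steps above as a PowerShell sequence, added here as an example and not taken from the deck or from Microsoft's own scripts. The resource name and mount point are placeholders, and building the CNO account from the Domain and Name properties of Get-Cluster is an assumption to adapt to your environment.

```powershell
# Added example (not from the slide deck). Run elevated on the cluster node that
# currently owns the disk resource, with the FailoverClusters and BitLocker modules.
Import-Module FailoverClusters
Import-Module BitLocker

$ResourceName = 'Cluster Disk 1'   # placeholder: the physical disk / CSV resource name
$MountPoint   = 'F:'               # placeholder: for a CSV use its path, e.g. C:\ClusterStorage\Volume1

# Step 1: maintenance mode stops the cluster from failing the disk over mid-encryption
Get-ClusterResource -Name $ResourceName | Suspend-ClusterResource

# Step 2: enable BitLocker with a password protector; Used Space Only keeps it fast
$Password = Read-Host -Prompt 'Volume password' -AsSecureString
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly

# Step 3: the Cluster Name Object is the cluster's computer account, DOMAIN\NAME$
# (assumption: Get-Cluster exposes Domain and Name for the cluster being managed)
$Cluster = Get-Cluster
$Cno = '{0}\{1}$' -f $Cluster.Domain, $Cluster.Name

# Step 4: an AD SID protector for the CNO lets every node unlock the volume without the password
Add-BitLockerKeyProtector -MountPoint $MountPoint -ADAccountOrGroupProtector -ADAccountOrGroup $Cno

# Check: both Password and AdAccountOrGroup protectors should now be listed
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId

# Step 5: bring the disk back online; the cluster can now fail it over to any node
Get-ClusterResource -Name $ResourceName | Resume-ClusterResource
```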
Feedback on BitLocker
What do we hear from customers?
- When a device is lost, we need a report that shows whether it was encrypted
- Determining compliance is hard; we need visibility into organization-wide compliance
- The list of BitLocker policies is long; we need a simpler way to make the right decision
- When users lose their PIN, their productivity is lost; we need a self-service recovery service
- The encryption process can be complicated; we need a more efficient way to ensure compliance
MBAM 2.0
What is Microsoft BitLocker Administration and Monitoring?
MBAM 1.0 focused on:
- Simplifying provisioning and deployment
- Providing reports (e.g. compliance and audit)
- Simplifying recovery
MBAM 2.0 introduces improvements:
- Security improvements
- Integration with other technologies (SCCM)
- Cost reduction (reduced risk)
Deployment options (architecture)
Two options are available: Standalone Mode and Integrated Mode. Integrated Mode supports SCCM 2007/2012.
[Diagram: Standalone Mode (MBAM) vs. Integrated Mode (SCCM), showing the Compliance Status Database, Compliance Reports, Audit Database, Audit Reports, Recovery Database, Admin and Monitoring Server and Policy Template components]
Standalone architecture
[Diagram: Active Directory Domain Services & Group Policy infrastructure (GPO); Portals: HelpDesk Portal, Self-service Portal, Reporting Web Site; Web Services: Admin Web Service, Self-Srv Web Service, Recovery Web Service, Reporting Web Service; SQL Database: Recovery, Audit & Compliance, Compliance Reports (SSRS); Client Computer running the MBAM Client and BitLocker]
Summary of the new features (compared across MBAM 1.0 and MBAM 2.0)
- Compliance and security: Single User Recovery Keys; Compliance Reporting; Audit Reporting; Forced Encryption; Complex PIN; FIPS Support
- Integration: Windows 7 Support (Ultimate; Enterprise); Windows 8 Support (Professional; Enterprise); System Center Integration (2007; 2012)
- Cost reduction: Helpdesk Recovery Console; Self-help Recovery Console; Simplified Provisioning; Fast Provisioning (Windows 8)
http://bit.ly/DescargaWS2012
http://bit.ly/ws2012ebook
http://bit.ly/AzureItPro
http://bit.ly/ITCamps2012
Windows Server 2012 webcast series: http://bit.ly/Webcasts2012
Follow TechNet Spain: http://www.facebook.com/TechNet.Spain http://www.twitter.com/TechNet_es http://linkd.in/TechNetSpain