Security and Microsoft - PowerPoint PPT Presentation

1 / 49

About This Presentation

Title:

Security and Microsoft

Description:

Security and Microsoft. Carolyn Burke, MA, CISSP. Acting Senior Security Product ... The customer can expect that systems are resilient to attack, and that the ... – PowerPoint PPT presentation

Number of Views:77

Avg rating:3.0/5.0

Slides: 50

Provided by: carolyn112

Category:

more less

Transcript and Presenter's Notes

Title: Security and Microsoft

1
Security and Microsoft

Carolyn Burke, MA, CISSP
Acting Senior Security Product Manager, Microsoft
Canada
CEO, Integrity Incorporated

2
Welcome!!
3
Microsoft Trustworthy Computing Framework
4
Microsoft Trustworthy Computing Framework
GOALS
5
Microsoft Trustworthy Computing Framework
6
Microsoft Trustworthy Computing Framework

Committed to improving our products and services
Security is the utmost priority
Affecting change in developing, releasing, and
supporting our products

7
Microsoft Trustworthy Computing Framework

Four security components
3D C
Secure By Design
Secure By Default
Secure In Deployment
Communications

D
D
D
C
8
Microsoft Trustworthy Computing Framework
Means
9
Microsoft Trustworthy Computing Framework
Means

Secure by Design, Secure by Default, Secure
in Deployment
Fair Information Principles
Availability
Manageability
Accuracy
Usability
Responsiveness
Transparency

10
Microsoft Trustworthy Computing Framework

Execution

Intents
Implementation
Evidence
11
Microsoft Trustworthy Computing Framework
Fundamental problems to address

Policy
Processing
Complexity
Hardware, Redundancy
Machine-to-Machine Processes

Identity
People
Programming
Tools
Interoperability
Conceptual models

12
Microsoft Trustworthy Computing Framework

Essential also to our economy and society at
large
Multi-dimensional set of issues
Hard problems that require fundamental research
and advances in engineering will remain.
Step up to the challenge of tackling these
problems

13
Microsoft Trustworthy Computing Framework

Year in review 2003
Windows Server 2003 development team actually
halted production to do a complete security
review of the product before shipping
Exchange Server 2003, Office System 2003, Rights
Management Services, Systems Management Server
2003
More than 11,000 engineers in the company have
and continue to receive specialized training in
writing secure code.

14
Microsoft Trustworthy Computing Framework

Year in review 2003 Highlights
May Virus Information Alliance
August Protect Your PC campaign
October 5M million reward
Partnered with the U.S. Secret Service, FBI and
Interpol to launch a
October Launch Security Mobilization
December
patch management processes, policies and
technologies
global security guidance education programs
develop new safety technologies in Windows XP,
Windows Server 2003

15
Microsoft Trustworthy Computing Framework

2004
Microsoft is fully committed to the long-term
success of the Trustworthy Computing initiative
collaborate worldwide to address critical
technology trust issues
work to increase standardization of internal
development and quality assurance processes
companywide
share practices and productize internal
development tools
We will work to make our products more resilient,
and to develop privacy-enabling technologies. And
we will work to make the customer feedback loop
even stronger.

16
Security Mobilization

What it is and Isnt
Worldwide Response Initiative
Technical Response
User Response

17
Partner and Customer Implications

Developments since Oct 9 Security Positioning
Worldwide Response
National Subsidiary Communication
Licensee Communication

18
Microsoft Security Solutions and Resources
19
Improving SecurityResponding to the Crisis

Patches proliferating
Time to exploit decreasing
Exploits are more sophisticated
Current approach is not sufficient

20
The Exploit Process
Security Researchers
Exploit Coders
Worm Builders
Discover vulnerabilities
Reverse-engineer patches post exploit code to
the Web
Hack together worms with posted exploit code
worm toolkits
What Microsoft is doing
Collaborating to fix vulnerabilities Disclosing
responsibly
Building community consensus that disclosure is
not good Reaching out
Anti-VirusReward Program Assisting with
technical forensics work
Results
Fewer researchers disclosing irresponsibly
continuing to improve
More industry experts are speaking out against
exploit code
Two arrests around the Blaster worm
21
Youve Told Us
Our Action Items
The quality of the patching process is low and
inconsistent
Improve the Patching Experience
I need to know the right way to run a Microsoft
enterprise
Provide Guidance and Training
I cant keep upnew patches are released every
week
Mitigate Vulnerabilities Without Patches
There are still too many vulnerabilities in your
products
Continue Improving Quality
22
Improve the Patching Experience - New Patch
Policies

Extending security support to June 2004
Windows 2000 SP2
Windows NT4 Workstation SP6a
Security patches on a monthly predictable release
cycle

Allows for planning a predictable monthly test
and deployment cycle
Packaged as individual patches that can be
deployed together

NOTE Exceptions will be made if customers are at
immediate risk from viruses, worms, attacks or
other malicious activities
23
Improve the Patching Experience - Patch
Enhancements
Your Need
Our Response
24
Providing Guidance and Training - IT Professionals

Global Education Program
TechNet Security Seminars
Monthly Security Webcasts
Monthly Security Newsletter
www.microsoft.com/events
New Prescriptive Guidance
Patterns and practices
How-to configure for security
How Microsoft Secures Microsoft
Online Community
Security Zone for IT Professionals
Authoritative Enterprise Security Guidance
http//www.microsoft.com/technet/security/bestprac
.asp

25
Beyond Patching
Make customer more resilient to attack, even when
patches are not installed

Help stop known unknown vulnerabilities
Goal Make 7 out of every 10 patches installable
on your schedule

26
Delivering Security Technologies

Windows XP SP2
SECURING CLIENTS
Improved network protection
Safer email and Web browsing
Enhanced memory protection
Beta available, RTM based on customer feedback
Windows Server 2003 SP1
SECURING ENTERPRISE
Role-based security configuration
Inspected remote computers
Inspected internal environment
RTM H2 CY04 NOW!

27
Security technologies for clients
Security enhancements that protect computers,
even without patchesincluded in Windows XP SP2
more to follow
What it is
Helps stop network-based attacks, malicious
attachments and Web content, and buffer overruns
What it does

Network protection Improved ICF, DCOM, RPC
protection turned on by default
Safer browsing Pop-up blocking, protection from
accidental installation of potentially malicious
Web content
Memory protection Improved compiler checks to
reduce stack overruns, hardware NX support
Safer email Improved attachment blocking for
Outlook Express and IM

Key Features
28
Security technologies for Enterprises
Only clients that meet corporate security
standards can connectincluded in Windows Server
2003 SP1 more to follow
What it is
Protects enterprise assets from infected computers
What it does

Role-based security configuration Locks down
servers for their specific task
Inspected remote computers and internal
environment
Enforce specific corporate security requirements
such as patch level, AV signature level
firewall state
Ensure these standards are met when VPN and local
wired or wireless connections are made

Key Features
29
Continue Improving Quality Trustworthy Computing
Release Process
Design docs specifications

Each component team develops threat models,
ensuring that design blocks applicable threats

SecurityReview
Design

Apply security design coding standards
Tools to eliminate code flaws (PREfix PREfast)
Monitor block new attack techniques

M1
Develop Test
M2
Development, testing documentation
Development
Mn

Team-wide stand down
Threat model updates, code review, test
documentation scrub

Security Push
Beta
Product

Analysis against current threats
Internal 3rd party penetration testing

Security Audit
Release
Service Packs, QFEs

Fix newly discovered issues
Root cause analysis to proactively find and fix
related vulnerabilities

Security Response
Support
30
Continue Improving Quality
For some widely-deployed, existing products
Mandatory for all new products
Critical or important vulnerabilities in the
first
31
Commitment to Customers

Patch Investments
Extended Support for NT4 Workstation SP6a
Windows 2000 SP2
Improved Patching Experience
Global Education Effort
WW 500,000 customers trained by June 2004
New Security Expert Zone
Security Innovations
Security technologies for Windows client
Security technologies for Windows server
www.microsoft.com/security/IT

32
Lockdown servers, workstations and network
infrastructure
Design and deploy a proactive patch management
strategy
Centralize policy and access management
www.microsoft.com/technet/security/bestprac
33
Continue Improving QualityMaking Progress
23 Products In the TwC Release Process
.NET Framework (for 2002 2003) ASP.NET (for
2002 2003) Biztalk Server 2002 SP1 Commerce
Server 2000 SP4 Commerce Server 2002 SP1 Content
Management Server 2002 Exchange Server 2003 Host
Integration Server 2002 Identity Integration
Server 2003 Live Communications Server
2003 MapPoint.NET
Office 2003 Rights Mgmt Client Server
1.0 Services For Unix 3.0 SQL Server 2000
SP3 Visual Studio .NET 2002 Visual Studio .NET
2003 Virtual PC Virtual Server Windows CE
(Magneto) Windows Server 2003 Windows Server 2003
ADAM
34
Solutions

Identity Management
Integrated Identity Server Products and Services
Integration with Active Directory
Licensing
PIPEDA implications

35
Solutions

Perimeter Security
ISA 2000
ISA 2004

36
Security Solutions

Virus Information Alliance Anti-Virus

37
Security Solutions

Rights Management

38
Security Solutions

Privacy and Compliance

39
Resources

General
http//www.microsoft.com/security
Technical Resources for IT Professionals
http//www.microsoft.com/technet/security
Best Practices for Defense in Depth
http//www.microsoft.com/technet/security/bestprac
.asp
How Microsoft Secures Microsoft
http//www.microsoft.com/technet/itsolutions/msit/
security/mssecbp.asp
MSDN Security Development Tools
http//msdn.microsoft.com/security/downloads/tools
/ default.aspx

40
Security Guidance for IT Pros

Focused on operating a secure environment
Patterns practices for defense in depth
Enterprise security checklist the single place
for authoritative security guidance

Available Now
17 prescriptive books
How Microsoft secures Microsoft
Throughout 2004
More prescriptive how-to guides
Tools scripts to automate common tasks

41
ResourcesEnterprise Security Guidance

Design and Deploy a Proactive Patch Management
Strategy
Microsoft Guide to Security Patch Management
http//www.microsoft.com/technet/security/topics/p
atch
Lockdown Servers, Workstations and Network
Infrastructure
Microsoft Windows XP Security Guide Overview -
http//www.microsoft.com/technet/security/prodtech
/winclnt/secwinxp/default.asp
Threats and Countermeasures Guides for Windows
Server 2003 and Windows XP http//www.microsoft.c
om/technet/security/topics/hardsys/TCG/TCGCH00.asp
Windows Server 2003 Security http//www.microsoft
.com/technet/security/prodtech/win2003/w2003hg/sgc
h00.asp
Securing your Network
http//msdn.microsoft.com/en-us/dnnetsec/htm
l/THCMCh15.asp
Perimeter Firewall Service Design
http//www.microsoft.com/technet/itsolutions/msa/m
sa20ik/VMHTMLPages/VMHtm57.asp
Network Access Quarantine for Windows Server
2003 http//www.microsoft.com/windowsserver2003/t
echinfo/overview/quarantine.mspx
Centralize Policy and Access Management
Microsoft Identity and Access Management
Solution http//www.microsoft.com/technet/securit
y/topics/identity/idmanage
Architecture, Deployment, and Management
http//www.microsoft.com/technet/security/topics/a
rchitec