Beyond patching
Microsoft Security - PowerPoint PPT Presentation
Presentation Transcript

Beyond Patching

Dean Iacovelli

Chief Security Advisor – State and Local Government

Microsoft Corporation

[email protected]



Objectives

Address your concerns about security

Update on current trends

Current initiatives at Microsoft

Future security product/solution roadmap

Agenda

Defining and managing the risk

System Integrity

Identity management

Trustworthy Identity

Client protection

Server protection

Network protection

Summary, Q&A


My Role as SLG CSA

Overall security policy and strategy for MS SLG

MS spokesperson to/from SLG customers

Information broker – resources, best practices, programs

Coordinator for incident response communication, security readiness

Not goaled on revenue

Basically: Help ensure SLG customers have a good experience dealing with security on the MS platform


Your Feedback?

Challenges

Worms / viruses

Spyware

Spam

Patch management

Network access control

Identity management

Best practices / guidance

Looking at Linux for security reasons?


Understanding Your Adversary

Chart: attacker motivation (National Interest, Personal Gain, Personal Fame, Curiosity) plotted against attacker type (Spy, Thief, Trespasser, Vandal, Author) and skill level (Hobbyist Hacker, Script-Kiddy, Expert, Specialist). Annotations on the chart: "Fastest growing segment"; "Tools created by experts now used by less skilled attackers and criminals".


State and Local Security Trends

Attacks becoming less numerous, more nasty

Viruses/worms still lead in financial cost BUT

6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI)

2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)

Botnets (used for cyber extortion) have jumped from average of 2500 machines in 2004 to 85,000 in 2006

Why sniff the net when you can hack the site or the password?

95% reported 10+ website incidents last year (FBI/CSI)

15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)

Major NT4/Win 98 supportability issues

Enterprise patching and management still not under control

What your neighbor isn’t doing IS your problem

Real cost is loss of trust



Slide image, annotated "#3 in previous chart": Video game cheats, Celebrities, Song lyrics


Trends in Security Spending

$497 per employee

$354 operations

$143 capital

Even worse for smaller agencies - as much as $650

No economies of scale

SLG spends ~10x Federal and most of private sector

Lack of centralized strategy / tools

Getting worse

Federal trending down from CY05

SLG trending up

Various new state infosec laws may be impacting costs but still serious issue


MS Security Statistical Snapshot

263M downloads of XP SP2

75M downloads of Microsoft Anti-Spyware beta

9.7M consumers using SP2 Firewall

332M machines using Automatic Update or Windows Update

135 legal actions against spammers worldwide

121 phishing sites sued

578 Microsoft CISSPs (and counting…)


Microsoft Security Strategy Overview

Threat and Vulnerability Mitigation

Client Protection: Protect PCs & devices from malicious software

Server Protection: Protect servers from malicious software

Network Protection: Protect network from malicious software & inappropriate access

Identity and Access Management: Allow legitimate users secure access to machines, applications and data

System Integrity: Make systems inherently safer and more secure


Security Development Lifecycle

  • Security Development Lifecycle

  • Security Response Center

  • Better Updates And Tools


Threat Modeling Example: MS03-007

The underlying DLL (NTDLL.DLL) not vulnerable

Code made more conservative during Security Push

Even if it was vulnerable

IIS 6.0 not running by default on Windows Server 2003

Even if it was running

IIS 6.0 doesn’t have WebDAV enabled by default

Even if it did have WebDAV enabled

Maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)

Even if the buffer was large enough

Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)

Even if there was an exploitable buffer overrun

Would have occurred in w3wp.exe which is now running as ‘network service’


Focus Yielding Results

Chart: number of security bulletins in the period prior to the Trustworthy Computing (TwC) release versus bulletins since the TwC release, for products released 11/29/2000, 05/31/2001, 09/28/2003 and 11/17/2003, plus SQL Server 2000 SP3 (released 1/17/2003); bulletins counted 820 days and 1027 days after product release; values shown on the chart: 3, 7, 11, 16, 50, 89

* As of February 14, 2006


Case Study: How We Tested WMF Patch

415 apps (ms & third party)

6 supported versions of the OS in 23 languages

15k print variations, 2800 print pages verified

2000 wmf’s analyzed, 125 malicious wmf’s tested

12k images verified for regressions

22,000 hours of stress testing

450k total test cases


Patch Management Initiative: Progress to Date

  • Better security bulletins and KB articles

  • IT SHOWCASE: How Microsoft IT Does Patch Management

  • Standardized patch and update terminology

  • Moved from 8 installers to 2 (update.exe and MSI)

  • Standardized patch naming and switch options

  • Improved patch testing process and coverage

  • Expanded test process to include customers

  • Reduced reboots by 10%, targeting 50% in Vista

Informed & Prepared Customers

Consistent & Superior Update Experience

Superior Patch Quality

  • Microsoft Update

  • WSUS

  • SMS 2003

Best Patch & Update Management Solutions


Update Impact Analyzer: Determine How Patches Will Affect Critical Apps


Fundamentals

“You can only manage what you can measure”

…and you can only secure what you can manage (and find)

Decentralization may be a reality but it’s not a best practice

Set policy

Active Directory

Central policy, local defense

Delegate back business-specific policy control

Audit policy

Turning it on AFTER the incident is much less useful

Don’t wait for the incident to look at the logs

Standardize builds, supported applications

Enterprise assets are not toys

Vista will make this easier, possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
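The audit-policy point above (turn auditing on before the incident, and read the logs routinely rather than after the fact) is easier to act on with a small recurring check. The following is an added example, not code from the presentation or from Microsoft: it scans a constructed, simplified export of Windows Security audit events and flags failed-logon bursts and source hosts that fail against several accounts. Event ID 4625 is the "account failed to log on" audit event on Windows Vista and later; 529 is the Windows Server 2003-era equivalent. The log format, host names and thresholds are assumptions made for the example.

```python
"""Routine review of Windows Security audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event id, account, source workstation.
# Not real tool output; the values are invented for this example.
SAMPLE_LOG = """\
2006-03-06 08:01:12,4624,jsmith,WS-0142
2006-03-06 08:02:05,4625,svc_backup,WS-0377
2006-03-06 08:02:07,4625,svc_backup,WS-0377
2006-03-06 08:02:09,4625,svc_backup,WS-0377
2006-03-06 08:02:11,4625,svc_backup,WS-0377
2006-03-06 08:02:13,4625,svc_backup,WS-0377
2006-03-06 08:02:15,4625,svc_backup,WS-0377
2006-03-06 08:15:40,4625,jsmith,WS-0142
2006-03-06 09:30:00,4625,administrator,WS-0377
2006-03-06 11:45:22,4625,jsmith,WS-0142
"""

# Failed-logon audit events: 4625 (Vista and later), 529 (Windows Server 2003).
FAILED_LOGON = {"4625", "529"}


def parse_events(text):
    """Parse the constructed CSV-style export into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, source = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "account": account.lower(),
            "source": source,
        })
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(account, source): max_count} for pairs whose failed logons
    reach `threshold` inside any sliding `window` (assumed thresholds)."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["event_id"] in FAILED_LOGON:
            by_key[(ev["account"], ev["source"])].append(ev["time"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits the time window.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def sources_touching_many_accounts(events, min_accounts=2):
    """Source hosts whose failed logons span several different accounts."""
    accounts = defaultdict(set)
    for ev in events:
        if ev["event_id"] in FAILED_LOGON:
            accounts[ev["source"]].add(ev["account"])
    return {src: sorted(a) for src, a in accounts.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (account, source), n in failed_logon_bursts(evs).items():
        print(f"burst: {n} failed logons for {account} from {source} within 5 minutes")
    for src, accts in sources_touching_many_accounts(evs).items():
        print(f"{src} failed against several accounts: {', '.join(accts)}")
```

The same two functions run unchanged over a larger export; the point is that the review happens on a schedule, so a burst like the one from the constructed host WS-0377 is seen the day it happens rather than during an investigation weeks later.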


Beyond Patching: The Problem

  • Patching is no longer strategic

    • Moving from security to operations like backups

  • New threats require new models

    • Internal network is NOT trusted

    • Medieval castle model is the only response

    • Automated attacks require automated defenses


Microsoft Security Strategy Overview


Identity and Access Management

Allow only legitimate users secure, policy-based access to machines, applications and data

Trustworthy Identity – Ensure users are who they claim to be; manage identity lifecycle: Directory Services, Lifecycle Management, Strong Authentication, Federated Identity, Certificate Services

Access Policy Management – Provide access based on policy: Role-based Access Control, Audit Collection Services, Group Policy Management Console

Information Protection – Protect data throughout its lifecycle: Rights Management Services, Encryption Services, Secure Protocols and Channels, Back-up and Recovery Services


Fundamentals

Reduce

Consolidate to fewer identity stores

Leverage metadirectories to simplify sign on, automate/standardize identity business rules

Reuse

Leverage globally relevant attributes across all applications

Place non-globally relevant attributes in app-coupled LDAP stores

Recycle

Leverage federation to use your credentials on business partner networks


Microsoft Security Strategy Overview


Fundamentals

Medieval castle model

The internal network is NOT trusted

Central policy, local defense

Leverage tools you already own

Windows firewall

Active Directory group policy

Phishing filters

Encrypting file system

IPSec logical segmentation

Isolate what you can’t defend


Helps protect the system from attacks from the network

Enables more secure Email and Instant Messaging experience

Enables more secure Internet experience for most common Internet tasks

Provides system-level protection for the base operating system


Internet Explorer 7

Social Engineering Protections

  • Phishing Filter and Colored Address Bar

  • Dangerous Settings Notification

  • Secure defaults for all settings

Protection from Exploits

  • Protected Mode to prevent malicious software

  • Code quality improvements

  • ActiveX Opt-in


Application Compatibility Toolkit V5.0

Analyze your portfolio of Applications, Web Sites, and Computers

Evaluate operating system deployments or impact of operating system updates

Rationalize and Organize by Applications, Web Sites, and Computers

Prioritize compatibility efforts with filtered reporting

Add and manage issues and solutions for your personal computing environment

Deploy automated mitigations to known compatibility issues

Send/Receive compatibility information to Online Compatibility Exchange


Chart: Microsoft client protection offerings for individual users (MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live) and for businesses (Microsoft Client Protection), compared on: remove most prevalent viruses, remove all known viruses, real-time antivirus, remove all known spyware, real-time antispyware, central reporting and alerting, customization, IT infrastructure integration


Shared Computer Toolkit for Windows XP

Windows Disk Protection

Prevent unapproved changes to the Windows partition

Allow critical updates and antivirus updates

User Restrictions

Restrict untrusted users from files and settings

Lock user profiles for protection and privacy

Profile Manager

Create “persistent” user profiles on unprotected partitions

Delete locked user profiles

Accessibility

Accessibility settings & utilities when restricted

Quick access for repeat use

  • Getting Started

  • Use and learn about the Toolkit

  • Quick access toolbar

Tools are scriptable. Additional command-line tools included.

Comprehensive Help and Handbook with supplemental security guidance.


Next Generation Security and Compliance – Engineered for the future

Identity & Access Control (Enable secure access to information): User Account Control, Plug and Play Smartcards, Granular auditing, Simplified Logon architecture

Threat & Vulnerability Mitigation (Protect against malware and intrusions): Code Integrity, IE Protected Mode, Windows Defender, IPSEC/Firewall integration, Network Access Protection

Fundamentals: Security Development Lifecycle, Threat Modeling, Code Scanning, Service Hardening

Information Protection: BitLocker Drive Encryption, EFS Smartcard key storage, RMS client, Control over removable device installation, XPS Document + WPF APIs


InfoCard Overview: Secure sharing of your info online

Simple user abstraction

Manage compartmentalized versions of your identity

Strong computer generated keys instead of human generated passwords

Relates to familiar models

Gov’t ID card, driver’s license, credit card, membership card, …

Flexible issuance

Self-issued – eBay, Amazon

Issued by external authority – Visa, Government

Implemented as secure subsystem

Protected UI, anti-spoofing techniques, encrypted storage

Built on WS-Federation web standards


Microsoft Security Strategy Overview


Security Configuration Wizard Windows Server 2003 SP1

Security lockdown tool for Windows Server 2003

Role-based paradigm

Focused on Attack Surface Reduction

Disables unnecessary services

Disables unnecessary web extensions

Blocks unnecessary ports

Configures audit SACLs

Operational infrastructure

Client-Server deployment infrastructure

Support for Group Policy-based deployment

Compliance Analysis

Rollback support



Microsoft Antigen Line of Products

Threat & Vulnerability Mitigation

  • Highlights

    • Unique multi-engine approach for faster detection and broader protection

    • Integrated virus and spam protection

    • Integrated Microsoft AV engine

RTM in Q2 2006


Microsoft Security Strategy Overview


Network Access Protection: Longhorn Server (2007)

Policy Validation

Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy.”

Network Restriction

Restricts network access to computers based on their health.

Remediation

Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.

Ongoing Compliance

Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.


Network Access Protection Walkthrough

Participants: Client; Network Access Device (DHCP, VPN); IAS Policy Server; System Health Servers; Remediation Servers; Corporate Network; Restricted Network

System Health Servers → IAS Policy Server: ongoing policy updates to IAS Policy Server

Client → Network Access Device: “May I have access? Here’s my current health status.”

Network Access Device → IAS Policy Server: “Should this client be restricted based on its health?”

IAS Policy Server: “According to policy, the client is not up to date. Quarantine client, request it to update.”

Network Access Device → Client: “You are given restricted access until fix-up.”

Client → Remediation Servers: “Can I have updates?” Remediation Servers → Client: “Here you go.”

Client → Network Access Device: “Requesting access. Here’s my new health status.”

IAS Policy Server: “According to policy, the client is up to date. Grant access.”

Client is granted access to full intranet.

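The four NAP functions on the previous slide (policy validation, network restriction, remediation, ongoing compliance) and the walkthrough exchange above can be followed end to end in a small simulation. This is an added example, not code from the presentation or from Microsoft's NAP implementation: the statement-of-health fields, the policy thresholds, the remediation behaviour and the message shapes are all assumptions made for the example; the real protocol carries these in RADIUS attributes between the client, the access device and the IAS server.

```python
"""Simulated NAP-style health evaluation exchange (added example)."""
from dataclasses import dataclass


@dataclass
class HealthPolicy:
    """Constructed policy: what the IAS policy server considers healthy."""
    min_patch_level: int        # assumed cumulative update level
    max_av_signature_age: int   # days since the last antivirus signature update
    firewall_required: bool = True


@dataclass
class StatementOfHealth:
    """Constructed statement of health the client presents on each request."""
    client: str
    patch_level: int
    av_signature_age: int
    firewall_enabled: bool


class PolicyServer:
    """Policy validation: decide grant/restrict and list the required fix-ups."""

    def __init__(self, policy):
        self.policy = policy

    def evaluate(self, soh):
        fixes = []
        if soh.patch_level < self.policy.min_patch_level:
            fixes.append(f"install updates to level {self.policy.min_patch_level}")
        if soh.av_signature_age > self.policy.max_av_signature_age:
            fixes.append("update antivirus signatures")
        if self.policy.firewall_required and not soh.firewall_enabled:
            fixes.append("enable host firewall")
        return ("grant", fixes) if not fixes else ("restrict", fixes)


class RemediationServer:
    """Remediation: the only thing a restricted client can reach (constructed)."""

    def __init__(self, available_patch_level):
        self.available_patch_level = available_patch_level

    def remediate(self, soh, fixes):
        for fix in fixes:
            if fix.startswith("install updates"):
                # Can only raise the client to what the server has available.
                soh.patch_level = max(soh.patch_level, self.available_patch_level)
            elif fix == "update antivirus signatures":
                soh.av_signature_age = 0
            elif fix == "enable host firewall":
                soh.firewall_enabled = True
        return soh


def access_request(soh, policy_server, remediation_server, max_rounds=2):
    """Network restriction loop: evaluate, quarantine, remediate, re-evaluate.

    Returns the list of (decision, fixes) the policy server produced; the
    client only leaves the restricted network on a 'grant'."""
    transcript = []
    for _ in range(max_rounds):
        decision, fixes = policy_server.evaluate(soh)
        transcript.append((decision, fixes))
        if decision == "grant":
            break
        soh = remediation_server.remediate(soh, fixes)
    return transcript


if __name__ == "__main__":
    server = PolicyServer(HealthPolicy(min_patch_level=12, max_av_signature_age=7))
    fixup = RemediationServer(available_patch_level=12)
    client = StatementOfHealth("WS-0142", patch_level=9, av_signature_age=30, firewall_enabled=False)
    for decision, fixes in access_request(client, server, fixup):
        print(decision, fixes)
```

Two behaviours are worth noticing when running it: a client whose remediation server cannot supply the required patch level stays on the restricted network after its second request (the second transcript entry is still "restrict"), and raising `min_patch_level` on the policy server turns a previously granted client into a restricted one at its next evaluation, which is the "ongoing compliance" case.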




Getting Started

Beta available now

Preparing for NAP will take effort and time!

Deployment preparation tasks:

Health Modeling

Health Policy Zoning

IAS (RADIUS) Deployment

Zone Enforcement Selection

Exemption Analysis

Change Process Control

Phased rollout

Rollout VPN solution to test health policy

Rollout IPSec segmentation to test wired enforcement


Roadmap

Services: Frontbridge hosted services for anti-virus and anti-spam filtering (for businesses); Windows Live OneCare (for consumers); next generation of services

Products: Microsoft Client Protection; Microsoft Antigen Anti-virus and Anti-spam for messaging and collaboration servers; ISA Server 2006; ISA Server 2004; Sybari Antigen anti-spam and anti-virus for Email, IM and SharePoint; Content filtering services; next generation of security products

Platform: Windows XP SP2; Windows Server 2003 SP1; Anti-malware tools; Microsoft Update; Windows Server Update Services; Network Access Protection; IPSec Enhancements; Audit Collection Services; Windows AntiSpyware; Windows Vista (Firewall, Services Hardening)


Summary

It’s all one network. Period.

Need to be securing for tomorrow’s threats, not yesterday’s

Defense in depth is and has always been the only effective strategy

Enterprise patch management will free us for more strategic work

Every machine deserves a good defense



Contact info:

Dean Iacovelli

Chief Security Advisor – State and Local Government

Microsoft Corporation

[email protected]

Slides available at:

www.iacovelli.info/work/secgtc.ppt



Tools / Products

Application Compatibility Toolkit 5.0 beta sign up

http://connect.microsoft.com/

Network Access Protection

http://www.microsoft.com/nap

Microsoft Baseline Security Analyzer (MBSA)

http://www.microsoft.com/mbsa

Windows Server Update Services (WSUS)

http://www.microsoft.com/wsus

IE 7

http://www.microsoft.com/windows/ie/default.mspx

Client Protection

http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx

Vista security

http://www.microsoft.com/technet/windowsvista/security/default.mspx

Security Configuration Wizard

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx


Guidance and Training

MICROSOFT

Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp

Security Guidance Centers http://www.microsoft.com/security/guidance

Security Online Training https://www.microsoftelearning.com/security/

XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2

Microsoft IT Security Showcase http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA

Security Newsletter http://www.microsoft.com/technet/security/secnews/default.mspx

Security Events and Webcasts http://www.microsoft.com/seminar/events/security.mspx

Security Notifications via e-mail http://www.microsoft.com/technet/security/bulletin/notify.mspx

MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx

Security Bulletin Search Page http://www.microsoft.com/technet/security/current.aspx

Security Bulletin Webcast http://www.microsoft.com/technet/security/bulletin/summary.mspx

Writing Secure Code, 2nd edition http://www.microsoft.com/mspress/books/5957.asp

Building and Configuring More Secure Web Sites http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp

Windows XP Security Guide, includes SP2 http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx

Security Risk Management Guide http://go.microsoft.com/fwlink/?LinkId=30794

Windows NT 4.0 and Windows 98 Threat Mitigation Guide http://go.microsoft.com/fwlink/?linkid=32048

Microsoft Identity and Access Management Series http://go.microsoft.com/fwlink/?LinkId=14841

OTHER

FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN


As of 6 March 2006:

Tracking 13053 bot-nets, of which 8524 are active

Average size is 85,000 computers


Windows Service Hardening: Defense In Depth – Factoring/Profiling

Reduce size of high risk layers

Segment the services

Increase # of layers

Diagram: services (Service 1, Service 2, Service 3, Service A, Service B, Service…) factored into separate layers above Kernel Drivers and User-mode Drivers.


Vista Service Changes: Services common to both platforms


Windows Vista Firewall

Combined firewall and IPsec management

New management tools – Windows Firewall with Advanced Security MMC snap-in

Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent

Specify security requirements such as authentication and encryption

Specify Active Directory computer or user groups

Outbound filtering

Enterprise management feature – not for consumers

Simplified protection policy reduces management overhead


User Account Control (UAC)

Previously known as “LUA”

Users will log on as non-administrator by default

Protects the system from the user

Enables the system to protect the user

Consent UI allows elevation to administrator

Applications and administrator tools should be UAP aware

Differentiate capabilities based on UAP

Apply correct security checks to product features

Start testing your software against Vista now!





BitLocker™ Drive Encryption

Designed specifically to prevent malicious users from breaking Windows file and system protections

Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System

A Trusted Platform Module (TPM) or USB flash drive is used for key storage



Trusted Platform Module: Smartcard-like module on system motherboard

Helps protect secrets

Performs cryptographic functions

Can create, store and manage keys

Performs digital signature operations

Holds Platform Measurements (hashes)

Anchors chain of trust for keys and credentials

Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org
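The two TPM properties that BitLocker relies on (the slide above: "Holds Platform Measurements (hashes)" and "Anchors chain of trust for keys and credentials"; the BitLocker slide: the TPM is used for key storage) can be simulated in software to see why a modified boot chain cannot recover the volume key. This is an added example, not code from the presentation, from Microsoft or from any TPM vendor. What it reproduces from TPM 1.2 is the 20-byte SHA-1 platform configuration register and the extend rule (new PCR = SHA-1(old PCR || measurement)); the seal/unseal construction below is a constructed HMAC-based stand-in for the TPM's internal sealing, `srk` is a constructed placeholder for the storage root key that never leaves a real TPM, and the boot component blobs are constructed.

```python
"""Measured boot and PCR-bound sealing, simulated in software (added example)."""
import hashlib
import hmac

PCR_BYTES = 20  # TPM 1.2 PCRs are SHA-1 sized


def extend(pcr, component):
    """TPM 1.2 extend: PCR := SHA-1(PCR || SHA-1(component)).

    A real TPM receives the 20-byte digest of the component from the caller;
    hashing it here keeps the example self-contained."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measured_boot(components):
    """Start from a zeroed PCR and extend it with each boot stage in order.
    The result depends on every component and on their order."""
    pcr = bytes(PCR_BYTES)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def _seal_key(srk, pcr):
    # Constructed key derivation: binds the wrapping key to the SRK and the PCR.
    return hmac.new(srk, b"seal:" + pcr, hashlib.sha256).digest()


def seal(secret, expected_pcr, srk):
    """Wrap `secret` so it is only recoverable when the PCR equals expected_pcr.
    Constructed stand-in for TPM sealing; secret is at most 32 bytes here."""
    if len(secret) > 32:
        raise ValueError("example sealing supports secrets of up to 32 bytes")
    key = _seal_key(srk, expected_pcr)
    pad = hashlib.sha256(key).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"pcr": expected_pcr, "ciphertext": ciphertext, "tag": tag}


def unseal(blob, current_pcr, srk):
    """Return the secret if the current PCR matches the sealed one, else None."""
    if not hmac.compare_digest(current_pcr, blob["pcr"]):
        return None  # boot chain differs from the one the secret was sealed to
    key = _seal_key(srk, current_pcr)
    expected_tag = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # wrong SRK (a different TPM) or a tampered blob
    pad = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], pad))


# Constructed boot chain: stand-ins for the stages BitLocker measures.
GOOD_CHAIN = [b"firmware (constructed)", b"MBR (constructed)",
              b"boot manager (constructed)", b"OS loader (constructed)"]
CONSTRUCTED_SRK = b"\x01" * 32          # placeholder; a real SRK stays inside the TPM
VOLUME_KEY = b"K" * 32                   # constructed stand-in for a volume key


def demo():
    """Seal the volume key to the good chain, then try both boot outcomes."""
    good_pcr = measured_boot(GOOD_CHAIN)
    blob = seal(VOLUME_KEY, good_pcr, CONSTRUCTED_SRK)
    tampered = GOOD_CHAIN[:1] + [b"MBR (modified, constructed)"] + GOOD_CHAIN[2:]
    return {
        "clean_boot": unseal(blob, measured_boot(GOOD_CHAIN), CONSTRUCTED_SRK),
        "tampered_boot": unseal(blob, measured_boot(tampered), CONSTRUCTED_SRK),
        "other_tpm": unseal(blob, good_pcr, b"\x02" * 32),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "-> key released" if result else "-> key withheld")
```

Running `demo()` shows the three outcomes the slide's bullets imply: the untouched chain releases the key, a single modified stage changes every later PCR value and the key stays sealed, and the same blob presented to a different TPM (different `srk`) also yields nothing, which is what "anchors chain of trust for keys" means in practice.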

