Security @ Microsoft Anirudh Singh Rautela │ Technology Specialist - Security
Agenda • The Microsoft TWC Initiative • Security & Privacy Progress • Windows Platform Security
Trustworthy Computing Predictable, consistent, responsive service Maintainable, easy to configure and manage Resilient, works despite changes Recoverable, easily restored Proven, ready to operate Commitment to customer-centric Interoperability Automated Policy based solutions Recognized industry leader, world-class partner Open, transparent Microsoft Security Response Center (MSRC) Microsoft Malware Protection Center (MMPC) Microsoft Security Engineering Center (MSEC) Microsoft Privacy Guidelines for developing Software and Services Microsoft Data Governance Framework Managing and Protecting Personal Information Secure against attacks Protects confidentiality, integrity and availability of data and systems Build solutions that protect privacy Safeguard your corporate data Protect Personal Privacy Microsoft Online Crash Analysis Engineering Excellence Training and Guidelines Microsoft Online Services with high reliability in multiple data centers Vendor Engagement and Windows Hardware Quality Lab Business Continuity explicitly designed in with prescriptive guidance Interop Vendor Alliance Open Source Software Lab Transparent Practices (SDL, Codeplex, etc.) SQL Server 2005 Visual Studio 2005 Windows Server 2003 SP1 Malicious SW Removal Tool Windows Defender Windows Live OneCare TWC Announced SDL begins Windows XP SP2 DSI Launched Windows Vista Office 2007 Forefront Windows Server 2008 SQL Server 2008 Windows Server 2003 2002 2003 2004 2005 2006 2007 2008
Centers Supporting TwC Security TwC Security Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations) Microsoft Security Response Center (MSRC) Conception Microsoft Security Engineering Center (MSEC) EcoStrat Product Life Cycle MSRC Ops SDL MSRC Engineering Security Assurance Microsoft Malware Protection Center (MMPC) Security Science Release
The Microsoft Security Development Lifecycle Goals • Protect Microsoft customers by • Reducing the number of vulnerabilities • Reducing the severity of vulnerabilities Key Principles • Prescriptive yet practical approach • Proactive – not just “looking for bugs” • Eliminate security problems early • Secure by design Microsoft Security Response Center Conception Best Practices and Learning Product Development Incident Response Secure Design Final Security Review Secure Implementation Release Internal Testing Beta Testing Verification
Embedding Security Into Software And Culture At Microsoft, we believe that delivering secure software requires Executive commitment SDL a mandatory policy at Microsoft since 2004 Training Requirements Design Implementation Verification Release Response • Core training • Analyze security and privacy risk • Define quality gates • Threat modeling • Attack surface analysis • Specify tools • Enforce banned functions • Static analysis • Dynamic/Fuzz testing • Verify threat models/attack surface • Response plan • Final security review • Release archive • Response execution Technology and Process Education Accountability Ongoing Process Improvements 6 month cycle
Microsoft Security Strategy Infrastructure Optimization Microsoft Windows Vista Security Whitepapers Learning Paths for Security Professionals Microsoft Security Assessment Toolkit Microsoft Security Intelligence Report Microsoft IT Showcase Security Readiness Security Tools & Papers Education and Training Prescriptive Guidance
Security and Privacy Industry Partnerships Public Policy Law Enforcement Consumer Awareness Industry Partnership Global Infrastructure Alliance for Internet Safety Global Phishing Enforcement Initiative Digital PhishNet Virus Information Alliance
Handy Admin tools & resources • Threats & Countermeasures • Security Risk Management Guide • Fundamental Computer Investigation Guide for Windows • Microsoft Security Assessment Tool 4.0 • MBSA Tool & Scripts • Microsoft Security Compliance Manager • Security Awareness Toolkit • SysInternals Toolkit • Security Literature to read • Misc. Security Tools for Admins
Security And Privacy Progress SDL and SD3 Defense in Depth Threat Mitigation • Microsoft Security Response Center (MSRC) • Microsoft Malware Protection Center (MMPC) • Windows Live OneCare and Forefront Client Security, powered by the Microsoft Malware Protection Center • SPAM (Sender ID, Phishing Filters) • Network Access Protection (NAP/NAC) • Security Development Lifecycle process • Engineered for security • Design threat modeling • SD3 • Secure by Design • Secure by Default • Secure In Deployment • Automated patching and update services • Malware Example • Consumer Education • Laws • Firewalls • Antivirus Products • Antispyware Products • Malicious Software Removal Tool • Memory Management (ASLR) • Law Enforcement
Comparing Incidents Blaster August 2003 Sasser April 2004 Zotob August 2005 MS08-067 October 2008 Before publicly known (MAPP) Alert and prescriptive guidance Within 1 day Within 2 hours 2 days prior Online guidance/ Webcast Within 10 days Within 2 days 3 times, 2x Same day Same day Free worm removal tool Within 38 days Within 3 days Within 3 days Didn’t need one* Days after the patch we knew of 1st exploit +11 days +4 days +2 days -11 days Products not affected by attacks Vista, Win7 Server 2008 none none XP SP2 *at the time of the security update release and the immediate aftermath
Software Vulnerability Disclosures By half year – industry wide • Vulnerability disclosures in 2H08 down 3% from 1H08 • 2008 as a whole down 12% from 2H07 • Microsoft proportion only 5% of industry total Industry-wide vulnerability disclosures by half-year, 2H03-2H08 Vulnerability disclosures for Microsoft products, by full year, 2004-2008
What Are Experts Saying? “Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some antivirus software with shoddy file parsing, and the latest iTunes?” Halvar Flake, Security Researcher, Microsoft BlueHat Conference, September 2007. “Given this situation, Microsoft deserves high praise for creating, formalizing, and improving SDL as it has led to better software for the masses.” Jon Oltsik, Enterprise Strategy Group, September 2008
WINDOWS PLATFORM SECURITY Core improvements to the Operating Systems Security by Design, by Default and by Deployment
Internet Explorer 8 Security Building on IE7 and addressing the evolving threat landscape • Social Engineering & Exploits • Reduce unwanted communications • Freedom from intrusion • International Domain Names • Pop-up Blocker • Increased usability • Browser & Web Server Exploits • Protection from deceptive websites, malicious code, online fraud, identity theft • Protection from harm • Secure Development Lifecycle • Extended Validation (EV) SSL certs • SmartScreen® Filter • Domain Highlighting • XSS Filter/ DEP/NX • ActiveX® Controls • Choice and control • Clear notice of information use • Provide only what is needed • Control of information • User-friendly, discoverable notices • P3P-enabled cookie controls • Delete Browsing History • InPrivate™ Browsing & Filtering
Secure Platform • Security Development Lifecycle (SDL) • Kernel Patch Protection • Kernel-mode Driver Signing • Secure Startup • Windows Service Hardening • x64 Hardware Integration Data Protection • Rights Management Services (RMS) • SharePoint, Exchange, Windows Mobile integration • Encrypting File System (EFS) • BitLocker & BitLocker To Go • Native smart card support • GINA Re-architecture • Certificate Services • Credential roaming • AppLocker™ • DirectAccess • User Account Control • Network Access Protection (NAP) • IPv6 • IPsec • Windows CardSpace Secure Access • Windows Defender • IE Protected Mode • Address Space Layout Randomization (ASLR) • Data Execution Prevention (DEP) Malware Protection • Bi-directional Firewall / multi profile Support • Windows Security Center
Security Development Lifecycle (SDL) • Windows Server Virtualization (Hypervisor) • Role Management Tool • OS File Integrity Secure Platform Data Protection • Network Access Protection (NAP) • Server and Domain Isolation with IPsec • End-to-end Network Authentication • Windows Firewall With Advanced Security • On By Default • DirectAccess Network Protection • Rights Management Services (RMS) • Full volume encryption (BitLocker) • USB Device-connection rules with Group Policy • Improved Auditing • Windows Server Backup • EFS Identity Access • Read-only Domain Controller (RODC) • Active Directory Federation Services (ADFS) • Administrative Role Separation • PKI Management Console • Online Certificate Status Protocol
Windows Server Core Server, Server Roles (for example only) • Minimal installation option • Low surface area more secure • Command line interface • Less patching/Less downtime TS IAS WebServer SharePoint Etc… Server With WinFx, Shell, Tools, etc. Server Core Server Roles DNS DHCP File/ Print AD Hyper-V Basic Web Server Core Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems GUI, CLR, Shell, IE, Media, OE, etc.
Services Encrypting File System (EFS) BitLocker™ Information Protection Identity & Access Management Systems Management Microsoft Security: Defense In Depth A well Managed Secure Infrastructure is the key! Edge Edge Server Applications Server Applications Network Access Protection (NAP) Client and Server OS Client and Server OS Certificate Lifecycle Management Active Directory Federation Services (ADFS) Mobile Device Manager 2008 TWC Data Protection Manager Configuration Manager 2007 SDL Operations Manager 2007