Following the Code Red and Nimda attacks, Microsoft heard back from users that they were just sick of this. More than anything, it was the huge impact Code Red had on IIS users. It was horrendous…The problem is these patches are so frequent, Microsoft is adding to its resources to make sure you keep up with them. But my major issue is making the product better." - John Pescatore, Gartner
We will not rest until all our customers have what they need to get secure and stay secure. - Brian Valentine, Microsoft
What we discovered a few months ago is that, while we are doing a pretty good job providing [security tools and patches], it wasn't easy enough for our customers to roll them out. Because of our position in the industry, we felt it was our responsibility to make it as easy as possible for the customer to do what it takes to stay secure. - Dave Thompson, Microsoft
It's not that IIS is poorly written, but it's pretty clear that IIS and Microsoft are huge targets for viruses and other malicious code, putting the firm at risk. - Matt Kesner, Fenwick & West
Microsoft: Get Secure, Stay Secure. Securing Your IT Infrastructure. Šarūnas Končius, Solutions Marketing Specialist, Microsoft Latvia
Agenda • The challenge of security • People, process and technology • Strategic Technology Protection Program (STPP) • The Secure Infrastructure • Case study • Tools demo • Trustworthy Computing • Next steps
The Challenge of Security Internet-enabled businesses face challenges ensuring their technologies for computing and information assets are secure, fast and easy to interact with. The right access to the right content by the right people
Microsoft’s Commitment to Customers: To do everything possible to enable every customer to work, communicate, and transact securely over the Internet
People, Process, Technology: What are the industry challenges? Technology: • Products lack security features • Products have bugs • Many issues are not addressed by technical standards • Too hard to stay up-to-date Process: • Design for security • Roles and responsibilities • Audit, track, follow-up • Calamity plans • Stay up-to-date with security development People: • Lack of knowledge • Lack of commitment • Human error
Life Was Much Simpler Back Then… Mainframe • Terminal access • “Glass house” • Physical security, limited connectivity
Life Was Much Simpler Back Then… Client-Server • LAN connectivity • File/print services • Limited external access
Life Was Much Simpler Back Then… The Internet • “Always On” • E-mail, Instant Messaging • The Web. Then the world became complex and difficult…
Security Breaches Have Real Costs: Business Impact • According to the Computer Crime and Security Survey 2002, by the Computer Security Institute (CSI) and the FBI: • 90% detected computer security breaches • 80% acknowledged financial losses due to computer breaches • 40% of respondents quantified financial losses at $456 million, or $2 million per respondent • 40% detected system penetration from the outside; up from 25% in 2000 • 85% detected computer viruses • InformationWeek estimates: • Security breaches cost businesses $1.4 trillion worldwide this year • 2/3 of companies have experienced viruses, worms, or Trojan Horses • 15% have experienced Denial of Service attacks. Sources: Computer Security Institute (CSI) Computer Crime and Security Survey 2002; InformationWeek.com, 10/15/01
Defense In Depth • Industry-wide security design methodology of layering defenses: • Perimeter defenses • Network defenses • Host defenses • Application defenses • Data and resources • Provides a method and framework for designing security into infrastructure • Prescriptive guidance and detail included in Microsoft Internet Data Center design guide
Microsoft Internet Data Center Guide: Security • Examples of topics included in Internet Data Center guide: • Defense In Depth strategy • Common hacker methods and prevention • Best practices for securing IIS • Windows 2000 Active Directory design and security policies • Best practices for application security • Authentication
Microsoft Security Process Guidance • Based on British Standard 7799, included in Internet Data Center guide, a 4-phase process: • Assess: Define security requirements; perform analysis of current and desired states • Design: Develop security solution; utilize Defense In Depth framework • Deploy: Test and implement; define and document policies, standards, procedures • Manage: Operational management; review and reassess on a regular basis
Strategic Technology Protection Program: Get Secure! Stay Secure! (People, Process, Technology)
Security Management and Operations: Security through people, process and technology • Industry leading security response and support • Free PSS virus related support at 1-866-PCSafety • World-class security training • Gold certified security partner program • MCS Security assessment service offering • Prescriptive guidance for building and managing security • Pre-tested and certified configurations • Microsoft Operations Framework • Security roll-up packages • Microsoft Baseline Security Analyzer • Windows Update • Microsoft Software Update Service
STPP: “Get Secure” (People, Process, Technology) Product Support Services (PSS): • 1-866-PCSAFETY – Free virus related support • Security News Groups – Microsoft.com/security Microsoft Consulting Services: • Security Assessment • Security Quick Start Programs • ISA Quick Start Program Microsoft.com/security: • Server oriented security resources for server admins • New security tools and updates • Security Notification Service Enterprise Security: • Server security configuration scanner • SMS security patch rollout tool • Windows Update Auto-update client (Group Policy-enabled)
STPP: “Stay Secure” (People, Process, Technology) Windows 2000 Security Rollup Patches: • Bundle all security fixes in single patches • Reduces reboots and administrator burden Windows 2000 Service Pack (SP3): • Provide ability to install SP3 + security rollup with a single reboot Microsoft Software Update Service (SUS): • Allows enterprise to host and select Windows Update content Enhanced Product Security: • Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
The Secure Infrastructure. Secure Network Connectivity: • Secure Internet connectivity (MSA & ISA) • Secure remote access (VPN, IAS) • Secure wireless networks (PKI + 802.1x) Integrated Solution for Identity Management: • Directory Services (AD & MMS) • Authentication (PKI, Kerberos, Passport) • Authorization (ACLs, Roles, Federation) • Policy-based management (GP and GPMC) Comprehensive Security Management and Operations: • Tools (MBSA, MSUS) • Guidance (MOC, PAGs, Security Best Practices) • Services (MSQS, PSS, & professional services) • Products (SMS, MOM)
Network Access Challenges. High management overhead: • Multiple points of network access • Disparate access models • Multiple user databases and identities Vulnerable to unauthorized access: • Data encryption over open networks • Weak wireless security via WEP • Weak credentials on VPN [Diagram: Wireless LAN, VPN Gateway, Firewall, LAN, Identity Repository]
The Secure Infrastructure: Secure Network Connectivity • Secure VPN Gateway • Standards-based VPN Gateway • Password and smartcard authentication • Secure wireless access (Windows) • 802.1x • Certificate-based authentication • ICSA certified firewall (ISA server) • Standards-based TCP/IP infrastructure • DNS, DHCP, NAT • IPv6 (Windows .NET) [Diagram: Wireless LAN, VPN Gateway, LAN, Identity Repository]
Identity Management Challenges. High management overhead: • Different security access models • Multiple user identities to manage • Interoperability • Extends to the Internet (B2C, B2B, B2E) Vulnerable to unauthorized access: • Security policy enforcement • Protection of sensitive data on the network • Flexible authentication methods [Diagram: Wireless LAN, VPN Gateway, email, File Server, Web Portal, LAN, Unix App, Web Services, Identity Repository]
The Secure Infrastructure: Active Directory. Common store for identity management: • Application and NOS identities • Repository for security principals • Integrated policy-based management • Scales to the Internet [Diagram: UNIX App, Active Directory, Wireless LAN, VPN Gateway, Exchange, SQL Server, File Sharing, LAN, Web Services, Identity Repository]
The Secure Infrastructure: Integrated Security. Integrated Security Services: • Kerberos authentication and authorization • Integrated PKI for authentication and encryption • Interoperable with UNIX via Kerberos and SFU • Interoperable with mainframes via HIS • Interoperable with Netware via SFN [Diagram: UNIX Application, Active Directory, Wireless LAN, VPN Gateway, Exchange, SQL Server, File Sharing, LAN, Web Services]
The Secure Infrastructure: Directory integration and synchronization. Microsoft MetaDirectory Server: • Directory integration (Active Directory and non-Active Directory) • Directory synchronization [Diagram: UNIX Application, Active Directory, Non-AD Directory, Wireless LAN, VPN Gateway, Exchange, SQL Server, File Sharing, LAN, Web Services]
Products to Help Manage Your IT Security • Use Systems Management Server (SMS) 2.0: collect software/hardware inventory information; deploy the HFNetChk tool, collect results and report on findings; distribute Microsoft Security Tool Kit fixes to Windows desktops and servers; receive status reports on the success of distribution • Use Microsoft Operations Manager (MOM) 2000: proactively manage the OS and applications through built-in security-related alerts and scripts; continuously monitor Windows servers for possible attacks; receive immediate alerts of possible security breaches; produce reports that show service levels are being met
Case Study. Organization: • Prominent global banking group with total assets of 614.6 billion euros • 110,000 employees worldwide with more than 700 branch offices Business challenges: • Reducing administrative costs • Accelerating time-to-market for new applications • Upgrading intranet infrastructure to meet increasing Web traffic
Results ABN-AMRO’s decision to deploy ISA Server: • Reduced bandwidth use between company’s branch offices and data center in the Netherlands • Allowed company to seamlessly integrate with the Windows 2000 Active Directory service • Enabled company to build a secure intranet infrastructure that provides single sign-on for users and minimizes the administrative burdens placed on information technology (IT) staff Components of solution: • Windows 2000 Server with Active Directory service • Microsoft Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition
Customer Feedback "With ISA Server, we'll be able to deploy a reliable and scalable solution that will integrate seamlessly with the rest of our branch office intranet environment. We’ll be well-positioned to accommodate the new browser-based applications being developed to better meet the needs of our clients. ISA Server will enable us to do this in a manner that minimizes both our bandwidth requirements and administrative costs." - Bert van Puffelen, Vice President
Baseline Security Analyzer • Helps users and administrators scan Windows systems for missing patches and configuration problems • Can examine a single computer or multiple computers on a network • Runs on Windows 2000 and Windows XP • Will scan for missing patches and vulnerabilities in recent versions of: Windows, Internet Information Server, SQL Server, Internet Explorer, Office • Creates and stores security reports for each computer scanned
Software Update Services Solution. Automatic Update (AU) client: • Automatically download and install critical updates • Security patches, high impact bug fixes and new drivers when no driver is installed for a device • Checks Windows Update service or Corporate Update server once a day • New! Install at scheduled time after automatic downloads • Administrator control of configuration via registry-based policy • Support for Windows .NET Server, Windows XP and Windows 2000 Software Update Services: • Corporate hosted server supports download and install of critical updates through Automatic Update client • Server synchronizes with the public Windows Update service • Simple administrative model via IE • Updates are not made available to clients until the administrator approves them • Runs on Windows .NET Server and Windows 2000 Server
Trustworthy Computing: The Big Picture (Goals, Means, Execution) • Availability: Functionality there when needed • Suitability: Features fit function • Privacy: User in control of their data • Integrity: Against data loss or alteration • Reputation: System and provider brand • Policy: Guidelines, standards, norms • Dev Practices: Methods, philosophy • Ops Practices: Guidelines and benchmarks • Business Practices: Business model • Security: Resists unauthorized access • Quality: Usability, reliability, performance • Intent: Management assertions • Risks: What undermines intent, causes liability • Implementation: Steps to deliver intent • Evidence: Audit mechanisms
Bringing It All Together… Lower Cost of Security: • Integrated infrastructure solution • Centralized management of network resources • Fewer identities and directories to manage • Interoperability with other platforms Reduced Security Risk: • Prescriptive guidance • Internet protection via firewall and content filtering • Security tools and services • Security patch management infrastructure [Diagram: Active Directory, Non-AD Directory, VPN Gateway, Wireless LAN, Exchange, File Sharing, SQL Server, LAN, Web Applications, UNIX Application]
Next Steps • Microsoft Quick Start Security (MSQS): short, fixed cost programs designed to help you get secure and stay secure; MSQS for Planning Secure Systems; MSQS for Operating Secure Systems • Build security into the development process: SMI – engineering for security; new processes and tools for development and testing; mobilization of resources to make it happen • Deploy a secure infrastructure: Windows 2000 Servers and ISA today; Windows .NET builds on Windows 2000 security infrastructure; best path to federation • Utilize security training available from Microsoft • Certified Partner Program
Security Resources
To locate a partner who can help with Microsoft security solutions:
• Microsoft Certified Providers Directory: http://mcspreferral.microsoft.com/
• Microsoft Consulting Services: www.microsoft.com/BUSINESS/services/mcs.asp
For training and certification questions:
• Microsoft Training and Certification: www.microsoft.com/training
For technical information:
• White Paper: Microsoft Security Response Center Security Bulletin Severity Rating System: www.microsoft.com/technet/security/topics/rating.asp
• CSI/FBI Computer Crimes and Security Survey 2002, Computer Security Institute: www.gocsi.com/
• ISA Server information: www.microsoft.com/isa
• Hacking Exposed – Network Security Secrets & Solutions, 3rd Edition; Joel Scambray, Stuart McClure, George Kurtz
For information about Microsoft security strategies and solutions:
• Primary resource: www.microsoft.com/security
• White Papers:
• Best Practices for Enterprise Security: www.microsoft.com/technet/security/bpentsec.asp
• It’s Time to End Information Anarchy: www.microsoft.com/technet/columns/security/noarch.asp
• The 10 Immutable Laws of Security: www.microsoft.com/TechNet/security/10imlaws.asp