
Security in the Real World – Plenary Day Two


Presentation Transcript


  1. Security in the Real World – Plenary Day Two Steve Lamb Technical Security Advisor http://blogs.msdn.com/steve_lamb stephlam@microsoft.com

  2. “Good Security enables business to do more with less risk” • Hold off the Rocket Science • Apply Technology to Support the Business Policy • Learn how the business works • Don’t get in the way!

  3. Coming up today…

  4. Implementing Application and Data Security • Defence in Depth • Best practices • SQL Server • Exchange • Small Business Server

  5. Implementing Advanced Server and Client Security • Windows XP Service Pack 2 • Windows Server 2003 Service Pack 1

  6. Applied Security Strategies • Evolution not Revolution • Risk Assessment • Emergency Response • Architect for Security

  7. Security Risk Management • Security Risk Management Guide • Best practices from industry and how we secure our infrastructure

  8. Wireless Security - Let the Nightmare End! • Public Key Infrastructure • Out of the box "security" • Use existing hardware • Dynamic WEP / WPA • PEAP • EAP-TLS

  9. Case Study – how we secure our infrastructure

  10. Microsoft IT Data • 100,000 e-mail accounts • Single-instance SAP (1.7 TB database) • 300,000+ PCs and devices • 92,000 end users in 89 countries • 7,000,000 remote connections/month • 3M+ e-mail messages per day internally • 99.99% availability • Locations shown on the map: Dublin, Redmond, Tukwila, Silicon Valley, Tokyo, Charlotte, Singapore, Johannesburg

  11. Microsoft Security Environment • Environment • 300,000+ network-joined devices • 30,000+ business partners with connectivity needs • Frequent target of attack: • 100k+ intrusion attempts/probes/scans per month • 125k+ quarantined emails/month • Challenges • Culture based on autonomy and agility • Large population of mobile clients • Unique business requirements for software development • Running the business on N+1 platform as “first and best” customer

  12. Corporate Security Vision Based on....Five Trustworthy Assurances • My identity is not compromised • Resources are secure and available • Data and communications are private • Roles and accountability are clearly defined • There is a timely response to risks and threats

  13. Security Strategies – Mitigate risk to the infrastructure through implementation of four key security strategies: 1. Secure the Network Perimeter 2. Secure the Network Interior 3. Secure Key Assets 4. Enhance Monitoring and Auditing • Initiatives under these strategies: Secure Wireless • Smart Cards for RAS • Secure Remote User • Messaging Firewall • Eliminate Weak Passwords • Account Segregation • Patch Management • Network Segmentation • Smart Cards for Admin Access • Secure Source Code Assets • Lab Security Audit • Secure Environmental Remediation • Automate Vulnerability Scans • Forced Patching • Port Shutdown

  14. Case Studies Domain Isolation with IPsec

  15. What is IPsec? • Restricts “untrusted” from accessing “trusted” devices • Secure machines can access secure and non-secure machines • Non-secure machines can only speak with other non-secure machines • Provides basic packet filtering • Filtering behaviors: Permit, Block, Negotiate Security • Provides peer authentication, data integrity and optional encryption via “Negotiated Security” • Microsoft IT is not using encryption • Centrally Manageable and scalable • Does not require application changes • Functions at the network layer

  16. Levels of Trusted Assets (Microsoft Corporate Network) • Infrastructure (500) – DNS, DHCP, DC and WINS are shown in the diagram • Clients, Servers, Home LAN, Trustworthy Labs (203,000) • SecureNet Labs (75,000) • PocketPC/Xbox (18,000) • Mac (2,000) • Untrustworthy Boundary Machines (5,000) • ACL-controlled internal exclusions • External exclusions: Internet servers, business partners, Extranet (1,800), DTaps (no connectivity to CorpNet)
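The "Permit / Block / Negotiate Security" filter actions and the infrastructure exemptions of slides 15 and 16, as an added example that is not part of the presentation and not Microsoft IT's actual policy (which this page does not publish): a local domain-isolation policy written with the Windows XP / Server 2003-era `netsh ipsec static` commands, the same policy objects a GPO would deliver. The policy name and the 10.0.0.53 (DNS) and 10.0.0.10 (domain controller) addresses are made-up placeholders.

```batch
@echo off
rem Added example (not from the presentation). Run from an elevated prompt on a lab machine.
rem Addresses are placeholders; assignment happens only on the last line.

set POLICY=Domain Isolation

netsh ipsec static add policy name="%POLICY%" description="Negotiate with domain peers, fall back to clear for non-IPsec hosts" assign=no

rem --- Exemptions (filter action: Permit) ------------------------------------------------
rem Infrastructure that must be reachable before IPsec can be negotiated at all:
rem DNS to resolve peers, DHCP to get an address, the DC for the Kerberos ticket IKE uses.
netsh ipsec static add filterlist name="Infrastructure Exemptions"
netsh ipsec static add filter filterlist="Infrastructure Exemptions" srcaddr=me dstaddr=10.0.0.53 protocol=UDP srcport=0 dstport=53 mirrored=yes description="DNS (placeholder address)"
netsh ipsec static add filter filterlist="Infrastructure Exemptions" srcaddr=me dstaddr=any protocol=UDP srcport=68 dstport=67 mirrored=yes description="DHCP"
netsh ipsec static add filter filterlist="Infrastructure Exemptions" srcaddr=me dstaddr=10.0.0.10 protocol=any mirrored=yes description="Domain controller (placeholder address)"
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Exempt infrastructure" policy="%POLICY%" filterlist="Infrastructure Exemptions" filteraction="Permit"

rem --- Everything else (filter action: Negotiate Security) --------------------------------
rem kerberos=yes  : machine authentication with the domain credentials, no certificates needed
rem ESP[None,SHA1]: ESP with null encryption = peer authentication + integrity only, which
rem                 matches "Microsoft IT is not using encryption" on slide 15
rem inpass=yes    : accept an unsecured inbound packet, then respond with an IKE negotiation
rem soft=yes      : if the peer never answers IKE, fall back to clear text, so a trusted host
rem                 can still reach untrusted ones (soft-SA timing and direction differ between
rem                 Windows versions; verify the untrusted->trusted case in the lab)
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes
netsh ipsec static add filteraction name="Negotiate Integrity" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add rule name="Secure domain traffic" policy="%POLICY%" filterlist="All Traffic" filteraction="Negotiate Integrity" kerberos=yes

rem Review the result before activating it (only one local policy can be assigned at a time)
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes
```

Exemptions are evaluated by the most specific filter, so the Permit rule wins for DNS, DHCP and the DC even though the "All Traffic" filter also matches them; a machine that is not domain-joined cannot obtain a Kerberos ticket, so it cannot complete IKE with a policy-bearing host, which is the "untrusted cannot reach trusted" property of slide 15. Switching `soft=no` turns the same policy into a block-on-fail policy.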

  17. What is Not Impacted by IPsec • Microsoft IT-domain joined machines • Comply with the Microsoft IT policies • Use IPsec for secure communications • IPsec capable operating systems • Windows XP SP2 • Windows XP SP1 • Windows Server 2003 • Windows 2000 SP3/SP4 • Longhorn • Internet access • RAS/VPN via Secure Remote User • Windows XP Home • Pocket PC/Windows CE – in cradle

  18. What is Impacted by IPsec • Macintosh, Unix, Linux • Pocket PC/Windows CE devices not in cradle • Smart Phones

  19. Known Issues • LAN & CPU performance • Increased use of system resources • IPsec and Windows VPN servers • Private IP ranges (RFC 1918) • Network device issues • IPsec and NLB clusters • NAT-T • Troubleshooting issues

  20. Securing Mobile Messaging Communications • Reduced exposure – the Exchange FE servers are in CorpNet rather than in the DMZ • ISA 2004 is used to protect Exchange FE servers – SSL bridging mode • Certificate on the FE server must be trusted and “verifiable” by ISA • [Diagram: Clients on the Internet –SSL– ISA Server in the DMZ –SSL– Exchange 2003 FE (OWA, OMA, EAS, RPC/HTTPS) on the corporate network –Kerberos– Mailbox Server and Active Directory]

  21. Using IPsec for Exchange • IPsec was essential to secure Exchange 2000 FE-to-BE OWA transactions in the MS IT environment • IPsec policy example • Exchange FE: me → any; TCP any → 80; Encrypt (Kerberos) • Exchange BE: Respond only • You can be really creative with IPsec if “block on fail” is needed • Use GPO to apply IPsec policies by server role • Exchange 2003 FE-to-BE uses Kerberos authentication • User credentials are encrypted by default • IPsec is still possible to protect data travelling between FE and BE, but beware of data exposure at the next hop (SMTP)
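The slide's "Exchange FE: me → any; TCP any → 80; Encrypt (Kerberos)" and "Exchange BE: Respond only" policy pair, written out as an added example that is not part of the presentation, again with `netsh ipsec static`. Unlike the domain-isolation policy, this one has no clear-text fallback, which is the "block on fail" the slide mentions. Policy names are placeholders; in production the same objects would be placed in a GPO linked to the OU of each server role rather than created locally.

```batch
@echo off
rem Added example (not from the presentation). Placeholders: policy names.

rem ---- Front-end server role ------------------------------------------------------------
rem Filter "me -> any, TCP, any source port -> destination port 80", mirrored so the BE's
rem replies are covered. In practice narrow dstaddr to the back-end subnet.
netsh ipsec static add policy name="Exchange FE" assign=no
netsh ipsec static add filterlist name="FE to BE HTTP"
netsh ipsec static add filter filterlist="FE to BE HTTP" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes description="OWA/OMA/EAS proxying to back ends"
rem action=negotiate with inpass=no soft=no: unsecured inbound is dropped and there is no
rem fall-back to clear; ESP[3DES,SHA1] = encryption plus integrity (3DES was the strongest
rem ESP cipher offered on Windows Server 2003, which is the era of this deck)
netsh ipsec static add filteraction name="Require Encryption" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add rule name="Encrypt FE to BE" policy="Exchange FE" filterlist="FE to BE HTTP" filteraction="Require Encryption" kerberos=yes
netsh ipsec static set policy name="Exchange FE" assign=yes

rem ---- Back-end server role: "Respond only" ---------------------------------------------
rem No filter lists of its own; only the default response rule is active, so the BE never
rem initiates IPsec but answers IKE from the front ends with Kerberos machine authentication.
rem (The default response rule is honoured by Windows 2000/XP/2003 only; Vista and later ignore
rem it, so on newer servers use an explicit mirrored filter with inpass=yes instead.)
netsh ipsec static add policy name="Exchange BE" activatedefaultrule=yes assign=no
netsh ipsec static set defaultrule policy="Exchange BE" kerberos=yes qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static set policy name="Exchange BE" assign=yes
```

With the FE policy assigned, an FE whose negotiation with a BE fails simply cannot reach port 80 on it, which is the behaviour you want for a proxy that carries user credentials; confirm it from the FE with `netsh ipsec dynamic show qmsas` (quick-mode SAs) after opening an OWA session through the FE.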

  22. Using SSL/TLS • Does SSL/TLS provide security? [Diagram: hosts A, B and C; A's DNS request is answered by a spoofed DNS response, so the TLS session is set up with the wrong peer unless A checks the certificate] • Best practices: • Use certificates trusted by communicating parties • Ensure that clients/servers perform full certificate validation (trust chain, common name, expiration, etc.) • When enabling SSL, don’t permit non-SSL connections

  23. Top things to remember • Stay up-to-date with software and patch versions at all levels • Establish layered e-mail hygiene defenses • Enforce e-mail security at multiple levels • Secure Exchange servers by role • Consistently enforce OS security settings (for example, through Group Policies) • Do periodic audits to ensure that security levels are maintained • Be cognizant of security in upgrade scenarios • Use only secure authentication methods and enforce SSL/TLS or IPSEC where needed

  24. Guidance and Tools – Delivering Support, Creating Community • Security tools • Microsoft Baseline Security Analyzer • http://www.microsoft.com/technet/Security/tools/default.mspx • Security Bulletin Search Tool • http://www.microsoft.com/technet/security/current.aspx • Guidance and training • Security Guidance Center • http://www.microsoft.com/security/guidance/default.mspx • E-Learning Clinics • https://www.microsoftelearning.com/security/ • Community engagement • Newsletters • http://www.microsoft.com/technet/security/secnews/newsletter.htm • Webcasts and chats • http://www.microsoft.com/seminar/events/security.mspx

  25. Event Information – What’s Next? • Technical Roadshow Post Event Website: www.microsoft.com/uk/techroadshow/postevents • Available from Monday 18th April • Please complete your Evaluation Form!

  26. http://www.microsoft.com/TwC © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
