Security in the Real World – Plenary Day Two Steve Lamb Technical Security Advisor http://blogs.msdn.com/steve_lamb stephlam@microsoft.com
“Good Security enables business to do more with less risk” • Hold off the Rocket Science • Apply Technology to Support the Business Policy • Learn how the business works • Don’t get in the way!
Implementing Application and Data Security • Defence in Depth • Best practices • SQL Server • Exchange • Small Business Server
Implementing Advanced Server and Client Security • Windows XP Service Pack 2 • Windows Server 2003 Service Pack 1
Applied Security Strategies • Evolution not Revolution • Risk Assessment • Emergency Response • Architect for Security
Security Risk Management • Security Risk Management Guide • Best practices from Industry and how we secure our infrastructure
Wireless Security - Let the Nightmare End! • Public Key Infrastructure • Out of the box "security" • Use existing hardware • Dynamic WEP / WPA • PEAP • EAP-TLS
Microsoft IT Data • 100,000 e-mail accounts • Single Instance SAP (1.7 Tb Db) • 300,000+ PCs and devices • 92,000 end users • 89 countries • 7,000,000 remote connections/month • 3M+ e-mail messages per day internally • 99.99% availability • Locations shown: Dublin, Redmond, Tukwila, Silicon Valley, Tokyo, Charlotte, Singapore, Johannesburg
Microsoft Security Environment • Environment • 300,000+ network-joined devices • 30,000+ business partners with connectivity needs • Frequent target of attack: • 100k+ intrusion attempts/probes/scans per month • 125k+ quarantined emails/month • Challenges • Culture based on autonomy and agility • Large population of mobile clients • Unique business requirements for software development • Running the business on N+1 platform as “first and best” customer
Corporate Security Vision Based on Five Trustworthy Assurances • My identity is not compromised • Resources are secure and available • Data and communications are private • Roles and accountability are clearly defined • There is a timely response to risks and threats
Security Strategies Mitigate risk to the infrastructure through implementation of four key security strategies 1. Secure the Network Perimeter 2. Secure the Network Interior 3. Secure Key Assets 4. Enhance Monitoring and Auditing • Secure Wireless • Smart Cards for RAS • Secure Remote User • Messaging Firewall • Eliminate Weak Passwords • Acct Segregation • Patch Management • Network Segmentation • Smart Cards for Admin Access • Secure Source Code Assets • Lab Security Audit • Secure Environmental Remediation • Automate Vulnerability Scans • Forced Patching • Port Shutdown
Case Studies Domain Isolation with IPsec
What is IPsec? • Restricts “untrusted” from accessing “trusted” devices • Secure machines can access secure and non-secure machines • Non-secure machines can only speak with other non-secure machines • Provides basic packet filtering • Filtering behaviors: Permit, Block, Negotiate Security • Provides peer authentication, data integrity and optional encryption via “Negotiated Security” • Microsoft IT is not using encryption • Centrally Manageable and scalable • Does not require application changes • Functions at the network layer
Levels of Trusted Assets [Diagram: Microsoft Corporate Network. Labels: DNS, DHCP, DC, WINS; SecureNet; Labs (75,000); PocketPC/Xbox (18,000); MAC (2,000); Clients, Servers, Home LAN, Trustworthy Labs (203,000); Untrustworthy; Boundary Machines (5,000); Infrastructure (500); ACL Controlled; Internal Exclusions; Internet Servers; Business Partners; DTaps (no connectivity to CorpNet); Extranet (1,800); External Exclusions]
What is Not Impacted by IPsec • Microsoft IT-domain joined machines • Comply with the Microsoft IT policies • Use IPsec for secure communications • IPsec capable operating systems • Windows XP SP2 • Windows XP SP1 • Windows Server 2003 • Windows 2000 SP3/SP4 • Longhorn • Internet access • RAS/VPN via Secure Remote User • Windows XP Home • Pocket PC/Windows CE – in cradle
What is Impacted by IPsec • Macintosh • Pocket PC/Windows CE devices not in cradle • Smart Phones • Macintosh, Unix, Linux
Known Issues • LAN & CPU performance • Increased use of system resources • IPsec and Windows VPN servers • Private IP ranges (RFC 1918) • Network device issues • IPsec and NLB clusters • NAT-T • Troubleshooting issues
Securing Mobile Messaging Communications • Reduced exposure – the Exchange FE servers are in CorpNet rather than in the DMZ • ISA 2004 is used to protect Exchange FE servers – SSL bridging mode • Certificate on the FE server must be trusted and “verifiable” by ISA [Diagram labels: Clients; Internet; SSL; DMZ; ISA Server; SSL; Corporate network; Exchange 2003 FE (OWA, OMA, EAS, RPC/HTTPs); Kerberos; Mailbox Server; Active Directory]
Using IPSEC for Exchange • IPSEC was essential to secure Exchange 2000 FE-to-BE OWA transactions in MS IT environment • IPSEC policies example • Exchange FE: me → any; TCP any → 80; Encrypt (Kerberos) • Exchange BE: Respond only • You can be really creative with IPSEC if “block on fail” is needed • Use GPO to apply IPSEC policies by server role • Exchange 2003 FE-to-BE uses Kerberos authentication • User credentials are encrypted by default • IPSEC is still possible to protect data traveling between FE and BE, but beware of data exposure at the next hop (SMTP)
Using SSL/TLS • Does SSL/TLS provide security? [Diagram: hosts A, B and C; DNS Request; Spoofed DNS Response] • Best Practices: • Use certificates trusted by communicating parties • Ensure that clients/servers perform full certificate validation (trust chain, common name, expiration, etc) • When enabling SSL, don’t permit non SSL connections
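An added example, not part of the presentation: a client configuration that skips the validation checks listed above beside one that performs them, with a small audit function, using Python's standard `ssl` module. The function names and the sample certificate dates are constructed for illustration.

```python
import ssl

def weak_client_context():
    """Encrypts traffic but accepts any certificate from any host (the pattern to avoid)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # no trust chain, no expiry check
    return ctx

def strict_client_context():
    """Library defaults: chain verified against the system trust store, name checked."""
    return ssl.create_default_context()

def audit_context(ctx):
    """Return the validation checks from the slide that this context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("trust chain and expiration not verified")
    if not ctx.check_hostname:
        findings.append("certificate name not matched to host")
    return findings

def validity_problems(cert, now):
    """Check the validity window of a getpeercert()-style dict at epoch time `now`."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed sample: only the validity fields of a certificate dict.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Jan  1 00:00:00 2005 GMT",
}

if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("strict:", audit_context(strict_client_context()))
    check_time = ssl.cert_time_to_seconds("Apr 18 00:00:00 2005 GMT")
    print("sample cert:", validity_problems(SAMPLE_CERT, check_time))
```

With the weak context, a client sent to the wrong host by a spoofed DNS response still completes the handshake; the strict context fails it because the presented certificate does not chain to a trusted root or does not match the requested name.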
Top things to remember • Stay up-to-date with software and patch versions at all levels • Establish layered e-mail hygiene defenses • Enforce e-mail security at multiple levels • Secure Exchange servers by role • Consistently enforce OS security settings (for example, through Group Policies) • Do periodic audits to ensure that security levels are maintained • Be cognizant of security in upgrade scenarios • Use only secure authentication methods and enforce SSL/TLS or IPSEC where needed
Guidance and Tools: Delivering Support, Creating Community • Security tools • Microsoft Baseline Security Analyzer • http://www.microsoft.com/technet/Security/tools/default.mspx • Security Bulletin Search Tool • http://www.microsoft.com/technet/security/current.aspx • Guidance and training • Security Guidance Center • http://www.microsoft.com/security/guidance/default.mspx • E-Learning Clinics • https://www.microsoftelearning.com/security/ • Community engagement • Newsletters • http://www.microsoft.com/technet/security/secnews/newsletter.htm • Webcasts and chats • http://www.microsoft.com/seminar/events/security.mspx
Event Information: What’s Next? • Technical Roadshow Post Event Website www.microsoft.com/uk/techroadshow/postevents • Available from Monday 18th April • Please complete your Evaluation Form!
http://www.microsoft.com/TwC © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.