Beyond Patching
Dean Iacovelli
Chief Security Advisor – State and Local Government
Microsoft Corporation
[email protected]

Objectives
Address your concerns about security
Update on current trends
Current initiatives at Microsoft
Future security product/solution roadmap

Agenda
1. Defining and managing the risk
2. System Integrity
3. Identity management
4. Trustworthy Identity
5. Client protection
6. Server protection
7. Network protection
8. Summary, Q&A
My Role as SLG CSA
Overall security policy and strategy for MS SLG
MS spokesperson to/from SLG customers
Information broker – resources, best practices, programs
Coordinator for incident response communication, security readiness
Not goaled on revenue
Basically: help ensure SLG customers have a good experience dealing with security on the MS platform
Your Feedback?
Challenges
Worms / viruses
Spyware
Spam
Patch management
Network access control
Identity management
Best practices / guidance
Looking at Linux for security reasons?
Understanding Your Adversary
[Figure: attacker motivation plotted against skill. Motivation axis: National Interest, Personal Gain, Personal Fame, Curiosity. Skill axis: Script-Kiddy, Hobbyist Hacker, Expert, Specialist. Actor labels: Vandal, Thief, Spy, Trespasser, Author. Callouts: "Tools created by experts now used by less skilled attackers and criminals" and "Fastest growing segment".]
State and Local Security Trends
Attacks becoming less numerous, more nasty
Viruses/worms still lead in financial cost, BUT:
6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI)
2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)
Botnets (used for cyber extortion) have jumped from an average of 2,500 machines in 2004 to 85,000 in 2006
Why sniff the net when you can hack the site or the password?
95% reported 10+ website incidents last year (FBI/CSI)
15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)
Major NT4/Win 98 supportability issues
Enterprise patching and management still not under control
What your neighbor isn't doing IS your problem
Real cost is loss of trust
Closer Look at Malware Data (MSRT)

Release    Days Live   Executions       Disinfections   Value %
January    28          124,613,632      239,197         0.1920%
February   28          118,209,670      351,135         0.2970%
March      35          145,502,003      443,661         0.3049%
April      28          125,150,400      590,714         0.4720%
May        35          164,283,730      1,154,345       0.7027%
June       28          162,763,946      642,955         0.3950%
…          …           …                …               …
Total      362         1,804,565,652    8,679,656       0.481%

(Value % = disinfections as a percentage of executions.)
[Chart: Machines Cleaned (log scale, 1 to 1,000,000) by Malware per Machine (1 to 9). Source: Microsoft]
[Pie chart breakdown: Bots 58%, Exploit Worms 15%, Mass Mailing Worms 15%, Rootkits 10%, Trojans 1%, Instant Msg. Worms 1%]
[Chart: Number of hosted exploit URLs (0 to 70) by site ranking (0 to 400); "Site ranking based on number of hosted exploit URLs". Annotated site categories: video game cheats (#3 in previous chart), celebrities, song lyrics.]
Trends in Security Spending
$497 per employee: $354 operations, $143 capital
Even worse for smaller agencies – as much as $650
No economies of scale
SLG spends ~10x Federal and most of private sector
Lack of centralized strategy / tools
Getting worse: Federal trending down from CY05, SLG trending up
Various new state infosec laws may be impacting costs but still a serious issue
MS Security Statistical Snapshot
263M downloads of XP SP2
75M downloads of Microsoft Anti-Spyware beta
9.7M consumers using SP2 Firewall
332M machines using Automatic Update or Windows Update
135 legal actions against spammers worldwide
121 phishing sites sued
578 Microsoft CISSPs (and counting…)
Microsoft Security Strategy Overview
Threat and Vulnerability Mitigation
Client Protection: protect PCs & devices from malicious software
Server Protection: protect servers from malicious software
Network Protection: protect network from malicious software & inappropriate access
System Integrity: make systems inherently safer and more secure
Security Development Lifecycle, Security Response Center, Better Updates And Tools
Identity and Access Management: allow legitimate users secure access to machines, applications and data
Security Development Lifecycle
Threat Modeling Example: MS03-007
The underlying DLL (NTDLL.DLL) not vulnerable: code made more conservative during Security Push
Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003
Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Even if there was an exploitable buffer overrun: would have occurred in w3wp.exe, which is now running as 'network service'
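The point of the MS03-007 slide is that each "even if" layer is an independent mitigation: removing one leaves the others standing. The Python model below is an added example, not code from the slides or from Microsoft. It encodes each layer as a check on an assumed host configuration (the field names are mine; the defaults are the Windows Server 2003 / IIS 6.0 facts the slide states) and reports which layers would still stop an over-long WebDAV request once earlier ones are taken away.

```python
"""Defense-in-depth walk-through modelled on the MS03-007 layer list.

Added example (not Microsoft's code). HostConfig fields are assumptions made for
illustration; their defaults restate the slide: IIS 6.0 not running and WebDAV not
enabled by default, 16 KB default URL limit, NTDLL.DLL hardened during the Security
Push, -GS buffer-overrun detection, and w3wp.exe running as 'network service'.
"""
from dataclasses import dataclass

KB = 1024


@dataclass
class HostConfig:
    iis_running: bool = False            # IIS 6.0 is not running by default on Windows Server 2003
    webdav_enabled: bool = False         # IIS 6.0 does not enable WebDAV by default
    max_url_bytes: int = 16 * KB         # default maximum URL length in IIS 6.0
    ntdll_vulnerable: bool = False       # NTDLL.DLL code made more conservative during the Security Push
    gs_stack_protection: bool = True     # buffer-overrun detection code (-GS) halts the process
    worker_account: str = "NETWORK SERVICE"  # w3wp.exe runs as 'network service', not as SYSTEM


def holding_layers(cfg: HostConfig, request_url_bytes: int) -> list:
    """Names of the independent layers that would each, on their own, stop the request.

    Layers are listed in the order a request meets them on the wire; a layer 'holds'
    when the configuration makes the request unable to get past it.
    """
    checks = [
        ("IIS 6.0 not running", not cfg.iis_running),
        ("WebDAV not enabled", not cfg.webdav_enabled),
        ("URL exceeds IIS maximum length", request_url_bytes > cfg.max_url_bytes),
        ("NTDLL.DLL not vulnerable", not cfg.ntdll_vulnerable),
        ("-GS detection halts the process", cfg.gs_stack_protection),
    ]
    return [name for name, holds in checks if holds]


def outcome(cfg: HostConfig, request_url_bytes: int) -> str:
    """First layer that stops the request; if none holds, the privilege an overrun lands in."""
    held = holding_layers(cfg, request_url_bytes)
    if held:
        return "blocked: " + held[0]
    # Every code-level layer failed: the worker-process account now bounds the damage.
    return "overrun reaches code running as " + cfg.worker_account


if __name__ == "__main__":
    request = 70 * KB  # the slide says more than 64 KB would be needed
    print(holding_layers(HostConfig(), request))          # all five layers hold on a default host
    weakened = HostConfig(iis_running=True, webdav_enabled=True, max_url_bytes=128 * KB)
    print(outcome(weakened, request))                     # still blocked by the hardened DLL
```

Walking a weakened configuration through `holding_layers` is the useful part: an administrator who enables IIS, turns on WebDAV and raises the URL limit has removed three layers and still has two left, and even with all five gone the request lands in a process that is not running as SYSTEM.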
[Chart: security bulletins before vs. after the Trustworthy Computing (TwC) release, * as of February 14, 2006. Series: "Bulletins in period prior to release" and "Bulletins since TwC release". SQL Server 2000 Service Pack 3 (released 1/17/2003): values 16 and 3. "Bulletins 820 Days After Product Release": products released 05/31/2001 and 11/17/2003, values 7 and 11. "1027 Days After Product Release": products released 11/29/2000 and 09/28/2003, values 89 and 50.]
Case Study: How We Tested WMF Patch
415 apps (MS & third party)
6 supported versions of the O/S in 23 languages
15k print variations, 2,800 print pages verified
2,000 WMFs analyzed, 125 malicious WMFs tested
12k images verified for regressions
22,000 hours of stress testing
450k total test cases
Patch Management Initiative: Progress to Date
Informed & Prepared Customers: better security bulletins and KB articles; IT SHOWCASE: How Microsoft IT Does Patch Management
Best Patch & Update Management Solutions: Microsoft Update, WSUS, SMS 2003
Consistent & Superior Update Experience: standardized patch and update terminology; moved from 8 installers to 2 (update.exe and MSI); standardized patch naming and switch options
Superior Patch Quality: improved patch testing process and coverage; expanded test process to include customers; reduced reboots by 10%, targeting 50% in Vista
Update Impact Analyzer: Determine How Patches Will Affect Critical Apps
[Diagram: Microsoft and the customer administrator exchange data. The administrator downloads update profiles from Microsoft, uploads application profiles, and enters data & gets reports.]
Fundamentals
"You can only manage what you can measure"
…and you can only secure what you can manage (and find)
Decentralization may be a reality but it's not a best practice
Set policy: Active Directory; central policy, local defense; delegate back business-specific policy control
Audit policy: turning it on AFTER the incident is much less useful; don't wait for the incident to look at the logs
Standardize builds, supported applications: enterprise assets are not toys; Vista will make this easier, possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
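To make the audit-policy point concrete ("don't wait for the incident to look at the logs"), here is a small detection run over logon events. This is an added example, not part of the slides: the log line format is constructed, the sample lines are invented, and the only real values are the pre-Vista Security-log event IDs 529 (logon failure: unknown user name or bad password) and 528 (successful logon). It flags an account that logs on right after a burst of failures from the same source, a pattern that is only visible if logon auditing was already enabled when it happened.

```python
"""Burst-of-failures-then-success detection over Security-log logon events.

Added example, not Microsoft tooling. The line format below is a constructed export
format, and SAMPLE_LOG is invented data; event IDs follow Windows 2000/XP/2003:
529 = logon failure (bad user name or password), 528 = successful logon.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2006-02-14 08:59:50 Security 528 account=jdoe src=10.1.4.22
2006-02-14 09:00:01 Security 529 account=admin src=10.1.9.77
2006-02-14 09:00:03 Security 529 account=admin src=10.1.9.77
2006-02-14 09:00:04 Security 529 account=admin src=10.1.9.77
2006-02-14 09:00:06 Security 529 account=admin src=10.1.9.77
2006-02-14 09:00:07 Security 529 account=admin src=10.1.9.77
2006-02-14 09:00:09 Security 528 account=admin src=10.1.9.77
2006-02-14 09:15:00 Security 529 account=msmith src=10.1.4.31
2006-02-14 09:30:00 Security 528 account=msmith src=10.1.4.31
"""

LINE_RE = re.compile(r"^(\S+ \S+) Security (\d+) account=(\S+) src=(\S+)$")

LOGON_FAILURE = 529
LOGON_SUCCESS = 528


def parse(log_text: str) -> list:
    """Parse the export into (timestamp, event_id, account, source) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def find_guess_then_success(events: list, threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> list:
    """Return one alert per (account, source) whose success followed >= threshold failures
    inside `window`. Failures older than the window are dropped as events are processed."""
    recent_failures = defaultdict(list)
    alerts = []
    for ts, event_id, account, src in sorted(events):
        key = (account, src)
        if event_id == LOGON_FAILURE:
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
            recent_failures[key].append(ts)
        elif event_id == LOGON_SUCCESS:
            in_window = [t for t in recent_failures[key] if ts - t <= window]
            if len(in_window) >= threshold:
                alerts.append({"account": account, "src": src,
                               "failures": len(in_window), "success_at": ts})
            recent_failures[key].clear()  # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in find_guess_then_success(parse(SAMPLE_LOG)):
        print(alert)
```

The `msmith` lines show the window doing its job: one failure fifteen minutes before a success is a mistyped password, not a guessing run, so no alert is raised for it. The threshold and window are tuning knobs, not fixed values from the slides.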
Beyond Patching: The Problem
• Patching is no longer strategic
• Moving from security to operations like backups
• New threats require new models
• Internal network is NOT trusted
• Medieval castle model is the only response
• Automated attacks require automated defenses
Microsoft Security Strategy Overview
Identity and Access Management
Access Policy Management: provide access based on policy. Role-based Access Control, Audit Collection Services, Group Policy Management Console
Trustworthy Identity: ensure users are who they claim to be; manage identity lifecycle. Directory Services, Lifecycle Management, Strong Authentication, Federated Identity, Certificate Services
Information Protection: protect data throughout its lifecycle. Rights Management Services, Encryption Services, Secure Protocols and Channels, Back-up and Recovery Services
Allow only legitimate users secure, policy-based access to machines, applications and data
Fundamentals
Reduce: consolidate to fewer identity stores; leverage metadirectories to simplify sign-on, automate/standardize identity business rules
Reuse: leverage globally relevant attributes across all applications; place non-globally relevant attributes in app-coupled LDAP stores
Recycle: leverage federation to use your credentials on business partner networks
Microsoft Security Strategy Overview
Fundamentals
Medieval castle model: the internal network is NOT trusted; central policy, local defense
Leverage tools you already own: Windows firewall, Active Directory group policy, phishing filters, Encrypting File System, IPsec logical segmentation
Isolate what you can't defend
Helps protect the system from attacks from the network
Provides system-level protection for the base operating system
Enables more secure Internet experience for most common Internet tasks
Enables more secure Email and Instant Messaging experience

Internet Explorer 7
Social Engineering Protections: Phishing Filter and Colored Address Bar; Dangerous Settings Notification; secure defaults for all settings
Protection from Exploits: Protected Mode to prevent malicious software; code quality improvements; ActiveX Opt-in
Application Compatibility Toolkit V5.0
Analyze your portfolio of applications, web sites, and computers
Evaluate operating system deployments or impact of operating system updates
Rationalize and organize by applications, web sites, and computers
Prioritize compatibility efforts with filtered reporting
Add and manage issues and solutions for your personal computing environment
Deploy automated mitigations to known compatibility issues
Send/receive compatibility information to Online Compatibility Exchange
Microsoft Client Protection
[Matrix of capabilities by product. Capabilities: remove most prevalent viruses; remove all known viruses; real-time antivirus; remove all known spyware; real-time antispyware; central reporting and alerting; customization; IT infrastructure integration. For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live. For businesses: Microsoft Client Protection.]
Shared Computer Toolkit for Windows XP
Windows Disk Protection: prevent unapproved changes to the Windows partition; allow critical updates and antivirus updates
User Restrictions: restrict untrusted users from files and settings; lock user profiles for protection and privacy
Profile Manager: create "persistent" user profiles on unprotected partitions; delete locked user profiles
Accessibility: accessibility settings & utilities when restricted; quick access for repeat use
Tools are scriptable. Additional command-line tools included. Comprehensive Help and Handbook with supplemental security guidance.
Getting Started: use and learn about the Toolkit; quick access toolbar
Next Generation Security and Compliance
Identity & Access Control: enable secure access to information. User Account Control, Plug and Play Smartcards, granular auditing, simplified logon architecture
Threat & Vulnerability Mitigation: protect against malware and intrusions. Code Integrity, IE Protected Mode, Windows Defender, IPSEC/Firewall integration, Network Access Protection
Fundamentals: Security Development Lifecycle, Threat Modeling, Code Scanning, Service Hardening
Information Protection: BitLocker Drive Encryption, EFS Smartcard key storage, RMS client, control over removable device installation, XPS Document + WPF APIs
Engineered for the future
InfoCard Overview
Secure sharing of your info online
Simple user abstraction: manage compartmentalized versions of your identity; strong computer-generated keys instead of human-generated passwords
Relates to familiar models: gov't ID card, driver's license, credit card, membership card, …
Flexible issuance: self-issued (eBay, Amazon); issued by external authority (Visa, Government)
Implemented as secure subsystem: protected UI, anti-spoofing techniques, encrypted storage
Built on WS-Federation web standards
Microsoft Security Strategy Overview
Security Configuration Wizard (Windows Server 2003 SP1)
Security lockdown tool for Windows Server 2003
Roles-based paradigm, focused on attack surface reduction: disables unnecessary services; disables unnecessary web extensions; blocks unnecessary ports; configures audit SACLs
Operational infrastructure: client-server deployment infrastructure; support for Group Policy-based deployment; compliance analysis; rollback support
Microsoft Antigen Line of Products
RTM in Q2 2006
Highlights: unique multi-engine approach for faster detection and broader protection; integrated virus and spam protection; integrated Microsoft AV engine
Microsoft Security Strategy Overview
Network Access Protection (Longhorn Server, 2007)
Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."
Network Restriction: restricts network access to computers based on their health.
Remediation: provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
Network Access Protection Walkthrough
Components: Client; Network Access Device (DHCP, VPN); IAS Policy Server; System Health Servers; Remediation Servers; Corporate Network; Restricted Network.
1. Client to Network Access Device: "May I have access? Here's my current health status."
2. Network Access Device to IAS Policy Server: "Should this client be restricted based on its health?"
3. System Health Servers to IAS Policy Server: ongoing policy updates.
4. IAS Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Network Access Device to Client: "You are given restricted access until fix-up."
6. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
7. Client to Network Access Device: "Requesting access. Here's my new health status."
8. IAS Policy Server: "According to policy, the client is up to date. Grant access."
9. Client is granted access to full intranet.
NAP - Enforcement Options

Enforcement              Healthy Client                           Unhealthy Client
DHCP                     Full IP address given, full access       Restricted set of routes
VPN (MS and 3rd Party)   Full access                              Restricted VLAN
802.1X                   Full access                              Restricted VLAN
IPsec                    Can communicate with any trusted peer    Healthy peers reject connection requests from unhealthy systems

IPsec: complements layer 2 protection; works with existing servers and infrastructure; flexible isolation
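The walkthrough and the enforcement table above describe one loop: validate the statement of health, enforce, remediate, re-validate, and keep re-validating as policy changes. The Python below is an added example, not Microsoft's NAP implementation: the health-policy fields, the statement-of-health fields and the remediation step are assumptions made for illustration, while the per-method outcomes are exactly the ones in the table.

```python
"""Simulated NAP cycle: policy validation, network restriction, remediation, ongoing compliance.

Added example, not Microsoft's code. HealthPolicy / StatementOfHealth fields and the
remediation logic are assumptions; ENFORCEMENT restates the slide's table verbatim.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HealthPolicy:
    """Requirements the IAS policy server evaluates against (assumed fields)."""
    min_patch_level: int
    antivirus_required: bool = True
    firewall_required: bool = True


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client reports about itself when requesting access (assumed fields)."""
    patch_level: int
    antivirus_on: bool
    firewall_on: bool


def validate(policy: HealthPolicy, soh: StatementOfHealth) -> list[str]:
    """Policy validation: return the failed checks; an empty list means 'healthy'."""
    failures = []
    if soh.patch_level < policy.min_patch_level:
        failures.append("patch level %d below required %d" % (soh.patch_level, policy.min_patch_level))
    if policy.antivirus_required and not soh.antivirus_on:
        failures.append("antivirus off")
    if policy.firewall_required and not soh.firewall_on:
        failures.append("firewall off")
    return failures


# (healthy outcome, unhealthy outcome) per enforcement method, from the slide's table.
ENFORCEMENT = {
    "DHCP": ("full IP address given, full access", "restricted set of routes"),
    "VPN": ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec": ("can communicate with any trusted peer",
              "healthy peers reject connection requests from unhealthy systems"),
}


def enforce(method: str, failures: list[str]) -> str:
    """Network restriction: the enforcement point maps the verdict to its method's outcome."""
    healthy, unhealthy = ENFORCEMENT[method]
    return healthy if not failures else unhealthy


def remediate(policy: HealthPolicy, soh: StatementOfHealth) -> StatementOfHealth:
    """Remediation servers bring the client up to policy (simulated fix-up)."""
    return replace(soh,
                   patch_level=max(soh.patch_level, policy.min_patch_level),
                   antivirus_on=soh.antivirus_on or policy.antivirus_required,
                   firewall_on=soh.firewall_on or policy.firewall_required)


def nap_cycle(policy: HealthPolicy, soh: StatementOfHealth, method: str,
              max_rounds: int = 2) -> tuple[list, StatementOfHealth]:
    """Request -> validate -> enforce -> remediate, repeated until healthy or out of rounds.

    Returns the transcript as (failures, network outcome) per round plus the final
    statement of health. Calling it again with a changed policy is the 'ongoing
    compliance' case: a client granted access earlier is restricted again until fix-up.
    """
    transcript = []
    for _ in range(max_rounds):
        failures = validate(policy, soh)
        transcript.append((tuple(failures), enforce(method, failures)))
        if not failures:
            break
        soh = remediate(policy, soh)
    return transcript, soh


if __name__ == "__main__":
    policy = HealthPolicy(min_patch_level=3)
    client = StatementOfHealth(patch_level=1, antivirus_on=True, firewall_on=False)
    for round_result in nap_cycle(policy, client, "DHCP")[0]:
        print(round_result)
```

Running the same client through a second `nap_cycle` with a stricter policy shows the fourth phase from the slide: the grant is not permanent, and a policy change puts an already-admitted machine back on the restricted network until it remediates.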
NAP Partner Community
Beta available now

Getting Started
Preparing for NAP will take effort and time!
Deployment preparation tasks: Health Modeling; Health Policy Zoning; IAS (RADIUS) Deployment; Zone Enforcement Selection; Exemption Analysis; Change Process Control
Phased rollout: roll out VPN solution to test health policy; roll out IPsec segmentation to test wired enforcement
Roadmap
[Chart with rows Services, Platform, Products, running from current releases to the next generation.]
Services: Frontbridge hosted services for anti-virus and anti-spam filtering (for businesses); next generation of services; content filtering services
Platform: Windows XP SP2; Windows Server 2003 SP1; anti-malware tools; Microsoft Update; Windows Server Update Services; Windows Vista (Firewall, Services Hardening, Network Access Protection, IPSec Enhancements, Audit Collection Services)
Products: ISA Server 2004; Sybari Antigen anti-spam and anti-virus for Email, IM and SharePoint; Windows Live OneCare (for consumers); Microsoft Client Protection; Microsoft Antigen Anti-virus and Anti-spam for messaging and collaboration servers; ISA Server 2006; Windows AntiSpyware; next generation of security products
Summary
It’s all one network. Period.
Need to be securing for tomorrow’s threats, not yesterday’s
Defense in depth is and has always been the only effective strategy
Enterprise patch management will free us for more strategic work
Every machine deserves a good defense
Contact info:
Dean Iacovelli
Chief Security Advisor - State and Local Government
Microsoft [email protected]
Slides available at: www.iacovelli.info/work/secgtc.ppt
Appendix
Tools / Products
Application Compatibility Toolkit 5.0 beta sign up: http://connect.microsoft.com/
Network Access Protection: http://www.microsoft.com/nap
Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/mbsa
Windows Server Update Services (WSUS): http://www.microsoft.com/wsus
IE 7: http://www.microsoft.com/windows/ie/default.mspx
Client Protection: http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
Vista security: http://www.microsoft.com/technet/windowsvista/security/default.mspx
Security Configuration Wizard: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
Guidance and Training
MICROSOFT
Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
Security Guidance Centers: http://www.microsoft.com/security/guidance
Security Online Training: https://www.microsoftelearning.com/security/
XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2
Microsoft IT Security Showcase: http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
Security Newsletter: http://www.microsoft.com/technet/security/secnews/default.mspx
Security Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
Security Notifications via e-mail: http://www.microsoft.com/technet/security/bulletin/notify.mspx
MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
Security Bulletin Search Page: http://www.microsoft.com/technet/security/current.aspx
Security Bulletin Webcast: http://www.microsoft.com/technet/security/bulletin/summary.mspx
Writing Secure Code, 2nd edition: http://www.microsoft.com/mspress/books/5957.asp
Building and Configuring More Secure Web Sites: http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
Windows XP Security Guide, includes SP2: http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
Security Risk Management Guide: http://go.microsoft.com/fwlink/?LinkId=30794
Windows NT 4.0 and Windows 98 Threat Mitigation Guide: http://go.microsoft.com/fwlink/?linkid=32048
Microsoft Identity and Access Management Series: http://go.microsoft.com/fwlink/?LinkId=14841
OTHER
FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN
Bot-net tracking snapshot (table of age in days, name, server and max size per bot-net) as of 6 March 2006: tracking 13053 bot-nets, of which 8524 are active; average size is 85,000 computers.
Windows Service Hardening
Defense In Depth – Factoring/Profiling
Reduce size of high risk layers
Segment the services
Increase # of layers
(Diagram: kernel drivers, user-mode drivers, and services 1, 2, 3, …, A, B factored into separate layers)
Vista Service Changes
(Services common to both platforms)

Windows XP SP2
LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
NetworkService: DNS Client
LocalService: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Vista client
LocalSystem, Firewall Restricted: Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon
LocalSystem, Demand started: BITS
Network Service, Fully Restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA
Network Service, Network Restricted: TrkWks, Cryptographic Services
Local Service, No Network Access: Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System
Local Service, Fully Restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry
Windows Vista Firewall
Combined firewall and IPsec management
New management tools – Windows Firewall with Advanced Security MMC snap-in
Reduces conflicts and coordination overhead between technologies
Firewall rules become more intelligent
Specify security requirements such as authentication and encryption
Specify Active Directory computer or user groups
Outbound filtering
Enterprise management feature – not for consumers
Simplified protection policy reduces management overhead
User Account Control (UAC)
Previously known as “LUA”
Users will logon as non-administrator by default
Protects the system from the user
Enables the system to protect the user
Consent UI allows elevation to administrator
Applications and administrator tools should be UAP aware
Differentiate capabilities based on UAP
Apply correct security checks to product features
Start testing your software against Vista now!
Standard UAC Prompt
Application Installation as a Standard User
Group Policy Device Restriction
BitLocker™ Drive Encryption
Designed specifically to prevent malicious users from breaking Windows file and system protections
Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System
A Trusted Platform Module (TPM) or USB flash drive is used for key storage
BitLocker
Trusted Platform Module
Smartcard-like module on system motherboard
Helps protect secrets
Performs cryptographic functions
Can create, store and manage keys
Performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys and credentials
Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
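Not part of the deck: an added Python model of the mechanism the BitLocker and TPM slides rely on. Each boot component is hashed and extended into a PCR (TPM 1.2 uses SHA-1 for this), and a key sealed to the resulting value is released only when the same value is reproduced at boot. The chain components, storage root key and volume key are constructed placeholders, and the HMAC-based sealing stands in for the TPM's RSA binding.

```python
import hashlib
import hmac

# A TPM 1.2 PCR is a 20-byte SHA-1 register that powers up as all zeros.
PCR_INITIAL = b"\x00" * 20

# Constructed stand-ins for a measured boot chain and chip secrets (not from a real system).
GOOD_CHAIN = [b"bios-v1", b"mbr", b"bootmgr", b"winload"]
SRK = b"constructed-storage-root-key"
VOLUME_KEY = b"constructed-volume-master-key"

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: new_pcr = SHA-1(old_pcr || SHA-1(component)).
    Order-sensitive, so a reordered or altered chain yields a new value."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components: list) -> bytes:
    """Extend every boot-chain component, in order, into one PCR."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = extend(pcr, component)
    return pcr

def seal(secret: bytes, pcr: bytes, srk: bytes) -> dict:
    """Bind a secret (up to 32 bytes) to a PCR value. A real TPM encrypts
    with an RSA key that never leaves the chip; this model derives a
    one-time pad from the SRK and the PCR instead."""
    pad = hmac.new(srk, pcr, "sha256").digest()
    return {"pcr": pcr, "blob": bytes(a ^ b for a, b in zip(secret, pad))}

def unseal(sealed: dict, current_pcr: bytes, srk: bytes):
    """Release the secret only when the current PCR matches the sealed one."""
    if not hmac.compare_digest(sealed["pcr"], current_pcr):
        return None
    pad = hmac.new(srk, current_pcr, "sha256").digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], pad))

def demo():
    """Seal the key to a known-good boot; a modified loader changes the
    PCR and the key stays locked, which is the check BitLocker relies on."""
    sealed = seal(VOLUME_KEY, measure_boot(GOOD_CHAIN), SRK)
    released = unseal(sealed, measure_boot(GOOD_CHAIN), SRK)
    tampered = GOOD_CHAIN[:-1] + [b"winload-modified"]
    blocked = unseal(sealed, measure_boot(tampered), SRK)
    return released, blocked
```

Because the extend operation chains every measurement into one register, a change to any component, or to their order, leaves the PCR different from the sealing-time value and the key is never released.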