microsoft security "beyond patching" security challenges, part ii


Page 1: Beyond Patching

Microsoft Security "Beyond Patching" Security Challenges, Part II

Dean Iacovelli
Chief Security Advisor – State and Local Government
Microsoft Corporation
[email protected]

Page 2: Objectives and Agenda

Objectives
• Address your concerns about security
• Update on current trends
• Current initiatives at Microsoft
• Future security product/solution roadmap

Agenda
1. Defining and managing the risk
2. System integrity
3. Identity management
4. Trustworthy identity
5. Client protection
6. Server protection
7. Network protection
8. Summary, Q&A

Page 3: My Role as SLG CSA

• Overall security policy and strategy for MS SLG
• MS spokesperson to/from SLG customers
• Information broker – resources, best practices, programs
• Coordinator for incident response communication, security readiness
• Not goaled on revenue

Basically: help ensure SLG customers have a good experience dealing with security on the MS platform.

Page 4: Your Feedback? Challenges

• Worms / viruses
• Spyware
• Spam
• Patch management
• Network access control
• Identity management
• Best practices / guidance
• Looking at Linux for security reasons?

Page 5: Understanding Your Adversary

[Diagram. Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest. Skill axis: Script-Kiddy, Hobbyist Hacker, Expert, Specialist. Actor labels placed on the grid: Vandal, Trespasser, Author, Thief, Spy. Annotations: "Tools created by experts now used by less skilled attackers and criminals"; "Fastest growing segment".]

Page 6: State and Local Security Trends

Attacks becoming less numerous, more nasty.

Viruses/worms still lead in financial cost BUT:
• 6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI)
• 2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)
• Botnets (used for cyber extortion) have jumped from an average of 2,500 machines in 2004 to 85,000 in 2006

Why sniff the net when you can hack the site or the password?
• 95% reported 10+ website incidents last year (FBI/CSI)
• 15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)

Major NT4/Win 98 supportability issues. Enterprise patching and management still not under control. What your neighbor isn't doing IS your problem.

Real cost is loss of trust.

Page 7: Closer Look at Malware Data (MSRT)

Release    Days Live   Executions       Disinfections   Value % (Disinfections / Executions)
January    28          124,613,632        239,197       0.1920%
February   28          118,209,670        351,135       0.2970%
March      35          145,502,003        443,661       0.3049%
April      28          125,150,400        590,714       0.4720%
May        35          164,283,730      1,154,345       0.7027%
June       28          162,763,946        642,955       0.3950%
…          …           …                  …             …
Total      362         1,804,565,652    8,679,656       0.481%

[Chart: Machines Cleaned (log scale, 1 to 1,000,000) by Malware per Machine (1 to 9). Source: Microsoft.]

[Pie chart, malware removed by category: Bots 58%, Exploit Worms 15%, Mass Mailing Worms 15%, Rootkits 10%, Trojans 1%, Instant Messaging Worms 1%.]

Page 8: Exploit-Hosting Sites

[Chart: Number of hosted exploit URLs (y-axis, 0 to 70) against site ranking based on number of hosted exploit URLs (x-axis, 0 to 400). Annotated sites: video game cheats (#3 in previous chart), celebrities, song lyrics.]

Page 9: Trends in Security Spending

• $497 per employee: $354 operations, $143 capital
• Even worse for smaller agencies: as much as $650
• No economies of scale
• SLG spends ~10x Federal and most of private sector
• Lack of centralized strategy / tools
• Getting worse: Federal trending down from CY05, SLG trending up
• Various new state infosec laws may be impacting costs, but still a serious issue

Page 10: MS Security Statistical Snapshot

• 263M downloads of XP SP2
• 75M downloads of Microsoft Anti-Spyware beta
• 9.7M consumers using SP2 Firewall
• 332M machines using Automatic Update or Windows Update
• 135 legal actions against spammers worldwide
• 121 phishing sites sued
• 578 Microsoft CISSPs (and counting…)

Page 11: Microsoft Security Strategy Overview

Threat and Vulnerability Mitigation
• Client Protection: protect PCs & devices from malicious software
• Server Protection: protect servers from malicious software
• Network Protection: protect network from malicious software & inappropriate access

System Integrity: make systems inherently safer and more secure.

Identity and Access Management: allow legitimate users secure access to machines, applications and data.

Page 12: Security Development Lifecycle

• Security Development Lifecycle
• Security Response Center
• Better Updates And Tools

Page 13: Threat Modeling Example: MS03-007

Defense in depth on Windows Server 2003, layer by layer:

• The underlying DLL (NTDLL.DLL) was not vulnerable: code made more conservative during the Security Push.
• Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003.
• Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default.
• Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed).
• Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS).
• Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as 'network service'.

Page 14: Security Bulletins Before and Since TwC Release

[Chart residue; figures as of February 14, 2006. Recoverable data points: SQL Server 2000 SP3 (released 1/17/2003): 16 bulletins in the period prior to release, 3 bulletins since the TwC release. "Bulletins 820 days after product release": 7 and 11, for products released 05/31/2001 and 11/17/2003. "1027 days after product release": products released 11/29/2000 and 09/28/2003, with chart values 89 and 50.]

Page 15: Case Study: How We Tested the WMF Patch

• 415 apps (MS & third party)
• 6 supported versions of the O/S in 23 languages
• 15k print variations, 2,800 print pages verified
• 2,000 WMFs analyzed, 125 malicious WMFs tested
• 12k images verified for regressions
• 22,000 hours of stress testing
• 450k total test cases

Page 16: Patch Management Initiative: Progress to Date

Informed & Prepared Customers
• Better security bulletins and KB articles
• IT SHOWCASE: How Microsoft IT Does Patch Management

Superior Patch Quality
• Improved patch testing process and coverage
• Expanded test process to include customers
• Reduced reboots by 10%, targeting 50% in Vista

Consistent & Superior Update Experience
• Standardized patch and update terminology
• Moved from 8 installers to 2 (update.exe and MSI)
• Standardized patch naming and switch options

Best Patch & Update Management Solutions
• Microsoft Update
• WSUS
• SMS 2003

Page 17: Update Impact Analyzer: Determine How Patches Will Affect Critical Apps

[Diagram with three parties: Microsoft, Customer, Administrator. Flows: download update profiles; upload application profiles; enter data & get reports.]

Page 18: Fundamentals

"You can only manage what you can measure" …and you can only secure what you can manage (and find). Decentralization may be a reality, but it's not a best practice.

Set policy
• Active Directory
• Central policy, local defense
• Delegate back business-specific policy control

Audit policy
• Turning it on AFTER the incident is much less useful
• Don't wait for the incident to look at the logs

Standardize builds, supported applications
• Enterprise assets are not toys
• Vista will make this easier, possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

Page 19: Beyond Patching: The Problem

• Patching is no longer strategic
• Moving from security to operations, like backups
• New threats require new models
• Internal network is NOT trusted
• Medieval castle model is the only response
• Automated attacks require automated defenses

Page 20: Microsoft Security Strategy Overview (section divider; same diagram as Page 11)

Page 21: Identity and Access Management

Trustworthy Identity: ensure users are who they claim to be; manage identity lifecycle.
• Directory Services
• Lifecycle Management
• Strong Authentication
• Federated Identity
• Certificate Services

Access Policy Management: provide access based on policy.
• Role-based Access Control
• Audit Collection Services
• Group Policy Management Console

Information Protection: protect data throughout its lifecycle.
• Rights Management Services
• Encryption Services
• Secure Protocols and Channels
• Back-up and Recovery Services

Allow only legitimate users secure, policy-based access to machines, applications and data.

Page 22: Fundamentals

Reduce
• Consolidate to fewer identity stores
• Leverage metadirectories to simplify sign on, automate/standardize identity business rules

Reuse
• Leverage globally relevant attributes across all applications
• Place non-globally relevant attributes in app-coupled LDAP stores

Recycle
• Leverage federation to use your credentials on business partner networks
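The reduce/reuse/recycle principles above, as an added Python example (not Microsoft code and not part of the original deck): a toy metadirectory that joins three identity stores on one anchor attribute, lets globally relevant attributes flow from the authoritative HR source, leaves application-specific attributes in the app-coupled store, and applies one lifecycle rule centrally (HR says terminated, so the account is disabled). The store contents, attribute names, the employeeId anchor and the example.gov domain are constructed sample data; 0x0002 is Active Directory's ACCOUNTDISABLE bit.

```python
"""Toy metadirectory join: reduce, reuse, recycle.

Added example, not Microsoft code and not from the original deck. Three
identity stores are joined on one anchor attribute; globally relevant
attributes flow from the authoritative HR source to the account store,
app-specific attributes stay in the app-coupled LDAP store, and one lifecycle
rule (HR says terminated -> account disabled) is applied centrally. Stores,
attribute names, the employeeId anchor and the example.gov domain are
constructed sample data; 0x0002 is Active Directory's ACCOUNTDISABLE bit.
"""
from typing import Any, Dict, List

# Constructed sample data: each store keyed by its own native identifier.
HR: Dict[str, Dict[str, Any]] = {  # authoritative for who exists and their status
    "E1001": {"employeeId": "E1001", "givenName": "Ana", "sn": "Ruiz", "dept": "Finance", "status": "active"},
    "E1002": {"employeeId": "E1002", "givenName": "Bo", "sn": "Lind", "dept": "IT", "status": "terminated"},
}
AD: Dict[str, Dict[str, Any]] = {  # account store, keyed by sAMAccountName
    "aruiz": {"employeeId": "E1001", "mail": "old.ruiz@example.gov", "userAccountControl": 512},
    "blind": {"employeeId": "E1002", "mail": "bo.lind@example.gov", "userAccountControl": 512},
    "ghost": {"employeeId": "E9999", "mail": "ghost@example.gov", "userAccountControl": 512},  # nobody in HR
}
APP_LDAP: Dict[str, Dict[str, Any]] = {  # app-coupled store: app-specific attributes only
    "uid=aruiz": {"employeeId": "E1001", "appRole": "approver", "costCenterOverride": "FIN-7"},
}

GLOBAL_ATTRS = ("givenName", "sn", "dept", "status")  # reused by every application
ACCOUNTDISABLE = 0x0002
ANCHOR = "employeeId"


def join() -> Dict[str, Dict[str, Any]]:
    """Build one metaverse object per anchor value, recording which store rows joined to it."""
    metaverse: Dict[str, Dict[str, Any]] = {}
    for store_name, store in (("hr", HR), ("ad", AD), ("app", APP_LDAP)):
        for key, entry in store.items():
            obj = metaverse.setdefault(entry[ANCHOR], {"connectors": {}})
            obj["connectors"][store_name] = key
    return metaverse


def flow_attributes(metaverse: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Import rules: global attributes are owned by HR; mail is derived, not hand-typed per store."""
    for anchor, obj in metaverse.items():
        hr = HR.get(anchor)
        if hr is None:
            obj["orphan"] = True  # an account with no owner in the authoritative source
            continue
        for attr in GLOBAL_ATTRS:
            obj[attr] = hr[attr]
        obj["mail"] = f"{hr['givenName']}.{hr['sn']}@example.gov".lower()
    return metaverse


def orphans(metaverse: Dict[str, Dict[str, Any]]) -> List[str]:
    """Anchors that exist in a connected store but not in HR: candidates for cleanup."""
    return sorted(a for a, o in metaverse.items() if o.get("orphan"))


def export_to_ad(metaverse: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Export rules: push mail and the enable/disable decision to AD; never touch app-specific attributes.

    Returns the pending changes per sAMAccountName instead of writing them, so they can be reviewed.
    """
    changes: Dict[str, Dict[str, Any]] = {}
    for obj in metaverse.values():
        sam = obj["connectors"].get("ad")
        if obj.get("orphan") or sam is None:
            continue
        account = AD[sam]
        pending: Dict[str, Any] = {}
        if account["mail"] != obj["mail"]:
            pending["mail"] = obj["mail"]
        uac = account["userAccountControl"]
        wanted = uac | ACCOUNTDISABLE if obj["status"] == "terminated" else uac & ~ACCOUNTDISABLE
        if wanted != uac:
            pending["userAccountControl"] = wanted
        if pending:
            changes[sam] = pending
    return changes


if __name__ == "__main__":
    mv = flow_attributes(join())
    print("orphans:", orphans(mv))
    print("AD changes:", export_to_ad(mv))
```

Two things the slide's bullets do not spell out fall out of the join: an account that no authoritative source owns (the "ghost" row) is surfaced as an orphan rather than silently kept, and the export never writes appRole or costCenterOverride anywhere, which is what "app-coupled" buys you.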

Page 23: Microsoft Security Strategy Overview (section divider; same diagram as Page 11)

Page 24: Fundamentals: Medieval Castle Model

• The internal network is NOT trusted
• Central policy, local defense
• Leverage tools you already own: Windows firewall, Active Directory group policy, phishing filters, Encrypting File System, IPsec logical segmentation
• Isolate what you can't defend

Page 25

• Helps protect the system from attacks from the network
• Provides system-level protection for the base operating system
• Enables a more secure Internet experience for the most common Internet tasks
• Enables a more secure e-mail and instant messaging experience

Page 26: Internet Explorer 7

Social Engineering Protections
• Phishing Filter and colored address bar
• Dangerous Settings Notification
• Secure defaults for all settings

Protection from Exploits
• Protected Mode to prevent malicious software
• Code quality improvements
• ActiveX Opt-in

Page 27: Application Compatibility Toolkit V5.0

• Analyze your portfolio of applications, web sites, and computers
• Evaluate operating system deployments or impact of operating system updates
• Rationalize and organize by applications, web sites, and computers
• Prioritize compatibility efforts with filtered reporting
• Add and manage issues and solutions for your personal computing environment
• Deploy automated mitigations to known compatibility issues
• Send/receive compatibility information to Online Compatibility Exchange

Page 28: Microsoft Client Protection

Capabilities, from least to most complete:
• Remove most prevalent viruses
• Remove all known viruses
• Real-time antivirus
• Remove all known spyware
• Real-time antispyware
• Central reporting and alerting
• Customization
• IT infrastructure integration

FOR INDIVIDUAL USERS: MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live
FOR BUSINESSES: Microsoft Client Protection

Page 29: Shared Computer Toolkit for Windows XP

Windows Disk Protection
• Prevent unapproved changes to the Windows partition
• Allow critical updates and antivirus updates

User Restrictions
• Restrict untrusted users from files and settings
• Lock user profiles for protection and privacy

Profile Manager
• Create "persistent" user profiles on unprotected partitions
• Delete locked user profiles

Accessibility
• Accessibility settings & utilities when restricted
• Quick access for repeat use

Getting Started
• Use and learn about the Toolkit
• Quick access toolbar

Tools are scriptable. Additional command-line tools included. Comprehensive Help and Handbook with supplemental security guidance.

Page 30: Next Generation Security and Compliance

Identity & Access Control: enable secure access to information
• User Account Control
• Plug and Play Smartcards
• Granular auditing
• Simplified Logon architecture

Threat & Vulnerability Mitigation: protect against malware and intrusions
• Code Integrity
• IE Protected Mode
• Windows Defender
• IPSEC/Firewall integration
• Network Access Protection

Fundamentals: engineered for the future
• Security Development Lifecycle
• Threat Modeling
• Code Scanning
• Service Hardening

Information Protection
• BitLocker Drive Encryption
• EFS Smartcard key storage
• RMS client
• Control over removable device installation
• XPS Document + WPF APIs

Page 31: InfoCard Overview

Secure sharing of your info online.

Simple user abstraction
• Manage compartmentalized versions of your identity
• Strong computer-generated keys instead of human-generated passwords

Relates to familiar models
• Gov't ID card, driver's license, credit card, membership card, …

Flexible issuance
• Self-issued – eBay, Amazon
• Issued by external authority – Visa, Government

Implemented as secure subsystem
• Protected UI, anti-spoofing techniques, encrypted storage

Built on WS-Federation web standards.

Page 32: Microsoft Security Strategy Overview (section divider; same diagram as Page 11)

Page 33: Security Configuration Wizard (Windows Server 2003 SP1)

Security lockdown tool for Windows Server 2003.

Roles-based paradigm, focused on attack surface reduction
• Disables unnecessary services
• Disables unnecessary web extensions
• Blocks unnecessary ports
• Configures audit SACLs

Operational infrastructure
• Client-server deployment infrastructure
• Support for Group Policy-based deployment
• Compliance analysis
• Rollback support

Page 34: Microsoft Antigen Line of Products (Threat & Vulnerability Mitigation)

RTM in Q2 2006.

Highlights
• Unique multi-engine approach for faster detection and broader protection
• Integrated virus and spam protection
• Integrated Microsoft AV engine

Page 35: Microsoft Security Strategy Overview (section divider; same diagram as Page 11)

Page 36: Network Access Protection (Longhorn Server, 2007)

Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."

Network Restriction: restricts network access to computers based on their health.

Remediation: provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.

Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Page 37: Microsoft Security "Beyond Patching" Security Challenges, Part II

Network Access Protection Walkthrough

Components: Client; Network Access Device (DHCP, VPN); IAS Policy Server; Remediation Servers; System Health Servers; Restricted Network; Corporate Network.

1. Client to Network Access Device: “May I have access? Here’s my current health status.”
2. Network Access Device to IAS Policy Server: “Should this client be restricted based on its health?”
3. IAS Policy Server: “According to policy, the client is not up to date. Quarantine client, request it to update.”
4. Network Access Device to Client: “You are given restricted access until fix-up.” (Client is placed on the Restricted Network.)
5. Client to Remediation Servers: “Can I have updates?”
6. Remediation Servers to Client: “Here you go.”
7. Client to Network Access Device: “Requesting access. Here’s my new health status.”
8. IAS Policy Server: “According to policy, the client is up to date. Grant access.”
9. Client is granted access to full intranet (Corporate Network).

Throughout: System Health Servers send ongoing policy updates to the IAS Policy Server.
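The exchange on the walkthrough slide, together with the four NAP functions on the slide before it (policy validation, network restriction, remediation, ongoing compliance), as a small Python model. This is an added example, not Microsoft's NAP code or wire format; the names HealthPolicy, StatementOfHealth, evaluate_soh, remediate, nap_session and recheck_after_policy_change, the health attributes checked, and the KB-EXAMPLE patch identifiers are all constructed for illustration.

```python
"""Toy model of the NAP health-check exchange (added example, not Microsoft code)."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class HealthPolicy:
    """Rules held by the IAS (RADIUS) policy server. Constructed example values."""
    min_av_signature_version: int
    required_patches: frozenset
    firewall_required: bool = True


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client asserts about itself when it asks for access."""
    av_signature_version: int
    installed_patches: frozenset
    firewall_on: bool


@dataclass
class Decision:
    access: str                      # "full" (corporate network) or "restricted" (remediation only)
    reasons: list = field(default_factory=list)


def evaluate_soh(policy: HealthPolicy, soh: StatementOfHealth) -> Decision:
    """Policy validation: 'should this client be restricted based on its health?'"""
    reasons = []
    if soh.av_signature_version < policy.min_av_signature_version:
        reasons.append(f"antivirus signatures {soh.av_signature_version} older than "
                       f"required {policy.min_av_signature_version}")
    missing = policy.required_patches - soh.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if policy.firewall_required and not soh.firewall_on:
        reasons.append("host firewall disabled")
    return Decision("restricted" if reasons else "full", reasons)


# Remediation servers reachable from the restricted network (constructed inventory).
REMEDIATION_CATALOG = {
    "av_signature_version": 2260,
    "patches": frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"}),
}


def remediate(soh: StatementOfHealth, catalog=REMEDIATION_CATALOG) -> StatementOfHealth:
    """'Can I have updates?' / 'Here you go.' The client returns with a new SoH."""
    return replace(
        soh,
        av_signature_version=max(soh.av_signature_version, catalog["av_signature_version"]),
        installed_patches=soh.installed_patches | catalog["patches"],
        firewall_on=True,            # remediation also re-enables the host firewall
    )


def nap_session(policy: HealthPolicy, soh: StatementOfHealth, max_rounds: int = 2):
    """Walk the slide's exchange: request, validate, restrict and remediate, re-request.
    Returns the list of decisions made and the final access level."""
    transcript = []
    for _ in range(max_rounds):
        decision = evaluate_soh(policy, soh)
        transcript.append(decision)
        if decision.access == "full":
            return transcript, "full"
        soh = remediate(soh)         # quarantined client fetches fixes, then asks again
    return transcript, "restricted"


def recheck_after_policy_change(new_policy: HealthPolicy, soh: StatementOfHealth) -> str:
    """Ongoing compliance: System Health Servers push a new policy to the policy server
    and an already-admitted client is re-evaluated against it."""
    return evaluate_soh(new_policy, soh).access


# Constructed sample data.
POLICY = HealthPolicy(min_av_signature_version=2250,
                      required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
TIGHTER_POLICY = HealthPolicy(min_av_signature_version=2300,
                              required_patches=POLICY.required_patches)
STALE_CLIENT = StatementOfHealth(av_signature_version=2100,
                                 installed_patches=frozenset({"KB-EXAMPLE-1"}),
                                 firewall_on=False)

if __name__ == "__main__":
    decisions, final_access = nap_session(POLICY, STALE_CLIENT)
    for i, d in enumerate(decisions, 1):
        print(f"round {i}: {d.access}", *d.reasons, sep="\n  ")
    print("final access:", final_access)
    print("after policy tightened:", recheck_after_policy_change(TIGHTER_POLICY, remediate(STALE_CLIENT)))
```

The point the model makes is that the policy server never trusts a stored verdict: every request, and every policy change, re-runs evaluate_soh on the client's current statement of health, which is what the slide's "Ongoing Compliance" item describes.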

Page 38: Microsoft Security "Beyond Patching" Security Challenges, Part II

NAP - Enforcement Options

Enforcement            | Healthy Client                        | Unhealthy Client
DHCP                   | Full IP address given, full access    | Restricted set of routes
VPN (MS and 3rd party) | Full access                           | Restricted VLAN
802.1X                 | Full access                           | Restricted VLAN
IPsec                  | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

Complements layer 2 protection
Works with existing servers and infrastructure
Flexible isolation

Page 39: Microsoft Security "Beyond Patching" Security Challenges, Part II

NAP Partner Community

Page 40: Microsoft Security "Beyond Patching" Security Challenges, Part II

Getting Started

Beta available now

Preparing for NAP will take effort and time!

Deployment preparation tasks:
- Health Modeling
- Health Policy Zoning
- IAS (RADIUS) Deployment
- Zone Enforcement Selection
- Exemption Analysis
- Change Process Control

Phased rollout:
- Rollout VPN solution to test health policy
- Rollout IPSec segmentation to test wired enforcement

Page 41: Microsoft Security "Beyond Patching" Security Challenges, Part II

Roadmap

(Chart rows: Services, Platform, Products; entries listed in chart order)

Frontbridge hosted services for anti-virus and anti-spam filtering (for businesses)
ISA Server 2004
Sybari Antigen anti-spam and anti-virus for Email, IM and SharePoint
Windows XP SP2
Windows Server 2003 SP1
Anti-malware tools
Microsoft Update
Windows Server Update Services
Windows Live OneCare (for consumers)
Microsoft Client Protection
Microsoft Antigen Anti-virus and Anti-spam for messaging and collaboration servers
ISA Server 2006
Windows AntiSpyware
Windows Vista: Firewall, Services Hardening
Next generation of services
Content filtering services
Next generation of security products
Network Access Protection
IPSec Enhancements
Audit Collection Services

Page 42: Microsoft Security "Beyond Patching" Security Challenges, Part II

Summary

It’s all one network. Period.

Need to be securing for tomorrow’s threats, not yesterday’s

Defense in depth is and has always been the only effective strategy

Enterprise patch management will free us for more strategic work

Every machine deserves a good defense

Page 43: Microsoft Security "Beyond Patching" Security Challenges, Part II

Contact info:
Dean Iacovelli
Chief Security Advisor - State and Local Government
Microsoft [email protected]

Slides available at: www.iacovelli.info/work/secgtc.ppt

Page 44: Microsoft Security "Beyond Patching" Security Challenges, Part II

Appendix

Page 45: Microsoft Security "Beyond Patching" Security Challenges, Part II

Tools / Products

Application Compatibility Toolkit 5.0 beta sign up: http://connect.microsoft.com/
Network Access Protection: http://www.microsoft.com/nap
Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/mbsa
Windows Server Update Services (WSUS): http://www.microsoft.com/wsus
IE 7: http://www.microsoft.com/windows/ie/default.mspx
Client Protection: http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
Vista security: http://www.microsoft.com/technet/windowsvista/security/default.mspx
Security Configuration Wizard: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

Page 46: Microsoft Security "Beyond Patching" Security Challenges, Part II

Guidance and Training

MICROSOFT
Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
Security Guidance Centers: http://www.microsoft.com/security/guidance
Security Online Training: https://www.microsoftelearning.com/security/
XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2
Microsoft IT Security Showcase: http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
Security Newsletter: http://www.microsoft.com/technet/security/secnews/default.mspx
Security Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
Security Notifications via e-mail: http://www.microsoft.com/technet/security/bulletin/notify.mspx
MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
Security Bulletin Search Page: http://www.microsoft.com/technet/security/current.aspx
Security Bulletin Webcast: http://www.microsoft.com/technet/security/bulletin/summary.mspx
Writing Secure Code, 2nd edition: http://www.microsoft.com/mspress/books/5957.asp
Building and Configuring More Secure Web Sites: http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
Windows XP Security Guide, includes SP2: http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
Security Risk Management Guide: http://go.microsoft.com/fwlink/?LinkId=30794
Windows NT 4.0 and Windows 98 Threat Mitigation Guide: http://go.microsoft.com/fwlink/?linkid=32048
Microsoft Identity and Access Management Series: http://go.microsoft.com/fwlink/?LinkId=14841

OTHER
FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN

Page 47: Microsoft Security "Beyond Patching" Security Challenges, Part II

Age (days) | Name                         | Server               | MaxSize
02.00      | nubela.net                   | dns.nubela.net       | 10725
10.94      | winnt.bigmoney.biz (randex)  | winnt.bigmoney.biz   | 2393
09.66      | PS 7835 - y.eliteirc.co.uk   | y.eliteirc.co.uk     | 2061
09.13      | y.stefanjagger.co.uk (#y)    | y.stefanjagger.co.uk | 1832
03.10      | ganjahaze.com                | ganjahaze.com        | 1507
01.04      | PS 8049 - 1.j00g0t0wn3d.net  | 1.j00g0t0wn3d.net    | 3689
10.93      | pub.isonert.net              | pub.isonert.net      | 537
08.07      | irc.brokenirc.net            | irc.brokenirc.net    | 649
01.02      | PS 8048 - grabit.zapto.org   | grabit.zapto.org     | 62
10.34      | dark.naksha.net              | dark.naksha.net      | UNK
08.96      | PS 7865 - lsd.25u.com        | lsd.25u.com          | UNK
UNK        | PS ? - 69.64.38.221          | 69.64.38.221         | UNK

As of 6 March 2006: Tracking 13053 bot-nets of which 8524 are active. Average size is 85,000 computers.

Page 48: Microsoft Security "Beyond Patching" Security Challenges, Part II
Page 49: Microsoft Security "Beyond Patching" Security Challenges, Part II

Windows Service Hardening: Defense In Depth – Factoring/Profiling

(Diagram: a stack of separately contained service boxes labelled Service 1, Service 2, Service 3, Service …, Service A, Service B, sitting above User-mode Drivers and Kernel Drivers)

Reduce size of high risk layers
Segment the services
Increase # of layers

Page 50: Microsoft Security "Beyond Patching" Security Challenges, Part II

Vista Service Changes (services common to both platforms)

Windows XP SP2

LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS

NetworkService: DNS Client

Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Vista client

LocalSystem, Firewall Restricted: Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon

LocalSystem, Demand started: BITS

Network Service, Fully Restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA

Network Service, Network Restricted: TrkWks, Cryptographic Services

Local Service, No Network Access: Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System

Local Service, Fully Restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry

Page 51: Microsoft Security "Beyond Patching" Security Challenges, Part II

Windows Vista Firewall

Combined firewall and IPsec management
- New management tools – Windows Firewall with Advanced Security MMC snap-in
- Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent
- Specify security requirements such as authentication and encryption
- Specify Active Directory computer or user groups

Outbound filtering
- Enterprise management feature – not for consumers
- Simplified protection policy reduces management overhead

Page 52: Microsoft Security "Beyond Patching" Security Challenges, Part II

User Account Control (UAC)

Previously known as “LUA”

Users will logon as non-administrator by default
- Protects the system from the user
- Enables the system to protect the user

Consent UI allows elevation to administrator

Applications and administrator tools should be UAP aware
- Differentiate capabilities based on UAP
- Apply correct security checks to product features

Start testing your software against Vista now!

Page 53: Microsoft Security "Beyond Patching" Security Challenges, Part II

Standard UAC Prompt

Page 54: Microsoft Security "Beyond Patching" Security Challenges, Part II

Application Installation as a Standard User

Page 55: Microsoft Security "Beyond Patching" Security Challenges, Part II

Group Policy Device Restriction

Page 56: Microsoft Security "Beyond Patching" Security Challenges, Part II

BitLocker™ Drive Encryption

Designed specifically to prevent malicious users from breaking Windows file and system protections

Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System

A Trusted Platform Module (TPM) or USB flash drive is used for key storage

Page 57: Microsoft Security "Beyond Patching" Security Challenges, Part II

Trusted Platform Module

Smartcard-like module on system motherboard

Helps protect secrets

Performs cryptographic functions

Can create, store and manage keys

Performs digital signature operations

Holds Platform Measurements (hashes)

Anchors chain of trust for keys and credentials

Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org
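How the platform measurements on this slide let BitLocker (previous slide) release its key only to the expected boot path, as an added Python model; this is not Microsoft's or the TCG's code. The PCR extend rule SHA-1(PCR_old || SHA-1(component)) follows TPM 1.2; the seal/unseal blob layout, the fixed SRK value, the boot-component names and the 32-byte volume master key are constructed stand-ins for illustration.

```python
"""Toy model of TPM PCR measurement and sealing (added example, not TPM or BitLocker code)."""
import hashlib
import hmac

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || SHA-1(component)).
    Extend is the only way to change a PCR, so the final value commits to every
    component measured and to the order in which they were measured."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Each boot stage measures the next one before handing off to it.
    PCRs reset to zero at power-on, so every boot starts from the same state."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _wrap_key(srk: bytes, pcr: bytes) -> bytes:
    # Inside a real TPM this key material never leaves the chip; here it is
    # derived from the storage root key and the PCR value the blob is bound to.
    return hmac.new(srk, b"seal-to-pcr" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Seal a secret (e.g. a volume master key) to a PCR value. Toy construction:
    XOR-mask the secret with a key bound to (SRK, PCR) and MAC the result."""
    if len(secret) > hashlib.sha256().digest_size:
        raise ValueError("toy seal handles secrets up to 32 bytes")
    key = _wrap_key(srk, expected_pcr)
    keystream = hmac.new(key, b"mask", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(key, expected_pcr + ciphertext, hashlib.sha256).digest()
    return {"pcr": expected_pcr, "ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, srk: bytes):
    """The TPM releases the secret only if the platform's *current* PCR equals the
    value the blob was sealed to. Any other boot path yields None."""
    if not hmac.compare_digest(blob["pcr"], current_pcr):
        return None
    key = _wrap_key(srk, current_pcr)
    expected_tag = hmac.new(key, current_pcr + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    keystream = hmac.new(key, b"mask", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream))


# Constructed sample data: a fixed SRK stand-in, a 32-byte volume master key,
# the boot chain the disk was provisioned under, and one that boots a different loader.
SRK = b"constructed-storage-root-key-not-a-real-tpm-key"
VMK = bytes(range(32))
TRUSTED_CHAIN = [b"firmware v1", b"boot sector", b"boot manager", b"os loader"]
ALTERED_CHAIN = [b"firmware v1", b"boot sector", b"other os loader"]


def bitlocker_style_demo() -> dict:
    """Seal the VMK to the trusted boot measurement, then attempt to unseal it
    from both boot paths."""
    sealed = seal(VMK, measure_boot_chain(TRUSTED_CHAIN), SRK)
    return {
        "trusted_boot": unseal(sealed, measure_boot_chain(TRUSTED_CHAIN), SRK),
        "altered_boot": unseal(sealed, measure_boot_chain(ALTERED_CHAIN), SRK),
    }


if __name__ == "__main__":
    result = bitlocker_style_demo()
    print("trusted boot path releases VMK:", result["trusted_boot"] == VMK)
    print("altered boot path releases VMK:", result["altered_boot"] is not None)
```

The model is why the BitLocker slide can claim protection while "a different or exploiting Operating System" is running: the other loader is measured into the PCR before it runs, the PCR value no longer matches the sealed blob, and the TPM withholds the key. It is also why firmware or boot-manager updates on a BitLocker machine have to be planned: they change the measurement just as an attacker's loader would.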

Page 58: Microsoft Security "Beyond Patching" Security Challenges, Part II