微软蓝灰风格PPT模板

nullMicrosoft Security StrategyMicrosoft Security StrategySteven Adler Product Manager Microsoft EMEASession AgendaSession AgendaFocus on Customer Challenges Microsoft Security Strategy Secure Windows Initiative Strategic Technology Protection Program Trustworthy Computing Building the secure platform .NET Framework Windows .NET Summary QuestionsnullTechnology, Process, People What are the challenges?Products lack security features Products have bugs Insufficient technical standards Difficult to stay up-to-dateDesign for security Roles & responsibilities Vigilance Business continuity plans Stay up-to-date with security developmentProblem recognition Skills shortage Human errorMicrosoft Security StrategyMicrosoft Security StrategySecure Windows Initiative “Engineering For Security”Secure Windows Initiative “Engineering For Security”Goal: Eliminate Every Security Vulnerability Before The Product ShipsPeopleProcessTechnologyIndustry YardstickIndustry YardstickSource: Security Focus http://www.securityfocus.com/vulns/stats.shtmlSecure Windows InitiativeSecure Windows InitiativePeopleTrain, and keep current, every developer, tester, and program manager in the specific techniques of building secure productsProcessMake security a critical factor in design, coding and testing of every product Microsoft builds Cross-group design & code reviews Security Threat Analysis part of every design spec Red Team testing and code reviews Focus not confined to buffer overruns Security bug feedback loop & code sign-off requirements External reviews and testing by consultants and publicTechnologyBuild tools to automate everything possible in the quest to code the most secure products Prefix and Prefast for buffer overrun detection Updated as new vulnerabilities found Visual C++ 7.0 compiler improvements Domain-specific tools (i.e. RPC security stress)Secure Windows Initiative External Security ReviewSecure Windows Initiative External Security ReviewFIPS 140-1 evaluation of Cryptographic Service Provider (CSP) – Completed Government validation of base crypto algorithms in Windows Common Criteria evaluation – In Preparation Evaluation of Windows source code against International security criteria for evaluating Third party expert review of key components Source code licensed to over 80 universities, labs, and government agencies Strategic Technology Protection ProgramGoal: Help customers secure their Windows SystemsPeopleProcessTechnologyStrategic Technology Protection ProgramStrategic Technology Protection Program - Customers Need Our HelpStrategic Technology Protection Program - Customers Need Our HelpI didn’t know which patches I needed I didn’t know where to find the updates I didn’t know which machines to update We updated our production servers, but the rogue servers got infectedMore than 50% of the customers affected by Code Red were not patched in time for NimdaSTPP: “Get Secure”STPP: “Get Secure”Coming - Enterprise Security Tools Microsoft Baseline Security Analyzer SMS security patch rollout tool Windows Update Auto-update clientNow - Microsoft Security Toolkit Server oriented security resources. New server security tools and updates, Windows Update bootstrap client for Windows 2000Now - Security Assessment Program Offering Available immediately through MCS/PSSNow - Free Virus Support Hotline Contact your local PSS officeGet Secure Microsoft Security ToolkitGet Secure Microsoft Security ToolkitGets Windows NT and 2000 systems to secure baseline, even disconnected net Automates server updates One-button wizard and SMS Scripts Updates and Patches Includes all Service Packs and critical OS and IIS patches through 10/15 HFNetchk: patch level verifier IIS Lockdown & URLScanSTPP: “Stay Secure”STPP: “Stay Secure”Ongoing - Enhanced Product Security Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family Spring 2002 - Federated Corporate Windows Update Program Allows enterprise to host and select Windows Update contentSpring 2002 - Windows 2000 Service Pack (SP3) Provide ability to install SP3 + security rollup with a single rebootJan. 2002 - Windows 2000 Security Rollup Patches Bundle all security fixes in single patches Reduces reboots and administrator burdenCorporate Update Server SolutionCorporate Update Server SolutionAutomatic Update (AU) client Automatically download and install critical updates Security patches, high impact bug fixes and new drivers when no driver is installed for a device Checks Windows Update service or Corporate Update server once a day New! Install at schedule time after automatic downloads Administrator control of configuration via registry-based policy Support for Windows .NET Server, Windows XP and Windows 2000 Update server Corporate hosted WU server to support download and install of critical updates through AU client Server synchronizes with the public Windows Update service Simple administrative model via IE Updates are not made available to clients until the administrator approves them Runs on Windows .NET Server and Windows 2000 ServerTrustworthy ComputingTrustworthy ComputingGoal: Make devices powered by computers and software as trustworthy as devices powered by electricity. A Trust TaxonomyA Trust TaxonomyAvailability At advertised levels Suitability Features fit function Integrity Against data loss or alteration Privacy Access authorized by end-user Reputation System and provider brandSecurity Resists unauthorized access Quality Performance criteria Dev Practices Methods, philosophy Operations Guidelines and benchmarks Business Practices Business model Policies Laws, regulations, standards, normsIntent Management assertions Risks What undermines intent, causes liability Implementation Steps to deliver intent Evidence Audit mechanismsGoalsMeansExecutionBuilding the secure platformBuilding the secure platformGoal: Provide IT with a secure, integrated foundation for managing how users, business, and technologies connect.Security in depthInfrastructure (PKI, Directory)Security in depthNetwork (IPSec, Wireless, VPN)Device (PDA, Laptops, PC’s, Servers)ApplicationManagementTypical Application ArchitectureFront EndTypical Application ArchitectureUsersBack EndAuthenticationNetwork AccessAuthorizationAuditAlertsSecure Network AccessFront EndSecure Network AccessUsersBack EndAuthorizationAuthenticationNetwork AccessFirewall VPN Wireless IPSECAuditAlertsFlexible AuthenticationFront EndFlexible AuthenticationUsersBack EndBasic HTTP Digest Kerberos Certificates SmartcardsAuthenticationNetwork AccessAuthorizationAuditAlertsRich Access ControlsFront EndRich Access ControlsUsersBack EndAuthenticationNetwork AccessAuthorizationAuditAlertsAccess Control Lists RolesSystem Wide AuditingFront EndSystem Wide AuditingUsersBack EndAuthorizationAuditAlertsAudit Actions Distributed Devices Audit PolicyAuthenticationNetwork AccessAlert InfrastructureFront EndAlert InfrastructureUsersBack EndAuthorizationAuditAlertsEvent Forwarding Filtering CorrelationAuthenticationNetwork AccessWindows Brings it TogetherWindows Brings it TogetherActive Directory Integrated network authentication Policy based management PKI Integrated PKI services and auto-enrollment Used by IPSEC, Smartcard, Code Signing etc. Networking Secure network access via 802.1x support Authenticated firewall access via Microsoft ISA server Protected Devices Encrypting File System Software Restriction Policies null© 2002 Microsoft Corporation. All rights reserved.