Microsoft Security Strategy
Steven Adler, Product Manager, Microsoft EMEA

Session Agenda
- Focus on customer challenges
- Microsoft Security Strategy
- Secure Windows Initiative
- Strategic Technology Protection Program
- Trustworthy Computing
- Building the secure platform
- .NET Framework
- Windows .NET
- Summary
- Questions

Technology, Process, People: What Are the Challenges?
Technology
- Products lack security features
- Products have bugs
- Insufficient technical standards
- Difficult to stay up-to-date
Process
- Design for security
- Roles and responsibilities
- Vigilance
- Business continuity plans
- Stay up-to-date with security development
People
- Problem recognition
- Skills shortage
- Human error

Microsoft Security Strategy: Secure Windows Initiative, "Engineering For Security"
Goal: eliminate every security vulnerability before the product ships.
Three pillars: People, Process, Technology.

Industry Yardstick
[Figure: vulnerability statistics chart. Source: Security Focus, http://www.securityfocus.com/vulns/stats.shtml]

Secure Windows Initiative
People
- Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products
Process
- Make security a critical factor in the design, coding and testing of every product Microsoft builds
- Cross-group design and code reviews
- Security threat analysis as part of every design spec
- Red Team testing and code reviews
- Focus not confined to buffer overruns
- Security bug feedback loop and code sign-off requirements
- External reviews and testing by consultants and the public
Technology
- Build tools to automate everything possible in the quest to code the most secure products
- Prefix and Prefast for buffer overrun detection, updated as new vulnerabilities are found
- Visual C++ 7.0 compiler improvements
- Domain-specific tools (e.g. RPC security stress)

Secure Windows Initiative: External Security Review
- FIPS 140-1 evaluation of the Cryptographic Service Provider (CSP): completed. Government validation of the base crypto algorithms in Windows.
- Common Criteria evaluation: in preparation. Evaluation of Windows source code against international security criteria for evaluating
- Third-party expert review of key components: source code licensed to over 80 universities, labs, and government agencies.
Strategic Technology Protection Program
Goal: help customers secure their Windows systems.
Three pillars: People, Process, Technology.

Strategic Technology Protection Program: Customers Need Our Help
Customer feedback:
"I didn't know which patches I needed."
"I didn't know where to find the updates."
"I didn't know which machines to update."
"We updated our production servers, but the rogue servers got infected."
More than 50% of the customers affected by Code Red were not patched in time for Nimda.

STPP: "Get Secure"
Coming: Enterprise Security Tools
- Microsoft Baseline Security Analyzer
- SMS security patch rollout tool
- Windows Update Auto-update client
Now: Microsoft Security Toolkit
- Server-oriented security resources
- New server security tools and updates; Windows Update bootstrap client for Windows 2000
Now: Security Assessment Program Offering
- Available immediately through MCS/PSS
Now: Free Virus Support Hotline
- Contact your local PSS office

Get Secure: Microsoft Security Toolkit
- Gets Windows NT and 2000 systems to a secure baseline, even on a disconnected network
- Automates server updates: one-button wizard and SMS scripts
- Updates and patches: includes all Service Packs and critical OS and IIS patches through 10/15
- HFNetChk: patch-level verifier
- IIS Lockdown and URLScan

STPP: "Stay Secure"
Ongoing: Enhanced Product Security
- Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
Spring 2002: Federated Corporate Windows Update Program
- Allows enterprises to host and select Windows Update content
Spring 2002: Windows 2000 Service Pack 3 (SP3)
- Provides the ability to install SP3 plus the security rollup with a single reboot
Jan. 2002: Windows 2000 Security Rollup Patches
- Bundle all security fixes in single patches
- Reduces reboots and administrator burden

Corporate Update Server Solution
Automatic Update (AU) client
- Automatically downloads and installs critical updates: security patches, high-impact bug fixes, and new drivers when no driver is installed for a device
- Checks the Windows Update service or the Corporate Update server once a day
- New: install at a scheduled time after automatic downloads
- Administrator control of configuration via registry-based policy
- Support for Windows .NET Server, Windows XP and Windows 2000
Update server
- Corporate-hosted Windows Update server supporting download and install of critical updates through the AU client
- Server synchronizes with the public Windows Update service
- Simple administrative model via IE
- Updates are not made available to clients until the administrator approves them
- Runs on Windows .NET Server and Windows 2000 Server

Trustworthy Computing
Goal: make devices powered by computers and software as trustworthy as devices powered by electricity.

A Trust Taxonomy
Goals
- Availability: at advertised levels
- Suitability: features fit function
- Integrity: against data loss or alteration
- Privacy: access authorized by end-user
- Reputation: system and provider brand
Means
- Security: resists unauthorized access
- Quality: performance criteria
- Dev practices: methods, philosophy
- Operations: guidelines and benchmarks
- Business practices: business model
- Policies: laws, regulations, standards, norms
Execution
- Intent: management assertions
- Risks: what undermines intent, causes liability
- Implementation: steps to deliver intent
- Evidence: audit mechanisms

Building the Secure Platform
Goal: provide IT with a secure, integrated foundation for managing how users, business, and technologies connect.

Security in Depth
Layers: Infrastructure (PKI, Directory); Network (IPSec, Wireless, VPN); Device (PDAs, laptops, PCs, servers); Application; Management.

Typical Application Architecture
[Diagram: Users, Front End and Back End, with the security functions Authentication, Network Access, Authorization, Audit and Alerts around them.] The following slides highlight each function in turn:
- Secure Network Access: Firewall, VPN, Wireless, IPSec
- Flexible Authentication: Basic, HTTP Digest, Kerberos, Certificates, Smartcards
- Rich Access Controls: Access Control Lists, Roles
- System Wide Auditing: audit actions, distributed devices, audit policy
- Alert Infrastructure: event forwarding, filtering, correlation

Windows Brings It Together
Active Directory
- Integrated network authentication
- Policy-based management
PKI
- Integrated PKI services and auto-enrollment
- Used by IPSec, smartcards, code signing, etc.
Networking
- Secure network access via 802.1x support
- Authenticated firewall access via Microsoft ISA Server
Protected Devices
- Encrypting File System
- Software Restriction Policies
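The Corporate Update Server slide above says the Automatic Update client is steered by registry-based policy and that clients should receive only content the administrator has approved. As an added example that is not from the slides or from Microsoft, this PowerShell audit reads that policy on a host and flags the weak settings a defender would want to catch (client still talking to the public service, automatic updates disabled, no scheduled install). It assumes the documented policy path HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) with the values WUServer, UseWUServer, NoAutoUpdate and AUOptions, none of which the slides name; the server URL is a constructed placeholder.

```powershell
# Added example (not from the slides): audit the Automatic Update client's
# registry-based policy and report whether it is pointed at the corporate
# update server and set to install at a scheduled time after downloading.
# Assumed policy location (documented by Microsoft, not named on the slides):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate   -> WUServer
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> UseWUServer,
#                                                    NoAutoUpdate, AUOptions

$ExpectedServer = 'http://updates.corp.example'   # constructed placeholder

function Get-AuPolicyFindings {
    param([string]$ExpectedServer)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $findings = @()

    $wuVals = if (Test-Path $wu) { Get-ItemProperty -Path $wu } else { $null }
    $auVals = if (Test-Path $au) { Get-ItemProperty -Path $au } else { $null }

    # 1. Is the client using the corporate server at all? If not, it fetches
    #    from the public Windows Update service and bypasses admin approval.
    if (-not $auVals -or $auVals.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: client uses the public Windows Update service.'
    }
    # 2. Does the server URL match the one administrators approve content on?
    if (-not $wuVals -or $wuVals.WUServer -ne $ExpectedServer) {
        $findings += "WUServer is '$($wuVals.WUServer)', expected '$ExpectedServer'."
    }
    # 3. Is automatic updating switched off outright? Then the daily check never runs.
    if ($auVals -and $auVals.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: the daily update check is disabled.'
    }
    # 4. AUOptions 4 = download automatically and install at the scheduled time,
    #    the behaviour the slide describes; anything else leaves installs to users.
    if (-not $auVals -or $auVals.AUOptions -ne 4) {
        $findings += 'AUOptions is not 4: downloads are not followed by a scheduled install.'
    }
    return ,$findings
}

$result = Get-AuPolicyFindings -ExpectedServer $ExpectedServer
if ($result.Count -eq 0) { 'AU policy matches the corporate update server baseline.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated prompt on each managed host (or through SMS/remoting); every line prefixed FINDING is a host that can still pull unapproved content or will never install what it downloads.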
© 2002 Microsoft Corporation. All rights reserved.