TRANSCRIPT
Advances in Microsoft Office Client Security: Keeping Enterprise Data Safe
Brad Albrecht, Senior Security Program Manager, Microsoft Corporation
SESSION CODE: OSP201
Session Objectives and Takeaways
Session Objective(s): Explain Office 2010 Security
• Today’s risk is not macros
• Security is working in the background
• Office 2010 security is game changing: File Validation, Protected View, better user experience
Threat Landscape
* Diagram from SANS – The Top Cyber Security Risks (chart: number of vulnerabilities by layer: Applications, OS Libraries, OS Transport, Network)
How do we protect ourselves from these threats?
• Attack Resilience
• Layered Defences
• Integrity Protection
Protection Technology
• Encryption
• Data Protection
• Enterprise Management
• Secure Collaboration
Core Security
• Threat Modelling
• Validation Tools
• Secure Coding Practices
• Security Development Lifecycle
• Intensive Distributed Fuzzing
Security Engineering
Security Development Lifecycle (SDL); Intensive Distributed Fuzzing
Fuzzing pipeline (diagram): Valid File → Fuzzer → Fuzzed File → Target Application
Layered Defenses
Harden the Attack Surface
Reduce the Attack Surface
Improve User Experience
Mitigate the Exploits
Harden the Attack Surface
• Security Engineering: Security Development Lifecycle foundation; Intensive Distributed Fuzzing
• Integrate OS Advances: support for DEP/NX; leverage WIC image parsers; robust and agile cryptography

Reduce the Attack Surface
Office File Validation
• Binary files
• Runs automatically on open
• Evaluates file for ‘correctness’
• Protects against unknown exploits
• Faster updates for changes to rules
Gatekeeper vs MSRC cases (chart)
Mitigate the Exploits
Protected Viewer ‘Sandbox’
• Word, Excel, PPT files can run in the ‘sandbox’
• Prevents harmful documents from damaging user data and OS
• Helps users make better trust decisions
Office Protected Viewer opens:
• Files that failed File Validation
• Files that don’t comply with File Block Policy
• Files in unsafe folders
• All Outlook attachments
• Files from the Internet Zone
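As an added illustration of what a ‘gatekeeper’ validation step checks before a binary Office file is trusted, here is a constructed Python validator for the OLE2 Compound File header used by legacy .doc/.xls/.ppt files; a file that fails checks like these is the kind of file the deck routes to the Protected Viewer rather than opening fully enabled. This is example code written for this transcript, not Office File Validation’s rule set: the checks are a subset of the MS-CFB header layout, and the sample container built by build_sample_cfb is constructed inline.

```python
import struct

# Magic number every OLE2 Compound File (legacy .doc/.xls/.ppt) begins with.
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF      # marks an unused FAT/DIFAT slot
ENDOFCHAIN = 0xFFFFFFFE    # marks the end of a sector chain

def validate_cfb_header(data: bytes) -> list:
    """Illustrative subset of MS-CFB header rules (constructed example, not Office's own)."""
    if len(data) < 512:
        return ["file shorter than the 512-byte CFB header"]
    problems = []
    if data[:8] != CFB_SIGNATURE:
        problems.append("bad CFB signature")
    _minor, major, byte_order, sector_shift, _mini_shift = struct.unpack_from("<5H", data, 24)
    if byte_order != 0xFFFE:
        problems.append("byte-order mark 0x%04X, expected 0xFFFE" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        # Without a trustworthy sector size the offset checks below are meaningless.
        return problems + ["major version %d inconsistent with sector shift %d"
                           % (major, sector_shift)]
    (n_dir, n_fat, first_dir, _txn, mini_cutoff, _first_minifat, _n_minifat,
     _first_difat, _n_difat) = struct.unpack_from("<9I", data, 40)
    if major == 3 and n_dir != 0:
        problems.append("version 3 file must report 0 directory sectors")
    if mini_cutoff != 4096:
        problems.append("mini stream cutoff %d, expected 4096" % mini_cutoff)
    # Sector n starts at (n + 1) * sector_size, so every referenced sector must lie
    # inside the file; dangling references are a classic sign of a malformed file.
    sector_count = len(data) // (1 << sector_shift) - 1
    if first_dir >= sector_count:
        problems.append("first directory sector %d beyond end of file" % first_dir)
    if n_fat == 0:
        problems.append("no FAT sectors declared")
    for idx in range(min(n_fat, 109)):          # FAT sector list embedded in the header
        sect = struct.unpack_from("<I", data, 76 + 4 * idx)[0]
        if sect == FREESECT or sect >= sector_count:
            problems.append("FAT sector entry %d (%d) out of range" % (idx, sect))
    return problems

def build_sample_cfb(first_dir: int = 1, fat_sector: int = 0, body_sectors: int = 3) -> bytes:
    """Constructed minimal version-3 container: a header followed by empty sectors."""
    hdr = bytearray(512)
    hdr[:8] = CFB_SIGNATURE
    struct.pack_into("<5H", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 40, 0, 1, first_dir, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, fat_sector, *([FREESECT] * 108))
    return bytes(hdr) + bytes(512 * body_sectors)
```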
Improve User Experience
• Better information to make trust decisions
• Avoid forcing choice between security and productivity
• Remembers users’ selections for security decisions, and does not ask again
• Reduced prompts
‘My Stuff’...
Document flow (diagram): open email attachment → ‘Gatekeeper’ validation → sandboxed viewer → user clicks ‘Enable’ → document opens, fully enabled → save document → reopen document
• Incoming: strong protection from all classes of malware inside sandbox.
• View document before trust decision is made. Many scenarios stop here – reading is enough.
• Trust decisions are ‘sticky’.
Office 2007 Prompts
Protecting your documents
• Encryption
• Data Protection
• Digital Signature
• Enterprise Mgmt

Data Protection
Information Rights Management
• Users can control permissions
• Restrictions on sensitive data
• Copy prevention
• Enable collaboration between two enterprises
• Can lock down content

Encryption
• Full crypto agility via native CNG support: allows agility in organizations; effective in Govt organizations
• Integrity checks: validates encrypted messages
• Enforce domain password complexity: enabled through GPO

Digital Signature
• Timestamping (RFC 3161): documents valid after certificate expires
• XAdES: international standard; enables stronger signatures

Enterprise Management
• Define policies and use Office to enforce them
• More IT Admin control in 2010
• More granularity within group policy management
Resources
www.microsoft.com/teched – Sessions On-Demand & Community
www.microsoft.com/learning – Microsoft Certification & Training Resources
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
OfficeITPro.com
http://msdn.microsoft.com/office
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA