Identity Management and Security Summit - Partner Technical Session
Jamie Sharp, CISSP, Microsoft Consulting, [email protected]

Posted on 18-Dec-2015

Agenda - MS QuickStart for Operating Secure Servers

- Service Overview
- Deliverables and Resources
- Goals of the engagement
- Key concepts to communicate to the customer

Fixed-price Service

- Sold as 2 weeks. Partner sets price.
- 96 hours delivery consultant(s)
  - 2 weeks (80 hrs)
  - plus 2 days for auxiliary expert, research, etc.
- 32 hours QA delivered by Microsoft expert (fee for QA & IP license)
- Engagement is simply “fixed price” to the customer; do not discuss specific hours.

Target Customers

- In its “pure” form, the target is the mid-size corporation of 500-10,000 seats. Larger customers can be accommodated.
- Invested in Windows 2000: some value to the NT 4 customer, but the prescriptive guidance assumes Windows 2000.
- Looking to understand their current exposure and what is possible to achieve.

Consultant Requirements

- MCSE (Active Directory Architect)
- CISSP or equivalent cert/experience
- ITIL Foundations or MOF Essentials
- Comfortable in a Project Lead role
- MS QuickStart trained
- Comfortable in presenting and leading design sessions

Project Schedule

- Week #1
  - Brief Security Intro
  - Assessment
- Week #2
  - Brief Operations Overview
  - Operations Workshop
  - Prescriptive Configuration Guidance and Design

Consultant Resources

- Presentations
  - Security Intro
  - Operations Overview
- Delivery Guide
  - Security Operations Guide Worksheet
  - Consultant Guide for SOG Worksheet

Consultant Deliverables

- Resource Planning Guide
- Assessment
  - Known vulnerability spreadsheet
  - Baseline Security Analyzer
  - Assessment report template
- Configuration Guidance
  - Security Operations Guide for Windows 2000 Server
  - Microsoft Operations Framework Core Documents
  - Security Operations Guide Worksheet

Tools Used

- Microsoft Baseline Security Analyzer
- HFNetChk
- Group policies and security templates
- IIS Lockdown and URLScan
- EventCombMT
- DCDiag, NetDiag, NSLookUp, RepAdmin, GPResult, GPOTool, etc.

Techniques Used

- Threat modeling: S.T.R.I.D.E.
- Risk management
- Change, Configuration and Release management
- Maintaining hotfixes & service packs
- Ongoing monitoring and assessment
- Incident response

Engagement Goals

- Get secure:
  - Security assessment
  - Application of current OS updates
  - Host configuration best practices
- Stay secure:
  - Operational best practices
  - Leverage Active Directory to manage servers by role using organizational units, group policies, and delegation of administration
  - Identify update procedures to keep patches up to date
  - Use auxiliary tools like URLScan to help protect IIS servers from yet-to-be-discovered vulnerabilities

Engagement Goals

- Just an assessment, even a full assessment, would NOT be enough.
- A “Plan to Operate Securely” turns the findings of the assessment into manageable configuration and operations tasks and gets them moving in a positive direction.
- Without the Assessment, the “Plan to Operate Securely” may not have the weight/backing it needs.
- Both are needed!

Why is the Engagement so Short?

- We’re going for quick results, results that can be demonstrated for the client.
- Follow-on work will be necessary; this engagement is only the start.
- The Assessment gives justification for the effort of the follow-on work, and the best practices show that it is a doable effort.

Summary

- Microsoft QuickStart Service is a complete packaged service
- Use the resources provided to you
- Manage to the time allowed
- Avoid scope creep
- The Assessment and the Planning do not create an endpoint; it is a quick start

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Agenda

- Understanding Security
- Current Situation
- Solution Components
- Roadmap
- Wireless
- VPN
- Perimeter

Understanding Security

Risk Management

- Resources
- Threats
- Vulnerabilities
- Exploits
- Countermeasures

Defence in Depth

Assume prior layers fail:

- Policies and Procedures
- Physical Security
- Perimeter Defenses
- Network Defenses
- Application Defenses
- Host Defenses
- Data Defenses

Principle of Least Privilege

Any administrator, user, service, etc. that needs to perform a task should only be granted the minimum rights and permissions necessary to perform that task.

Threat Modeling

You cannot build secure infrastructure or applications unless you understand the associated threats.

Security Challenges

- Technology
  - Products lack security features
  - Products have bugs
  - Many issues are not addressed by technical standards
  - Too hard to stay up-to-date
- Process
  - Design for security
  - Roles & responsibilities
  - Audit, track, follow-up
  - Response plans
  - Stay up-to-date with security development
- People
  - Lack of knowledge
  - Lack of commitment
  - Human error

Current Situation

- Patches proliferating
- Time to exploit decreasing
- Exploits are more sophisticated
- Current approach is not sufficient

Security is our #1 Priority. There is no silver bullet. Change requires innovation.

[Chart: days between patch and exploit - Nimda: 331; SQL Slammer: 180; Welchia/Nachi: 151; Blaster: 25]

Current Situation - Customer Feedback

You’ve Told Us:

- “I can’t keep up…new patches are released every week”
- “The quality of the patching process is low and inconsistent”
- “I need to know the right way to run a Microsoft enterprise”
- “There are still too many vulnerabilities in your products”

Our Action Items:

- Provide Guidance and Training
- Mitigate Vulnerabilities Without Patches
- Continue Improving Quality
- Improve the Patching Experience

Addressing The Situation

- Security and Patch Management: Priority #1 at Microsoft
- Comprehensive tactical and strategic approach to addressing the situation
  - Trustworthy Computing Initiative
  - SD3+C Security framework
  - Patch Management Initiative

Patch Management Initiative - Progress to Date

- Informed & Prepared Customers
  - Rationalized patch severity rating levels
  - Better security bulletins and KB articles
  - Security Readiness Kit; Patch Management guidance, etc.
- Best Patch & Update Management Solutions
  - Developed Patch & Update Management tools roadmap
  - SUS 2.0 in development: significantly enhanced capabilities
  - SMS 2003 delivers expanded patch and update management capabilities
- Consistent & Superior Update Experience
  - Standardized patch and update terminology
  - Standardized patch naming and installer switch options*
  - Installer consolidation plan in place – will go from ~8 to 2
  - Reduced patch release frequency from 1/week to 1/month
- Superior Patch Quality
  - Improved patch testing process and coverage
  - Expanded test process to include customers
  - Reduced reboots by 10%; reduced patch size by up to 75%**

More on the Patch Management Initiative in the Roadmap section of this presentation…

*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches

Solution Components

Successful Patch Management

- Tools & Technologies
- Repeatable Processes
- Trained People

Patch Management Process

[Diagram: 1. Assess -> 2. Identify -> 3. Evaluate -> 4. Deploy, as a cycle]

1. Assess Environment to be Patched
   - Periodic Tasks
     A. Create/maintain baseline of systems
     B. Assess patch management architecture (is it fit for purpose)
     C. Review infrastructure/configuration
   - Ongoing Tasks
     A. Discover assets
     B. Inventory clients

2. Identify New Patches
   - Tasks
     A. Identify new patches
     B. Determine patch relevance (includes threat assessment)
     C. Verify patch authenticity & integrity (no virus; installs on isolated system)

3. Evaluate & Plan Patch Deployment
   - Tasks
     A. Obtain approval to deploy patch
     B. Perform risk assessment
     C. Plan patch release process
     D. Complete patch acceptance testing

4. Deploy the Patch
   - Tasks
     A. Distribute and install patch
     B. Report on progress
     C. Handle exceptions
     D. Review deployment

Patch Management Guidance

Prescriptive guidance from Microsoft for effective patch management

- Uses Microsoft Operations Framework (MOF)
  - Based on ITIL* (de facto standard for IT best practices)
- Details requirements for effective patch management:
  - Technical & operational pre-requisites
  - Operational processes & how technology supports them
  - Daily, weekly, monthly & as-needed tasks to be performed
  - Testing options
- Three patch management guidance offerings
  - Microsoft Guide to Security Patch Management**
  - Patch Management using Software Update Services***
  - Patch Management using Systems Management Server***

*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology

MBSA

- Helps identify vulnerable Windows systems
- Scans for missing security patches and common security mis-configurations
- Scans various versions of Windows and other Microsoft applications
- Scans local or multiple remote systems via GUI or command line invocation
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Integrates with SUS & SMS

[Diagram: the Assess / Identify / Evaluate & Plan / Deploy cycle, entered at "New Update"]
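The following is an added example, not code from the presentation or from MBSA, SUS or SMS. It is a small Python script that walks the Assess and Identify tasks of the process above (baseline inventory, identify released updates, determine relevance, verify package integrity) and produces the kind of per-host missing-update report an MBSA scan gives. The catalog, hosts, bulletin ids, KB numbers and digests are all constructed placeholders; in practice relevance, supersedence and digest data come from the vendor's bulletins and the scanner's detection manifest, not from the file you are about to verify.

```python
"""Added example: toy missing-update scanner for the Assess/Identify steps.
All catalog entries, hosts and digests are constructed for illustration;
bulletin ids and KB numbers are placeholders, not real Microsoft values."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Update:
    bulletin: str                         # placeholder bulletin id
    kb: str                               # placeholder KB number
    product: str                          # product the update applies to
    severity: str                         # vendor severity rating
    sha256: str                           # published digest of the package
    supersedes: frozenset = frozenset()   # KBs this update replaces


@dataclass(frozen=True)
class Host:
    name: str
    products: frozenset                   # installed products (inventory)
    installed_kbs: frozenset              # KBs the inventory reports


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalog of released updates (Identify, task A).
CATALOG = (
    Update("MSxx-001", "KB100001", "Windows 2000", "Critical", _digest(b"pkg-001")),
    Update("MSxx-002", "KB100002", "Windows 2000", "Important", _digest(b"pkg-002"),
           supersedes=frozenset({"KB100001"})),
    Update("MSxx-003", "KB100003", "IIS 5.0", "Critical", _digest(b"pkg-003")),
    Update("MSxx-004", "KB100004", "Windows XP", "Moderate", _digest(b"pkg-004")),
)

# Constructed inventory (Assess: discover assets, inventory clients).
HOSTS = (
    Host("dc01", frozenset({"Windows 2000"}), frozenset({"KB100001"})),
    Host("web01", frozenset({"Windows 2000", "IIS 5.0"}), frozenset({"KB100002"})),
    Host("ws17", frozenset({"Windows XP"}), frozenset()),
)


def superseded_by(catalog):
    """Map each KB to the set of KBs that directly replace it."""
    table = defaultdict(set)
    for u in catalog:
        for old in u.supersedes:
            table[old].add(u.kb)
    return table


def missing_updates(host, catalog):
    """Identify, task B: updates relevant to this host that are neither
    installed nor covered by an installed superseding update."""
    replaced = superseded_by(catalog)
    missing = []
    for u in catalog:
        if u.product not in host.products:
            continue                          # not applicable to this host
        if u.kb in host.installed_kbs:
            continue                          # already installed
        if replaced[u.kb] & host.installed_kbs:
            continue                          # a newer rollup is present
        missing.append(u)
    # Evaluate & Plan sees the most severe gaps first.
    missing.sort(key=lambda u: (SEVERITY_RANK[u.severity], u.bulletin))
    return [u.bulletin for u in missing]


def scan(hosts, catalog):
    """Per-host report in the spirit of an MBSA run over several systems."""
    return {h.name: missing_updates(h, catalog) for h in hosts}


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """Identify, task C: integrity check before the package goes to the
    isolated test system; compare_digest is the idiomatic digest compare."""
    return hmac.compare_digest(_digest(data), expected_sha256)


if __name__ == "__main__":
    for name, missing in scan(HOSTS, CATALOG).items():
        print(f"{name}: {', '.join(missing) or 'no missing updates'}")
    print("package ok:", verify_package(b"pkg-001", CATALOG[0].sha256))
```

Note how supersedence changes the answer: web01 has only KB100002 installed, yet MSxx-001 is not reported because KB100002 replaces it, which is the kind of relevance logic that separates a useful scanner from a raw checklist.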

Software Update Services

- Deploys Windows security patches, security rollups, critical updates*, and service packs only
- Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth optimized content deployment
- Provides central administrative control over which patches can be installed from Windows Update
- Provides basic patch installation status logging

*Including critical driver updates

SMS 2003

- Identifies & deploys missing Windows and Office security patches on target systems
- Can deploy any patch, update, or application in Windows environments
- Inventory management & inventory based targeting of software installs
- Install verification and detailed reporting
- Flexible scheduling of content sync & installs
- Central, full administrative control over installs
- Bandwidth optimized content distribution
- Software metering and remote control capabilities

Choosing A Patch Management Solution - Typical Customer Decisions

Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software | SMS
Large or Medium Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** | SUS
Small Business | Have at least 1 Windows server and 1 IT administrator** | SUS
Small Business | All other scenarios | Windows Update
Consumer | All scenarios | Windows Update

*Windows 2000, Windows XP, Windows Server 2003
**Customer uses Windows Update or manual process for other OS versions & applications software

Adopt the solution that best meets the needs of your organisation

Roadmap

Informed & Prepared Customers

[Timeline, Q4 ’02 to Q3 ’04: Clearer Severity Rating Levels; Patch Management Guides; Security Readiness Kit (Guides, Tools, Best Practices); Patch Management Roadmap; Patch Management White Paper; Sustaining Engineering Practices White Paper; Security Bulletin Teleconferences; Improved KB Articles; GTM Partnership Deliverables; Bulletin Search Page; Revised Patch Management Guides]

- New Security & Patch Management workshops
- Regular web casts on security patch management*
- Updated roadmap, whitepapers, and guidance

*See http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts

Consistent & Superior Update Experience

[Timeline, Q1 ’03 to Q4 ’04: Standard terminology for documentation; Standard naming and signing; Standard installer switches defined; Patches & Security Bulletins released once a month; Add/Remove Program Improvements (Standard Titles*, Standard Registry Entries, Standard Property Sheet, Standard Detection Manifest); MSI 3.0; 2 Installers: MSI, Update.exe]

- MSI 3.0 supports uninstall, binary delta patching, etc. – Q2 2004
- Converge to two installers – Q4 2004
- Monthly patch delivery for non-emergency patches - Today

*For Add/Remove Programs, Windows Update, and Download Center

Superior Patch Quality

[Timeline, Q4 ’02 to Q3 ’04: 25% reduction in patch size; 10% reduction in patch reboots; 75% reduction in patch size*; 90% reduction in patch size; 30% reduction in patch reboots**; patch test process includes participating customers]

- Up to 75% reduction in patch size*
- 10% reduction in patch reboots
- Patch test process extended to include customers

*For Windows Update installs, more than 25% reduction for other patches
**For Windows Server 2003 patches

MBSA

- Overall direction
  - MBSA update scanning functionality integrated into Windows patch management functionality
  - MBSA becomes Windows assessment & mitigation engine
- Near- and intermediate-term plans
  - MBSA 1.2 (Q4 2003)
    - Improves report consistency, product coverage, and locale support
    - Integrates Office Update Inventory Tool
  - MBSA 2.0 (Q2 2004)
    - Update scanning functionality migrates to SUS 2.0 / Microsoft Update
    - MBSA leverages SUS 2.0 for update scanning

SUS 2.0

- Support for additional Microsoft products
- Administrative control
- Deployment & targeting
- Bandwidth efficiency
- Scale out
- Status reporting

Patch Management Functionality - Future Direction

- Longer-term (Longhorn time frame)
  - SUS functionality integrated into Windows
  - SUS supports updating of all Microsoft software
  - SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
  - SMS patch management built on SUS infrastructure and delivers advanced patch management functionality
- Near-term
  - SUS 2.0 (Spring 2004)
    - Single infrastructure for patch management
    - Support for additional Microsoft products
    - Significant improvements in patch management functionality
  - SMS 2003 Update Management Feature Pack (H2 2004)
    - Leverages SUS for update scanning & download
    - Leverages SUS client (Automatic Updates) for installs

Wireless

Current Situation

- Huge fear of wireless
  - Rooted in misunderstandings of security
- Wireless can be made secure
  - Takes work
  - Need to understand problem
  - Need to plan for secure solution

WEP Issues (WEP - Wired Equivalent Privacy)

- Key and initialisation vector reuse
- Known plaintext attack
- Partial known plaintext attack
- Weaknesses in RC4 key scheduling algorithm
- Authentication forging
- Realtime decryption
- More information: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
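As an added example, not part of the presentation, the Python script below shows why the first, second and last items in that list follow from WEP's design rather than from any implementation bug: the per-frame RC4 key is IV || K with only a 24-bit IV sent in the clear, so the same keystream is eventually reused, two frames under one IV cancel the key out entirely, and one frame with known content under a repeated IV reveals every other frame sent under that IV. The RC4 code is a textbook implementation; the key, IV and frame contents are constructed, and the birthday-bound helper assumes IVs are chosen at random (many cards of the era used a counter, which repeats even sooner).

```python
"""Added example: WEP keystream reuse (two-time pad) demonstrated on a
textbook RC4. Key, IV and frames below are constructed for illustration."""
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, in clear) || RC4(IV||K, P || CRC32(P))."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: knows K, rebuilds the per-frame key from the IV."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_cancels(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV: C1 XOR C2 == P1 XOR P2, so the secret key
    drops out ('key and initialisation vector reuse')."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Known plaintext: the keystream for this IV is just C XOR (P || ICV)."""
    icv = zlib.crc32(known).to_bytes(4, "little")
    return xor(frame[3:], known + icv)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame reusing that IV is readable without K, as long as it
    is no longer than the keystream already recovered ('realtime decryption')."""
    body = frame[3:]
    assert len(body) <= len(keystream), "only a prefix of the keystream is known"
    return xor(body, keystream)[:-4]


def frames_for_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames after which some IV has repeated with
    probability p, when IVs are drawn uniformly from the 2^iv_bits space."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


if __name__ == "__main__":
    key = b"wep104-key-13"                     # constructed 13-byte WEP key
    iv = b"\x00\x00\x01"                      # the same IV on both frames
    p1 = b"GET /index.html HTTP/1.0\r\n"       # constructed frame contents
    p2 = b"POST /login HTTP/1.0\r\n"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("key cancels out:", keystream_cancels(key, iv, p1, p2))
    ks = keystream_from_known_plaintext(f1, p1)
    print("second frame without K:", decrypt_with_keystream(f2, ks))
    print("frames until a 50% IV repeat:", frames_for_iv_collision())
```

frames_for_iv_collision() comes out just under 5,000 frames, which a busy access point sends in a matter of seconds; that is why the 802.1X per-session key generation and the 802.11i designs later in this deck replace WEP's keying rather than patch it.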

Solution Today - 802.1XSolution Today - 802.1XPort-based access control Port-based access control mechanism defined by IEEEmechanism defined by IEEE

Works on anything, wired and wirelessWorks on anything, wired and wirelessAccess point must support 802.1XAccess point must support 802.1XNo special WIC requirementsNo special WIC requirements

Allows choice of authentication Allows choice of authentication methods using EAPmethods using EAP

Chosen by peers at authentication timeChosen by peers at authentication timeAccess point doesn’t care about EAP Access point doesn’t care about EAP methodsmethods

Manages keys automagicallyManages keys automagicallyNo need to preprogram WICsNo need to preprogram WICs

Solution Today - EAPSolution Today - EAP

Link-layer security frameworkLink-layer security frameworkSimple encapsulation protocol for Simple encapsulation protocol for authentication mechanismsauthentication mechanismsRuns over any link layer, lossy or Runs over any link layer, lossy or losslesslossless

No built-in securityNo built-in securityDoesn’t assume physically secure linkDoesn’t assume physically secure linkAuthentication methods must Authentication methods must incorporate their own securityincorporate their own security

AuthN Supported in AuthN Supported in WindowsWindows

EAP-MD5 disallowed for wirelessEAP-MD5 disallowed for wirelessCan’t create encrypted session Can’t create encrypted session between supplicant and authenticatorbetween supplicant and authenticatorWould transfer password hashes in the Would transfer password hashes in the clearclearCannot perform mutual authenticationCannot perform mutual authentication

Vulnerable to man-in-the-middle attacksVulnerable to man-in-the-middle attacks

EAP-TLS in Windows XP releaseEAP-TLS in Windows XP releaseRequires client certificatesRequires client certificatesBest to have machine and userBest to have machine and user

Service pack 1 adds protected EAP Service pack 1 adds protected EAP (PEAP)(PEAP)

Protected EAP (PEAP)Protected EAP (PEAP)

Extension to EAPExtension to EAPAllows use of any secure authentication Allows use of any secure authentication mechanism for EAPmechanism for EAP

No need to write individual EAP-enabled No need to write individual EAP-enabled methodsmethods

Windows PEAP allows:Windows PEAP allows:MS-CHAPv2—passwordsMS-CHAPv2—passwordsTLS (SSL channel)—certificatesTLS (SSL channel)—certificates

PEAP-EAP-TLS a little slower than EAP-TLSPEAP-EAP-TLS a little slower than EAP-TLS

SecurID—but not tested/supported for wirelessSecurID—but not tested/supported for wirelessFor many deployments, machine and user For many deployments, machine and user passwords still are necessarypasswords still are necessaryPEAP enables secure wireless nowPEAP enables secure wireless now

Allows easy migration to certificates and Allows easy migration to certificates and smartcards latersmartcards later

802.1X & EAP Provides

Mutual device authentication
• Workstation and authentication server authenticate each other
• No rogue access points
• Prevents man-in-the-middle attacks
• Ensures the key is transferred to the correct entity

User authentication
• No unauthorized access or interception

WEP key uniqueness and regeneration
• Per-session, periodically regenerated keys limit packet spoofing and keystream reuse
• Caveat: 802.11 management frames such as disassociation are still unauthenticated, so disassociation spoofing is not fully prevented by 802.1X alone
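The following is an added example, not from the deck, showing concretely why per-station key uniqueness and regeneration matter. WEP seeds RC4 with a 24-bit IV (sent in clear) prepended to the shared key; with one static key for every station, an IV repeat is inevitable and gives two frames the same keystream, so C1 XOR C2 equals P1 XOR P2 and a frame with predictable content (an ARP, a known header) exposes the other frame without any key knowledge. The RC4 implementation, key values and frame contents are constructed for the example, and the CRC-32 ICV is omitted.

```python
"""WEP keystream reuse under a static shared key, and why 802.1X-derived
per-session keys break the attack. Added example with constructed frames."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher WEP uses."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in clear, then RC4(IV || key) applied to the payload."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame1: bytes, frame2: bytes, known_plaintext1: bytes):
    """Attacker knows frame1's plaintext and sees that both frames carry the same IV.
    keystream = C1 XOR P1, then P2 = C2 XOR keystream (as far as the keystream reaches)."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    keystream = xor(c1, known_plaintext1)
    return xor(c2, keystream)


# Constructed values (assumptions for the example).
STATIC_KEY = bytes.fromhex("0123456789abcdef0123456789")      # one 104-bit key for all stations
SESSION_KEY = bytes.fromhex("fedcba9876543210fedcba9876")     # a per-session key for one station
IV = b"\x00\x00\x01"                                          # the same IV used twice
P1 = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"ARP who-has 10.0.0.1").ljust(32, b" ")
P2 = (b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"payroll export 1234").ljust(32, b" ")


def demo():
    """Returns (recovery under a shared static key, recovery attempt under per-session keys)."""
    # Static key: both stations' frames reuse keystream when their IVs collide.
    f1 = wep_encrypt(STATIC_KEY, IV, P1)
    f2 = wep_encrypt(STATIC_KEY, IV, P2)
    leaked = recover_with_known_plaintext(f1, f2, P1)
    # 802.1X-derived per-session key: the second station's frame uses a different
    # key, so the same IV no longer yields the same keystream and the attack fails.
    f3 = wep_encrypt(SESSION_KEY, IV, P2)
    garbage = recover_with_known_plaintext(f1, f3, P1)
    return leaked, garbage


if __name__ == "__main__":
    leaked, garbage = demo()
    print("static key  :", leaked)
    print("session key :", garbage)
```

Regeneration matters for the same reason: even a per-session key sees its 2^24 IV space exhausted on a busy link, so rekeying before the IV space wraps is what keeps keystreams unique over time.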

WPA - An Interim Until 802.11i

Goals
• Require secure networking
• Solve WEP issues with software and firmware upgrades
• Provide secure wireless for SOHO (pre-shared key mode, no RADIUS needed)
• Be forward compatible with 802.11i
• Be available today

WPA Wireless Security Update in Windows XP: http://support.microsoft.com/?kbid=815485

The Future - 802.11i

IEEE is working on 802.11i
• Replacement for WEP
• Includes TKIP (Temporal Key Integrity Protocol), 802.1X, and a keyed integrity check
• Mandatory AES (Advanced Encryption Standard)
• Addresses all currently known vulnerabilities and poor implementation decisions
• Need to be an IEEE member to read work in progress
• Expected ratification in Q4 2003

VPN

Remote Access Trends

• Explosive growth of mobile users: 63.4M handheld computers to be sold by 2003*
• Increasing methods of access, including application-specific access
• Combined functionality: VPN and firewall combined platforms

* Source: IDC

VPN Solution Components

[Diagram: telecommuter and mobile-worker clients reach the VPN server through an ISP and the Internet; behind it sits the corporate network (file/print server, database server, web server, email server, domain controller, IAS server) overseen by an administrator. Solution components: Clients, Gateway, Protocols, Authentication, Policy, Deployment Tools.]

Windows VPN Components

Client: Integrated VPN client (Windows XP)
Gateway: Routing and Remote Access Services (Windows Server 2003)
Protocols: Platform support for industry-standard protocols
Authentication: Internet Authentication Services & Active Directory
Policy: AD Group Policy (see Windows Server Policies below)
Deployment Tools: Connection Manager Administration Kit

Windows XP Professional Client

Integrated VPN Client
Initiates connections to remote networks.

Simplicity
• New Connections Wizard
• Automatic protocol detection

Security
• Client state check with "Quarantine"
• Supports advanced security and encryption
• Supports certificates, smart cards, token cards and more

Windows Server Gateway

Routing and Remote Access Services
Links clients to private networks.

Security
• Secure remote access connection technology
• Per-session VPN packet filters

Performance
• Offload hardware encryption supported
• Load balancing support for VPN

Manageability
• Integrated Active Directory authentication
• Supports standards-based authentication servers (RADIUS)

Windows XP & Server 2003 Protocols

Industry Standard Protocols
Specify link capabilities and encrypt data traffic.

Security
• Advanced security with L2TP/IPSec tunneling protocols
• PKI authentication support
• Legacy user authentication support with PPTP (kept for older clients; prefer L2TP/IPSec where the client supports it)
• Support for smart cards with EAP

Interoperability
• IETF standards-based solutions

Network Transparency
• Multi-protocol and multicast support

Windows Server Authentication

Internet Authentication Services
Validates user access to the network.

Directory Integration
• Integrates with Active Directory

Interoperability
• Authenticates other 3rd-party VPN products that support RADIUS

Security
• Support for "Quarantine"

New authentication support
• Smart cards, token cards, fingerprint scanners and more
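The RRAS gateway, IAS and any 3rd-party VPN product on the slides above talk to each other over RADIUS, so the following added example (not from the deck, not Microsoft code) builds and verifies a RADIUS Access-Request the way RFC 2865 and RFC 2869 specify it: the User-Password attribute hidden with MD5(secret || previous block), and a Message-Authenticator (HMAC-MD5 over the whole packet with its own value zeroed) that lets the server detect tampering and a wrong shared secret. The shared secret, user name, password and NAS address are constructed for the example; the fixed Request Authenticator is only there to make the test deterministic, and a real NAS must use a fresh random one per request.

```python
"""RADIUS Access-Request: NAS side builds it, server side verifies and decodes it.
Added example; RFC 2865 5.2 (User-Password) and RFC 2869 5.14 (Message-Authenticator)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; block i is XORed with
    MD5(secret || previous ciphertext block), the first with MD5(secret || RequestAuth)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """NAS side (RRAS or a 3rd-party VPN gateway)."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_MSG_AUTH, b"\x00" * 16))          # zeroed while computing the MAC
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                                  # Message-Authenticator is the last attribute


def parse_attrs(data: bytes, base: int = 20):
    """Yields (type, absolute offset of value, value); rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, base + i + 2, data[i + 2:i + length]))
        i += length
    return attrs


def server_verify(pkt: bytes, secret: bytes):
    """IAS side: returns (username, password) or None if the packet is not trustworthy."""
    try:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
            return None
        auth = pkt[4:20]
        attrs = parse_attrs(pkt[20:])
    except (struct.error, ValueError):
        return None
    ma = [(off, v) for t, off, v in attrs if t == ATTR_MSG_AUTH]
    if not ma or len(ma[0][1]) != 16:
        return None                                          # policy: require Message-Authenticator
    off, value = ma[0]
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
        return None                                          # tampered, or wrong shared secret
    by_type = {t: v for t, _, v in attrs}
    if ATTR_USER_NAME not in by_type or ATTR_USER_PASSWORD not in by_type:
        return None
    return (by_type[ATTR_USER_NAME].decode(),
            unhide_password(by_type[ATTR_USER_PASSWORD], secret, auth).decode())


# Constructed values for the example.
EXAMPLE_SECRET = b"s3cret-shared-with-ias"
EXAMPLE_AUTH = bytes(range(16))   # fixed only for reproducibility; use os.urandom(16) in practice

if __name__ == "__main__":
    pkt = build_access_request(7, EXAMPLE_SECRET, "jsharp", "pw", "10.0.0.5", EXAMPLE_AUTH)
    print(pkt.hex())
    print(server_verify(pkt, EXAMPLE_SECRET))
```

Two things the code makes visible: the only secret protecting the User-Password on the wire is the RADIUS shared secret (MD5 of secret plus a public authenticator), so the gateway-to-IAS path needs a long random secret and ideally IPsec; and without Message-Authenticator a spoofed Access-Request from anyone who can reach UDP/1812 is accepted for processing, which is why EAP over RADIUS mandates the attribute.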

Windows Server Policies

AD Group Policy
Network policies for users to gain access.

Security
• Enforcement of policies to check the state of the client via the quarantine service
• Restricted access based on group membership

Manageability
• Centralized user management with integration of AD and the authentication service

Windows Server Deployment Tools

Connection Manager Administration Kit
Create and manage client connection configurations.

Central Configuration
• Create pre-configured dial-up and VPN connection software for a simplified client experience

Extensibility
• Customizable help files, help-desk numbers, and more
• Configurable connect actions to launch custom code before or after connection

Phonebook Management
• Automatic phonebook updates for local ISP access numbers

Components of Network Access Quarantine Control

White Paper: Network Access Quarantine Control in Windows Server 2003
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
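The quarantine flow referenced on the client, authentication and policy slides above is modelled in the following added example (not from the deck, not Microsoft code). It follows the white paper's design as I recall it: the remote access policy places a freshly connected client behind restrictive IP filters with a session timeout; a CMAK post-connect script runs compliance checks on the client; if they pass, a notifier component reports a script version string to a listener on the RRAS server, which lifts the filters only if that string is in its allowed set; a client that never reports is disconnected when the timeout fires. The check functions, client facts, filter strings, version strings and class names are constructed for the model and are not the real component names or interfaces.

```python
"""Model of Network Access Quarantine Control: client-side checks, notifier,
server-side listener with an allowed-set, and the timeout path.
Added example; names and checks are constructed, not the product's own."""
from dataclasses import dataclass, field


# Client-side compliance checks over a dict of constructed client facts.
# A real post-connect script queries the OS (firewall state, AV signature age, patches).
def check_firewall_on(facts) -> bool:
    return facts.get("firewall_enabled") is True


def check_av_signatures_fresh(facts) -> bool:
    return facts.get("av_signature_age_days", 999) <= 7


def check_patch_level(facts) -> bool:
    return facts.get("patch_level", 0) >= 2


CHECKS = [("firewall", check_firewall_on),
          ("antivirus", check_av_signatures_fresh),
          ("patches", check_patch_level)]

# Filters applied by the quarantine remote access policy: enough to reach the
# listener port and a remediation server, nothing else (constructed values).
QUARANTINE_FILTERS = ["allow tcp to rras:7250 (notifier)",
                      "allow udp to dns:53",
                      "allow tcp to patchserver:80"]


@dataclass
class QuarantineSession:
    state: str = "quarantined"            # quarantined | full_access | disconnected
    filters: list = field(default_factory=lambda: list(QUARANTINE_FILTERS))
    timeout_s: int = 120                   # session timeout while quarantined


class QuarantineListener:
    """Server side: accepts a script version string and lifts quarantine only if
    the string is in the administrator-configured allowed set."""

    def __init__(self, allowed_set):
        self.allowed_set = set(allowed_set)

    def notify(self, session: QuarantineSession, version_string: str) -> bool:
        if session.state != "quarantined":
            return False
        if version_string not in self.allowed_set:
            return False                   # unknown/outdated script: stay quarantined
        session.state = "full_access"
        session.filters = []               # quarantine IP filters removed
        session.timeout_s = 0              # quarantine timeout cancelled
        return True


def run_post_connect_script(facts, listener: QuarantineListener,
                            session: QuarantineSession,
                            script_version: str = "CorpQuarantineScript-1.0"):
    """Client side: run every check; only a fully compliant client calls the notifier.
    Returns the list of failed check names (empty on success)."""
    failed = [name for name, check in CHECKS if not check(facts)]
    if failed:
        return failed                      # no notification, filters stay in place
    listener.notify(session, script_version)
    return []


def expire_timeout(session: QuarantineSession) -> None:
    """Server side: the quarantine timeout fired before a valid notification."""
    if session.state == "quarantined":
        session.state = "disconnected"


if __name__ == "__main__":
    listener = QuarantineListener(allowed_set={"CorpQuarantineScript-1.0"})
    compliant = {"firewall_enabled": True, "av_signature_age_days": 2, "patch_level": 3}
    s = QuarantineSession()
    print(run_post_connect_script(compliant, listener, s), s.state)
```

The design point to carry to the customer: the version string is a plain configuration value, not a cryptographic proof, so this mechanism keeps misconfigured clients off the network but does not protect against a user who deliberately runs a modified script. Microsoft's own documentation of the feature describes it as a configuration check rather than a security boundary.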

Perimeter

What is ISA Server?

• High-performance Web cache
• Multi-layered firewall
  • Packet level (static and dynamic filters)
  • Circuit level (stateful inspection)
  • Application level (payload inspection)
  • Network Address Translation (NAT)
• Centralised or distributed management
• ICSA certified
• Common Criteria EAL2 certified

Current Situation

• Traditional firewalls focus on packet filtering and stateful inspection
• Attacks carried inside an allowed protocol pass straight through a port-based policy
• Ports are overloaded and can be exploited
  • Port 80 yesterday: Web browsing only
  • Port 80 today: Web browsing, OWA, XML Web Services, ...
• Packet filtering and stateful inspection are not enough

Application-layer Firewalls are Necessary

• Application-layer firewalls are required to stop these attacks
• Enable deep content inspection
• A requirement for network security today

[Diagram: Internet, then a packet filtering firewall/router, then an application-layer firewall, then the internal network.]

"To provide edge security in this application centric world...application-layer firewalls will be required" - John Pescatore, Gartner
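The following is an added example, not from the deck and not ISA Server code, that puts the "port 80 yesterday / port 80 today" point into working form: a port-based rule beside an application-layer HTTP check run over constructed TCP payloads. The port rule lets everything addressed to TCP/80 through, including a tunnelled non-HTTP protocol and a request for a host that was never published; the application-layer check parses the request line and headers and enforces method, URL length, path and published-host constraints. The allowed host names, size limits and payloads are assumptions for the example, and a product HTTP filter checks considerably more than this.

```python
"""Port filter versus application-layer HTTP inspection over constructed payloads.
Added example; hosts, limits and sample traffic are constructed."""
import re

ALLOWED_METHODS = {"GET", "POST", "HEAD"}           # what the published web apps need
MAX_URL_LEN = 2048
PUBLISHED_HOSTS = {"owa.example.com", "www.example.com"}   # constructed publishing rules
REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def packet_filter(dst_port: int) -> bool:
    """Traditional rule: anything to TCP/80 is 'web' and is allowed."""
    return dst_port == 80


def http_filter(payload: bytes):
    """Application-layer check of the first request on the connection.
    Returns (allowed, reason)."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no complete HTTP header block"       # tunnelled/non-HTTP traffic
    lines = head.split(b"\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        return False, "not an HTTP request line"
    method, target = m.group(1).decode(), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    if len(target) > MAX_URL_LEN:
        return False, "URL too long"
    if not target.startswith(b"/") or b".." in target or b"%00" in target:
        return False, "suspicious request target"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False, "malformed header"
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode("ascii", errors="replace")
    if host not in PUBLISHED_HOSTS:
        return False, "host %r not published" % host
    return True, "ok"


def inspect(dst_port: int, payload: bytes):
    """Both layers in series: the port rule first, then payload inspection."""
    if not packet_filter(dst_port):
        return False, "port not allowed"
    return http_filter(payload)


# Constructed sample traffic, all addressed to TCP/80.
SAMPLES = {
    "owa":     b"GET /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\nUser-Agent: x\r\n\r\n",
    "tunnel":  b"SSH-2.0-OpenSSH_3.6\r\n",
    "connect": b"CONNECT evil.example:443 HTTP/1.1\r\nHost: owa.example.com\r\n\r\n",
    "long":    b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: owa.example.com\r\n\r\n",
    "badhost": b"GET /admin HTTP/1.1\r\nHost: intranet.corp\r\n\r\n",
    "dotdot":  b"GET /../winnt/system32/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def compare_layers():
    """Returns {name: (port-filter verdict, app-layer verdict)} for every sample."""
    return {name: (packet_filter(80), inspect(80, payload)[0])
            for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, (port_ok, app_ok) in compare_layers().items():
        print("%-8s port-filter=%s app-layer=%s  %s" % (name, port_ok, app_ok, inspect(80, SAMPLES[name])[1]))
```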

ISA Deployment Benefits

• Cost-effective to build, monitor and operate
• Integrated with Windows security and compatible with non-Windows hosts
• Saves bandwidth by caching frequently accessed content
• Provides a firewall engine with application-layer inspection
• Enables QoS, detailed reporting, strong user authentication and high availability

Partner Opportunities

• Implementing a good patch management process
• Eliminate fear of wireless networks
• Revisiting corporate remote access strategies
• Evaluate the security of customers' DMZ environments
• Regularly check www.microsoft.com/security

© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.