
1 Enhancing Customer Security: Commitment and Progress Tyler S. Farmer Sr. Technology Specialist II Education Solutions Microsoft Corporation

2 Agenda: End of Life; Situation; Commitments; Progress; Challenges ahead

3 Product Lifecycle Guidelines. 7-year lifecycle: 5 years of "Mainstream Support" (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims, and hotfix support), then 2 more years of "Extended Support" (all paid support options; security-related hotfix support at no charge). Non-security hotfix support requires a separate Extended Hotfix Support contract, purchased within 90 days after Mainstream Support ends. Microsoft will not accept requests for warranty support, design changes, or new features during the Extended Support phase. http://support.microsoft.com/lifecycle

4 End of Life – NT Server 4.0: regular support ends Dec. 2004; security hotfix support ends Dec. 2004; non-security hotfix support ends Dec. 2003.

5 End of Life – NT Workstation 4.0: support basically ended on June 30, 2003. Some security patches are still coming, probably alongside NT Server (June 2004).

6 End of Life – Windows 98: regular support ended June 30, 2003. Paid incident support extended to June 30, 2006; this does not include new security fixes (available through Premier Support).

7 Microsoft Java Virtual Machine: under the 2001 settlement with Sun, Microsoft is no longer authorized to support its Java VM starting October 2004; this includes security patches. Diagnostic tool coming "soon". http://www.microsoft.com/java

8 Situation (diagram): Product ships → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site. Most attacks occur in the critical gap between patch release and patch deployment at the customer site; process, guidance and tools address that gap. Why does this gap exist?

9 Exploit Timeline – days from patch to exploit. Chart, days between patch and exploit code: Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25. The average is now nine days for a patch to be reverse-engineered. As this cycle keeps getting shorter, patching is a less effective defense in large organizations. Why does this gap exist?

10 The Forensics of a Virus (Blaster timeline). July 1 – Report: vulnerability in RPC/DCOM reported; MS activated its highest-level emergency response process (vulnerability reported to us, patch in progress). July 16 – Bulletin: MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners and government agencies (bulletin and patch available, no exploit). July 25 – Exploit: X-focus (Chinese group) published an exploit tool; MS heightened efforts to get information to customers (exploit code in public). Aug 11 – Worm: Blaster worm discovered; variants and other viruses hit simultaneously (e.g. "SoBig") (worm in the world). Blaster shows the complex interplay between security researchers, software companies, and hackers.

11 Microsoft Commitment: build software and services that will help better protect our customers and the industry. Better processes and tools; guidance and training for our customers; technology innovation; Trustworthy Computing quality improvements.

12 You've Told Us: "I can't keep up…new patches are released every week"; "The quality of the patching process is low and inconsistent"; "I need to know the right way to run a Microsoft enterprise"; "There are still too many vulnerabilities in your products". Our Action Items: Provide Guidance and Training; Mitigate Vulnerabilities Without Patches; Continue Improving Quality; Improve the Patching Experience.

13 Improve the Patching Experience – New Patch Policies. Extending support to June 2004 for Windows 2000 SP2 and Windows NT SP6a. Non-emergency security patches move to a monthly release schedule: allows planning a predictable monthly test and deployment cycle; packaged as individual patches that can be deployed together, achieving the benefits of a security rollup with increased flexibility; patches for emergency issues will still release immediately.

14 Improve the Patching Experience – Patch Enhancements (Your Need / Our Response).
Reduce patch complexity: by 5/04, consolidating to 2 patch installers for W2K and higher, Office & Exchange; all patches will behave the same way (SUS 2.0, MSI 3.0).
Extend patch automation to all products: 11/03, SMS 2003 offers the capability to patch all supported Microsoft platforms and applications; by end of 2004, all MS patches behave the same at installation (MSI 3.0 + SUS 2.0) and are available in one place: MS Update.
Reduce patch size: now, patch size reduced by 35% or more; 80% reduction by 5/04 (delta patching technology and improved functionality with MSI 3.0).
Reduce risk of patch deployment: now, increased internal testing and customer testing of patches pre-release; by 5/04, rollback capability for Windows, SQL, Exchange, Office.
Reduce downtime: now, 10% fewer reboots on W2K and higher; by 5/04, 30% fewer reboots on Win 2003 (starting in SP1); up to 70% reduction for the next server release.

15 Security Guidance for IT Pros. Available now: 17 prescriptive books; How Microsoft Secures Microsoft guidance & tools. Later this year and throughout 2004: more prescriptive & how-to guides; tools & scripts to automate common tasks; focused on operating a secure environment; patterns & practices for defense in depth; enterprise security checklist – the single place for authoritative security guidance.

16 Training & Guidance: IT Pros. 500K customers to be trained by the end of 2004. Monthly webcasts and seminars: http://www.microsoft.com/seminar/events/security.mspx. New guidance on Microsoft.com: http://www.microsoft.com/guidance. Security Guidance Kit CD. New monthly newsletter: http://www.microsoft.com/technet/security/secnews/newsletter.htm. Proactive communications: using Virus Information Alliance collective data for better threat response; KB articles outline application security enhancements. Global training with more guidance and best practices for securing systems and infrastructure.

17 Guidance and Training: Developer. Global Education Program: Developer Security Seminars; MSDN Security Center; PDC Symposium. Developer Guidance: patterns & practices "Building Secure ASP.NET Applications" and "Improving Web Application Security"; Microsoft Press "Writing Secure Code v 2.0".

18 Training & Guidance: Consumers. Protect Your PC education; syndicating content on retailer and OEM sites; new bimonthly newsletter; ongoing outreach via consumer advocacy groups; Blaster removal tool. Build awareness to help develop a "maintenance mindset", encourage best practices, and make protections easier to enable.

19 Improving Patching Experience – Security Bulletin Severity Rating System (revised November 2002). Rating / Definition / Customer Action:
Critical – Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action. Apply the patch or workaround immediately.
Important – Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. Apply the patch or workaround as soon as is feasible.
Moderate – Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation. Evaluate the bulletin, determine applicability, proceed as appropriate.
Low – Exploitation is extremely difficult, or impact is minimal. Consider applying the patch at the next scheduled update interval.
More information at http://www.microsoft.com/technet/security/policy/rating.asp. Free Security Bulletin Subscription Service: http://www.microsoft.com/technet/security/bulletin/notify.asp

20 Beyond Patching: make corporations & perimeters more resilient to attack, even when patches are not installed; help stop known & unknown vulnerabilities. Goal: make 7 out of every 10 patches installable on your schedule.

21 Client Shielding Enhancements. What it is: security enhancements that protect computers even without patches; included in Win XP SP2 (H1 '04) with more to follow. What it does: helps stop network-based attacks, file attachment viruses and buffer overruns. Key features: Network Protection – improved ICF protection turned on by default; Safer e-mail – improved attachment blocking for Outlook Express and IM; Safer browsing – better user controls to prevent malicious ActiveX controls and spyware; Memory Protection – improved compiler checks (/GS) to reduce stack overruns.

22 Client Shielding Enhancements: Network Protection. What it is: Windows XP Internet Connection Firewall. What it does: helps stop network-based attacks, like Blaster, by closing unnecessary ports. Key features: protection turned on by default; improved interface makes it easier to configure; improved application compatibility; enhanced enterprise administration through Group Policy.

23 Mitigate Vulnerabilities: Safer E-mail & Instant Messaging. What it is: improved protection against malicious e-mail attachments and IM file transfers. What it does: helps stop viruses that spread through e-mail and IM, like SoBig.F. Key features: more secure default settings; improved attachment blocking for Outlook Express and IM; increased Outlook Express security and reliability.

24 Client Shielding Enhancements: Safer Web Browsing. What it is: safer browsing using Internet Explorer. What it does: improved protection against malicious content on the Web. Key features: better protection against harmful Web downloads; better user controls to prevent malicious ActiveX controls and spyware; reduced potential for IE buffer overruns.

25 Client Shielding Enhancements: Memory Protection. What it is: reduction of potential buffer overruns. What it does: helps prevent the execution of malicious code in memory normally reserved for data. Key features: improved compiler checks (/GS) to reduce stack overruns; improved heap overrun protection; leverages new processor innovations (NX) to prevent stack and heap overruns.
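The /GS compiler check mentioned on this slide works by placing a secret "cookie" between a function's local buffers and its saved return address and verifying it in the epilogue, so an overrun is caught before the corrupted return address is ever used. The following Python model is an added illustration of that mechanism, not Microsoft's compiler or runtime code; the frame layout, the cookie value, the return address and the inputs are all constructed for the example.

```python
"""Toy model of a /GS-style stack cookie check.  Added example, not
Microsoft's compiler or runtime code; layout and values are constructed."""
import struct

BUF_SIZE = 16                   # local char buffer in the modelled frame
COOKIE = 0x5A3C9F17             # constructed; a real cookie is random per process
SAVED_RETURN = 0x00401000       # constructed return address


def build_frame(cookie=COOKIE, saved_ret=SAVED_RETURN) -> bytearray:
    """Lay out the frame from low to high address:
    [local buffer][cookie][saved frame pointer][return address]."""
    frame = bytearray(BUF_SIZE)
    frame += struct.pack("<I", cookie)
    frame += struct.pack("<I", 0)          # saved frame pointer (dummy value)
    frame += struct.pack("<I", saved_ret)
    return frame


def unchecked_copy(frame: bytearray, data: bytes) -> None:
    """Models a strcpy-style copy with no length check: it writes data
    starting at the buffer and keeps going past its end (bounded here
    only by the modelled frame size)."""
    n = min(len(data), len(frame))
    frame[:n] = data[:n]


def cookie_intact(frame: bytearray, cookie=COOKIE) -> bool:
    """The epilogue check /GS inserts: compare the stored cookie with
    the expected value before the saved return address is used."""
    stored, = struct.unpack_from("<I", frame, BUF_SIZE)
    return stored == cookie


def return_address(frame: bytearray) -> int:
    """The return address the function would jump to."""
    return struct.unpack_from("<I", frame, BUF_SIZE + 8)[0]


def call_with_input(data: bytes):
    """Simulate one call: copy the input, then run the epilogue check.
    Returns (check_passed, return_address_in_frame)."""
    frame = build_frame()
    unchecked_copy(frame, data)
    return cookie_intact(frame), return_address(frame)


if __name__ == "__main__":
    for sample in (b"short input", b"A" * 40):
        ok, ret = call_with_input(sample)
        print(f"{len(sample):2d} bytes -> cookie {'intact' if ok else 'CLOBBERED'}, "
              f"return address 0x{ret:08x}")
```

With an input that fits the buffer the cookie survives and the original return address is used; with an oversized input the cookie is overwritten along with the return address, and the failed check is what lets the runtime terminate the process instead of returning into attacker-controlled data. The model does not cover the heap protection or the NX hardware support also named on the slide.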

26 Enterprise Shielding Enhancements: Enterprise Quarantine. What it is: only clients that meet corporate security standards are allowed to connect; included in Win 2003 SP1 (H2 '04) with more to follow. What it does: protects enterprise assets from infected computers; enforces specific corporate security requirements such as patch level, AV signature state and firewall state. Key features: ensures these standards are met when VPN connections are made by remote clients, and when wired or wireless connections are made by rogue and transient clients.
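The admission decision behind the quarantine slide can be stated as a small policy check over what the client reports: required patch level, age of AV signatures and firewall state. The Python below is an added example of that decision logic and is not Microsoft's quarantine implementation; the policy thresholds, the report format, the placeholder patch name EXAMPLE-001 and the sample hosts are constructed for illustration (MS03-026 is the Blaster bulletin named earlier in the deck).

```python
"""Added example of the admission decision an enterprise quarantine
makes.  Policy values, report format and sample hosts are constructed
for illustration; this is not Microsoft's quarantine implementation."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set, Tuple


@dataclass
class ClientReport:
    host: str
    connection: str            # "vpn", "wired" or "wireless"
    installed_patches: Set[str]
    av_signature_date: date
    firewall_enabled: bool


@dataclass
class Policy:
    required_patches: Set[str]
    max_signature_age: timedelta
    require_firewall: bool


# Constructed policy: MS03-026 is the Blaster bulletin from the deck,
# EXAMPLE-001 is a placeholder for any other required update.
POLICY = Policy(
    required_patches={"MS03-026", "EXAMPLE-001"},
    max_signature_age=timedelta(days=7),
    require_firewall=True,
)
TODAY = date(2004, 1, 15)      # constructed evaluation date


def evaluate(report: ClientReport, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return ("admit", []) when every requirement is met, otherwise
    ("quarantine", [reasons]) so the client is remediated before it
    reaches the internal network."""
    reasons: List[str] = []
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    age = today - report.av_signature_date
    if age > policy.max_signature_age:
        reasons.append(f"AV signatures {age.days} days old "
                       f"(limit {policy.max_signature_age.days})")
    if policy.require_firewall and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    return ("admit", []) if not reasons else ("quarantine", reasons)


# Constructed sample hosts: a compliant VPN laptop and a transient wireless guest.
COMPLIANT = ClientReport("laptop-01", "vpn", {"MS03-026", "EXAMPLE-001"},
                         date(2004, 1, 14), True)
NONCOMPLIANT = ClientReport("guest-07", "wireless", {"MS03-026"},
                            date(2003, 12, 1), False)

if __name__ == "__main__":
    for r in (COMPLIANT, NONCOMPLIANT):
        verdict, why = evaluate(r, POLICY, TODAY)
        print(f"{r.host} ({r.connection}): {verdict}", "; ".join(why))
```

The check is deliberately the same for VPN, wired and wireless clients, which is the point the slide makes: a transient laptop on a conference-room port is held to the same patch, signature and firewall requirements as a remote VPN user, and every reason for quarantine is returned so the remediation step can be targeted.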

27 Client Attack Vectors (diagram): malicious Web content; buffer overrun attacks; port-based attacks; malicious e-mail attachments.

28 VPN & Internal Enterprise Quarantines (diagram): infected remote client; infected local client.

29 Continue Improving Quality – Trustworthy Computing Release Process (milestones M1, M2 … Mn, Beta; phases Design, Development, Release, Support).
Design – Security Review: each component team develops threat models, ensuring that the design blocks applicable threats. Deliverable: design docs & specifications.
Development – Develop & Test: apply security design & coding standards; tools to eliminate code flaws (PREfix & PREfast); monitor & block new attack techniques. Security Push: team-wide stand down; threat model updates, code review, test & documentation scrub. Deliverable: development, testing & documentation.
Release – Security Audit: analysis against current threats; internal & 3rd-party penetration testing. Deliverable: product.
Support – Security Response: fix newly discovered issues; root cause analysis to proactively find and fix related vulnerabilities. Deliverable: service packs, QFEs.

30 Continue Improving Quality (chart): critical or important vulnerabilities in the first 90 days and the first 150 days, split by whether the release was a TwC release (yes/no); the bar values did not survive extraction. The TwC process is mandatory for all new products; for some widely deployed existing products: Service Pack 3 shipped July 2002 (14 months ago) – 0 bulletins since the TwC release vs. 5 in the prior period; Service Pack 3 shipped Jan. 2003 (8 months ago) – 1 bulletin since the TwC release vs. 9 in the prior period.

31 Improving Quality: Windows Server (chart of bulletins against days after availability; the values 36 and 6 are all that survived extraction).

32 Services Disabled by Default: Alerter; ASP.NET State; ClipBook; Distributed Link Tracking Server; Fast User Switching Compat; IMAPI CD-Burning COM Service; Indexing Service; License Logging; Messenger; NET Framework Support Service; NetMeeting Remote Desktop Sharing; Network DDE; Portable Media Serial Number; Remote Access Auto Connection Manager; System Event Notification; Task Scheduler; Telnet; Terminal Services Session Directory; Themes; Upload Manager; Wireless Zero Configuration; Web Client; Windows Audio.

33 Reduced Attack Surface. Windows Server 2003 disables 20+ services. IIS is not installed on Windows Server 2003 by default. If you do install IIS, the components compare as follows (IIS 5.0 clean install / IIS 6.0 clean install):
Static file support: enabled / enabled
ASP: enabled / disabled
Server-side includes: enabled / disabled
Internet Data Connector: enabled / disabled
WebDAV: enabled / disabled
Index Server ISAPI: enabled / disabled
Internet Printing ISAPI: enabled / disabled
CGI: enabled / disabled
FrontPage Server Extensions: enabled / disabled
Password Change Functionality: enabled / disabled
SMTP: enabled / disabled
FTP: enabled / disabled
ASP.NET: not included / disabled
BITS: not included / disabled
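The two preceding slides (services disabled by default, and IIS components off by default in a clean IIS 6.0 install) are a baseline a defender can audit a server against. The Python below is an added example of such an audit, not a Microsoft tool: it embeds the slides' two lists, parses a constructed service inventory export (display name and start mode, using the Auto/Manual/Disabled vocabulary of the Win32_Service StartMode property) and reports every deviation from the defaults. The inventory lines and the list of enabled IIS components are constructed sample data.

```python
"""Added example: audit a host's service inventory and installed IIS
components against the defaults listed on the slides.  The inventory
lines and component list are constructed for this example; the audit
is not a Microsoft tool."""
from typing import Dict, List, Set, Tuple

# Services the slide lists as disabled by default on Windows Server 2003
BASELINE_DISABLED_SERVICES = {
    "Alerter", "ASP.NET State", "ClipBook", "Distributed Link Tracking Server",
    "Fast User Switching Compat", "IMAPI CD-Burning COM Service",
    "Indexing Service", "License Logging", "Messenger",
    "NET Framework Support Service", "NetMeeting Remote Desktop Sharing",
    "Network DDE", "Portable Media Serial Number",
    "Remote Access Auto Connection Manager", "System Event Notification",
    "Task Scheduler", "Telnet", "Terminal Services Session Directory",
    "Themes", "Upload Manager", "Wireless Zero Configuration",
    "Web Client", "Windows Audio",
}

# IIS components that an IIS 6.0 clean install leaves disabled (from the slide)
IIS6_DISABLED_BY_DEFAULT = {
    "ASP", "Server-side includes", "Internet Data Connector", "WebDAV",
    "Index Server ISAPI", "Internet Printing ISAPI", "CGI",
    "FrontPage Server Extensions", "Password Change Functionality",
    "SMTP", "FTP", "ASP.NET", "BITS",
}

# Constructed inventory export: "<display name>,<start mode>" per line.
INVENTORY_CSV = """\
Alerter,Disabled
Messenger,Auto
Telnet,Manual
Task Scheduler,Disabled
Workstation,Auto
Windows Audio,Disabled
"""


def parse_inventory(text: str) -> Dict[str, str]:
    """Map display name -> start mode; blank and malformed lines are skipped."""
    modes: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, mode = line.rpartition(",")
        if sep and name.strip():
            modes[name.strip()] = mode.strip()
    return modes


def audit_services(modes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Baseline-disabled services that are not Disabled on this host, with
    the start mode found (Manual counts: it can still be started on demand).
    Services absent from the inventory are not installed and are not reported."""
    return sorted((svc, mode) for svc, mode in modes.items()
                  if svc in BASELINE_DISABLED_SERVICES and mode != "Disabled")


def audit_iis(enabled_components: Set[str]) -> List[str]:
    """Components enabled on this server that an IIS 6.0 clean install would
    have left off; each one is a deliberate addition to the attack surface
    that should be justified and tracked."""
    return sorted(enabled_components & IIS6_DISABLED_BY_DEFAULT)


# Constructed list of components found enabled on a server
SAMPLE_IIS_ENABLED = {"Static file support", "ASP", "WebDAV"}

if __name__ == "__main__":
    for svc, mode in audit_services(parse_inventory(INVENTORY_CSV)):
        print(f"service deviates from baseline: {svc} is {mode}")
    for comp in audit_iis(SAMPLE_IIS_ENABLED):
        print(f"IIS component enabled beyond IIS 6.0 defaults: {comp}")
```

On the sample data the audit flags Messenger (Auto) and Telnet (Manual) among the services, and ASP and WebDAV among the IIS components; static file support is not reported because IIS 6.0 enables it by default as well.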

34 Technology: Windows XP SP2. Commitment: new security technologies for Windows XP to make systems more resilient against attack. Easier, effective management of PC security that puts the customer in control; network protection, safer e-mail and Web browsing, memory protection. Beta 1 released on December 19, 2003. Availability: target RTM H1 CY04.

35 Preview: Windows XP SP2 – Windows Firewall enhancements with more granular control.

36 Pop-up blocking


38 Technology: Windows Server 2003 SP1 and ISA Server 2004. Commitment: update Windows Server 2003 and improve edge protection with technologies that enable a more secure infrastructure. Windows Server 2003 SP1: role-based security configuration; network client and remote VPN inspection; availability: RTM H2 CY04. ISA Server 2004: application layer filtering; simplified management tools; enhanced user interface; availability: RTM H1 CY04.

39 Security for Tomorrow (threat actor diagram). Axes: motivation (Curiosity, Personal Fame, Personal Gain, National Interest) against attacker skill (Script-Kiddy, Undergraduate, Expert, Specialist); actor types placed on the grid: Vandal, Trespasser, Thief, Spy, Author.

40 An Evolving Threat: the same diagram, annotated with the largest area by volume, the largest area by $ lost, the largest segment by $ spent on defense, and the fastest growing segment.

41 An Evolving Threat: the same diagram, annotated with the fastest growing segment.

42 Security for Tomorrow: leadership, innovation, partnership. Better use of existing technology: RPC over HTTP; identity management; secure wireless. Industry involvement: continuing partnerships; expanding the Virus Information Alliance; expanding "Protect Your PC" outreach for consumers. Enforcement: law enforcement assistance; reward fund. Ongoing vigilance: continued internal training and focus on building secure code.

43 Microsoft's Commitments – Steve Ballmer's speech, Oct. 9, 2003 (http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp). "Security is our #1 Priority". #1 – "We will move to one patching experience by May of next year that works across Windows and all of the application products." #2 – "Better quality in the patches" and "Rollback capability for all patches." #3 – "Reduce the size of patches." #4 – "Cut the # of reboots by 30%"

44 Microsoft's Commitments – Steve Ballmer's speech, Oct. 9, 2003 (http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp). #5 – Microsoft Update instead of just Windows Update. #6 – Monthly patches (except for critical). #7 – Starting in December, TechNet security training sessions. #8 – Monthly webcasts with Mike Nash. #9 – Report on "How Microsoft Secures Microsoft".

45 Microsoft's Commitments – Steve Ballmer's speech, Oct. 9, 2003 (http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp). #10 – "Patching is critical, but insufficient": the goal is to make 70% of patches installable on your schedule, not Microsoft's (this is the quarantine technology mentioned earlier). #11 – Browser work so ActiveX controls are "sandboxed", limiting potential damage. #12 – Improve memory protection for buffer overruns.

46 Microsoft's Commitments – Steve Ballmer's speech, Oct. 9, 2003 (http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp). "There is much to do still, much, much, much to do on security. It's a journey."

47 Resources. General: http://www.microsoft.com/security. Consumers: http://www.microsoft.com/protect. IT Professionals: http://www.microsoft.com/technet/security. Patch Management: http://www.microsoft.com/technet/security/topics/patch. Best Practices for Defense in Depth: http://www.microsoft.com/security/guidance. How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp. MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx

48 Now for the Gentle Q&A…

49 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

50 Screen shots to illustrate XP SP2

51 Windows Firewall Enhancements (screenshots): firewall on; firewall off.

52 Main control panel (screenshot): Group Policy enabled, i.e. domain-joined and controlled by Group Policy.

53 Main CPL, Exceptions tab (screenshot): firewall on, default state of the tab; alt text on mouseover.

54 Main CPL, Exceptions tab (screenshot): with Group Policy enabled the check box and name are grayed out and a details column is added. Group Policy-controlled items cannot be selected or edited, but alt text still works on mouseover.

55 Main CPL, Exceptions tab (screenshot): advanced users may add up to two extra details columns by right-clicking in the header area: "Port No." and "Open for".

56 From the Exceptions tab, Add/Edit a Program (screenshots). Add a Program: same format as the "Open with" dialog. Edit a Program: full path included for security reasons.

57 Pop-up blocking


