SCAP Adoption at Microsoft Accelerating the adoption of Microsoft technologies SCAP Adoption at Microsoft Kelly Hengesteg, Principal Group Manager

Agenda Solution Accelerators Microsoft Security Baselines System Center Configuration Manager Extensions for SCAP Security Compliance Manager Questions Microsoft.com/SolutionAccelerators

Solution Accelerator Team Accelerate the adoption of Microsoft technology in every organization Over 2.55 million downloads a year + 24M SysInternals downloads 4.39M Download page views 58% conversion rate Customer satisfaction 158 NSAT currently NSAT uplift 24 w/use of SA 87% accelerated adoption Partner satisfaction 128 NSAT currently 91% accelerated adoption 60.9% used by Partners Product impact Guidance Scripts and Code Scripts Tools NSAT is =  ((VSat% -(SDSat%+VDSat%))*100)+100 Models Microsoft.com/SolutionAccelerators

How Do We Build Accelerators? 4/5/2017 10:28 PM How Do We Build Accelerators? Engineering Best Practices Frameworks Products & Technologies Customers Partners Product Groups Microsoft Research Industry Input Solution Accelerators Partner and Microsoft Service offerings Product improvements TechNet Microsoft Learning Microsoft Press Output Speaking notes Inputs Seek a variety of input to drive the planning and development of Solution Accelerators. Customers and partners – what they needs, where business gaps are, scenario focuses etc Product groups – strategically align to their product road map and releases, to ensure relevance and optimal value of accelerators for customers, partners and MS MS IT: we do our own dog fooding Research: track market trends and changes, work with analysts, continual research programs through web and community to drive planning and development Industry: keep a tab on competitors and major market changes Engineering Deep integration of multiple elements MS product Third party product Best practices frameworks – MOF, RA Real world validation – customer, partner and MS labs Outputs Microsoft Services – more and more alignment between teams, with services building packaged offerings based on accelerators Product improvements preserves investment in accelerators as it ties to product teams Helps accelerate product evolution 71 feature sets THESE ARE 2005 NUMBERS I THINK FROM THE MMS PRESO 23 patents filed THESE ARE 2005 NUMBERS I THINK FROM THE MMS PRESO Microsoft learning – incorporation into training TechNet – publish of complete portfolio to drive value pro of the site Microsoft Press – included in books and our own titles PSS – 100% of accelerators by PSS Impact of all of this: High levels of customer and partner satisfaction Driving real: TCO/TCA Reliability Agility Product evolution Thought leadership Microsoft.com/SolutionAccelerators © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Most Popular Solution Accelerators Microsoft Deployment Toolkit 2010 Microsoft Assessment and Planning Toolkit Security Compliance Management Toolkit Malware Removal Starter Kit Infrastructure Planning and Design Guide Series Microsoft Operations Framework Microsoft.com/SolutionAccelerators

System Center Configuration Manager Extensions for SCAP Leverage existing SCCM Infrastructure to meet FDCC mandate System Center Configuration Manager Extensions for SCAP

System Center Configuration Manager Extensions for SCAP Attained NIST recognition for SCCM 2007 as a SCAP-validated tool with FDCC scanning capability June ‘09 Consume SCAP data streams Assess a system for compliance Report results in SCAP format System Center Configuration Manager Extensions for SCAP Enables agencies to take advantage of their existing SCCM infrastructures to meet the reporting requirements of the FDCC mandate Microsoft.com/SolutionAccelerators

Solution Architecture Command line tool that converts SCAP content for FDCC into DCM configuration packs Leverages SCCM 2007 feature of desired configuration management to conduct assessment Deploy SCMDCM script to clients to assess a subset of settings in the FDCC FDCC SCAP content Conversion tool SCAP2DCM SCCM DCM configuration pack Assesses client compliance SCCM 2007 SCMDCM script Command line tool that converts SCCM DCM assessments to SCAP format SCAP reports SCCM DCM report Conversion tool DCM2SCAP OVAL content specifies HKCU Interactive scanners work Remote & agent-based do not Impersonation works only if a user is actually logged on Can load locally stored profiles Enumerate list of profiles HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Filter as appropriate Load, scan, unload RegLoadKey function If any is not compliant consider the machine to not be compliant More issues Cannot load profile of a logged on user Users cannot log on if their profile is loaded and being scanned If you don’t unload hilarity ensues Copy each profile Load and scan the copies Still can’t scan logged on users this way, use impersonation For settings that we can’t scan with DCM for VBScript User rights File permissions Local groups Lockout policy Local user accounts Password policy Audit policies Output logs Admin input Microsoft.com/SolutionAccelerators

Requirements Packaging SCAP2DCM & DCM2SCAP conversion tools Current versions of both x86 and x64 Windows Requires Microsoft .NET 2.0 or later SCMDCM script Current versions of 32-bit Windows Packaging MSI SCAP2DCM.exe DCM2SCAP.exe ScmDcm.exe (packaged in ScmDcm.msi) Configuration files Release notes, user guide, FAQ, data mapping documentation Microsoft.com/SolutionAccelerators

Implementation Prerequisites Microsoft.com/SolutionAccelerators

Deploy Microsoft.com/SolutionAccelerators

Scan Microsoft.com/SolutionAccelerators

Security baselines

4/5/2017 10:28 PM Background Started developing security guides in 2002 (Windows 2000 Security Guide) The goal was to: Help reduce support costs due to …unsupportable configurations Reduce the conflicting security guidance available to our customers, drove the creation of the SCRB (Security Content Review Board) today resides in the TwC team Bring together multiple government agencies to collaborate and produce a unified guide actually started with windows 2000.  We had the goals of reducing support costs because people were recommending unsupportable configurations and reducing the amount of conflicting guidance out there.  Everyone was telling customers how to secure our platform except us.  We need to be able to talk about the fact that this is more than UA – we may put it in the notes that the windows server UA team took this on 3 times – and has come back to us on all three occasions because this is a more difficult engineering problem.  Some of this gets introduced when we talk about what a security guide is. Microsoft.com/SolutionAccelerators MICROSOFT CONFIDENTIAL © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Evolution of the Security Guide 4/5/2017 10:28 PM Evolution of the Security Guide Threats & Countermeasures Guidance Security Guide XLSM Excel listing of settings Internal Repository XML Appendix Security Guidance Threats & countermeasures* Guidance on the security model used and how to implement within your environment Detailed descriptions/Appendix of each group policy setting* Excel Spreadsheet GPOAccelerator Provides a listing of all settings (default, EC, SSLF); customers use to evaluate their own settings or variances from established baselines Group policy security baselines (setting a baseline: SET) A tool that automates the creation of the recommended security settings in your environment using group policies & GPMC *Sometimes a separate guide or chapter Enterprise Configuration (EC); Specialized Security Limited Functionality (SSLF) and Stand alone (subset of baseline security settings) Group Policy Objects SCCM DCM SCAP Security Templates (GPO’s) Microsoft.com/SolutionAccelerators MICROSOFT CONFIDENTIAL © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Security Compliance Management Toolkit Series An end-to-end solution to help you plan, deploy, and monitor your security baselines. Based on tested guidance by Microsoft security experts This Solution Accelerator is designed to help your organization meet its security and compliance requirements by providing the following resources: Prescriptive, tested, end-to-end security guidance from Microsoft for Windows Vista® Service Pack 1 (SP1), Windows XP® Professional SP3, Windows Server® 2008, Windows Server® 2003 SP2, and 2007 Microsoft Office SP1. Automated tools like the GPOAccelerator to help you configure and deploy recommended security settings. Configuration Packs for you to use with the desired configuration management (DCM) feature of Microsoft® System Center Configuration Manager 2007 SP1 to monitor the Microsoft security guidance deployed in your environment. You can also remediate security baseline issues with this functionality. Reporting functionality you can use to notify auditors that the computers in your environment are in compliance with best practices and the security recommendations for these Windows operating systems and Office applications. Security guide – The toolkits include new and updated security guides for Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003 SP2, Microsoft Office 2007 SP1, and Internet Explorer 8. The guidance provides you with best practices and automated tools to help you plan and deploy your security baselines. Security Baseline Settings workbook – A resource that lists all of the prescribed settings for each of the preconfigured security baselines that the guides recommend. Attack Surface Reference workbook – A resource that lists the changes introduced as server roles are installed on computers running Windows Server 2003 and Windows Server 2008. Security Baseline XML – XML files that allow your organization to consume the data defined in the security baseline settings workbooks. DCM Configuration Pack User Guide – A step-by-step prescriptive user guide about how to use Configurations Packs with the DCM feature in Configuration Manager 2007 R2. Baseline Compliance Management Overview – The overview discusses best practices on how to monitor security baselines for Windows operating systems, Office applications, and Internet Explorer 8. GPOAccelerator tool – A tool that you can use to create all of the Group Policy objects (GPOs) you need to deploy your chosen security configuration. This release also supports Windows Server 2003, and creating security configurations on computers not joined to a domain. DCM Configuration Packs – Configuration Packs that provide prescriptive security information, which you can use to check the compliance of systems in your environment. Available as a free download from Microsoft Microsoft.com/SolutionAccelerators

Security Baseline Portfolio http://www.microsoft.com/securitycompliance Available Today Security Compliance Management Toolkit Includes GPO Accelerator, SCCM DCM configuration packs, and security guidance) Windows XP Security Baseline Windows Vista Security Baseline Windows Server 2003 Security Baseline Windows Server 2008 Security Baseline 2007 Office Security Baseline Windows 7 Security Baseline (just released) Bit Locker Security Baselines (just released) Internet Explorer 8.0 Security Baseline (just released) Hyper-V Security Guide Microsoft.com/SolutionAccelerators

Roadmap FY10 Exchange Server 2007 Security Baseline Windows Server 2008 R2 Security Baseline Hyper-V (R2 refresh) Security Guide SQL Server 2008 – RBDMS only Baseline Future Exchange Server 2010 Security Baseline Office 2010 Security Baseline Office SharePoint Server 2007 / 2010 Security Baseline

Security Compliance Manager Enabling Baseline Management Security Compliance Manager

Managing Security Baselines Tool provides: Exportation of baseline in multiple formats/standards Classified data (structuralized) Improved data presentation Unified experience from security baseline deployment to compliance check Ability to customize baseline Compare and merging of baselines Add XTrans name Microsoft.com/SolutionAccelerators

Current Requirements Want to see our work in progress? Check out our connect site here, https://connect.microsoft.com/site/sitehome.aspx?Sit eID=715 Security Compliance Manager: Enough free disk space/memory Admin must be logged on Windows Installer 2.0 or greater Current versions of both x86 and x64 Windows XP or later Requires Microsoft .NET 2.0 or later Requires SQL Express 2008 or later Microsoft Office 2007 SP2 or later (Word & Excel) Single instance/user mode only Availability: Beta Release early Feb ’10 RTM early April ‘10 Microsoft.com/SolutionAccelerators

demo Security Compliance Manager v.1.0

Future Ideas Capabilities: Increase export formats to include System Center Operations Manager (events) Provide import formats beyond SCM v.1.0 format System Center Operations Manager packs System Center Configuration Management DCM packs SCAP Provide full authoring mode for new settings and/or events Add XTrans name Microsoft.com/SolutionAccelerators

Questions? Follow-up questions contact us at SecWish@microsoft.com or Khengest@microsoft.com Microsoft.com/SolutionAccelerators

4/5/2017 10:28 PM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.