Enhancing Customer Security: Ongoing Efforts to Help Customers Dave Sayers Technical Specialist Microsoft UK.


Agenda Impact of Security on Business Security as an Enabler Trustworthy Computing Improving Security Improving the Patching Experience Security Technologies for Clients Security Technologies for Servers Commitment to Customers

Impact to Business Industry 90% detected security breaches 4 75% have financial loss from breaches 4 85% detected computer viruses 4 80% insider abuse of network access 4 95% of all breaches avoidable 5 Security 1 Source: Forrester Research 2 Source: Information Week, 26 November Source: Netcraft summary 4 Source: Computer Security Institute (CSI) Computer Crime and Security Survey Source: CERT, B devices on the Internet by M remote users by % increase in dynamic Web sites 3

Impact to Microsoft Customers Source: Forrester (Mar 03), Can Microsoft Be Secure?

Security As An Enabler Lower Total Cost of Ownership Fewer vulnerabilities Simplify patch management Downtime is expensive Increase Business Value Connect with customers Integrate with partners Empower employees ROI Connected Productive Total Costs Dependable Best Economics

What is Trustworthy Computing? “Trustworthy Computing” means that users can trust computers and networks to be reliable, secure, and private. They can also trust those who provide products and services.

Trustworthy Computing

Improving Security: Responding to the Crisis
Patches proliferating
Time to exploit decreasing
Exploits are more sophisticated
Current approach is not sufficient
Security is our #1 Priority
There is no silver bullet
Change requires innovation
[Chart: Days between patch and exploit. Surviving labels: Blaster, Welchia/Nachi, Nimda, 25, SQL Slammer]

Security Researchers Discover vulnerabilities Collaborating to fix vulnerabilities Disclosing responsibly Fewer researchers disclosing irresponsibly; continuing to improve Exploit Coders Reverse-engineer patches & post exploit code to the Web Building community consensus that disclosure is not good Reaching out More industry experts are speaking out against exploit code Worm Builders Hack together worms with posted exploit code & worm toolkits Anti-Virus Reward Program Assisting with technical forensics work Two arrests around the Blaster worm What Microsoft is doing Results: The Exploit Process

You’ve Told Us Our Action Items “I can’t keep up…new patches are released every week” “The quality of the patching process is low and inconsistent” “I need to know the right way to run a Microsoft enterprise” “There are still too many vulnerabilities in your products” Provide Guidance and Training Mitigate Vulnerabilities Without Patches Continue Improving Quality Improve the Patching Experience

Progress To Date
SD3 + Communications: Secure by Design, Secure by Default, Secure in Deployment, Communications
TAMs call Premier Customers proactively
MSRC severity rating system
Free virus hotline
MSDN security guidance for developers
Office XP: Macros off by default
No sample code installed by default
IIS and SQL Server off by default in Visual Studio.NET
Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack
Created STPP to respond to customers
PAG for Windows 2000 Security Ops
Security training for 11,000 engineers
Security code reviews of old source
Threat modeling
“Blackhat” test coverage
Buffer overrun detection in compile process

Improve the Patching Experience New Patch Policies Extended security support to December 2004 Windows NT4 Server Security patches on a monthly predictable release cycle Allows for planning a predictable monthly test and deployment cycle Packaged as individual patches that can be deployed together NOTE: Exceptions will be made if customers are at immediate risk from viruses, worms, attacks or other malicious activities

Customer Pain
Patch and update management is the #1 driver of dissatisfaction* among IT operations staff
#1 activity that requires work after hours and on weekends
#1 activity that’s a ‘waste of time’
*Based on results from survey of 462 IT Pros conducted in September
Data shows % of total # of times the activity was listed as one of the top two drivers of 1) wasted time and 2) after hours or weekend work

Activity | SIT (1-3 SRVs) | MIT/LIT (4-49 SRVs) | EIT (50+ SRVs)
1. Updates, Patches, Hotfixes, Service Packs | 16.9% | 22.7% | 22.6%
2. Application and SW Install / Upgrade | 9.1% | 7.3% | 11.4%
3. Server – Management & Troubleshooting | 3.9% | 8.3% | 6.3%

Activity | SIT | MIT/LIT | EIT
1. Updates, Patches, Hotfixes, Service Packs | 20.7% | 22.9% | 25.6%
2. End User Support | 11.7% | 15.3% | 8.8%
3. Communication / Meetings / Dealing with Corporate Issues | 2.7% | 2.1% | 8.4%

Improve the Patching Experience: Patch Enhancements

Your Need | Our Response
Reduce patch complexity | By late 2004: Consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0)
Reduce risk of patch deployment | Now: Increased internal testing; customer testing of patches before release. By mid-2004: Rollback capability for W2k generation products and later (MSI 3.0 patches)
Reduce downtime | Now: Continued focus on reducing reboots. By late 2004: 30% of critical updates on Windows Server 2003 SP1 installed w/o rebooting (“hot patching”)
Reduce patch size | By late 2004: Substantially smaller patches for W2k generation and later OS & applications (Delta patching technology, next generation patching installers)
Improved tools consistency | By mid-2004: Consistent results from MBSA, SUS, SMS, Windows Update (will all use SUS 2.0 engine for detection)
Improved tools capabilities | May 2004: Microsoft Update (MU) hosts patches for W2k server, and over time SQL 2000, Office & Exchange 2003. By mid-2004: SUS 2.0 receives content from MU & adds capabilities for targeting, basic reporting and rollback

Patching Technologies – SUS 1.0 Internal Windows Update Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003 For critical updates, security updates and service packs Administrators maintain control over which items are published

Windows Update Services Top Features Requested Software Update Services 1.0 SP1 Windows Update Services Support for service packs Install on SBS and domain controller Support for Office and other MS products Support additional update content types Update uninstall Update targeting Improve support for low bandwidth networks Reduce amount of data that needs to be downloaded Set polling frequency for downloading new updates Minimize need for end user interruption Emergency patch deployment (‘big red button’) * Deploy update for ISV and custom apps NT4 support

Global Education Program TechNet Security Seminars Monthly Security Webcasts New Prescriptive Guidance Patterns and practices How-to configure for security How Microsoft Secures Microsoft Online Community Security Zone for IT Professionals Authoritative Enterprise Security Guidance Providing Guidance and Training IT Professionals

Make customer more resilient to attack, even when patches are not installed Help stop known & unknown vulnerabilities Goal: Make 7 out of every 10 patches installable on your schedule Beyond Patching

Delivering Security Technologies
Windows XP SP2: Improved network protection; Safer e-mail and Web browsing; Enhanced memory protection; RTM based on customer feedback
Windows Server 2003 SP1: Role-based security configuration; Inspected remote computers; Inspected internal environment; RTM H2 CY04

Security technologies for clients
What it is: Security enhancements that protect computers, even without patches…included in Windows XP SP2; more to follow
What it does: Helps stop network-based attacks, malicious attachments and Web content, and buffer overruns
Key Features:
Network protection: Improved ICF, DCOM, RPC protection turned on by default
Safer browsing: Pop-up blocking, protection from accidental installation of potentially malicious Web content
Memory protection: Improved compiler checks to reduce stack overruns, hardware NX support
Safer e-mail: Improved attachment blocking for Outlook Express and IM

Securing the Server Platform Windows Server 2003 – Secure by Default IIS 6.0 Reduced Automatic Services Smart card requirements for administrative operations Limited use of blank passwords Encrypting the offline files database Software Restriction Policies Internet Connection Firewall IE Lockdown

Securing Active Directory Delegation of administration Security Policies Software Restriction Policies GPMC What-If Scenarios Import GPOs Cross-Forest Kerberos Trust Authentication Firewall SID Filtering Quotas Security Guides

Security technologies for Enterprises
What it is: Only clients that meet corporate security standards can connect…included in Windows Server 2003 SP1; more to follow
What it does: Protects enterprise assets from infected computers
Key Features:
Role-based security configuration: Locks down servers for their specific task
Inspected remote computers and internal environment: Enforce specific corporate security requirements such as patch level, AV signature level & firewall state
Ensure these standards are met when VPN and local wired or wireless connections are made

Continue Improving Quality: Trustworthy Computing Release Process
M1, M2, Mn, Beta
Design, Development, Release, Support
Security Review: Each component team develops threat models, ensuring that design blocks applicable threats
Develop & Test: Apply security design & coding standards; tools to eliminate code flaws (PREfix & PREfast); monitor & block new attack techniques
Security Push: Team-wide stand down; threat model updates, code review, test & documentation scrub
Security Audit: Analysis against current threats; internal & 3rd party penetration testing
Security Response: Fix newly discovered issues; root cause analysis to proactively find and fix related vulnerabilities
Design docs & specifications; Development, testing & documentation; Product; Service Packs, QFEs

Critical or important vulnerabilities in the first… 36 …90 days …180 days 821 TwC release? Yes No For some widely-deployed, existing products: Mandatory for all new products: Continue Improving Quality Bulletins since TwC release Shipped July 2002, 16 months ago (as of Nov. 2003) 1 Bulletins in 16 month period prior to TwC release 6 Service Pack 3 Bulletins since TwC release Shipped Jan. 2003, 10 months ago (as of Nov. 2003) 2 Service Pack 3 11 Bulletins in 10 month period prior to TwC release

Patch Investments Extended Support for NT4 Server Improved Patching Experience – Windows Update Services Global Education Effort 500,000 customers trained by June 2004 New Security “Expert Zone” PDC Security Symposium Security Innovations Security technologies for Windows client Security technologies for Windows server Commitment to Customers

H1 04 H2 04 FutureToday Extended support Monthly patch releases Baseline guidance Community Investments Windows XP SP2 Patching enhancements SMS 2003 Windows Update Services Microsoft Update Broad training Windows Server 2003 SP1 Security technologies Next generation inspection NGSCB Windows hardening Continued OS-level security technologies

Lockdown servers, workstations and network infrastructure Design and deploy a proactive patch management strategy Centralize policy and access management

Resources General Technical Resources for IT Professionals Best Practices for Defense in Depth How Microsoft Secures Microsoft security/mssecbp.asp MSDN Security Development Tools default.aspx

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Resources Enterprise Security Guidance Design and Deploy a Proactive Patch Management Strategy Microsoft Guide to Security Patch Management: Lockdown Servers, Workstations and Network Infrastructure Microsoft Windows XP Security Guide Overview Threats and Countermeasures Guides for Windows Server 2003 and Windows XP: Windows Server 2003 Security: Securing your Network: ‑ us/dnnetsec/html/THCMCh15.asp Perimeter Firewall Service Design: 7.asp Network Access Quarantine for Windows Server 2003: Centralize Policy and Access Management Microsoft Identity and Access Management Solution: Architecture, Deployment, and Management:

Continue Improving Quality Making Progress.NET Framework (for 2002 & 2003) ASP.NET (for 2002 & 2003) Biztalk Server 2002 SP1 Commerce Server 2000 SP4 Commerce Server 2002 SP1 Content Management Server 2002 Exchange Server 2003 Host Integration Server 2002 Identity Integration Server 2003 Live Communications Server 2003 MapPoint.NET Office 2003 Rights Mgmt Client & Server 1.0 Services For Unix 3.0 SQL Server 2000 SP3 Visual Studio.NET 2002 Visual Studio.NET 2003 Virtual PC Virtual Server Windows CE (Magneto) Windows Server 2003 Windows Server 2003 ADAM 23 Products In the TwC Release Process

Improving Patching Experience: Security Bulletin Severity Rating System

Rating | Definition | Customer Action
Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action | Apply the patch or workaround immediately
Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources | Apply patch or workaround as soon as is feasible
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation | Evaluate bulletin, determine applicability, proceed as appropriate
Low | Exploitation is extremely difficult, or impact is minimal | Consider applying the patch at the next scheduled update interval

Revised November 2002
More information at
Free Security Bulletin Subscription Service

The Forensics of a Virus
July 1, Report (Vulnerability reported to us / Patch in progress): Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
July 16, Bulletin (Bulletin & patch available, no exploit): MS delivered to customers (7/16/03); Continued outreach to analysts, press, community, partners, government agencies
July 25, Exploit (Exploit code in public): X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers
Aug 11, Worm (Worm in the world): Blaster worm discovered –; variants and other viruses hit simultaneously (i.e. “SoBig”)
Blaster shows the complex interplay between security researchers, software companies, and hackers

Malicious Web content Buffer overrun attacks Port-based attacks Malicious attachments Client Attack Vectors

Potentially infected remote client Potentially infected local client Enterprise Attack Vectors

Available Now 17 prescriptive books How Microsoft secures Microsoft Later this year and throughout 2004 More prescriptive & how-to guides Tools & scripts to automate common tasks Focused on operating a secure environment Patterns & practices for defense in depth Enterprise security checklist – the single place for authoritative security guidance Security Guidance for IT Pros