Published by Christian Richard. Modified over 10 years ago.
1
Beyond Patching
Dean Iacovelli, Chief Security Advisor – State and Local Government, Microsoft Corporation
deaniac@microsoft.com
2
Objectives
- Address your concerns about security
- Update on current trends
- Current initiatives at Microsoft
- Future security product/solution roadmap
Agenda
1. Defining and managing the risk
2. System Integrity
3. Identity management
4. Trustworthy Identity
5. Client protection
6. Server protection
7. Network protection
8. Summary, Q&A
3
My Role as SLG CSA
- Overall security policy and strategy for MS SLG
- MS spokesperson to/from SLG customers
- Information broker: resources, best practices, programs
- Coordinator for incident response communication, security readiness
- Not goaled on revenue
- Basically: help ensure SLG customers have a good experience dealing with security on the MS platform
4
Your Feedback?
Challenges:
- Worms / viruses
- Spyware
- Spam
- Patch management
- Network access control
- Identity management
- Best practices / guidance
- Looking at Linux for security reasons?
5
Understanding Your Adversary (chart)
- Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest
- Skill axis: Script-Kiddy, Hobbyist Hacker, Expert, Specialist
- Attacker types plotted: Vandal, Trespasser, Author, Thief, Spy
- Callout: tools created by experts now used by less skilled attackers and criminals
- Callout: fastest growing segment
6
State and Local Security Trends
- Attacks becoming less numerous, more nasty
- Viruses/worms still lead in financial cost, BUT:
  - 6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI)
  - 2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)
- Botnets (used for cyber extortion) have jumped from an average of 2,500 machines in 2004 to 85,000 in 2006
- Why sniff the net when you can hack the site or the password?
  - 95% reported 10+ website incidents last year (FBI/CSI)
  - 15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)
- Major NT4 / Win 98 supportability issues
- Enterprise patching and management still not under control
- What your neighbor isn't doing IS your problem
- Real cost is loss of trust
7
Closer Look at Malware Data (MSRT)
Release    Days Live   Executions       Disinfections   Value %
January    28          124,613,632      239,197         0.1920%
February   28          118,209,670      351,135         0.2970%
March      35          145,502,003      443,661         0.3049%
April      28          125,150,400      590,714         0.4720%
May        35          164,283,730      1,154,345       0.7027%
June       28          162,763,946      642,955         0.3950%
...        ...         ...              ...             ...
Total      362         1,804,565,652    8,679,656       0.481%
Value % is disinfections as a share of executions (e.g. 239,197 / 124,613,632 = 0.1920%).
Source: Microsoft
8
- Video game cheats (#3 in previous chart)
- Celebrities
- Song lyrics
9
Trends in Security Spending
- $497 per employee: $354 operations, $143 capital
- Even worse for smaller agencies, as much as $650: no economies of scale
- SLG spends ~10x Federal and most of the private sector: lack of centralized strategy / tools
- Getting worse: Federal trending down from CY05, SLG trending up
- Various new state infosec laws may be impacting costs, but still a serious issue
10
MS Security Statistical Snapshot
- 263M downloads of XP SP2
- 75M downloads of Microsoft Anti-Spyware beta
- 9.7M consumers using the SP2 firewall
- 332M machines using Automatic Update or Windows Update
- 135 legal actions against spammers worldwide
- 121 phishing sites sued
- 578 Microsoft CISSPs (and counting...)
11
Microsoft Security Strategy Overview
- Threat and Vulnerability Mitigation
  - Client Protection: protect PCs & devices from malicious software
  - Server Protection: protect servers from malicious software
  - Network Protection: protect the network from malicious software & inappropriate access
- System Integrity: make systems inherently safer and more secure
- Identity and Access Management: allow legitimate users secure access to machines, applications and data
12
Security Development Lifecycle (diagram): Security Development Lifecycle; Security Response Center; Better Updates and Tools
13
Threat Modeling Example: MS03-007
- The underlying DLL (NTDLL.DLL) is not vulnerable: code made more conservative during the Security Push
- Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003
- Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
- Even if it did have WebDAV enabled: the maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
- Even if the buffer was large enough: the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
- Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which is now running as 'Network Service'
14
Focus Yielding Results (chart; * as of February 14, 2006)
Security bulletin counts in the period prior to release versus bulletins since the TwC release, per product:
- SQL Server 2000: 16 bulletins in the period prior to Service Pack 3, 3 since SP3 (released 1/17/2003)
- Products released 05/31/2001 and 11/17/2003: bulletins 820 days after product release (chart values 7 and 11)
- Products released 11/29/2000 and 09/28/2003: bulletins 1027 days after product release (chart values 89 and 50)
15
Case Study: How We Tested the WMF Patch
- 415 apps (MS & third party)
- 6 supported versions of the OS in 23 languages
- 15k print variations, 2,800 print pages verified
- 2,000 WMFs analyzed, 125 malicious WMFs tested
- 12k images verified for regressions
- 22,000 hours of stress testing
- 450k total test cases
16
Patch Management Initiative: Progress to Date
- Informed & Prepared Customers: better security bulletins and KB articles; IT Showcase: How Microsoft IT Does Patch Management
- Superior Patch Quality: improved patch testing process and coverage; expanded test process to include customers; reduced reboots by 10%, targeting 50% in Vista
- Consistent & Superior Update Experience: standardized patch and update terminology; moved from 8 installers to 2 (update.exe and MSI); standardized patch naming and switch options
- Best Patch & Update Management Solutions: Microsoft Update, WSUS, SMS 2003
17
Update Impact Analyzer Determine How Patches Will Affect Critical Apps
18
Fundamentals
- "You can only manage what you can measure" ... and you can only secure what you can manage (and find)
- Decentralization may be a reality, but it's not a best practice
- Set policy: Active Directory; central policy, local defense; delegate back business-specific policy control
- Audit policy: turning it on AFTER the incident is much less useful; don't wait for the incident to look at the logs
- Standardize builds and supported applications: enterprise assets are not toys
- Vista will make this easier; possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
19
Beyond Patching: The Problem
- Patching is no longer strategic: moving from security to operations, like backups
- New threats require new models
- The internal network is NOT trusted: the medieval castle model is the only response
- Automated attacks require automated defenses
21
Identity and Access Management: allow only legitimate users secure, policy-based access to machines, applications and data
- Trustworthy Identity (ensure users are who they claim to be; manage the identity lifecycle): Directory Services, Lifecycle Management, Strong Authentication, Federated Identity, Certificate Services
- Access Policy Management (provide access based on policy): Role-based Access Control, Audit Collection Services, Group Policy Management Console
- Information Protection (protect data throughout its lifecycle): Rights Management Services, Encryption Services, Secure Protocols and Channels, Back-up and Recovery Services
22
Fundamentals
- Reduce: consolidate to fewer identity stores; leverage metadirectories to simplify sign-on and to automate/standardize identity business rules
- Reuse: leverage globally relevant attributes across all applications; place non-globally relevant attributes in app-coupled LDAP stores
- Recycle: leverage federation to use your credentials on business partner networks
24
Fundamentals
- Medieval castle model: the internal network is NOT trusted
- Central policy, local defense
- Leverage tools you already own: Windows Firewall, Active Directory Group Policy, phishing filters, Encrypting File System, IPsec logical segmentation
- Isolate what you can't defend
25
- Helps protect the system from attacks from the network
- Provides system-level protection for the base operating system
- Enables a more secure Internet experience for the most common Internet tasks
- Enables a more secure e-mail and instant messaging experience
26
Internet Explorer 7
- Social engineering protections: Phishing Filter and colored address bar; dangerous settings notification; secure defaults for all settings
- Protection from exploits: Protected Mode to prevent malicious software; code quality improvements; ActiveX opt-in
27
Application Compatibility Toolkit v5.0
- Analyze your portfolio of applications, web sites, and computers
- Evaluate operating system deployments or the impact of operating system updates
- Rationalize and organize by applications, web sites, and computers
- Prioritize compatibility efforts with filtered reporting
- Add and manage issues and solutions for your personal computing environment
- Deploy automated mitigations to known compatibility issues
- Send/receive compatibility information to the Online Compatibility Exchange
28
Microsoft Client Protection (matrix)
- Capabilities: remove most prevalent viruses; remove all known viruses; real-time antivirus; remove all known spyware; real-time antispyware; central reporting and alerting; customization; IT infrastructure integration
- For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live
- For businesses: Microsoft Client Protection
29
Shared Computer Toolkit for Windows XP
- Windows Disk Protection: prevent unapproved changes to the Windows partition; allow critical updates and antivirus updates
- User Restrictions: restrict untrusted users from files and settings; lock user profiles for protection and privacy
- Profile Manager: create "persistent" user profiles on unprotected partitions; delete locked user profiles
- Accessibility: accessibility settings & utilities when restricted; quick access for repeat use
- Getting Started: use and learn about the Toolkit; quick access toolbar
- Tools are scriptable; additional command-line tools included
- Comprehensive Help and Handbook with supplemental security guidance
30
Next Generation Security and Compliance
- Fundamentals: Security Development Lifecycle, Threat Modeling, Code Scanning, Service Hardening
- Threat & Vulnerability Mitigation (protect against malware and intrusions): Code Integrity, IE Protected Mode, Windows Defender, IPsec/firewall integration, Network Access Protection
- Identity & Access Control (enable secure access to information): User Account Control, Plug and Play smartcards, granular auditing, simplified logon architecture
- Information Protection: BitLocker Drive Encryption, EFS smartcard key storage, RMS client, control over removable device installation, XPS Document + WPF APIs
- Engineered for the future
31
InfoCard Overview
- Secure sharing of your info online
- Simple user abstraction: manage compartmentalized versions of your identity; strong computer-generated keys instead of human-generated passwords
- Relates to familiar models: gov't ID card, driver's license, credit card, membership card, ...
- Flexible issuance: self-issued (eBay, Amazon); issued by an external authority (Visa, government)
- Implemented as a secure subsystem: protected UI, anti-spoofing techniques, encrypted storage
- Built on WS-Federation web standards
33
Security Configuration Wizard (Windows Server 2003 SP1)
- Security lockdown tool for Windows Server 2003
- Roles-based paradigm
- Focused on attack surface reduction: disables unnecessary services; disables unnecessary web extensions; blocks unnecessary ports; configures audit SACLs
- Operational infrastructure: client-server deployment infrastructure; support for Group Policy-based deployment; compliance analysis; rollback support
34
Microsoft Antigen Line of Products (Threat & Vulnerability Mitigation)
- RTM in Q2 2006
- Highlights: unique multi-engine approach for faster detection and broader protection; integrated virus and spam protection; integrated Microsoft AV engine
36
Network Access Protection (Longhorn Server, 2007)
- Policy validation: determines whether computers are compliant with the company's security policy; compliant computers are deemed "healthy"
- Network restriction: restricts network access to computers based on their health
- Remediation: provides the necessary updates to allow the computer to "get healthy"; once healthy, the network restrictions are removed
- Ongoing compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions
37
Network Access Protection Walkthrough
Components: Client; Network Access Device (DHCP, VPN); IAS Policy Server; System Health Servers; Remediation Servers; Restricted Network; Corporate Network
1. System Health Servers -> IAS Policy Server: ongoing policy updates
2. Client -> Network Access Device: "May I have access? Here's my current health status."
3. Network Access Device -> IAS Policy Server: "Should this client be restricted based on its health?"
4. IAS Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Network Access Device -> Client: "You are given restricted access until fix-up." (client placed on the Restricted Network)
6. Client -> Remediation Servers: "Can I have updates?" Remediation Servers -> Client: "Here you go."
7. Client -> Network Access Device: "Requesting access. Here's my new health status."
8. IAS Policy Server: "According to policy, the client is up to date. Grant access."
9. Client is granted access to the full intranet (Corporate Network)
38
NAP - Enforcement Options
Enforcement              Healthy client                          Unhealthy client
DHCP                     Full IP address given, full access      Restricted set of routes
VPN (MS and 3rd party)   Full access                             Restricted VLAN
802.1X                   Full access                             Restricted VLAN
IPsec                    Can communicate with any trusted peer   Healthy peers reject connection requests from unhealthy systems
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation
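The four NAP phases, the walkthrough exchange and the enforcement table above, worked through as a small simulation. This is an added example, not Microsoft code or the NAP protocol itself: the health checks (firewall state, signature age, a patch-level number), the policy thresholds, the message dictionaries and the remediation fix-ups are constructed for illustration, and the RADIUS transport between the network access device and the IAS policy server is left out.

```python
"""Simulation of the Network Access Protection (NAP) exchange and enforcement
options shown on the slides. Added example, not Microsoft code: the health
checks, policy thresholds and message dictionaries are constructed for
illustration. A real deployment carries Statements of Health from System
Health Agents through the enforcement client to the IAS policy server over
RADIUS, which this script does not implement."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client claims about itself (fields are hypothetical)."""
    firewall_on: bool
    av_signature_age_days: int
    patch_level: int          # hypothetical monotonic patch-baseline number


@dataclass(frozen=True)
class HealthPolicy:
    """Health policy held on the policy server (values are hypothetical)."""
    require_firewall: bool = True
    max_signature_age_days: int = 7
    min_patch_level: int = 100

    def evaluate(self, soh):
        """Policy validation: list of failed checks; an empty list means 'healthy'."""
        failures = []
        if self.require_firewall and not soh.firewall_on:
            failures.append("firewall disabled")
        if soh.av_signature_age_days > self.max_signature_age_days:
            failures.append("antivirus signatures out of date")
        if soh.patch_level < self.min_patch_level:
            failures.append("missing updates")
        return failures


# What an unhealthy client gets per enforcement method (Enforcement Options slide).
RESTRICTION = {
    "dhcp":   "IP address with a restricted set of routes (remediation servers only)",
    "vpn":    "restricted VLAN",
    "802.1x": "restricted VLAN",
    "ipsec":  "no health certificate: healthy peers reject its connection requests",
}


def network_access_device(method, soh, policy):
    """The NAD (DHCP/VPN/switch/IPsec peer) asks the policy server and applies the answer."""
    failures = policy.evaluate(soh)
    if failures:
        return {"access": "restricted", "enforcement": RESTRICTION[method], "fix": failures}
    return {"access": "full", "enforcement": "none", "fix": []}


def remediation_servers(soh, policy):
    """Remediation: bring the client up to the current policy (constructed fix-ups)."""
    return replace(soh, firewall_on=True, av_signature_age_days=0,
                   patch_level=max(soh.patch_level, policy.min_patch_level))


def nap_session(method, soh, policy, max_rounds=2):
    """The walkthrough slide: request -> restrict -> remediate -> re-request."""
    transcript = []
    for _ in range(max_rounds):
        decision = network_access_device(method, soh, policy)
        transcript.append(decision)
        if decision["access"] == "full":
            break
        soh = remediation_servers(soh, policy)   # only reachable while restricted
    return soh, transcript


if __name__ == "__main__":
    policy = HealthPolicy()
    laptop = StatementOfHealth(firewall_on=False, av_signature_age_days=12, patch_level=90)
    healthy, log = nap_session("dhcp", laptop, policy)
    for step in log:
        print(step)
    # Ongoing compliance: a policy change restricts an already-admitted client again.
    stricter = replace(policy, min_patch_level=120)
    print(network_access_device("ipsec", healthy, stricter))
```

Run as a script, the first decision comes back restricted with three failures and the DHCP-style restriction, the second comes back full after remediation, and the last line shows ongoing compliance: raising the patch baseline turns the same, already-admitted client back into an unhealthy one, which with IPsec enforcement means healthy peers stop accepting its connections. The thing to notice for a real rollout is that the client reports its own health; the policy server can only judge what the Statement of Health says, which is why the IPsec option, where a health certificate is needed to talk to any healthy peer at all, is the one the slides recommend for wired enforcement.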
39
NAP Partner Community
40
Getting Started
- Beta available now
- Preparing for NAP will take effort and time!
- Deployment preparation tasks: health modeling; health policy zoning; IAS (RADIUS) deployment; zone enforcement selection; exemption analysis; change process control
- Phased rollout: roll out the VPN solution to test health policy; roll out IPsec segmentation to test wired enforcement
41
Roadmap (three tracks: services, platform, products)
- Services: Frontbridge hosted services for anti-virus and anti-spam filtering (for businesses); next generation of services; content filtering services
- Platform: Windows XP SP2; Windows Server 2003 SP1; anti-malware tools; Microsoft Update; Windows Server Update Services; Windows Vista firewall; services hardening; Network Access Protection; IPsec enhancements; Audit Collection Services
- Products: ISA Server 2004; Sybari Antigen anti-spam and anti-virus for e-mail, IM and SharePoint; Windows Live OneCare (for consumers); Microsoft Client Protection; Microsoft Antigen anti-virus and anti-spam for messaging and collaboration servers; ISA Server 2006; Windows AntiSpyware; next generation of security products
42
Summary
- It's all one network. Period.
- Need to be securing for tomorrow's threats, not yesterday's
- Defense in depth is and has always been the only effective strategy
- Enterprise patch management will free us for more strategic work
- Every machine deserves a good defense
43
Contact info: Dean Iacovelli, Chief Security Advisor - State and Local Government, Microsoft Corporation, deaniac@microsoft.com
Slides available at: www.iacovelli.info/work/secgtc.ppt
44
Appendix
45
Tools / Products
- Application Compatibility Toolkit 5.0 beta sign-up: http://connect.microsoft.com/
- Network Access Protection: http://www.microsoft.com/nap
- Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/mbsa
- Windows Server Update Services (WSUS): http://www.microsoft.com/wsus
- IE 7: http://www.microsoft.com/windows/ie/default.mspx
- Client Protection: http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
- Vista security: http://www.microsoft.com/technet/windowsvista/security/default.mspx
- Security Configuration Wizard: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
46
Guidance and Training
MICROSOFT
- Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
- Security Guidance Centers: http://www.microsoft.com/security/guidance
- Security Online Training: https://www.microsoftelearning.com/security/
- XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2
- Microsoft IT Security Showcase: http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
- Security Newsletter: http://www.microsoft.com/technet/security/secnews/default.mspx
- Security Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
- Security Notifications via e-mail: http://www.microsoft.com/technet/security/bulletin/notify.mspx
- MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
- Security Bulletin Search Page: http://www.microsoft.com/technet/security/current.aspx
- Security Bulletin Webcast: http://www.microsoft.com/technet/security/bulletin/summary.mspx
- Writing Secure Code, 2nd edition: http://www.microsoft.com/mspress/books/5957.asp
- Building and Configuring More Secure Web Sites: http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
- Windows XP Security Guide, includes SP2: http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
- Security Risk Management Guide: http://go.microsoft.com/fwlink/?LinkId=30794
- Windows NT 4.0 and Windows 98 Threat Mitigation Guide: http://go.microsoft.com/fwlink/?linkid=32048
- Microsoft Identity and Access Management Series: http://go.microsoft.com/fwlink/?LinkId=14841
OTHER
- FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN
47
Age (days)   Name                            Server                   MaxSize
02.00        nubela.net                      dns.nubela.net           10725
10.94        winnt.bigmoney.biz (randex)     winnt.bigmoney.biz       2393
09.66        PS 7835 - y.eliteirc.co.uk      y.eliteirc.co.uk         2061
09.13        y.stefanjagger.co.uk (#y)       y.stefanjagger.co.uk     1832
03.10        ganjahaze.com                   ganjahaze.com            1507
01.04        PS 8049 - 1.j00g0t0wn3d.net     1.j00g0t0wn3d.net        3689
10.93        pub.isonert.net                 pub.isonert.net          537
08.07        irc.brokenirc.net               irc.brokenirc.net        649
01.02        PS 8048 - grabit.zapto.org      grabit.zapto.org         62
10.34        dark.naksha.net                 dark.naksha.net          UNK
08.96        PS 7865 - lsd.25u.com           lsd.25u.com              UNK
UNK          PS ? - 69.64.38.221             69.64.38.221             UNK
As of 6 March 2006: tracking 13,053 bot-nets, of which 8,524 are active. Average size is 85,000 computers.
49
Windows Service Hardening: Defense In Depth – Factoring/Profiling (diagram)
- Layers shown: Kernel, Drivers, User-mode Drivers, Services (Service1, Service2, Service3, Service ...; ServiceA, ServiceB), with a defense boundary (D) between each
- Goals: reduce the size of high-risk layers; segment the services; increase the number of layers
50
Vista Service Changes (services common to both platforms)
Windows XP SP2
- LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
- Network Service: DNS Client
- Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry
Vista client
- LocalSystem, firewall restricted: Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon
- LocalSystem, demand started: BITS
- Network Service, fully restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA
- Network Service, network restricted: TrkWks, Cryptographic Services
- Local Service, no network access: Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System
- Local Service, fully restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry
51
Windows Vista Firewall
- Combined firewall and IPsec management: new management tool, the Windows Firewall with Advanced Security MMC snap-in; reduces conflicts and coordination overhead between the two technologies
- Firewall rules become more intelligent: specify security requirements such as authentication and encryption; specify Active Directory computer or user groups
- Outbound filtering: an enterprise management feature, not for consumers
- Simplified protection policy reduces management overhead
52
User Account Control (UAC), previously known as "LUA"
- Users will log on as non-administrator by default
- Protects the system from the user; enables the system to protect the user
- Consent UI allows elevation to administrator
- Applications and administrator tools should be UAP-aware (UAP, User Account Protection, is the earlier name of the same feature): differentiate capabilities based on UAP; apply the correct security checks to product features
- Start testing your software against Vista now!
53
Standard UAC Prompt
54
Application Installation as a Standard User
55
Group Policy Device Restriction
56
BitLocker Drive Encryption
- Designed specifically to prevent malicious users from breaking Windows file and system protections
- Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
- A Trusted Platform Module (TPM) or a USB flash drive is used for key storage
57
Trusted Platform Module
- Smartcard-like module on the system motherboard
- Helps protect secrets
- Performs cryptographic functions: can create, store and manage keys; performs digital signature operations
- Holds platform measurements (hashes)
- Anchors the chain of trust for keys and credentials
- Protects itself against attacks
- TPM 1.2 spec: www.trustedcomputinggroup.org
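The two slides above, a BitLocker key stored by the TPM and PCRs that hold platform measurements and anchor the chain of trust, as a simulation in Python. This is an added example, not Microsoft, BitLocker or TCG code: the boot component strings, the "storage root key" secret, the HMAC-based wrap and the fixed PCR_SIZE are constructed for illustration, and BitLocker's real PCR selection, key hierarchy and the RSA-based sealing done inside the chip are not reproduced. What it does show is the property the slides rely on: the PCR value depends on every measured component and on their order, and a key sealed to one measurement is not released under another.

```python
"""Simulation of TPM 1.2 platform measurements (PCR extend) and of sealing a
BitLocker-style volume master key to them. Added example, not Microsoft,
BitLocker or TCG code: the boot components, the 'storage root key' secret
and the HMAC wrap are constructed for illustration; a real TPM keeps its
storage root key inside the chip and seals with RSA in firmware."""
import hashlib
import hmac

PCR_SIZE = 20          # TPM 1.2 PCRs are SHA-1 sized and reset to all zeros


def extend(pcr, component):
    """TPM_Extend: PCR_new = SHA-1(PCR_old || SHA-1(component)); order of extends matters."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components):
    """Measured boot: each stage hashes the next into the PCR before handing over control."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class SimTpm:
    """Stand-in for the chip: holds a secret that never leaves it and seals/unseals."""

    def __init__(self, srk_secret):
        self._srk = srk_secret

    def _wrap_key(self, pcr):
        return hmac.new(self._srk, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, expected_pcr, secret):
        """Bind 'secret' (at most 32 bytes) to the PCR value present at seal time."""
        assert len(secret) <= 32
        blob = bytes(a ^ b for a, b in zip(secret, self._wrap_key(expected_pcr)))
        tag = hmac.new(self._srk, expected_pcr + blob, hashlib.sha256).digest()
        return {"pcr": expected_pcr, "blob": blob, "tag": tag}

    def unseal(self, sealed, current_pcr):
        """Release the secret only if the platform measures as it did when sealed."""
        if not hmac.compare_digest(sealed["pcr"], current_pcr):
            return None        # boot path changed: nothing is released
        tag = hmac.new(self._srk, current_pcr + sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(sealed["tag"], tag):
            return None        # sealed blob altered on disk, or a different chip
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._wrap_key(current_pcr)))


# Constructed boot chains; the second swaps the OS loader for a modified one.
GOOD_BOOT = [b"MBR v1", b"bootmgr v1", b"winload.exe v1", b"BCD settings v1"]
TAMPERED_BOOT = [b"MBR v1", b"bootmgr v1", b"winload.exe (modified)", b"BCD settings v1"]


def bitlocker_boot(tpm, sealed_vmk, components):
    """Return the volume master key on a matching boot, else None (BitLocker enters recovery)."""
    return tpm.unseal(sealed_vmk, measure_boot(components))


if __name__ == "__main__":
    tpm = SimTpm(b"constructed SRK secret")
    vmk = bytes(range(32))
    sealed = tpm.seal(measure_boot(GOOD_BOOT), vmk)
    print("good boot releases key :", bitlocker_boot(tpm, sealed, GOOD_BOOT) == vmk)
    print("tampered boot releases :", bitlocker_boot(tpm, sealed, TAMPERED_BOOT))
```

A mismatched measurement yields nothing rather than a wrong key, which is why a tampered boot path, or a sealed blob copied to another machine, lands BitLocker in recovery instead of silently decrypting the volume; the same mechanism is what makes a legitimate firmware or boot-loader update require the recovery key unless the protector is suspended first.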