Microsoft’s Security Strategy

Detlef Eckert
Chief Security Advisor
Microsoft Europe, Middle East, Africa
detlefe@microsoft.com

Understanding the Attacker Landscape

Chart labels:
- National Interest, Personal Gain, Personal Fame, Curiosity
- Script-Kiddy, Hobbyist Hacker, Expert, Specialist
- Spy, Thief, Trespasser, Vandal, Author
- Fastest growing segment
- Tools created by experts now used by less skilled attackers and criminals

Microsoft’s security strategy in five steps

Step One: Secure the platform
- Designing a more resilient architecture
- Writing code with fewer vulnerabilities
- Reducing the attack surface

Software Vulnerabilities in Context

Diagram labels: Intended Behavior, Actual Behavior, Traditional Bugs, Most Security Bugs
- Threat-based design and development
- Investment in tools and research

Security Development Lifecycle (SDL)

Phases: Requirements, Design, Implementation, Verification, Release, Response
- Security has become an integrated part of the software development process

SDL At Work – MS03-007

- The underlying DLL (NTDLL.DLL) not vulnerable
  - Code made more conservative during Security Push
- Even if it were vulnerable
  - IIS 6.0 not running by default on Windows Server 2003
- Even if it were running
  - IIS 6.0 doesn’t have WebDAV enabled by default
- Even if it did have WebDAV enabled
  - Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
- Even if the buffer were large enough
  - Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
- Even if there were an exploitable buffer overrun
  - Would have occurred in w3wp.exe which is now running as ‘network service’

SDL At Work – Number of Security Bulletins 64 27 628
Microsoft’s security strategy in five steps

Step Two: Improve Update Management
- Improve Patch Quality
- Unique Update Experience
- Rollback Facility
- Monthly Update Cycle
- Advanced Update Notification
- Security Advisory
- Tools and Management Software

“Microsoft Update” (Windows Update)

Diagram labels: Today, Future; Download Center, Office Update, VS Update; AutoUpdate; Windows Update Services, SUS; SMS; “Windows only”; “Windows, SQL, Exchange, Office…”

http://update.microsoft.com/microsoftupdate

Microsoft’s security strategy in five steps

Step Three: Active Protection Technology
- Windows Firewall
- ISA Server
- Anti-Virus (GeCAD, Sybari)
- Anti-Spyware
- More in planning (e.g. vulnerability assessment)

- Complements traditional antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC
- Updated monthly to remove prevalent malware
- Targeted at consumers without antivirus
- Enterprise deployable as part of a defense-in-depth strategy
- Available through:
  - Windows Update
  - Auto Update
  - Online interface
  - MS Download Center
- Distributed to over 125M PCs

Cleaner Statistics (as of 11 March 2005)

| Release | Days Live | Executions | Disinfections | Value % |
|---|---|---|---|---|
| January | 28 | 124,613,632 | 239,197 | 0.1920% |
| February | | 118,209,670 | 351,135 | 0.2970% |
| March | 5 | 84,013,460 | 149,981 | 0.1785% |
| Total | 61 | 326,836,762 | 740,313 | 0.2265% |

Source: Microsoft

- Spyware removal reduces PC slowdown, pop-up ads, and more
- Scheduled scans help maintain PC security and privacy
- Continuous protection guards 50+ ways spyware gets on a PC
- Intelligent alerts handle spyware based on your preferences
- Global SpyNet™ community helps identify new spyware
- Automatic signature downloads keep you up-to-date

Microsoft’s security strategy in five steps

Step Four: Enabling Secure Business Scenarios
- Designing Secure Applications (.NET, Visual Studio 2005, Guidelines & Training)
- Secure Network Architectures
- Security Features of the Platform (e.g. Windows 2003 PKI, Windows Rights Management)

Microsoft’s security strategy in five steps

Step Five: Security Eco System
- Training and Education
- Support for Industry Standards (e.g. WS Security)
- Partnerships (AntiVirus Alliance)
- Research (Microsoft Research, Sponsorship)

The Longhorn Road

- IE7
- Least-Privilege User Administration
- New levels of security building on XP SP2
- Stronger defenses against phishing, malware and spyware
- Hardware based security: Secure start-up and Volume Encryption
- Network Access Protection
- Improved Management of Security Tokens
- Federated Identity: Infocards
- And much more…

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.