Security: Securing Your IT Infrastructure. Kim Mikkelsen, Senior Technology Specialist, Enterprise & Partner Group, Microsoft Denmark.


Agenda
- The challenge of security
- People, process and technology
- Organizational security risk
- Strategic Technology Protection Program (STPP)
- The Secure Infrastructure
- Trustworthy Computing
- Next steps

The Challenge of Security
Internet-enabled businesses face challenges ensuring their technologies for computing and information assets are secure, fast and easy to interact with.
The right access to the right content by the right people.

Microsoft’s Commitment to Customers: To do everything possible to enable every customer to work, communicate, and transact securely over the Internet.

People, Process, Technology
What are the industry challenges?
Technology:
- Products lack security features
- Products have bugs
- Many issues are not addressed by technical standards
- Too hard to stay up-to-date
Process:
- Design for security
- Roles and responsibilities
- Audit, track, follow-up
- Calamity plans
- Stay up-to-date with security development
People:
- Lack of knowledge
- Lack of commitment
- Human error

Organizational Security Risk: Estimating the cost of security
[Chart labels: Organizational Security Profile (Less Secure to More Secure), Observed Security Profile, Cost of Failure, IT Security Budget, Cost of Maintaining Security, Time, Low/High]
- Each layer of the organization:
  - Has its own security requirements
  - Sets its own security profile
- The perceived cost of failure is an estimate of losses from inability to operate
  - Security spending is driven by the perceived cost of failure
- Components of the organizational security profile:
  - People
    - Security team
    - Security awareness
  - Process
    - Security policy
    - Reducing the attack surface
    - Incident response
    - Change management
    - Patch management
  - Technology
    - Defense In Depth
    - Intrusion detection

Organizational Security Risk: The impact of failure with a reactive approach
[Chart labels: Organizational Security Profile (Less Secure to More Secure), Observed Security Profile, Cost of Failure, Temporary change in security profile, IT Security Budget, Cost of Maintaining Security, Nimda Virus Response Cost, Time, Low/High]
Reactive approach:
- Increases overall security cost as a result of:
  - Lost productivity
  - Loss of investor confidence
  - User apathy
  - Loss of management support

Organizational Security Risk: The impact of failure with a proactive approach
[Chart labels: Organizational Security Profile (Less Secure to More Secure), Observed Security Profile, Cost of Failure, Incident Response with Proactive approach, IT Security Budget, Cost of Maintaining Security, Future Virus Response Cost, Time, Low/High]
Proactive approach:
- Organizational security profile better suited for future incidents
  - Lower cost over time
  - Reduced attack surface
  - Detection and early identification
  - Reaction and effective incident response

Business Impact: Security Breaches Have Real Costs
According to the Computer Crime and Security Survey 2002, by the Computer Security Institute (CSI) and the FBI:
- 90% detected computer security breaches
- 80% acknowledged financial losses due to computer breaches
- 40% of respondents quantified financial losses at $456 million, or $2 million per respondent
- 40% detected system penetration from the outside; up from 25% in 2000
- 85% detected computer viruses
InformationWeek estimates:
- Security breaches cost businesses $1.4 trillion worldwide this year
- 2/3 of companies have experienced viruses, worms, or Trojan Horses
- 15% have experienced Denial of Service attacks
Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002
Source: InformationWeek.com, 10/15/01

Security Areas
- Physical Security
- Logical Security
- Telecommunication Security
- Operating System Security
- Application Security
- Organizational Security

Microsoft Operational Framework (MOF): Risk Modeling and Mitigation
Understanding Risks
Identify and manage risks throughout all phases of the project.
[Diagram labels: Risk Statement, Retire Risks, Identify, Corporate Learning About Risks, Track, Plan, Analyze, Control, Risk Assessment Document, Top Risks]

Defense In Depth
- Industry-wide security design methodology of layering defenses:
  - Perimeter defenses
  - Network defenses
  - Host defenses
  - Application defenses
  - Data and resources
- Provides a method and framework for designing security into infrastructure
- Prescriptive guidance and detail included in Microsoft Internet Data Center design guide

Microsoft Internet Data Center Guide: Security
Examples of topics included in Internet Data Center guide:
- Defense In Depth strategy
- Common hacker methods and prevention
- Best practices for securing IIS
- Windows 2000 Active Directory design and security policies
- Best practices for application security
- Authentication

Microsoft Security Process Guidance
Based on British Standard 7799, included in Internet Data Center guide, a 4-phase process:
- Assess
  - Define security requirements
  - Perform analysis of current and desired states
- Design
  - Develop security solution
  - Utilize Defense In Depth framework
- Deploy
  - Test and implement
  - Define and document policies, standards, procedures
- Manage
  - Operational management
  - Review and reassess on a regular basis

Strategic Technology Protection Program
Get Secure! Stay Secure!
People, Process, Technology

Security Management and Operations
Security through people, process and technology
- MCS Security assessment service offering
- Prescriptive guidance for building and managing security
- Pre-tested and certified configurations
- Microsoft Operations Framework
- Industry leading security response and support
- Free PSS virus related support at
- World-class security training
- Gold certified security partner program
- Security roll-up packages
- Microsoft Baseline Security Analyzer
- Windows Update
- Microsoft Software Update Service
(Slide labels: People, Process, Technology)

STPP: “Get Secure”
Enterprise Security
- Server security configuration scanner
- SMS security patch rollout tool
- Windows Update Auto-update client (Group Policy-enabled)
Microsoft.com/security
- Server oriented security resources for server admins
- New security tools and updates
- Security Notification Service
Microsoft Consulting Services
- Security Assessment
- Security Quick Start Programs
- ISA Quick Start Program
Product Support Services (PSS)
- PCSAFETY – Free virus related support
- Security News Groups – Microsoft.com/security
(Slide labels: People, Process, Technology)

STPP: “Stay Secure”
Enhanced Product Security
- Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
Microsoft Software Update Service (SUS)
- Allows enterprise to host and select Windows Update content
Windows 2000 Service Pack (SP3)
- Provide ability to install SP3 + security rollup with a single reboot
Windows 2000 Security Rollup Patches
- Bundle all security fixes in single patches
- Reduces reboots and administrator burden
(Slide labels: People, Process, Technology)

The Secure Infrastructure
Integrated Solution for Identity Management
- Directory Services (AD & MMS)
- Authentication (PKI, Kerberos, Passport)
- Authorization (ACLs, Roles, Federation)
- Policy-based management (GP, and GPMC)
Secure Network Connectivity
- Secure Internet connectivity (MSA & ISA)
- Secure remote access (VPN, IAS)
- Secure wireless networks (PKI x)
Comprehensive Security Management and Operations
- Tools (MBSA, MSUS)
- Guidance (MOC, PAGs, Security Best Practices)
- Services (MSQS, PSS, & professional services)
- Products (SMS, MOM)

Products to Help Manage Your IT Security
Use Systems Management Server (SMS) 2.0
- Collect software/hardware inventory information
- Deploy the HFNetChk tool, collect results and report on findings
- Distribute Microsoft Security Tool Kit fixes to Windows desktops and servers
- Receive status reports on the success of distribution
Use Microsoft Operations Manager (MOM) 2000
- Proactively manage the OS and applications through built-in security-related alerts and scripts
- Continuously monitor Windows servers for possible attacks
- Receive immediate alerts of possible security breaches
- Produce reports that can showcase service levels are being met

Microsoft Baseline Security Analyzer
- Part of STPP
- Uses a version of HFNetChk to scan for missing hotfixes and service packs for Windows, IIS, and SQL.
- Includes a graphical and command line interface that can perform local or remote scans of Windows systems
- Scan for missing hotfixes and vulnerabilities in the following products: Windows NT 4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002

Software Update Services Solution
Automatic Update (AU) client
- Automatically download and install critical updates
- Security patches, high impact bug fixes and new drivers when no driver is installed for a device
- Checks Windows Update service or Corporate Update server once a day
- New! Install at scheduled time after automatic downloads
- Administrator control of configuration via registry-based policy
- Support for Windows .NET Server, Windows XP and Windows 2000
Software Update Services
- Corporate hosted server supports download and install of critical updates through Automatic Update client
- Server synchronizes with the public Windows Update service
- Simple administrative model via IE
- Updates are not made available to clients until the administrator approves them
- Runs on Windows .NET Server and Windows 2000 Server
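
An added example, not part of the presentation, of auditing the registry-based Automatic Updates policy described on the slide above: it parses a constructed .reg export and flags clients that would bypass the corporate update server or have no scheduled install. The value names (WUServer, UseWUServer, AUOptions and so on) are the documented Automatic Updates policy values rather than anything shown on the slide, and sus.corp.example is a placeholder host.

```python
import re

# Policy locations read by the Automatic Updates client (documented names,
# not taken from the slide).
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

def parse_reg_export(text):
    """Parse .reg export text into {KEY_PATH_UPPER: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue  # file header, blank line, or a value type not handled here
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            current[name] = data[1:-1].replace("\\\\", "\\")
    return keys

def audit_au_policy(keys, corporate_server):
    """Return findings for a client that should only take approved updates."""
    wu = keys.get(WU_KEY.upper(), {})
    au = keys.get(AU_KEY.upper(), {})
    findings = []
    if au.get("noautoupdate", 0) == 1:
        findings.append("Automatic Updates is disabled (NoAutoUpdate=1)")
    if au.get("usewuserver", 0) != 1:
        findings.append("client is not pointed at the corporate update server "
                        "(UseWUServer is not 1), so administrator approval is bypassed")
    elif wu.get("wuserver", "").rstrip("/").lower() != corporate_server.rstrip("/").lower():
        findings.append("WUServer is %r, expected %r"
                        % (wu.get("wuserver", ""), corporate_server))
    if au.get("auoptions") != 4:
        findings.append("no scheduled install (AUOptions is not 4)")
    else:
        day, hour = au.get("scheduledinstallday"), au.get("scheduledinstalltime")
        if day not in range(0, 8) or hour not in range(0, 24):
            findings.append("scheduled install day/time missing or out of range")
    return findings

# Constructed sample exports (not from a real machine).
COMPLIANT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.corp.example"
"WUStatusServer"="http://sus.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''

DRIFTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000002
'''

if __name__ == "__main__":
    for label, export in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        problems = audit_au_policy(parse_reg_export(export), "http://sus.corp.example")
        print(label, "->", problems or "OK")
```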

Trustworthy Computing: The Big Picture
[Table with columns Goals, Means, Execution; entries as listed on the slide:]
- Availability: Functionality there when needed
- Suitability: Features fit function
- Privacy: User in control of their data
- Integrity: Against data loss or alteration
- Reputation: System and provider brand
- Policy: Guidelines, standards, norms
- Dev Practices: Methods, philosophy
- Ops Practices: Guidelines and benchmarks
- Business Practices: Business model
- Security: Resists unauthorized access
- Quality: Usability, reliability, performance
- Intent: Management assertions
- Risks: What undermines intent, causes liability
- Implementation: Steps to deliver intent
- Evidence: Audit mechanisms

Bringing It All Together…
[Diagram labels: UNIX Application, Exchange, Web Applications, File Sharing, SQL Server, Active Directory, Non-AD Directory, LAN, Wireless LAN, VPN Gateway]
Lower Cost of Security
- Integrated infrastructure solution
- Centralized management of network resources
- Fewer identities and directories to manage
- Interoperability with other platforms
Reduced Security Risk
- Prescriptive guidance
- Internet protection via firewall and content filtering
- Security tools and services
- Security patch management infrastructure

All-Time Favorite Security Goals

Defense in depth
The defense in depth rule states that not just one security solution should be implemented but that different solutions should be combined into one solution framework. In other words, information security is not a question of this OR that but rather of this AND that. This approach has the additional advantage that the different solutions can supplement each other.

Ease of use
Ease of use assures that a security system is used when appropriate and that its use doesn’t depend on the complexity of its implementation. If a user encounters too many difficulties while working with a security system, he or she could prefer to do the same job without the security system. A way to provide ease of use is to centralize all security administration tasks and to make the application of security measures transparent to the user. This principle is used in Windows 2000 Group Policy Objects (GPOs).

Performance
As with ease of use, performance also assures that a security system is used when appropriate. It guarantees that a security system’s use doesn’t depend on its execution speed. If it takes you several minutes to send one secured mail, you might consider sending the mail without security (or upgrading the machine).

Availability
Availability protects against interruption. It guarantees that the security system and the information protected by the security system are available at all times. Excellent examples of security solutions providing availability are backup software and fault-tolerant solutions, such as hardware clustering or RAID.

Cost
This is a key factor that is often forgotten. In many organizations it’s the decisive parameter when choosing the final security solution.

Next Steps
- Microsoft Security Quick Start (MSQS)
  - Short, fixed cost programs designed to help you get secure and stay secure
  - MSQS for Planning Secure Systems
  - MSQS for Operating Secure Systems
- Build security into the development process
  - SMI – engineering for security
  - New processes and tools for development and testing
  - Mobilization of resources to make it happen
- Deploy a secure infrastructure
  - Windows 2000 Servers and ISA today
  - Windows .NET build on Windows 2000 security infrastructure
  - Best path to federation
- Utilize security training available from Microsoft
- Certified Partner Program

Security Resources (1/3)
To locate a partner who can help with Microsoft security solutions:
- Microsoft Certified Providers Directory
- Microsoft Consulting Services
For technical information:
- White Paper: Microsoft Security Response Center Security Bulletin Severity Rating System (topics/rating.asp)
- CSI/FBI Computer Crimes and Security Survey 2002, Computer Security Institute:
- ISA Server information:
- Hacking Exposed – Network Security Secrets & Solutions, 3rd Edition; Joel Scambray, Stuart McClure, George Kurtz
For training and certification questions:
- Microsoft Training and Certification
For information about Microsoft security strategies and solutions:
- Primary resource:
- White Papers:
  - Best Practices for Enterprise Security (bpentsec.asp)
  - It’s Time to End Information Anarchy (/noarch.asp)
  - The 10 Immutable Laws of Security (10imlaws.asp)

Security Resources (2/3)
Security Services:
- Microsoft Security Services Directory
- Microsoft TechNet Security (technet/security/default.asp)
For technical information:
- White Papers:
  - Security Operations Guide for Windows 2000 Server (security/prodtech/windows/windows2000/staysecure/default.asp)
  - Security Operations Guide for Exchange 2000 Server (security/prodtech/mailexch/opsguide/default.asp)
  - Internet Data Center Guide Documentation:
- Security Tools:
  - Microsoft Security Tools (technet/security/default.asp)
  - Microsoft Baseline Security Analyzer (curity/tools/Tools/MBSAhome.asp)
For information about Microsoft security strategies and solutions:
- Primary resource:
- Trustworthy Computing
- Strategic Technology Protection Program
- Product Security Notification (y/bulletin/notify.asp)
- Security Best Practices: (y/bulletin/notify.asp)

Security Resources (3/3)
Other useful resources:
- MBSA Whitepaper:
- MBSA Download: US/mbsasetup.msi
- SUS Info and Download:
- SMS Valuepack online presentation: b asp
- MMS Information:
- SfU Information:
- SfN Information:
- HIS Information:
- Active Directory Information: