1. 安全事故响应 微软信息安全管理 Abstract Executive Summary
This 24-slide presentation, published January 2003, details the Microsoft IT group preventative approach to managing computer vulnerabilities. Designed to reduce the occurrences and severity of attacks, Microsoft IT’s security methodology includes the development of processes to reduce open ports and vulnerable systems and services, manage user permissions, regularly assess risks, and regularly monitor compliance with security guidelines.
Executive Summary
Security threats to computer networks often come from attackers who take advantage of security flaws, such as well-known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks. These attacks are often discussed in newsgroups or chat rooms, and the attack tools are frequently published on the Internet.
At one time, Microsoft used a reactive approach: If an exploit occurred, resources were deployed and narrowly focused on that exploit only. The process involved deploying and testing a patch on a single server and then distributing the patch to other servers at risk. This process was too time consuming—and involved too much risk to resources – to address a vulnerability effectively.
Accordingly, the Information Security Organization (InfoSec), within the Microsoft IT group, developed a preventative approach to managing computer vulnerabilities. Designed to reduce the occurrences and severity of attacks, The InfoSec security methodology includes reducing open ports and vulnerable systems and services, managing user permissions, regularly assessing risks, and regularly monitoring compliance with security guidelines.
InfoSec also developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities. All of these efforts are designed to eliminate network exposure and restore confidence in all systems as quickly as possible. The same overall response plan process is used for both computer incidents and other incidents, such as natural disasters. The focus of this paper is computer incident response. Although the approaches to all responses are similar, the actual steps taken to address specific computer incidents can be different, depending on the nature of the incident.
微软信息安全管理

2. 解决方案概要
解决方案
电脑网络的安全危险通常来自于攻击者对安全缺陷的利用, 比如众所周知的配置错误和公开的产品缺陷. 正如任何一个企业一样, 微软也是受攻击对象.
微软IT针对事故的响应和灾难过后的恢复开发出一套可靠的流程. 它的基本目标就是确立一个清晰的控制中心, 以便迅速降低攻击程度, 加强合作和有效地协调响应行动. 受益
微软IT详尽, 经过反复演练和灵活性的事故响应计划可以确保任何出现的攻击都可以被掌控, 这种行之有效的方法能尽力减小攻击对系统带来的不利影响.
Solution Overview
Security threats to computer networks often come from attackers who take advantage of security flaws, such as well-known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks. These attacks are often discussed in newsgroups or chat rooms, and the attack tools are frequently published on the Internet.
Solution
Microsoft IT developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities. All of these efforts are designed to eliminate network exposure and restore confidence in all systems as quickly as possible.
Benefits
Microsoft IT’s detailed, well-rehearsed, and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems.

3. 微软信息技术方法论 人员 处理过程 技术 专职员工 培训 安全 – 一种理念和优先考虑 雇员教育 安全规划 预防 检测 反应 基线技术
Microsoft IT Security Methodology
The costs of incident response and recovery can be high. An exploit can result in a significant loss of productivity and data. For example, taking servers offline and removing infected files can cause downtime. Expenditures can also include costs for conducting forensic investigations, coordinating with law enforcement, replacing damaged resources, and managing negative public relations. And after an exploit, the integrity of data can be in question; for example, if an attacker was able to gain access to an accounting database, did he or she change any data?
A coordinated security compliance and remediation program – one that combines technology, procedures, and proper use of personnel – reduces the number of vulnerabilities that attackers and malicious code use to access and compromise networks. A preventative approach toward critical security issues is less expensive than correcting vulnerabilities after systems have been compromised. However, enterprises must still prepare for the occasional attack that manages to penetrate the perimeter.
Microsoft IT oversees daily maintenance and strategic planning of the Microsoft corporate network, which includes more than 10,000 servers at several regional data centers worldwide. The network also includes more than 170,000 live nodes. About 94 percent of these nodes consist of computers, which averages to more than two computers per employee (including contingent staff), with 100-megabit switched connections to the desktop. Users of the Microsoft corporate network send and receive approximately 7 million messages a day, with over 1.5 million of those to and from the Internet.
As part of Microsoft IT, the Information Security group (InfoSec) must make decisions based on its responsibility to protect Microsoft assets, including minimizing the impact of attacks on such a large network. Handling incidents that do occur can produce a positive outcome for both Microsoft and its customers. Benefits include improving products to prevent more occurrences, modifying Microsoft IT procedures, and generating patches for customer systems.
The overall security methodology at Microsoft consists of the people, processes, and technology that work together to keep the network as secure as possible.
      基线(Baseline)说起. 基线是软件文档或源码(或其它产出物)的一个稳定版本,它是进一步开发的基础.所以,当基线形成后,项目负责SCM的人需要通知相关人员基线已经形成,并且哪儿可以找到这基线了的版本.这个过程可被认为内部的发布.至于对外的正式发布,更是应当从基线了的版本中发布. 
      基线是项目储存库中每个工件版本在特定时期的一个“快照”。它提供一个正式标准，随后的工作基于此标准，并且只有经过授权后才能变更这个标准。建立一个初始基线后，以后每次对其进行的变更都将记录为一个差值，直到建成下一个基线。
      参与项目的开发人员将基线所代表的各版本的目录和文件填入他们的工作区。随着工作的进展，基线将合并自从上次建立基线以来开发人员已经交付的工作。变更一旦并入基线，开发人员就采用新的基线，以与项目中的变更保持同步。调整基线将把集成工作区中的文件并入开发工作区。
      建立基线的三大原因是：重现性、可追踪性和报告。
      重现性是指及时返回并重新生成软件系统给定发布版的能力，或者是在项目中的早些时候重新生成开发环境的能力。可追踪性建立项目工件之间的前后继承关系。其目的在于确保设计满足要求、代码实施设计以及用正确代码编译可执行文件。报告来源于一个基线内容同另一个基线内容的比较。基线比较有助于调试并生成发布说明。
      建立基线后，需要标注所有组成构件和基线，以便能够对其进行识别和重新建立。
      建立基线有以下几个优点：
      基线为开发工件提供了一个定点和快照。       新项目可以从基线提供的定点之中建立。作为一个单独分支，新项目将与随后对原始项目（在主要分支上）所进行的变更进行隔离。       各开发人员可以将建有基线的构件作为他在隔离的私有工作区中进行更新的基础。       当认为更新不稳定或不可信时，基线为团队提供一种取消变更的方法。       您可以利用基线重新建立基于某个特定发布版本的配置，这样也可以重现已报告的错误。
      使用
      定期建立基线以确保各开发人员的工作保持同步。但是，在项目过程中，应该在每次迭代结束点（次要里程碑），以及与生命周期各阶段结束点相关联的主要里程碑处定期建立基线：
      生命周期目标里程碑（先启阶段）       生命周期构架里程碑（精化阶段）
安全规划 预防 检测 反应
处理过程
基线技术
标准, 加密, 保护
产品安全性能
安全工具和产品 技术

4. 风险评估 风险 资产价值 财产 有形/可替代 人员 雇员 信息 客户/公司网络 高 低 高 Risk Assessment
Assessing risks is part of the overall security methodology at Microsoft. The philosophy of risk at Microsoft is as follows:
Risk is acknowledged as a fundamental part of operations that is neither good nor bad. A risk is the possibility of a future loss, and although the loss itself may be perceived as bad, the risk as a whole is not.
Risk is something to manage, not something to fear. Enterprises deal with risks by actively addressing each identified risk in advance. If a loss is one possible future outcome, other possible outcomes are gains, smaller losses, or larger losses. Risk management lets the enterprise change the situation to favor one outcome over the others.
The goal is knowing that the enterprise is as prepared as it can be, and that it has a plan for staying prepared.
To ensure the most efficient allocation of resources in case of an incident, an ongoing risk-assessment process allows InfoSec to determine – and focus on – the areas at greatest risk. Risk assessment in enterprise security generally involves the following tasks:
Creating a risk model to identify potential risk areas and the probability and impact of a compromise to each area.
Determining the approach to risk mitigation. Because some assets are inherently more valuable than others, it is important to determine what is worth risking and what must be fixed. For example, people are more valuable than computers. Taking no action is an option if the risk probability or impact of a threat is low.
Understanding the technologies used, the resources (people and devices) that have access to those technologies, and the data and intellectual property that are at risk.
At Microsoft, the risk level of a specific vulnerability is based on an assessment of several factors, including the number of computers affected, whether the exploit is remotely executable, the access privileges set up on a system, whether the vulnerability is externally published and well known, and whether the method of compromise is automated by means of a script. The risk level dictates how InfoSec proceeds with its actions to secure assets and environments. 风险
资产价值 低 高
财产 有形/可替代
信息 客户/公司网络
人员 雇员

5. 预防事故发生 扫描 审计 入侵检测 确立纵深防御体系 确保远程用户客户端 Preventing Incidents
A key to preventing security incidents is to eliminate as many vulnerabilities as possible. The sections that follow describe actions that are instrumental in preventing incidents.
Scanning
Because most attackers use multiple tools to target an enterprise, the Monitoring and Compliance group at Microsoft uses a variety of automated scanning tools to identify and remediate vulnerabilities. Scanning is distributed, not centralized. That is, multiple scans run across the network simultaneously. Dedicated workstations scan thousands of hosts per week. Using dedicated workstations allows efficient CPU utilization.
Information is reported by means of a SQL Server 2000 database to aid in risk assessment, analysis, and reporting. However, technology alone does not create a solution; both processes and people must be in place to accurately identify and act upon vulnerabilities. Thus, only a restricted group of personnel manages the data.
Auditing
Using tools similar to those applied in the scanning process, the Monitoring and Compliance group conducts audits to ensure that corrective action is taken when the level of noncompliance surpasses the set tolerance level for vulnerabilities on that part of the network. A priority is assigned to the non-complying items and a service request is opened to correct the problem. Verifying that a problem has been fixed is a process of scanning, reviewing the scan report, and then entering a remediation loop that fixes the problem or creates a notification of the problem and then scans again. The process continues repeatedly until the problem is resolved. The Monitoring and Compliance group plans for a certain number of audits every year, in addition to benchmark audits conducted every few months.
Detecting Intrusions
The Monitoring and Compliance group uses a combination of Microsoft tools and third-party tools to detect intrusions inside the network and on the perimeter. The group reviews Internet Security and Acceleration Server (ISA) logs and conducts remote access audits to ensure that remote access accounts are being used only by the owners of those accounts. Thorough intrusion detection involves some potential problems. Testing for a correlation of events within the network traffic of a large organization can produce false positives (that is, independent events can appear to correlate by coincidence) and creates additional analysis work for personnel. However, the benefits generally outweigh the potential problems.
Establishing Defense in Depth: An Example
Attackers look for holes that they can use to gain access to networks. A multilayered defense strategy, called defense in depth, stops more attacks than a single point of protection.
Securing Clients for Remote Users
A network administrator can ensure that a user is following guidelines by scanning the user’s system and denying remote access if the user does not have the correct patches, programs, and security settings.

6. 事故响应团队 事故负责人 核心事故响应团队 所以事故 延伸的技术响应团队示例 按需采用
Incident Response Team Structure And Core Team
Regardless of incident type, the response plan at Microsoft remains consistent. The incident response team consists of individual teams that focus on security full time (including personnel who perform virus protection, investigations, communications, and monitoring and compliance) and those that form a “virtual team” by becoming involved in incident response only when a specific incident occurs. All members of the incident response team maintain a high level of communication with each other to resolve the situation in the quickest and most orderly manner possible.
In all cases, the core incident response team consists of representatives from the Security Services and Architecture, Investigations, and Communications teams. Each of these teams makes operational assessments and allocates resources to meet urgent and emergency needs for the protection of Microsoft assets. Each team is assigned an overall lead, or chair, who is responsible for the activities of that team. Depending on the incident type, other groups may also become involved.
Core Team
The Security Services and Architecture team:
Determines the least invasive means of containing the outbreak, which may entail disconnecting systems from the network.
Runs an iterative scan, locates infected systems, and assesses the risk to Microsoft systems and products.
Analyzes compromised systems for configuration errors.
Reviews system logs and auditing results.
Adjusts monitoring systems as appropriate to better detect any ongoing activity.
Finds and fixes any affected network components.
The Investigations team:
Gathers and maintains evidence.
Pursues investigative leads.
Coordinates with law enforcement.
Conducts forensic computer examinations if appropriate.
Provides a single source for evidence collection.
The Communications team:
Alerts the Virus Attack Command Team (VACT) in event of a virus attack.
Establishes conference calls and other communication channels between incident response teams as appropriate.
Instigates backup notification procedures.
Publishes status updates based on a predetermined schedule.
Coordinates communications with Corporate Public Relations as appropriate.
Notifies key business units when the signature is deployed and when a patch is released.
其他团队
负责人
(如需)
安全, 服务及构架 负责人
调查 负责人
通讯 负责人
延伸的技术响应团队示例 按需采用
网络运作
病毒警报 命令 团队 (VACT)
IT 桌面支持

7. 病毒攻击控制团队 VACT 负责 Incident Response Extended Team 信息安全 消息传送 服务器操作 网络操作
Other teams may become involved in the incident response team, depending on the type of incident that occurs. For example, the VACT is a collective of affected organizations that responds only to viruses, although the individual organizations that compose it often contribute to the responses to other types of incidents. The teams that participate in the VACT include:
InfoSec: Handles virus attack notification, escalation, and initial response; provides antivirus software update notification and coordination.
Messaging: Manages response actions that involve , including internal Microsoft Exchange–based servers and Internet gateways.
Server Operations: Handles all updates and cleaning of infected file servers and key internal infrastructure servers.
Network Operations: Handles all updates and cleaning of infected network hardware or network services, including remote access servers.
Desktop Services: Controls end-user logon scripts; handles sending of routine global to end users; provides desktop antivirus software updates.
IT Helpdesk: Handles all requests for assistance by end users whose computers are infected by the virus.
DDOS Attack
For a distributed denial-of-service (DDoS) attack, organizations outside the core incident response team may be asked to perform a variety of tasks, such as filtering spoofed packets or changing router configurations to block illegitimate and/or destructive packets. Key contacts include Data Center Operations (DCOps) and Global Network Operations Center (GNOC).
For an attack on servers that are exposed to the Internet, organizations outside the core incident response team – such as DCOps, GNOC, Corporate Public Relations, and Microsoft Security Research Center (MSRC) – may be asked to provide press releases, account certification, password management, and auditing of any or all systems exposed to the Internet. Another key contact is Directory Services Management (DSMan), which handles all response actions that involve directory services and account management.
Unauthorized Network Intrusion
When an unauthorized network intrusion occurs, organizations outside the core incident response team may be asked to provide assistance in account certification, password management, and auditing of critical systems. These groups include DCOps, GNOC, Corporate Public Relations, DSMan, and IT Helpdesk.
Product Vulnerability
When a vulnerability is discovered in a product, organizations outside the core incident response team – such as DCOps, GNOC, Corporate Public Relations, MSRC, and IT Helpdesk – may be asked for assistance. In addition, the team responsible for developing the product is alerted to the situation so that it can conduct a full vulnerability review.
VACT 负责
信息安全
消息传送
服务器操作
网络操作
桌面服务
IT 桌面支持

8. 事故响应团队主管 事故指挥主管 通讯主管 调查主管 管理中心后勤供给 协调响应策略 确保业务中心人员到位 保持完整事件纪录
草拟提交所有计划通讯
配合公司公关部门
监察和事故有关,用于新闻发布的资料
调查主管
起主导调查的带头作用
开展电脑和信息系统的刑事检查
配合执法机构官员
Incident Response Team Chairs
The chairs often selected for incident response are detailed in the sections that follow. However, because the scope, severity, and type of incident determine what personnel become involved, not all chairs are involved in every incident.
Incident Command Chair
Managing central logistics
Coordinating a response strategy with the necessary groups
Ensuring staffing at the Operations Center as appropriate. If 24-hour-a-day operations are ongoing, ensuring the designation of shift leads.
Serving as a single point of communication for management/executive briefings
Maintaining a comprehensive record of events
Providing status reports as appropriate based on actions and information
Communications Chair
The responsibilities of the Communications Chair include the following:
Drafting and submitting all proposed communication
Coordinating with Corporate Public Relations on a regularly scheduled basis
Monitoring media for press related to the incident and collecting material for reference
Maintaining an incident-specific emergency contact list
Investigations Chair
Pursuing investigative leads
Performing a forensics examination of computer and information systems associated with the incident
Serving as a single source for evidence preservation
Coordinating with law enforcement officials as appropriate

9. 事故响应计划 确定事故严重性的快速指导 事件的重要性 对商业运营的影响 响应阶段 受攻击关键程度/被攻击资产 信息对公众的发布 曝光范围安全
扫描/审计
内部网页
和事故
有关信息 运作 用户
外部网页 支援
确定事故严重性的快速指导
事件的重要性
对商业运营的影响
受攻击关键程度/被攻击资产
信息对公众的发布
曝光范围
对公共关系影响
安全范围之外团队的启用
决定开始
事故响应计划
Incident Response Plan
Whatever the variables involved in an attack, the incident response team as a whole applies the following key procedures as a guide to ensure a successful response:
Evaluate the current state of the system, the extent of penetration/infection, the type of data at risk, the source or target of the attack, the resources that are known to be compromised, the resources that are suspected to be compromised, the impact on infrastructure, the cost of recovery, and other elements that define the scope of the problem.
Establish the first course of action in a detailed response plan.
Isolate and contain the threat, in an effort to disengage the threat and track and identify the attacker.
Analyze and respond to the incident.
Alert others according to the response strategy.
Begin system remediation and clean up issues that may have contributed to the security breach.
响应阶段 评估
当前形式
隔离和遏制
响应团队组建
确定第一步行动计划
分享和响应
持续性评估 和响应的修订
触发阶段
需要时通知
其他各方 开始
补救措施
修改/提高
响应过程
行动降级: 重返正常工作状态
事故处理总结

10. 触发阶段和团队组建 触发阶段 组建团队 评估当前形势 明确第一时间行动计划 Trigger Phase and Team Assembly
When notified of a significant security incident or network breach, core groups within the InfoSec group evaluate the incident.
Evaluate the Situation
When an incident occurs, the following criteria are applied to determine the significance of the incident:
Severity of the event
Overall business impact
Criticality of vulnerable/attacked assets
Public availability of exploit information
Scope of exposure
Public relations impacts
Extent of involvement for groups outside InfoSec
The incident response team uses the appropriate resources to determine the possible and probable extent of the damage based on the nature of the incident. A small working group is established, called the Incident Command Team, for evaluation of the incident. Technical and other specialty analyses are solicited on an as-needed basis. The Incident Command Team bases all assessments on known facts and reasonable supposition derived from those facts. Care is used in forecasting worst-case scenarios. At this point, the Incident Command Team measures the following:
Current state of the system
Extent of the penetration/infection
Type of data at risk, source or target of the attack
Resources that are known to be compromised
Resources that are suspected to be compromised
Impact on infrastructure
Cost of recovery
Other elements that define the scope of the problem
Establish the First Course of Action
Because the approach to addressing an incident can vary slightly depending on the nature of the incident, it is critical to be aware of the type of incident that has occurred before taking action. Based on the aforementioned evaluation, the Incident Command Team develops a detailed response plan. All attacks substantiated by InfoSec as high risk and that are widespread across the corporate network require notification, escalation, and emergency response. InfoSec selects an Incident Command Lead to spearhead the incident response plan. The incident response plan follows the InfoSec course of action by identifying and prioritizing action items, assigning areas of responsibility, and scheduling staff resources accordingly.
Team Assembly
Each affected organization is immediately notified, and the Incident Command Lead designates representatives from each organization as Incident Command Chairs, which compose the nucleus of the incident response team. Each Incident Command Chair escalates and disseminates information within his or her organization as appropriate.
Criteria are established to determine what will cause the development, distribution, and frequency of status reports. Status reports will contain information about critical developments, general statistical information, action items, and associated responsibilities.

11. 响应 阶段 隔离和遏制 分析和响应 需要时通知其他各方 开始补救措施 Response Phase
The response phase consists of the core actions that rectify the incident.
Isolate and Contain
In general, the intruder or the malicious code should be prevented from working through the network. All attempts to contain the threat also take into account every effort to minimize the impact to business operations. Resources are shut down or disconnected only when absolutely necessary, and such action is coordinated with the appropriate business units. During the response phase, every effort is made to disengage the threat, track and identify the offender, and close vulnerabilities that may have contributed to the security breach.
Analyze and Respond
At this point, the value of teams that have designated roles becomes most apparent as the incident response team works closely together to execute assignments, to provide regular status updates on outstanding action items, and to revise the response plan as necessary based on new information. The Incident Command Lead is the central collection point for the receipt and distribution of new information regarding the incident.
Alert Others As Required
In some cases, alerting other teams may be done in parallel with other steps. For InfoSec, the Operations Chair establishes an Operations Center and reserves private meeting space for the Incident Command Team. The Communications Chair opens and monitors a conference bridge and other communication channels as appropriate, and each Incident Command Chair escalates and disseminates information within his or her organization as appropriate.
Begin Remediation
Every effort is made to restore confidence in the affected systems as quickly as reasonably possible. Those efforts include steps to:
Save the system state by backing up as much of the system as necessary to further diagnose the incident.
Obtain forensic images and preserve original media for law enforcement review as necessary.
Remove any hidden malicious programs or directories added by the intruder or deployed by the malicious code, up to and including a system-wide removal of all programs and files.
Update virus signatures.
Eliminate the vulnerability that allowed the exploit and ensure the system is restored with an optimal security configuration.
Track hours and expenses associated with the incident response if determined to be appropriate.
Identify and document tools and techniques that would improve future incident responses.

12. 行动降级和事故后总结 行动降级 事故后总结 返回正常工作状态 无需介入各方新信息汇报 听取各主要组织汇报 事故响应成功和不足讨论
De-escalation
The de-escalation process indicates a return to normal business operations. In general, the amount of resources directed at the response to a particular incident diminishes over time.
De-escalation normally occurs when none of the parties involved in the incident are identifying or reporting new information. An incident may also be closed even if new reports are anticipated but the action items have been transitioned to a medium or long- term remediation project.
Post-incident Review
Analysis and review of a completed incident response can result in a considerable improvement in systems and processes. The Incident Command Lead schedules a post‑incident review meeting to debrief the key organizations and discuss the successes and shortcomings of the incident response. The meeting evaluates, and makes recommendations for any needed changes to, the following:
Security tools
Security resources
Security architecture
Information security policy
Standard operating procedures
Incident response plan
Overall security strategy
Outstanding contributions during the incident

13. 反击阻挡恶意软件: 木马和蠕虫 木马带来的后果远远超过受害用户的想象 后门木马看起来象是做些有用的事, 实际上正在危及电脑安全
反击阻挡恶意软件: 木马和蠕虫
木马带来的后果远远超过受害用户的想象
后门木马看起来象是做些有用的事, 实际上正在危及电脑安全
蠕虫不断以各种不同的方式,从一个硬盘到另一个硬盘复制自己
Defending Against Malware: Trojan Horse and Worm
Malicious software – often called malware – can take many forms, including worms, Trojan horses, and viruses. The Internet, , and peer-to-peer networks are the most common vehicles for malware. Peer-to-peer networks – often unprotected by antivirus software – are especially vulnerable because users within an organization often consider them a trustworthy way to share files with people outside the organization.
Attackers often use social engineering to trick computer users into opening malware. For example, because viruses often use address books to replicate, a user may not perceive that an incoming message contains a virus because the sender and subject line are familiar and not suspicious.
Trojan Horse and Backdoor Trojan Horse
A Trojan horse is a program that does something more than the user expects, and that extra function is damaging. A Trojan horse is often disguised as a game, utility, or legitimate application. Trojan horses do not replicate by themselves; they rely on users to run them. When run, a Trojan horse damages the system, and in the case of what is known as a backdoor Trojan horse, it compromises the security of the computer while appearing to do something useful. An example of a backdoor Trojan horse is a program that behaves like a system logon screen to retrieve user names and password information that the writers of the Trojan horse can later use to break into the system.
Worm
A worm is a program that copies itself from one disk drive to another. Worms use a variety of means to replicate, including (but not limited to) , instant messaging, and the Internet. Worms may arrive on a computer in the form of a joke program or some type of software. Worms are often used to deliver Trojan horses that may damage or compromise the security of a computer.
Many worms are designed to infect default configurations, so a step as simple as moving IIS to a drive other than the default – for example, drive E – may be enough to interrupt a worm’s replication. In addition, worms have fingerprints, patterns of behavior on the network. For example, the Spida worm looks for a blank administrator password, puts the guest account into the Administrators group, installs a password-cracking tool, and installs an tool that sends system information to the attacker.
When a new worm is publicized, it is important to adjust network scans to look for the fingerprint of that worm. In the case of the Spida worm, scans can look for such clues as the presence of the password tool and the tool that the worm introduces. Scanning for a fingerprint can indicate how widespread an infection is. However, using updated antivirus software continues to be the best method for eradicating known worms.

14. 反击阻挡恶意软件: 病毒 显著减少由于攻击而引起的系统宕机时间的措施 如果受到攻击, 事故响应计划开始运作, 这也专门适用于病毒攻击
反击阻挡恶意软件: 病毒
显著减少由于攻击而引起的系统宕机时间的措施
教育用户关于遵守安全政策的重要性
遵循一般操作手册来防止病毒侵入
如果受到攻击, 事故响应计划开始运作, 这也专门适用于病毒攻击
Defending Against Malware: InfoSec’s Response to a Virus
Simply defined, a virus is a program that replicates itself. The majority of viruses do nothing more than replicate. If running a program negatively affects a computer, that program is considered a virus only if it replicates. There are many different categories of viruses, such as script viruses, boot sector viruses, and executable viruses, to name a few.
A virus attack is a significant threat. Past viruses such as Love Letter and Melissa have forced many organizations’ systems offline for hours or even days. Each corporation assigns a different cost to each minute that its essential infrastructure services are offline, but every corporation should agree that the impact is significant. There is currently no way to completely protect a corporation from a virus outbreak, but there are ways to significantly reduce the risk of downtime caused by an outbreak.
In the event of a major virus attack at Microsoft, the incident response plan takes effect. However, the response is tailored to a virus attack.
The incident response team for a virus accomplishes the following:
Engages the VACT
Identifies the virus type, the source of the virus, and the method and rate of infection
Runs an iterative scan, locates infected systems, and assesses the risk to Microsoft systems and products
Collects a sample for analysis
Determines the least invasive means of containing the outbreak, which may entail disconnecting systems from the network
Deploys virus signatures
Monitors systems for behavior associated with the malicious code
Develops virus attack notification, escalation, and initial response
Provides antivirus software update notification and coordination
Manages response actions that involve , including internal Exchange-based servers and Internet gateways
Documents incident activities
Updates and cleans infected file servers and key internal infrastructure servers
Interacts with the media regarding the virus outbreak
Communicates with corporate management
Instigates backup notification procedures
Publishes status updates by and on an internal Web page, based on a predetermined schedule
Notifies key business units when the signature is deployed
Pursues investigative leads, coordinates with law enforcement, and conducts forensic examinations if appropriate

15. 反击阻挡DDoS攻击 如果DDos攻击微软网络或其他域系统, 事故响应计划开始执行运作 响应计划可以专门针对DDoS性质的攻击
通常CPU资源被大量占用也意味着DDoS攻击, 但记住其他原因也可能导致这种情况, 比如网页内容更新或安装了新的产品
Defending Against DDoS Attacks
In a DDoS attack, an intruder breaks into a number of computers and plants programs that lie dormant until activated by the attacker. The computers then send a steady stream of data packets to a targeted Web site in an attempt to crash a service (or server), overload network links, or disrupt other mission-critical resources. DDoS attacks are powerful because they can be launched simultaneously from hundreds of remotely controlled computers, thereby amplifying their reach. The objective of a DDoS attack is to exhaust the resources of the target until the underlying network fails. The tools for DDoS attacks are widely available and can be found at numerous hacker Web sites.
In the event of a DDoS attack against the Microsoft network or other domain properties, the incident response plan takes effect. However, the response is tailored to the DDoS type of attack. The overall incident response team for a DDoS attack accomplishes the following:
Captures network packets
Ascertains the source of packets
Notifies the upstream service provider
Backtracks packets wherever possible and eliminates the DDoS traffic
Monitors the network for spikes in bandwidth consumption
Conducts intelligence gathering on the Web
Determines the appropriate router configurations
Scans for denial-of-service programs installed on all network hosts
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, communicates with the MSRC to determine whether a product vulnerability facilitated or otherwise enabled the attack
Finds and fixes any affected network components
Posts end-user communications to an Microsoft IT intranet site upon distribution
Publishes status updates based on a predetermined schedule
Pursues investigative leads
Coordinates with law enforcement
Filters spoofed packets
Changes router configurations to block illegitimate and/or destructive packets
When symptoms such as high CPU usage indicate a DDoS attack, it is important to remember that there may be other causes of the symptoms. New content on a Web server, newly released products, or anything that may generate above-normal amounts of traffic may seem like a DDoS attack.

16. 反击阻挡对Internet-Facing 服务器攻击
公司网络上的系统通常是首先受到攻击的
如果Internet-facing服务器攻击微软网络或其他域系统, 事故响应计划开始执行运作
响应计划也针对Internet-facing服务器的攻击
Defending Against Internet-Facing Server Attacks
New exploits and security holes are discovered on an ongoing basis, and hacker Web sites contain many existing tools for abusing Internet-facing servers and other resources. There is always a threat that unauthorized users will find a way into publicly visible systems. Accordingly, the systems in the perimeter network are usually the first to be attacked.
In the event of an Internet-facing server attack against the Microsoft network or other domain properties, the incident response plan takes effect. However, the response is tailored to an attack on an Internet-facing server. The overall incident response team for this type of attack accomplishes the following:
Alerts affected business units
Coordinates all monitoring activities
Tailors detection systems to target incident-specific traffic
Analyzes network traffic
Provides a technical assessment
Documents incident activities
Analyzes compromised systems for configuration errors
Reviews system logs and auditing results
Runs vulnerability assessment scans and audits on all Internet-facing systems
Communicates with the MSRC to determine whether a product vulnerability facilitated or otherwise contributed to the attack
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, coordinates communications with Corporate Public Relations as appropriate
Finds and fixes any affected network components
Identifies unnecessary services running on Internet-facing systems
Publishes status updates based on a predetermined schedule
Creates a patch and advises users about the availability of a patch
Pursues investigative leads
Coordinates with law enforcement
Provides a single source for evidence collection
Conducts forensic computer examinations on compromised systems
Certifies accounts and manages passwords on any or all Internet-facing systems

17. 反击阻挡未经授权的网络入侵
攻击者可能试图攻击基本设施 – 路由器, Exchange-电子邮件服务器, 域控制器, 并且攻击 Active Directory directory 服务
如果微软遭遇网络入侵, 事故响应计划开始执行运作并且专门针对此类入侵
攻击者也可能使用障眼法 – 一种分散注意力的攻击手段
Defending Against Unauthorized Network Intrusions
Attackers have become increasingly capable of recognizing and exploiting system weaknesses to gain access to networks. Enterprises can, however, try to detect these intrusion attempts so that immediate action can be taken to restore confidence in the network after a security breach.
An attacker who gains unauthorized access to the network may try to attack the infrastructure – for example, routers, Exchange-based servers, and domain controllers. Attacks on the Active Directory® directory service are especially powerful; an attacker who takes advantage of a weak password and breaks into Active Directory can escalate user rights from guest to administrator and gain access to user names and passwords on the network.
In the event of a network intrusion at Microsoft, the incident response plan takes effect. However, the response is tailored to a network intrusion attack. The overall incident response team for this type of attack accomplishes the following:
Drives the tactical response
Coordinates all monitoring activities
Maintains and tailors all detection systems to target incident-specific traffic
Provides technical incident-specific reports and documents incident-specific activities
Gathers intelligence from the Web
Analyzes compromised systems for configuration errors
Runs vulnerability assessment scans and audits on the network
Reviews system logs and auditing results
Determines whether a product vulnerability facilitated or otherwise contributed to the attack
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, coordinates communications with Corporate Public Relations as appropriate
Finds and fixes any affected network components
Publishes status updates based on a predetermined schedule
Pursues investigative leads
Coordinates with law enforcement
Provides a single source for evidence collection
Conducts forensic computer examinations on compromised systems
Certifies accounts and manages passwords
Attackers sometimes use a “smoke screen” – an attack that attempts to divert attention from a more stealthy network intrusion. It is therefore important not to focus all attention on an initial attack, but to continue diligently looking for other attacks.

18. 关闭产品的漏洞 当程序在特别的电脑中运行, 在特定操作系统中, 或在一个特别的配置中, 产品漏洞会变得显而易见
如果一个非常严重的漏洞在微软的产品中被发现, 响应会针对这种情况而制定; 所以, 相应的措施和处理攻击会有所不同
Closing Vulnerabilities in Products
When a security weakness is found in popular products, hackers scan the Internet looking for vulnerable systems. Some computer security breaches are a consequence of system software bugs, hardware or software failures, or incorrect system administration procedures. Some product vulnerabilities become apparent only when the software is run on a particular computer, under a particular operating system, or in a specific configuration.
If a major security vulnerability is discovered in a Microsoft product, the incident response plan takes effect. However, the response is tailored to the situation of a product vulnerability, so the specific steps involved are somewhat different from the steps required to handle an attack. The overall incident response team for this type of vulnerability accomplishes the following:
Maintains and tailors detection systems to tightly monitor systems for unusual behavior associated with the vulnerability
Prepares an intermediary course of action for affected business units
Alerts affected business units to the vulnerability and responds to intrusions
Provides technical incident-specific reports and documents incident-specific activities
Tracks the status of the quick-fix engineering (QFE) fix
Runs an iterative scan, locates infected systems, and assesses the risk to Microsoft systems
Finds and fixes any affected network components
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, coordinates communications with Corporate Public Relations as appropriate
Publishes status updates based on a predetermined schedule
Disseminates information about the release of patches
Pursues investigative leads
Conducts forensic computer examinations on compromised systems
Conducts a full vulnerability review of the product

19. 教训 不安全密码管理 虚弱的帐户管理流程 不安全的和没有被管理的远程电脑 不完善的配置和没有补丁的系统 不完善的审计和监督流程
机要信息的不恰当限制访问
Lessons Learned
Before InfoSec launched the initiative that changed the approach at Microsoft to network security from firefighting to prevention and organized incident response, InfoSec identified the most common computer vulnerabilities through scanning and auditing. Enterprises should endeavor to evaluate and remedy high-risk vulnerabilities first, including:
Poor password management
Weak account management processes
Unsecured and unmanaged remote computers
Poorly configured and unpatched systems
Weak auditing and monitoring processes
Inadequately restricted access to critical information
The goal of the security initiative at Microsoft was to mitigate risk to the infrastructure by securing the network perimeter and securing the network interior through a multilayered defense strategy (defense in depth). One key to this goal was enhanced monitoring and auditing. General best practice guidelines, based on Microsoft IT’s experience in this area, include the following:
Use automated scanning tools, such as MBSA and HFNetChk, to continually scan all computers for security vulnerabilities.
Monitor computers as broadly as possible. Use a logon script to audit clients.
Use MOM to check the integrity of servers.
Institute a policy of aggressive compliance and remediation.
In other words, best practices include steps to prevent incidents as well as steps to respond to incidents. It is important for organizations to classify risks according to the value of each resource on the computer network, the likelihood of exposure for each resource, and the potential threat posed by the different kinds of attacks.

20. 第一层防御: 保护网络所处的周界 使用安全可靠无线接入 公司网络使用周界通信防火墙 使用行之有效的网络入侵检测系统 确保远程用户连接
第一层防御: 保护网络所处的周界
使用安全可靠无线接入
公司网络使用周界通信防火墙
使用行之有效的网络入侵检测系统
确保远程用户连接
工作环境拒绝病毒
First Layer of Defense: Secure the Network Perimeter
Securing the network perimeter – Internet and gateways – blocks as many attacks as possible before they can gain access to the network.
Use Secure Wireless Access
A wireless network that is based on a shared Wired Equivalent Privacy (WEP) key can be compromised for unauthorized access to the corporate network.
Use a Perimeter Messaging Firewall on the Network
Dual-homed services, are susceptible to network attacks and intrusion attempts.
Use an Effective Network Intrusion Detection System
It is important to monitor and identify network and host-based intrusions to be able to respond to them efficiently and effectively. It is also important to gather and store evidence to help identify attackers and take action.
Secure Remote User Connections
A secure perimeter must include the computers operated by remote users. Unmanaged and unsecured remote computers that connect to the corporate network can compromise overall network security. In addition to ensuring that remote users use Connection Manager to connect to the corporate network, Microsoft requires remote users to do the following.
Employ a Personal Firewall Application. A personal firewall application – for example, the Internet Connection Firewall feature of Windows XP – provides additional protection on all clients outside the corporate firewall.
Use Smart Cards. Previously, remote access to the corporate network required only single-factor authentication: user name and password. With single-factor authentication, attackers can compromise domain credentials to gain unauthorized access to resources on the network. The solution was to deploy smart cards for strong two-factor authentication.
Download the Latest Antivirus Software and Patches. Ensure that remote users install the latest approved antivirus software and software patches. At Microsoft, if automated logon scans determine that a user’s system lacks the required software or patch, InfoSec uses Connection Manager to continually prompt the user until he or she uses the Windows AutoUpdate tool to perform the installation. A user who does not comply with the request is denied access to the network.
Deny Viruses at the Perimeter
Deploy antivirus software at the gateway to scan files downloaded from the Internet. In addition, perform content scanning and filtering at Internet-facing servers. Block files that have potentially unsafe attachments, such as .exe files and files that contain script. Another useful technology to protect proxy servers is sandboxing – the process of running a program or file in an isolated environment to determine whether it is malware that is not yet detected by antivirus software.

21. 第二层防御: 加强网络自身安全保护 控制用户应用程序 消除薄弱密码 消除域服务共享帐户 使用安全的域控制器 强制使用反病毒软件和更新软件补丁
对客户端和服务器使用强势操作系统
Second Layer of Defense: Secure the Network Interior
The following sections describe methods for securing the servers and desktop computers that compose the network interior.
Control Programs Available to Users: Because users can introduce vulnerabilities when they use or download nonessential applications, it is important to document changes on the network and to control the programs on users’ desktops.
Require Password-Protected Screen Savers: To help eliminate unauthorized access to idle equipment, require all users to use screen savers that lock their computers after a specified period of time.
Eliminate Weak Passwords: Attempts to crack passwords are common. Require complex passwords with a limited validity period and maintain a list of recently used, ineligible passwords.
Eliminate Shared Domain Service Accounts: Services that use shared domain accounts are a significant security risk. Domain accounts can be compromised to gain unauthorized access to resources to the corporate network.
Consolidate Local Administrator Accounts: Local administrator account passwords shared between computers are a significant vulnerability. Compromise of one shared local administrator password leads to the compromise of all computers that use the same password.
Secure Domain Controllers: The more end users with administrative rights on a domain controller, the greater the risk that the domain controller will be compromised.
Enforce Application of Antivirus Software and Software Patches: Network clients that do not have the latest approved antivirus software and that have unpatched vulnerabilities are a major security risk. Network administrators should monitor key, security-oriented Web sites for vulnerability and new patch alerts and make patches and antivirus updates available to users in a timely and consistent manner. Servers must be patched as soon as an exploit is identified.
Use Secure, Robust Operating Systems for Clients and Servers: It is a good practice to migrate from Windows NT 4.0 to a more robust operating system, such as Windows 2000 or Windows XP. For example, Outlook 2002 in Windows XP automatically blocks potentially unsafe attachments. Security updates keep applications secure; for example, Outlook security updates can be installed for heightened default security settings and attachment security. In addition, accounts and computers in Windows NT 4.0 domains cannot be managed and secured unless those domains are migrated to Active Directory.
Educate Users: Continually reinforce behaviors that prevent malware infection. Microsoft IT has learned that the most effective way to educate users is to send a regular notice that lists the necessary tips and tricks – for example, immediately deleting messages that contain suspicious attachments and disabling macros when opening a document.

22. 结论 预防事故的发生成本比事故导致的损失要小的多 企业公司应该采用安全审计, 系统检查,补救并且教育用户如何保护自己的系统
采用详尽的,经过反复演练和灵活性的事故响应计划可以减小攻击对系统带来的不利影响.
Conclusion
Preventing an incident is less costly than reacting to an incident that occurs: Enterprises should develop a system of security audits, system scans, and remediation steps to reduce the number of computer vulnerabilities that can be exploited. Enterprises should also educate users about how to protect their systems from malware.
It is therefore important to develop an incident response plan and to practice enacting the plan to make sure that it works: Flexibility is also important; an organization should be ready to change monitoring and defensive strategies during an incident as necessary to handle the distinctive circumstances of an individual attack. Whatever the structure of an incident response team, communication is critical. All groups affected by the incident must be notified of, and responsive to, ongoing efforts.
Having a detailed, well-rehearsed, and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems.

23. 更多信息 更多关于微软IT部署和最佳实践可以参考: http://www.microsoft.com
微软 TechNet
微软案例学习资源
For More Information
Additional content on Microsoft IT deployments and best practices can be found on
TechNet:
Case Study Resources:
About Microsoft IT Showcase
Microsoft IT Showcase is a collection of key business applications, deployment strategies, early adopter experiences, best practices and leading-edge initiatives direct from the Microsoft IT organization.
IT Showcase features case studies, white papers, presentations and multimedia presentations that illustrate internal business applications, product deployment experiences and other key IT initiatives being implemented within Microsoft.
Microsoft IT's Experience
Early adopter: Microsoft IT is often the first to implement new Microsoft products in a production environment - and to develop line-of-business applications based on Microsoft technologies. Knowing what challenges we've faced and how we dealt with them can help you as you plan and execute similar projects.
Large-scale deployments: Microsoft IT oversees worldwide deployments, both of Microsoft’s products and those of other vendors. The issues we have to deal with and the lessons we learn along the way can help you as you gear up for your own large rollouts.

24. This document is provided for informational purposes only.
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.>
This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.