Microsoft Security Progress and Strategy

9/21/2006 3:09 PM

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Daniel Meyer
Identity and Access Management Lead
Europe, Middle East & Africa
Microsoft Corporation



Services as Identities (slide diagram)

Application to Application: Rich Interactions (Office, Real time Communications, Live Meeting); Rich Client Devices & Apps; Web Browsers; Web Services; Web Server; Internet; Organization; Partner

Application integration and interaction through Web Services

Because Web Services are built on Internet technologies, they can be attacked with the same methods as those technologies.

Risks

Man In The Middle (slide diagram): PC; Server running XML Web service; Bad Guy

A SOAP monitoring tool is used to simulate the man in the middle. In reality this could be an intermediary, router, firewall, etc.

Message Protection: Integrity and Confidentiality

Threats:
• Network eavesdropping leads to disclosure of confidential information
• An attacker manipulates a message in transit, influencing the service's behavior

Vulnerabilities:
• Lack of end-to-end encryption when sending SOAP messages
• Lack of a digital signature to verify the authenticity of a SOAP message

Countermeasures: Message Protection Patterns: Data Origin Authentication, Data Confidentiality


Replay Detection

Threats:
• A replayed message will often cause data inconsistencies (especially true of update operations)
• Messages may traverse un-trusted intermediaries on an insecure network, any of whom could capture the message and replay it

Vulnerabilities:
• Limited support for preventing replayed messages
• Many replay caches do not support web farms

Countermeasures: Replay Detection Pattern
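The Message Protection and Replay Detection slides above name the patterns but do not show them applied. The following is an added example, not code from the presentation or from any Microsoft product: a Python receiver that applies data origin authentication with a keyed HMAC over the canonicalized SOAP Body (a stand-in for WS-Security's XML Signature with an X.509 token) and then rejects replays with a timestamp window and a nonce cache. The header element names, the `urn:example:...` namespace, the shared key, the freshness window and the sample envelope are all constructed for this example; confidentiality (XML Encryption) is not shown.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace plus a hypothetical header namespace that stands in
# for WS-Security's Signature/Timestamp/Nonce elements (assumption for this example).
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "ex": "urn:example:message-protection",
}
SHARED_KEY = b"constructed-demo-key"  # constructed; stands in for a key bound to an X.509 token
FRESHNESS_WINDOW_S = 300              # assumed: how old a Created timestamp may be

# Constructed sample; the payload mirrors the TrafficStatus body shown later on the page.
SAMPLE_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header/>
  <S:Body>
    <app:TrafficStatus xmlns:app="http://highwaymon.org/payloads">
      <road>520W</road><speed>3MPH</speed>
    </app:TrafficStatus>
  </S:Body>
</S:Envelope>"""


def canonical_body(envelope):
    """Return the Body element in C14N form: the part the signature covers."""
    body = ET.fromstring(envelope).find("S:Body", NS)
    if body is None:
        raise ValueError("envelope has no Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode"))


def _mac(key, created, nonce, body_c14n):
    # Timestamp and nonce are bound into the MAC so a captured message cannot be re-dated.
    msg = "{}|{}|{}".format(created, nonce, body_c14n).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def protect(envelope, key, now=None):
    """Sender side: add Created, Nonce and Signature headers (data origin authentication)."""
    root = ET.fromstring(envelope)
    header = root.find("S:Header", NS)
    if header is None:
        header = ET.Element("{%s}Header" % NS["S"])
        root.insert(0, header)
    created = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    ET.SubElement(header, "{%s}Created" % NS["ex"]).text = created
    ET.SubElement(header, "{%s}Nonce" % NS["ex"]).text = nonce
    sig = _mac(key, created, nonce, canonical_body(envelope))
    ET.SubElement(header, "{%s}Signature" % NS["ex"]).text = sig
    return ET.tostring(root, encoding="unicode")


class ReplayCache:
    """Nonces seen inside the freshness window. In a web farm every node must consult
    one shared store (database, distributed cache); a per-process dict like this one
    would let a replay through on another node."""

    def __init__(self, window_s=FRESHNESS_WINDOW_S):
        self.window_s = window_s
        self._seen = {}  # nonce -> Created timestamp

    def first_use(self, nonce, created, now):
        # Expire old nonces first, so the cache is bounded by the window rather than by traffic.
        self._seen = {n: c for n, c in self._seen.items() if now - c <= self.window_s}
        if nonce in self._seen:
            return False
        self._seen[nonce] = created
        return True


def verify(envelope, key, cache, now=None):
    """Receiver side: signature, then freshness, then replay. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    header = ET.fromstring(envelope).find("S:Header", NS)
    if header is None:
        return False, "missing header"
    created = header.findtext("ex:Created", default="", namespaces=NS)
    nonce = header.findtext("ex:Nonce", default="", namespaces=NS)
    sig = header.findtext("ex:Signature", default="", namespaces=NS)
    if not (created and nonce and sig):
        return False, "missing security header"
    expected = _mac(key, created, nonce, canonical_body(envelope))
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    try:
        created_ts = int(created)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - created_ts) > cache.window_s:
        return False, "stale"
    if not cache.first_use(nonce, created_ts, now):
        return False, "replay"
    return True, "ok"


def run_demo():
    """Good message, replay of it, tampered body, wrong key, and a stale message."""
    now = time.time()
    protected = protect(SAMPLE_ENVELOPE, SHARED_KEY, now)
    cache = ReplayCache()
    return {
        "first_delivery": verify(protected, SHARED_KEY, cache, now)[1],
        "replayed": verify(protected, SHARED_KEY, cache, now)[1],
        "tampered": verify(protected.replace("3MPH", "99MPH"), SHARED_KEY, ReplayCache(), now)[1],
        "wrong_key": verify(protected, b"other-key", ReplayCache(), now)[1],
        "stale": verify(protected, SHARED_KEY, ReplayCache(), now + 3600)[1],
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print("{:15s} -> {}".format(case, outcome))
```

The order of checks matters: the signature is verified before the timestamp or nonce is trusted, so an unauthenticated sender cannot pollute the replay cache or force timestamp parsing. The cache comment is the web-farm caveat from the slide: a per-node cache only protects the node that saw the first copy.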

Message Validation

Threats:
• Message data may be malformed with malicious intent, for example for injection attacks

Vulnerabilities:
• XML serialization helps validate some data types as XML data from the message is transformed into .Net data types, but this does not protect against malicious content inside a string being used for XML or SQL injection attacks etc.

Countermeasures: Message Validation Pattern
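To show where the Message Validation pattern goes beyond type conversion, here is an added example (not from the presentation and not Microsoft code) in Python: the TrafficStatus payload shown in the envelope later on this page is deserialized, every field is checked against an allowlist before use, and accepted values reach the database only through a parameterized statement. The field formats, the speed limit, the SQLite table and the sample messages are assumptions constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "http://highwaymon.org/payloads"  # payload namespace from the slide's envelope

# Allowlist formats per field (assumed for this example; the slide only shows "520W" and "3MPH").
ROAD_RE = re.compile(r"[0-9]{1,4}[NSEW]?")
SPEED_RE = re.compile(r"([0-9]{1,3})MPH")
MAX_SPEED_MPH = 120


class ValidationError(ValueError):
    """Well-formed XML that is nevertheless not an acceptable TrafficStatus."""


def parse_traffic_status(envelope):
    """Deserialize and validate the payload. Converting to typed fields (as XML
    serialization into .NET types does) still accepts any string for road; here
    each string must match its allowlist before it is used anywhere."""
    root = ET.fromstring(envelope)
    status = root.find("{%s}Body/{%s}TrafficStatus" % (SOAP_NS, APP_NS))
    if status is None:
        raise ValidationError("no TrafficStatus payload")
    fields = {}
    for child in status:
        if len(child):  # nested elements inside a leaf field: injected XML structure
            raise ValidationError("unexpected nested content in %s" % child.tag)
        fields[child.tag] = (child.text or "").strip()
    if set(fields) != {"road", "speed"}:  # extra or missing elements are rejected, not ignored
        raise ValidationError("unexpected element set %s" % sorted(fields))
    if not ROAD_RE.fullmatch(fields["road"]):
        raise ValidationError("road has an invalid format")
    match = SPEED_RE.fullmatch(fields["speed"])
    if not match or int(match.group(1)) > MAX_SPEED_MPH:
        raise ValidationError("speed is not a plausible value")
    return {"road": fields["road"], "speed_mph": int(match.group(1))}


def store_status(conn, status):
    # Parameterized statement: values travel separately from the SQL text, so even a
    # string that slipped past validation could never change the query itself.
    conn.execute(
        "INSERT INTO traffic_status(road, speed_mph) VALUES (?, ?)",
        (status["road"], status["speed_mph"]),
    )


def envelope(road, speed):
    """Build a constructed SOAP envelope around the slide's TrafficStatus payload."""
    return (
        '<S:Envelope xmlns:S="%s"><S:Body>' % SOAP_NS
        + '<app:TrafficStatus xmlns:app="%s">' % APP_NS
        + "<road>%s</road><speed>%s</speed>" % (road, speed)
        + "</app:TrafficStatus></S:Body></S:Envelope>"
    )


# Constructed test messages: one legitimate, three malformed with malicious intent.
SAMPLE_MESSAGES = [
    envelope("520W", "3MPH"),
    envelope("520W' OR '1'='1", "3MPH"),                            # SQL metacharacters in a string field
    envelope("520W", "999MPH"),                                      # type-correct but implausible value
    envelope("520W</road><admin>true</admin><road>520W", "3MPH"),    # XML injection adding an element
]


def process(messages):
    """Validate each message and store the accepted ones; returns (outcomes, stored rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traffic_status(road TEXT, speed_mph INTEGER)")
    outcomes = []
    for msg in messages:
        try:
            store_status(conn, parse_traffic_status(msg))
            outcomes.append("accepted")
        except (ValidationError, ET.ParseError) as exc:
            outcomes.append("rejected: %s" % exc)
    rows = conn.execute("SELECT road, speed_mph FROM traffic_status").fetchall()
    conn.close()
    return outcomes, rows


if __name__ == "__main__":
    for outcome in process(SAMPLE_MESSAGES)[0]:
        print(outcome)
```

Validation and parameterization are separate layers on purpose: the allowlist keeps bad data out of the application's logic, and the parameterized statement makes the database indifferent to whatever string did get through.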

Service Perimeter Router

Threats:
• Compromise of Web services that access internal resources may lead to compromise of dependent resources such as databases

Vulnerabilities:
• Vulnerabilities in the OS, Web service etc. may lead to compromise of the host of a web service.

Countermeasures: Service Perimeter Router Pattern

Threats and risks in SOA environments
• Unauthorized access to networks
• Privileged access by unauthorized means
• Misuse of services
• Security gaps in applications
• Falsification of data
• Misuse of data
• Unwanted disclosure of data (industrial espionage)

Connected Applications: WS-* Specifications (slide diagram)

Messaging, XML, Transports; Security, Reliable Delivery, Transactions; Metadata, Management, Business Process …

Scenarios: Devices, Mobile, P2P, EAI, B2B, Grid

WS-* Composability

Addressing, Security and Reliability headers composed in one envelope (the token value is truncated on the slide):

<S:Envelope … >
  <S:Header>
    <wsa:ReplyTo>
      <wsa:Address>http://business456.com/User12</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://fabrikam123.com/Traffic</wsa:To>
    <wsa:Action>http://fabrikam123.com/Traffic/Status</wsa:Action>
    <wssec:Security>
      <wssec:BinarySecurityToken ValueType="wssec:X509v3" EncodingType="wssec:Base64Binary">
        dWJzY3JpYmVyLVBlc…..eFw0wMTEwMTAwMD
      </wssec:BinarySecurityToken>
    </wssec:Security>
    <wsrm:Sequence>
      <wsu:Identifier>http://fabrikam123.com/seq1234</wsu:Identifier>
      <wsrm:MessageNumber>10</wsrm:MessageNumber>
    </wsrm:Sequence>
  </S:Header>
  <S:Body>
    <app:TrafficStatus xmlns:app="http://highwaymon.org/payloads">
      <road>520W</road>
      <speed>3MPH</speed>
    </app:TrafficStatus>
  </S:Body>
</S:Envelope>

Addressing: the wsa:* headers. Security: the wssec:Security header. Reliability: the wsrm:Sequence header.
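As an added example (not the presentation's code and not a Microsoft library), the following Python receiver parses this envelope header by header and refuses to dispatch when the Addressing, Security or Reliability block is not what it expects: the message must be addressed to this service, name a known action, carry an X.509 BinarySecurityToken that decodes as Base64, and arrive with the sequence number the receiver is waiting for. The namespace URIs, the placeholder token, the service address and the expected message number are assumptions, because the slide elides its xmlns declarations and truncates the token.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions for this example; the slide's envelope omits its xmlns declarations.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wssec": "http://schemas.xmlsoap.org/ws/2002/07/secext",
    "wsrm": "http://schemas.xmlsoap.org/ws/2005/02/rm",
    "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility",
}

SERVICE_ADDRESS = "http://fabrikam123.com/Traffic"          # the endpoint this receiver answers for
KNOWN_ACTIONS = {"http://fabrikam123.com/Traffic/Status"}   # operations it is willing to dispatch

# Constructed: the slide's envelope with namespace declarations added and a placeholder
# token (the slide's token value is truncated, so it is not reused here).
PLACEHOLDER_TOKEN = base64.b64encode(b"placeholder-x509-certificate-bytes").decode()
ENVELOPE = """<S:Envelope xmlns:S="{S}" xmlns:wsa="{wsa}" xmlns:wssec="{wssec}" xmlns:wsrm="{wsrm}" xmlns:wsu="{wsu}">
  <S:Header>
    <wsa:ReplyTo><wsa:Address>http://business456.com/User12</wsa:Address></wsa:ReplyTo>
    <wsa:To>http://fabrikam123.com/Traffic</wsa:To>
    <wsa:Action>http://fabrikam123.com/Traffic/Status</wsa:Action>
    <wssec:Security>
      <wssec:BinarySecurityToken ValueType="wssec:X509v3" EncodingType="wssec:Base64Binary">{token}</wssec:BinarySecurityToken>
    </wssec:Security>
    <wsrm:Sequence>
      <wsu:Identifier>http://fabrikam123.com/seq1234</wsu:Identifier>
      <wsrm:MessageNumber>10</wsrm:MessageNumber>
    </wsrm:Sequence>
  </S:Header>
  <S:Body>
    <app:TrafficStatus xmlns:app="http://highwaymon.org/payloads"><road>520W</road><speed>3MPH</speed></app:TrafficStatus>
  </S:Body>
</S:Envelope>""".format(token=PLACEHOLDER_TOKEN, **NS)


def parse_headers(xml_text):
    """Pull each composable header block out by its own namespace."""
    header = ET.fromstring(xml_text).find("S:Header", NS)
    if header is None:
        raise ValueError("missing SOAP Header")
    token = header.find("wssec:Security/wssec:BinarySecurityToken", NS)
    seq = header.find("wsrm:Sequence", NS)
    return {
        "to": header.findtext("wsa:To", namespaces=NS),
        "action": header.findtext("wsa:Action", namespaces=NS),
        "reply_to": header.findtext("wsa:ReplyTo/wsa:Address", namespaces=NS),
        "token_type": None if token is None else token.get("ValueType"),
        "token": None if token is None else (token.text or "").strip(),
        "sequence": None if seq is None else seq.findtext("wsu:Identifier", namespaces=NS),
        "message_number": None if seq is None else seq.findtext("wsrm:MessageNumber", namespaces=NS),
    }


def check_headers(info, expected_message_number):
    """Receiver-side checks; returns the list of problems (empty means dispatchable)."""
    problems = []
    if info["to"] != SERVICE_ADDRESS:
        problems.append("wsa:To does not name this service")
    if info["action"] not in KNOWN_ACTIONS:
        problems.append("wsa:Action is not a known operation")
    if info["token_type"] != "wssec:X509v3":
        problems.append("no X.509 BinarySecurityToken to authenticate the sender")
    else:
        try:
            base64.b64decode(info["token"] or "", validate=True)
        except (binascii.Error, ValueError):
            problems.append("BinarySecurityToken is not valid Base64")
    try:
        if int(info["message_number"]) != expected_message_number:
            problems.append("wsrm:MessageNumber out of order: possible gap or duplicate")
    except (TypeError, ValueError):
        problems.append("wsrm:MessageNumber missing or not an integer")
    return problems


if __name__ == "__main__":
    print(check_headers(parse_headers(ENVELOPE), 10) or "dispatchable")
```

Looking up every element by namespace rather than by local name is the point of composability: a header from one specification cannot masquerade as another's, and the receiver can add or drop a check per specification without touching the rest.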


WS-* Metasystem Architecture (slide diagram)

WS-Trust, WS-MetadataExchange; Security Token Server (Kerberos) with WS-SecurityPolicy; Security Token Server (SAML, Custom Security) with WS-SecurityPolicy; Identity Selector; ID Provider (x509); ID Provider; Subject; Relying Party; Relying Party

WS-Federation: Web Services Federation Language

Defines messages to enable security realms to federate & exchange security tokens

BEA, IBM, Microsoft, RSA, VeriSign

Two "profiles" of the model defined:
• Passive (Browser) clients – HTTP/S
• Active (Smart) clients – SOAP

(Slide diagram: Security Token Service; HTTP Receiver for HTTP messages; SOAP Receiver for SOAP messages)

WS-Federation Interoperability

WS-* public workshops/spec reviews: http://groups.yahoo.com/group/WS-Security-Workshops/

Passive Requestor Interop Profile (2004): Microsoft, IBM, RSA, Oracle (Oblix), BMC (OpenNetwork), CA (Netegrity), PingID

WS-Fed Product previews (2004): TechEd Interop pavilion & Vendor panel

WS-Fed Product interoperability (2005): Burton Catalyst

Multi-protocol Federated Identity Interop Demonstration: Microsoft, IBM, BMC, PingID, Symabs, Trustgenix, DataPower

Protection of data and infrastructure (slide diagram)

Guidance; Developer Tools; Systems Management; Active Directory Federation Services (ADFS); Identity Management Services; Information Protection: Encrypting File System (EFS), BitLocker™; Network Access Protection (NAP); Client and Server OS; Server Applications; Edge

Tools and technologies

Microsoft tools that support the development of secure Web Services:
• .NET Framework
• ADFS / STS
• Visual Studio
• Web Services Enhancements (WSE)
• Windows Communication Foundation (WCF)
• Windows Workflow Foundation
• Windows CardSpace
• BizTalk Server

Beyond these, Microsoft's other well-known end-user and enterprise products provide the deployment, use and management of Web Services.

Microsoft's Security Development Lifecycle
• Company-wide process and standard for the development of secure software
• Internal dissemination through training
• Verification through audits before release
• The Security Development Lifecycle book
• Participation also by software and IT development partners
• Documentation and training: training plans for security; active involvement in communities
• Automated with tools in Visual Studio: PREfast, FxCop


Conclusion

Security is possible for Web Services too. As a result of its security initiative, Microsoft has created processes and products for the development of secure applications. Further information on Web Services Security: http://www.microsoft.com/germany/msdn/security/webservices.mspx
