Platform Security Briefing
Ramnish Singh, PMP, CISSP, Microsoft Certified Architect (Infrastructure), MCITP (Windows 2008), MCTS (Windows Server, Vista, Exchange), MCSE (Windows 2003, 2000, NT), MCT, Cisco Certified Design Professional, Cisco Certified Network Professional, Sun CSA
IT Advisor | Microsoft Corporation
Security Versus Access
Demand for access:
• 23 million branch offices WW (IDC, 2006)
• 3.6 billion mobile users WW by 2010 (Infonetics, 2007)
• 85% of companies will have WLANs by 2010 (Infonetics, 2006)
Escalating threats:
• 8x increase in phishing sites in past year (AWG, 2006)
• One message-based Trojan attack per day in 2006 vs. one per week in 2005 (Message Labs, 2006)
• Strong indication of increase in profit-motivated attacks (Multiple sources)
Evolving Threat Landscape
• 1986–1995: Local Area Networks; first PC virus; boot sector viruses; create notoriety or cause havoc; slow propagation; 16-bit DOS
• 1995–2000: Internet Era; macro viruses; script viruses; create notoriety or cause havoc; faster propagation; 32-bit Windows
• 2000–2005: Broadband prevalent; spyware, spam; phishing; botnets; rootkits; financial motivation; Internet-wide impact; 32-bit Windows
• 2007: Hyper jacking; peer to peer; social engineering; application attacks; financial motivation; targeted attacks; 64-bit Windows
(Chart: attacker motivation, from Curiosity through Personal Fame and Personal Gain to National Interest, plotted against attacker expertise: Script-Kiddy, Undergraduate, Expert, Specialist. Personas: Author, Vandal, Thief, Spy, Trespasser. Annotations: "Largest area by volume", "Largest area by $ lost", "Largest segment by $ spent on defense", "Fastest growing segment".)
Evolving Threats
The first known hack: the need for security in communication networks is not new. In the late nineteenth century an American undertaker named Almon Strowger discovered that he was losing business to his rivals because telephone operators, responsible for the manual connection of call requests, were unfairly diverting calls from the newly bereaved to his competitors. Strowger developed switching systems that led to the introduction of the first automated telephone exchanges in 1897. This enabled users to make their own connections, using rotary dialling to signal the required destination.
Almon Strowger
• Company understands the importance of security in the workplace
• Individuals know their role with security governance and compliance
• IT staff has the security skills and knowledge to support your business
• Data privacy processes to manage data effectively
• IT security processes to implement, manage, and govern security
• Financial reporting processes that include security of the business
Addressing Security Threats
• Helps turn IT into a business asset, not a cost center
• Supports your day to day security processes
• Is the enabler to running your business successfully
Technology | Process | People
Microsoft’s Promises To You
• Manage Complexity, Achieve Agility
• Advance the Business with IT Solutions
• Amplify the Impact of Your People
• Protect Information, Control Access
Delivering On The Promise: Infrastructure Optimization
*Source: Microsoft CSO Summit 2007 Registration Survey
Basic
• No centralized enterprise directory
• No automated patch management
• Anti-malware not centrally managed
• Message security for e-mail only
• No secure coding practices in place
Standardized
• Using enterprise directory for authentication
• Automated patch management tools deployed
• Anti-malware is managed centrally
• Unified message security in place
Rationalized
• Integrated directory services, PKI in place
• Formal patch management process
• Defense in depth threat protection
• Security extended to remote and mobile workforce
Dynamic
• Full identity lifecycle management
• ID Federation, Rights Mgt Services in use
• Metrics driven update process
• Client quarantine and access policy enforcement
Cost Center → More Efficient Cost Center → Business Enabler → Strategic Asset
$1320/PC Cost
$580/PC Cost
$230/PC Cost
Source: GCR and IDC data analyzed by Microsoft, 2006
Core Infrastructure Optimization
Core Infrastructure Optimization Model: Security
Technology | Process | People across Basic | Standardized | Rationalized | Dynamic:
People
• Basic: IT staff taxed by operational challenges; users come up with their own IT solutions
• Standardized: IT staff trained in best practices such as MOF, ITIL, etc.; users expect basic services from IT
• Rationalized: IT staff manages an efficient, controlled environment; users have the right tools, availability, and access to info
• Dynamic: IT is a strategic asset; users look to IT as a valued partner to enable new business initiatives
Process
• Basic: IT processes undefined; complexity due to localized processes and minimal central control
• Standardized: Central admin and configuration of security; standard desktop images defined, not adopted by all
• Rationalized: SLAs are linked to business objectives; clearly defined and enforced images, security, best practices
• Dynamic: Self-assessing and continuous improvement; easy, secure access to info from anywhere on Internet
Technology
• Basic: Patch status of desktops is unknown; no unified directory for access mgmt
• Standardized: Multiple directories for authentication; limited automated software distribution
• Rationalized: Automate identity and access management; automated system management
• Dynamic: Self provisioning and quarantine capable systems ensure compliance and high availability
Improve IT Maturity while Gaining ROI
Confidentiality, Integrity, Availability
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high.
Trustworthy Computing
Microsoft Security Strategy
GIAIS
VIA
Microsoft Security Strategy
Public Policy
Industry Partnerships
Consumer Awareness
Law Enforcement
www.microsoft.com/technet/security
Microsoft Security Strategy
Security Tools
Education and Training
Microsoft Security Assessment Toolkit
Microsoft Windows Vista Security Whitepapers
Microsoft Security Intelligence Report
Learning Paths for Security Professionals
Security Readiness
Security Development Lifecycle: Product Inception → Design / Threat Modeling → Standards, best practices, and tools → Security Push → Final Security Review → RTM and Deployment Signoff → Security Response
Priority #1 - Platform Security
• Security Development Lifecycle
• Security Response Center
• Better Updates And Tools
Guidance
Developer Tools
Systems Management
Identity Management
Active Directory Federation Services
(ADFS)
Windows CardSpace
Information Protection
Encrypting File System (EFS)
BitLocker™
Services
Edge
Comprehensive Security Portfolio
Client and Server OS
Server Applications
Network Access Protection (NAP)
Secure Platform
Secure Access
Data Protection
• Rights Management Services (RMS): SharePoint, Exchange, Windows Mobile integration
• Encrypting File System (EFS)
• Bitlocker
Malware Protection
• User Account Control
• Network Access Protection (NAP)
• IPv6
• IPsec
• Windows CardSpace
• Native smart card support
• GINA Re-architecture
• Certificate Services
• Credential roaming
• Security Development Lifecycle (SDL)
• Kernel Patch Protection
• Kernel-mode Driver Signing
• Secure Startup
• Windows Service Hardening
• Windows Defender
• IE Protected Mode
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Bi-directional Firewall
• Windows Security Center
Windows Vista SP1 includes:
• Additional Kernel Patch Protection APIs
• Enhanced Windows Security Center reporting
• Expanded BitLocker Drive Encryption (BDE)
• Additional multifactor authentication methods
• Security Development Lifecycle (SDL)
• Windows Server Virtualization (Hypervisor)
• Role Management Tool
• OS File Integrity
Secure Platform
Network Protection
Identity Access
Data Protection
• Read-only Domain Controller (RODC)
• Active Directory Federation Srvcs. (ADFS)
• Administrative Role Separation
• PKI Management Console
• Online Certificate Status Protocol
• Network Access Protection (NAP)
• Server and Domain Isolation with IPsec
• End-to-end Network Authentication
• Windows Firewall With Advanced Security On By Default
• Rights Management Services (RMS)
• Full volume encryption (Bitlocker)
• USB Device-connection rules with Group Policy
• Improved Auditing
• Windows Server Backup
Secure Platform
Data Protection
• Surface Area Configuration tool
• Password Policy Enforcement; Granular Roles
• Built in Encryption; Key Mgmt.
• Auditing – Data Definition Language (DDL)
• Rich Authentication
• Granular Access Control
• Compliance and Auditing
• Hierarchical Encryption
• Trust Center
• New Document Security Model
• Open XML File Formats
• Document Inspector
• Information Rights Management
• Strong Encryption, Digital Signatures
• Suite-B: For U.S. Government
Platform Security Progress
• Advanced Spam and Virus Defenses
• Compliance
• Business Continuity
• Essential Security and Mobile Device Mgmt
• Built-in Protection with Business Continuity
• Compliance Support
• Enhanced Message Filtering
Engineering Excellence: Security Development Lifecycle
Security Threat Landscape Evolution
Microsoft Security Strategy
(Diagram: Network Access Protection scenario. Zones: Isolated and Trusted. Components: Remediation Server, Web Server, Remote Access Gateway, Infrastructure Servers. Endpoints: Unmanaged Devices, Malicious Users, Trusted Home, New Customer, Unhealthy PC.)
Secure Anywhere Access
• End-to-end security with IPv6 and IPsec
• Access driven by policy, not topology
• Certificate based multi-factor authentication
• Health checks and remediation prior to access
Policy-driven network access solutions
• Windows Firewall with advanced filtering
• Server and Domain Isolation
• Network Access Protection (NAP)
• ISA Server 2006
• Intelligent Application Gateway (2007)
• Windows Filtering Platform
Network Security
Your COMPANY and your EMPLOYEES
• Identity Lifecycle Manager 2007
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Windows Certificate Services
• Windows CardSpace™
• Secure and seamless cross-organizational collaboration
• Easily managing multiple identities
• Government sponsored identities (eID)
• Hardware supported trust platform
• Disparate directories synchronization
• Centralized ID controls and mgmt.
• Embedded identity into applications
• Policy Governance / Compliance
• Role Based Permissions
• Identity and Data Privacy
Identity and Access Management
Consumer/ Small Business
Corporate
Client Protection | Server Protection | Edge Protection
• Simple PC maintenance
• Anti-Virus
• Anti-Spyware
• Anti-Phishing
• Firewall
• Performance Tuning
• Backup and Restore
Protection
• Edge, server and client protection
• “Point to Point” Solutions
• Security of data at rest and in transit
• Mobile workforce
• Manageability
Interoperability / Industry Standards
• Web Services (WS-*)
• Open document format (XPS)
• OpenID
Partner Products
• Network Access Protection
• EV Certificate support in IE7
• Windows CardSpace
• Windows Security Center
Industry Partnerships
• SecureIT Alliance
• Microsoft Security Response Alliance
• Interop Vendor Alliance
Security Stack Interoperability
• Integrated security eases defense in depth architecture deployment
• Adoption of open standards allows cross platform integration
• Management System: System Center, Active Directory GPO
• Perimeter: Forefront Edge and Server Security, NAP
• Internal Network: Network Access Protection, IPSec
• Device: Forefront Client Security, Exchange MSFP
• Application: SDL process, IIS, Visual Studio, and .NET
• Data: BitLocker, EFS, RMS, SharePoint, SQL
• User: Active Directory and Identity Lifecycle Mgr
Management Systems Integration
Some hard questions…
Who
What
When
Where
How
Why
The lighter side
And the press is doing its bit...
Infrastructure Optimization
Application Platform Optimization Model (Basic, Standardized, Advanced, Dynamic):
• Development
• SOA and Business Process
• Business Intelligence
• User Experience
• Data Management
Business Productivity Infrastructure Optimization Model (Basic, Standardized, Rationalized, Dynamic):
• Business Intelligence
• Enterprise Content Management
• Collaboration
• Unified Communications
• Enterprise Search
Core Infrastructure Optimization Model (Basic, Standardized, Rationalized, Dynamic):
• Data Protection and Recovery
• Desktop, Device, and Server Mgmt
• Identity and Access Management
• Security and Networking
• IT and Security Process
Infrastructure Optimization: Building a People-Ready Business
• Provides capability framework to help you build an optimized infrastructure (not Microsoft-specific)
• Establishes a foundation based on industry analyst, academic, and consortium research
• Provides guidance and best practices for step-by-step implementation
• Drives cost reduction, security and efficiency gains
• Enables agility
Model-Based Approach
Policy and Compliance | Risk Assessment | User Awareness
Core Infrastructure Optimization
Basic | Standardized | Rationalized | Dynamic
Legacy Platform Migration
Secure Application Architecture
Threat and Vulnerability Mitigation
Secure Messaging and Collaboration
Patch Management
Identity and Access Management
Optimizing Security: Moving from Basic to Standardized
Solutions | Benefits | Challenges | Costs
Developer-focused environment
Sophisticated and targeted threats
Executive sponsorship
Awareness campaign
Cultural shift to awareness
Able to mitigate current high priority risk
Labor intensive to maintain
Basic to Standardized
Network Intrusion Detection
Secure Wireless Access
Enforce Strong Passwords
Secure Remote User
Two Factor Authentication
Defense in Depth
Optimizing Security: Moving from Standardized to Rationalized
Solutions | Benefits | Challenges | Costs
Evolving and faster threats
Ownership largely resided with Security
Risk management framework
Service manager accountability
Accountability closer to business
Environmental awareness
Improved response
Lack of integration between service managers and business
Standardized to Rationalized
SDL IT
Security Event Monitoring
2FA: Elevated Access Accts
Network Segmentation
Automate
Identity & Access Mgmt
Certificate Provisioning & Renewals
Vulnerability Assessments
Defense in Depth
Optimizing Security: Moving from Rationalized to Dynamic
Solutions | Benefits | Challenges | Costs
Security viewed as a tax to the business
Information security governance
Information security becomes a strategic asset
Culture shift may cause friction
Rationalized to Dynamic
Defense in Depth
Bitlocker Drive Encryption
User Account Control
Strong User Authentication
Network Access Protection
Antimalware
Application Security
Authentication
Identity & Access Management
Intrusion Detection/Prevention
Mobile Data Security
NAC
Network Firewalls
Secure Remote Access
SIMs
Unified Threat Management
Vulnerability Management
Web Security Gateways
Wireless
People
Mobile
Task
Home
Office
Contract Offshore
Hardware
OS
Data, User Settings
Applications
Dependencies Create Complexity; Separation Creates Flexibility
Worker personas (Mobile Worker, Office Worker, Task Worker, Contract / Offshore Worker, Home Worker): the slides build the same layered stack for each persona.
• Hardware: Bitlocker Drive Encryption
• OS: Bi-Directional Firewall, Defender, Malicious Software Removal Tool; Bitlocker Drive Encryption; Security Center & UAC; Network Location Protection
• Applications: Terminal Server Access; Application (APP-V) & Enterprise Desktop (MED-V) Virtualization; Anti Virus & Antispyware; Network Access Protection; RMS Protected Documents
• Data, User Settings: Folder Redirection; Offline Files; Group Policy and AGPM; Data Backup
• Management: System Monitoring; System Management; Mobile Device Management; Corporate Security Policy
7 Tips for Secure Client Computing
• Protect your personal information. It’s valuable
• Know who you’re dealing with
• Use anti-virus and firewall and update both regularly
• Set up your OS and Web browser properly and update both regularly
• Protect your password
• Back up important files
• Learn who to contact if something goes wrong
Technology
(Diagram: Internet with Customer and BRANCH OFFICE User clients; DMZ containing External Web Server; HEAD QUARTERS Internal Network with Exchange, Intranet Web Server, SharePoint, Active Directory; CSS.)
Technology – Another View
(Diagram: Network Access Protection scenario. Zones: Isolated and Trusted. Components: Remediation Server, Web Server, Remote Access Gateway, Infrastructure Servers. Endpoints: Unmanaged Devices, Malicious Users, Trusted Home, New Customer, Unhealthy PC.)
OSI Model
Media layers: Physical, Data Link, Network
Host layers: Transport, Session, Presentation, Application
Head Office, Branch Office, Intranet/Extranet: the slides build the same OSI-layer stack for each.
Media Layer
• Physical: Bitlocker Drive Encryption
• Data Link: Intrusion Detection System; Secure Wireless Access; Secure Remote Access
• Network: Network Access Protection; Site-to-Site VPN; Address Translation
Host Layer
• Transport: IPSec Enabled Protection; Firewall Protection; Server & Domain Isolation
• Session: Active Directory; Folder Redirection; Offline Files; Remote Access Protocols
• Presentation: Group Policy and AGPM; GINA Protection (CTRL + ALT + DEL); Terminal Server Access; Encrypted File System
• Application: Defender, Malicious Software Removal Tool; Application Protection; Anti Virus & Antispyware Management; Web; DHCP & DNS; Audio Video Messaging; Identity Management; Data Protection; Content Management; Database
Remote Access
Wired Access
• Dial-in / ISDN
• ADSL / Cable
• Power Line
• Fiber Optic
Wireless Access
• WiFi
• WiMAX
• Satellite
• GPRS / UMTS / HSPA / LTE
• Wireless USB
• Bluetooth
Securing Wireless…
Wired Enterprise Network
Internet
VPN security models
Authentication before VPN connection:
• Password
• Biometric
• Cryptographic
Trusted delivery networks:
• MPLS
• L2TP
Security mechanisms:
• IPsec
• SSL/TLS
• OpenVPN
• L2TPv3
• VPN Quarantine
• MPVPN
• Cisco VPN
Direct Access
Situation Today
Office Home
Difficult for users to access corporate resources from outside the office
Challenging for IT to manage, update, patch mobile PCs while disconnected from company network
Microsoft Solution
Direct Access
Home | Office
New network paradigm enables same experience inside & outside the office
Seamless access to network resources increases productivity of mobile users
Infrastructure investments also make it easier to service mobile PCs and distribute updates and policies
Process
Information Security and Risk Management
Application Security
Operations Security
Cryptography
Security Architecture and Design
Access Control
Business Continuity & Disaster Recovery
Telecommunications and Network Security
Physical (Environmental) Security
Legal, Regulations, Compliance & Investigations
Access Control
Physical access
Access control system operation
Credential
Access control system components
Access control door wiring
Types of readers
Security risks
Access control system topologies
Computer security
Identification and authentication (I&A)
Authorization
Accountability
Discretionary access control
Mandatory access control
Role-based access control
Application Security
Application Threats Attacks
Input Validation
Authentication
Authorization
Configuration management
Session management
Cryptography
Sensitive data
Parameter manipulation
Exception management
Auditing and logging
Security standards & regulations: SOX, HIPAA, ISO/IEC 70xx, 97xx, 14888-x, 17799, 24xxx, 27xxx, Gramm-Leach-Bliley Act, PCI DSS
Business Continuity
Business Continuity Planning Lifecycle: Analysis → Solution design → Implementation → Testing and organizational acceptance → Maintenance
Disaster Recovery
• Tier 0: No off-site data – Possibly no recovery
• Tier 1: Data backup with no hot site
• Tier 2: Data backup with a hot site
• Tier 3: Electronic vaulting
• Tier 4: Point-in-time copies
• Tier 5: Transaction integrity
• Tier 6: Zero or near-zero data loss
• Tier 7: Highly automated, business integrated solution
Cryptography
• Symmetric-key
• Asymmetric-key
Information Security: Authenticity, Non-repudiation
Security classification for information
Controls: Access Control, Cryptography, Defense in Depth
Administrative | Logical | Physical
Risk Management: Establishing Context → Identification → Assessment → Potential Risk Treatments → Risk Management plan → Implementation → Review & plan evaluation
Risk avoidance | Risk reduction | Risk retention | Risk transfer
Operations Security
(Figure: World War II-era poster promoting OPSEC)
OPSEC: Identification of Critical Information → Analysis of Threats → Analysis of Vulnerabilities → Assessment of Risk → Application of Appropriate OPSEC Measures
Security Architecture and Design
Legal, Regulations, Compliance & Investigations
Telecommunications and Network Security
Passive Attacks
Active Attacks
Network Vulnerabilities
Media Tapping
Physical Security
Key Features: Video monitoring; Intrusion detection; Mechanical and electronic access control; Environmental design
Key Elements: Explosion protection; Obstacles; Alarms, security lighting, security guard patrols or CCTV; Security response
Security Guidance and Resources
• Microsoft Security Home Page: www.microsoft.com/security
• Microsoft Forefront: http://www.microsoft.com/forefront/default.mspx
General Information:
• Microsoft Live Safety Center: http://safety.live.com
• Microsoft Security Response Center: www.microsoft.com/security/msrc
• Security Development Lifecycle: http://msdn.microsoft.com/security/sdl
• Get the Facts on Windows and Linux: www.microsoft.com/getthefacts
Anti-Malware:
• Microsoft OneCare Live: https://beta.windowsonecare.com
• Microsoft Defender: www.microsoft.com/athome/security/spyware/software
• Spyware Criteria: www.microsoft.com/athome/security/spyware/software/isv
Guidance Centers:
• Security Guidance Centers: www.microsoft.com/security/guidance
• Security Guidance for IT Professionals: www.microsoft.com/technet/security
• The Microsoft Security Developer Center: msdn.microsoft.com/security
• The Security at Home Consumer Site: www.microsoft.com/athome/security
Thank you (in Hindi, Gujarati, Bengali, Punjabi, Odia, Tamil, Telugu, Kannada and Malayalam)
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.