Platform Security Briefing
Ramnish Singh, PMP, CISSP, Microsoft Certified Architect (Infrastructure), MCITP (Windows 2008), MCTS (Windows Server, Vista, Exchange), MCSE (Windows 2003, 2000, NT), MCT, Cisco Certified Design Professional, Cisco Certified Network Professional, Sun CSA
IT Advisor | Microsoft Corporation

Post on 20-May-2015


Page 4: Ramnish Singh Platform Security Briefing

Security Versus Access

Demand for access
• 23 million branch offices WW (IDC, 2006)
• 3.6 billion mobile users WW by 2010 (Infonetics, 2007)
• 85% of companies will have WLANs by 2010 (Infonetics, 2006)

Escalating threats
• 8x increase in phishing sites in past year (AWG, 2006)
• One message-based Trojan attack per day in 2006 vs. one per week in 2005 (Message Labs, 2006)
• Strong indication of increase in profit-motivated attacks (Multiple sources)

Page 5: Ramnish Singh Platform Security Briefing

Evolving Threat Landscape

1986–1995 (Local Area Networks)
• First PC virus
• Boot sector viruses
• Create notoriety or cause havoc
• Slow propagation
• 16-bit DOS

1995–2000 (Internet Era)
• Macro viruses
• Script viruses
• Create notoriety or cause havoc
• Faster propagation
• 32-bit Windows

2000–2005 (Broadband prevalent)
• Spyware, Spam
• Phishing
• Botnets
• Rootkits
• Financial motivation
• Internet wide impact
• 32-bit Windows

2007
• Hyper jacking
• Peer to Peer
• Social engineering
• Application attacks
• Financial motivation
• Targeted attacks
• 64-bit Windows

Page 6: Ramnish Singh Platform Security Briefing

Evolving Threats (chart; image not preserved)
• Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest
• Attacker skill axis: Script-Kiddy, Undergraduate, Expert, Specialist
• Actor types plotted: Author, Vandal, Thief, Spy, Trespasser
• Annotations: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment

Page 7: Ramnish Singh Platform Security Briefing

1st known hack...The need for security in communication networks is not new. In the late nineteenth century an American undertaker named Almon Strowger discovered that he was losing business to his rivals because telephone operators, responsible for the manual connection of call requests, were unfairly diverting calls from the newly bereaved to his competitors. Strowger developed switching systems that led to the introduction of the first automated telephone exchanges in 1897. This enabled users to make their own connections using rotary dialling to signal the required destination.

Almon Strowger

Page 8: Ramnish Singh Platform Security Briefing

Addressing Security Threats

People
• Company understands the importance of security in the workplace
• Individuals know their role with security governance and compliance
• IT staff has the security skills and knowledge to support your business

Process
• Data privacy processes to manage data effectively
• IT security processes to implement, manage, and govern security
• Financial reporting processes that include security of the business

Technology
• Helps turn IT into a business asset, not a cost center
• Supports your day to day security processes
• Is the enabler to running your business successfully

Page 9: Ramnish Singh Platform Security Briefing

Microsoft’s Promises To You
• Manage Complexity, Achieve Agility
• Advance the Business with IT Solutions
• Amplify the Impact of Your People
• Protect Information, Control Access

Page 10: Ramnish Singh Platform Security Briefing

Delivering On The Promise: Infrastructure Optimization

*Source: Microsoft CSO Summit 2007 Registration Survey

Page 11: Ramnish Singh Platform Security Briefing

Core Infrastructure Optimization

Basic (Cost Center; $1320/PC Cost)
• No centralized enterprise directory
• No automated patch management
• Anti-malware not centrally managed
• Message security for e-mail only
• No secure coding practices in place

Standardized (More Efficient Cost Center; $580/PC Cost)
• Using enterprise directory for authentication
• Automated patch management tools deployed
• Anti-malware is managed centrally
• Unified message security in place

Rationalized (Business Enabler; $230/PC Cost)
• Integrated directory services, PKI in place
• Formal patch management process
• Defense in depth threat protection
• Security extended to remote and mobile workforce

Dynamic (Strategic Asset)
• Full identity lifecycle management
• ID Federation, Rights Mgt Services in use
• Metrics driven update process
• Client quarantine and access policy enforcement

Source: GCR and IDC data analyzed by Microsoft, 2006

Page 12: Ramnish Singh Platform Security Briefing

Core Infrastructure Optimization Model: Security
(Improve IT Maturity while Gaining ROI: Basic, Standardized, Rationalized, Dynamic)

People
• Basic: IT staff taxed by operational challenges; users come up with their own IT solutions
• Standardized: IT staff trained in best practices such as MOF, ITIL, etc.; users expect basic services from IT
• Rationalized: IT staff manages an efficient, controlled environment; users have the right tools, availability, and access to info
• Dynamic: IT is a strategic asset; users look to IT as a valued partner to enable new business initiatives

Process
• Basic: IT processes undefined; complexity due to localized processes and minimal central control
• Standardized: Central admin and configuration of security; standard desktop images defined, not adopted by all
• Rationalized: SLAs are linked to business objectives; clearly defined and enforced images, security, best practices
• Dynamic: Self-assessing and continuous improvement; easy, secure access to info from anywhere on Internet

Technology
• Basic: Patch status of desktops is unknown; no unified directory for access mgmt
• Standardized: Multiple directories for authentication; limited automated software distribution
• Rationalized: Automate identity and access management; automated system management
• Dynamic: Self provisioning and quarantine capable systems ensure compliance and high availability

Page 13: Ramnish Singh Platform Security Briefing

Confidentiality, Integrity, Availability

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where the acceptable values for potential impact are low, moderate, or high.

Page 14: Ramnish Singh Platform Security Briefing

Trustworthy Computing

Page 15: Ramnish Singh Platform Security Briefing

Microsoft Security Strategy

Page 16: Ramnish Singh Platform Security Briefing

Microsoft Security Strategy
• GIAIS
• VIA
• Public Policy
• Industry Partnerships
• Consumer Awareness
• Law Enforcement

Page 17: Ramnish Singh Platform Security Briefing

www.microsoft.com/technet/security

Microsoft Security Strategy
• Security Tools
• Education and Training
• Security Readiness
• Microsoft Security Assessment Toolkit
• Microsoft Windows Vista Security Whitepapers
• Microsoft Security Intelligence Report
• Learning Paths for Security Professionals

Page 18: Ramnish Singh Platform Security Briefing

Security Development Lifecycle
• Product Inception
• Design: Threat Modeling
• Standards, best practices, and tools
• Security Push
• Final Security Review
• RTM and Deployment Signoff
• Security Response

Page 19: Ramnish Singh Platform Security Briefing

Priority #1 - Platform Security

• Security Development Lifecycle
• Security Response Center
• Better Updates And Tools

Page 20: Ramnish Singh Platform Security Briefing

Comprehensive Security Portfolio
• Guidance
• Developer Tools
• Systems Management
• Identity Management: Active Directory Federation Services (ADFS), Windows CardSpace
• Information Protection: Encrypting File System (EFS), BitLocker™
• Services
• Edge
• Client and Server OS
• Server Applications
• Network Access Protection (NAP)

Page 21: Ramnish Singh Platform Security Briefing

Secure Platform
• Security Development Lifecycle (SDL)
• Kernel Patch Protection
• Kernel-mode Driver Signing
• Secure Startup
• Windows Service Hardening

Malware Protection
• Windows Defender
• IE Protected Mode
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Bi-directional Firewall
• Windows Security Center

Secure Access
• User Account Control
• Network Access Protection (NAP)
• IPv6, IPsec
• Windows CardSpace
• Native smart card support
• GINA Re-architecture
• Certificate Services
• Credential roaming

Data Protection
• Rights Management Services (RMS); SharePoint, Exchange, Windows Mobile integration
• Encrypting File System (EFS)
• BitLocker

Page 22: Ramnish Singh Platform Security Briefing

Windows Vista SP1 includes
• Additional Kernel Patch Protection APIs
• Enhanced Windows Security Center reporting
• Expanded BitLocker Drive Encryption (BDE)
• Additional multifactor authentication methods

Page 23: Ramnish Singh Platform Security Briefing

Secure Platform
• Security Development Lifecycle (SDL)
• Windows Server Virtualization (Hypervisor)
• Role Management Tool
• OS File Integrity

Identity Access
• Read-only Domain Controller (RODC)
• Active Directory Federation Srvcs. (ADFS)
• Administrative Role Separation
• PKI Management Console
• Online Certificate Status Protocol

Network Protection
• Network Access Protection (NAP)
• Server and Domain Isolation with IPsec
• End-to-end Network Authentication
• Windows Firewall With Advanced Security, On By Default

Data Protection
• Rights Management Services (RMS)
• Full volume encryption (BitLocker)
• USB Device-connection rules with Group Policy
• Improved Auditing
• Windows Server Backup

Page 24: Ramnish Singh Platform Security Briefing

Platform Security Progress (Secure Platform, Data Protection)

• Surface Area Configuration tool
• Password Policy Enforcement; Granular Roles
• Built in Encryption; Key Mgmt.
• Auditing – Data Definition Language (DDL)
• Rich Authentication
• Granular Access Control
• Compliance and Auditing
• Hierarchical Encryption

• Trust Center
• New Document Security Model
• Open XML File Formats
• Document Inspector
• Information Rights Management
• Strong Encryption, Digital Signatures
• Suite-B: For U.S. Government

• Advanced Spam and Virus Defenses
• Compliance
• Business Continuity
• Essential Security and Mobile Device Mgmt
• Built-in Protection with Business Continuity
• Compliance Support
• Enhanced Message Filtering

Page 25: Ramnish Singh Platform Security Briefing

Engineering Excellence: Security Development Lifecycle

Security Threat Landscape Evolution
Microsoft Security Strategy

Page 26: Ramnish Singh Platform Security Briefing

Network Security

(Diagram: Isolated and Trusted zones; Remediation Server, Web Server, Remote Access Gateway, Infrastructure Servers; clients: Unmanaged Devices, Malicious Users, Trusted Home, New Customer, Unhealthy PC)

Secure Anywhere Access
• End-to-end security with IPv6 and IPsec
• Access driven by policy, not topology
• Certificate based multi-factor authentication
• Health checks and remediation prior to access

Policy-driven network access solutions
• Windows Firewall with advanced filtering
• Server and Domain Isolation
• Network Access Protection (NAP)
• ISA Server 2006
• Intelligent Application Gateway (2007)
• Windows Filtering Platform
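The "health checks and remediation prior to access" flow on this slide, as an added example (not Microsoft code and not the NAP implementation): a policy-driven admission check that places a client on the Trusted or Isolated network and hands the remediation server the full list of what must be fixed. The statement-of-health fields, the policy thresholds and the sample clients are constructed for illustration.

```python
# Added example (not Microsoft code and not the NAP implementation): a policy-driven
# admission check in the spirit of "health checks and remediation prior to access".
# The statement-of-health fields, the policy thresholds and the sample clients are
# all constructed for illustration.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class StatementOfHealth:
    """What the client's health agent reports about itself (constructed fields)."""
    host: str
    managed: bool                  # domain-joined with a health agent
    cert_auth: bool                # authenticated with a certificate (multi-factor)
    firewall_on: bool
    av_enabled: bool
    av_signature_date: date
    missing_critical_patches: int


@dataclass
class Policy:
    today: date
    max_signature_age_days: int = 3
    max_missing_critical: int = 0
    require_cert_auth: bool = True


@dataclass
class Decision:
    network: str                   # "Trusted" or "Isolated"
    remediation: list = field(default_factory=list)


def evaluate(soh, policy):
    """Place one client on the Trusted or Isolated network and list what it must fix.

    Every failed check is collected, so the remediation server can fix all of
    them in one pass instead of bouncing the client back and forth."""
    if soh is None or not soh.managed:
        # Unmanaged devices never reach the trusted network, whatever they claim;
        # they are steered to the remote access gateway / isolated segment.
        return Decision("Isolated", ["unmanaged device: use remote access gateway"])
    fixes = []
    if policy.require_cert_auth and not soh.cert_auth:
        fixes.append("certificate-based authentication required")
    if not soh.firewall_on:
        fixes.append("enable host firewall")
    if not soh.av_enabled:
        fixes.append("enable anti-malware")
    else:
        age = (policy.today - soh.av_signature_date).days
        if age > policy.max_signature_age_days:
            fixes.append(f"update anti-malware signatures ({age} days old)")
    if soh.missing_critical_patches > policy.max_missing_critical:
        fixes.append(f"install {soh.missing_critical_patches} critical patch(es)")
    return Decision("Isolated" if fixes else "Trusted", fixes)


# Constructed sample clients matching the roles drawn on the slide.
POLICY = Policy(today=date(2008, 6, 1))
SAMPLE_CLIENTS = {
    "trusted-home": StatementOfHealth("trusted-home", True, True, True, True,
                                      date(2008, 5, 31), 0),
    "unhealthy-pc": StatementOfHealth("unhealthy-pc", True, True, False, True,
                                      date(2008, 5, 1), 2),
    "new-customer": None,          # no health agent: nothing to evaluate
}


def triage(clients=SAMPLE_CLIENTS, policy=POLICY):
    """Return {host: Decision} for every client; Isolated hosts carry their fix list."""
    return {host: evaluate(soh, policy) for host, soh in clients.items()}


if __name__ == "__main__":
    for host, decision in triage().items():
        print(f"{host:13s} -> {decision.network:8s} {'; '.join(decision.remediation)}")
```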

Page 27: Ramnish Singh Platform Security Briefing

Identity and Access Management

Your COMPANY and your EMPLOYEES
• Identity Lifecycle Manager 2007
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Windows Certificate Services
• Windows CardSpace™

• Secure and seamless cross-organizational collaboration
• Easily managing multiple identities
• Government sponsored identities (eID)
• Hardware supported trust platform
• Disparate directories synchronization
• Centralized ID controls and mgmt.
• Embedded identity into applications
• Policy Governance / Compliance
• Role Based Permissions
• Identity and Data Privacy

Page 28: Ramnish Singh Platform Security Briefing

Consumer / Small Business
• Simple PC maintenance
• Anti-Virus, Anti-Spyware, Anti-Phishing
• Firewall
• Performance Tuning
• Backup and Restore

Corporate (Client Protection, Server Protection, Edge Protection)
• Protection: edge, server and client protection
• “Point to Point” Solutions
• Security of data at rest and in transit
• Mobile workforce
• Manageability

Page 29: Ramnish Singh Platform Security Briefing

Interoperability
• Industry Standards: Web Services (WS-*); Open document format (XPS); OpenID
• Partner Products: Network Access Protection; EV Certificate support in IE7; Windows CardSpace; Windows Security Center
• Industry Partnerships: SecureIT Alliance; Microsoft Security Response Alliance; Interop Vendor Alliance

Page 30: Ramnish Singh Platform Security Briefing

Security Stack Interoperability
• Integrated security eases defense in depth architecture deployment
• Adoption of open standards allows cross platform integration

Layer and products
• Management System: System Center, Active Directory GPO
• Perimeter: Forefront Edge and Server Security, NAP
• Internal Network: Network Access Protection, IPSec
• Device: Forefront Client Security, Exchange MSFP
• Application: SDL process, IIS, Visual Studio, and .NET
• Data: BitLocker, EFS, RMS, SharePoint, SQL
• User: Active Directory and Identity Lifecycle Mgr

Page 31: Ramnish Singh Platform Security Briefing

Management Systems Integration

Page 32: Ramnish Singh Platform Security Briefing

Engineering Excellence: Security Development Lifecycle

Microsoft Security Strategy

Page 33: Ramnish Singh Platform Security Briefing

Some hard questions…

Who

What

When

Where

How

Why

Page 34: Ramnish Singh Platform Security Briefing

The lighter side

Page 35: Ramnish Singh Platform Security Briefing

And the press is doing its bit...

Page 36: Ramnish Singh Platform Security Briefing

Infrastructure Optimization (diagram; the three models and their capability areas)

Application Platform Optimization Model (maturity levels: Basic, Standardized, Advanced, Dynamic)
• Development
• SOA and Business Process
• Business Intelligence
• User Experience
• Data Management

Business Productivity Infrastructure Optimization Model (maturity levels: Basic, Standardized, Rationalized, Dynamic)
• Business Intelligence
• Enterprise Content Management
• Collaboration
• Unified Communications
• Enterprise Search

Core Infrastructure Optimization Model (maturity levels: Basic, Standardized, Rationalized, Dynamic)
• Data Protection and Recovery
• Desktop, Device, and Server Mgmt
• Identity and Access Management
• Security and Networking
• IT and Security Process

Page 37: Ramnish Singh Platform Security Briefing

Infrastructure Optimization: Building a People-Ready Business

Model-Based Approach
• Provides capability framework to help you build an optimized infrastructure (not Microsoft-specific)
• Establishes a foundation based on industry analyst, academic, and consortium research
• Provides guidance and best practices for step-by-step implementation
• Drives cost reduction, security and efficiency gains
• Enables agility


Page 38: Ramnish Singh Platform Security Briefing

Core Infrastructure Optimization (Basic, Standardized, Rationalized, Dynamic)
• Policy and Compliance
• Risk Assessment
• User Awareness
• Legacy Platform Migration
• Secure Application Architecture
• Threat and Vulnerability Mitigation
• Secure Messaging and Collaboration
• Patch Management
• Identity and Access Management

Page 39: Ramnish Singh Platform Security Briefing

Optimizing Security: Moving from Basic to Standardized

Challenges
• Developer-focused environment
• Sophisticated and targeted threats

Solutions
• Executive sponsorship
• Awareness campaign

Benefits
• Cultural shift to awareness
• Able to mitigate current high priority risk

Costs
• Labor intensive to maintain

Defense in Depth (Basic to Standardized)
• Network Intrusion Detection
• Secure Wireless Access
• Enforce Strong Passwords
• Secure Remote User
• Two Factor Authentication

Page 40: Ramnish Singh Platform Security Briefing

Optimizing Security: Moving from Standardized to Rationalized

Challenges
• Evolving and faster threats
• Ownership largely resided with Security

Solutions
• Risk management framework
• Service manager accountability

Benefits
• Accountability closer to business
• Environmental awareness
• Improved response

Costs
• Lack of integration between service managers and business

Defense in Depth (Standardized to Rationalized)
• SDL IT
• Security Event Monitoring
• 2FA: Elevated Access Accts
• Network Segmentation
• Automate Identity & Access Mgmt
• Certificate Provisioning & Renewals
• Vulnerability Assessments

Page 41: Ramnish Singh Platform Security Briefing

Optimizing Security: Moving from Rationalized to Dynamic

Challenges
• Security viewed as a tax to the business

Solutions
• Information security governance

Benefits
• Information security becomes a strategic asset

Costs
• Culture shift may cause friction

Defense in Depth (Rationalized to Dynamic)
• BitLocker Drive Encryption
• User Account Control
• Strong User Authentication
• Network Access Protection

Page 42: Ramnish Singh Platform Security Briefing

Antimalware

Application Security

Authentication

Email

Identity & Access Management

Intrusion Detection/Prevention

Mobile Data Security

NAC

Network Firewalls

Secure Remote Access

SIMs

Unified Threat Management

Vulnerability Management

Web Security Gateways

Wireless

Page 43: Ramnish Singh Platform Security Briefing

People

Mobile

Task

Home

Office

Contract / Offshore

Page 44: Ramnish Singh Platform Security Briefing

Hardware

OS

Data, User Settings

Applications

Dependencies Create Complexity; Separation Creates Flexibility

Page 45: Ramnish Singh Platform Security Briefing

Mobile Worker (Pages 45–50; the slides build up the same layered stack one layer at a time, consolidated here)
• Hardware: BitLocker Drive Encryption
• OS: Bi-Directional Firewall; Defender; Malicious Software Removal Tool; Security Center & UAC; Network Location Protection
• Applications: Terminal Server Access; Application (APP-V) & Enterprise Desktop (MED-V) Virtualization; Anti Virus & Antispyware; Network Access Protection
• Data, User Settings: RMS Protected Documents; Folder Redirection; Offline Files; Group Policy and AGPM; Data Backup
• Across all layers: System Monitoring; System Management; Mobile Device Management; Corporate Security Policy

Page 51: Ramnish Singh Platform Security Briefing

Office Worker (Pages 51–56; the slides build up the same layered stack one layer at a time, consolidated here)
• Hardware: BitLocker Drive Encryption
• OS: Bi-Directional Firewall; Defender; Malicious Software Removal Tool; Security Center & UAC; Network Location Protection
• Applications: Terminal Server Access; Application (APP-V) & Enterprise Desktop (MED-V) Virtualization; Anti Virus & Antispyware; Network Access Protection
• Data, User Settings: RMS Protected Documents; Folder Redirection; Offline Files; Group Policy and AGPM; Data Backup
• Across all layers: System Monitoring; System Management; Mobile Device Management; Corporate Security Policy

Page 57: Ramnish Singh Platform Security Briefing

Task Worker (Pages 57–62; the slides build up the same layered stack one layer at a time, consolidated here)
• Hardware: BitLocker Drive Encryption
• OS: Bi-Directional Firewall; Defender; Malicious Software Removal Tool; Security Center & UAC; Network Location Protection
• Applications: Terminal Server Access; Application (APP-V) & Enterprise Desktop (MED-V) Virtualization; Anti Virus & Antispyware; Network Access Protection
• Data, User Settings: RMS Protected Documents; Folder Redirection; Offline Files; Group Policy and AGPM; Data Backup
• Across all layers: System Monitoring; System Management; Mobile Device Management; Corporate Security Policy

Page 63: Ramnish Singh Platform Security Briefing

Contract / Offshore Worker (Pages 63–68; the slides build up the same layered stack one layer at a time, consolidated here)
• Hardware: BitLocker Drive Encryption
• OS: Bi-Directional Firewall; Defender; Malicious Software Removal Tool; Security Center & UAC; Network Location Protection
• Applications: Terminal Server Access; Application (APP-V) & Enterprise Desktop (MED-V) Virtualization; Anti Virus & Antispyware; Network Access Protection
• Data, User Settings: RMS Protected Documents; Folder Redirection; Offline Files; Group Policy and AGPM; Data Backup
• Across all layers: System Monitoring; System Management; Mobile Device Management; Corporate Security Policy

Page 69: Ramnish Singh Platform Security Briefing

Home Worker (Pages 69–74; the slides build up the same layered stack one layer at a time, consolidated here)
• Hardware: BitLocker Drive Encryption
• OS: Bi-Directional Firewall; Defender; Malicious Software Removal Tool; Security Center & UAC; Network Location Protection
• Applications: Terminal Server Access; Application (APP-V) & Enterprise Desktop (MED-V) Virtualization; Anti Virus & Antispyware; Network Access Protection
• Data, User Settings: RMS Protected Documents; Folder Redirection; Offline Files; Group Policy and AGPM; Data Backup
• Across all layers: System Monitoring; System Management; Mobile Device Management; Corporate Security Policy

Page 75: Ramnish Singh Platform Security Briefing

7 Tips for Secure Client Computing
• Protect your personal information. It’s valuable
• Know who you’re dealing with
• Use anti-virus and firewall and update both regularly
• Set up your OS and Web browser properly and update both regularly
• Protect your password
• Back up important files
• Learn who to contact if something goes wrong

Page 76: Ramnish Singh Platform Security Briefing

Technology (network diagram; image not preserved): Internet with a Customer and an Internet User; DMZ with an External Web Server; HEAD QUARTERS Internal Network with Exchange, Intranet Web Server, SharePoint, Active Directory and CSS; BRANCH OFFICE with a User

Page 77: Ramnish Singh Platform Security Briefing

Technology – Another View (network diagram; image not preserved): Isolated and Trusted zones; Remediation Server, Web Server, Remote Access Gateway, Infrastructure Servers; clients: Unmanaged Devices, Malicious Users, Trusted Home, New Customer, Unhealthy PC

Page 78: Ramnish Singh Platform Security Briefing

OSI Model
• Host layers: Application, Presentation, Session, Transport
• Media layers: Network, Data Link, Physical

Page 79: Ramnish Singh Platform Security Briefing

Head Office (Pages 79–88; the slides build up the same OSI-layer stack one layer at a time, consolidated here)

Media layers
• Physical: BitLocker Drive Encryption
• Data Link: Intrusion Detection System; Secure Wireless Access; Secure Remote Access
• Network: Network Access Protection; Secure Remote Access; Site-to-Site VPN; Address Translation

Host layers
• Transport: IPSec Enabled Protection; Firewall Protection; Server & Domain Isolation
• Session: Active Directory; Folder Redirection; Offline Files; Remote Access Protocols
• Presentation: Group Policy and AGPM; GINA Protection; CTRL + ALT + DEL; Terminal Server Access; Encrypted File System
• Application: Defender; Malicious Software Removal Tool; Application Protection; Anti Virus & Antispyware Management; Web; DHCP & DNS; Audio; Video; Messaging; Identity Management; Data Protection; Content Management; Database

Page 89: Ramnish Singh Platform Security Briefing

Branch Office (Pages 89–98; the slides build up the same OSI-layer stack one layer at a time, consolidated here)

Media layers
• Physical: BitLocker Drive Encryption
• Data Link: Intrusion Detection System; Secure Wireless Access; Secure Remote Access
• Network: Network Access Protection; Secure Remote Access; Site-to-Site VPN; Address Translation

Host layers
• Transport: IPSec Enabled Protection; Firewall Protection; Server & Domain Isolation
• Session: Active Directory; Folder Redirection; Offline Files; Remote Access Protocols
• Presentation: Group Policy and AGPM; GINA Protection; CTRL + ALT + DEL; Terminal Server Access; Encrypted File System
• Application: Defender; Malicious Software Removal Tool; Application Protection; Anti Virus & Antispyware Management; Web; DHCP & DNS; Audio; Video; Messaging; Identity Management; Data Protection; Content Management; Database

Page 99: Ramnish Singh Platform Security Briefing

Intranet

Extranet

Page 100: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Media Layer)

Physical

Bitlocker Drive Encryption

Page 101: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Media Layer)

Physical Data Link

Bitlocker Drive Encryption

Intrusion Detection System Secure Wireless AccessSecure Remote Access

Page 102: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Media Layer)

Physical Data Link Networ

k

Intrusion Detection System Secure Wireless Access

Network Access Protection

Secure Remote Access

Site-to-Site VPN Address Translation

Page 103: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Host Layer)

IPSec Enabled Protection Firewall Protection Server & Domain Isolation

Transport

Page 104: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Host Layer)

Session

IPSec Enabled Protection Firewall Protection Server & Domain Isolation

Active DirectoryFolder Redirection

Offline Files Remote Access Protocols

Transport

Page 105: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Host Layer)

Session Presentation

Active Directory

Folder RedirectionOffline Files

Group Policy and AGPM GINA Protection

CTRL + ALT + DEL

Terminal Server Access

Remote Access Protocols

Encrypted File System

Transport

Page 106: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Host Layer)

Application Session Presentation

Defender, Malicious Software Removal Tool Application Protection Anti Virus & Antispyware Management

Group Policy and AGPM GINA Protection

CTRL + ALT + DEL

Terminal Server Access Encrypted File System

Transport

Page 107: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Host Layer)

Application Session Presentation

Defender, Malicious Software Removal Tool Application Protection Anti Virus & Antispyware Management

Web DHCP & DNS Audio Video Messaging

Transport

Page 108: Ramnish Singh Platform Security Briefing

Intranet/Extranet (Host Layer)

Application Session Presentation

Web Audio Video Messaging DHCP & DNS

Identity Management Data Protection Content Management Database

Transport

Page 109: Ramnish Singh Platform Security Briefing

Remote Access

Page 110: Ramnish Singh Platform Security Briefing

Wired Access

Dial-in / ISDN

ADSL / Cable Power Line

Fiber Optic

Page 111: Ramnish Singh Platform Security Briefing

Wireless Access

WiFi

WiMAX Satellite

GPRS / UMTS / HSPA / LTE

Wireless USB Bluetooth

Page 112: Ramnish Singh Platform Security Briefing

Securing Wireless…

Wired Enterprise Network

Internet

Page 113: Ramnish Singh Platform Security Briefing

VPN security models

Authentication before VPN connection

• Password
• Biometric
• Cryptographic

Trusted delivery networks

• MPLS
• L2TP

Security mechanisms

• IPsec
• SSL/TLS
• OpenVPN
• L2TPv3
• VPN Quarantine
• MPVPN
• Cisco VPN

Page 114: Ramnish Singh Platform Security Briefing

Direct Access

Situation Today

Office Home

Difficult for users to access corporate resources from outside the office

Challenging for IT to manage, update, patch mobile PCs while disconnected from company network

Microsoft Solution

Direct Access

Home Office

New network paradigm enables same experience inside & outside the office

Seamless access to network resources increases productivity of mobile users

Infrastructure investments also make it easier to service mobile PCs and distribute updates and policies

Page 115: Ramnish Singh Platform Security Briefing

Process

Information Security and Risk Management

Application Security

Operations Security

Cryptography

Security Architecture and Design

Access Control Business Continuity &

Disaster Recovery

Telecommunications and Network Security

Physical (Environmental)

Security

Legal, Regulations, Compliance & Investigations

Page 116: Ramnish Singh Platform Security Briefing

Access Control

Physical access

Access control system operation

Credential

Access control system components

Access control door wiring

Types of readers

Security risks

Access control system topologies

Computer security

Identification and authentication (I&A)

Authorization

Accountability

Discretionary access control

Mandatory access control

Role-based access control

Page 117: Ramnish Singh Platform Security Briefing

Application Security

Application Threats Attacks

Input Validation

Authentication

Authorization

Configuration management

Session management

Cryptography

Sensitive data

Parameter manipulation

Exception management

Auditing and logging

Security standards & regulations

SOX

HIPAA

ISO/IEC 70xx, 97xx, 14888-x, 17799, 24xxx, 27xxx

Gramm-Leach-Bliley Act

PCI DSS

Page 118: Ramnish Singh Platform Security Briefing

Business Continuity

Analysis

Solution design

Implementation

Testing and organizational acceptance

Maintenance

Business Continuity Planning Lifecycle

Page 119: Ramnish Singh Platform Security Briefing

Disaster Recovery

Tier 0: No off-site data – Possibly no recovery

Tier 1: Data backup with no hot site

Tier 2: Data backup with a hot site

Tier 3: Electronic vaulting

Tier 4: Point-in-time copies

Tier 5: Transaction integrity

Tier 6: Zero or near-zero data loss

Tier 7: Highly automated, business integrated solution

Page 120: Ramnish Singh Platform Security Briefing

Cryptography

Symmetric-key

Asymmetric-key

Page 121: Ramnish Singh Platform Security Briefing

Information Security

Authenticity

Non-repudiation

Security classification for information

Controls

Access Control

Cryptography

Defense in Depth

Administrative Logical Physical

Page 122: Ramnish Singh Platform Security Briefing

Risk Management

Establishing Context

Identification

Assessment

Potential Risk Treatments

Risk Management plan

Implementation

Review & plan evaluation

Risk avoidance

Risk reduction

Risk retention

Risk transfer

Page 123: Ramnish Singh Platform Security Briefing

Operations Security

[Image: World War II-era poster promoting OPSEC]

OPSEC

Identification of Critical Information

Analysis of Threats

Analysis of Vulnerabilities

Assessment of Risk

Application of Appropriate OPSEC Measures

Page 124: Ramnish Singh Platform Security Briefing

Security Architecture and Design

Page 125: Ramnish Singh Platform Security Briefing

Legal, Regulations, Compliance & Investigations

Page 126: Ramnish Singh Platform Security Briefing

Telecommunications and Network Security

Passive Attacks

Active Attacks

Network Vulnerabilities

Media Tapping

Page 127: Ramnish Singh Platform Security Briefing

Physical Security

Video monitoring

Intrusion detection

Mechanical and electronic access control

Environmental design

Key Features

Explosion protection

Obstacles

Alarms, security lighting, security guard patrols or CCTV

Security response

Key Elements

Page 128: Ramnish Singh Platform Security Briefing

Security Guidance and Resources

Microsoft Security Home Page: www.microsoft.com/security

Microsoft Forefront: http://www.microsoft.com/forefront/default.mspx

General Information:

Microsoft Live Safety Center: http://safety.live.com

Microsoft Security Response Center: www.microsoft.com/security/msrc

Security Development Lifecycle: http://msdn.microsoft.com/security/sdl

Get the Facts on Windows and Linux: www.microsoft.com/getthefacts

Anti-Malware:

Microsoft OneCare Live: https://beta.windowsonecare.com

Microsoft Defender: www.microsoft.com/athome/security/spyware/software

Spyware Criteria: www.microsoft.com/athome/security/spyware/software/isv

Guidance Centers:

Security Guidance Centers: www.microsoft.com/security/guidance

Security Guidance for IT Professionals: www.microsoft.com/technet/security

The Microsoft Security Developer Center: msdn.microsoft.com/security

The Security at Home Consumer Site: www.microsoft.com/athome/security

Page 129: Ramnish Singh Platform Security Briefing

Thank you (shown on the slide in Hindi, Gujarati, Bengali, Punjabi, Odia, Tamil, Telugu, Kannada and Malayalam)

Page 130: Ramnish Singh Platform Security Briefing

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.