What’s Next for Microsoft Security?
Kai Axford, CISSP, MCSE-Security
IT Pro Evangelist
Microsoft Corporation
[email protected]
What’s Next for Security? - Our Security Progress so far… (as of February 2006)
Service Pack 2
Malicious Software Removal Tool
2B total executions; 200M per month
Focus on most prevalent malware
Dramatically reduced the # of Bot infections
Most popular download in Microsoft history!!
Helps protect more than 25 million customers
Great feedback from SpyNet participants
Security Configuration Wizard
More secure by design; more secure by default
More than 4.7 million downloads
Service Pack 1
More than 260 million copies distributed
Enterprise deployment at 61%
15 times less likely to be infected by malware
Significantly fewer important & critical vulnerabilities
What’s Next for Security? - So what products is Microsoft working on now?
Windows Vista
Certificate Lifecycle Manager
Secure Messaging with Antigen and FrontBridge
Network Access Protection
ISA Server 2006
Windows Vista - Windows Service Hardening: Defense in depth
Service Hardening
Windows services are profiled for allowed actions to the network, file system, and registry
Services run with reduced privilege compared to Windows XP
Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile
Diagram: active protection covering the file system, registry, and network
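The per-service profile idea above, as an added illustration that is not part of the deck and not how Windows itself implements service hardening: a Python model in which each service carries an allow-list of file paths, registry keys and network endpoints, every attempted operation is checked against it, and anything outside the profile is blocked and reported. The service name, the paths and the operations are constructed for the example.

```python
"""Toy model of the per-service allow-list idea behind Windows Service
Hardening. Constructed example: the service name, paths and operations are
made up, and nothing here reads real Windows policy."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class ServiceProfile:
    """What one service is allowed to do; anything not listed is denied."""
    name: str
    file_writes: list = field(default_factory=list)      # glob patterns of writable paths
    registry_writes: list = field(default_factory=list)  # glob patterns of writable keys
    network: list = field(default_factory=list)          # (direction, protocol, port) tuples

    def allows(self, op: dict) -> bool:
        kind = op["kind"]
        if kind == "file_write":
            return any(fnmatch(op["path"].lower(), pat.lower()) for pat in self.file_writes)
        if kind == "registry_write":
            return any(fnmatch(op["key"].lower(), pat.lower()) for pat in self.registry_writes)
        if kind == "network":
            return (op["direction"], op["protocol"], op["port"]) in self.network
        return False  # unknown operation kinds are denied by default


def evaluate(profile: ServiceProfile, ops: list) -> tuple:
    """Split attempted operations into (allowed, blocked). The blocked list is
    what a defender would alert on: a service stepping outside its profile."""
    allowed, blocked = [], []
    for op in ops:
        (allowed if profile.allows(op) else blocked).append(op)
    return allowed, blocked


# Constructed profile for a hypothetical update service.
PROFILE = ServiceProfile(
    name="ExampleUpdateSvc",
    file_writes=[r"C:\ProgramData\ExampleUpdateSvc\*"],
    registry_writes=[r"HKLM\SOFTWARE\ExampleUpdateSvc\*"],
    network=[("outbound", "tcp", 443)],
)

# Constructed operations: the first three are normal for this service, the
# last three are writes outside its profile that the policy must block.
ATTEMPTS = [
    {"kind": "file_write", "path": r"C:\ProgramData\ExampleUpdateSvc\cache.dat"},
    {"kind": "registry_write", "key": r"HKLM\SOFTWARE\ExampleUpdateSvc\LastRun"},
    {"kind": "network", "direction": "outbound", "protocol": "tcp", "port": 443},
    {"kind": "file_write", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"kind": "registry_write", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\OtherSvc\ImagePath"},
    {"kind": "network", "direction": "inbound", "protocol": "tcp", "port": 8080},
]

if __name__ == "__main__":
    ok, denied = evaluate(PROFILE, ATTEMPTS)
    print(f"{PROFILE.name}: {len(ok)} allowed, {len(denied)} blocked")
    for op in denied:
        print("  blocked:", op)
```

The design point is default deny: a profile lists only what the service needs, so a compromised service that tries to touch another service's configuration or open a listening port fails the check without anyone having to anticipate that specific action.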
Windows Vista - Internet Explorer 7.0
Social Engineering Protections
Phishing Filter and Colored Address Bar
Dangerous Settings Notification
Secure defaults for International Domain Names (IDN)
Protection From Exploits
Unified URL Parsing
Code quality improvements (SDL)
ActiveX Opt-in
Protected Mode to prevent malicious software
Windows Vista - User Account Control (UAC)
Challenges
Users with elevated privileges mean increased risk
Line of Business (LoB) applications require elevated privileges to run
Common Operating System configuration tasks require elevated privilege
Goal
Allow businesses to move to a better-managed desktop and consumers to use parental controls
Windows Vista - BitLocker™ Drive Encryption
Formerly Secure Start-up
Designed specifically to prevent a thief who boots another Operating System or runs a hacking tool from breaking Windows file and system protections
Provides data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System
Uses a v1.2 TPM or USB flash drive for key storage
Diagram: BitLocker
BitLocker™ Drive In XP
BitLocker™ Drive In Linux
Linux BitLocker volume errors
1. Fdisk reads partition table... thinks FVE partition is ntfs
2. wrong fs type, bad option, bad superblock on /dev/sda2, missing codepage or other error
3. Primary boot sector is invalid, Not an NTFS volume
demo
What is Microsoft Certificate Lifecycle Manager?
Single administration point for digital certificates and smart cards
Configurable policy-based workflows for common tasks (enroll, renew, revoke, etc.)
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure
Certificate Lifecycle Manager - Architectural Overview
Diagram (Physical Architecture) labels: Microsoft Certificate Lifecycle Manager, Microsoft CAs, End User, SQL, AD, E-mail
Server Side - Certificate Lifecycle Manager
Windows Server 2003
Certificate Services Add-on
SQL Server 2000 SP3
Email/SMTP service
Client Side - Certificate Lifecycle Manager Client
Bulk Smart Card Issuance Tool
Certificate Lifecycle Manager - Screenshots
Microsoft Secure Messaging - Multi-Layer Secure Messaging
Diagram labels: Internet, External Firewall, DMZ, ISA Server, Internal Firewall, Corporate Network, Authentication and Authorization
Managed Services: FrontBridge E-mail Filtering Services
On-Premise Software: Antigen for Exchange, Antigen for SMTP Gateways, Advanced Spam Manager
FrontBridge - E-mail Complexity Requires Flexibility
E-mail Filtering
Layered anti-spam
Multi-engine anti-virus
Customized content and policy enforcement
Real-time attack prevention
Message Archive
Interception-based message archiving
Customized report generation for demonstrating compliance
Fully-indexed, searchable archive
Rapid deployment to meet deadlines or immediate needs
Secure E-mail
Full e-mail encryption
No public and private key management
Gateway, policy-based e-mail encryption
Active Message Continuity
Uninterrupted e-mail accessibility
Rapid recovery from unplanned disasters and network outages
30-day historical e-mail store
FrontBridge - E-Mail Filtering
Edge and connection-based blocking
Directory services, real-time attack prevention, multi-layer virus scanning and content filtering
Advanced spam filtering
Fingerprinting, SPF lookups, rules-based scoring
E-Mail queuing
E-Mail quarantine
Microsoft Antigen - What is Antigen?
Antigen for SMTP/Exchange
On-premise, server-based mail scanning software
Provides antivirus, anti-spam, content and file filtering
Multiple complementary technologies used
Complete end user control
Protection against internal threats and virus propagation
Microsoft Antigen - Overview
All Antigen products integrate multiple antivirus engines from 3rd party vendors. Four engines are provided as part of the base cost.
AhnLabs
Authentium Command
CA InoculateIT*
CA VET*
Kaspersky Lab
Norman Data Defense*
Sophos*
Virus Busters
*Default engines
The MS Antivirus engine will be provided in the first Microsoft-branded version of Antigen
Microsoft Antigen - Signature Updates

Sober.P Virus Detection Time, May 2, 2005 (GMT). Chart: time of day (hour:minute) at which each lab detected the outbreak. Source: AV-Test.org, May 2005.
Symantec       24:38
eTrust-VET     23:15
McAfee         21:38
Avast          21:33
AVG            21:27
Trend Micro    21:18
Norman         20:46
AntiVir        20:24
eTrust-INO     19:54
Panda          18:49
VirusBuster    18:44
Fortinet       18:18
F-Secure       18:18
Ikarus         18:14
Command        17:38
Sophos         17:27
BitDefender    17:19
AVK            16:56
F-Prot         16:54
Kaspersky      16:39

No. Updates/Day, January 2005 Updates. Source: AV-Test.org, Feb. 2005.
Kaspersky      18.5
Dr. Web        10.7
Sophos          2.7
BitDefender     1.7
ClamAV          1.5
AntiVir         1.4
F-Secure        1.4
Panda           1.3
Ikarus          1.1
Symantec        1.1
Trend Micro     1.0

Note: the Sober.P chart represents a single virus outbreak only. It does not represent average response times for the listed antivirus labs.
Legend: Antigen Engines
Microsoft Antigen - Antigen for Exchange
Detects and removes viruses in e-mail messages and attachments
Scans at SMTP stack (most processing-intensive scans)
Scans real-time at Exchange Information Store
Provides on-demand and scheduled scans of Information Store
Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003
Provides advanced content-filtering capabilities for messages and attachments
Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level
Protects Exchange Server 5.5, 2000, and 2003
Diagram labels: Internet, ISA Server, Exchange Front End, Exchange Site 1, Exchange Site 2, Exchange Public Folder Server, Exchange Mailbox Server
Network Access Protection
Virus entering the enterprise by:
Employees returning from trips
Consultants/guests plugging in
Employees VPN-ing in
Attacking vulnerable machines in the network
Causing loss of productivity and financial loss

Year   Virus      WW Financial Impact (USD)
1999   Melissa    1.10 Billion
2000   Love Bug   8.75 Billion
2001   Code Red   2.75 Billion
2002   Klez       750 Million
2003   Slammer    1.25 Billion
Source: Virus Attack Costs are Rising – Again. Computer Economics, Inc., Sept 2003.
Network Access Protection - Why you need a NAP…
IT Administrators looking for tools to:
Manage/Monitor               NAP   Description
Health Check?                Yes   Check machine state before allowing access
Remediate Vulnerabilities?   Yes   In conjunction with SMS/WUS and 3rd parties
Detect/Manage?               Yes   In conjunction with SMS/MOM and 3rd parties
Network Access Protection - IPSec-based NAP Walk-through
Participants: Client, DHCP, Health Registration Authority, IAS, Remediation Server
Zones: Quarantine Zone, Boundary Zone, Protected Zone
Client -> DHCP: May I have a DHCP address?
DHCP -> Client: Here you go.
Client -> Health Registration Authority: May I have a health certificate? Here’s my SoH.
Health Registration Authority -> IAS: Client ok?
IAS -> Health Registration Authority: No! Needs updates.
Health Registration Authority -> Client: You don’t get a health certificate! Get updates!
Client -> Remediation Server: I need updates.
Remediation Server -> Client: Here you go.
IAS -> Health Registration Authority: Yes. Issue health certificate.
Health Registration Authority -> Client: Here’s your health certificate.
Accessing the network: X (blocked until the health certificate is issued)
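The exchange above, as an added illustration that is not part of the deck and not Microsoft's implementation: a Python model in which the Health Registration Authority asks a policy-evaluation function (the IAS role on the slide) whether the client's Statement of Health passes, a non-compliant client is sent through remediation and retries, and a client with a failure the remediation server cannot fix stays in the quarantine zone. The StatementOfHealth fields, the HealthPolicy thresholds, the "KB-EXAMPLE-*" update names and the health-certificate string are all constructed assumptions; the certificate is a plain token, not an X.509 certificate.

```python
"""Constructed simulation of the IPsec-based NAP walk-through: client ->
Health Registration Authority (HRA) -> policy server, with a remediation
round trip. Names, fields and the certificate token are assumptions."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class StatementOfHealth:            # what the client presents ("Here's my SoH")
    client: str
    av_signature_date: date
    installed_updates: frozenset
    firewall_enabled: bool


@dataclass(frozen=True)
class HealthPolicy:                 # what the policy server (the IAS role) enforces
    max_signature_age_days: int
    required_updates: frozenset


def evaluate_soh(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> list:
    """Policy-server decision: a list of failures; an empty list means 'Client ok'."""
    failures = []
    if (today - soh.av_signature_date).days > policy.max_signature_age_days:
        failures.append("stale-av-signatures")
    for kb in sorted(policy.required_updates - soh.installed_updates):
        failures.append("missing-update:" + kb)
    if not soh.firewall_enabled:
        failures.append("firewall-disabled")
    return failures


def request_health_certificate(soh, policy, today):
    """HRA role: consult the policy server and issue a (constructed) certificate only when healthy."""
    failures = evaluate_soh(soh, policy, today)
    if failures:
        return None, failures
    return f"health-cert:{soh.client}:{today.isoformat()}", []


def remediate(soh, failures, today):
    """Remediation-server role: it can push updates and fresh signatures, but it
    cannot re-enable a firewall the user switched off, so that failure survives."""
    installed = set(soh.installed_updates)
    sig_date = soh.av_signature_date
    for f in failures:
        if f.startswith("missing-update:"):
            installed.add(f.split(":", 1)[1])
        elif f == "stale-av-signatures":
            sig_date = today
    return replace(soh, installed_updates=frozenset(installed), av_signature_date=sig_date)


def nap_walkthrough(soh, policy, today):
    """Run the exchange with one remediation retry. Returns (zone, certificate, transcript)."""
    transcript = ["Client -> HRA: May I have a health certificate? Here's my SoH."]
    cert, failures = request_health_certificate(soh, policy, today)
    if cert is None:
        transcript.append("HRA -> Client: No health certificate. Needs: " + ", ".join(failures))
        transcript.append("Client -> Remediation Server: I need updates.")
        soh = remediate(soh, failures, today)
        transcript.append("Client -> HRA: retrying with the updated SoH.")
        cert, failures = request_health_certificate(soh, policy, today)
    if cert is None:
        transcript.append("HRA -> Client: still unhealthy: " + ", ".join(failures))
        return "QuarantineZone", None, transcript
    transcript.append("HRA -> Client: Here's your health certificate.")
    return "ProtectedZone", cert, transcript


# Constructed inputs (not from the slide).
TODAY = date(2006, 2, 1)
POLICY = HealthPolicy(max_signature_age_days=3,
                      required_updates=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
LAPTOP = StatementOfHealth("laptop-01", TODAY - timedelta(days=10), frozenset({"KB-EXAMPLE-1"}), True)
GUEST = StatementOfHealth("guest-pc", TODAY, frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), False)

if __name__ == "__main__":
    for soh in (LAPTOP, GUEST):
        zone, cert, lines = nap_walkthrough(soh, POLICY, TODAY)
        print(soh.client, "->", zone, cert)
        for line in lines:
            print("  ", line)
```

The laptop returning from a trip fails on stale signatures and a missing update, is remediated, and ends in the protected zone; the guest PC with its firewall off gets no certificate and stays quarantined, which is the case the remediation-server design has to handle explicitly rather than loop on forever.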
ISA Server 2006 - Web Access Protection
Diagram labels: Internet, External Web Site, Administrator, Attacker, ISA 2006 Appliance, DMZ, Internal Network, Extranet Web Server
External Attack Resilience
Internal Attack Resilience
Minimal Downtime
Remediation Measures
Better Management
ISA Server 2006 - Flood Mitigation
Did you realize? In the last 30 minutes…
Over 1,500 IT Pros visited security content on Microsoft.com
250 customers downloaded Windows Server 2003 SP1
Over 50,000 users ran the Malicious Software Removal Tool
2 instances of the Sasser worm were removed
149 Bot infections were found and removed
Over 18,000 additional users installed Windows Defender
~7,500 pieces of spyware and other potentially unwanted software were removed
Microsoft Security Resources
Windows Vista Beta: http://www.microsoft.com/windowsvista/
Certificate Lifecycle Manager Beta: http://www.microsoft.com/windowsserversystem/clm/default.mspx
Antigen and FrontBridge: http://www.microsoft.com/securemessaging
Network Access Protection Beta: http://www.microsoft.com/technet/itsolutions/network/nap/beta.mspx
ISA Server 2006 Beta: http://www.microsoft.com/isaserver/2006/