Enhancing Customer Security: Commitment and Progress
Tyler S. Farmer
Sr. Technology Specialist II
Education Solutions
Microsoft Corporation
7 Year Lifecycle
5 years of “Mainstream Support”
no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims, and hotfix support.
2 more years of “Extended Support”
all paid support options, security-related hotfix support (no charge).
Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased within 90 days after Mainstream support ends.
Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
End of Life – NT Server 4.0
Regular support ends Dec. 2004.
Security hotfix support ends Dec. 2004.
Non-security hotfix support ends Dec. 2003.
End of Life – NT Workstation 4.0
Basically ended on June 30, 2003.
Some security patches still coming, probably with NT Server (June 2004).
End of Life – Windows 98
Regular support ended June 30, 2003.
Paid incident support extended to June 30, 2006.
This does not include new security fixes (available through Premier Support)
Microsoft Java Virtual Machine
According to 2001 Settlement w/ Sun, Microsoft is no longer authorized to support Java VM, starting October 2004
This includes security patches
Days From Patch to Exploit
The average is now nine days for a patch to be reverse-engineered
As this cycle keeps getting shorter, patching is a less effective defense in large organizations
Why does this gap exist?
[Chart: Days between patch and exploit. Worms shown: Blaster, Welchia/Nachi, Nimda, SQL Slammer. Values shown: 151, 180, 331, 25.]
The Forensics of a Virus
July 1: Vulnerability reported to us / Patch in progress
July 16: Bulletin & patch available / No exploit
July 25: Exploit code in public
Aug 11: Worm in the world
Report: Vulnerability in RPC/DCOM reported. MS activated highest level emergency response process.
Continued outreach to analysts, press, community, partners, government agencies
Exploit: X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.
Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”)
Blaster shows the complex interplay between security researchers, software companies, and hackers
Microsoft Commitment
Build software and services that will help better protect our customers and the industry.
Better processes and tools
Guidance and training for our customers
Improve the Patching Experience
Improve the Patching Experience
New Patch Policies
Extending support to June 2004
Windows 2000 SP2
Windows NT SP6a
Non-emergency security patches on a monthly release schedule
Allows for planning a predictable monthly test and deployment cycle
Packaged as individual patches that can be deployed together
Achieves benefits of security rollup with increased flexibility
Patches for emergency issues will still release immediately
Improve the Patching Experience
Patch Enhancements
Your Need: Extend patch automation to all products
Our Response: 11/03: SMS 2003 offers capability to patch all supported Microsoft platforms and applications. By end of 2004, all MS patches behave the same at installation (MSI 3.0 + SUS 2.0) and available in one place: MS Update
Your Need: Reduce patch size
Our Response: Now: Reduced patch size by 35% or more. Will have 80% reduction by 5/04. (Delta patching technology and improved functionality with MSI 3.0)
Your Need: Reduce patch complexity
Our Response: By 5/04: Consolidating to 2 patch installers for W2K and higher, Office & Exchange. All patches will behave the same way (SUS 2.0, MSI 3.0)
Your Need: Reduce risk of patch deployment
Our Response: Now: Increased internal testing; customer testing of patches pre-release. By 5/04: rollback capability for Windows, SQL, Exchange, Office
Your Need: Reduce downtime
Our Response: Now: 10% fewer reboots on W2K and higher. By 5/04: 30% fewer reboots on Win 2003 (starting in SP1). Up to 70% reduction for next server
Security Guidance for IT Pros
Available Now
17 prescriptive books
How Microsoft secures Microsoft guidance & tools
Later this year and throughout 2004
More prescriptive & how-to guides
Tools & scripts to automate common tasks
Focused on operating a secure environment
Patterns & practices for defense in depth
Enterprise security checklist – the single place for authoritative security guidance
Training & Guidance: IT Pros
IT Pros: 500K customers to be trained by the end of 2004
Monthly Webcasts and Seminars
New guidance on Microsoft.com
http://www.microsoft.com/guidance
Security Guidance Kit CD
New monthly newsletter
http://www.microsoft.com/technet/security/secnews/newsletter.htm
Proactive communications
Using Virus Information Alliance collective data for better threat response
Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
Apply the patch or workaround immediately
Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources
Apply patch or workaround as soon as is feasible
Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
Evaluate bulletin, determine applicability, proceed as appropriate
Low: Exploitation is extremely difficult, or impact is minimal
Consider applying the patch at the next scheduled update interval
Revised November 2002
More information at http://www.microsoft.com/technet/security/policy/rating.asp
Each component team develops threat models, ensuring that design blocks applicable threats
Improving Quality: Windows Server
[Chart: "Critical" & "Important" Security Bulletins From General Availability, WS2003 vs. Win2000 Server. Axes: Days after availability, Bulletins. Values shown: 36, 6.]
Services Disabled by Default
Alerter
ASP.NET State
ClipBook
Distributed Link Tracking Server
Fast User Switching Compat
IMAPI CD-Burning COM Service
Indexing Service
License Logging
Messenger
NET Framework Support Service
NetMeeting Remote Desktop Sharing
Network DDE
Portable Media Serial Number
Remote Access Auto Connection Manager
System Event Notification
Windows XP SP2
Easier, effective management of PC security that puts the customer in control
Network protection, safer e-mail and Web browsing, memory protection
Beta 1 released on December 19, 2003
Ongoing vigilance
Continued internal training and focus on building secure code
“Security is our #1 Priority”
#1 “We will move to one patching experience by May of next year that works across Windows and all of the application products.”
#2 “Better quality in the patches” and “Rollback capability for all patches.”
#3 “Reduce the size of patches.”
#4 “Cut the # of reboots by 30%”
#10 – “Patching is critical, but insufficient” – Goal is to make 70% of patches installable on your schedule, not Microsoft’s
This is the quarantine technologies mentioned earlier
#11 – Browser work so Active X controls are “sandboxed”, limit potential damage
#12 – Improve memory protection for buffer overruns
Best Practices for Defense in Depth
http://www.microsoft.com/security/guidance
How Microsoft Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
MSDN Security Development Tools
http://msdn.microsoft.com/security/downloads/tools/default.aspx