Microsoft blue-gray style PPT template.ppt

Uploaded by: za****8 | Document ID: 16589817 | Upload date: 2020-10-16 | Format: PPT | Pages: 26 | Size: 1.87MB
Resource description
Microsoft Security Strategy

Session Agenda
- Focus on Customer Challenges
- Microsoft Security Strategy
  - Secure Windows Initiative
  - Strategic Technology Protection Program
  - Trustworthy Computing
- Building the secure platform
  - .NET Framework
  - Windows .NET
- Summary
- Questions

Technology, Process, People: What are the challenges?
- Products lack security features
- Products have bugs
- Insufficient technical standards
- Difficult to stay up-to-date
- Design for security
- Roles & responsibilities
- Vigilance
- Business continuity plans
- Stay up-to-date with security development
- Problem recognition
- Skills shortage
- Human error
People

Microsoft Security Strategy
- Trustworthy Computing
- Strategic Technology Protection Program
- Secure Windows Initiative

Secure Windows Initiative
"Engineering For Security"
Goal: Eliminate Every Security Vulnerability Before The Product Ships
People, Process, Technology

Industry Yardstick
[Chart: value axis from 0 to 35. Systems shown: MandrakeSoft Linux Mandrake 7.2, Red Hat Linux 7.0, MandrakeSoft Linux Mandrake 7.1, Debian Linux 2.2, Sun Solaris 8.0, Sun Solaris 7.0, Microsoft Windows 2000, MandrakeSoft Linux Mandrake 7.0, SCO Open Server 5.0.6, Red Hat Linux 6.2 i386. Source: Security Focus]

Secure Windows Initiative
People
- Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products
Process
- Make security a critical factor in design, coding and testing of every product Microsoft builds
- Cross-group design & code reviews
- Security Threat Analysis part of every design spec
- Red Team testing and code reviews
- Focus not confined to buffer overruns
- Security bug feedback loop & code sign-off requirements
- External reviews and testing by consultants and public
Technology
- Build tools to automate everything possible in the quest to code the most secure products
- Prefix and Prefast for buffer overrun detection
- Updated as new vulnerabilities found
- Visual C++ 7.0 compiler improvements
- Domain-specific tools (i.e. RPC security stress)

Secure Windows Initiative: External Security Review
- FIPS 140-1 evaluation of Cryptographic Service Provider (CSP)
  - Completed
  - Government validation of base crypto algorithms in Windows
- Common Criteria evaluation
  - In Preparation
  - Evaluation of Windows source code against International security criteria for evaluating
- Third party expert review of key components
- Source code licensed to over 80 universities, labs, and government agencies

Strategic Technology Protection Program
Goal: Help customers secure their Windows Systems
People, Process, Technology

Strategic Technology Protection Program - Customers Need Our Help
- I didn't know which patches I needed
- I didn't know where to find the updates
- I didn't know which machines to update
- We updated our production servers, but the rogue servers got infected
- More than 50% of the customers affected by Code Red were not patched in time for Nimda

STPP: "Get Secure"
- Coming - Enterprise Security Tools
  - Microsoft Baseline Security Analyzer
  - SMS security patch rollout tool
  - Windows Update Auto-update client
- Now - Microsoft Security Toolkit
  - Server oriented security resources. New server security tools and updates, Windows Update bootstrap client for Windows 2000
- Now - Security Assessment Program Offering
  - Available immediately through MCS/PSS
- Now - Free Virus Support Hotline
  - Contact your local PSS office

Get Secure: Microsoft Security Toolkit
- Gets Windows NT and 2000 systems to secure baseline, even disconnected net
- Automates server updates
- One-button wizard and SMS Scripts
- Updates and Patches
- Includes all Service Packs and critical OS and IIS patches through 10/15
- HFNetchk: patch level verifier
- IIS Lockdown & URLScan

STPP: "Stay Secure"
- Ongoing - Enhanced Product Security
  - Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
- Spring 2002 - Federated Corporate Windows Update Program
  - Allows enterprise to host and select Windows Update content
- Spring 2002 - Windows 2000 Service Pack (SP3)
  - Provide ability to install SP3 + security rollup with a single reboot
- Jan. 2002 - Windows 2000 Security Rollup Patches
  - Bundle all security fixes in single patches
  - Reduces reboots and administrator burden

Corporate Update Server Solution
Automatic Update (AU) client
- Automatically download and install critical updates
- Security patches, high impact bug fixes and new drivers when no driver is installed for a device
- Checks Windows Update service or Corporate Update server once a day
- New! Install at schedule time after automatic downloads
- Administrator control of configuration via registry-based policy
- Support for Windows .NET Server, Windows XP and Windows 2000
Update server
- Corporate hosted WU server to support download and install of critical updates through AU client
- Server synchronizes with the public Windows Update service
- Simple administrative model via IE
- Updates are not made available to clients until the administrator approves them
- Runs on Windows .NET Server and Windows 2000 Server

Trustworthy Computing
Goal: Make devices powered by computers and software as trustworthy as devices powered by electricity.

A Trust Taxonomy
- Availability: At advertised levels
- Suitability: Features fit function
- Integrity: Against data loss or alteration
- Privacy: Access authorized by end-user
- Reputation: System and provider brand
- Security: Resists unauthorized access
- Quality: Performance criteria
- Dev Practices: Methods, philosophy
- Operations: Guidelines and benchmarks
- Business Practices: Business model
- Policies: Laws, regulations, standards, norms
- Intent: Management assertions
- Risks: What undermines intent, causes liability
- Implementation: Steps to deliver intent
- Evidence: Audit mechanisms
Goals, Means, Execution

Building the secure platform
Goal: Provide IT with a secure, integrated foundation for managing how users, business, and technologies connect.

Security in depth
- Infrastructure (PKI, Directory)
- Network (IPSec, Wireless, VPN)
- Device (PDA, Laptops, PCs, Servers)
- Application
- Management

Typical Application Architecture
[Diagram elements: Users, Front End, Back End; Authentication, Network Access, Authorization, Audit, Alerts]

Secure Network Access
[Same diagram elements, plus: Firewall, VPN, Wireless, IPSEC]

Flexible Authentication
[Same diagram elements, plus: Basic, HTTP Digest, Kerberos, Certificates, Smartcards]

Rich Access Controls
[Same diagram elements, plus: Access Control Lists, Roles]

System Wide Auditing
[Same diagram elements, plus: Audit Actions, Distributed Devices, Audit Policy]

Alert Infrastructure
[Same diagram elements, plus: Event Forwarding, Filtering, Correlation]

Windows Brings it Together
- Active Directory
  - Integrated network authentication
  - Policy based management
- PKI
  - Integrated PKI services and auto-enrollment
  - Used by IPSEC, Smartcard, Code Signing etc.
- Networking
  - Secure network access via 802.1x support
  - Authenticated firewall access via Microsoft ISA server
- Protected Devices
  - Encrypting File System
  - Software Restriction Policies

© 2002 Microsoft Corporation. All rights reserved.