Enhancing Customer Security: Ongoing Efforts to Help Customers
Dave Sayers
Technical Specialist
Microsoft UK
Agenda
Impact of Security on Business
Security as an Enabler
Trustworthy Computing
Improving Security
Improving the Patching Experience
Security Technologies for Clients
Security Technologies for Servers
Commitment to Customers
Impact to Business
Industry
14B devices on the Internet by 2010 [1]
35M remote users by 2005 [2]
65% increase in dynamic Web sites [3]
Security
90% detected security breaches [4]
75% have financial loss from breaches [4]
85% detected computer viruses [4]
80% insider abuse of network access [4]
95% of all breaches avoidable [5]
[1] Source: Forrester Research
[2] Source: Information Week, 26 November 2001
[3] Source: Netcraft summary
[4] Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002
[5] Source: CERT, 2002
Impact to Microsoft Customers
Source: Forrester (Mar 03), Can Microsoft Be Secure?
Security As An Enabler
[Diagram labels: Dependable, Best Economics, Total Costs, ROI, Connected, Productive]
Lower Total Cost of Ownership
Fewer vulnerabilities
Simplify patch management
Downtime is expensive
Increase Business Value
Connect with customers
Integrate with partners
Empower employees
What is Trustworthy Computing?
“Trustworthy Computing” means that users can trust computers and networks to be reliable, secure, and private. They can also trust those who provide products and services.
Trustworthy Computing
Improving Security
Responding to the Crisis
Patches proliferating
Time to exploit decreasing
Exploits are more sophisticated
Current approach is not sufficient
Security is our #1 Priority
There is no silver bullet
Change requires innovation
[Chart: Days between patch and exploit: 331, 180, 151, 25]
The Exploit Process
Security Researchers: Discover vulnerabilities
Exploit Coders: Reverse-engineer patches & post exploit code to the Web
Worm Builders: Hack together worms with posted exploit code & worm toolkits
What Microsoft is doing
Collaborating to fix vulnerabilities
Disclosing responsibly
Building community consensus that disclosure is not good
Reaching out
Anti-Virus Reward Program
Assisting with technical forensics work
Results:
Fewer researchers disclosing irresponsibly; continuing to improve
More industry experts are speaking out against exploit code
Two arrests around the Blaster worm
You’ve Told Us – Our Action Items
“The quality of the patching process is low and inconsistent” – Improve the Patching Experience
“I need to know the right way to run a Microsoft enterprise” – Provide Guidance and Training
“I can’t keep up…new patches are released every week” – Mitigate Vulnerabilities Without Patches
“There are still too many vulnerabilities in your products” – Continue Improving Quality
Progress To Date
SD3 + Communications
Secure by Design:
Security training for 11,000 engineers
Security code reviews of old source
Threat modeling
“Blackhat” test coverage
Buffer overrun detection in compile process
Secure by Default:
Office XP: Macros off by default
No sample code installed by default
IIS and SQL Server off by default in Visual Studio.NET
Secure in Deployment:
Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack
Created STPP to respond to customers
PAG for Windows 2000 Security Ops
Communications:
TAMs call Premier Customers proactively
MSRC severity rating system
Free virus hotline
MSDN security guidance for developers
www.microsoft.com/technet/security
Improve the Patching Experience
New Patch Policies
Extended security support to December 2004: Windows NT4 Server
Security patches on a monthly predictable release cycle
Allows for planning a predictable monthly test and deployment cycle
Packaged as individual patches that can be deployed together
NOTE: Exceptions will be made if customers are at immediate risk from viruses, worms, attacks or other malicious activities
Customer Pain
Patch and update management is the #1 driver of dissatisfaction* among IT operations staff
#1 activity that requires work after hours and on weekends
Activity                                                     SIT (1-3 SRVs)   MIT/LIT (4-49 SRVs)   EIT (50+ SRVs)
1. Updates, Patches, Hotfixes, Service Packs                 16.9%            22.7%                 22.6%
2. Application and SW Install / Upgrade                      9.1%             7.3%                  11.4%
3. Server – Management & Troubleshooting                     3.9%             8.3%                  6.3%
#1 activity that’s a ‘waste of time’
Activity                                                     SIT (1-3 SRVs)   MIT/LIT (4-49 SRVs)   EIT (50+ SRVs)
1. Updates, Patches, Hotfixes, Service Packs                 20.7%            22.9%                 25.6%
2. End User Support                                          11.7%            15.3%                 8.8%
3. Communication / Meetings / Dealing with Corporate Issues  2.7%             2.1%                  8.4%
*Based on results from survey of 462 IT Pros conducted in September 2003. Data shows % of total # of times the activity was listed as one of the top two drivers of 1) wasted time and 2) after hours or weekend work
Improve the Patching Experience
Patch Enhancements
Your Need – Our Response
Reduce patch complexity – By late 2004: Consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0)
Reduce risk of patch deployment – Now: Increased internal testing; customer testing of patches before release. By mid-2004: Rollback capability for W2k generation products and later (MSI 3.0 patches)
Reduce patch size – By late 2004: Substantially smaller patches for W2k generation and later OS & applications (Delta patching technology, next generation patching installers)
Reduce downtime – Now: Continued focus on reducing reboots. By late 2004: 30% of critical updates on Windows Server 2003 SP1 installed w/o rebooting (“hot patching”)
Improved tools consistency – By mid-2004: Consistent results from MBSA, SUS, SMS, Windows Update (will all use SUS 2.0 engine for detection)
Improved tools capabilities – May 2004: Microsoft Update (MU) hosts patches for W2k server, and over time SQL 2000, Office & Exchange 2003. By mid-2004: SUS 2.0 receives content from MU & adds capabilities for targeting, basic reporting and rollback
Patching Technologies – SUS 1.0
Internal Windows Update
Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003
For critical updates, security updates and service packs
Administrators maintain control over which items are published
Windows Update Services
Top Features Requested (coverage compared for Software Update Services 1.0 SP1 vs. Windows Update Services):
Support for service packs
Install on SBS and domain controller
Support for Office and other MS products
Support additional update content types
Update uninstall
Update targeting
Improve support for low bandwidth networks
Reduce amount of data that needs to be downloaded
Set polling frequency for downloading new updates
Minimize need for end user interruption
Emergency patch deployment (‘big red button’)
Deploy update for ISV and custom apps
NT4 support
Providing Guidance and Training
IT Professionals
Global Education Program
TechNet Security Seminars
Monthly Security Webcasts
www.microsoft.com/events
New Prescriptive Guidance
Patterns and practices
How-to configure for security
How Microsoft Secures Microsoft
Online Community
Security Zone for IT Professionals
Authoritative Enterprise Security Guidance
http://www.microsoft.com/technet/security/bestprac.asp
Beyond Patching
Make customers more resilient to attack, even when patches are not installed
Help stop known & unknown vulnerabilities
Goal: Make 7 out of every 10 patches installable on your schedule
Delivering Security Technologies
Windows XP SP2
Improved network protection
Safer email and Web browsing
Enhanced memory protection
RTM based on customer feedback
Windows Server 2003 SP1
Role-based security configuration
Inspected remote computers
Inspected internal environment
RTM H2 CY04
Security technologies for clients
What it is: Security enhancements that protect computers, even without patches…included in Windows XP SP2; more to follow
What it does: Helps stop network-based attacks, malicious attachments and Web content, and buffer overruns
Key Features:
Network protection: Improved ICF, DCOM, RPC protection turned on by default
Safer browsing: Pop-up blocking, protection from accidental installation of potentially malicious Web content
Memory protection: Improved compiler checks to reduce stack overruns, hardware NX support
Safer email: Improved attachment blocking for Outlook Express and IM
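The memory-protection feature above, like the “buffer overrun detection in compile process” item on the SD3 slide, targets code of the following shape. This is an added example and not code from the presentation or from Microsoft: a fixed-size stack buffer filled with strcpy() next to a hardened version that checks the length against the destination size before writing anything. The function names and the sample names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed stack buffer, including the NUL */

/* Before: the classic stack overrun. strcpy() stops only at the source's NUL
 * byte, so any name of 16 or more characters writes past buf[] into whatever
 * the compiler placed next to it on the stack (saved registers, the return
 * address). Compiler-inserted checks detect that corruption at function
 * return; the real fix is to never let the write happen. */
void unsafe_greeting(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);              /* no length check */
    printf("Hello, %s\n", buf);
}

/* After: the destination size is part of the interface and the length is
 * checked before a single byte is written. Over-long input is rejected
 * (return -1) rather than silently truncated, so the caller can log it.
 * On success (return 0) out[] holds the NUL-terminated copy. */
int safe_greeting(const char *name, char *out, size_t out_size)
{
    size_t len = strlen(name);
    if (out_size == 0 || len >= out_size)
        return -1;                  /* would not fit together with its NUL */
    memcpy(out, name, len + 1);     /* copy includes the terminating NUL */
    return 0;
}

/* Convenience wrapper: 1 if name fits a NAME_MAX buffer, 0 otherwise. */
int name_fits(const char *name)
{
    char out[NAME_MAX];
    return safe_greeting(name, out, sizeof out) == 0;
}

/* Constructed sample inputs: the last one is 40 bytes and would overrun
 * buf[] in unsafe_greeting(). */
static const char *const SAMPLE_NAMES[] = {
    "Alice",
    "Bob Smith",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
};
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/* Runs every sample through the hardened path and returns how many were
 * rejected; the over-long one is refused instead of corrupting the stack. */
int count_rejected(void)
{
    char out[NAME_MAX];
    int rejected = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (safe_greeting(SAMPLE_NAMES[i], out, sizeof out) != 0)
            rejected++;
        else
            printf("accepted: %s\n", out);
    }
    return rejected;
}

int main(void)
{
    unsafe_greeting("Alice");       /* harmless only because the input is short */
    printf("rejected %d of %zu sample names\n", count_rejected(), SAMPLE_COUNT);
    return 0;
}
```

The unsafe variant is kept only to show the pattern the compiler checks look for, and is only ever called with a short input. Stack cookies and hardware NX limit what an overrun can achieve once it has happened; the bounded version removes the overrun itself.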
Securing the Server Platform
Windows Server 2003 – Secure by Default
IIS 6.0
Reduced Automatic Services
Smart card requirements for administrative operations
Limited use of blank passwords
Encrypting the offline files database
Software Restriction Policies
Internet Connection Firewall
IE Lockdown
Securing Active Directory
Delegation of administration
Security Policies
Software Restriction Policies
GPMC
What-If Scenarios
Import GPOs
Cross-Forest Kerberos Trust
Authentication Firewall
SID Filtering
Quotas
Security Guides
Security technologies for Enterprises
What it is: Only clients that meet corporate security standards can connect…included in Windows Server 2003 SP1; more to follow
What it does: Protects enterprise assets from infected computers
Key Features:
Role-based security configuration: Locks down servers for their specific task
Inspected remote computers and internal environment:
Enforce specific corporate security requirements such as patch level, AV signature level & firewall state
Ensure these standards are met when VPN and local wired or wireless connections are made
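The inspection described above is an admission decision: the connecting client reports its posture, the server compares it with policy and either admits or quarantines it. The following is an added example, not code from the presentation or from Windows Server 2003 SP1. The data model, the 7-day signature-age limit and the two client reports are constructed for the illustration; the required bulletin ID is the one the deck itself cites (MS03-026).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Each failed check sets one bit, so a quarantined client can be told (and the
 * admin can log) every reason at once rather than only the first one found. */
enum posture_fail {
    FAIL_NONE     = 0,
    FAIL_PATCH    = 1 << 0,   /* a required security update is missing */
    FAIL_AV_SIG   = 1 << 1,   /* antivirus signatures older than policy allows */
    FAIL_FIREWALL = 1 << 2    /* host firewall is off */
};

#define MAX_IDS 8

/* What the connecting client reports about itself (constructed data model). */
struct client_posture {
    const char *installed[MAX_IDS];   /* bulletin IDs of installed updates */
    int installed_count;
    int av_sig_age_days;              /* age of the newest AV signature set */
    bool firewall_on;
};

/* What the enterprise requires before granting network access. */
struct policy {
    const char *required[MAX_IDS];    /* bulletin IDs that must be installed */
    int required_count;
    int max_av_sig_age_days;
    bool firewall_required;
};

static bool has_update(const struct client_posture *c, const char *id)
{
    for (int i = 0; i < c->installed_count; i++)
        if (strcmp(c->installed[i], id) == 0)
            return true;
    return false;
}

/* Returns the bitmask of failed checks; FAIL_NONE means fully compliant. */
unsigned evaluate_posture(const struct client_posture *c, const struct policy *p)
{
    unsigned fails = FAIL_NONE;
    for (int i = 0; i < p->required_count; i++)
        if (!has_update(c, p->required[i]))
            fails |= FAIL_PATCH;
    if (c->av_sig_age_days > p->max_av_sig_age_days)
        fails |= FAIL_AV_SIG;
    if (p->firewall_required && !c->firewall_on)
        fails |= FAIL_FIREWALL;
    return fails;
}

/* Admission decision at VPN or LAN connect time: only a fully compliant client
 * reaches the production network; anything else stays in the restricted
 * quarantine network until it has been remediated. */
bool admit_client(const struct client_posture *c, const struct policy *p)
{
    return evaluate_posture(c, p) == FAIL_NONE;
}

/* Constructed policy: requires the bulletin named on the slide (MS03-026),
 * AV signatures no older than 7 days, and the host firewall enabled. */
static const struct policy EXAMPLE_POLICY = {
    .required = { "MS03-026" }, .required_count = 1,
    .max_av_sig_age_days = 7, .firewall_required = true
};

/* Constructed client reports: one compliant laptop, one stale one. */
static const struct client_posture COMPLIANT_CLIENT = {
    .installed = { "MS03-026" }, .installed_count = 1,
    .av_sig_age_days = 2, .firewall_on = true
};
static const struct client_posture STALE_CLIENT = {
    .installed_count = 0, .av_sig_age_days = 30, .firewall_on = false
};

unsigned compliant_result(void) { return evaluate_posture(&COMPLIANT_CLIENT, &EXAMPLE_POLICY); }
unsigned stale_result(void)     { return evaluate_posture(&STALE_CLIENT, &EXAMPLE_POLICY); }

int main(void)
{
    unsigned f = stale_result();
    printf("compliant client admitted: %s\n",
           admit_client(&COMPLIANT_CLIENT, &EXAMPLE_POLICY) ? "yes" : "no");
    printf("stale client admitted: %s (missing patch=%d, old AV sigs=%d, firewall off=%d)\n",
           admit_client(&STALE_CLIENT, &EXAMPLE_POLICY) ? "yes" : "no",
           !!(f & FAIL_PATCH), !!(f & FAIL_AV_SIG), !!(f & FAIL_FIREWALL));
    return 0;
}
```

Reporting all failed checks at once matters operationally: a client that is only told about its missing update will reconnect, be quarantined again for stale signatures, and generate a second helpdesk ticket.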
Continue Improving Quality
Trustworthy Computing Release Process
Design docs & specifications – Security Review: Each component team develops threat models, ensuring that design blocks applicable threats
Develop & Test: Apply security design & coding standards; Tools to eliminate code flaws (PREfix & PREfast); Monitor & block new attack techniques
Security Push: Team-wide stand down; Threat model updates, code review, test & documentation scrub
Release – Security Audit: Analysis against current threats; Internal & 3rd party penetration testing
Support – Security Response (Service Packs, QFEs): Fix newly discovered issues; Root cause analysis to proactively find and fix related vulnerabilities
[Timeline: Design; Development, testing & documentation (M1, M2, … Mn, Beta); Product; Service Packs, QFEs]
Continue Improving Quality
For some widely-deployed, existing products:
[Chart: two products, each at Service Pack 3. Bulletins in the 10-month period prior to the TwC release vs. since (shipped Jan. 2003, 10 months ago as of Nov. 2003): 11 vs. 2. Bulletins in the 16-month period prior to the TwC release vs. since (shipped July 2002, 16 months ago as of Nov. 2003): 6 vs. 1]
Mandatory for all new products:
Critical or important vulnerabilities in the first …90 days and …180 days, by whether the product went through a TwC release:
TwC release?   …90 days   …180 days
No             8          21
Yes            3          6
Commitment to Customers
Patch Investments
Extended Support for NT4 Server
Improved Patching Experience – Windows Update Services
Global Education Effort
500,000 customers trained by June 2004
New Security “Expert Zone”
PDC Security Symposium
Security Innovations
Security technologies for Windows client
Security technologies for Windows server
Today: Extended support; Monthly patch releases; Baseline guidance; Community investments
H1 04: Windows XP SP2; Patching enhancements; SMS 2003; Windows Update Services; Microsoft Update; Broad training
H2 04: Windows Server 2003 SP1; Security technologies; Next generation inspection
Future: NGSCB; Windows hardening; Continued OS-level security technologies
Lockdown servers, workstations and network infrastructure
Design and deploy a proactive patch management strategy
Centralize policy and access management
Resources
General
http://www.microsoft.com/security
Technical Resources for IT Professionals
http://www.microsoft.com/technet/security
Best Practices for Defense in Depth
http://www.microsoft.com/technet/security/bestprac.asp
How Microsoft Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
MSDN Security Development Tools
http://msdn.microsoft.com/security/downloads/tools/default.aspx
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Resources
Enterprise Security Guidance
Design and Deploy a Proactive Patch Management Strategy
Microsoft Guide to Security Patch Management:
http://www.microsoft.com/technet/security/topics/patch
Lockdown Servers, Workstations and Network Infrastructure
Microsoft Windows XP Security Guide Overview http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.asp
Threats and Countermeasures Guides for Windows Server 2003 and Windows XP:
http://www.microsoft.com/technet/security/topics/hardsys/TCG/TCGCH00.asp
Windows Server 2003 Security:
http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp
Securing your Network:
http://msdn.microsoft.com/en-us/dnnetsec/html/THCMCh15.asp
Perimeter Firewall Service Design:
http://www.microsoft.com/technet/itsolutions/msa/msa20ik/VMHTMLPages/VMHtm57.asp
Network Access Quarantine for Windows Server 2003:
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
Centralize Policy and Access Management
Microsoft Identity and Access Management Solution:
http://www.microsoft.com/technet/security/topics/identity/idmanage
Architecture, Deployment, and Management:
http://www.microsoft.com/technet/security/topics/architec
Continue Improving Quality
Making Progress
23 Products In the TwC Release Process
.NET Framework (for 2002 & 2003)
ASP.NET (for 2002 & 2003)
Biztalk Server 2002 SP1
Commerce Server 2000 SP4
Commerce Server 2002 SP1
Content Management Server 2002
Exchange Server 2003
Host Integration Server 2002
Identity Integration Server 2003
Live Communications Server 2003
MapPoint.NET
Office 2003
Rights Mgmt Client & Server 1.0
Services For Unix 3.0
SQL Server 2000 SP3
Visual Studio .NET 2002
Visual Studio .NET 2003
Virtual PC
Virtual Server
Windows CE (Magneto)
Windows Server 2003
Windows Server 2003 ADAM
Improving Patching Experience
Security Bulletin Severity Rating System
Free Security Bulletin Subscription Service
http://www.microsoft.com/technet/security/bulletin/notify.asp
Rating / Definition / Customer Action
Critical
Definition: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
Customer Action: Apply the patch or workaround immediately
Important
Definition: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources
Customer Action: Apply patch or workaround as soon as is feasible
Moderate
Definition: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
Customer Action: Evaluate bulletin, determine applicability, proceed as appropriate
Low
Definition: Exploitation is extremely difficult, or impact is minimal
Customer Action: Consider applying the patch at the next scheduled update interval
Revised November 2002
More information at http://www.microsoft.com/technet/security/policy/rating.asp
The Forensics of a Virus
July 1 – Report: Vulnerability reported to us / Patch in progress. Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
July 16 – Bulletin: Bulletin & patch available; no exploit. MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies
July 25 – Exploit: Exploit code in public. X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers
Aug 11 – Worm: Worm in the world. Blaster worm discovered; variants and other viruses hit simultaneously (e.g. “SoBig”)
Blaster shows the complex interplay between security researchers, software companies, and hackers
Client Attack Vectors
Malicious e-mail attachments
Port-based attacks
Malicious Web content
Buffer overrun attacks
Enterprise Attack Vectors
Potentially infected local client
Potentially infected remote client
Security Guidance for IT Pros
Focused on operating a secure environment
Patterns & practices for defense in depth
Enterprise security checklist – the single place for authoritative security guidance
Available Now
17 prescriptive books
How Microsoft secures Microsoft
Later this year and throughout 2004
More prescriptive & how-to guides
Tools & scripts to automate common tasks