Dean Iacovelli
Chief Security Advisor – State and Local Government
Microsoft Corporation deaniac@microsoft.com
Address your concerns about security
Update on current trends
Current initiatives at Microsoft
Future security product/solution roadmap
1. Defining and managing the risk
2. System Integrity
3. Identity management
4. Trustworthy Identity
5. Client protection
6. Server protection
7. Network protection
8. Summary, Q&A
Overall security policy and strategy for MS SLG
MS spokesperson to/from SLG customers
Information broker – resources, best practices, programs
Coordinator for incident response communication, security readiness
Not goaled on revenue
Basically: Help ensure SLG customers have a good experience dealing with security on the MS platform
Worms / viruses
Spyware
Spam
Patch management
Network access control
Identity management
Best practices / guidance
Looking at Linux for security reasons?
[Chart residue: attacker-motivation chart. Motives on one axis: National Interest, Personal Gain, Personal Fame, Curiosity. Attacker types: Vandal, Trespasser, Thief, Spy, Author; skill levels: Script-Kiddy Hobbyist, Hacker, Expert Specialist.]
Fastest growing segment: tools created by experts now used by less skilled attackers and criminals
Attacks becoming less numerous, more nasty
Viruses/worms still lead in financial cost BUT
6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI)
2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)
Botnets (used for cyber extortion) have jumped from average of 2500 machines in 2004 to 85,000 in 2006
Why sniff the net when you can hack the site or the password?
95% reported 10+ website incidents last year (FBI/CSI)
15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)
Major NT4/Win 98 supportability issues
Enterprise patching and management still not under control
What your neighbor isn’t doing IS your problem
Closer Look at Malware Data (MSRT)
Release    Days Live   Executions       Disinfections   % of executions
January    28          124,613,632      239,197         0.1920%
February   28          118,209,670      351,135         0.2970%
March      35          145,502,003      443,661         0.3049%
April      28          125,150,400      590,714         0.4720%
May        35          164,283,730      1,154,345       0.7027%
June       28          162,763,946      642,955         0.3950%
…          …           …                …               …
Total      362         1,804,565,652    8,679,656       0.481%
Breakdown by malware category (Source: Microsoft): Bots 58%, Exploit Worms 15%, Mass Mailing Worms 15%, Rootkits 10%, Instant Msg. Worms 1%, Trojans 1%
[Chart residue: "Malware per Machine" (x axis 1 to 9) against "Machines Cleaned (log)" (y axis 1 to 1,000,000).]
[Chart residue: "Site ranking based on number of hosted exploit URLs" (x axis 0 to 400, y axis 0 to 70); labelled site categories: Video game cheats, Celebrities, Song lyrics; annotation "#3 in previous chart".]
$497 per employee ($354 operations, $143 capital)
Even worse for smaller agencies - as much as $650
No economies of scale
SLG spends ~10x Federal and most of private sector
Lack of centralized strategy / tools
Getting worse: Federal trending down from CY05, SLG trending up
Various new state infosec laws may be impacting costs but still serious issue
[Chart residue: values 263M, 75M, 9.7M, 332M, 135, 121, 578; axis labels not recoverable.]
Microsoft Security Strategy Overview
Threat and Vulnerability Mitigation:
Client Protection – Protect PCs & devices from malicious software
Server Protection – Protect servers from malicious software
Network Protection – Protect network from malicious software & inappropriate access
Identity and Access Management – Allow legitimate users secure access to machines, applications and data
System Integrity – Make systems inherently safer and more secure
Security Development Lifecycle
Security Response Center
Better Updates And Tools
The underlying DLL (NTDLL.DLL) not vulnerable – code made more conservative during Security Push
Even if it was vulnerable – IIS 6.0 not running by default on Windows Server 2003
Even if it was running – IIS 6.0 doesn’t have WebDAV enabled by default
Even if it did have WebDAV enabled – maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
Even if the buffer was large enough – process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Even if there was an exploitable buffer overrun – would have occurred in w3wp.exe, which is now running as ‘network service’
[Chart residue: security bulletin counts before and after the Trustworthy Computing (TwC) release, * as of February 14, 2006. Series: "Bulletins in period prior to release" vs "Bulletins since TwC release"; bar values as extracted: 89, 50, 11, 16, 3, 7. Labels: SQL Server 2000 SP3 (Service Pack 3) released 1/17/2003; products released 11/29/2000 and 09/28/2003 compared 1027 days after product release; products released 05/31/2001 and 11/17/2003 compared 820 days after product release.]
How We Tested WMF Patch
415 apps (ms & third party)
6 supported versions of the O/S in 23 languages
15k print variations, 2800 print pages verified
2000 wmf’s analyzed, 125 malicious wmf’s tested
12k images verified for regressions
22,000 hours of stress testing
450k total test cases
Informed & Prepared Customers
Consistent & Superior Update Experience
Superior Patch Quality
Best Patch & Update Management Solutions
Better security bulletins and KB articles
IT SHOWCASE: How Microsoft IT Does Patch Management
Standardized patch and update terminology
Moved from 8 installers to 2 (update.exe and MSI)
Standardized patch naming and switch options
Improved patch testing process and coverage
Expanded test process to include customers
Reduced reboots by 10%, targeting 50% in Vista
Microsoft Update
WSUS
SMS 2003
Determine How Patches Will Affect Critical Apps
[Diagram residue: three parties – Microsoft, Customer, Administrator. Flows: Download update profiles; Upload application profiles; Enter data & get reports.]
“You can only manage what you can measure”
…and you can only secure what you can manage (and find )
Decentralization may be a reality but it’s not a best practice
Set policy
Active Directory
Central policy, local defense
Delegate back business-specific policy control
Audit policy
Turning it on AFTER the incident much less useful
Don’t wait for the incident to look at the logs
Standardize builds, supported applications
Enterprise assets are not toys
Vista will make this easier, possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
• Patching is no longer strategic
• Moving from security to operations like backups
• New threats require new models
• Internal network is NOT trusted
• Medieval castle model is the only response
• Automated attacks require automated defenses
Allow only legitimate users secure, policy-based access to machines, applications and data
Trustworthy Identity – Directory Services, Lifecycle Management: ensure users are who they claim
Access Policy Management – Role-based Access Control, Group Policy Management: provide access based on policy
Information Protection – Rights Management Services
Services lifecycle
Consolidate to fewer identity stores
Leverage metadirectories to simplify sign on, automate/standardize identity business rules
Leverage globally relevant attributes across all applications
Place non-globally relevant attributes in app-coupled LDAP stores
Leverage federation to use your credentials on business partner networks
The internal network is NOT trusted
Central policy, local defense
Windows firewall
Active Directory group policy
Phishing filters
Encrypting file system
IPSec logical segmentation
Helps protect the system from attacks from the network
Enables more secure Email and Instant Messaging experience
Enables more secure Internet experience for most common Internet tasks
Provides system-level protection for the base operating system
Social Engineering Protections
Phishing Filter and Colored Address Bar
Dangerous Settings Notification
Secure defaults for all settings
Protection from Exploits
Protected Mode to prevent malicious software
Code quality improvements
ActiveX Opt-in
Application Compatibility Toolkit V5.0
Analyze your portfolio of Applications, Web Sites, and Computers
Evaluate operating system deployments or impact of operating system updates
Rationalize and Organize by Applications, Web Sites, and Computers
Prioritize compatibility efforts with filtered reporting
Add and manage issues and solutions for your personal computing environment
Deploy automated mitigations to known compatibility issues
Send/Receive compatibility information to Online Compatibility Exchange
[Feature matrix residue: which feature applies to which product was lost in extraction.]
For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare
For businesses: Microsoft Client Protection
Feature rows: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT Infrastructure Integration
Windows Disk Protection
Prevent unapproved changes to the Windows partition
Allow critical updates and antivirus updates
Profile Manager
Create “persistent” user profiles on unprotected partitions
Delete locked user profiles
User Restrictions
Restrict untrusted users from files and settings
Lock user profiles for protection and privacy
Accessibility
Accessibility settings & utilities when restricted
Quick access for repeat use
Getting Started
• Use and learn about the Toolkit
• Quick access toolbar
Tools are scriptable. Additional command-line tools included.
Comprehensive Help and Handbook with supplemental security guidance.
Next Generation Security and Compliance
Fundamentals – Engineered for the future: Security Development Lifecycle, Threat Modeling, Code Scanning, Service Hardening
Threat & Vulnerability Mitigation – Protect against malware and intrusions: Code Integrity, IE Protected Mode, Windows Defender, IPSEC/Firewall integration, Network Access Protection
Identity & Access Control – Enable secure access to information: User Account Control, Plug and Play Smartcards, Granular auditing, Simplified Logon architecture
Information Protection: BitLocker Drive Encryption, EFS Smartcard key storage, RMS client, Control over removable device installation, XPS Document + WPF APIs
Simple user abstraction
Manage compartmentalized versions of your identity
Strong computer generated keys instead of human generated passwords
Relates to familiar models
Gov’t ID card, driver’s license, credit card, membership card, …
Flexible issuance
Self-issued – eBay, Amazon
Issued by external authority – Visa, Government
Implemented as secure subsystem
Protected UI, anti-spoofing techniques, encrypted storage
Built on WS-Federation web standards
Security Configuration Wizard
Windows Server 2003 SP1
Security lockdown tool for Windows Server 2003
Roles-based paradigm
Focused on Attack Surface Reduction
Disables unnecessary services
Disables unnecessary web extensions
Blocks unnecessary ports
Configures audit SACLs
Operational infrastructure
Client-Server deployment infrastructure
Support for Group Policybased deployment
Compliance Analysis
Rollback support
Threat & Vulnerability Mitigation Highlights
Unique multi-engine approach for faster detection and broader protection
Integrated virus and spam protection
Integrated Microsoft AV engine
RTM in Q2 2006
Longhorn Server (2007)
Policy Validation
Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy.”
Network Restriction
Restricts network access to computers based on their health.
Remediation
Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.
Ongoing Compliance
Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.
[NAP flow diagram, flattened. Components: Client; Network Access Device (DHCP, VPN); IAS Policy Server; System Health Servers; Remediation Servers; Corporate Network; Restricted Network.]
1. Client to Network Access Device: “May I have access?” – the device requests the client’s health status and forwards it.
2. Network Access Device to IAS Policy Server: “Should this client be restricted based on its health?”
3. System Health Servers to IAS Policy Server: ongoing policy updates.
4. Unhealthy client: “You are given restricted access until fix-up.” Client to Remediation Servers: “Can I have updates?” – “Here you go.”
5. Healthy (or remediated) client: “Client is granted access to full intranet.”
Enforcement              Healthy Client                         Unhealthy Client
DHCP                     Full IP address given, full access     Restricted set of routes
VPN (MS and 3rd Party)   Full access                            Restricted VLAN
802.1X                   Full access                            Restricted VLAN
IPsec                    Can communicate with any trusted peer  Healthy peers reject connection requests from unhealthy systems
Complements layer 2 protection
Works with existing servers and infrastructure
Flexible isolation
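The four NAP steps on these slides (policy validation, network restriction, remediation, ongoing compliance) and the enforcement table above are easier to reason about as one cycle. The following is an added example, not Microsoft's NAP implementation: the health checks, patch identifiers (KB-EXAMPLE-1, KB-EXAMPLE-2) and policy values are constructed for illustration; only the per-enforcement restrictions are taken from the slide's table.

```python
"""Toy model of the NAP cycle: policy validation -> network restriction ->
remediation -> ongoing compliance.  Added example, not Microsoft code; all
health checks, patch IDs and policy values are constructed."""
from dataclasses import dataclass, field, replace

# What each enforcement method gives an unhealthy client (from the slide's table).
RESTRICTION = {
    "DHCP": "restricted set of routes",
    "VPN": "restricted VLAN",
    "802.1X": "restricted VLAN",
    "IPsec": "healthy peers reject connection requests",
}


@dataclass(frozen=True)
class StatementOfHealth:
    """Client-reported state that the policy server evaluates (constructed fields)."""
    firewall_enabled: bool
    av_signature_age_days: int
    installed_patches: frozenset = frozenset()


@dataclass
class HealthPolicy:
    """Policy as held on the IAS Policy Server (constructed values)."""
    require_firewall: bool = True
    max_av_signature_age_days: int = 7
    required_patches: set = field(default_factory=lambda: {"KB-EXAMPLE-1"})


def validate(soh, policy):
    """Policy validation: list of failed checks; an empty list means 'healthy'."""
    failures = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    if soh.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append("antivirus signatures older than %d days"
                        % policy.max_av_signature_age_days)
    missing = sorted(policy.required_patches - set(soh.installed_patches))
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    return failures


def decide(soh, policy, enforcement):
    """Network restriction: full access for a healthy client, otherwise the
    enforcement method's restriction plus the reasons, so the client can fix up."""
    failures = validate(soh, policy)
    if not failures:
        return "full access", []
    return RESTRICTION[enforcement], failures


def remediate(soh, policy):
    """Remediation: what the remediation servers in the restricted network supply.
    Returns a new statement of health with every policy gap closed."""
    return replace(
        soh,
        firewall_enabled=soh.firewall_enabled or policy.require_firewall,
        av_signature_age_days=0,
        installed_patches=frozenset(soh.installed_patches) | frozenset(policy.required_patches),
    )


def access_cycle(soh, policy, enforcement):
    """Run one client through the cycle; returns the access granted at each stage:
    initial decision, after remediation, and after the policy changes underneath it."""
    first, reasons = decide(soh, policy, enforcement)
    if reasons:
        soh = remediate(soh, policy)
    second, _ = decide(soh, policy, enforcement)
    # Ongoing compliance: a new patch becomes required, so the admitted client
    # is re-evaluated and drops back into the restricted network.
    policy.required_patches.add("KB-EXAMPLE-2")
    third, _ = decide(soh, policy, enforcement)
    return [first, second, third]


if __name__ == "__main__":
    laptop = StatementOfHealth(firewall_enabled=False, av_signature_age_days=12)
    print(access_cycle(laptop, HealthPolicy(), "DHCP"))
    # → ['restricted set of routes', 'full access', 'restricted set of routes']
```

The third stage is the point the slide makes under "Ongoing Compliance": admission is not a one-time gate, and a policy change on the IAS side is enough to move an already-connected client back behind the enforcement point.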
Health Modeling
Health Policy Zoning
IAS (RADIUS) Deployment
Zone Enforcement Selection
Exemption Analysis
Change Process Control
Rollout VPN solution to test health policy
Rollout IPSec segmentation to test wired enforcement
Frontbridge hosted services for antivirus and anti-spam filtering (for businesses)
Windows Live OneCare (for consumers)
Next generation of services
ISA Server 2004
Sybari Antigen antispam and anti-virus for Email, IM and SharePoint
Windows XP SP2
Windows Server 2003 SP1
Anti-malware tools
Microsoft Update
Windows Server Update Services
Microsoft Client Protection
Microsoft Antigen Anti-virus and Anti-spam for messaging and collaboration servers
ISA Server 2006
Content filtering services
Next generation of security products
Windows AntiSpyware
Windows Vista: Firewall, Services Hardening, Network Access Protection, IPSec Enhancements, Audit Collection Services
Defense in depth is and has always been the only effective strategy
Enterprise patch management will free us for more strategic work
Application Compatibility Toolkit 5.0 beta sign up http://connect.microsoft.com/
Network Access Protection http://www.microsoft.com/nap
Microsoft Baseline Security Analyzer (MBSA) http://www.microsoft.com/mbsa
Windows Server Update Services (WSUS) http://www.microsoft.com/wsus
IE 7 http://www.microsoft.com/windows/ie/default.mspx
Client Protection http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
Vista security http://www.microsoft.com/technet/windowsvista/security/default.mspx
Security Configuration Wizard http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
MICROSOFT
Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/enus/dnsecure/html/sdl.asp
Security Guidance Centers http://www.microsoft.com/security/guidance
Security Online Training https://www.microsoftelearning.com/security/
XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2
Microsoft IT Security Showcase http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
Security Newsletter http://www.microsoft.com/technet/security/secnews/default.mspx
Security Events and Webcasts http://www.microsoft.com/seminar/events/security.mspx
Security Notifications via e-mail http://www.microsoft.com/technet/security/bulletin/notify.mspx
MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
Security Bulletin Search Page http://www.microsoft.com/technet/security/current.aspx
Security Bulletin Webcast http://www.microsoft.com/technet/security/bulletin/summary.mspx
Writing Secure Code, 2nd edition http://www.microsoft.com/mspress/books/5957.asp
Building and Configuring More Secure Web Sites http://msdn.microsoft.com/library/enus/dnnetsec/html/openhack.asp
Windows XP Security Guide, includes SP2 http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
Security Risk Management Guide http://go.microsoft.com/fwlink/?LinkId=30794
Windows NT 4.0 and Windows 98 Threat Mitigation Guide http://go.microsoft.com/fwlink/?linkid=32048
Microsoft Identity and Access Management Series http://go.microsoft.com/fwlink/?LinkId=14841
OTHER
FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN
Age (days)   Name                            Server                  MaxSize
02.00        nubela.net                      dns.nubela.net          10725
10.94        winnt.bigmoney.biz (randex)     winnt.bigmoney.biz      2393
09.66        PS 7835 - y.eliteirc.co.uk      y.eliteirc.co.uk        2061
09.13        y.stefanjagger.co.uk (#y)       y.stefanjagger.co.uk    1832
03.10        ganjahaze.com                   ganjahaze.com           1507
01.04        PS 8049 - 1.j00g0t0wn3d.net     1.j00g0t0wn3d.net       3689
10.93        pub.isonert.net                 pub.isonert.net         537
08.07        irc.brokenirc.net               irc.brokenirc.net       649
01.02        PS 8048 - grabit.zapto.org      grabit.zapto.org        62
10.34        dark.naksha.net                 dark.naksha.net         UNK
08.96        PS 7865 - lsd.25u.com           lsd.25u.com             UNK
UNK          PS ? - 69.64.38.221             69.64.38.221            UNK
As of 6 March 2006:
Tracking 13053 bot-nets of which 8524 are active
Average size is 85,000 computers
Reduce size of high risk layers
[Diagram residue: layered picture of Kernel Drivers, User-mode Drivers and Services (A, B, 1, 2, 3, …) with "D" markers; layout not recoverable.]
Vista Service Changes – services common to both platforms
Windows XP SP2:
LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
Network Service: DNS Client
Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry
Vista client, account and restriction buckets: LocalSystem (Firewall Restricted); LocalSystem (Demand started); Network Service (Fully Restricted); Network Service (Network Restricted); Local Service (No Network Access); Network Service; Local Service; Local Service (Fully Restricted)
[Table residue: the Vista column regroups the services into the buckets above, but the bucket boundaries were lost in extraction. Order as extracted: Removable Storage, WMI Perf Adapter, Automatic updates, BITS, DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, TrkWks, Cryptographic Services, Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, WMI, App Management, Secondary Logon, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA, Rasauto, Themes, COM+ Event System, Error Reporting, Event Log, Workstation, Remote registry.]
Combined firewall and IPsec management
New management tools – Windows Firewall with Advanced Security MMC snap-in
Reduces conflicts and coordination overhead between technologies
Firewall rules become more intelligent
Specify security requirements such as authentication and encryption
Specify Active Directory computer or user groups
Outbound filtering
Enterprise management feature – not for consumers
Simplified protection policy reduces management overhead
Previously known as “LUA”
Users will logon as non-administrator by default
Protects the system from the user
Enables the system to protect the user
Consent UI allows elevation to administrator
Applications and administrator tools should be UAP aware
Differentiate capabilities based on UAP
Apply correct security checks to product features
Start testing your software against Vista now!
BitLocker
Designed specifically to prevent malicious users from breaking Windows file and system protections
Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
A Trusted Platform Module (TPM) or USB flash drive is used for key storage
Trusted Platform Module (TPM)
Smartcard-like module on system motherboard
Helps protect secrets
Performs cryptographic functions
Can create, store and manage keys
Performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys and credentials
Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
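The "holds platform measurements" and "anchors chain of trust" bullets describe one mechanism: each boot component is hashed into a Platform Configuration Register (PCR) with TPM_Extend, and a key sealed to the expected PCR value is released only when the same components load in the same order. The following is an added example, not Microsoft's BitLocker code or TCG reference code: the extend rule (SHA-1, 20-byte PCRs) is the TPM 1.2 one, while the boot components, the "storage root key" bytes and the secret are constructed, and the seal/unseal functions are a software stand-in for what the chip does internally.

```python
"""Added example: a TPM 1.2-style measurement chain and PCR-bound sealing.
Not Microsoft or TCG code.  Boot components, root key and secret are constructed;
seal()/unseal() stand in for the TPM's internal TPM_Seal/TPM_Unseal."""
import hashlib
import hmac

PCR_BYTES = 20                    # TPM 1.2 PCRs are SHA-1 sized
PCR_RESET = b"\x00" * PCR_BYTES   # PCR contents after power-on

# Constructed boot chain in load order; a real chain holds firmware, boot
# manager and OS loader images.
KNOWN_GOOD_BOOT = [
    b"firmware image (constructed)",
    b"boot manager image (constructed)",
    b"os loader image (constructed)",
]


def extend(pcr, measurement):
    """TPM_Extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement)).
    The register can only be extended, never set, so order matters."""
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()


def measure_boot(components):
    """Measure every component into one PCR, in load order, starting from reset."""
    pcr = PCR_RESET
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _key_for(storage_root_key, pcr):
    # Key derived from the TPM-resident root key and the PCR value it is bound to.
    return hmac.new(storage_root_key, pcr, hashlib.sha256).digest()


def seal(secret, expected_pcr, storage_root_key):
    """Bind a secret (up to 32 bytes) to a PCR value.  Stand-in for TPM_Seal:
    encrypt under a key derived from the root key and the expected PCR, and
    authenticate the result so a wrong key is detected rather than decrypted."""
    if len(secret) > 32:
        raise ValueError("toy sealing handles at most 32 bytes")
    key = _key_for(storage_root_key, expected_pcr)
    keystream = hashlib.sha256(key + b"keystream").digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"expected_pcr": expected_pcr, "ciphertext": ciphertext, "tag": tag}


def unseal(blob, current_pcr, storage_root_key):
    """Release the secret only when the current PCR equals the sealed one and the
    root key matches; returns None otherwise, as the TPM refuses to unseal."""
    if not hmac.compare_digest(current_pcr, blob["expected_pcr"]):
        return None
    key = _key_for(storage_root_key, current_pcr)
    expected_tag = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    keystream = hashlib.sha256(key + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream))


def boot_and_unseal(components, blob, storage_root_key):
    """Simulate a boot: measure the given components, then try to unseal."""
    return unseal(blob, measure_boot(components), storage_root_key)


if __name__ == "__main__":
    srk = b"storage root key (constructed)"
    blob = seal(b"volume master key", measure_boot(KNOWN_GOOD_BOOT), srk)
    print(boot_and_unseal(KNOWN_GOOD_BOOT, blob, srk))   # b'volume master key'
    tampered = [KNOWN_GOOD_BOOT[0], b"modified boot manager", KNOWN_GOOD_BOOT[2]]
    print(boot_and_unseal(tampered, blob, srk))          # None
```

Two properties carry the defensive argument: a changed or reordered component yields a different PCR, so the sealed key stays locked when the platform boots "a different or exploiting operating system", and the root key never leaves the module, so copying the sealed blob to another machine does not help either.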