Microsoft Windows Developers
Microsoft Network Security Forensic Investigators & Trainers
Microsoft Security Support
Red Team Members
Delivery Consultants
Intelligence Officers
Corporate Compliance Managers
IR for major networks
Malware Analysts
Law Enforcement Officers
Internet Security Researchers
Service Lines: Application Security; Customized Solutions & Training; Infrastructure Security
10+ Years of Tailored Best Practices and Specialized Intellectual Property
Service Channels: Unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions
Global Delivery: Staffed Locations
US - Redmond (ACE HQ), United States, Canada, Europe, India, China, Australia
Functional Capacity by Specialization:
Application Security: 30
Infrastructure Security: 16
Dedicated PMs: 3
Total: 49
Our Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services
Power: Domain Controllers
Data: Servers and Applications
Access: Users and Workstations
1. Bad guy targets workstations en masse
2. User running as local admin is compromised; bad guy harvests credentials.
3. Bad guy starts the “credentials crabwalk”
4. Bad guy finds a host with domain-privileged credentials, steals them, and elevates privileges
5. Bad guy owns the network and can harvest whatever he wants.
Know What Matters
Effective Workstation and Server Defenses
Protect Key Identities/Roles
Employ The SDL
“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds”
-Attributed to Dean Rusk, US Secretary of State, 1961-1969
What the defender values / What the defender protects / What the attacker wants
Source: http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html
Effective Workstation and Server Defenses
Windows 7: Standard User
Java 6: Ends side-by-side versioning
Office 2010: XML file format; Protected View
Adobe Flash Player 11: SSL Support; Random Number Generator
Adobe Acrobat Reader X: Applied Microsoft SDL; Protected Mode
Internet Explorer 9: SmartScreen Filter; Protected Mode
Adobe SPLC: http://blogs.msdn.com/b/sdl/archive/2009/06/17/microsoft-adobe-protecting-our-customers-together.aspx
Protect Active Directory and Key Identities (Key Identities = Production Domain Admins)
Leverage easy mechanisms:
• Use the privileged account to create additional accounts
• Not just privileged, but VIP “mimicking” accounts
• Accounts with backdoors into other accounts
• Place malware and other binaries on DCs and member servers
• Leverage existing management tools
• Disable SID quarantining and/or selective authentication
• Modify GPOs
• Install backdoors in approved images/packages
Or slightly harder mechanisms:
• sIDHistory manipulation
• Migration APIs
• Debugger attacks
• Disk editors
Mechanisms by which accounts are granted temporary rights and privileges required to perform build or break-fix functions:
• Powerful proxy accounts: not preferable; can potentially be secured using a subset of the Administrator account recommendations
• Defined roles with assigned rights and permissions: better approach
• Combinations of both
• Temporary membership in privileged groups
• Password vaults
• APIs to replace hard-coded passwords
• Session management tools
• Local and service account management tools
For Day-to-Day Functions:
• Define roles
• Roles may have broad privilege (e.g., reset passwords across broad swaths of accounts) or deep privilege (e.g., can activate privileged accounts), but not both
In Build & Break-Fix Scenarios:
• Temporarily populate privileged groups in some cases (e.g., when fixing a member server, grant support staff temporary local Administrators membership)
• Temporarily use built-in privileged accounts
• Consider broad vs. deep
If role privileges are functional equivalents of built-in privileged groups, use time-bound population of groups rather than creating permanent roles with high privilege.
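Time-bound population of a privileged group, as an added example that is not part of the deck: a PowerShell script using the RSAT ActiveDirectory module (Get-ADUser, Add-ADGroupMember, Remove-ADGroupMember) that records each grant with an expiry in a local JSON ledger and revokes expired grants from a scheduled run. The ledger path, the function names and the user, group and ticket values are assumptions.

```powershell
# Added example (not from the deck): time-bound membership in a privileged AD
# group. Requires the RSAT ActiveDirectory module; the ledger path is assumed.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$Ledger = 'C:\ProgramData\PrivAccess\grants.json'   # assumed path

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [int]$Hours = 4,
        [string]$Ticket = 'unspecified'   # change/incident record justifying the grant
    )
    $adUser  = Get-ADUser -Identity $User
    $expires = (Get-Date).AddHours($Hours)
    Add-ADGroupMember -Identity $Group -Members $adUser

    # Record the grant so a scheduled task can revoke it when it expires.
    $grants = @()
    if (Test-Path $Ledger) { $grants = @(Get-Content $Ledger -Raw | ConvertFrom-Json) }
    $grants += [pscustomobject]@{
        User = $adUser.SamAccountName; Group = $Group
        Expires = $expires.ToString('o'); Ticket = $Ticket
    }
    New-Item -ItemType Directory -Path (Split-Path $Ledger) -Force | Out-Null
    ConvertTo-Json -InputObject @($grants) | Set-Content $Ledger
    Write-Host "Granted $($adUser.SamAccountName) -> $Group until $expires (ticket $Ticket)"
}

function Revoke-ExpiredMembership {
    # Run from a scheduled task: remove every grant whose expiry has passed.
    if (-not (Test-Path $Ledger)) { return }
    $grants = @(Get-Content $Ledger -Raw | ConvertFrom-Json)
    $now    = Get-Date
    $keep   = @()
    foreach ($g in $grants) {
        if ([datetime]$g.Expires -le $now) {
            Remove-ADGroupMember -Identity $g.Group -Members $g.User -Confirm:$false
            Write-Host "Revoked $($g.User) from $($g.Group) (ticket $($g.Ticket))"
        } else {
            $keep += $g
        }
    }
    ConvertTo-Json -InputObject @($keep) | Set-Content $Ledger
}

# Usage (assumed names):
# Grant-TemporaryMembership -User 'svc-fix' -Group 'Domain Admins' -Hours 2 -Ticket 'INC-0001'
# Revoke-ExpiredMembership
```

On forests where the Windows Server 2016 Privileged Access Management optional feature is enabled, Add-ADGroupMember -MemberTimeToLive lets the directory expire the membership itself, which removes the dependence on the revocation task running.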
Security Program: Security Architect Led & Program Manager Supported
Infrastructure Security / Application Security
http://northamerica.msteched.com
www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn