Securing the IT Environment at Microsoft
Transcript of Securing the IT Environment at Microsoft
-
8/14/2019 Securing the IT Environment at Microsoft
Securing the IT Environment at Microsoft
Enterprise security compliance management
Published: June 2004
-
Solution Overview
Situation: Need for a process to help enforce security compliance to a minimum set of security standards
Solution: Develop a security policy and enforce compliance
Benefits:
  Reduced exposure to exploits of vulnerabilities
  Proactive approach to securing the network
  More complete closing of security vulnerabilities
-
Products and Technologies
SMS 2003 Advanced Client
Windows Update Service/Software Update Services
MBSA 1.2
Logon Scripts
Custom Tools
SQL Server Database, Windows SharePoint Services, Microsoft Office
-
Microsoft IT Compliance Challenges
Need for multiple layers of security, not just perimeter defenses
Timeliness of security updates
Specific considerations of the Microsoft corporate network environment
Awareness of the number of computers and whether updates are installed
Quick reaction to new exploits
-
Security Compliance Management Strategy
[Diagram] Decision support system guided by a security strategy
People (Key Contributors): Corporate Security; Executive Sponsor; Data Center Operations / Labs; Business Unit Applications; Desktop / Laptop Services
Technology: SMS; Windows Update Services; Custom Tools; Logon Scripts; MBSA; SQL Server / Office Apps
Process: Discovery and Assessment; Compliance Evaluation; Test; Deploy; Enforce
-
Compliance Competency Pyramid
Manage: Drive system configuration to standard
Enforce: Remove from network/force patch
Assess State: Check configuration vs. policy, check for vulnerabilities
Create Policy: Define expected behavior, communicate to employees
Assess Risk: Identify threats, quantify, qualify; define actions, set priorities
Enumerate: Identify network environment, physical and logical
Executive Sponsorship: Security is a business priority
-
Obtain Executive Support
Place network security higher than convenience for any individual
Achieve companywide agreement on process and consequences of security compliance management
-
Enumerate and Identify the Network Environment
At a physical level, enumerate all devices and inventory operating systems and applications
At a logical level, examine namespaces and trust relationships
-
Assess Risks in the Network Environment
Base a security approach on the unique needs of the enterprise
Assess the risk levels of specific vulnerabilities
-
Assess Risks in the Network Environment
Create a risk model that evaluates a vulnerability's risk level against:
  Size of corporate installed base and network architecture
  Severity of vulnerability
  Availability of exploit code
-
Assess Risks in the Network Environment
Determine the approach to risk mitigation
Identify technologies and environments
-
Create a Policy
Establish a baseline configuration
Discover and track new vulnerabilities
-
Create a Policy
Define a process for managing vulnerabilities
[Diagram] Vulnerability identified, followed by six numbered steps:
  1. Assess and track risk related to vulnerability
  2. If risk is high or critical, update policy and notify clients
  3. Develop scanning criteria to detect security compliance
  4. Scan the network for compliance to security policy
  5. Enforce compliance after grace period
  6. Measure and report results of compliance monitoring
-
Create a Policy
Develop a library of the risk-related vulnerabilities
Define measurable tolerance metrics for each vulnerability
-
Create a Policy
Set timelines for critical and non-critical priorities
Communicate the policy and update notices via centralized information
-
Assess the State of Compliance
Develop a scan library
Evaluate compliance through scanning
-
Assess the State of Compliance
Evaluate compliance through scanning
  Support aggregation of devices into logical groups
  Scan for security vulnerabilities and misconfigurations
-
Assess the State of Compliance
Evaluate compliance through scanning
  Support all network environments and configurations
-
Assess the State of Compliance
Evaluate compliance through scanning
  Prioritize vulnerabilities and identify targets for compliance and remediation
  Support all historical vulnerabilities
Document your actions
-
Enforce Compliance to the Security Policy
Levels of enforcement:
  E-mail
  Escalation
  Force-patching
  Port shutdowns
-
Measure and Report Security Compliance
Reporting and analysis tools
Compliance measurement and reporting
  Compare scanned vulnerabilities and misconfigurations with prescribed tolerance levels
  Provide executive, operational, and environment-specific reporting
  Provide operational messaging and communication
-
Measure and Report Security Compliance
Auditing
  Audit known environments by IP range
  Audit IP ranges not belonging to a Microsoft environment
  Audit devices without prior identification or enumeration
-
Summary
Pre-defined process for managing vulnerabilities
Centralized information and management
Complex system for managing compliance
-
For More Information
Microsoft SMS Web page
Deployment and operations of SMS
Patch management and network security
  SMS and patch-related information from MSM
-
For More Information
Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
-
This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
SUMMARY. Microsoft, Active Directory, Visio, Windows, Windows Server, and Xbox are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein
may be the trademarks of their respective owners.