Security

Jason Trump, Education Solutions Specialist

©2005 Microsoft

Date posted: 22-Dec-2015

You’ve Told Us

• “Give us better access control”: Expanded Authentication, Authorisation, Access Control

• “Simplify critical maintenance”: Advanced Updating

• “Reduce impact of malware”: Isolation and Resiliency

• “Provide better guidance”: Security Guidance, Tools, Responsiveness

• “Develop reliable and secure software”: Engineering Excellence

Technology Innovation

• Updating

• Isolation

• Authorisation and access control

• Better protection from Internet-enabled social engineering

Windows XP SP2

Security Guidance and Training

• Security tools: Microsoft Baseline Security Analyzer, Security Bulletin Search Tool

• Guidance and training: Security Guidance Center, E-Learning Clinics

• Community engagement: Newsletters, Webcasts and chats

Updating and Patching

Improvements to Patching

• Reduce Complexity: One update experience

• Reduce Size: Delta updating for 30-80% smaller update packages

• Reduce Risk: Better quality updates; rollback capability for all updates; broader pre-release testing

• Reduce Downtime: 10-30% fewer reboots

• More Information: Scheduled release cycle, wherever possible; security bulletin advanced notification

[Diagram labels: Office Update, Download Center, SUS, SMS, VS Update, Windows Update; coverage captions “Windows only” and “Windows, SQL, Exchange, Office…”]

Windows Server Update Services

• Solution for ‘simple’ update management in organisations
  - Assesses, controls, and automates deployment of Microsoft software updates
  - Administrator experience optimised for ‘IT Generalist’
  - Next version of Software Update Services (SUS) 1.0

• Core update management infrastructure in Windows
  - Enables SMS, MBSA, and other Microsoft and 3rd party software to leverage unified infrastructure
  - Single update analysis engine for supported Microsoft software
  - Data model & deployment infrastructure for update mgmt
  - Client and Server APIs to extend / leverage the infrastructure

• RTW component of Windows Server
  - Free to Windows Server (2000 and above) licensees
  - Requires Windows Server / Core CAL for target systems

Perfect solution for schools and small campuses

WSUS: How It Works

• Administrator subscribes to update categories

• Server downloads updates from Microsoft Update

• Clients register themselves with the server

• Administrator puts clients in different target groups

• Administrator approves updates

• Clients install administrator approved updates

[Diagram labels: Microsoft Update, WSUS Server, WSUS Administrator, Desktop Clients (Target Group 1), Server Clients (Target Group 2)]

Updating Services

Supported Applications (columns: Windows Update, Microsoft Update)

• Windows (2000 SP3+, XP+, WS2003)

• Office (XP & 2003)

• SQL Server 2000, MSDE 2000

• Exchange 2003

• Additional products over time

SUS 1.0 synchronises with Windows Update

WSUS synchronises with Microsoft Update

Both services built on customised version of Windows Server Update Services

Optimised Network Use

• Resilient and transparent
  - BITS* for client-server and server-server downloads
  - Downloads are in the background

• Minimised data downloads
  - Update subscriptions (per product/classification)
  - Support for “delta compression” technologies for client-server communications
  - Option to only download approved updates

*Background Intelligent Transfer Service

WSUS Reporting Features

• Standard consolidated reports (for client activity)
  - Per machine/per update/per target group
  - Download, install success & failures with error information

• Content synchronisation status reports
  - What’s new, what changed

• Aggregate reports for multiple servers
  - Summary event roll-up to parent server

• Event log integration
  - Client and server status events sent to local event log

WSUS Deployment Flexibility

• Server deployment options
  - Updates hosted on Microsoft Update (WSUS server acts as a control point)
  - Hierarchical deployment
  - Independent servers (admin wishes not inherited)

• Manageability (and extensibility)
  - .NET based Server APIs (for admin tasks)
  - COM based Client APIs (with scripting & remoting support)
  - Automatic deployment of updates
  - Command line options to trigger update detection

WSUS: Feedback Requests

Top Features Requested (columns: SUS 1.0 SP1, WSUS)

• Support for service packs

• Install on SBS and domain controller

• Support for Office and other MS products

• Support additional update content types

• Update uninstall

• Update targeting

• Improve support for low bandwidth networks

• Reduce amount of data that needs to be downloaded

• Set polling frequency for downloading new updates

• Minimise need for end user interruption

• Emergency patch deployment (‘big red button’) *

• Deploy update for ISV and custom apps

• NT4 support

*Partially addressed through polling frequency control and scripts

Comparing the Patching Options

Capability | Microsoft Update | WSUS | SMS 2003

Supported Software and Content

Supported Software for Content | Same as Windows Update Services + WinXP Home | Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE | Same as Windows Update Services + NT 4.0 & Win98* + can update any other Windows based software

Supported Content Types for Supported Software | All software updates, critical driver updates, service packs (SPs), and feature packs (FPs) | All software updates, critical driver updates, SPs, & FPs | All updates, SPs, & FPs + supports update & app installs for any Windows based software

Update Management Capabilities

Targeting Content to Systems | N/A | Simple | Advanced

Network Bandwidth Optimisation | Yes | Yes | Yes

Patch Distribution Control | N/A | Simple | Advanced

Patch Installation & Scheduling Flexibility | Manual & end user controlled | Simple | Advanced

Patch Installation Status Reporting | Install errors reported to user | Simple | Advanced

Deployment Planning | N/A | Simple | Advanced

Inventory Management | N/A | No | Yes

Compliance Checking | N/A | No – status reporting only | Advanced

*MBSA does not support scanning Win98 – Win98 can be updated using SMS2003 inventory management and software distribution capabilities

Isolation

Host Isolation

• Windows XP Service Pack 2

• Windows Server 2003 Service Pack 1

• Microsoft Windows AntiSpyware

• Software Restriction Policies

• Future: Network Access Protection

Perimeter Isolation

• ISA Server 2004

• Exchange Server

• Sybari Antigen

[Diagram labels: Lab, Unmanaged guest]

Quarantine Scenarios

• Access From Home

• Student Laptops

• Guests

• Private PCs

Health Checkup: IT checks “health” of client - patch level, AV, other scriptable checks

Network Access Control: Access/No Access

Health Maintenance: Quarantined clients given access to patch

Can’t protect against malicious users

Network Access Protection

The Network Access Protection system provides three distinct functionalities:

• Network Policy Validation – is your system healthy?

• Network Isolation – if you’re not healthy, you’re out!

• Network Policy Compliance – if you’re not healthy, we’ll help you get there.

Quarantine Scenario

Accessing the network

[Diagram labels: Client, DHCP, HCS, IAS, Remediation Server; Quarantine Ring, Boundary Ring, Protected Ring]

• “May I have a DHCP address?” “Here you go.”

• “May I have a health certificate? Here’s my SoH.”

• “Client ok?” “No. Needs fix-up.”

• “You don’t get a health certificate. Go fix up.”

• “I need updates.” “Here you go.”

• “Yes. Issue health certificate.”

• “Here’s your health certificate.”
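
The quarantine exchange above, modelled as an added example; it is not part of the original slides and is not Microsoft's NAP implementation. The HCS, IAS and remediation server roles follow the slide, while the SoH fields, the policy values and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy values; the slides name only "patch level, AV, other scriptable checks".
POLICY = {"min_patch_level": 5, "av_required": True}

@dataclass
class Client:
    name: str
    patch_level: int
    av_enabled: bool
    ring: str = "quarantine"  # a client starts outside the protected ring

    def statement_of_health(self):
        # The SoH is self-reported: it catches unhealthy clients, not dishonest
        # ones (the slides note quarantine can't protect against malicious users).
        return {"patch_level": self.patch_level, "av_enabled": self.av_enabled}

def policy_check(soh):
    """IAS role: validate a SoH against policy and return the failed checks."""
    failures = []
    if soh.get("patch_level", 0) < POLICY["min_patch_level"]:
        failures.append("patch_level")
    if POLICY["av_required"] and not soh.get("av_enabled", False):
        failures.append("av_enabled")
    return failures

def remediate(client, failures):
    """Remediation server role: supply only the fixes that were flagged."""
    if "patch_level" in failures:
        client.patch_level = POLICY["min_patch_level"]
    if "av_enabled" in failures:
        client.av_enabled = True

def request_health_certificate(client, max_attempts=2):
    """HCS role: issue a certificate only after a SoH passes the policy check."""
    log = []
    for _ in range(max_attempts):
        failures = policy_check(client.statement_of_health())
        if not failures:
            client.ring = "protected"
            log.append("issue health certificate")
            return log
        log.append("needs fix-up: " + ", ".join(failures))
        remediate(client, failures)
    # Fixed but not re-validated: remediation alone never grants access.
    log.append("not re-validated: stays quarantined")
    return log
```

With `max_attempts=1` an unhealthy client is remediated but stays in the quarantine ring until it presents a fresh SoH.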

Combating SPAM

Microsoft’s SPAM Approach

• User Education & Enablement: www.microsoft.com/spam

• Industry Associations: Standards and policy

• Govt Partnerships: Strong laws; Enforcement

• Prevention Agents: Attack detection; Sender reputation; Outbound filtering

• Proof: Identity & Evidence: Sender ID; Computational Proofs; Certificates, Digital Signatures; Sender Safelists

• Protection Filters: SmartScreen; At gateway, server and desktop; Update services

[Diagram label: eMail user]

Outlook 2003 Enhancements

• User specified Safe & Blocked Senders lists
  - Safe Senders, Safe Recipients, Blocked Senders
  - Can optionally include Contacts and GAL

• User Lists shared by Outlook 2003 and Exchange 2003 OWA, stored on the server

• Move to junk folder determined by:
  - Exchange 2003 Mailbox Store based on user lists
  - Per message SCL
  - Client Side based on Microsoft SmartScreen Technology

• Block all external content by default (Web beacons)

Intelligent Message Filter

• Leverage SmartScreen Technology

• Extension to Exchange 2003 Server, deployed on Internet Bridgeheads

• Leverages the ISV infrastructure

• Coexistence with 3rd party solutions

• Supports per Message tagging

• Administration via Exchange System Manager Console extension

• Update Service

http://www.microsoft.com/exchange/imf

Exchange and Outlook Measures

[Diagram labels: SMTP Message; Gateway Server Transport; Allow/Deny Lists; Real-Time Block Lists; Recipient & Sender Filtering; Exchange IMF; ISV Solutions; Message + SCL; Mailbox Server Store; Spam?; User Safe & Junk Senders; Inbox; Junk Mail Folder]

SCL = Spam Confidence Level

Securing Wireless Networks

802.11b Security Concerns

• WEP
  - Unique key required across enterprise
  - 802.11b standard is only 40-bit
  - 128-bit is proprietary

• WEP keys are not dynamically changed and therefore vulnerable to attack

• Using a PC-based tool and 802.11b antenna, a 128-bit WEP key can be hacked within two hours, and a 40-bit key within 40 minutes

• Difficult to change or administer

802.11b Security Concerns

• Media Access Control (MAC) address filtering
  - Not scalable
  - Exception list must be administered and propagated to all APs
  - The list may have a size limit
  - MAC address must be associated to a user name
  - User could neglect to report a lost or stolen card
  - User could change the MAC address

The 802.1X Solution

1. Client network access (link layer) is controlled by the AP based on domain user and/or machine account authentication

2. Authentication process is secured via standard Public Key Infrastructure (PKI) protocols available in Windows
   - Extensible authentication protocol over LAN (EAPoL)
   - Transport Layer Security (TLS)
   - Public / private keys, X.509 Certificates

3. Client user and computers negotiate authentication against Internet Authentication Server (IAS).
   - IAS proxies authentication requests to Active Directory and Certificate Authority
   - IAS is the Microsoft implementation of the IETF Remote Authentication Dial-In User Service (RADIUS) standard

4. WEP keys are dynamic
   - They are changed with each new connection session, when roaming, or within a preset time interval

Dealing with Malicious Code

Detect & Remove Spyware

Helps protect Windows users from spyware and other potentially unwanted software

• Global SpyNet™ community helps identify new spyware

• Automatic signature downloads keep you up-to-date

• Spyware removal reduces PC slow down, pop-up ads, and more

• Scheduled scans help maintain PC security and privacy

• Continuous protection guards 50+ ways spyware gets on a PC

• Intelligent alerts handle spyware based on your preferences

Detect & Remove Viruses

• Layered defence strategy

• Integration with infrastructure

• Reduces the window of vulnerability

• Ability to monitor, control and manage how viruses are scanned within the network

• Maximal protection with minimal performance impact

Internet Explorer 7.0

Builds on positive response to IE 6.0 with SP2

Stronger defense against phishing, malware and spyware 

Maintains extensibility and compatibility

Beta version available mid-2005

Strategies and Guidance

Strategy: Defence in Depth

Using a layered approach:

• Increases an attacker’s risk of detection

• Reduces an attacker’s chance of success

Layers:

• Policies, procedures, and awareness: Security policies, procedures, and education

• Physical security: Guards, locks, tracking devices

• Application: Application hardening

• Host: OS hardening, authentication, update management, antivirus updates, auditing

• Internal network: Network segments, IPSec, NIDS

• Perimeter: Firewalls, border routers, VPNs with quarantine procedures

• Data: Strong passwords, ACLs, encryption, EFS, backup and restore strategy

Security Timeline

[Timeline labels: Prior, H2 04, 2005, Future]

• Microsoft Baseline Security Analyzer (MBSA) v1.2; Virus Cleaner Tools; Systems Management Server (SMS) 2003; Software Update Services (SUS) SP1; Internet Security and Acceleration (ISA) Server 2004 Standard Edition; Windows XP Service Pack 2

• Patching Technology Improvements (MSI 3.0); Systems Management Server 2003 SP1; Microsoft Operations Manager 2005; Windows malicious software removal tool

• Windows Server 2003 Service Pack 1; Windows Update Services; ISA Server 2004 Enterprise Edition; Windows Rights Management Services SP1; Windows AntiSpyware; System Center 2005; Windows Server 2003 “R2”; Visual Studio 2005

• Vulnerability Assessment and Remediation; Active Protection Technologies; Antivirus

Further Information

• Microsoft Security Website: http://www.microsoft.com/security

• Windows Server Update Services (WSUS): http://www.microsoft.com/windowsserversystem/updateservices/

• Network Access Protection (Network Quarantine): http://www.microsoft.com/nap

• Security Tools on Technet: http://www.microsoft.com/technet/Security/tools

• Anti-SPAM using Exchange: http://www.microsoft.com/exchange/imf

• How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit

• E-Learning Clinics: https://www.microsoftelearning.com/security

• Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx

• Patch Management: http://www.microsoft.com/technet/security/topics/patchmanagement.mspx

• Anti-Spyware: http://www.microsoft.com/athome/security/spyware/software/default.mspx

• Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/security/tools/mbsahome.mspx