微软蓝灰风格模板PPT课件

MicrosoftSecurityStrategy,StevenAdlerProductManagerMicrosoftEMEA,SessionAgenda,FocusonCustomerChallengesMicrosoftSecurityStrategySecureWindowsInitiativeStrategicTechnologyProtectionProgramTrustworthyComputingBuildingthesecureplatform.NETFrameworkWindows.NETSummaryQuestions,Technology,Process,PeopleWhatarethechallenges?,ProductslacksecurityfeaturesProductshavebugsInsufficienttechnicalstandardsDifficulttostayup-to-date,DesignforsecurityRoles&responsibilitiesVigilanceBusinesscontinuityplansStayup-to-datewithsecuritydevelopment,ProblemrecognitionSkillsshortageHumanerror,MicrosoftSecurityStrategy,SecureWindowsInitiative“EngineeringForSecurity”,Goal:EliminateEverySecurityVulnerabilityBeforeTheProductShips,People,Process,Technology,IndustryYardstick,Source:SecurityFocus,SecureWindowsInitiative,People,Train,andkeepcurrent,everydeveloper,tester,andprogrammanagerinthespecifictechniquesofbuildingsecureproducts,Process,Makesecurityacriticalfactorindesign,codingandtestingofeveryproductMicrosoftbuildsCross-groupdesign&codereviewsSecurityThreatAnalysispartofeverydesignspecRedTeamtestingandcodereviewsFocusnotconfinedtobufferoverrunsSecuritybugfeedbackloop&codesign-offrequirementsExternalreviewsandtestingbyconsultantsandpublic,Technology,BuildtoolstoautomateeverythingpossibleinthequesttocodethemostsecureproductsPrefixandPrefastforbufferoverrundetectionUpdatedasnewvulnerabilitiesfoundVisualC+7.0compilerimprovementsDomain-specifictools(i.e.RPCsecuritystress),SecureWindowsInitiativeExternalSecurityReview,FIPS140-1evaluationofCryptographicServiceProvider(CSP)CompletedGovernmentvalidationofbasecryptoalgorithmsinWindowsCommonCriteriaevaluationInPreparationEvaluationofWindowssourcecodeagainstInternationalsecuritycriteriaforevaluatingThirdpartyexpertreviewofkeycomponentsSourcecodelicensedtoover80universities,labs,andgovernmentagencies,Goal:HelpcustomerssecuretheirWindowsSystems,People,Process,Technology,StrategicTechnologyProtectionProgram,StrategicTechnologyProtectionProgram-CustomersNeedOurHelp,IdidntknowwhichpatchesIneededIdidntknowwheretofindtheupdatesIdidntknowwhichmachinestoupdateWeupdatedourproductionservers,buttherogueserversgotinfected,Morethan50%ofthecustomersaffectedbyCodeRedwerenotpatchedintimeforNimda,STPP:“GetSecure”,Coming-EnterpriseSecurityToolsMicrosoftBaselineSecurityAnalyzerSMSsecuritypatchrollouttoolWindowsUpdateAuto-updateclient,Now-MicrosoftSecurityToolkitServerorientedsecurityresources.Newserversecuritytoolsandupdates,WindowsUpdatebootstrapclientforWindows2000,Now-SecurityAssessmentProgramOfferingAvailableimmediatelythroughMCS/PSS,Now-FreeVirusSupportHotlineContactyourlocalPSSoffice,GetSecureMicrosoftSecurityToolkit,GetsWindowsNTand2000systemstosecurebaseline,evendisconnectednetAutomatesserverupdatesOne-buttonwizardandSMSScriptsUpdatesandPatchesIncludesallServicePacksandcriticalOSandIISpatchesthrough10/15HFNetchk:patchlevelverifierIISLockdown&URLScan,STPP:“StaySecure”,Ongoing-EnhancedProductSecurityProvidegreatersecurityenhancementsinthereleasesofallnewproducts,includingtheWindows.NETServerfamily,Spring2002-FederatedCorporateWindowsUpdateProgramAllowsenterprisetohostandselectWindowsUpdatecontent,Spring2002-Windows2000ServicePack(SP3)ProvideabilitytoinstallSP3+securityrollupwithasinglereboot,Jan.2002-Windows2000SecurityRollupPatchesBundleallsecurityfixesinsinglepatchesReducesrebootsandadministratorburden,CorporateUpdateServerSolution,AutomaticUpdate(AU)clientAutomaticallydownloadandinstallcriticalupdatesSecuritypatches,highimpactbugfixesandnewdriverswhennodriverisinstalledforadeviceChecksWindowsUpdateserviceorCorporateUpdateserveronceadayNew!InstallatscheduletimeafterautomaticdownloadsAdministratorcontrolofconfigurationviaregistry-basedpolicySupportforWindows.NETServer,WindowsXPandWindows2000UpdateserverCorporatehostedWUservertosupportdownloadandinstallofcriticalupdatesthroughAUclientServersynchronizeswiththepublicWindowsUpdateserviceSimpleadministrativemodelviaIEUpdatesarenotmadeavailabletoclientsuntiltheadministratorapprovesthemRunsonWindows.NETServerandWindows2000Server,TrustworthyComputing,Goal:Makedevicespoweredbycomputersandsoftwareastrustworthyasdevicespoweredbyelectricity.,ATrustTaxonomy,AvailabilityAtadvertisedlevelsSuitabilityFeaturesfitfunctionIntegrityAgainstdatalossoralterationPrivacyAccessauthorizedbyend-userReputationSystemandproviderbrand,SecurityResistsunauthorizedaccessQualityPerformancecriteriaDevPracticesMethods,philosophyOperationsGuidelinesandbenchmarksBusinessPracticesBusinessmodelPoliciesLaws,regulations,standards,norms,IntentManagementassertionsRisksWhatunderminesintent,causesliabilityImplementationStepstodeliverintentEvidenceAuditmechanisms,Goals,Means,Execution,Buildingthesecureplatform,Goal:ProvideITwithasecure,integratedfoundationformanaginghowusers,business,andtechnologiesconnect.,Infrastructure(PKI,Directory),Securityindepth,Network(IPSec,Wireless,VPN),Device(PDA,Laptops,PCs,Servers),Application,Management,FrontEnd,TypicalApplicationArchitecture,Users,BackEnd,Authentication,NetworkAccess,Authorization,Audit,Alerts,FrontEnd,SecureNetworkAccess,Users,BackEnd,Authorization,Authentication,NetworkAccess,FirewallVPNWirelessIPSEC,Audit,Alerts,FrontEnd,FlexibleAuthentication,Users,BackEnd,BasicHTTPDigestKerberosCertificatesSmartcards,Authentication,NetworkAccess,Authorization,Audit,Alerts,FrontEnd,RichAccessControls,Users,BackEnd,Authentication,NetworkAccess,Authorization,Audit,Alerts,AccessControlListsRoles,FrontEnd,SystemWideAuditing,Users,BackE