




Microsoft Security Strategy
Steven Adler, Product Manager, Microsoft EMEA

Session Agenda
- Focus on Customer Challenges
- Microsoft Security Strategy
- Secure Windows Initiative
- Strategic Technology Protection Program
- Trustworthy Computing
- Building the secure platform
- .NET Framework
- Windows .NET
- Summary
- Questions

Technology, Process, People: What are the challenges?
- Technology
  - Products lack security features
  - Products have bugs
  - Insufficient technical standards
  - Difficult to stay up-to-date
- Process
  - Design for security
  - Roles & responsibilities
  - Vigilance
  - Business continuity plans
  - Stay up-to-date with security development
- People
  - Problem recognition
  - Skills shortage
  - Human error

Microsoft Security Strategy

Secure Windows Initiative: "Engineering For Security"
Goal: Eliminate Every Security Vulnerability Before The Product Ships
- People
- Process
- Technology

Industry Yardstick
Source: Security Focus

Secure Windows Initiative
- People
  - Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products
- Process
  - Make security a critical factor in design, coding and testing of every product Microsoft builds
  - Cross-group design & code reviews
  - Security Threat Analysis part of every design spec
  - Red Team testing and code reviews
  - Focus not confined to buffer overruns
  - Security bug feedback loop & code sign-off requirements
  - External reviews and testing by consultants and public
- Technology
  - Build tools to automate everything possible in the quest to code the most secure products
  - Prefix and Prefast for buffer overrun detection
  - Updated as new vulnerabilities found
  - Visual C++ 7.0 compiler improvements
  - Domain-specific tools (i.e. RPC security stress)

Secure Windows Initiative: External Security Review
- FIPS 140-1 evaluation of Cryptographic Service Provider (CSP): Completed
  - Government validation of base crypto algorithms in Windows
- Common Criteria evaluation: In Preparation
  - Evaluation of Windows source code against International security criteria for evaluating
- Third party expert review of key components
- Source code licensed to over 80 universities, labs, and government agencies

Strategic Technology Protection Program
Goal: Help customers secure their Windows Systems
- People
- Process
- Technology

Strategic Technology Protection Program - Customers Need Our Help
- I didn't know which patches I needed
- I didn't know where to find the updates
- I didn't know which machines to update
- We updated our production servers, but the rogue servers got infected
More than 50% of the customers affected by Code Red were not patched in time for Nimda

STPP: "Get Secure"
- Coming - Enterprise Security Tools
  - Microsoft Baseline Security Analyzer
  - SMS security patch rollout tool
  - Windows Update Auto-update client
- Now - Microsoft Security Toolkit
  - Server oriented security resources. New server security tools and updates, Windows Update bootstrap client for Windows 2000
- Now - Security Assessment Program Offering
  - Available immediately through MCS/PSS
- Now - Free Virus Support Hotline
  - Contact your local PSS office

Get Secure: Microsoft Security Toolkit
- Gets Windows NT and 2000 systems to secure baseline, even disconnected net
- Automates server updates
  - One-button wizard and SMS Scripts
- Updates and Patches
  - Includes all Service Packs and critical OS and IIS patches through 10/15
- HFNetchk: patch level verifier
- IIS Lockdown & URLScan

STPP: "Stay Secure"
- Ongoing - Enhanced Product Security
  - Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
- Spring 2002 - Federated Corporate Windows Update Program
  - Allows enterprise to host and select Windows Update content
- Spring 2002 - Windows 2000 Service Pack (SP3)
  - Provide ability to install SP3 + security rollup with a single reboot
- Jan. 2002 - Windows 2000 Security Rollup Patches
  - Bundle all security fixes in single patches
  - Reduces reboots and administrator burden

Corporate Update Server Solution
- Automatic Update (AU) client
  - Automatically download and install critical updates
  - Security patches, high impact bug fixes and new drivers when no driver is installed for a device
  - Checks Windows Update service or Corporate Update server once a day
  - New! Install at schedule time after automatic downloads
  - Administrator control of configuration via registry-based policy
  - Support for Windows .NET Server, Windows XP and Windows 2000
- Update server
  - Corporate hosted WU server to support download and install of critical updates through AU client
  - Server synchronizes with the public Windows Update service
  - Simple administrative model via IE
  - Updates are not made available to clients until the administrator approves them
  - Runs on Windows .NET Server and Windows 2000 Server

Trustworthy Computing
Goal: Make devices powered by computers and software as trustworthy as devices powered by electricity.

A Trust Taxonomy
- Goals
  - Availability: At advertised levels
  - Suitability: Features fit function
  - Integrity: Against data loss or alteration
  - Privacy: Access authorized by end-user
  - Reputation: System and provider brand
- Means
  - Security: Resists unauthorized access
  - Quality: Performance criteria
  - Dev Practices: Methods, philosophy
  - Operations: Guidelines and benchmarks
  - Business Practices: Business model
  - Policies: Laws, regulations, standards, norms
- Execution
  - Intent: Management assertions
  - Risks: What undermines intent, causes liability
  - Implementation: Steps to deliver intent
  - Evidence: Audit mechanisms

Building the secure platform
Goal: Provide IT with a secure, integrated foundation for managing how users, business, and technologies connect.
Security in depth
- Infrastructure (PKI, Directory)
- Network (IPSec, Wireless, VPN)
- Device (PDA, Laptops, PCs, Servers)
- Application
- Management

Typical Application Architecture
[Diagram: Users, Front End, Back End; Authentication, Network Access, Authorization, Audit, Alerts]

Secure Network Access
[Diagram: Users, Front End, Back End; Authentication, Network Access, Authorization, Audit, Alerts]
- Network Access: Firewall, VPN, Wireless, IPSEC

Flexible Authentication
[Diagram: Users, Front End, Back End; Authentication, Network Access, Authorization, Audit, Alerts]
- Authentication: Basic, HTTP Digest, Kerberos, Certificates, Smartcards

Rich Access Controls
[Diagram: Users, Front End, Back End; Authentication, Network Access, Authorization, Audit, Alerts]
- Authorization: Access Control Lists, Roles

Front End, Sys