Securing the IT Environment at Microsoft

  • 8/14/2019 Securing the IT Environment at Microsoft

    1/26

    Securing the IT Environment at Microsoft

    Enterprise security compliance management

    Published: June 2004

    Solution Overview

    Situation: Need for a process to help enforce security compliance to a minimum set of security standards

    Solution: Develop a security policy and enforce compliance

    Benefits:

    Reduced exposure to exploits of vulnerabilities

    Proactive approach to securing the network

    More complete closing of security vulnerabilities

    Products and Technologies

    SMS 2003 Advanced Client

    Windows Update Service/Software Update Services

    MBSA 1.2

    Logon Scripts

    Custom Tools

    SQL Server Database, Windows SharePoint Services, Microsoft Office

    Microsoft IT Compliance Challenges

    Need for multiple layers of security, not just perimeter defenses

    Timeliness of security updates

    Specific considerations of the Microsoft corporate network environment

    Awareness of the number of computers and whether updates are installed

    Quick reaction to new exploits

    Security Compliance Management Strategy

    [Diagram: Strategy. Decision support system guided by a security strategy, built on People, Process, and Technology.]

    People (Key Contributors): Corporate Security; Executive Sponsor; Data Center Operations / Labs; Business Unit Applications; Desktop / Laptop Services

    Technology: SMS; Windows Update Services; Custom Tools; Logon Scripts; MBSA; SQL Server / Office Apps

    Process (five numbered steps): Discovery and Assessment; Compliance Evaluation; Test; Deploy; Enforce

    Compliance Competency Pyramid

    [Pyramid diagram, top to base:]

    Manage: Drive system configuration to standard

    Enforce: Remove from network/force patch

    Assess State: Check configuration vs. policy, check for vulnerabilities

    Create Policy: Define expected behavior, communicate to employees

    Assess Risk: Identify threats, quantify, qualify; define actions, set priorities

    Enumerate: Identify network environment, physical and logical

    Executive Sponsorship: Security is a business priority

    Obtain Executive Support

    Place network security higher than convenience for any individual

    Achieve companywide agreement on process and consequences of security compliance management

    Enumerate and Identify the Network Environment

    At a physical level, enumerate all devices and inventory operating systems and applications

    At a logical level, examine namespaces and trust relationships

    Assess Risks in the Network Environment

    Base a security approach on the unique needs of the enterprise

    Assess the risk levels of specific vulnerabilities

    Assess Risks in the Network Environment

    Create a risk model that evaluates a vulnerability's risk level against:

    Size of corporate installed base and network architecture

    Severity of vulnerability

    Availability of exploit code

    Assess Risks in the Network Environment

    Determine the approach to risk mitigation

    Identify technologies and environments

    Create a Policy

    Establish a baseline configuration

    Discover and track new vulnerabilities

    Create a Policy

    Define a process for managing vulnerabilities

    [Flowchart, starting from "Vulnerability identified":]

    1. Assess and track risk related to vulnerability

    2. If risk is high or critical, update policy and notify clients

    3. Develop scanning criteria to detect security compliance

    4. Scan the network for compliance to security policy

    5. Enforce compliance after grace period

    6. Measure and report results of compliance monitoring

    Create a Policy

    Develop a library of the risk-related vulnerabilities

    Define measurable tolerance metrics for each vulnerability

    Create a Policy

    Set timelines for critical and non-critical priorities

    Communicate the policy and update notices via centralized information

    Assess the State of Compliance

    Develop a scan library

    Evaluate compliance through scanning

    Assess the State of Compliance

    Evaluate compliance through scanning

    Support aggregation of devices into logical groups

    Scan for security vulnerabilities and misconfigurations

    Assess the State of Compliance

    Evaluate compliance through scanning

    Support all network environments and configurations

    Assess the State of Compliance

    Evaluate compliance through scanning

    Prioritize vulnerabilities and identify targets for compliance and remediation

    Support all historical vulnerabilities

    Document your actions

    Enforce Compliance to the Security Policy

    Levels of enforcement:

    E-mail

    Escalation

    Force-patching

    Port shutdowns

    Measure and Report Security Compliance

    Reporting and analysis tools

    Compliance measurement and reporting

    Compare scanned vulnerabilities and misconfigurations with prescribed tolerance levels

    Provide executive, operational, and environment-specific reporting

    Provide operational messaging and communication

    Measure and Report Security Compliance

    Auditing

    Audit known environments by IP range

    Audit IP ranges not belonging to a Microsoft environment

    Audit devices without prior identification or enumeration

    Summary

    Pre-defined process for managing vulnerabilities

    Centralized information and management

    Complex system for managing compliance

    For More Information

    Microsoft SMS Web page

    Deployment and operations of SMS

    Patch management and network security

    SMS and patch-related information from MSM

    For More Information

    Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com

    Microsoft TechNet

    http://www.microsoft.com/technet/itshowcase

    Microsoft Case Study Resources

    http://www.microsoft.com/resources/casestudies

    This document is provided for informational purposes only.

    MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

    © 2003 Microsoft Corporation. All rights reserved.

    This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, Visio, Windows, Windows Server, and Xbox are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.