Enhancing Customer Security: Commitment and Progress
Tyler S. Farmer
Sr. Technology Specialist II
Education Solutions
Microsoft Corporation
Agenda
End of Life
Situation
Commitments
Progress
Challenges ahead
Product Lifecycle Guidelines
7 Year Lifecycle
5 years of “Mainstream Support”: no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims, and hotfix support.
2 more years of “Extended Support”: all paid support options, security-related hotfix support (no charge). Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased within 90 days after Mainstream support ends. Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
http://support.microsoft.com/lifecycle
End of Life – NT Server 4.0
Regular support ends Dec. 2004.
Security hotfix support ends Dec. 2004.
Non-security hotfix support ends Dec. 2003.
End of Life – NT Workstation 4.0
Basically ended on June 30, 2003.
Some security patches still coming, probably with NT Server (June 2004).
End of Life – Windows 98
Regular support ended June 30, 2003.
Paid incident support extended to June 30, 2006.
This does not include new security fixes (available through Premier Support).
Microsoft Java Virtual Machine
According to 2001 Settlement w/ Sun, Microsoft is no longer authorized to support Java VM, starting October 2004.
This includes security patches.
Diagnostic tool coming “soon”
http://www.microsoft.com/java
Situation
Process, Guidance, Tools Critical
[Diagram: timeline with the stages Product ship; Vulnerability discovered; Component modified; Patch released; Patch deployed at customer site. Annotations: “Most attacks occur here”; “Why does this gap exist?”]
Exploit Timeline
Days From Patch to Exploit
The average is now nine days for a patch to be reverse-engineered.
As this cycle keeps getting shorter, patching is a less effective defense in large organizations.
[Chart: Days between patch and exploit (patch, exploit code). Worms shown: Blaster, Welchia/Nachi, Nimda, SQL Slammer. Values shown: 151, 180, 331, 25.]
The Forensics of a Virus
July 1: Vulnerability reported to us / Patch in progress
July 16: Bulletin & patch available; no exploit
July 25: Exploit code in public
Aug 11: Worm in the world
Report: Vulnerability in RPC/DCOM reported. MS activated highest level emergency response process.
Bulletin: MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.
Exploit: X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.
Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”).
Blaster shows the complex interplay between security researchers, software companies, and hackers.
Microsoft Commitment
Build software and services that will help better protect our customers and the industry.
Better processes and tools
Guidance and training for our customers
Technology innovation
Trustworthy Computing quality improvements
You’ve Told Us
“I can’t keep up…new patches are released every week”
“The quality of the patching process is low and inconsistent”
“I need to know the right way to run a Microsoft enterprise”
“There are still too many vulnerabilities in your products”
Our Action Items
Provide Guidance and Training
Mitigate Vulnerabilities Without Patches
Continue Improving Quality
Improve the Patching Experience
Improve the Patching Experience: New Patch Policies
Extending support to June 2004: Windows 2000 SP2, Windows NT SP6a
Non-emergency security patches on a monthly release schedule:
Allows for planning a predictable monthly test and deployment cycle
Packaged as individual patches that can be deployed together
Achieves benefits of security rollup with increased flexibility
Patches for emergency issues will still release immediately
Improve the Patching Experience: Patch Enhancements
Your Need | Our Response
Extend patch automation to all products | 11/03: SMS 2003 offers capability to patch all supported Microsoft platforms and applications. By end of 2004, all MS patches behave the same at installation (MSI 3.0 + SUS 2.0) and are available in one place: MS Update
Reduce patch size | Now: Reduced patch size by 35% or more. Will have 80% reduction by 5/04. (Delta patching technology and improved functionality with MSI 3.0)
Reduce patch complexity | By 5/04: Consolidating to 2 patch installers for W2K and higher, Office & Exchange. All patches will behave the same way (SUS 2.0, MSI 3.0)
Reduce risk of patch deployment | Now: Increased internal testing; customer testing of patches pre-release. By 5/04: rollback capability for Windows, SQL, Exchange, Office
Reduce downtime | Now: 10% fewer reboots on W2K and higher. By 5/04: 30% fewer reboots on Win 2003 (starting in SP1). Up to 70% reduction for next server
Available Now
17 prescriptive books
How Microsoft secures Microsoft guidance & tools
Later this year and throughout 2004
More prescriptive & how-to guides
Tools & scripts to automate common tasks
Focused on operating a secure environment
Patterns & practices for defense in depth
Enterprise security checklist – the single place for authoritative security guidance
Security Guidance for IT Pros
Training & Guidance: IT Pros
IT Pros: 500K customers to be trained by the end of 2004
Monthly Webcasts and Seminars
http://www.microsoft.com/seminar/events/security.mspx
New guidance on Microsoft.com
http://www.microsoft.com/guidance
Security Guidance Kit CD
New monthly newsletter
http://www.microsoft.com/technet/security/secnews/newsletter.htm
Proactive communications
Using Virus Information Alliance collective data for better threat response
KB articles outline application security enhancements
Global training with more guidance and best practices for securing systems and infrastructure
Global Education Program
Developer Security Seminars
MSDN Security Center
PDC Symposium
Developer Guidance: patterns and practices
“Building Secure ASP.NET Applications”
“Improving Web Application Security”
Microsoft Press
“Writing Secure Code v 2.0”
Guidance and Training: Developer
Improving Patching Experience: Security Bulletin Severity Rating System
Rating | Definition | Customer Action
Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action | Apply the patch or workaround immediately
Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources | Apply patch or workaround as soon as is feasible
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation | Evaluate bulletin, determine applicability, proceed as appropriate
Low | Exploitation is extremely difficult, or impact is minimal | Consider applying the patch at the next scheduled update interval
Revised November 2002
More information at http://www.microsoft.com/technet/security/policy/rating.asp
Free Security Bulletin Subscription Service
http://www.microsoft.com/technet/security/bulletin/notify.asp
Make corporations & perimeters more resilient to attack, even when patches are not installed
Help stop known & unknown vulnerabilities
Goal: Make 7 out of every 10 patches installable on your schedule
Beyond Patching
Client Attack Vectors: Malicious Web content; Buffer overrun attacks; Port-based attacks; Malicious e-mail attachments
VPN & Internal Enterprise Quarantines: Infected remote client; Infected local client
Continue Improving Quality: Trustworthy Computing Release Process
[Diagram: product phases Design, Development (milestones M1, M2 … Mn, Beta), Release, Support. Deliverables: Design docs & specifications; Development, testing & documentation; Product; Service Packs, QFEs]
Security Review: Each component team develops threat models, ensuring that design blocks applicable threats
Develop & Test: Apply security design & coding standards; Tools to eliminate code flaws (PREfix & PREfast); Monitor & block new attack techniques
Security Push: Team-wide stand down; Threat model updates, code review, test & documentation scrub
Security Audit: Analysis against current threats; Internal & 3rd party penetration testing
Security Response: Fix newly discovered issues; Root cause analysis to proactively find and fix related vulnerabilities
Continue Improving Quality
[Chart: Critical or important vulnerabilities in the first 90 days and the first 150 days, split by “TwC release?” (Yes / No). Values shown: 6, 9, 13, 23. Panel labels: “For some widely-deployed, existing products:”; “Mandatory for all new products:”]
Service Pack 3 (TwC release shipped Jan. 2003, 8 months ago): bulletins since TwC release: 1; bulletins in prior period: 9
Service Pack 3 (TwC release shipped July 2002, 14 months ago): bulletins since TwC release: 0; bulletins in prior period: 5
Improving Quality: Windows Server
[Chart: “Critical” & “Important” Security Bulletins From General Availability. X axis: Days after availability (30 to 270). Y axis: Bulletins (0 to 40). Series: WS2003, Win2000 Server. Values labelled: 36, 6.]
Reduced Attack Surface: Windows Server 2003 disables 20+ Services
Services Disabled by Default
Alerter
ASP.NET State
ClipBook
Distributed Link Tracking Server
Fast User Switching Compat
IMAPI CD-Burning COM Service
Indexing Service
License Logging
Messenger
NET Framework Support Service
NetMeeting Remote Desktop Sharing
Network DDE
Portable Media Serial Number
Remote Access Auto Connection Manager
System Event Notification
Task Scheduler
Telnet
Terminal Services Session Directory
Themes
Upload Manager
Wireless Zero Configuration
Web Client
Windows Audio
IIS is not installed on Windows 2003 Server
Now IF you install IIS…
IIS components | IIS 5.0 clean install | IIS 6.0 clean install
Static file support | enabled | enabled
ASP | enabled | disabled
Server-side includes | enabled | disabled
Internet Data Connector | enabled | disabled
WebDAV | enabled | disabled
Index Server ISAPI | enabled | disabled
Internet Printing ISAPI | enabled | disabled
CGI | enabled | disabled
Frontpage Server Extensions | enabled | disabled
Password Change Functionality | enabled | disabled
SMTP | enabled | disabled
FTP | enabled | disabled
ASP.NET | X | disabled
BITS | X | disabled
Technology
Windows XP SP2
Easier, effective management of PC security that puts the customer in control
Network protection, safer e-mail and Web browsing, memory protection
Beta 1 released on December 19, 2003
Availability: target RTM H1 CY04
New security technologies for Windows XP to make systems more resilient against attack
Preview: Windows XP SP2
Windows Firewall enhancements with more granular control
Technology
Windows Server 2003 SP1
Role-based security configuration
Network client and remote VPN inspection
Availability: RTM H2 CY04
ISA Server 2004
Application Layer Filtering
Simplified management tools
Enhanced user interface
Availability: RTM H1 CY04
Commitment: Update Windows Server 2003 and improve edge protection with technologies that enable a more secure infrastructure
Security for Tomorrow
An Evolving Threat
[Diagram: attacker types (Author, Vandal, Thief, Spy, Trespasser) arranged against two scales: Curiosity, Personal Fame, Personal Gain, National Interest; and Script-Kiddy, Undergraduate, Expert, Specialist. Annotations: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment.]
Security for Tomorrow
Better use of existing technology: RPC over HTTP; Identity management; Secure wireless
Industry involvement: Continuing partnerships; Expanding the Virus Information Alliance; Expanding “Protect Your PC” outreach for consumers
Enforcement: Law enforcement assistance; Reward fund
Ongoing vigilance: Continued internal training and focus on building secure code
Leadership, innovation, partnership
Microsoft’s Commitments
Steve Ballmer’s Speech – Oct. 9, 2003.
http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp
“Security is our #1 Priority”
#1 “We will move to one patching experience by May of next year that works across Windows and all of the application products.”
#2 “Better quality in the patches” and “Rollback capability for all patches.”
#3 “Reduce the size of patches.”
#4 “Cut the # of reboots by 30%”
#5 – Microsoft Update instead of just Windows Update
#6 – Monthly patches (except for critical)
#7 – Starting in December, Technet Security training sessions
#8 – Monthly Webcasts with Mike Nash
#9 – Report on “How Microsoft Secures Microsoft”
#10 – “Patching is critical, but insufficient” – Goal is to make 70% of patches installable on your schedule, not Microsoft’s
These are the quarantine technologies mentioned earlier
#11 – Browser work so Active X controls are “sandboxed”, limit potential damage
#12 – Improve memory protection for buffer overruns
“There is much to do still, much, much, much to do on security. It's a journey.”
Resources
General: http://www.microsoft.com/security
Consumers: http://www.microsoft.com/protect
IT Professionals: http://www.microsoft.com/technet/security
Patch Management: http://www.microsoft.com/technet/security/topics/patch
Best Practices for Defense in Depth: http://www.microsoft.com/security/guidance
How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.