Microsoft Security Strategy

Session Agenda
- Focus on Customer Challenges
- Microsoft Security Strategy
  - Secure Windows Initiative
  - Strategic Technology Protection Program
  - Trustworthy Computing
- Building the secure platform
  - .NET Framework
  - Windows .NET
- Summary
- Questions

What are the challenges?
Technology:
- Products lack security features
- Products have bugs
- Insufficient technical standards
- Difficult to stay up-to-date
Process:
- Design for security
- Roles & responsibilities
- Vigilance
- Business continuity plans
- Stay up-to-date with security development
People:
- Problem recognition
- Skills shortage
- Human error

Microsoft Security Strategy: Secure Windows Initiative, "Engineering For Security"
Goal: Eliminate every security vulnerability before the product ships.
(Diagram labels: People, Process, Technology, Industry Yardstick)

Secure Windows Initiative
People:
- Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products
Process:
- Make security a critical factor in design, coding and testing of every product Microsoft builds
- Cross-group design & code reviews
- Security Threat Analysis part of every design spec
- Red Team testing and code reviews
- Focus not confined to buffer overruns
- Security bug feedback loop & code sign-off requirements
- External reviews and testing by consultants and public
Technology:
- Build tools to automate everything possible in the quest to code the most secure products
- Prefix and Prefast for buffer overrun detection, updated as new vulnerabilities are found
- Visual C++ 7.0 compiler improvements
- Domain-specific tools (e.g. RPC security stress)

Secure Windows Initiative: External Security Review
- FIPS 140-1 evaluation of Cryptographic Service Provider (CSP): Completed
  - Government validation of base crypto algorithms in Windows
- Common Criteria evaluation: In Preparation
  - Evaluation of Windows source code against International security criteria for evaluating
- Third party expert review of key components
- Source code licensed to over 80 universities, labs, and government agencies

Strategic Technology Protection Program
Goal: Help customers secure their Windows systems.
(Diagram labels: People, Process, Technology)

Strategic Technology Protection Program: Customers Need Our Help
- "I didn't know which patches I needed"
- "I didn't know where to find the updates"
- "I didn't know which machines to update"
- "We updated our production servers, but the rogue servers got infected"
- More than 50% of the customers affected by Code Red were not patched in time for Nimda

STPP: "Get Secure"
- Coming: Enterprise Security Tools
  - Microsoft Baseline Security Analyzer
  - SMS security patch rollout tool
  - Windows Update Auto-update client
- Now: Microsoft Security Toolkit
  - Server oriented security resources
  - New server security tools and updates
  - Windows Update bootstrap client for Windows 2000
- Now: Security Assessment Program Offering
  - Available immediately through MCS/PSS
- Now: Free Virus Support Hotline
  - Contact your local PSS office

Get Secure: Microsoft Security Toolkit
- Gets Windows NT and 2000 systems to a secure baseline, even on a disconnected net
- Automates server updates: one-button wizard and SMS scripts
- Updates and Patches: includes all Service Packs and critical OS and IIS patches through 10/15
- HFNetChk: patch level verifier
- IIS Lockdown & URLScan

STPP: "Stay Secure"
- Ongoing: Enhanced Product Security
  - Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
- Spring 2002: Federated Corporate Windows Update Program
  - Allows enterprises to host and select Windows Update content
- Spring 2002: Windows 2000 Service Pack 3 (SP3)
  - Provide ability to install SP3 + security rollup with a single reboot
- Jan. 2002: Windows 2000 Security Rollup Patches
  - Bundle all security fixes in single patches
  - Reduces reboots and administrator burden

Corporate Update Server Solution
- Automatic Update (AU) client
  - Automatically download and install critical updates: security patches, high impact bug fixes, and new drivers when no driver is installed for a device
  - Checks Windows Update service or Corporate Update server once a day
  - New! Install at scheduled time after automatic downloads
  - Administrator control of configuration via registry-based policy
  - Support for Windows .NET Server, Windows XP and Windows 2000
- Update server
  - Corporate hosted WU server to support download and install of critical updates through the AU client
  - Server synchronizes with the public Windows Update service
  - Simple administrative model via IE
  - Updates are not made available to clients until the administrator approves them
  - Runs on Windows .NET Server and Windows 2000 Server

Trustworthy Computing
Goal: Make devices powered by computers and software as trustworthy as devices powered by electricity.

A Trust Taxonomy
Goals:
- Availability: at advertised levels
- Suitability: features fit function
- Integrity: against data loss or alteration
- Privacy: access authorized by end-user
- Reputation: system and provider brand
Means:
- Security: resists unauthorized access
- Quality: performance criteria
- Dev Practices: methods, philosophy
- Operations: guidelines and benchmarks
- Business Practices: business model
- Policies: laws, regulations, standards, norms
Execution:
- Intent: management assertions
- Risks: what undermines intent, causes liability
- Implementation: steps to deliver intent
- Evidence: audit mechanisms

Building the secure platform
Goal: Provide IT with a secure, integrated foundation for managing how users, business, and technologies connect.

Security in depth
- Infrastructure (PKI, Directory)
- Network (IPSec, Wireless, VPN)
- Device (PDA, Laptops, PCs, Servers)
- Application
- Management

Typical Application Architecture
(Diagram: Users, Front End, Back End, with the cross-cutting services Authentication, Network Access, Authorization, Audit, Alerts. The following slides highlight each service in turn.)
- Secure Network Access: Firewall, VPN, Wireless, IPSEC
- Flexible Authentication: Basic, HTTP Digest, Kerberos, Certificates, Smartcards
- Rich Access Controls: Access Control Lists, Roles
- System Wide Auditing: Audit Actions, Distributed Devices, Audit Policy
- Alert Infrastructure: Event Forwarding, Filtering, Correlation

Windows Brings it Together
- Active Directory
  - Integrated network authentication
  - Policy based management
- PKI
  - Integrated PKI services and auto-enrollment
  - Used by IPSEC, Smartcard, Code Signing etc.
- Networking
  - Secure network access via 802.1x support
  - Authenticated firewall access via Microsoft ISA Server
- Protected Devices
  - Encrypting File System
  - Software Restriction Policies

2002 Microsoft Corporation. All rights reserved.
22、tionPolicy based managementPKIIntegrated PKI services and auto-enrollmentUsed by IPSEC,Smartcard,Code Signing etc.NetworkingSecure network access via 802.1x supportAuthenticated firewall access via Microsoft ISA serverProtected DevicesEncrypting File SystemSoftware Restriction Policies,2002 Microsoft Corporation.All rights reserved.,