Microsoft Security Strategy
Steven Adler
Product Manager
Microsoft EMEA

Session Agenda
- Focus on Customer Challenges
- Microsoft Security Strategy
- Secure Windows Initiative
- Strategic Technology Protection Program
- Trustworthy Computing
- Building the secure platform
- .NET Framework
- Windows.NET
- Summary
- Questions

Technology, Process, People: What are the challenges?
- Products lack security features
- Products have bugs
- Insufficient technical standards
- Difficult to stay up-to-date
- Design for security
- Roles and responsibilities
- Vigilance
- Business continuity plans
- Stay up-to-date with security development
- Problem recognition
- Skills shortage
- Human error
Process, People, Technology

Microsoft Security Strategy
- Trustworthy Computing
- Strategic Technology Protection Program
- Secure Windows Initiative

Secure Windows Initiative
“Engineering For Security”
Goal: Eliminate Every Security Vulnerability Before The Product Ships
People, Process, Technology

Industry Yardstick
Source: Security Focus http://

Secure Windows Initiative
People
- Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products
Process
- Make security a critical factor in design, coding and testing of every product Microsoft builds
- Cross-group design and code reviews
- Security Threat Analysis part of every design spec
- Red Team testing and code reviews
- Focus not confined to buffer overruns
- Security bug feedback loop and code sign-off requirements
- External reviews and testing by consultants and public
Technology
- Build tools to automate everything possible in the quest to code the most secure products
- PREfix and PREfast for buffer overrun detection
- Updated as new vulnerabilities found
- Visual C++ 7.0 compiler improvements
- Domain-specific tools (i.e. RPC security stress)

Secure Windows Initiative: External Security Review
- FIPS 140-1 evaluation of Cryptographic Service Provider (CSP): Completed
  - Government validation of base crypto algorithms in Windows
- Common Criteria evaluation: In Preparation
  - Evaluation of Windows source code against international security criteria for evaluating
- Third party expert review of key components
- Source code licensed to over 80 universities, labs, and government agencies

Strategic Technology Protection Program
Goal: Help customers secure their Windows Systems
People, Process, Technology

Strategic Technology Protection Program - Customers Need Our Help
- "I didn't know which patches I needed"
- "I didn't know where to find the updates"
- "I didn't know which machines to update"
- "We updated our production servers, but the rogue servers got infected"
- More than 50% of the customers affected by Code Red were not patched in time for Nimda

STPP: “Get Secure”
- Coming - Enterprise Security Tools
  - Microsoft Baseline Security Analyzer
  - SMS security patch rollout tool
  - Windows Update Auto-update client
- Now - Microsoft Security Toolkit
  - Server oriented security resources. New server security tools and updates, Windows Update bootstrap client for Windows 2000
- Now - Security Assessment Program Offering
  - Available immediately through MCS/PSS
- Now - Free Virus Support Hotline
  - Contact your local PSS office

Get Secure: Microsoft Security Toolkit
- Gets Windows NT and 2000 systems to secure baseline, even disconnected net
- Automates server updates
  - One-button wizard and SMS Scripts
- Updates and Patches
  - Includes all Service Packs and critical OS and IIS patches through 10/15
- HFNetchk: patch level verifier
- IIS Lockdown
- URLScan

STPP: “Stay Secure”
- Ongoing - Enhanced Product Security
  - Provide greater security enhancements in the releases of all new products, including the Windows.NET Server family
- Spring 2002 - Federated Corporate Windows Update Program
  - Allows enterprise to host and select Windows Update content
- Spring 2002 - Windows 2000 Service Pack (SP3)
  - Provide ability to install SP3 + security rollup with a single reboot
- Jan. 2002 - Windows 2000 Security Rollup Patches
  - Bundle all security fixes in single patches
  - Reduces reboots and administrator burden

Corporate Update Server Solution
Automatic Updat