Michael Howard Principal Security Program Mgr. Microsoft Corp. DPR203.
Inside the Microsoft Security Development Lifecycle (and how you can use it!)
Michael Howard, Principal Security Program Mgr., Microsoft Corp. – DPR203
Who Is This Guy?
[email protected]
Microsoft employee for 17 years
Always in security
Worked on the SDL since inception (feels like eternity!)
Agenda
The SDL
Recommendations vs. Requirements
SDL Recommendations and Requirements
My Only Objective
Give you actionable ideas that will improve the security of your software.
Links to tools and other resources are in the speaker notes.
IMPORTANT
This session does not cover every SDL item
This session covers very little privacy and nothing to do with security response and servicing
Nor does it cover any internal Microsoft-specific issues
The SDL
“Reduce the Number of Vulnerabilities in your code.”
“Reduce the Severity of the Vulnerabilities you miss.”
Does SDL Apply to Your Product?
Yes, if…
It handles valuable data (e.g., PII, sensitive business/medical data)
Has a large customer base
Has functional risk, e.g., a single socket reachable from the ’net
Is part of an acquisition
Recommendations vs. Requirements
A requirement is something you must do prior to shipping
A recommendation is something you should consider
Many requirements start life as recommendations
Identify Primary Security & Privacy Contact
REQUIREMENT
Someone (or some people) must handle security and privacy for the team
ACTION
Pick a security person to be the “Security Champ”
“Grow” this person if needed
Security Training
REQUIREMENT
Fits into the “rhythm of the product”
At least 80% of the team trained
ACTION
Adopt ongoing training for your team
If you have *NEVER* attended *ANY* security training, do so ASAP
Track Security Bugs
REQUIREMENT
Configure your bug database to track security bugs
ACTION
Create the following fields in your database:
Security Criticality: None, Critical, Important, Moderate, Low, Defense in Depth
Security Cause: None, Buffer overflow/underflow, Arithmetic, SQL injection, Race Condition, XSS, Crypto, etc.
Security Effect: None, STRIDE
Use Strong-Named Assemblies but not APTCA
REQUIREMENT
Strong-named assemblies prevent DLL Hell and provide tamper detection
Adds a defense: immediate callers must be granted FullTrust
AllowPartiallyTrustedCallersAttribute (APTCA) allows partially trusted callers (i.e., code from the ’net)
ACTION
Run FxCop on your strong-named assemblies
Code review CA2116 & CA2117
Consider using SecurityTransparent
Use Secure Crypto Design (1 of 3)
REQUIREMENT
Covers: algorithms, agility, use of standard libs
Agility: Do not hard-code algorithms in your code
ACTION
Use a class factory
// Not agile: the algorithm is fixed at compile time
SHA1Managed sha = new SHA1Managed();
// Agile: the algorithm is looked up by name, so it can be remapped in configuration
HashAlgorithm alg = HashAlgorithm.Create("MyAppHash");
Use Secure Crypto Design (2 of 3)
ACTION
Use Microsoft standard crypto libraries
System.Security.Cryptography for managed code
CryptoAPI, CNG for native code
Use DPAPI for secrets
Use approved random number generators: CryptGenRandom, rand_s, RNGCryptoServiceProvider
Use Secure Crypto Design (3 of 3)
ACTION
Use appropriate algorithms
Use: AES (128-bit or better), RSA (2048-bit or better), SHA-256 (or stronger)
Use nothing else!
Download SDLCryptoCheck, run it on your code and triage the results
Firewall Requirements
REQUIREMENT
Firewall setting changes must be logged in the system security log
Do not disable the firewall
Do not create an inbound rule to allow the traffic through the firewall
Cannot allow an exception to be created by a user without admin privileges
Document your networking requirements
ACTION
See above :-)
Threat Models
REQUIREMENT
Build a threat model for your product
Threats to a Windows Azure solution are different from threats to a native Windows solution
Helps you understand secure design issues
Service updates do not need threat modeling
ACTION
Learn how to do threat modeling, then download the SDL Threat Modeling Tool and use it
Support UAC
REQUIREMENT
Most applications should run correctly as normal users and not require unnecessary privileges
ACTION
Make sure you test your application as a non-admin on Windows Vista or Windows 7
Use Aaron Margosis’ LUA Buglight to help ascertain why your application fails as non-admin
Or use LuaPriv with Application Verifier
Read Writing Secure Code for Windows Vista
Granular Feature Control
RECOMMENDATION
To reduce attack surface, expose only the most common functionality
ACTION
Support granular enable/disable of features and parsers
IIS7 is the poster child
Grant Minimal Privileges
RECOMMENDATION
Applications should run with only enough privilege to perform the tasks required, and no more
ACTION
(See UAC) and don’t run your services as SYSTEM unless you absolutely must
Drop privileges on service startup
Use Minimum Code Generation Suite
REQUIREMENT
We constantly add defenses to the compiler and linker
You get defenses for free simply by using the latest compilers
ACTION
At a minimum, you should use VS 2005 SP1
But we highly recommend you use VS 2008 SP1
And VS 2010 when it comes out, especially for C++ (stronger -GS)
Use /GS
REQUIREMENT
Applies to 32-bit native C/C++ code only, even if the code is called by managed code
Detects some forms of stack-based buffer overrun at runtime
ACTION
Compile all native 32-bit C/C++ code with /GS
It’s on by default in VC++ 2008, so don’t use /GS-
Consider using #pragma strict_gs_check(on)
Use Safe Exception Handling
REQUIREMENT
Detects compromised exception handlers (C++ and Windows SEH)
Would have prevented CodeRed
ACTION
Link with /SAFESEH
Use MIDL /ROBUST for RPC/DCOM
REQUIREMENT
RPC is subject to potentially dangerous input
Lots of services use RPC
In Windows NT4 the server-side proxy code was very trusting
We added /ROBUST to MIDL to add more data validation
ACTION
Always run MIDL with /ROBUST (it’s the default now)
Requires Windows 2000 and later
Use ASLR
REQUIREMENT
Applies to all code
Randomizes the image in memory, making it harder for attackers to get their exploits working correctly
ACTION
Link your code with /DYNAMICBASE
Use DEP
REQUIREMENT
Applies to all code
Marks memory as “no execute”, which can stop some forms of buffer overrun
ASLR is required for DEP to be effective
ACTION
Link your code with /NXCOMPAT
Confirm DEP and ASLR with Process Explorer
Detect Heap Corruption
REQUIREMENT
C & C++ only
The Windows Vista and later heap manager detects heap corruption, but Windows will not shut your application down by default
ACTION
Add the following to your main() or WinMain() function:
(void)HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
No Writeable PE Segments
REQUIREMENT
Somewhat esoteric IPC method
PE segments are not ACL-able
ACTION
Don’t use shared, writeable PE segments
These are all bad:
/section:<name>,RWS
#pragma comment(linker, "/section:<name>,RWS")
#pragma section("<name>", read, write, shared)
Do Not Use Banned APIs
REQUIREMENT
Some C runtime functions are prone to error
So don’t use them, use safer versions
ACTION
Compile with banned.h or strsafe.h
Triage C4996 warnings
Replace insecure functions with safer C runtime functions or strsafe functions, e.g., strcpy → strcpy_s or StringCchCopy
Add the following to auto-migrate functions to safe functions:
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)
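The two halves of this slide, a compile-time ban on the error-prone functions and a replacement whose signature carries the destination size, as an added example in portable C. This is not code from the slides: banned.h, strsafe.h and strcpy_s are Microsoft-specific, so the ban is stood in for by a guarded `#pragma GCC poison`, and `str_copy_cch`, `user_record` and `set_user_name` are hypothetical names constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>   /* included before the poison so its own declarations are not flagged */

/* Compile-time ban, the job banned.h does with #pragma deprecated on MSVC:
 * any later use of these identifiers is a hard compile error on GCC/Clang. */
#if defined(__GNUC__)
#pragma GCC poison strcpy strcat sprintf gets
#endif

typedef enum { COPY_OK = 0, COPY_TRUNCATED, COPY_BAD_ARGS } copy_status;

/* Hypothetical stand-in for StringCchCopy / strcpy_s: the destination size is an
 * explicit argument, the buffer is always NUL-terminated when it is non-empty,
 * and truncation is reported to the caller instead of silently overrunning. */
static copy_status str_copy_cch(char *dst, size_t dst_count, const char *src) {
    if (dst == NULL || src == NULL || dst_count == 0) return COPY_BAD_ARGS;
    size_t i = 0;
    while (i + 1 < dst_count && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* Constructed record: a guard value sits right after the name field so a test
 * can prove the copy never wrote past it. */
typedef struct {
    char name[8];
    unsigned guard;
} user_record;

#define GUARD_VALUE 0xCAFEF00Du

/* Before: strcpy(rec->name, input) overruns `name` for any input of 8+ chars.
 * After: only complete names are stored; anything that would not fit is rejected. */
static int set_user_name(user_record *rec, const char *input) {
    rec->guard = GUARD_VALUE;
    copy_status st = str_copy_cch(rec->name, sizeof rec->name, input);
    if (st != COPY_OK) {
        rec->name[0] = '\0';   /* do not keep a silently clipped name */
        return 0;
    }
    return 1;
}

int main(void) {
    user_record rec;
    int ok = set_user_name(&rec, "bob");
    printf("\"bob\" accepted: %d (name=\"%s\")\n", ok, rec.name);
    ok = set_user_name(&rec, "bartholomew");
    printf("\"bartholomew\" accepted: %d, guard intact: %d\n", ok, rec.guard == GUARD_VALUE);
    return 0;
}
```

The point of the shape is that the caller has to decide what a truncated copy means for the application; strsafe's StringCchCopy makes the same decision visible through its HRESULT instead of letting the overrun happen.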
Encode Long-lived Pointers
RECOMMENDATION
Long-lived pointers, for example globally scoped ones, are targets for attack
They need protecting
ACTION
Find all long-lived pointers and protect them with EncodePointer, etc.
// g_pFoo is a global pointer that points to foo
void *g_pFoo = EncodePointer(&foo);
...
// Decode the pointer when you need to use it
void *pFoo = DecodePointer(g_pFoo);
Use FxCop on Managed Code
REQUIREMENT
FxCop can help find common security vulnerabilities in C# and VB.NET code, Web code or standalone code
ACTION
Download FxCop (or use Code Analysis in VS)
Run it at least once a day
Triage all Security rules
Aim to have zero suppressions and zero warnings
Use /analyze for Unmanaged Code
REQUIREMENT
The PREfast engine can find many common and easy-to-fix security vulnerabilities at compile time
ACTION
Compile with /analyze at least once a day
Don’t use it on your main builds, it doubles compile times
Triage warnings: 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276
/analyze is very low noise
Help /analyze – Use SAL
RECOMMENDATION
Adding SAL can help /analyze find more security bugs
SAL adds valuable interface contract data, e.g.,
_In_z_bytecount_(n)
‘In’ buffer: code will read the buffer
Buffer will be NULL-terminated
Buffer byte count is ‘n’
Use /W4
RECOMMENDATION
C and C++ only
There is a subset of high-noise warnings that are now potentially real security vulnerabilities
ACTION
Compile C and C++ code with /W4 or the less noisy:
MSC_WARNING_LEVEL=/W3 /WX /we4242 /we4245 /we4254 /we4289 /we4295 /we4296 /we4701
Hand triage the results
Native Code XML Parsers
REQUIREMENT
Parsing XML safely is hard
There have been many industry-wide security vulnerabilities parsing malicious XML payloads
XML is everywhere!
C++ just makes matters worse!
ACTION
Use XmlLite
Use MSXML 6 SP1
Use MSXML3 SP9 only if there is a strong business justification
XSS Prevention
REQUIREMENT
XSS is the #1 security vulnerability today
Yes, it’s bigger than BOs!
ACTION
Check all incoming data
Constrain with TryParse, or RegEx
Encode with HTML Encoding
Use AntiXSS
Use ValidateRequest (defense in depth)
Use CAT.NET
XSS Prevention (Safe Tags)
<b> <blockquote> <br> <div> <em> <i> <li> <ol> <p> <strong> <u> <ul>
IMPORTANT: Only safe if you strip or disallow attributes
bool IsSafeTag(string tag)
{
    bool safe = false;
    // The tag names must be an alternation group, not a character class:
    // [b|blockquote|...]+ would accept any run of those letters
    string safeTagsRE = @"^</?(b|blockquote|br|div|em|i|li|ol|p|strong|u|ul)>$";
    if (Regex.Match(tag, safeTagsRE, RegexOptions.IgnoreCase).Success)
        safe = true;
    return safe;
}
Use ViewStateUserKey
REQUIREMENT
Helps mitigate Cross-Site Request Forgery (CSRF) vulnerabilities
Defense in depth
ACTION
Add this to your Web applications:
protected void Page_Init(object sender, EventArgs e)
{
    // Ties the ViewState MAC to this user's session, so ViewState captured
    // from one session does not validate in another
    this.ViewStateUserKey = Session.SessionID;
}
Do Not Use JavaScript eval() or Equivalents
RECOMMENDATION
Evaluates and executes arbitrary string data
What if the data is untrusted?
ACTION
Triage the following in your JavaScript code: eval, setTimeout, setInterval
When using JSON, use fromJSON
Safe Redirect
RECOMMENDATION
Redirecting to an arbitrary Web location specified in an HTTP request is dangerous
Opens users of your site to phishing attacks
ACTION
Only redirect to a known set of safe URLs
// Safe: fixed, known destination
Response.Redirect("/error.aspx");
// Dangerous: destination taken from the request (open redirect)
Response.Redirect(Request.QueryString["uri"]);
SQL Execute Only Permission
REQUIREMENT
Helps mitigate SQL Injection vulns
ACTION
Run your app as Network Service (DOMAIN\$machinename)
Join that account to a domain group (DOMAIN\webapps)
Grant that group execute permission on stored procs, etc.
Use SQL Parameterized Queries
REQUIREMENT
SQL injections are hard to pull off with parameterized queries…
…and easy to pull off with string concatenation
ACTION
// Good: id travels as a typed parameter, never as part of the SQL text
SqlDataAdapter cmd = new SqlDataAdapter("exec sp_getshipstatus @id", conn);
SqlParameter parm = cmd.SelectCommand.Parameters.AddWithValue("@id", id);
// Bad: attacker-controlled id is concatenated into the statement
string query = "select * from status where id = " + id;
Use SQL Stored Procedures
REQUIREMENT
A good way to hide back-end application logic in the event your server is breached
It also allows you to easily support execute-only database objects
It’s defense in depth
ACTION
Use sprocs for all your back-end queries
Don’t add EXEC (etc.) to your sprocs
Do Not Depend on NTLM
RECOMMENDATION
NTLM provides only client authentication
All current versions of Windows support Kerberos
ACTION
Grep for the word “NTLM” in your code
Use the Negotiate SSP rather than the NTLM SSP
No “Swallow All” Exceptions
RECOMMENDATION
Exception handlers that catch all possible exceptions can mask serious bugs
They also can make it easier to defeat ASLR
ACTION
Handle only the exceptions you can REALLY handle
All bad:
SEH: __except(EXCEPTION_EXECUTE_HANDLER)
C++: catch(...)
RPC: RpcExcept(1)
Managed Code: catch (Exception)
Safe Error Messages
RECOMMENDATION
You want to make it easy for users and admins to know why something failed
But you don’t want to tell attackers too much
ACTION
Review all error message text, make sure it is:
Clear to users
Not disclosing too much information, especially for errors transmitted across the network
Fuzz Testing
REQUIREMENT
Many applications fail when presented with incorrect or malformed data
A DoS may really be a code execution vulnerability
ACTION
Fuzz test applications that read untrusted data with a minimum of 100,000 malformed inputs
File parsers are a great candidate
ActiveX controls marked safe for scripting or safe for initialization
Networking endpoints
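A minimal mutation fuzzer in the spirit of the 100,000-malformed-inputs requirement, as an added example in C that is not from the slides: the record format, both parsers, the xorshift PRNG and the seed record are all constructed for this example. A first-draft parser that trusts the length byte is run beside a hardened one, and a bounds-counting input view records every read the parser would have made past the end of the data, which is the class of bug the slide says can hide behind a "DoS".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FUZZ_ITERATIONS 100000   /* the slide's minimum */
#define MAX_INPUT 64

/* Input view that counts, rather than performs, out-of-bounds reads, so the
 * harness can observe a would-be over-read on any platform. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t violations;
} fuzz_input;

static uint8_t read_at(fuzz_input *in, size_t i) {
    if (i >= in->len) { in->violations++; return 0; }
    return in->data[i];
}

/* Constructed record format: [len:1][payload:len][xor checksum:1] */

/* First-draft parser: trusts the length byte and reads that much payload. */
static int parse_record_trusting(fuzz_input *in) {
    uint8_t len = read_at(in, 0);
    uint8_t sum = 0;
    for (size_t i = 0; i < (size_t)len; i++) sum ^= read_at(in, 1 + i);
    return sum == read_at(in, 1 + (size_t)len);
}

/* Hardened parser: the length byte is checked against the bytes actually present. */
static int parse_record_checked(fuzz_input *in) {
    if (in->len < 2) return 0;
    uint8_t len = read_at(in, 0);
    if ((size_t)len + 2 > in->len) return 0;   /* length field claims more than we have */
    uint8_t sum = 0;
    for (size_t i = 0; i < (size_t)len; i++) sum ^= read_at(in, 1 + i);
    return sum == read_at(in, 1 + (size_t)len);
}

/* xorshift32 PRNG: deterministic, so a failing input is reproducible from the seed. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Feeds `iterations` mutations of one valid record to `parser` and returns how
 * many of them made the parser attempt a read outside the input. */
static size_t fuzz(int (*parser)(fuzz_input *), unsigned iterations, uint32_t seed) {
    const uint8_t valid[] = { 3, 'a', 'b', 'c', 'a' ^ 'b' ^ 'c' };   /* constructed seed record */
    uint8_t buf[MAX_INPUT];
    size_t faults = 0;
    rng_state = seed ? seed : 1;   /* xorshift must not start at zero */
    for (unsigned it = 0; it < iterations; it++) {
        size_t n = sizeof valid;
        memcpy(buf, valid, n);
        unsigned flips = 1 + rng_next() % 3;                 /* overwrite 1..3 random bytes */
        for (unsigned f = 0; f < flips; f++) buf[rng_next() % n] = (uint8_t)rng_next();
        switch (rng_next() % 4) {
        case 0: n = 1 + rng_next() % n; break;               /* truncate */
        case 1: { size_t extra = rng_next() % 8;             /* append junk */
                  while (extra-- > 0 && n < MAX_INPUT) buf[n++] = (uint8_t)rng_next(); }
                break;
        default: break;                                      /* byte flips only */
        }
        fuzz_input in = { buf, n, 0 };
        parser(&in);
        if (in.violations > 0) faults++;
    }
    return faults;
}

int main(void) {
    printf("trusting parser: %zu of %d inputs attempted an out-of-bounds read\n",
           fuzz(parse_record_trusting, FUZZ_ITERATIONS, 0x9E3779B9u), FUZZ_ITERATIONS);
    printf("checked parser:  %zu of %d inputs attempted an out-of-bounds read\n",
           fuzz(parse_record_checked, FUZZ_ITERATIONS, 0x9E3779B9u), FUZZ_ITERATIONS);
    return 0;
}
```

The trusting parser reports a non-zero count and the checked one reports zero. Against a real file or network parser the same loop would feed the mutated buffers to the production code, with Application Verifier (next slide) or a memory sanitizer doing the out-of-bounds detection that `read_at` does here.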
Test with Application Verifier
REQUIREMENT
Applies to native code only
A runtime tool that can detect many runtime security vulnerabilities
Requires good code coverage to be effective
ACTION
Run your application under Application Verifier using the following rules: Heaps, Handles, Memory
Device Driver Issues
REQUIREMENT
Kernel-mode crashes lead to BSOD
ACTION
Run Driver Verifier with at least the following: Security Checks, Miscellaneous Checks
Question & Answer
Resources
www.microsoft.com/teched – Sessions On-Demand & Community
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
www.microsoft.com/learning – Microsoft Certification & Training Resources
Track Resources
Visit the DPR TLC for a chance to win a copy of Visual Studio Team Suite. A daily drawing occurs every day in the TLC at 4:15pm. Stop by for a raffle ticket.
http://www.microsoft.com/visualstudio
http://www.microsoft.com/visualstudio/en-us/products/teamsystem/default.mspx
Please visit us in the TLC blue area
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.