Security Update (February 2004)

Enhancing Customer Security: Commitment and Progress

Tyler S. Farmer, Sr. Technology Specialist II, Education Solutions, Microsoft Corporation


Agenda

End of Life

Situation

Commitments

Progress

Challenges ahead

Product Lifecycle Guidelines

7 Year Lifecycle

5 years of “Mainstream Support”: no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims, and hotfix support.

2 more years of “Extended Support”: all paid support options, security-related hotfix support (no charge). Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased within 90 days after Mainstream support ends. Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.

http://support.microsoft.com/lifecycle

End of Life – NT Server 4.0

Regular support ends Dec. 2004.

Security hotfix support ends Dec. 2004

Non-security hotfix support ends Dec. 2003.

End of Life – NT Workstation 4.0

Basically ended on June 30, 2003.

Some Security patches still coming, probably with NT Server (June 2004).

End of Life – Windows 98

Regular support ended June 30, 2003.

Paid incident support extended to June 30, 2006.

This does not include new security fixes (available through Premier Support)

Microsoft Java Virtual Machine

According to 2001 Settlement w/ Sun, Microsoft is no longer authorized to support Java VM, starting October 2004

This includes security patches

Diagnostic tool coming “soon”

http://www.microsoft.com/java

Situation: Process, Guidance, Tools Critical

[Timeline: Product ship; Vulnerability discovered; Component modified; Patch released; Patch deployed at customer site]

Callouts on the timeline: “Most attacks occur here”; “Why does this gap exist?”

Exploit Timeline

Days From Patch to Exploit

The average is now nine days for a patch to be reverse-engineered

As this cycle keeps getting shorter, patching is a less effective defense in large organizations

Why does this gap exist?

[Chart: Days between patch and exploit code. Nimda 331; SQL Slammer 180; Welchia/Nachi 151; Blaster 25]

The Forensics of a Virus

July 1 – Report (vulnerability reported to us / patch in progress): Vulnerability in RPC/DCOM reported. MS activated highest level emergency response process.

July 16 – Bulletin (bulletin & patch available / no exploit): MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.

July 25 – Exploit (exploit code in public): X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.

Aug 11 – Worm (worm in the world): Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”).

Blaster shows the complex interplay between security researchers, software companies, and hackers

Microsoft Commitment

Build software and services that will help better protect our customers and the industry.

Better processes and tools

Guidance and training for our customers

Technology innovation

Trustworthy Computing quality improvements

You’ve Told Us

“I can’t keep up…new patches are released every week”

“The quality of the patching process is low and inconsistent”

“I need to know the right way to run a Microsoft enterprise”

“There are still too many vulnerabilities in your products”

Our Action Items

Provide Guidance and Training

Mitigate Vulnerabilities Without Patches

Continue Improving Quality

Improve the Patching Experience

Improve the Patching Experience: New Patch Policies

Extending support to June 2004: Windows 2000 SP2, Windows NT SP6a

Non-emergency security patches on a monthly release schedule

Allows for planning a predictable monthly test and deployment cycle

Packaged as individual patches that can be deployed together

Achieves benefits of security rollup with increased flexibility

Patches for emergency issues will still release immediately

Improve the Patching Experience: Patch Enhancements

Your Need / Our Response

Reduce patch complexity: By 5/04: Consolidating to 2 patch installers for W2K and higher, Office & Exchange. All patches will behave the same way (SUS 2.0, MSI 3.0)

Reduce risk of patch deployment: Now: Increased internal testing; customer testing of patches pre-release. By 5/04: rollback capability for Windows, SQL, Exchange, Office

Reduce patch size: Now: Reduced patch size by 35% or more. Will have 80% reduction by 5/04. (Delta patching technology and improved functionality with MSI 3.0)

Reduce downtime: Now: 10% fewer reboots on W2K and higher. By 5/04: 30% fewer reboots on Win 2003 (starting in SP1). Up to 70% reduction for next server

Extend patch automation to all products: 11/03: SMS 2003 offers capability to patch all supported Microsoft platforms and applications. By end of 2004, all MS patches behave the same at installation (MSI 3.0 + SUS 2.0) and available in one place: MS Update

Security Guidance for IT Pros

Available Now

17 prescriptive books

How Microsoft secures Microsoft guidance & tools

Later this year and throughout 2004

More prescriptive & how-to guides

Tools & scripts to automate common tasks

Focused on operating a secure environment

Patterns & practices for defense in depth

Enterprise security checklist – the single place for authoritative security guidance

Training & Guidance: IT Pros

IT Pros: 500K customers to be trained by the end of 2004

Monthly Webcasts and Seminars: http://www.microsoft.com/seminar/events/security.mspx

New guidance on Microsoft.com: http://www.microsoft.com/guidance

Security Guidance Kit CD

New monthly newsletter: http://www.microsoft.com/technet/security/secnews/newsletter.htm

Proactive communications

Using Virus Information Alliance collective data for better threat response

KB articles outline application security enhancements

Global training with more guidance and best practices for securing systems and infrastructure

Guidance and Training: Developer

Global Education Program: Developer Security Seminars; MSDN Security Center; PDC Symposium

Developer Guidance: patterns and practices: “Building Secure ASP.NET Applications”; “Improving Web Application Security”

Microsoft Press: “Writing Secure Code v 2.0”

Improving Patching Experience: Security Bulletin Severity Rating System

Rating / Definition / Customer Action

Critical. Definition: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action. Customer action: Apply the patch or workaround immediately

Important. Definition: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources. Customer action: Apply patch or workaround as soon as is feasible

Moderate. Definition: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation. Customer action: Evaluate bulletin, determine applicability, proceed as appropriate

Low. Definition: Exploitation is extremely difficult, or impact is minimal. Customer action: Consider applying the patch at the next scheduled update interval

Revised November 2002

More information at http://www.microsoft.com/technet/security/policy/rating.asp

Free Security Bulletin Subscription Service: http://www.microsoft.com/technet/security/bulletin/notify.asp

Beyond Patching

Make corporations & perimeters more resilient to attack, even when patches are not installed

Help stop known & unknown vulnerabilities

Goal: Make 7 out of every 10 patches installable on your schedule

Client Attack Vectors: Malicious Web content; Buffer overrun attacks; Port-based attacks; Malicious e-mail attachments

VPN & Internal Enterprise Quarantines: Infected remote client; Infected local client

Continue Improving Quality: Trustworthy Computing Release Process

[Diagram: Design, Development (milestones M1, M2, Mn, Beta), Release, Support. Deliverables: Design docs & specifications; Development, testing & documentation; Product; Service Packs, QFEs]

Security Review: Each component team develops threat models, ensuring that design blocks applicable threats

Develop & Test: Apply security design & coding standards. Tools to eliminate code flaws (PREfix & PREfast). Monitor & block new attack techniques

Security Push: Team-wide stand down. Threat model updates, code review, test & documentation scrub

Security Audit: Analysis against current threats. Internal & 3rd party penetration testing

Security Response: Fix newly discovered issues. Root cause analysis to proactively find and fix related vulnerabilities

Continue Improving Quality

Mandatory for all new products:

[Chart: Critical or important vulnerabilities in the first 90 days and 150 days, by TwC release (Yes / No). Values shown: 6, 9, 13, 23]

For some widely-deployed, existing products:

Service Pack 3 (shipped Jan. 2003, 8 months ago): bulletins since TwC release: 1; bulletins in prior period: 9

Service Pack 3 (shipped July 2002, 14 months ago): bulletins since TwC release: 0; bulletins in prior period: 5

Improving Quality: Windows Server

[Chart: "Critical" & "Important" Security Bulletins From General Availability. X axis: Days after availability; Y axis: Bulletins; series: WS2003, Win2000 Server; labelled values: 36 and 6]

Reduced Attack Surface: Windows Server 2003 disables 20+ Services

Services Disabled by Default: Alerter; ASP.NET State; ClipBook; Distributed Link Tracking Server; Fast User Switching Compat; IMAPI CD-Burning COM Service; Indexing Service; License Logging; Messenger; NET Framework Support Service; NetMeeting Remote Desktop Sharing; Network DDE; Portable Media Serial Number; Remote Access Auto Connection Manager; System Event Notification; Task Scheduler; Telnet; Terminal Services Session Directory; Themes; Upload Manager; Wireless Zero Configuration; Web Client; Windows Audio

IIS is not installed on Windows 2003 Server

Now IF you install IIS…

IIS components | IIS 5.0 clean install | IIS 6.0 clean install
Static file support | enabled | enabled
ASP | enabled | disabled
Server-side includes | enabled | disabled
Internet Data Connector | enabled | disabled
WebDAV | enabled | disabled
Index Server ISAPI | enabled | disabled
Internet Printing ISAPI | enabled | disabled
CGI | enabled | disabled
Frontpage Server Extensions | enabled | disabled
Password Change Functionality | enabled | disabled
SMTP | enabled | disabled
FTP | enabled | disabled
ASP.NET | X | disabled
BITS | X | disabled

Technology

Windows XP SP2

Easier, effective management of PC security that puts the customer in control

Network protection, safer e-mail and Web browsing, memory protection

Beta 1 released on December 19, 2003

Availability: target RTM H1 CY04

New security technologies for Windows XP to make systems more resilient against attack

Preview: Windows XP SP2

Windows Firewall enhancements with more granular control

Pop-up blocking

Technology

Windows Server 2003 SP1

Role-based security configuration

Network client and remote VPN inspection

Availability: RTM H2 CY04

ISA Server 2004

Application Layer Filtering

Simplified management tools

Enhanced user interface

Availability: RTM H1 CY04

Commitment: Update Windows Server 2003 and improve edge protection with technologies that enable a more secure infrastructure

Security for Tomorrow

An Evolving Threat

[Diagram: National Interest, Personal Gain, Personal Fame, Curiosity on one axis; Script-Kiddy, Undergraduate, Expert, Specialist on the other. Author: Vandal, Thief, Spy, Trespasser. Callouts: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment]

Security for Tomorrow

Better use of existing technology

RPC over HTTP

Identity management

Secure wireless

Industry involvement

Continuing partnerships

Expanding the Virus Information Alliance

Expanding “Protect Your PC” outreach for consumers

Enforcement

Law enforcement assistance

Reward fund

Ongoing vigilance

Continued internal training and focus on building secure code

Leadership, innovation, partnership

Microsoft’s Commitments

Steve Ballmer’s Speech – Oct. 9, 2003. http://www.microsoft.com/presspass/exec/steve/2003/10-09wwpc.asp

“Security is our #1 Priority”

#1 “We will move to one patching experience by May of next year that works across Windows and all of the application products.”

#2 “Better quality in the patches” and “Rollback capability for all patches.”

#3 “Reduce the size of patches.”

#4 “Cut the # of reboots by 30%”

#5 – Microsoft Update instead of just Windows Update

#6 – Monthly patches (except for critical)

#7 – Starting in December, Technet Security training sessions

#8 – Monthly Webcasts with Mike Nash

#9 – Report on “How Microsoft Secures Microsoft”

#10 – “Patching is critical, but insufficient” – Goal is to make 70% of patches installable on your schedule, not Microsoft’s

This is the quarantine technologies mentioned earlier

#11 – Browser work so Active X controls are “sandboxed”, limit potential damage

#12 – Improve memory protection for buffer overruns

“There is much to do still, much, much, much to do on security. It's a journey.”

Resources

General: http://www.microsoft.com/security

Consumers: http://www.microsoft.com/protect

IT Professionals: http://www.microsoft.com/technet/security

Patch Management: http://www.microsoft.com/technet/security/topics/patch

Best Practices for Defense in Depth: http://www.microsoft.com/security/guidance

How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp

MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx

Now for the Gentle Q&A…

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.