mark gibson solution specialist microsoft. microsoft trustworthy computing addressing security...

Microsoft’s Security Strategy and Solutions Mark Gibson Solution Specialist Microsoft

Post on 20-Dec-2015


TRANSCRIPT

Page 1: Mark Gibson Solution Specialist Microsoft. Microsoft Trustworthy Computing Addressing Security Threats with Microsoft Next Steps

Microsoft’s Security Strategy and Solutions

Mark Gibson
Solution Specialist
Microsoft

Page 2:

Agenda

Microsoft Trustworthy Computing
Addressing Security Threats with Microsoft
Next Steps

Page 3:

www.microsoft.com/technet/security

Microsoft Security Strategy

Security Tools

Education and Training

Microsoft Security Assessment Toolkit

Microsoft Windows Vista Security Whitepapers

Microsoft Security Intelligence Report

Learning Paths for Security Professionals

Security Readiness

Privacy Guidance

How Microsoft Secures Microsoft
www.microsoft.com/itshowcase

Malware Removal Toolkit

Page 4:

Trustworthy Computing

Page 5:

Design
Threat Modeling

Standards, best practices, and tools

Security Push

Final Security Review

RTM and Deployment Signoff

Security Response

Product Inception

Security Development Lifecycle

Page 6:

Secure Platform

Secure Access

Data Protection

Rights Management Services (RMS)
SharePoint, Exchange, Windows Mobile integration

Encrypting File System (EFS)
BitLocker

Malware Protection

User Account Control
Network Access Protection (NAP)
IPv6
IPsec
Windows CardSpace

Native smart card support
GINA Re-architecture
Certificate Services
Credential roaming

Security Development Lifecycle (SDL)
Kernel Patch Protection
Kernel-mode Driver Signing

Secure Startup
Windows Service Hardening

Windows Defender
IE Protected Mode
Address Space Layout Randomization (ASLR)
Data Execution Prevention (DEP)

Bi-directional Firewall
Windows Security Center

Page 7:

Security Development Lifecycle (SDL)
Windows Server Virtualization (Hypervisor)
Role Management Tool
OS File Integrity

Secure Platform

Network Protection

Identity Access

Data Protection

Read-only Domain Controller (RODC)
Active Directory Federation Srvcs. (ADFS)
Administrative Role Separation

PKI Management Console
Online Certificate Status Protocol

Network Access Protection (NAP)
Server and Domain Isolation with IPsec
End-to-end Network Authentication
Windows Firewall With Advanced Security

On By Default

Rights Management Services (RMS)
Full volume encryption (BitLocker)
USB Device-connection rules with Group Policy

Improved Auditing
Windows Server Backup

Page 8:

Core Infrastructure Optimization Model: Security

Technology

Process

People

IT is a strategic asset
Users look to IT as a valued partner to enable new business initiatives

IT Staff manages an efficient, controlled environment
Users have the right tools, availability, and access to info

IT Staff trained in best practices such as MOF, ITIL, etc.
Users expect basic services from IT

IT staff taxed by operational challenges
Users come up with their own IT solutions

Self-assessing and continuous improvement
Easy, secure access to info from anywhere on Internet

SLAs are linked to business objectives
Clearly defined and enforced images, security, best practices

Central Admin and configuration of security
Standard desktop images defined, not adopted by all

IT processes undefined
Complexity due to localized processes and minimal central control

Self provisioning and quarantine capable systems ensure compliance and high availability

Automate identity and access management
Automated system management

Multiple directories for authentication
Limited automated software distribution

Patch status of desktops is unknown
No unified directory for access mgmt

Basic
Standardized
Rationalized
Dynamic

Improve IT Maturity while Gaining ROI

$1320/PC Cost

$580/PC Cost

$230/PC Cost

< $100/PC Cost

Page 9:

Isolated

Trusted

Remediation Server

Web Server

Remote Access Gateway

Infrastructure Servers

Unmanaged Devices

Malicious Users

Trusted Home

New Customer

Unhealthy PC

Secure Anywhere Access
End-to-end security with IPv6 and IPsec
Access driven by policy not topology
Certificate based multi-factor authentication
Health checks and remediation prior to access

Policy-driven network access solutions
Windows Firewall with advanced filtering
Server and Domain Isolation
Network Access Protection (NAP)
ISA Server 2006
Intelligent Application Gateway (2007)
Windows Filtering Platform

Network Security

Page 10:

Identity and Access Security

Authorization Manager

RMS
MIIS
ADFS
Domain/Directory Services

Certificate Services

Secure collaboration
Easily managing multiple identities
Government sponsored identities (eID)
Hardware supported trust platform
Disparate directories synchronization

Centralized ID controls and mgmt.
Embedded identity into applications
Policy Governance / Compliance
Role Based Permissions
Identity and Data Privacy

Page 11:

Consumer/ Small Business

Corporate

Client Protection
Server Protection
Edge Protection

Simple PC maintenance
Anti-Virus
Anti-Spyware
Anti-Phishing

Firewall
Performance Tuning
Backup and Restore

Protection
Edge, server and client protection
“Point to Point” Solutions
Security of data at rest and in transit
Mobile workforce
Manageability

Page 12:

Optimized access for employees, partners, and customers from virtually any device or location

Secure Remote Access

Enhanced connectivity and security for remote sites and applications

Branch Office Security

Increased resiliency for IT infrastructure from Internet-based threats

Internet Access Protection

Page 13:

Multiple scan engines at multiple layers throughout the corporate infrastructure provide maximum protection against e-mail and collaboration threats

Advanced Protection

Tight integration with Microsoft Exchange, Windows-based SMTP, SharePoint and Office Communications Servers maximizes availability and management control

Availability and Control

Ensures organizations can eliminate inappropriate language and dangerous attachments from internal and external communications

Secure Content

Page 14:

Unified malware protection for business desktops, laptops, and server operating systems that is easy to manage and control

One spyware and virus protection solution
Built on protection technology based
Effective threat response

Unified Protection

One simplified security administration console
Define one policy to manage client protection agent settings
Integrates with your existing infrastructure

Simplified Administration

One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts

Visibility and Control

Page 15:

Client and Server

Operating System

• Server Applications

Edge

Microsoft Forefront
Microsoft Forefront provides greater protection and control over the security of your business’ network infrastructure

Page 16:

Security Stack Interoperability

Management System
System Center, Active Directory GPO

Forefront Edge and Server Security, NAP

Perimeter

Network Access Protection, IPSec

Internal Network

Forefront Client Security, Exchange MSFP

Device

SDL process, IIS, Visual Studio, and .NET

Application

BitLocker, EFS, RMS, SharePoint, SQL

Data

User
Active Directory and Identity Lifecycle Mgr

Poor integration across the platform
“Point to Point” Solutions
Standards Adoption
Compliance Reporting
Manageability

Page 17:

Management Systems Integration

Page 18:

Guidance

Developer Tools

Systems Management

Active Directory Federation Services (ADFS)

Identity

Management

Services

Information

Protection

Encrypting File System (EFS)

BitLocker™

Network Access Protection (NAP)

Client and Server OS

Server Applications

Edge

Comprehensive Portfolio

Page 19:

Future Product Schedule
ISA Server SP1 planned for 1st half 2008
Forefront “Unified Access Gateway” planned for 1st half CY2009
Forefront “Threat Management Gateway” planned for 1st half CY2009

A subset of “Threat Management Gateway” features will ship as part of “Centro”

• Subset of “TMG” shipped in Windows Server Code Name “Centro”

Timeline axis: 2007, 2008, 2009, 2010

Forefront “Unified Access Gateway”

ISA Server 2006 SP1

Forefront “Threat Management Gateway”

Forefront Code Name “Stirling”

Page 20:

Next Steps

Partner with your Microsoft Account Team to create or review your Security Action Plan

Talk about Infrastructure Optimization and the value it could bring to your organization

Implement a Defense-in-Depth security architecture using our advanced security technologies

Leverage Microsoft prescriptive security guidance and online security training

Stay informed through Microsoft Security Bulletins, Security Newsletters and Security Events

Page 21:

Security Guidance and Resources
Microsoft Security Home Page: www.microsoft.com/security
Microsoft Trustworthy Computing: www.microsoft.com/security/twc
Microsoft Forefront: www.microsoft.com/forefront
Infrastructure Optimization: www.microsoft.com/io
Microsoft Security Assessment Tool: www.microsoft.com/security/msat

General Information:
Microsoft Live Safety Center: safety.live.com
Microsoft Security Response Center: www.microsoft.com/security/msrc
Security Development Lifecycle: msdn.microsoft.com/security/sdl
Get the Facts on Windows and Linux: www.microsoft.com/windowsserver/compare

Anti-Malware:
Microsoft OneCare Live: beta.windowsonecare.com
Microsoft Defender: www.microsoft.com/athome/security/spyware/software
Spyware Criteria: www.microsoft.com/athome/security/spyware/software/isv

Guidance Centers:
Security Guidance Centers: www.microsoft.com/security/guidance
Security Guidance for IT Professionals: www.microsoft.com/technet/security
The Microsoft Security Developer Center: msdn.microsoft.com/security
The Security at Home Consumer Site: www.microsoft.com/athome/security

Page 22:

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.