TechNet Radio Transcript

How Microsoft's Operations and Technology Group (OTG) Develops Security Strategies

Updated: March 23, 2004
On This Page

TechNet Radio—Introduction
IT at Microsoft Overview
Securing Remote Users
Compliance Enforcement
Securing Wireless & Other Topics
Resources & Action Items

TechNet Radio—Introduction

Host

Jordan Chrysafidis, Director, Windows Server System, Canada

Speakers

Pete Boden, Director, US Corporate Security IT at Microsoft

Michael Sharp, Director, Security Services & Information Security

Chrysafidis:
Welcome to Microsoft TechNet Radio. My name is Jordan Chrysafidis and I am Microsoft’s Server Business Group Lead for Canada.

Today’s broadcast, “IT at Microsoft,” will give you an inside look into how Microsoft secures and manages its vast IT infrastructure.

After listening to this broadcast, please let us know what you think about Microsoft TechNet Radio by going to http://www.microsoft.com/technet/radio 

Now, I am going to hand it off to Pete Boden, director of Microsoft Corporate IT Security, on how Microsoft does IT security.  This should be an exciting look into the inner workings of Microsoft’s IT Department.

Boden:
Hi, my name’s Pete Boden.  I’m a Director with the Information Security Team here at Microsoft, and I’m joined today by my colleague, Michael Sharp.  Before we get started, I’d like to just talk for a few minutes about what each of us does here at Microsoft.  My teams run all of the audit and compliance checking on the network, which means that we’re responsible for determining the security state of computers that are joined to our network and taking action if those computers are not compliant with security policies.  Michael?

Sharp:
Thanks, Pete.  I’m a Director within our Information Security Group as well, and my group is responsible for digital certificates infrastructure and our self-hosted PKI, and we manage Smart Cards, make sure we have the right tools to run the Security Group, and drive some key initiatives to help us get more secure.

Boden:
Great.  We’re going to start today with an overview of Microsoft’s IT environment, and we’ll begin that discussion with quick run through our missions and priorities as an organization.  Our first priority is to be Microsoft’s first and best customer, which means we’re responsible for dog-fooding, or testing our enterprise products and providing feedback to the product groups.  The idea behind this is that as the products get to market, they’re in a much better condition to run in our customers’ environments than when we started to dog-food and test those.  Secondly, we provide IT thought leadership, both to our customers and to our product groups.  Third, our responsibility’s to set a coordinated IT strategy that balances the goals of all of the organizations that we support, and fourth, to run a world-class utility, which means that the services we provide are just there and operating when our clients on the network need those.  There are four main organizations within Microsoft IT, and I’m going to let Michael talk through those organizations and what they do.

Sharp:
Thanks, Pete.  Firstly, we have the Corporate Security Group, of which Pete and I are members.  That includes Information Security and our Infrastructure Architecture Group.  Secondly, we have Global Client Services, which includes the Global Help Desk, client software and configurations on the desktop, and Regional IT, including account managers that are distributed around Microsoft sites globally.  Thirdly, we have Global Technology Services.  That covers the engineering and the operations for all of our critical services, running a lot of that utility that Pete mentioned, and lastly, the Enterprise Application Services that cover all of the line-of-business applications including design, development, and production support.

Boden:
To give you an idea of the scope and scale of Microsoft’s IT environment, today we have about 300,000 network devices on our global networks.  About 10,000 of those are servers hosted in Microsoft-operated data centers.  We support over 400 IT locations worldwide, and those vary in size from the Redmond campus with over 20,000 employees down to sales offices of two or three people.  We have over 400 mission-critical line-of-business applications on our network, which host financial data, HR data, and sales data.  Over 70,000 employees, contractors, and vendors have accounts in our environment, and many of those have remote access privileges to our network.  As an IT organization, we have the responsibility of balancing a number of what we call tensions in our environment today.  We need to provide IT value to our clients, which means delivering the services that they need.  We need to balance that with cost constraints and some of the financial responsibility we have to make sure we’re running efficiently.  We need to introduce new technologies, and a lot of these are introduced through our dog-fooding programs, introduction of our own next-generation products.  Finally, we have security threats to deal with, so we have introduction of security technologies and mitigating controls that we apply to the enterprise as we deploy products and services.  Today, as you listen to this discussion, we’re going to start with a discussion of how we approach security at Microsoft from a strategic perspective, how we assess and manage risk on our network.  Then we’ll move to a discussion of how we secure our remote user population.  We’ll follow that with a discussion of compliance management, and we’ll close by pointing you to different resources that you may find available and helpful to you as you approach some of these problems yourself.

IT at Microsoft Overview

Boden:
Let’s move to a discussion about how we approach securing our own environment.  Michael, what are some of the unique challenges that we, as a business, face with respect to security?

Sharp:
Some of the unique challenges we have at Microsoft include culture, in terms of how autonomous and agile our population is.  We have a high percentage of highly technical folks who view themselves as quite autonomous as to how they manage their configuration.  Secondly, we have a very mobile client base.  A lot of people with mobile devices, moving around a lot, that we have to deal with.  Thirdly, we do a lot of “dog-fooding” of Microsoft products.  We’re running on the End+1 Platform a lot of the time, which has its own challenges as we work through those testing and bug-fixing cycles.

Boden:
Michael, let’s talk about Microsoft’s IT security strategy.  Can you outline that for us?

Sharp:
It’s based upon a risk-driven decision framework that incorporates some key components; our mission, our vision, some security principles, a decision model based on risk, and then prioritization of different risks and mitigation tactics to address those risks.

Firstly, from a vision-perspective, we’ve got a dream state we’re aiming at, which is an IT environment, comprised of service applications and infrastructure that implicitly provide availability, privacy, and security to our clients.  We do that through putting out five key assurances that each client can consider that they will have whenever they are working on the network that include that their identity’s not compromised, all their resources are secure and available, they’ve got privacy in their data communications.  It’s clearly defined what their role and accountabilities are, and that they will get a timely response to risks and threats in their day-to-day work.

Boden:
Michael, are you viewing this as sort of a contract with our client base?

Sharp:
Yes, I view it that way.  It’s a contract, it’s a service level that they can expect from Microsoft IT.

Boden:
Let’s talk a little bit about the security operating principles.  Are these just generally accepted truisms of security that every organization would be following?

Sharp:
I think you could view them that way, yes.  From the Microsoft standpoint, it’s clear to us that management commitment is a very key thing that you have to have.  We have management commitment from the top down, through our CIO, to drive the security principles.  In terms of users, they need to be managed with least privilege, and there are various privacy and PII rules that are very important.  From an operations and maintenance standpoint, we need to make sure that ongoing changes are based upon rational decisions and known criteria and that we’re enforcing security configurations and monitoring against policies on a day-to-day basis.

Boden:
Michael, when we talk about the prioritization of risk in mitigating controls, I know that many organizations today are just overwhelmed by the number and type of security projects and initiatives they need to undertake to keep their environments secure.  Can you talk to us a little bit more about how we, in fact, prioritize those today?

Sharp:
What we do is we need to first of all, assess level of risk for a particular threat against a particular asset, and then we look to prioritize a number of those threats to determine which risks they’re most worried about.  First of all, we assess the impacts of the compromise in terms of what’s the asset value and the specific threat against that asset?  We assess the probability of how could the threat occur?  And then versus any mitigating controls that we might currently have to prevent that threat, and that can output a current level of risk that comes with combining that impact and that probability together, so for a particular threat, we have a particular risk level.  What we like to do is analyze a number of different threats, and we look at the risk levels that are on the high side.  For the risks that we evaluate as being a high level, those are the ones that we look at in terms of addressing through ongoing mitigations and ongoing sustaining controls, and we will look at those high priority risks, and what mitigations can we put in place?  What new controls can we implement and sustain to reduce the level of risk, and so it’s lower than high, medium, or low, and we look at what’s going to be the cost to implement that and to maintain it, and to compare that to the benefit we’re gonna get in terms of risk reductions.  That’s overall how we run through and decide which risks we should address.

Boden:
Michael, as we analyze risks, what aspects of the IT environment are we concerned with?

Sharp:
We’re looking at five different aspects of the IT environment.  We’re looking at hosts, applications, accounts, trusts, and networks.  The reason why we have to look at all five aspects of what we call the ecosystem is that if you have a compromise of one, it can lead to a compromise of others.  For example, if an account is compromised, that can lead to the compromise of that host, a compromise of an application on that host, and through a trust connection to a different domain or forest, it could lead to compromise of hosts or accounts in that other domain or forest.  Finally, it can lead to the compromise of the network.  It’s important to look at all five aspects of that ecosystem when you’re analyzing different security threats and risks.

Boden:
Once risk has been assessed, how does the Information Security Team work with the rest of the Microsoft IT teams on deploying security initiatives and controls?

Sharp:
We think of corporate security as primarily a policy-setting and compliance organization.  But executing our security strategies is a cross-organization effort, with the other components of the IT group delivering solutions and sustaining the ongoing services.  We have a security steering committee that’s made up of our CIO’s direct reports, and those general managers form a governance mechanism that ensures business needs are appropriately balanced with risk.  That ensures that for each of the solutions that we implement, we have a key owner for that particular tactic implementing a solution, and there are a number of stakeholders that are included in that tactic.  Each of the controls we implement is a collaborative effort to implement, and also to sustain, on an ongoing basis.  Then finally, we make sure that the corporate security group measures compliance against policies.  We make sure the controls are in place and doing their job, so that we remain compliant with security policy on an ongoing basis.

Boden:
Michael, talk a little bit about how the Information Security Team’s organized.

Sharp:
We have four main organizational groupings within Information Security.  The first is threat, risk analysis, and policies.  That’s the team that really focuses on what is our threat and risk analysis framework, and drives a lot of conducting risk assessments.  They legislate policy and manage any exceptions to policy.  They also conduct a key part of our governance process, the design review process, so that changes in infrastructure should be reviewed against security policy before they’re put into production.  Secondly, there’s the assessment and compliance group, which covers security service management, and making sure that key environments have a good engagement model with Information Security.  [They do] security assessments on a project basis, deep-dive audits into a piece of infrastructure, and ongoing day-to-day compliance remediation to scan our network for vulnerabilities and make sure that they are remediated.  Thirdly, there’s a team that covers the monitoring, intrusion detection, and incident response, and they also have forensic folks that will make sure that we can understand after a compromise, exactly what happened on a particular machine or set of machines, and some IT investigations to investigate different incidents.  Lastly, there’s the Shared Services and Operations Team, which includes managing our self-hosted PKI and all of our digital certificate services, our SmartCard services, and the product management of the security tools that we need, both Microsoft products and other customizable third-party tools, and managing key initiatives like our Embody Trustworthy Computing program to try to embody the trustworthy computing principles into the IT environment.  That sort of rounds out how we’re organized.

Boden:
That’s great, Michael.  How big is the team, and how would you compare that to other large enterprise customers of ours?

Sharp:
Overall, the team totals 55 people.  I think that compares very similarly to other large customers that I was discussing recently.  Some are a little small, some are a little larger, but overall, I think it’s a comparable size for other large, global enterprises.

Securing Remote Users

Sharp:
Now we’re going to move on to discuss a key topic for Microsoft, securing remote users.  I think we’d like to start with an overview of RAS, or Remote Access Services.  Pete, can you define RAS for me in terms of what services that includes?

Boden:
Absolutely.  When we talk about RAS, we mean direct-dial RAS connections and also connections that are made over the Internet to VPN servers.  What we don’t include in that set of services are data-synchronization technologies, things like mobile access for devices like smart phones and Pocket PC phones.  Today we have over 175 remote access points worldwide, and those are used by over 60,000 of our employees and vendors.  Employees are allowed RAS privileges by default, and vendors can obtain those privileges with a valid business justification.  On any typical week, we see about 300,000 remote connections made, and that can peak up to about half a million connections on high-volume weeks.  Any remote access to our corporate network includes access to e-mail, the intranet, the Internet, file servers.  It’s just like you’re in a Microsoft office anywhere.

Sharp:
What security threats are we most concerned with in the RAS space?

Boden:
There are two classes of threats that we’re concerned with.  The first is the malicious user threat, or somebody who might obtain a valid set of Microsoft credentials and then use those maliciously against us.  We know today that home users’ machines are a frequent hacker target.  The hacker community is getting very smart about figuring out how to get to corporate users’ home machines, where typically those machines aren’t as secured as they are in a corporate environment.  We also know that any access secured only by passwords is relatively weak.  In other words, user names and the other half of the credentials are frequently given out on business cards as e-mail addresses and things like that.  Finally, any unauthorized activity with a valid set of credentials is quite difficult to detect.  In fact, typically it’s detected by the user, who notices something going on with their account that may be a little bit suspicious.  The second class of threat is the malicious software threat.  These are the viruses, Trojans, and worms that we’re all very well aware pose a significant threat on the Internet.  Now that we’ve got clients connected with broadband Internet access and persistent connections, the exposure to these types of threats jumps enormously.

Sharp:
How have we been addressing those threats from malicious users and malicious software?

Boden:
Our strategy for addressing those remote-user threats is comprised of two parts.  The first part is a requirement for two-factor authentication for all remote connections.  As opposed to our Legacy environment, where we required only password access for all remote users, now we require Smart Cards and what we call two-factor authentication, which is something that you have, which in our case would be the Smart Card and something you know, which in our case is the PIN that unlocks the digital certificate that’s on that Smart Card.  The second part of our solution strategy that deals with the malicious software threats enforces remote-system-security configuration checks as that client machine attempts to connect to our environment.  Today we’ve built some custom scripting on top of Connection Manager that enables the systems security checks to take place before the connection’s enabled.  If a system isn’t compliant with our security standards at the RAS gateway, the connection is denied.

Sharp:
What are the components of a secure RAS solution in terms of what you need on the client and what you need on server software?

Boden:
There’s a few different pieces that are necessary to make all this work.  Obviously, first is a Smart Card for any Smart Card-based solution, and also along with that would be the Smart Card reader.  On the client software side, a Cryptographic Service Provider, or a CSP, is needed, and that’s the piece of software that talks between the card and the operating system.  The Microsoft operating systems all ship with that CSP built in and also along with the resource managers and the reader drivers and the Connection Manager, which initiates the connection to our environment.  On the server side, we have Windows Server 2003, and we also have the RAS Quarantine Service, which ships as a resource kit to Server 2003, and that’s the software that enables us to disconnect noncompliant connections to our environment.

Sharp:
Earlier you talked about the security checks for PCs connecting remotely to our network.  What security checks are being performed?

Boden:
Well, the first thing we do is make sure that the right version of Connection Manager is being used, and we need to do that to make sure that all of the subsequent checks are in place and are current.  Then we check for Windows XP Professional, and that’s our remote-client-connection standard OS, so everybody who connects remotely to our environment should be running Windows XP Professional.  Then we check that the Internet connection firewall is enabled, that Internet connection sharing is disabled, and that the antivirus product is loaded and all of the signature definitions are updated.  After that connection is made, we launch a full compliance scan of the machine from our network, which essentially runs through the rest of the patch and configuration compliance checks.  We make sure that the machine is fully patched, we make sure that it’s configured correctly, and if it’s not, we deal directly with the asset owner, the owner of that PC, to make sure that those checks or that those standards are then met.

Sharp:
I understand that we have our own self-hosted PKI, or public key infrastructure, for digital certificate management.  Is it necessary for customers to have their own self-hosted PKI to do this type of remote solution?

Boden:
Customers have two options here.  They can either deploy and self-host their own public key infrastructure or they can buy their certificates from a third-party certificate provider.  We made the decision to deploy our own, based on how many of our mission-critical IT services are enabled by our own PKI, so there’s a significant cost savings to us.  Other customers should make that decision based on how many certificates they plan to use and what they plan to use them for.

Sharp:
What are some of the challenges we had in deploying this solution to such a wide user base?

Boden:
There were a few that we ran across as we conducted the deployment.  One was that mobile devices, Macintosh, and UNIX platforms weren’t compatible with the EAP-TLS authentication that’s required for our Smart Card solution.  Hence, we implemented a RAS client standard that I talked about earlier, which was the Windows XP Professional platform.  We also found that the component selection for this solution was very, very important.  In other words, performance varied based on the different combinations of cards and readers and cryptographic service providers that we tried.  We went through a series of testing to determine what was appropriate for our environment.  We also found that at the time that we started our deployment, standards across the industry for interoperability of those components weren’t very well evolved, and that’s changing now.  Then the card distribution process was relatively resource-intensive for us.  We chose a very secure registration authority where we had a face-to-face transaction with every client to provide them with their card.  We wanted to do this once and once only, so that we could be absolutely sure that the person who received the card was who, in fact, they said they were.

Sharp:
What were some of the lessons we learned during this whole deployment process?

Boden:
Well, we learned a lot.  First, we had to understand what users were doing when they were remote to our network, and as we defined those scenarios, we had to model the security threats involved.  What we found at the outset of our project was that we knew quite little about what people were doing when they were remotely connecting to our network.  Were they just using e-mail?  Were they just on the intranet?  Were they using applications?  Were they developing software from remote locations?  All of these things came out as we started to talk to user groups and survey the population.  We also found that piloting was extremely important.  I talked a little bit earlier about the component selection and the various combinations that we tested.  The fact that we rolled out to relatively small populations was very helpful in determining the performance variations there.  Client communication and education was vital to the success of our rollout.  We found that no matter how much communication we did, it wasn’t quite enough.  The reason is this was a behavioral change.  It changed the way people worked.  We had to take the time to make sure they understood why we were asking them to do what they were doing and how they could be successful managing through that change.  Finally, managing the security exceptions carefully is essential to the long-term success of any deployment like this.  What I mean by that is there are going to be cases where people lose their Smart Cards or they have their cards stolen or they lose their laptop, and what we need to be able to do is provide a way for those folks to get back up and working quickly.  Today they can call the Help Desk and obtain a temporary security exception which allows them to get onto the network and work for a very limited amount of time.  We’re very diligent about the way we manage those exceptions, and we keep that number quite low.

Compliance Enforcement

Sharp:
The next section we’re going to talk about is how we do compliance enforcement at Microsoft.  Pete, how does Microsoft corporate security define compliance?

Boden:
We define compliance along several different dimensions.  First, that the client has the appropriate software loaded.  What this means is the standard version of the operating system, we want to make sure that there are no hacking tools on the client machine, and also make sure that there are no banned peer-to-peer applications.  Also that we have the correct virus detection mechanisms in place, so the appropriate software and updated definitions.  Secondly, we want to make sure that the client machine complies with our minimum patch standards.  These would be operating system patches and also application software patches.  Third, we want to make sure that the system’s configured correctly, and that the right settings are applied to each client machine on our network.  We want to make sure that there are no weak administrator passwords or cached credentials on the machine, and also make sure that configuration settings for Internet Explorer, IAS, and SQL Server are correct.

Sharp:
Great.  How long has Microsoft operated under this framework?

Boden:
We’ve operated under this framework for about two years now, and the reason we moved to this was to create an effective process with clear accountability, all the way down to the asset owner.  Our process now puts the accountability squarely in the hands of the system owner to make sure that they’re compliant with our security policies.  If they’re not compliant with our security policies we can take the appropriate remediation action, and that may be forcibly patching or configuring the machine, or removing it from the network.

Sharp:
How has the Microsoft culture adapted to port shut downs and forced patching?

Boden:
Well, there’s a couple of things that really drove this behavior and a cultural change in the organization.  First, it was absolutely essential to have strong executive sponsorship, and we have that.  Secondly, we have to have clear policies with clear implications or consequences if those policies are violated.  Over the past several years we’ve developed those policies and made sure that they’re communicated very clearly to our clients.

Sharp:
What group is responsible for compliance management?

Boden:
The Information Security Team is responsible for driving compliance with our policies, particularly in cases where a vulnerability poses a critical risk to our environment.  By critical risk we mean that it allows one of three things to take place.  It either allows an exposure for business critical data, it allows expansion of influence across the network, in other words, compromise of one system may lead to compromise of others, or it allows for escalation of privilege, in other words, an attacker can gain access to a host and then escalate that privilege up to, say, domain administrative level or above.

Sharp:
Why did you choose to build your own solution instead of using a third party product?

Boden:
We chose to build our own solution for three primary reasons.  Scanners available on the market weren’t fast enough for our environment.  Again, our environment is about 300,000 network-joined devices, and we really had to develop something that was very specific to our environment in order to get the speed and effectiveness we wanted.  In a typical case, our scanners scan the entire network about twice a day.  Second, other scanners on the market couldn’t offer the flexibility we needed to look for a broad range of compliance attributes.  We wanted something that was very configurable and flexible in our environment in order to allow us to respond quickly.  Then third, other scanners that we looked at lacked a centralized reporting capability that mapped to the remediation action that we want to take when we find vulnerable systems on the network.  We looked for something that produces very customized reports so that we can provide that to our executive management, and also to the system owners.

Sharp:
What Microsoft solutions are available to address this area?

Boden:
The solution we have available today is called Microsoft Baseline Security Analyzer, or MBSA.  That’s a tool that will check the configuration and patch level of systems and report back compliance or security vulnerabilities as they’re found.  We’ve been working very closely with the product groups here at Microsoft to make sure that the features that we think are important are built into future products, and we’re really excited about some of the things that the product groups are planning to incorporate today.

Sharp:
Does Microsoft enforce compliance the same on vendor and guest connections as we do with employees?

Boden:
Absolutely.  Every connection to our corporate network is subject to the same security policies and standards, whether that person is an employee or a vendor or a contractor.  We expect that as guests come onto our network they become compliant with our security policies; if they’re not, that is identified and remediated as we find it.

Sharp:
What are some of the challenges or trends that you see that are impacting this compliance management area?

Boden:
Probably the most important trend right now is that we’re seeing that the time between release of a vulnerability and the time that an exploit becomes available is rapidly decreasing.  If you turn back the clock a year or two years what we saw was that a period of months elapsed between reported vulnerabilities and then effective exploits.  Today we’re seeing that time drop down to below one month.  What that means is organizations really need to respond very rapidly to these threats because they pose such a great risk to corporate environments.

Sharp:
Lastly, how often is the data reviewed by our Compliance Management Team?

Boden:
The Information Security Team reviews the data on a daily basis.  We make sure we’re working with systems owners to remediate any vulnerabilities as they’re found, and then we report that data to management on a weekly basis in a very comprehensive set of reports that looks at the entire environment, where vulnerabilities exist, and how we’re dealing with those.  

Sharp:
Pete, can you describe for me the key main components of the compliance management process?

Boden:
Yes, absolutely.  The compliance process starts with what we call the discovery and assessment phase.  That means, first of all we have to become aware that a vulnerability exists.  Typically that’s done through mechanisms like the Microsoft Security Response Center, at least for Microsoft vulnerabilities.  Once we have become aware of a vulnerability we do two things.  We need to rate its severity, so we have a process in place that determines how critical that vulnerability is, and then what we need to do to remediate.  Secondly, if it’s a critical vulnerability, and I talked earlier about whether it met one of those standards for escalating privilege, expansion of influence across other systems, or exposing sensitive data, once we’ve determined that it meets that critical bar, we set a deadline for compliance, which is simply a date by which every system on our network needs to comply with our patch standard.  The second step is evaluating compliance across the network.  As we set those standards, and as we set the compliance deadline, we’re performing baseline scans across our environment to see how compliant we already are.  As vulnerability information is released to our client base, many clients go out and update themselves.  We call that the voluntary compliance period.  They’re allowed to update their own system and make sure it’s compliant without us forcing them to do that.  At the same time we’re running tests in the environment to make sure that the patch is of high enough quality to deploy, so we’re providing it to a very select group of application owners to make sure that they can install that patch, run their business appropriately, and uninstall it if they need to.  
Then we get to the deployment phase, and this is the phase where we’re doing an enormous amount of communication with our business systems owners and clients on the network to make sure that they understand when they need to be patched by and what the consequences are for noncompliance.  Once we reach that patch deadline we drop into what we call the enforcement phase.  Once we get to that phase, when we identify a vulnerable system we take one of two measures.  We either forcibly patch or configure that machine or we remove it from the network.

Sharp:
How did we handle the compliance for Slammer in January of 2003 versus Blaster in July and August of 2003?

Boden:
Those are two great examples and they really illustrate the importance of being able to do this and do it really well.  When Slammer emerged back in January of 2003, we were quite unprepared to deal with the magnitude of the threat and the impact on the network.  We were only partially patched, and as such we suffered quite a bit of impact to systems that were on the network.  Blaster, on the other hand, we were very well prepared for.  We had run the patch compliance deadlines very aggressively, we were 99 percent compliant across our environment in less than seven days, and when we reached the point at which the Blaster exploit was running across the Internet we were quite prepared to deal with the very minimal impact it posed to us.  The differences between those situations were the tools and the process we had in place.  Between January and September, when Blaster was available and running across the Internet, we deployed the set of tools that we use now to manage compliance across our network, and we also deployed some very important communication processes, both with our clients on the network and with our data center-hosted systems owners.

Securing Wireless & Other Topics

Boden:
Michael, let’s move now to some other technical topics that we frequently hear are concerns to some of our customers.  What are we doing with regard to securing wireless networks within our IT infrastructure?

Sharp:
The wireless service we offer is a key one, because we have many mobile clients using a range of mobile devices, and we have our wireless LAN deployed throughout a number of our locations.  We realized a couple of years ago that we had issues with unauthorized access to our wireless infrastructure, so we moved to secure it a lot better, using the 802.1X protocol.  We’ve implemented that, which we were able to do in a short period of time.  It leverages digital certificates for both users and machines, so if anybody wants to use a particular mobile device via our wireless LAN, they need to first enroll for the two types of digital certificates, for that particular device and for themselves as a user, and they must do that using a wired connection.  They must connect to the wired network first and enroll for the certificates, and then they’ll be able to use the wireless network.  We also cover encryption using WEP keys that are issued on a session-by-session basis, and lastly, we regularly scan for rogue access points to make sure that the only wireless access points that people are using are ones that are deployed and managed by Microsoft IT.

Boden:
One of the things I think’s important to point out here is that there are a number of different ways to address this threat.  One is the way we’ve addressed it with the 802.1X deployment.  Another way might be to make wireless networks public networks and then allow corporate clients to VPN back into the corporate infrastructure.  Michael, earlier we talked about our PKI.  Can you talk a little bit about why we decided to deploy a self-hosted PKI and how we went about doing that?

Sharp:
Yes.  Firstly, we looked at the number of different services that we might need for digital certificates, and we analyzed how many digital certificates we might be using in the future and then what the cost would be for maintaining an infrastructure ourselves on an ongoing basis versus purchasing certificates from a trusted provider.  Back in 1999 we made the decision, and then we started that investment in our own PKI, and we house 20 to 30 CAs, or Certificate Authorities, in a secure vault that’s managed by three to four highly-trusted people.  We issue certificates that cover a number of different applications or services, including the Smart Card logon we’ve discussed, EFS for Encrypting File System, the wireless machine and user certs we discussed earlier, SSL certs for HTTPS Web site connections, and that’s done both for internal Web sites, and also we’re able to issue SSL certs for external Web sites as we’ve had our root CAs signed by an externally-trusted party.  That enables us to issue SSL certs that can be trusted by business partners accessing those external sites.  We issue certificates for IPSec, which we’ll discuss more in a moment, for signing of our code, and for secure e-mail; we use S/MIME for encrypted e-mail and for digital signatures on e-mail.  We’re currently doing that using the Exchange Key Management Server, but we’ll soon be retiring that and moving on to issuing S/MIME certificates onto the Smart Cards that we already have.  In fact, I’m piloting that right now.  Overall, this total infrastructure issues over a hundred thousand certificates per month.

Boden:
Michael, can you talk a little bit about the level of effort it takes to maintain that infrastructure today?

Sharp:
Yes.  We have three to four people who focus on maintaining that infrastructure.  That’s in terms of making sure the certificate authorities are up and running and the certificate services are running for enrollment and for publishing of key information to Active Directory, like CRLs or certificate revocation lists.  It also covers handling some Tier 1 and Tier 2 questions from clients if they’ve got an issue with using their Smart Card, if they’ve got a problem with a wireless cert, or if they’re getting set up for S/MIME with encrypted e-mail, so handling a number of client issues and helping to troubleshoot and resolve those.  Also, we have to consider the ongoing hardware replacement: every three years, in a cyclical manner, we replace the hardware that’s used for housing the CAs and other key pieces of infrastructure, like the hardware tokens that we use for securing that as best we can.

Boden:
Michael, it sounds like our PKI is being heavily utilized to support a number of mission-critical IT services.  Can you talk a little bit about some of the things we’re looking to do in the future?

Sharp:
Yes, Pete.  One of the things that we’re deploying as we speak is using Smart Card logon for securing our privileged accounts, our domain administration and enterprise administration accounts.  We’re looking to make sure that we have that more secure authentication method applied to those accounts, so we know who it is who’s logging on.  We can have some assurance of who is performing those critical, privileged tasks on the network.

Boden:
Let’s drill into one of those certificate-enabled services and talk specifically about IPSec for a moment.  What’s Microsoft doing today with IPSec?

Sharp:
What we’re doing is related to a key threat that we’ve seen, and it comes to dissecting or segmenting the 300,000 network devices we’ve talked about quite a bit.  Those 300,000 devices we could segment into domain-joined, managed machines versus unmanaged machines.  We have now almost 200,000 of those machines domain-joined, and what we’re concerned about is that whereas those machines are more highly managed, we can set policies on them, and we can drive their configuration better, the unmanaged machines, as the name says, are more controlled by the owner of the machine, and we are more concerned about them getting infected or compromised and that, then, leading to a compromise or an incident on our managed machines.  To address that, we are segmenting our managed machines from the unmanaged machines.  We’re doing that using a logical segmentation with IPSec authentication.  We chose to invest in that rather than invest in far more costly, separate physical networks.

Boden:
This means that the unmanaged clients will be able to sit on the same network as managed clients, yet not have an impact on them if they’re not maintained to the right security standard?

Sharp:
That’s exactly right.  The managed machines will be in an IPSec-require mode, which means that they require that there is IPSec authentication for any machine-to-machine communication.  The unmanaged machines will not be, so the unmanaged machines cannot initiate a connection with a managed machine, so in theory, if an unmanaged machine gets infected with a virus and then tries, via the network, to connect to a managed machine to spread that virus, that connection will not be able to be initiated.  I’ve got a question for you, Pete.  Do we have a team that attempts to break into our own systems to test and check the strength of our network and applications?

Boden:
Yes, we absolutely do, Michael.  We refer to it as the Attack and Penetration Team.  What that team does is it’s chartered to attempt to break into our own systems and networks before any malicious intruder or outsider would have the opportunity to do that.  The reason we do it is to, obviously, expose those vulnerabilities and those security risks in advance of those being used against us.  Today that Attack and Penetration Team works on things like testing line-of-business applications before they’re put into production on our network, looking at merger-and-acquisition candidates’ networks to make sure those are secure before they’re joined to our network, and then also providing standard IT audit services, looking in environments, doing the host penetration testing, application review, making sure that trusts are in place that allow the right connectivity and also the right account security.

Sharp:
How many of these white-hat-type people do we have?

Boden:
Today we have eight people performing that function, and we also use some vendor and contract labor to augment that when we need to.  Those eight people are the ones that are chartered with that attack-and-penetration responsibility, so they frequently work with the other IT teams on our own environments, and they work across the business as they need to, even upstream with things like product testing.

Sharp:
Another area I’m interested in is the security of our line-of-business applications.  How do we ensure that they are up to the right level of security before they’re deployed?

Boden:
Well, a little over a year ago, we put in place a process that we call the Application Security Assurance Process.  That works directly with our line-of-business application teams to review applications, to perform security testing before those applications go into production to make sure that all of the security controls are built in.  Our teams work with the business-unit IT teams all the way back at the very beginning of the application-development life cycle.  As applications are being spec’d out, as they’re being designed, we work with those business owners to make sure the right security controls are in place, and as that application’s being developed and tested, we again engage to make sure that those security features are tested, so that we have a very strong assurance that by the time that application rolls into production, it does in fact meet our security standards, and doesn’t pose any additional risk to our environment.  That’s a massive effort in our environment, because we have over 400 mission-critical line-of-business applications sitting on our network, and that number changes as more applications are added and as applications are decommissioned.  This is a significant part of the effort we expend on an ongoing basis to make sure our environment stays secure.  Michael, let’s talk a little bit about intrusion detection.  What types of intrusion detection or intrusion prevention systems are we utilizing today?

Sharp:
Today we’re using a combination of intrusion-detection systems, so both Network-Based Intrusion Detection Systems, NIDS, and Host-Based Intrusion Detection Systems, HIDS.  We are using a set of anomaly-detection tools that will identify certain, specific scenarios, alert people to those scenarios, and either force-remediate them or shut them down or lead to further investigation and remediation of those issues.

Boden:
Michael, let’s talk about an example of an intrusion-detection tool that we use today, specifically the RAS monitoring.

Sharp:
In the RAS space we make sure that we’re looking for certain anomalies in people’s patterns of usage of that Remote Access Service.  We look at a baseline of someone’s usage, so for you, Pete, we would store what your baseline is in terms of the IP address that you normally access from, how long you access, and some particulars like whether you are someone who accesses and goes to e-mail first nearly every time.  We also look at things like you accessing remotely using one set of credentials and then starting a terminal service session with another set of credentials.  If we detect that a remote access session is doing something that’s different from the normal baseline for that user or outside of certain parameters, an alert will be fired, and then someone will investigate that to see if any remediating action is needed or if that’s just a regular user doing something slightly different.

Boden:
Michael, earlier we talked about prioritizing risks and the mitigating controls applied to those risks.  Can we talk a little bit about how we deal with high-value assets on our network?

Sharp:
That’s a great question, Pete.  The highest-value asset that we have is our source code, and for the last couple of years, we’ve been driving a program to secure our source code better in a number of areas.  Firstly, we’ve been moving the management of our source code on the source depot servers into a consolidated, managed environment so that the code from all the different product groups, Windows, Knowledge Worker, etc., is moving into that one process.  We’ve been doing more of a lockdown of which devices and users can access the source code, so developers are the only folks who can get access to the source code.  Then we’ve also been implementing more monitoring and auditing of the environment that’s used for developing and storing the source code to make sure that we can identify and act on any security events that look out of band, look anomalous, and make sure we follow up on those.

Resources & Action Items

Sharp:
In closing, what resources are available should customers want to follow up and get more information and help?

Boden:
Yes, there are a number of things that customers can do to get access to this very valuable information.  First, try visiting the online security resources at Microsoft.com/TechNet.  That information includes a schedule of events, and also access to our own IT organization’s experience deploying and managing our products in our environment under the IT Showcase link.  Second, customers can sign up for the new security newsletter, which includes very valuable information about upcoming events and news.  Third, take advantage of a subscription to TechNet if you’re not currently a member.  This’ll give you access to service packs and newsgroups and other useful information.  Finally, links to all of these resources can be found by going to the URL on the cover of your CD.  Thank you for listening to Microsoft TechNet Radio.

Chrysafidis:
Well, that sure was an engaging discussion on Microsoft’s IT security environment.  

Remember to go to http://www.microsoft.com/technet/radio and let us know what you think about this broadcast.  The link to the website is also on the cover of this CD.  

On the website, you also will be able to download this entire broadcast, or listen to it again on your PC.  Thanks again for tuning into Microsoft TechNet Radio.    


© 2005 Microsoft Corporation. All rights reserved.