Supporting Security - TERENA

Supporting Security
Inside fixing vulnerabilities at Microsoft®

Simon Conant, MCSE CISSP
Security Program Manager, PSS Security
Microsoft Corporation
[email protected]

Who's who?

Product Groups
  • Program Managers
  • Developers
  • Test Engineers

PSS Security

Microsoft Security Response Center

Process

Evaluation
  • Issue first received.
  • Evaluated and acknowledged to the reporter (all reports are acknowledged).
  • Sent to all possibly affected product group "SI" teams.
  • Confirmation of the problem (or not). War teams, discussions, all the experts pulled in on it.
  • Full information on the problem, associated issues, workarounds, solutions.

Fix
  • Fix architected from step 1.
  • Fix built for all affected products, platforms, versions, languages.

Test
Fix is tested:
  • Fixes all of the problem
  • Doesn't break anything else
  • All products, versions, platforms, languages
Broken? Back to step one…

Field testing

Packaging

Documentation

Publishing

Release

Why does it take so long?

• It's all about COMPLEXITY
  • The products are all very feature-packed, and are therefore very complex
  • We support multiple older versions of products
  • On various platforms
  • And for many languages

• It's all about QUALITY
  • If the fix doesn't fix ALL of the problem, it's no good
  • If the fix breaks something else along the way, it's not helping our customers either
  • We have to do our very best to get it right first time
  • And we exhaustively test it all.

Workarounds

Spectrum, from worst to best position for the customer:
  • No known / possible workaround
  • High-impact or partial workaround
  • Low-impact workaround
  • Fix

Improvements

• No more "Under Investigation" black hole
• Milestones:
  • Confirmation of vulnerability, fix in progress
  • Known workarounds, mitigations, risk analysis
  • Fix completed
  • Fix in testing – progress
  • Fix in release
• Proactive communications
• PSS Security will own the cases & customer care
• Patch beta testing
• Local security support
• Patch improvements

Improve the Patching Experience: New Patch Policies

• Extending support to June 2004:
  • Windows 2000 SP2
  • Windows NT SP6a
• Non-emergency security patches on a monthly release schedule
  • Allows for planning a predictable monthly test and deployment cycle
  • Packaged as individual patches that can be deployed together
  • Achieves benefits of a security rollup with increased flexibility
• Patches for emergency issues will still release immediately

Improve the Patching Experience: Patch Enhancements

Your Need → Our Response

Reduce patch complexity
  By 5/04: Consolidating to 2 patch installers for W2K and higher, Office & Exchange. All patches will behave the same way (SUS 2.0, MSI 3.0).

Extend patch automation to all products
  11/03: SMS 2003 offers the capability to patch all supported Microsoft platforms and applications.
  By end of 2004: all MS patches behave the same at installation (MSI 3.0 + SUS 2.0) and are available in one place: MS Update.

Reduce patch size
  Now: Reduced patch size by 35% or more. Will have 80% reduction by 5/04 (delta patching technology and improved functionality with MSI 3.0).

Reduce risk of patch deployment
  Now: Increased internal testing; customer testing of patches pre-release.
  By 5/04: rollback capability for Windows, SQL, Exchange, Office.

Reduce downtime
  Now: 10% fewer reboots on W2K and higher.
  By 5/04: 30% fewer reboots on Win 2003 (starting in SP1). Up to 70% reduction for the next server release.

Security Guidance for IT Pros

• Available now
  • 17 prescriptive books
  • How Microsoft secures Microsoft: guidance & tools
• Later this year and throughout 2004
  • More prescriptive & how-to guides
  • Tools & scripts to automate common tasks
  • Focused on operating a secure environment
  • Patterns & practices for defense in depth
  • Enterprise security checklist – the single place for authoritative security guidance

Continue Improving Quality: Trustworthy Computing Release Process

[Figure: product timeline running Design → Development (milestones M1, M2 … Mn) → Beta → Release → Support, with the security activities below mapped onto it.]

Security Review (design docs & specifications)
  • Each component team develops threat models, ensuring that the design blocks applicable threats

Develop & Test (development, testing & documentation)
  • Apply security design & coding standards
  • Tools to eliminate code flaws (PREfix & PREfast)
  • Monitor & block new attack techniques

Security Push
  • Team-wide stand down
  • Threat model updates, code review, test & documentation scrub

Security Audit (product)
  • Analysis against current threats
  • Internal & 3rd party penetration testing

Security Response (Service Packs, QFEs)
  • Fix newly discovered issues
  • Root cause analysis to proactively find and fix related vulnerabilities

Continue Improving Quality

[Chart: critical or important vulnerabilities in the first 90 days and the first 150 days after release, split by whether the product was a TwC release (Yes / No). Values shown: 6, 9, 13, 23.]

Mandatory for all new products.

For some widely-deployed, existing products:
  • Service Pack 3, shipped Jan. 2003, 8 months ago: 9 bulletins in the prior period, 1 bulletin since the TwC release.
  • Service Pack 3, shipped July 2002, 14 months ago: 5 bulletins in the prior period, 0 bulletins since the TwC release.

Security Roadmap

Timeline: Today (0–9 months) · 9–12 months · Future

• Tools & Patching: Monthly patch releases; patching enhancements (2 patch installers; rollback); SUS 2.0; SMS 2003
• Guidance: Guidance & training; How Microsoft runs Microsoft; Support for W2K SP2 & NT4 SP6a; more guidance and training
• Shields: Shield technologies for client and server; "MS Update"
• Next-Generation Security: Integrated host security technologies; NGSCB; Windows hardening

Where else we're involved

• Security patches & tools
• Virus
• Crisis support
• Privacy
• Hacking and IR
• Gov't & Law Enforcement Liaison
• Anti-spam & computer crime, Legal
• Press/PR/outreach/communications

How to get in touch

• Via your existing MS contact/relationship
• Mailto: [email protected]