Microsoft Corporation PPT Template (1)
Date: 2025-07-08
Microsoft Security Strategy
Steven Adler, Product Manager, Microsoft EMEA
Session Agenda
  Focus on Customer Challenges
  Microsoft Security Strategy
  Secure Windows Initiative
  Strategic Technology Protection Program
  Trustworthy Computing
  Building the secure platform
  .NET Framework
  Windows .NET
  Summary
  Questions
Technology, Process, People
What are the challenges?
  Products lack security features
  Products have bugs
  Insufficient technical standards
  Difficult to stay up-to-date
  Design for security
  Roles & responsibilities
  Vigilance
  Business continuity plans
  Stay up-to-date with security development
People
  Problem recognition
  Skills shortage
  Human error
Microsoft Security Strategy
  Trustworthy Computing
  Strategic Technology Protection Program
  Secure Windows Initiative
Secure Windows Initiative
“Engineering For Security”
Goal: Eliminate Every Security Vulnerability Before The Product Ships
  People
  Process
  Technology
Industry Yardstick
[Bar chart, values not recoverable. Systems compared: RedHat Linux 6.2 i386; SCO Open Server 5.0.6; MandrakeSoft Linux Mandrake 7.0; Microsoft Windows 2000; Sun Solaris 7.0; Sun Solaris 8.0; Debian Linux 2.2; MandrakeSoft Linux Mandrake 7.1; RedHat Linux 7.0; MandrakeSoft Linux Mandrake 7.2. Axis range: 0 to 35.]
Source: Security Focus http://www.77cn.com.cn/vulns/stats.shtml
Secure Windows Initiative
People
  Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products
Process
  Make security a critical factor in design, coding and testing of every product Microsoft builds
  Cross-group design & code reviews
  Security Threat Analysis part of every design spec
  Red Team testing and code reviews
  Focus not confined to buffer overruns
  Security bug feedback loop & code sign-off requirements
  External reviews and testing by consultants and public
Technology
  Build tools to automate everything possible in the quest to code the most secure products
  Prefix and Prefast for buffer overrun detection
  Updated as new vulnerabilities found
  Visual C++ 7.0 compiler improvements
  Domain-specific tools (i.e. RPC security stress)
Secure Windows Initiative
External Security Review
  FIPS 140-1 evaluation of Cryptographic Service Provider (CSP) – Completed
  Government validation of base crypto algorithms in Windows
  Common Criteria evaluation – In Preparation
  Evaluation of Windows source code against International security criteria for evaluating
  Third party expert review of key components
  Source code licensed to over 80 universities, labs, and government agencies
Strategic Technology Protection Program
Goal: Help customers secure their Windows Systems
  People
  Process
  Technology
Strategic Technology Protection Program
Customers Need Our Help
  More than 50% of the customers affected by Code Red were not patched in time for Nimda
  I didn’t know which patches I needed
  I didn’t know where to find the updates
  I didn’t know which machines to update
  We updated our production servers, but the rogue servers got infected
STPP: “Get Secure”
Now - Free Virus Support Hotline
  Contact your local PSS office
Now - Security Assessment Program Offering
  Available immediately through MCS/PSS
Now - Microsoft Security Toolkit
  Server oriented security resources. New server security tools and updates, Windows Update bootstrap client for Windows 2000
Coming - Enterprise Security Tools
  Microsoft Baseline Security Analyzer
  SMS security patch rollout tool
  Windows Update Auto-update client
Get Secure
Microsoft Security Toolkit
  Gets Windows NT and 2000 systems to secure baseline, even disconnected net
  Automates server updates
  One-button wizard and SMS Scripts
  Updates and Patches
  Includes all Service Packs and critical OS and IIS patches through 10/15
  HFNetchk: patch level verifier
  IIS Lockdown & URLScan
STPP: “Stay Secure”
Jan. 2002 - Windows 2000 Security Rollup Patches
  Bundle all security fixes in single patches
  Reduces reboots and administrator burden
Spring 2002 - Windows 2000 Service Pack (SP3)
  Provide ability to install SP3 + security rollup with a single reboot
Spring 2002 - Federated Corporate Windows Update Program
  Allows enterprise to host and select Windows Update content
Ongoing - Enhanced Product Security
  Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
Corporate Update Server Solution
Automatic Update (AU) client
  Automatically download and install critical updates
  Security patches, high impact bug fixes and new drivers when no driver is installed for a device
  Checks Windows Update service or Corporate Update server once a day
  New! Install at scheduled time after automatic downloads
  Administrator control of configuration via registry-based policy
  Support for Windows .NET Server, Windows XP and Windows 2000
Update server
  Corporate hosted WU server to support download and install of critical updates through AU client
  Server synchronizes with the public Windows Update service
  Simple administrative model via IE
  Updates are not made available to clients until the administrator approves them
  Runs on Windows .NET Server and Windows 2000 Server
Trustworthy Computing
Goal: Make devices powered by computers and software as trustworthy as devices powered by electricity.
A Trust Taxonomy
Goals
  Availability: At advertised levels
  Suitability: Features fit function
  Integrity: Against data loss or alteration
  Privacy: Access authorized by end-user
Means
  Security: Resists unauthorized access
  Quality: Performance criteria
  Dev Practices: Methods, philosophy
  Operations: Guidelines and benchmarks
  Business Practices ……
Execution
  Intent: Management assertions
  Risks: What undermines intent, causes liability
  Implementation: Steps to deliver intent
  Evidence: Audit mechanisms