1、微软内部的安全管理- IT 实践,何梅IT ManagerOperation Technology GroupMicrosoft Corporation,概述:,微软IT的使命和工作的优先级我们所面临的问题采取的几项措施事例分析,IT 目标和优先级,优先级Microsoft的首位用户和最佳用户提供领先的思维建立并列的IT战略运行一个世界级的公用设施,“预见性地交付超出我们客户、用户和合作伙伴预期 的IT基础结构和应用程序使随时随地的工作更方便更有效率.”Rick Devenuti Microsoft CIO,Redmond,Sydney,Chofu &,Les Ulis,Telehous,TV
2、P,Dublin,Benelux,Silicon Valley,Madrid,Dubai,Singapore,Johannesburg,Sao Paulo,72,000个邮箱,Microsoft IT数据,Milan,Stockholm,Munich,Canyon Park,Los Colinas,Charlotte,Chicago,Milan,Stockholm,Munich,Oemachi,7000多台服务器,遍布世界的400多个IT支持位置,每天450多万封email,每月260万个语音电话,400多种应用程序,150,000多台 PC,110台 Exchange服务器,我们所面对的:,
3、来自外界的:100k+ intrusion attempts/probes/scans per month125k+ quarantined emails/month225k networked devices挑战微软的文化独特的开发要求应用程序的内部测试技术的领先,生态系统,InfoSec must understand and manage vulnerabilities across all 5 vectors. Threats in any of these vectors almost always lead to compromise of other vectors.,Explo
4、it of misconfiguration, buffer overflows, open shares, NetBIOS attacks,托管,对应用程序的未授权访问未经检查的内存驻留,应用程序,账户的一致性和私有性,账户,信任关系,Data sniffing on the wire, network fingerprinting,网络,External Influences(people, bugs, etc.),SystemSecurity,External Influences(people, bugs, etc.),理想的信息安全是:,在一个包含的服务、应用程序和网络架构的IT环境
5、中,提供高可靠性、私有性和安全几点重要保证:验证身份所需资源的安全可靠数据和通讯的私有性角色和职能的划分快速的危险和威胁的反应,安全的策略,目标,确保网络周边的安全,确保网络内部的安全,确保重要资产的安全,加强监控和审计,服务,策略,Investigations & ForensicsThreat & Risk AnalysisManage PolicyVulnerability ScanningSecurity AuditsAccess Management,Smart Cards for RASSecure Remote UserManaged SourceNetwork Segmenta
6、tionSecuring the ExtranetUntrustworthy DevicesSecure Environmental Remediation,危险的分类,技术不是解决问题的唯一,危险的预防级别,事例分析,安全小组,Information Security Team,Threat, RiskAnalysis & Policy,AssessmentCompliance,Monitoring, Intrusion Detection, Incident Response,Shared ServicesOperations,Threat & RiskAnalysis,PolicyDev
7、elopment,ProductEvaluation,DesignReview,StructureStandards,SecurityManagement,SecurityAssessment,Compliance &Remediation,Monitoring &Intrusion Detection,Rapid Response& Resolution,Forensics,ITInvestigations,Physical &Remote Access,CertificateAdministration,SecurityTools,InitiativeManagement,确保网络周边的安
8、全ISA Server as Perimeter Firewall,远程访问的架构,确保网络周边的安全 RAS Deployment,使用智能卡实施VPN/RADIUS 利用Windows 2000 Servers PKI 集中式卡的管理,确保网络周边的安全Connection Manager,用户拨号所必需的 检查系统设置:是否安装放病毒软件ICFICS (关闭)利用Auto-Update功能 Push所需的软件,确保网络内部的安全用户账户的管理,密码是严格控制的信息所有用户,系统,网络和应用程序的密码必须70天更新密码在网络传输的过程中加密密码的标准,确保内部网络的安全确保无线网络的安全,
9、升级 fireware 到 802.1x 禁用 shared WEP key 禁止使用非IT管理的AP采用PKI分发和验证用户和机器的证书,确保网络内部的安全Network Threats, Risks, and Attacks,确保网络内部的安全网络的隔离,降低危险确认微软IT管理的机器区分微软IT管理,非IT管理的机器限制访问 Network Segmentation Approach限制非IT管理的机器(不在domain中的) 访问IT管理的机器利用IPsec,确保网络内部的安全补丁管理,Windows Update,Windows Update,Microsoft Baseline S
10、ecurity Advisor (MBSA),Microsoft Baseline Security Advisor (MBSA),Advertised Program Monitor(Deployed by SMS),Advertised Program Monitor,在设定的时间段,程序可以自动运行,ASAP 实施application software assurance program,危险评估设计审核产品发布之前的评估产品发布之后的跟踪,增强监督机制,设立专门的监督部门利用自动工具进行扫描微软对外发布的工具有:Microsoft Baseline Security Analyzer
11、 (MBSA) and HFNetChkScan for missing hotfixes and other vulnerabilities Scanning is geographically distributed and uses a variety of network sweep methodologiesAn internally developed toolkit helps to identify and correct vulnerabilities,防病毒的策略,安装防病毒软件 Audit employee desktops via a logon scriptQuara
12、ntine remote computers without eTrust from connecting 利用在Outlook中的安全设置Email attachment securityHeightened Outlook default security settingsObject Model Guard在Exchange IMC上做设置Currently block 38 file extensions at the IMCContent scanning and filtering at Internet facing serversBlock rogue Web sites at
13、 the Proxy servers,更多的信息可以在:,Additional content on OTG deployments and best practices can be found on http:/.TechNet: http:/ Study Resources:http:/ 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.,
