Microsoft Security "Beyond Patching" Security Challenges, Part II
  • © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. MGB 2003
  • Trustworthy browsing: Windows Vista Internet Explorer includes enhanced malicious software protection, extensibility control, and personal data protection. Internet Explorer runs with reduced privileges, no matter what privileges the currently logged-on user has. Transition: let's see this in action.
  • The Microsoft Application Compatibility Toolkit (ACT) V5.0 is designed to help customers understand their application portfolio by identifying applications, web sites, and computers in their environment, and to help them manage and deliver application compatibility fixes. ACT lowers the cost of application compatibility testing by helping customers analyze, rationalize and prioritize their compatibility efforts, so that they can deploy Windows Vista more quickly and efficiently. New features in ACT V5.0 include:
      • New Vista-specific evaluators: an Inventory evaluator, a User Account Control evaluator, and an Update Compatibility Evaluator agent that tests for possible compatibility issues during new deployments of service packs.
      • New Centralized Configuration and Collection Data features: centrally configure agent settings, set inventory parameters, schedule agent jobs, and set up SMS integration.
      • New Data Organizing features: categorize your portfolio, set priorities, track status, and filter applications out of review.
      • New Data Analyzing features: reporting and analysis, custom issues and solutions added to the database with a Product Studio-like workflow, and export of reports to files.
      • New Issue Resolution features: automatically create and deploy mitigations for known application compatibility issues.
      • New Online Application Community Exchange posting: customers can share information about application compatibility testing and upload the results of their own compatibility testing for other IT professionals. You can filter and acknowledge the applications you want to share with the community, and your feedback is combined with that of other community members to provide comprehensive compatibility ratings.
    ACT V4.1 is currently available and was delivered to assist customers with their Windows XP SP2 deployment. ACT 4.1 agents identified applications that used DCOM interfaces or specific firewall settings, and identified possible Internet Explorer issues.
  • Microsoft has developed several anti-malware offerings to protect business and consumer PCs. Protection for consumer PCs is provided by the following offerings:
      • Malicious Software Removal Tool (MSRT): complements traditional antivirus technologies by helping to remove the most prevalent viruses and worms from a PC.
      • Windows Defender (previously Windows AntiSpyware): provides spyware protection for individual users of the Windows operating system.
      • Windows Live Safety Center: a web service that individuals can use to help ensure the health of their PC. In addition to checking for and removing viruses, Windows Live Safety Center includes tools for improving PC performance.
      • Windows OneCare Live: a subscription PC health service that provides round-the-clock protection and maintenance, including virus scanning, firewall, tune-ups, and file backups.
    Microsoft Client Protection is the single, centrally managed product that helps protect business desktops, laptops and servers from emerging threats such as spyware and rootkits, as well as viruses and other traditional attacks. Insightful, prioritized reports and alerts delivered through centralized management help customers spend less time on malware. Microsoft Client Protection can be easily customized and integrates with existing IT infrastructure such as Active Directory and other software distribution systems, helping to reduce deployment time and maximize value.
  • This is a build of Network Access Protection in action (DHCP/VPN example):
      • Health policy is set by the IT administrator. It is asynchronously plumbed by the system health servers to the IAS policy server, which keeps a health cache at any given time.
      • The client requests network access and passes across its statement of health (SoH). The Network Access Device (NAD) ships this information over to the IAS policy server.
      • IAS compares the SoH to what is in its cache and makes a determination. Here the SoH does not meet health policy, so the IAS policy server tells the NAD to restrict the client (it could be put in a VLAN or a separate subnet). The IAS policy server also tells the NAD what the client needs to be healthy.
      • The NAP system information passed to the client tells it how to reach the fix-up servers. The client contacts the fix-up server and requests the update.
      • The client returns to the NAD with an updated SoH. It matches policy, so the client gains full access to network resources. The SoH is reused to continue accessing network resources until the policy is updated.
      • The cycle repeats when the client next requests network access, this time presenting an up-to-date SoH. Since it matches policy, the client is granted immediate access to the network.
  • NAP is about customer choice. Benefits of IPsec-based enforcement:
      • Isolation of unhealthy clients using IPsec.
      • Secure enforcement: cannot be bypassed by reconfiguring the client, or by use of hubs or virtual PC technology.
      • No infrastructure upgrade: works with today's switches and routers; no need to replace or upgrade DHCP, VPN, etc.
      • Flexible isolation: healthy systems can connect to quarantined systems but not vice versa; the isolation model is defined by policy.
    The recommendation is to use the enforcement mechanisms in combination, as each customer's business requirements dictate. Each customer is different and will need to assess many factors such as risk, business models, health policies and management, access scenarios, infrastructure investments, and upgrade schedule, among other things. The Network Access Protection platform lets the customer make a selection based on the unique circumstances of their environment without compromising on the need for a strong, multi-layered network security and access policy management solution.
  • Let me talk a little bit more about another great Windows Vista security feature, which is something that we call "Windows Service Hardening." Windows Service Hardening is all about our defense-in-depth strategy. What we're doing in service hardening is making sure that even if there is a vulnerability in a service, and that vulnerability is compromised by exploit code, that exploit code isn't allowed to propagate to other machines on the network. If you look at something like the Blaster worm that happened a couple of years ago, what it did was exploit a vulnerability in the RPC service and force RPC to write a file to the file system, which RPC shouldn't be able to do. It also wrote a Run key in the registry to make sure that it would persist after a reboot, and it actively talked outbound on the network to try to infect other machines. With service hardening, we reduce the size of the high-risk layers, in other words protecting the kernel and system files. We do that by profiling the entire set of core Windows services and determining access boundaries, such as which parts of the file system, registry and ports the service can write to or manipulate, and we enforce that behavior at run time. If necessary, we segment the services to ensure that the pieces that need to run with higher privileges are separated from those that don't require that level of privilege. In addition, we are also introducing a layer and concept called user-mode drivers. So even if there is a vulnerability in a Windows service and it's compromised by exploit code, that exploit code can't make the service do something that it wouldn't ordinarily be allowed to do. This is really intended to reduce the risk of malware quickly spreading to other machines; that's a huge focus of the Windows Service Hardening platform.
    The great thing about service hardening is that, besides hardening core Windows services, we'll make it available to third parties to opt into the service hardening platform as well, so that third-party applications will be able to take advantage of it.
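An added example (not from the presentation) of how a defender can check which services actually opt into the per-service SID and trimmed privilege set that service hardening relies on. It assumes Windows Vista / Server 2008 or later and that sc.exe prints "SERVICE_SID_TYPE:" and "PRIVILEGES" lines in the format current builds use.

```powershell
# Added example, not from the presentation: audit which services carry the
# per-service SID that Windows Service Hardening uses to scope a service's
# access (ACLs on files and registry keys, firewall rules keyed to the
# service), and which privileges each service is configured to hold.
# Assumptions: Windows Vista / Server 2008 or later, and that sc.exe prints
# "SERVICE_SID_TYPE:  <value>" and "PRIVILEGES : <name>" lines as current
# Windows builds do. Run from an elevated prompt so every service is queryable.

function Get-ServiceSidType {
    # Returns NONE (no per-service SID), UNRESTRICTED (service SID is added to
    # the token) or RESTRICTED (service SID added and the token is write-restricted).
    param([Parameter(Mandatory)][string]$Name)
    $text = (& sc.exe qsidtype $Name 2>&1) -join "`n"
    if ($text -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'   # query failed (access denied or no such service)
}

function Get-ServicePrivileges {
    # Returns the privileges configured with "sc privs"; an empty list means the
    # service was never trimmed and keeps the full privilege set of its account.
    param([Parameter(Mandatory)][string]$Name)
    $lines = & sc.exe qprivs $Name 2>&1
    return @($lines | ForEach-Object {
        if ($_ -match '(Se\w+Privilege)') { $Matches[1] }
    })
}

function Get-ServiceHardeningReport {
    # One row per running service. Services without a per-service SID are the
    # review candidates: nothing can be ACLed or firewalled specifically to them.
    Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object {
        [pscustomobject]@{
            Service    = $_.Name
            SidType    = Get-ServiceSidType -Name $_.Name
            Privileges = (Get-ServicePrivileges -Name $_.Name) -join ','
        }
    }
}

$report = @(Get-ServiceHardeningReport)
$noSid  = @($report | Where-Object { $_.SidType -eq 'NONE' })
"{0} running services, {1} without a per-service SID" -f $report.Count, $noSid.Count
$noSid | Sort-Object Service | Format-Table -AutoSize
```

Third-party services that show up with SID type NONE and an empty privilege list are the ones that have not opted into the platform the speaker describes; `sc.exe sidtype` and `sc.exe privs` are the configuration-side counterparts of the two queries above.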
  • From a firewall standpoint, we've added new application-aware outbound filtering, and we really think this is a powerful addition to Windows Vista in the enterprise. It allows you, for instance, if there is a peer-to-peer sharing application that you don't want to allow on your network, to say, "I want this application to be blocked and not allowed to communicate on my network." Also, say there is an application in which a vulnerability has been discovered, and there is no patch to deploy yet or you haven't had time to deploy it. You can set up a rule that allows that application to be used, but not to communicate outbound on the network. Maybe it's something like Windows Media Player, which you want to allow people to use to watch internal videos, but you don't want it to communicate outbound on the network. You'll be able to set up rules to enable scenarios like that with Windows Vista.
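The two rule scenarios described above, as an added example that is not part of the presentation. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 or later; the Vista-era equivalent is `netsh advfirewall firewall add rule`), assumes an elevated prompt, and the peer-to-peer program path and GPO name are placeholders.

```powershell
# Added example, not from the presentation: application-aware outbound rules
# for the two scenarios in the speaker notes. Assumes Windows 8 / Server 2012
# or later, an elevated prompt, and placeholder paths (only the Windows Media
# Player location is the real default).

# The default outbound action is Allow on every profile, which is why an
# explicit Block rule is needed for an application you want kept off the network.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction

# Scenario 1: a peer-to-peer sharing application that is not allowed to
# communicate at all. Block both directions; Block rules win over Allow rules.
$p2p = "$env:ProgramFiles\ExampleP2P\p2pclient.exe"   # placeholder path
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Block ExampleP2P ($dir)" -Direction $dir `
        -Program $p2p -Action Block -Profile Any -Enabled True | Out-Null
}

# Scenario 2: an application that may keep running (Windows Media Player for
# internal videos) but must not talk outbound. Nothing stops the program from
# starting; only its outbound connections are dropped.
$wmp = "$env:ProgramFiles\Windows Media Player\wmplayer.exe"
New-NetFirewallRule -DisplayName 'Block WMP outbound' -Direction Outbound `
    -Program $wmp -Action Block -Profile Any -Enabled True | Out-Null
# If the videos live on internal servers, narrow the block instead of blocking
# everything, e.g. add -RemoteAddress Internet (depends on NLA classifying the
# intranet correctly) or an explicit list of external address ranges.

# Verify: the rule exists, is enabled, and is bound to the intended program.
Get-NetFirewallRule -DisplayName 'Block WMP outbound' | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Enabled = $_.Enabled
        Action = $_.Action; Program = $app.Program
    }
}

# For a fleet, create the same rules in a Group Policy object rather than the
# local store (GPO name is a placeholder), e.g.:
#   New-NetFirewallRule ... -PolicyStore 'example.local\Workstation Firewall'
```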
  • Hidden slide for demo on a non-Vista machine. Discuss how the language was written to be very clear. Note the orange shield. **NEED GRAPHICS with red and green shields. Click Allow.
  • Hidden slide for demo on a non-Vista machine. Note all the details in the two dialogs. Note that Cancel is the default option on the Open File dialog box.
  • Hidden slide for demo on a non-Vista machine. Demo script: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions. Extend the discussion to differentiate behaviors like Device Installation that can be controlled via Administrative Templates; note how this is different from the settings controlled via traditional Security Templates. Other examples of behaviors controlled via Administrative Templates are Internet Explorer Maintenance, Software Restriction Policies, and Restricted Groups.
  • Changes threats related to physical access to a system. BitLocker offers full volume encryption to ensure that a thief or hacker who obtains a system is not able to access the data that resides on it. BitLocker is a hardware-based data protection feature that addresses the growing concern over data on lost or stolen machines. Data is protected by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers; this protection is achieved by encrypting the entire Windows volume. This improves data security and reduces equipment repurposing concerns. The feature is simple to deploy and use, and enables easy recovery. BitLocker only works against the boot drive (Longhorn server is expected to allow encryption of other volumes). If you have physical access to a Windows XP workstation, attack the system keys and gain access, you have the ability to decrypt the private keys of the users with encrypted files on the workstation. BDE encrypts the entire system volume, including the stored keys, so they can't be attacked. Better user experience: no more boot passwords or "hard drive passwords". Transition: a TPM v1.2 chip is not required for the use of BitLocker on Vista, but it improves manageability and ease of use. http://www.microsoft.com/whdc/system/platform/pcdesign/secure-start_exec.mspx
  • BitLocker requires new API features/functionality found only in the TPM 1.2 specification. The TPM will likely be a standard component on new computer systems; it cannot be retrofitted to older systems.
  • Microsoft Client Protection provides visibility and control to administrators through two server-based components: the management server and the reporting and alerting servers. The management server runs a central console. From there, the administrator configures the client settings to tailor the solution to their environment. Settings include: scan schedule, real-time protection enabled or disabled, default actions for specific threats, and alerting and reporting level. Microsoft Client Protection is optimized for the use of Active Directory Group Policy to distribute settings to client computers; customers can also choose to use any existing software distribution system. Malware definition updates are distributed with Microsoft Update or Windows Update. Microsoft Client Protection is optimized for the use of Windows Server Update Services (WSUS) to distribute definition updates to client computers; WSUS enables administrators to auto-approve the latest signatures, or to test and approve every update. Customers can also use any existing software distribution system in their environment. Events that occur on client machines are reported to the reporting and alerting server. This server generates alerts for high-value events, such as 'malware outbreak' (the same virus detected on multiple machines within X minutes) or 'failed to remove a threat'. It also generates reports, accessible through the console, that provide prioritized, insightful information to help administrators focus their resources on the right issues. All relevant reports are linked together and include up-to-date information as well as trending information. The integrated event collection and reporting technology is built on technology from MOM 2005 and SQL Server. The servers shown depict the scaled-out, four-server topology (WSUS, management server, two reporting servers); in smaller organizations these functions can be consolidated on fewer servers.
    We are optimizing the product to deliver a seamless end-to-end experience for customers in the upper mid-market to midrange enterprise. We are currently working on the exact scalability parameters of this range; as of this time, we know that it will depend on factors such as complexity of network topology, amount of network bandwidth and number of remote locations. While the upper mid-market to midrange enterprise is the focus for this first version, we expect customers outside this range will be able to successfully use Microsoft Client Protection with some additional implementation steps. We will provide further details on this as we complete formal testing of the product.
  • Transcript

    • 1. Beyond Patching. Dean Iacovelli, Chief Security Advisor, State and Local Government, Microsoft Corporation, [email_address]
    • 2. Objectives
        • Address your concerns about security
        • Update on current trends
        • Current initiatives at Microsoft
        • Future security product/solution roadmap
      Agenda
        • Defining and managing the risk
        • System Integrity
        • Identity management
        • Trustworthy Identity
        • Client protection
        • Server protection
        • Network protection
        • Summary, Q&A
    • 3. My Role as SLG CSA
        • Overall security policy and strategy for MS SLG
        • MS spokesperson to/from SLG customers
        • Information broker: resources, best practices, programs
        • Coordinator for incident response communication, security readiness
        • Not goaled on revenue
        • Basically: help ensure SLG customers have a good experience dealing with security on the MS platform
    • 4. Your Feedback?
        • Challenges
          • Worms / viruses
          • Spyware
          • Spam
          • Patch management
          • Network access control
          • Identity management
          • Best practices / guidance
          • Looking at Linux for security reasons?
    • 5. Understanding Your Adversary (chart: attacker types by skill, from Script-Kiddy and Hobbyist Hacker to Expert and Specialist, plotted against motivation, from Curiosity and Personal Fame to Personal Gain and National Interest; roles shown: Vandal, Thief, Spy, Trespasser, Author. Annotations: "Tools created by experts now used by less skilled attackers and criminals"; "Fastest growing segment")
    • 6. State and Local Security Trends
        • Attacks becoming less numerous, more nasty
          • Viruses/worms still lead in financial cost BUT
          • 6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI)
          • 2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)
          • Botnets (used for cyber extortion) have jumped from an average of 2500 machines in 2004 to 85,000 in 2006
        • Why sniff the net when you can hack the site or the password?
          • 95% reported 10+ website incidents last year (FBI/CSI)
          • 15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)
        • Major NT4/Win 98 supportability issues
          • Enterprise patching and management still not under control
          • What your neighbor isn't doing IS your problem
        • Real cost is loss of trust
    • 7. Closer Look at Malware Data (MSRT). Source: Microsoft. (% Value is disinfections as a share of executions.)

        Release    Days Live   Executions       Disinfections   % Value
        January    28          124,613,632      239,197         0.1920%
        February   28          118,209,670      351,135         0.2970%
        March      35          145,502,003      443,661         0.3049%
        April      28          125,150,400      590,714         0.4720%
        May        35          164,283,730      1,154,345       0.7027%
        June       28          162,763,946      642,955         0.3950%
        …          …           …                …               …
        Total      362         1,804,565,652    8,679,656       0.481%

    • 8. (Chart; labels recovered from extraction: "Video game cheats", "#3 in previous chart", "Celebrities", "Song lyrics")
    • 9. Trends in Security Spending
        • $497 per employee
          • $354 operations
          • $143 capital
          • Even worse for smaller agencies: as much as $650
        • No economies of scale
          • SLG spends ~10x Federal and most of private sector
          • Lack of centralized strategy / tools
        • Getting worse
          • Federal trending down from CY05
          • SLG trending up
        • Various new state infosec laws may be impacting costs, but still a serious issue
    • 10. MS Security Statistical Snapshot
        • 263M downloads of XP SP2
        • 75M downloads of Microsoft Anti-Spyware beta
        • 9.7M consumers using SP2 Firewall
        • 332M machines using Automatic Update or Windows Update
        • 135 legal actions against spammers worldwide
        • 121 phishing sites sued
        • 578 Microsoft CISSPs (and counting…)
    • 11. Microsoft Security Strategy Overview
        • Threat and Vulnerability Mitigation
          • Client Protection: protect PCs & devices from malicious software
          • Server Protection: protect servers from malicious software
          • Network Protection: protect network from malicious software & inappropriate access
        • System Integrity: make systems inherently safer and more secure
        • Identity and Access Management: allow legitimate users secure access to machines, applications and data
    • 12. Security Development Lifecycle
        • Security Development Lifecycle
        • Security Response Center
        • Better Updates and Tools
    • 13. Threat Modeling Example: MS03-007 (defense-in-depth layers, read from the outside in)
        • Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003
        • Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
        • Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
        • The underlying DLL (NTDLL.DLL) is not vulnerable: code made more conservative during the Security Push
        • Even if the buffer was large enough: the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
        • Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as 'network service'
    • 14. Focus Yielding Results * As of February 14, 2006 2003 Bulletins since TwC release Service Pack 3 Bulletins in period prior to release 16 3 SQL Server 2000 SP3 released 1/17/2003 Released 05/31/2001 Released 11/17/2003 Bulletins 820 Days After Product Release 7 11 1027 Days After Product Release 89 Released 11/29/2000 Released 09/28/2003 50
    • 15. Case Study How We Tested WMF Patch <ul><li>415 apps (ms &amp; third party) </li></ul><ul><li>6 supported version of the o/s in 23 languages </li></ul><ul><li>15k print variations, 2800 print pages verified </li></ul><ul><li>2000 wmf’s analyzed, 125 malicious wmf’s tested </li></ul><ul><li>12k images verified for regressions </li></ul><ul><li>22,000 hours of stress testing </li></ul><ul><li>450k total test cases </li></ul>
    • 16. Patch Management Initiative Progress to Date Informed &amp; Prepared Customers Superior Patch Quality Consistent &amp; Superior Update Experience Best Patch &amp; Update Management Solutions <ul><li>Microsoft Update </li></ul><ul><li>WSUS </li></ul><ul><li>SMS 2003 </li></ul><ul><li>Better security bulletins and KB articles </li></ul><ul><li>IT SHOWCASE: How Microsoft IT Does Patch Management </li></ul><ul><li>Standardized patch and update terminology </li></ul><ul><li>Moved from 8 installers to 2 (update.exe and MSI) </li></ul><ul><li>Standardized patch naming and switch options </li></ul><ul><li>Improved patch testing process and coverage </li></ul><ul><li>Expanded test process to include customers </li></ul><ul><li>Reduced reboots by 10%, targeting 50% in Vista </li></ul>
    • 17. Update Impact Analyzer Determine How Patches Will Affect Critical Apps
    • 18. Fundamentals <ul><li>“ You can only manage what you can measure” </li></ul><ul><ul><li>… and you can only secure what you can manage (and find  ) </li></ul></ul><ul><ul><li>Decentralization may be a reality but it’s not a best practice </li></ul></ul><ul><li>Set policy </li></ul><ul><ul><li>Active Directory </li></ul></ul><ul><ul><li>Central policy, local defense </li></ul></ul><ul><ul><li>Delegate back business-specific policy control </li></ul></ul><ul><li>Audit policy </li></ul><ul><ul><li>Turning it on AFTER the incident much less useful </li></ul></ul><ul><ul><li>Don’t wait for the incident to look at the logs </li></ul></ul><ul><li>Standardize builds, supported applications </li></ul><ul><ul><li>Enterprise assets are not toys </li></ul></ul><ul><ul><li>Vista will make this easier, possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx </li></ul></ul>
    • 19. Beyond Patching: The Problem <ul><li>Patching is no longer strategic </li></ul><ul><ul><li>Moving from security to operations like backups </li></ul></ul><ul><li>New threats require new models </li></ul><ul><ul><li>Internal network is NOT trusted </li></ul></ul><ul><ul><li>Medieval castle model is the only response </li></ul></ul><ul><ul><li>Automated attacks require automated defenses </li></ul></ul>
    • 20. Microsoft Security Strategy Overview Threat and Vulnerability Mitigation Protect PCs &amp; devices from malicious software Client Protection Protect servers from malicious software Server Protection Network Protection Protect network from malicious software &amp; inappropriate access System Integrity Make systems inherently safer and more secure Identity and Access Management Allow legitimate users secure access to machines, applications and data
    • 21. Access Policy Management | Trustworthy Identity | Information Protection
      Goal: Allow only legitimate users secure, policy-based access to machines, applications and data
      - Directory Services
      - Lifecycle Management
      - Strong Authentication
      - Federated Identity
      - Certificate Services
      - Role-based Access Control
      - Audit Collection Services
      - Group Policy Management Console
      - Rights Management Services
      - Encryption Services
      - Secure Protocols and Channels
      - Back-up and Recovery Services
      Column taglines: Provide access based on policy; Protect data throughout its lifecycle; Ensure users are who they claim to be, manage identity lifecycle
    • 22. Fundamentals
      - Reduce
        - Consolidate to fewer identity stores
        - Leverage metadirectories to simplify sign-on, automate/standardize identity business rules
      - Reuse
        - Leverage globally relevant attributes across all applications
        - Place non-globally relevant attributes in app-coupled LDAP stores
      - Recycle
        - Leverage federation to use your credentials on business partner networks
    • 23. Microsoft Security Strategy Overview (section divider; same diagram as slide 20)
    • 24. Fundamentals
      - Medieval castle model
        - The internal network is NOT trusted
        - Central policy, local defense
      - Leverage tools you already own
        - Windows firewall
        - Active Directory group policy
        - Phishing filters
        - Encrypting file system
        - IPsec logical segmentation
      - Isolate what you can’t defend
    • 25. (untitled slide)
      - Helps protect the system from attacks from the network
      - Provides system-level protection for the base operating system
      - Enables more secure Internet experience for most common Internet tasks
      - Enables more secure Email and Instant Messaging experience
    • 26. Internet Explorer 7
      - Social Engineering Protections
        - Phishing Filter and Colored Address Bar
        - Dangerous Settings Notification
        - Secure defaults for all settings
      - Protection from Exploits
        - Protected Mode to prevent malicious software
        - Code quality improvements
        - ActiveX Opt-in
    • 27. Application Compatibility Toolkit V5.0
      - Analyze your portfolio of Applications, Web Sites, and Computers
      - Evaluate operating system deployments or impact of operating system updates
      - Rationalize and Organize by Applications, Web Sites, and Computers
      - Prioritize compatibility efforts with filtered reporting
      - Add and manage issues and solutions for your personal computing environment
      - Deploy automated mitigations to known compatibility issues
      - Send/Receive compatibility information to Online Compatibility Exchange
    • 28. Feature matrix (the per-product check marks did not survive extraction)
      Columns: FOR INDIVIDUAL USERS: MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live | FOR BUSINESSES: Microsoft Client Protection
      Rows: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT Infrastructure Integration
    • 29. Shared Computer Toolkit for Windows XP
      - Windows Disk Protection
        - Prevent unapproved changes to the Windows partition
        - Allow critical updates and antivirus updates
      - User Restrictions
        - Restrict untrusted users from files and settings
        - Lock user profiles for protection and privacy
      - Profile Manager
        - Create “persistent” user profiles on unprotected partitions
        - Delete locked user profiles
      - Accessibility
        - Accessibility settings & utilities when restricted
        - Quick access for repeat use
      - Getting Started
        - Use and learn about the Toolkit
        - Quick access toolbar
      Tools are scriptable. Additional command-line tools included. Comprehensive Help and Handbook with supplemental security guidance.
    • 30. Next Generation Security and Compliance
      - Threat & Vulnerability Mitigation (Protect against malware and intrusions)
        - Code Integrity
        - IE Protected Mode
        - Windows Defender
        - IPSEC/Firewall integration
        - Network Access Protection
      - Identity & Access Control (Enable secure access to information)
        - User Account Control
        - Plug and Play Smartcards
        - Granular auditing
        - Simplified Logon architecture
      - Fundamentals (Engineered for the future)
        - Security Development Lifecycle
        - Threat Modeling
        - Code Scanning
        - Service Hardening
      - Information Protection
        - BitLocker Drive Encryption
        - EFS Smartcard key storage
        - RMS client
        - Control over removable device installation
        - XPS Document + WPF APIs
    • 31. InfoCard Overview: Secure sharing of your info online
      - Simple user abstraction
        - Manage compartmentalized versions of your identity
        - Strong computer-generated keys instead of human-generated passwords
      - Relates to familiar models
        - Gov’t ID card, driver’s license, credit card, membership card, …
      - Flexible issuance
        - Self-issued – eBay, Amazon
        - Issued by external authority – Visa, Government
      - Implemented as secure subsystem
        - Protected UI, anti-spoofing techniques, encrypted storage
      - Built on WS-Federation web standards
    • 32. Microsoft Security Strategy Overview (section divider; same diagram as slide 20)
    • 33. Security Configuration Wizard (Windows Server 2003 SP1)
      - Security lockdown tool for Windows Server 2003
        - Roles-based paradigm
        - Focused on Attack Surface Reduction
          - Disables unnecessary services
          - Disables unnecessary web extensions
          - Blocks unnecessary ports
          - Configures audit SACLs
      - Operational infrastructure
        - Client-Server deployment infrastructure
        - Support for Group Policy-based deployment
        - Compliance Analysis
        - Rollback support
    • 34. Microsoft Antigen Line of Products (Threat & Vulnerability Mitigation)
      - RTM in Q2 2006
      - Highlights
        - Unique multi-engine approach for faster detection and broader protection
        - Integrated virus and spam protection
        - Integrated Microsoft AV engine
    • 35. Microsoft Security Strategy Overview (section divider; same diagram as slide 20)
    • 36. Network Access Protection (Longhorn Server, 2007)
      - Policy Validation
        - Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy.”
      - Network Restriction
        - Restricts network access to computers based on their health.
      - Remediation
        - Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.
      - Ongoing Compliance
        - Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.
    • 37. Network Access Protection Walkthrough
      Actors: Client; Network Access Device (DHCP, VPN); IAS Policy Server; System Health Servers (ongoing policy updates to the IAS Policy Server); Remediation Servers; Restricted Network; Corporate Network
      1. Client -> Network Access Device: “May I have access? Here’s my current health status.”
      2. Network Access Device -> IAS Policy Server: “Should this client be restricted based on its health?”
      3. IAS Policy Server: “According to policy, the client is not up to date. Quarantine client, request it to update.”
      4. Network Access Device -> Client: “You are given restricted access until fix-up.” (client placed on the Restricted Network)
      5. Client -> Remediation Servers: “Can I have updates?” Remediation Servers -> Client: “Here you go.”
      6. Client -> Network Access Device: “Requesting access. Here’s my new health status.”
      7. IAS Policy Server: “According to policy, the client is up to date. Grant access.”
      8. Client is granted access to full intranet (Corporate Network).
    • 38. NAP - Enforcement Options
      Enforcement              Unhealthy Client                                                  Healthy Client
      DHCP                     Restricted set of routes                                          Full IP address given, full access
      802.1X                   Restricted VLAN                                                   Full access
      VPN (MS and 3rd Party)   Restricted VLAN                                                   Full access
      IPsec                    Healthy peers reject connection requests from unhealthy systems   Can communicate with any trusted peer
      - Complements layer 2 protection
      - Works with existing servers and infrastructure
      - Flexible isolation
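The four NAP phases of slide 36 and the walkthrough of slide 37, as an added simulation that is not part of the original deck: a constructed health policy stands in for what the System Health Servers push to the IAS policy server, the policy server decides healthy/unhealthy, the enforcement point quarantines until remediation, and tightening the policy later restricts the same client again (ongoing compliance). Check names and values are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed health policy (assumption): what the System Health Servers
# push to the IAS policy server. Real NAP policies are richer than this.
POLICY = {"firewall_on": True, "av_signature_min": 120, "patches": {"KB-A", "KB-B"}}


@dataclass(frozen=True)
class HealthStatus:
    """Statement of health the client sends with its access request."""
    firewall_on: bool
    av_signature: int
    patches: frozenset


def evaluate(policy, status):
    """IAS policy server: returns (healthy, failed_checks); healthy means compliant."""
    failures = []
    if policy["firewall_on"] and not status.firewall_on:
        failures.append("firewall_on")
    if status.av_signature < policy["av_signature_min"]:
        failures.append("av_signature")
    missing = sorted(policy["patches"] - status.patches)
    if missing:
        failures.append("patches:" + ",".join(missing))
    return not failures, failures


def remediate(policy, status, failures):
    """Remediation servers: hand out exactly what the failed checks need."""
    fixed = status
    for check in failures:
        if check == "firewall_on":
            fixed = replace(fixed, firewall_on=True)
        elif check == "av_signature":
            fixed = replace(fixed, av_signature=policy["av_signature_min"])
        elif check.startswith("patches:"):
            fixed = replace(fixed, patches=fixed.patches | policy["patches"])
    return fixed


def request_access(policy, status):
    """Network Access Device (DHCP/VPN): quarantine until fix-up, then full access.
    Returns the enforcement log as [(network, failed_checks), ...] and the
    client's final health status."""
    log = []
    healthy, failures = evaluate(policy, status)
    if not healthy:
        # Restricted network: only the remediation servers are reachable.
        log.append(("restricted", failures))
        status = remediate(policy, status, failures)
        # Client resubmits its new health status after fix-up.
        healthy, failures = evaluate(policy, status)
    log.append(("corporate" if healthy else "restricted", failures))
    return log, status


if __name__ == "__main__":
    client = HealthStatus(firewall_on=False, av_signature=118, patches=frozenset({"KB-A"}))
    log, client = request_access(POLICY, client)
    print(log)
    # Ongoing compliance: a tightened policy restricts the same client again.
    tightened = dict(POLICY, av_signature_min=121)
    print(request_access(tightened, client)[0])
```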
    • 39. NAP Partner Community
    • 40. Getting Started
      - Beta available now
      - Preparing for NAP will take effort and time!
      - Deployment preparation tasks:
        - Health Modeling
        - Health Policy Zoning
        - IAS (RADIUS) Deployment
        - Zone Enforcement Selection
        - Exemption Analysis
        - Change Process Control
      - Phased rollout
        - Roll out VPN solution to test health policy
        - Roll out IPsec segmentation to test wired enforcement
    • 41. Roadmap
      Rows: Services | Platform | Products (the time-period column headers did not survive extraction)
      - Frontbridge hosted services for anti-virus and anti-spam filtering (for businesses)
      - ISA Server 2004
      - Sybari Antigen anti-spam and anti-virus for Email, IM and SharePoint
      - Windows XP SP2
      - Windows Server 2003 SP1
      - Anti-malware tools
      - Microsoft Update
      - Windows Server Update Services
      - Windows Live OneCare (for consumers)
      - Microsoft Client Protection
      - Microsoft Antigen Anti-virus and Anti-spam for messaging and collaboration servers
      - ISA Server 2006
      - Windows AntiSpyware
      - Windows Vista
        - Firewall
        - Services Hardening
      - Next generation of services
      - Content filtering services
      - Next generation of security products
      - Network Access Protection
      - IPSec Enhancements
      - Audit Collection Services
    • 42. Summary
      - It’s all one network. Period.
      - Need to be securing for tomorrow’s threats, not yesterday’s
        - Defense in depth is and has always been the only effective strategy
        - Enterprise patch management will free us for more strategic work
      - Every machine deserves a good defense
    • 43. Contact info: Dean Iacovelli, Chief Security Advisor - State and Local Government, Microsoft Corporation, [email_address]
      Slides available at: www.iacovelli.info/work/secgtc.ppt
    • 44. Appendix
    • 45. Tools / Products
      - Application Compatibility Toolkit 5.0 beta sign up: http://connect.microsoft.com/
      - Network Access Protection: http://www.microsoft.com/nap
      - Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/mbsa
      - Windows Server Update Services (WSUS): http://www.microsoft.com/wsus
      - IE 7: http://www.microsoft.com/windows/ie/default.mspx
      - Client Protection: http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
      - Vista security: http://www.microsoft.com/technet/windowsvista/security/default.mspx
      - Security Configuration Wizard: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
    • 46. Guidance and Training
      MICROSOFT
      - Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
      - Security Guidance Centers: http://www.microsoft.com/security/guidance
      - Security Online Training: https://www.microsoftelearning.com/security/
      - XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2
      - Microsoft IT Security Showcase: http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
      - Security Newsletter: http://www.microsoft.com/technet/security/secnews/default.mspx
      - Security Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
      - Security Notifications via e-mail: http://www.microsoft.com/technet/security/bulletin/notify.mspx
      - MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
      - Security Bulletin Search Page: http://www.microsoft.com/technet/security/current.aspx
      - Security Bulletin Webcast: http://www.microsoft.com/technet/security/bulletin/summary.mspx
      - Writing Secure Code, 2nd edition: http://www.microsoft.com/mspress/books/5957.asp
      - Building and Configuring More Secure Web Sites: http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
      - Windows XP Security Guide, includes SP2: http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
      - Security Risk Management Guide: http://go.microsoft.com/fwlink/?LinkId=30794
      - Windows NT 4.0 and Windows 98 Threat Mitigation Guide: http://go.microsoft.com/fwlink/?linkid=32048
      - Microsoft Identity and Access Management Series: http://go.microsoft.com/fwlink/?LinkId=14841
      OTHER
      - FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN
    • 47. As of 6 March 2006: Tracking 13053 bot-nets, of which 8524 are active. Average size is 85,000 computers.
      Table columns: MaxSize | Server Name | Age (days). (The rows, a list of botnet controller hostnames, are omitted here.)
    • 48. (image-only slide, no text)
    • 49. Windows Service Hardening: Defense In Depth – Factoring/Profiling
      - Reduce size of high risk layers
      - Segment the services
      - Increase # of layers
      Diagram layers: Kernel Drivers; User-mode Drivers; Service 1, Service 2, Service 3, Service …; Service A, Service B
    • 50. Vista Service Changes
      Diagram: the same set of services, shown once per platform and grouped by the account they run under. The per-service box assignments did not survive extraction; only the account groups and the service names are recoverable.
      - Windows XP SP2 account groups: Local Service; Network Service; LocalSystem
      - Vista client account groups: Local Service Fully Restricted; Local Service No Network Access; Network Service Network Restricted; Network Service Fully Restricted; LocalSystem Demand started; LocalSystem Firewall Restricted
      - Services common to both platforms: RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS, SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry, DNS Client, Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, Event Log, IPSEC Services, Server
    • 51. Windows Vista Firewall
      - Combined firewall and IPsec management
        - New management tools – Windows Firewall with Advanced Security MMC snap-in
        - Reduces conflicts and coordination overhead between technologies
      - Firewall rules become more intelligent
        - Specify security requirements such as authentication and encryption
        - Specify Active Directory computer or user groups
      - Outbound filtering
        - Enterprise management feature – not for consumers
      - Simplified protection policy reduces management overhead
    • 52. User Account Control (UAC)
      - Previously known as “LUA”
      - Users will log on as non-administrator by default
      - Protects the system from the user
      - Enables the system to protect the user
      - Consent UI allows elevation to administrator
      - Applications and administrator tools should be UAP aware
        - Differentiate capabilities based on UAP
        - Apply correct security checks to product features
      - Start testing your software against Vista now!
    • 53. Standard UAC Prompt
    • 54. Application Installation as a Standard User
    • 55. Group Policy Device Restriction
    • 56. BitLocker™ Drive Encryption
      - Designed specifically to prevent malicious users from breaking Windows file and system protections
      - Provides data protection on Windows systems, even when the system is in unauthorized hands or is booted into a different or attacking operating system
      - A Trusted Platform Module (TPM) or USB flash drive is used for key storage
    • 57. Trusted Platform Module: Smartcard-like module on system motherboard
      - Helps protect secrets
      - Performs cryptographic functions
      - Can create, store and manage keys
      - Performs digital signature operations
      - Holds Platform Measurements (hashes)
      - Anchors chain of trust for keys and credentials
      - Protects itself against attacks
      TPM 1.2 spec: www.trustedcomputinggroup.org
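How the TPM's platform measurements (slide 57) let BitLocker (slide 56) refuse to release its key under a different or modified operating system, as an added toy model that is neither Microsoft's nor the TCG's code: one SHA-1 PCR is chain-extended with each boot stage, and a secret sealed to the expected PCR value is only released when the boot chain measures the same. The seal/unseal here is HMAC-based inside a simulated chip (a real TPM seals with a storage key in hardware); the boot components and volume master key are constructed stand-ins.

```python
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs hold SHA-1 digests


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-1(PCR_old || SHA-1(component)). A PCR can only be
    extended, never written, so the final value commits to every stage and its order."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Expected PCR value after the firmware has measured each boot stage in order."""
    pcr = bytes(PCR_LEN)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class Tpm:
    """Toy TPM (assumption): one PCR plus seal/unseal bound to that PCR's value."""

    def __init__(self):
        self._srk = os.urandom(32)  # storage root key: never leaves the chip
        self.pcr = bytes(PCR_LEN)

    def extend(self, component: bytes) -> None:
        self.pcr = extend(self.pcr, component)

    def _keystream(self, pcr: bytes, n: int) -> bytes:
        out, i = b"", 0
        while len(out) < n:
            out += hmac.new(self._srk, pcr + bytes([i]), hashlib.sha256).digest()
            i += 1
        return out[:n]

    def seal(self, secret: bytes, pcr: bytes):
        """Bind a secret to an expected PCR value (BitLocker does this with its VMK)."""
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(pcr, len(secret))))
        tag = hmac.new(self._srk, pcr + ct, hashlib.sha256).digest()
        return ct, tag

    def unseal(self, blob):
        """Release the secret only if the current PCR equals the sealing-time PCR."""
        ct, tag = blob
        expected = hmac.new(self._srk, self.pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # boot chain differs from the one the secret was sealed to
        return bytes(a ^ b for a, b in zip(ct, self._keystream(self.pcr, len(ct))))


# Constructed boot chain and volume master key (stand-ins, not real values).
GOLDEN_BOOT = [b"platform firmware 1.0", b"master boot record", b"bootmgr"]
VMK = b"constructed-volume-master-key-32"


def boot_and_unseal(actual_boot):
    """Seal the VMK to the golden chain, boot `actual_boot`, then try to unseal."""
    tpm = Tpm()
    blob = tpm.seal(VMK, measure_boot(GOLDEN_BOOT))
    for component in actual_boot:
        tpm.extend(component)
    return tpm.unseal(blob)


if __name__ == "__main__":
    print(boot_and_unseal(GOLDEN_BOOT) == VMK)  # True: same chain, key released
    tampered = GOLDEN_BOOT[:2] + [b"bootmgr (modified)"]
    print(boot_and_unseal(tampered))  # None: a changed boot stage changes the PCR
```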
    • 58. (image-only slide, no text)