Information Security News mailing list archives

For security ask yourself...what would Microsoft do?


From: InfoSec News <isn () c4i org>
Date: Mon, 24 Nov 2003 01:33:20 -0600 (CST)

http://www.nwfusion.com/news/2003/1121forsecur2.html

By Paul Roberts
IDG News Service
11/21/03

Despite taking a beating in the press and from customers for security
holes in its products, decision makers at Microsoft appear to think
the company still has something to teach the world about computer
security.

The software giant this week published a technical white paper that
describes its internal security practices, which Microsoft hopes will
"help customers successfully secure their environments," the company
said.

The paper, simply titled Security at Microsoft, details the methods
and technologies that the company's Operations and Technology Group
(OTG) use to secure the company's global corporate network of more
than 300,000 computers and 4,200 servers.

In the paper, Microsoft describes its risk management strategy, which
involves classifying different computing resources according to their
"value class" -- from servers hosting the Windows source code down to
test servers. Microsoft also provides guidance on how its security
group assesses the potential risks and threats to those assets and
creates policies to secure the assets that are appropriate, given the
value of the data they contain.

Just as interesting are the tidbits of information about Microsoft's
security operation that can be gleaned from the document. For example,
Microsoft discloses that the company experiences more than 100,000
intrusion attempts each month and receives more than 125,000 infected
e-mail messages.

To protect corporate assets from threats introduced by remote workers,
Microsoft said it has invested heavily in smart card technology,
deploying more than 65,000 smart cards to remote workers that enable
them to log on to the corporate network using two-factor
authentication.

The company is also candid in admitting to past security failures,
acknowledging that the company has been attacked in the past and that
"there is a medium to high probability that within the next year, a
successful attack will occur that could compromise the High Value
and/or Highest Value data class," such as source code or human
resources data, according to the document.

Microsoft also says that prior to reforms enacted by the OTG in recent
years, the company had no formal, enterprise-wide system for managing
its source code. Instead, Microsoft's source code management was
characterized by "redundant infrastructure and inconsistent
processes," as well as inadequate security, according to the document.
At one point, any computer on the company's network
could access the Source Depot servers storing the company's source
code, creating a situation in which "the compromise of a single
computer on the corporate network could potentially lead to
penetration of one or more Source Depot servers," according to the
document.

Microsoft is equally candid about its struggles to enforce strong user
passwords and thwart a flood of intrusion attempts on its rapidly
growing network.

Perhaps not surprisingly, the company also takes a tough stand on
software patching on its own networks. Microsoft centrally monitors
the patch level of machines on its network using its own Systems
Management Server 2003 product, enforces the application of security
patches "without end-user intervention" and prohibits users from
disabling security patch management features without "an approved
exemption," according to the document.

The candid discussion of Microsoft's internal security operation is
part of a company-wide effort to improve communication with its
customers about security issues, according to Mike Nash, vice
president of Microsoft's Security Business Unit.

In addition to publishing the white paper, Microsoft has started
broadcasting monthly webcasts featuring senior security executives,
who articulate the company's message on securing its products and
answer questions from IT professionals about where to find software
patches and technical information, Nash said in an interview on
Monday.

The company has also launched a new security portal called the "IT Pro
Security Zone" that brings together information on security best
practices and provides access to Microsoft MVPs (Most Valuable
Professionals), experts on the company's technology who are active
participants in technology news groups and online discussions.

The new resources address technical questions and are intended for IT
professionals more than end users, Nash said.

One prominent member of the technical community, however, said that
Microsoft didn't spread the word about the IT Pro Security Zone or the
new white paper.

"They're not sending any of that stuff my way," said Russ Cooper,
surgeon general of TruSecure and moderator of the NTBugtraq security
discussion list, which focuses on Microsoft products.

After reading the white paper, Cooper said that it probably had more
public relations than technical value, especially with a reading
audience made up of administrators at companies with constrained
budgets.

"Hey, if I had a $50 billion war chest, I'd do some of these things
too," Cooper said.

"My god, they deployed 65,000 smart cards. I mean, it's wonderful if
you can get that kind of budget, but I know people who can't get
approval for an antivirus e-mail gateway," he said, noting that smart
cards can cost between $50 and $100 each.

Microsoft also could make the document more useful by providing more
examples of projects the company completed to secure its network, he
said.

The one project Microsoft detailed in the white paper, separating
managed and unmanaged computers on the company's network, was not
complete, and Microsoft said that it was just beginning one core
component of the project, Cooper said.
