Windows Vista Security and Compliance


A Holistic Approach to
Malware Defense
Bruce Cowper
Senior Program Manager, Security Initiative
Microsoft Canada
Understanding Malware Attack Techniques
Common malware attack techniques include:
Social engineering
Backdoor creation
E-mail address theft
Embedded e-mail engines
Exploiting product vulnerabilities
Exploiting new Internet technologies
What Is Defense-in-Depth?
Using a layered approach:
Increases an attacker's risk of detection
Reduces an attacker's chance of success
Layers, from the innermost outward, with the controls that belong to each:
Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy
Application: application hardening
Host: OS hardening, authentication, update management, antivirus updates, auditing
Internal network: network segments, IPsec, NIDS
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Physical security: guards, locks, tracking devices
Policies, procedures, and awareness: security policies, procedures, and education
Malware Defense at the Perimeter
Using application layer firewalls to detect and block malware at the perimeter
Leveraging a layered approach to antivirus and spam filtering
Protecting all of the assets
A Traditional View of a Packet
Only packet headers are inspected; application layer content appears as a "black box"
IP header: source address, destination address, TTL, checksum
TCP header: sequence number, source port, destination port, checksum
Application layer content: not inspected
Forwarding decisions are based on port numbers, so legitimate traffic and application layer attacks use identical ports and are indistinguishable to the filter
[Figure: traffic from the Internet to the corporate network as a port-based filter sees it: expected HTTP traffic, unexpected HTTP traffic and attacks all arrive on the HTTP port and are forwarded alike; only non-HTTP traffic is distinguished]
Application Layer View of a Packet
Packet headers and application content are inspected
IP header: source address, destination address, TTL, checksum
TCP header: sequence number, source port, destination port, checksum
Application layer content (start of an HTTP response body, as the filter sees it):
<html><head><meta http-equiv="content-type" content="text/html; charset=UTF8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"
Forwarding decisions are based on content, so only legitimate and allowed traffic is processed
[Figure: traffic from the Internet to the corporate network through an application layer firewall: allowed HTTP traffic is passed; prohibited HTTP traffic, attacks and non-HTTP traffic are blocked]
Example: Blocking Apps Over HTTP
The application layer firewall blocks an application by searching its HTTP headers for a known signature:

Application                          Search in         HTTP header       Signature
MSN Messenger                        Request headers   User-Agent:       MSN Messenger
Windows Messenger                    Request headers   User-Agent:       MSMSGS
AOL Messenger (and Gecko browsers)   Request headers   User-Agent:       Gecko/
Yahoo Messenger                      Request headers   Host              msg.yahoo.com
Kazaa                                Request headers   P2P-Agent         Kazaa Kazaaclient:
Kazaa                                Request headers   User-Agent:       KazaaClient
Kazaa                                Request headers   X-KazaaNetwork:   KaZaA
Gnutella                             Request headers   User-Agent:       Gnutella Gnucleus
Edonkey                              Request headers   User-Agent:       e2dk
Morpheus                             Response header   Server            Morpheus
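The signature table above, applied to a parsed HTTP message. This is an added example and not code from the slides or from any firewall product; the header parser, the function names and the sample request are constructed for illustration. HTTP header names are case-insensitive, so the parser stores them in a PowerShell hashtable (case-insensitive keys) and the signatures are matched as case-insensitive substrings, which is what entries such as "Gecko/" and "KazaaClient" require.

```powershell
# Added example (not from the slides): match the slide's HTTP header signatures
# against a request or response and report which application, if any, it belongs to.

# Signature table from the slide: where to search, which header, what to look for.
$Signatures = @(
    @{ App = 'MSN Messenger';                    In = 'Request';  Header = 'User-Agent';     Match = 'MSN Messenger' },
    @{ App = 'Windows Messenger';                In = 'Request';  Header = 'User-Agent';     Match = 'MSMSGS' },
    @{ App = 'AOL Messenger (and Gecko browsers)'; In = 'Request'; Header = 'User-Agent';   Match = 'Gecko/' },
    @{ App = 'Yahoo Messenger';                  In = 'Request';  Header = 'Host';           Match = 'msg.yahoo.com' },
    @{ App = 'Kazaa';                            In = 'Request';  Header = 'P2P-Agent';      Match = 'Kazaa Kazaaclient:' },
    @{ App = 'Kazaa';                            In = 'Request';  Header = 'User-Agent';     Match = 'KazaaClient' },
    @{ App = 'Kazaa';                            In = 'Request';  Header = 'X-KazaaNetwork'; Match = 'KaZaA' },
    @{ App = 'Gnutella';                         In = 'Request';  Header = 'User-Agent';     Match = 'Gnutella Gnucleus' },
    @{ App = 'Edonkey';                          In = 'Request';  Header = 'User-Agent';     Match = 'e2dk' },
    @{ App = 'Morpheus';                         In = 'Response'; Header = 'Server';         Match = 'Morpheus' }
)

function ConvertFrom-HttpHeaders {
    # Parses the header block of a raw HTTP request or response into a hashtable.
    param([string]$Raw)
    $headers = @{}                                  # @{} keys are case-insensitive
    $lines = $Raw -split "`r?`n"
    for ($i = 1; $i -lt $lines.Count; $i++) {       # index 0 is the request/status line
        if ($lines[$i] -eq '') { break }            # blank line ends the headers
        $name, $value = $lines[$i] -split ':', 2
        if ($null -ne $value) { $headers[$name.Trim()] = $value.Trim() }
    }
    return $headers
}

function Find-BlockedApplication {
    # Emits the application name for every signature that matches; nothing if none does.
    param(
        [ValidateSet('Request', 'Response')][string]$Direction,
        [hashtable]$Headers
    )
    foreach ($sig in $Signatures) {
        if ($sig.In -ne $Direction) { continue }
        $value = $Headers[$sig.Header]
        if ($value -and $value.IndexOf($sig.Match, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $sig.App
        }
    }
}

# Constructed sample request (not captured traffic): a Kazaa client talking over port 80.
$sampleRequest = @"
GET /search?q=x HTTP/1.1
Host: desktop.kazaa.com
User-Agent: KazaaClient Nov 3 2004 13:02:30
Connection: close

"@
$matched = @(Find-BlockedApplication -Direction Request -Headers (ConvertFrom-HttpHeaders $sampleRequest))
if ($matched.Count -gt 0) { "Block: signature matched for $($matched -join ', ')" }
else                      { "Allow: no application signature matched" }
```

Every field this check reads is written by the client, so a peer-to-peer client that changes its User-Agent string walks straight through. Header signatures enforce policy against well-behaved applications; they are not a boundary against a deliberate adversary, and the slide's deeper content inspection (the full HTTP body, protocol conformance) is what raises the bar.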
Layered AntiVirus & AntiSpam
[Figure: Antigen scanning at every server where viruses and worms can enter]
IM and documents: Antigen on Live Communications Server and on SharePoint Server
E-mail: ISA Server, then Antigen on Windows SMTP Server and on Exchange Servers
Multiple Scan Engine Management
[Figure: Antigen running scan engines 1 through 4 in parallel, with a quarantine for detected items]
• Manage up to 9 scan engines
• Eliminate single point of failure
• Minimize window of exposure during outbreaks
Malware Defense at the Client
Windows Service Hardening
Defense in depth: services run with reduced privilege compared to Windows XP
Windows services are profiled for allowed actions to the network, file system, and registry
Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile
[Figure: service hardening gives active protection over the file system, the registry, and the network]
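How to see the service profile the slide describes on a real machine. This is an added example, not code from the slides. Windows Service Hardening enforces a service's profile with a per-service SID, a write-restricted token and a trimmed privilege list, and the service control manager records these under the service's registry key (ServiceSidType: 0 none, 1 unrestricted, 3 restricted; RequiredPrivileges: the only privileges the service keeps). The function names and the "profiled" heuristic below are this example's own.

```powershell
# Added example (not from the slides): audit which services still run the Windows XP
# way, i.e. under LocalSystem, LocalService or NetworkService with no service SID
# restriction and no trimmed privilege list. Read-only; PowerShell 2.0 or later.

$servicesKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$highPrivAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$sidTypeNames     = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

function Get-ServiceHardeningProfile {
    # One object per Win32 service (Type 0x10 own-process or 0x20 shared-process);
    # drivers and non-service keys are skipped.
    foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ObjectName) { continue }
        if (([int]$p.Type -band 0x30) -eq 0) { continue }
        $sidType = 0
        if ($null -ne $p.ServiceSidType) { $sidType = [int]$p.ServiceSidType }
        $privs = @()
        if ($p.RequiredPrivileges) { $privs = @($p.RequiredPrivileges) }
        New-Object PSObject -Property @{
            Name       = $key.PSChildName
            Account    = $p.ObjectName
            SidType    = $sidTypeNames[$sidType]
            Privileges = $privs
            # Heuristic (this example's own): a service counts as profiled when its
            # token is write-restricted or its privilege list has been trimmed.
            Profiled   = ($sidType -eq 3) -or ($privs.Count -gt 0)
        }
    }
}

function Get-UnprofiledHighPrivilegeService {
    Get-ServiceHardeningProfile |
        Where-Object { ($highPrivAccounts -contains $_.Account) -and (-not $_.Profiled) }
}

Get-UnprofiledHighPrivilegeService | Sort-Object Name |
    Format-Table Name, Account, SidType, @{ Label = 'Privileges'; Expression = { $_.Privileges -join ',' } } -AutoSize
```

The same two settings are shown per service by sc.exe qsidtype and sc.exe qprivs, and set for your own services with sc.exe sidtype and sc.exe privs. Third-party services that appear in this list are the ones worth moving to a dedicated account, a restricted SID and an explicit privilege list, because a compromise of such a service still yields the full LocalSystem token. Note that the profile narrows where a service may write, not what it may read.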
Internet Explorer 7
Social Engineering Protections
Phishing Filter and Colored Address Bar
Dangerous Settings Notification
Secure defaults for IDN
Protection from Exploits
Unified URL Parsing
Code quality improvements (SDLC)
ActiveX Opt-in
Protected Mode to prevent malicious software
Phishing Filter
Dynamic Protection Against Fraudulent Websites
3 "checks" to protect users from phishing scams:
1. Compares the web site with a local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double-checks the site with an online Microsoft service of reported phishing sites, updated several times every hour
Two Levels of Warning and Protection in the IE7 Security Status Bar
Level 1: Warn. Suspicious website: signaled
Level 2: Block. Confirmed phishing site: signaled and blocked
Windows Defender
Improved detection and removal
Redesigned and simplified user interface
Protection for all users
Windows Vista Firewall
Combined firewall and IPsec management
New management tools: the Windows Firewall with Advanced Security MMC snap-in
Reduces conflicts and coordination overhead between technologies
Firewall rules become more intelligent
Specify security requirements such as authentication and encryption
Specify Active Directory computer or user groups
Outbound filtering
Enterprise management feature, not for consumers
Simplified protection policy reduces management overhead
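The rule types the slide lists, written out with the netsh advfirewall context that Windows Vista ships alongside the snap-in. This is an added example, not configuration from the slides: the rule names, the port, the program path and the two S-1-5-21-... group SIDs are placeholders to replace with your own (whoami /groups prints a group's SID).

```powershell
# Added example (not from the slides): combined firewall + IPsec rules on Windows Vista.
# Run from an elevated PowerShell prompt; all values below are illustrative.

# 1. Connection security rule: require IPsec with Kerberos computer authentication for
#    inbound traffic on the domain profile, request it for outbound.
netsh advfirewall consec add rule name="Domain IPsec (require in, request out)" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# 2. Firewall rule that depends on that authentication and on Active Directory groups:
#    Remote Desktop only from computers in one group and for users in another.
$helpdeskComputersSid = 'S-1-5-21-1111111111-2222222222-3333333333-1101'   # placeholder
$helpdeskUsersSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1102'   # placeholder
netsh advfirewall firewall add rule name="RDP from helpdesk only (IPsec)" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain `
    security=authenticate `
    rmtcomputergrp="D:(A;;CC;;;$helpdeskComputersSid)" `
    rmtusrgrp="D:(A;;CC;;;$helpdeskUsersSid)"

# 3. Outbound filtering, the enterprise feature the slide mentions: block outbound by
#    default on the domain profile, then allow only what is needed.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow DNS out" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Allow web out (IE)" dir=out action=allow `
    protocol=TCP remoteport=80,443 program="$env:ProgramFiles\Internet Explorer\iexplore.exe"

# Read back the group-restricted rule to confirm the security and group settings took.
netsh advfirewall firewall show rule name="RDP from helpdesk only (IPsec)" verbose
```

Two things to check before rolling this out: a rule with security=authenticate only ever matches connections that IPsec actually authenticated, so without a matching connection security rule it silently matches nothing; and a blanket outbound block breaks applications you have not listed, so inventory outbound traffic first and add the allow rules before switching the default.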
Network Access Protection
[Figure: NAP enforcement flow, numbered as below]
1. The Windows Vista client, which is not policy compliant, requests access through DHCP, a VPN, or a switch/router
2. The access device passes the client's health state to the Microsoft Network Policy Server
3. The Network Policy Server checks that state against policy servers, e.g. Microsoft Security Center, SMS, Antigen or 3rd party
4. A non-compliant client is placed on the restricted network, where fix-up servers, e.g. Microsoft WSUS, SMS and 3rd party, bring it into compliance
5. Once policy compliant, the client is admitted to the corporate network
Enhanced Security
All communications are authenticated, authorized and healthy
Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
Policy-based access that IT Pros can set and control
Device Group Policy
Device installation restrictions determine what devices can be installed on computers:
Prevent installation of drivers
Prevent installation of devices
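What those restrictions look like once Group Policy has written them, and how to read them back. This is an added example, not from the slides: it writes the Device Installation Restrictions policy values to the local machine for illustration (in production they come from a GPO), and the allow-list of three device setup classes (Keyboard, Mouse, HIDClass, using Microsoft's published class GUIDs) is this example's own choice.

```powershell
# Added example (not from the slides): allow-list device installation so that only
# keyboards, mice and HID devices can be installed, with no administrator override.
# Run elevated. The policy affects new installations, not devices already present.

$restrictions   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$allowedClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}',  # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'   # HIDClass
)

function Set-DeviceInstallRestriction {
    foreach ($path in @($restrictions, "$restrictions\AllowDeviceClasses")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    # "Prevent installation of devices not described by other policy settings"
    Set-ItemProperty -Path $restrictions -Name DenyUnspecified      -Type DWord -Value 1
    # "Allow administrators to override" left off: admins get the same restriction
    Set-ItemProperty -Path $restrictions -Name AllowAdminInstall    -Type DWord -Value 0
    # "Prevent installation of removable devices"
    Set-ItemProperty -Path $restrictions -Name DenyRemovableDevices -Type DWord -Value 1
    # "Allow installation of devices using drivers that match these device setup classes":
    # a DWORD switch plus a subkey whose values "1", "2", ... hold the class GUIDs
    Set-ItemProperty -Path $restrictions -Name AllowDeviceClasses   -Type DWord -Value 1
    for ($i = 0; $i -lt $allowedClasses.Count; $i++) {
        Set-ItemProperty -Path "$restrictions\AllowDeviceClasses" -Name "$($i + 1)" -Type String -Value $allowedClasses[$i]
    }
}

function Get-DeviceInstallRestriction {
    # Reads the policy back so it can be verified here or audited on another machine.
    $p = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
    $classKey = Get-ItemProperty -Path "$restrictions\AllowDeviceClasses" -ErrorAction SilentlyContinue
    $classes = @()
    if ($classKey) {
        $classes = @($classKey.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    New-Object PSObject -Property @{
        DenyUnspecified      = [int]$p.DenyUnspecified
        AllowAdminInstall    = [int]$p.AllowAdminInstall
        DenyRemovableDevices = [int]$p.DenyRemovableDevices
        AllowedClasses       = $classes
    }
}

Set-DeviceInstallRestriction
Get-DeviceInstallRestriction | Format-List
```

Devices are matched by the setup class of the driver that would install them, so a USB keyboard passes (HID or Keyboard class) while a USB disk is refused (DiskDrive and USB storage classes are not listed). Before deploying, test with the actual hardware in use; an unlisted class such as a smart-card reader or a docking station will be blocked just as firmly.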
User Account Control
Goal: allow businesses to move to a better-managed desktop and consumers to use parental controls
Make the system work well for standard users
Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
High application compatibility with file/registry virtualization
Make it clear when elevation to admin is required and allow that to happen in-place without logging off
Administrators use full privilege only for administrative tasks or applications
User provides explicit consent before using elevated privilege
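Two things a script has to do to live with UAC as the slide describes it: find out whether it currently holds the full administrator token or the filtered standard-user token, and, when it needs more, ask for elevation in place through the consent prompt rather than fail on an access-denied error. This is an added example, not code from the slides; the function names are this example's own. The third function looks for writes that file and registry virtualization redirected, which identifies applications that still assume they run as administrator.

```powershell
# Added example (not from the slides): elevation check, in-place elevation through the
# UAC prompt, and a look at what file/registry virtualization has redirected.

function Test-IsElevated {
    # True only for the full administrator token. An administrator running under UAC
    # holds a filtered token in which the Administrators group is deny-only, so IsInRole
    # returns false until the user has consented to elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    # Re-launches the given script elevated. UAC shows a consent prompt to an
    # administrator and a credential prompt to a standard user; returns $true if this
    # process is already elevated, $false after starting the elevated copy or if the
    # user cancelled the prompt.
    param([string]$ScriptPath = $script:MyInvocation.MyCommand.Path)
    if (Test-IsElevated) { return $true }
    if (-not $ScriptPath) { throw 'No script path: run this from a .ps1 file.' }
    $argList = '-NoProfile -ExecutionPolicy Bypass -File "' + $ScriptPath + '"'
    try {
        Start-Process -FilePath powershell.exe -ArgumentList $argList -Verb RunAs | Out-Null
    } catch {
        Write-Warning "Elevation was refused or cancelled: $($_.Exception.Message)"
    }
    return $false
}

function Get-VirtualizedWrites {
    # Lists files and registry keys that virtualization redirected for this user: writes
    # aimed at Program Files land under %LOCALAPPDATA%\VirtualStore, writes aimed at
    # HKLM\SOFTWARE under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE.
    param([string]$AppName = '*')
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $files = @()
    if (Test-Path $fileStore) {
        $files = @(Get-ChildItem $fileStore -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.FullName -like "*$AppName*" } |
            ForEach-Object { $_.FullName })
    }
    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $keys = @()
    if (Test-Path $regStore) {
        $keys = @(Get-ChildItem $regStore -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$AppName*" } |
            ForEach-Object { $_.Name })
    }
    return @{ Files = $files; RegistryKeys = $keys }
}

if (Invoke-Elevated) {
    "Running elevated as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    $v = Get-VirtualizedWrites
    "Virtualized files: $($v.Files.Count); virtualized registry keys: $($v.RegistryKeys.Count)"
}
```

Virtualization keeps legacy applications working, but each redirected write is data the application thinks is machine-wide and is in fact per-user and unprotected by the HKLM or Program Files ACLs; a long list from Get-VirtualizedWrites is the argument for fixing the application (write to per-user locations, or declare requireAdministrator in its manifest) rather than for relaxing UAC.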
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.