A Holistic Approach to Malware Defense
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada

Understanding Malware Attack Techniques
Common malware attack techniques include:
- Social engineering
- Backdoor creation
- E-mail address theft
- Embedded e-mail engines
- Exploiting product vulnerabilities
- Exploiting new Internet technologies

What Is Defense-in-Depth?
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
The layers, from the innermost outward:
- Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy
- Application: application hardening
- Host: OS hardening, authentication, update management, antivirus updates, auditing
- Internal network: network segments, IPsec, NIDS
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Physical security: guards, locks, tracking devices
- Policies, procedures, and awareness: security policies, procedures, and education

Malware Defense at the Perimeter
- Using application layer firewalls to detect and block malware at the perimeter
- Leveraging a layered approach to antivirus and spam filtering
- Protecting all of the assets

A Traditional View of a Packet
- Only packet headers are inspected; application layer content appears as a "black box"
- IP header: source address, destination address, TTL, checksum
- TCP header: sequence number, source port, destination port, checksum
- Application layer content: opaque to the firewall
- Forwarding decisions are based on port numbers, so legitimate traffic and application layer attacks use identical ports and cannot be told apart
[Diagram: traffic from the Internet to the corporate network, labelled as expected HTTP traffic, unexpected HTTP traffic, attacks, and non-HTTP traffic; a port-based filter distinguishes only the last of these.]

Application Layer View of a Packet
- Packet headers and application content are inspected
- IP header: source address, destination address, TTL, checksum
- TCP header: sequence number, source port, destination port, checksum
- Application layer content, for example: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...
- Forwarding decisions are based on content, so only legitimate and allowed traffic is processed
[Diagram: the same flow, now labelled as allowed HTTP traffic, prohibited HTTP traffic, attacks, and non-HTTP traffic, with only allowed HTTP traffic reaching the corporate network.]

Example: Blocking Apps Over HTTP

  Application                        Search in HTTP header   Signature
  MSN Messenger                      Request headers         User-Agent: MSN Messenger
  Windows Messenger                  Request headers         User-Agent: MSMSGS
  AOL Messenger (and Gecko browsers) Request headers         User-Agent: Gecko/
  Yahoo Messenger                    Request headers         Host: msg.yahoo.com
  Kazaa                              Request headers         P2P-Agent: Kazaa, Kazaaclient:
  Kazaa                              Request headers         User-Agent: KazaaClient
  Kazaa                              Request headers         X-KazaaNetwork: KaZaA
  Gnutella                           Request headers         User-Agent: Gnutella, Gnucleus
  Edonkey                            Request headers         User-Agent: e2dk
  Morpheus                           Response header         Server: Morpheus

Note the AOL Messenger row: the "Gecko/" signature also matches Gecko-based browsers such as Firefox, so a rule built on it blocks those browsers as well. Header-based signatures are only as specific as the header the application chooses to send.

Layered AntiVirus & AntiSpam
[Diagram: viruses and worms arriving through IM and documents (Live Communications Server, SharePoint Server) and through e-mail (ISA Server at the perimeter, Windows SMTP Server, Exchange Servers), with Antigen scanning at each of those servers.]

Multiple Scan Engine Management
- Manage up to 9 scan engines
- Eliminate a single point of failure
- Minimize the window of exposure during outbreaks
[Diagram: Antigen quarantine fed by scan engines 1 to 4.]

Malware Defense at the Client

Windows Service Hardening
- Defense in depth
- Services run with reduced privilege compared to Windows XP
- Windows services are profiled for the actions they are allowed to take against the network, file system, and registry
- Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile
[Diagram: service hardening providing active protection over the file system, registry, and network.]

Internet Explorer 7
Social engineering protections:
- Phishing Filter and colored address bar
- Dangerous settings notification
- Secure defaults for IDN
Protection from exploits:
- Unified URL parsing
- Code quality improvements (SDLC)
- ActiveX opt-in
- Protected Mode to prevent malicious software

Phishing Filter: Dynamic Protection Against Fraudulent Websites
Three "checks" protect users from phishing scams:
1. Compares the web site with a local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks the site with an online Microsoft service of reported phishing sites, updated several times every hour
Two levels of warning and protection in IE7, shown in the security status bar:
- Level 1, warn: a suspicious website is signaled
- Level 2, block: a confirmed phishing site is signaled and blocked

Windows Defender
- Improved detection and removal
- Redesigned and simplified user interface
- Protection for all users

Windows Vista Firewall
- Combined firewall and IPsec management
  - New management tool: the Windows Firewall with Advanced Security MMC snap-in
  - Reduces conflicts and coordination overhead between the two technologies
- Firewall rules become more intelligent
  - Specify security requirements such as authentication and encryption
  - Specify Active Directory computer or user groups
- Outbound filtering
  - An enterprise management feature, not a consumer feature
- A simplified protection policy reduces management overhead

Network Access Protection
[Diagram of the NAP flow, numbered as on the slide:]
1. A Windows Vista client that is not policy compliant requests access through a network access device: DHCP, VPN, or a switch/router.
2. The access device passes the client's health statement to the Microsoft Network Policy Server.
3. The Network Policy Server validates the statement against policy servers, e.g. Microsoft Security Center, SMS, Antigen, or third-party products.
4. A non-compliant client is placed on a restricted network with access only to fix-up servers, e.g. Microsoft WSUS, SMS, and third-party remediation.
5. Once the client is policy compliant it is admitted to the corporate network.
- Enhanced security: all communications are authenticated, authorized, and healthy
- Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
- Policy-based access that IT pros can set and control

Device Group Policy
- Device installation restrictions determine what devices can be installed on computers
  - Prevent installation of drivers
  - Prevent installation of devices

User Account Control
Goal: allow businesses to move to a better-managed desktop and consumers to use parental controls
- Make the system work well for standard users
  - Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
  - High application compatibility: make it clear when elevation to admin is required and allow that to happen in place without logging off; file/registry virtualization keeps legacy applications working
- Administrators use full privilege only for administrative tasks or applications
- The user provides explicit consent before elevated privilege is used

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
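The port-only versus content-based forwarding decision from the two packet-view slides, and the header signature table from "Example: Blocking Apps Over HTTP", as one worked example in Python. This is an added example, not code from the presentation or from ISA Server: the header parser, the decision functions and the sample HTTP messages are constructed here, and the Kazaa "Kazaaclient:" entry is treated as a presence-only header match, which is an assumption about what the slide abbreviates.

```python
"""Application-layer inspection of HTTP header signatures (added example,
not the presentation's or ISA Server's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    app: str
    direction: str   # "request" or "response"
    header: str      # header name, matched case-insensitively
    needle: str      # substring expected in the value; "" means header present


# Signature table transcribed from the slide. The "Kazaaclient" presence-only
# entry is an assumption about what the slide's "Kazaaclient:" abbreviates.
SIGNATURES: List[Signature] = [
    Signature("MSN Messenger", "request", "User-Agent", "MSN Messenger"),
    Signature("Windows Messenger", "request", "User-Agent", "MSMSGS"),
    Signature("AOL Messenger (and Gecko browsers)", "request", "User-Agent", "Gecko/"),
    Signature("Yahoo Messenger", "request", "Host", "msg.yahoo.com"),
    Signature("Kazaa", "request", "P2P-Agent", "Kazaa"),
    Signature("Kazaa", "request", "Kazaaclient", ""),
    Signature("Kazaa", "request", "User-Agent", "KazaaClient"),
    Signature("Kazaa", "request", "X-KazaaNetwork", "KaZaA"),
    Signature("Gnutella", "request", "User-Agent", "Gnutella"),
    Signature("Gnutella", "request", "User-Agent", "Gnucleus"),
    Signature("Edonkey", "request", "User-Agent", "e2dk"),
    Signature("Morpheus", "response", "Server", "Morpheus"),
]


def parse_http_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP message into (start line, {lowercased name: value}).
    Accepts CRLF or bare LF, stops at the blank line before the body, and
    joins repeated headers with ', ' as RFC 7230 allows for list-valued fields."""
    text = raw.decode("iso-8859-1")  # header bytes are Latin-1, never UTF-8
    sep = "\r\n\r\n" if "\r\n\r\n" in text else "\n\n"
    head = text.split(sep, 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            continue  # malformed line: ignore it rather than crash the filter
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers


def match_signatures(raw: bytes, direction: str) -> List[str]:
    """Names of every signature whose header value contains its needle.
    Needles are compared case-sensitively to mirror the slide's exact strings."""
    _, headers = parse_http_headers(raw)
    hits = []
    for sig in SIGNATURES:
        if sig.direction != direction:
            continue
        value = headers.get(sig.header.lower())
        if value is not None and sig.needle in value:
            hits.append(sig.app)
    return hits


def port_only_decision(dst_port: int, allowed_ports=(80, 443)) -> str:
    """The traditional view: the decision comes from the TCP header alone."""
    return "allow" if dst_port in allowed_ports else "block"


def application_layer_decision(dst_port: int, raw: bytes, direction: str) -> str:
    """The application layer view: the port check, then content inspection."""
    if port_only_decision(dst_port) == "block":
        return "block"
    return "block" if match_signatures(raw, direction) else "allow"


# Constructed sample messages, not captured traffic.
MSN_REQUEST = (b"GET /gateway/gateway.dll HTTP/1.1\r\n"
               b"Host: gateway.messenger.hotmail.com\r\n"
               b"user-agent: MSN Messenger 7.5\r\n\r\n")
IE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.msnbc.com\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n\r\n")
FIREFOX_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.msnbc.com\r\n"
                   b"User-Agent: Mozilla/5.0 (Windows NT 6.0) Gecko/20061010 Firefox/2.0\r\n\r\n")
MORPHEUS_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Morpheus\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, msg, d in (("MSN", MSN_REQUEST, "request"), ("IE", IE_REQUEST, "request"),
                          ("Firefox", FIREFOX_REQUEST, "request"),
                          ("Morpheus", MORPHEUS_RESPONSE, "response")):
        print(label, port_only_decision(80), application_layer_decision(80, msg, d),
              match_signatures(msg, d))
```

All four sample messages travel on port 80, so the port-only filter allows every one of them; only the content inspection separates the messenger and peer-to-peer traffic from the browser. The Firefox sample shows the caveat on the slide's AOL row: its User-Agent also matches "Gecko/", so the rule blocks the browser too. Header names are matched case-insensitively because clients are free to send "user-agent" in any case, while a filter that only looked for "User-Agent" would be bypassed by a one-character change.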
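The three-check Phishing Filter pipeline and the two warning levels from the IE7 slides, as an added Python example that is not Microsoft's implementation. The known-legitimate list, the reported-site list and the heuristic rules (IP-literal hosts, userinfo in the URL, deep subdomain nesting, punycode labels, a brand name outside the registrable domain) are constructed stand-ins: the page does not describe the real filter's heuristics or its feed, and the example only shows how the checks combine into "allow", "warn" and "block".

```python
"""Three-check phishing classifier with two warning levels (added example,
not IE7's implementation; lists and heuristics are hypothetical)."""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Check 1: constructed local list of known legitimate sites (hypothetical).
KNOWN_LEGITIMATE = {"www.msnbc.com", "www.microsoft.com", "login.live.com"}

# Check 3: constructed stand-in for the online feed of reported phishing sites.
REPORTED_PHISHING = {"login-live.example.net", "secure-update.example.org"}

# Brand names a phishing host commonly borrows; used by the heuristic check.
BRANDS = ("live", "microsoft", "msn", "paypal", "bank")


def hostname_of(url: str) -> str:
    """Lowercased host part of the URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_flags(url: str) -> List[str]:
    """Check 2: characteristics common to phishing sites (hypothetical rules)."""
    parts = urlsplit(url)
    host = hostname_of(url)
    flags = []
    if is_ip_literal(host):
        flags.append("ip-literal host")
    if "@" in parts.netloc:
        flags.append("userinfo in URL")          # http://bank.example@203.0.113.5/
    if host.count(".") >= 4:
        flags.append("deeply nested subdomain")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode IDN label")       # ties to IE7's secure IDN defaults
    # Crude registrable-domain guess: the last two labels. A real filter would
    # use a public suffix list; this stand-in is enough to show the idea.
    registrable = ".".join(host.split(".")[-2:])
    for brand in BRANDS:
        if brand in host and not registrable.startswith(brand):
            flags.append(f"brand '{brand}' outside registrable domain")
            break
    return flags


def classify(url: str) -> Tuple[int, str]:
    """Return (level, reason): 0 = allow, 1 = warn (suspicious), 2 = block (confirmed).
    A confirmed report always outranks heuristics; the allow-list short-circuits both."""
    host = hostname_of(url)
    if host in KNOWN_LEGITIMATE:                 # check 1
        return 0, "known legitimate site"
    flags = heuristic_flags(url)                 # check 2
    if host in REPORTED_PHISHING:                # check 3: confirmed, level 2
        return 2, "reported phishing site"
    if flags:                                    # suspicious only, level 1
        return 1, "suspicious: " + "; ".join(flags)
    return 0, "no indicators"


if __name__ == "__main__":
    for u in ("https://www.msnbc.com/", "http://192.0.2.10/signin",
              "http://login.microsoft.com.account-verify.example.org/",
              "http://login-live.example.net/", "http://www.example.com/"):
        print(u, classify(u))
```

The ordering matters: the allow-list is consulted first so that legitimate sites are never sent to the online service or flagged by heuristics, and a confirmed report decides the outcome before the heuristics do, so a reported site is blocked even if it happens to look clean. Heuristics alone only ever produce the level 1 warning, matching the slide's distinction between "suspicious" and "confirmed".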