
Securing the IT Environment at Microsoft

Published:
June 2004

Enterprise security compliance management


Solution Overview

Situation
● Need for a process to help enforce security compliance to
a minimum set of security standards

Solution
● Develop a security policy and enforce compliance

Benefits
● Reduced exposure to exploits of vulnerabilities
● Proactive approach to securing the network
● More complete closing of security vulnerabilities
Products and Technologies

● SMS 2003 Advanced Client
● Windows Update Service / Software Update Services
● MBSA 1.2
● Logon Scripts
● Custom Tools
● SQL Server Database, Windows SharePoint Services, Microsoft Office
Microsoft IT Compliance Challenges

● Need for multiple layers of security, not just perimeter defenses
● Timeliness of security updates
● Specific considerations of the Microsoft
corporate network environment
● Awareness of the number of computers and
whether updates are installed
● Quick reaction to new exploits
Security Compliance Management Strategy

Decision support system guided by a security strategy

Process                      People (Key Contributors)        Technology
1 Discovery and Assessment   Corporate Security               SMS
2 Compliance Evaluation      Executive Sponsor                Windows Update Services
3 Test                       Data Center Operations / Labs    MBSA
4 Deploy                     Business Unit Applications       Logon Scripts
5 Enforce                    Desktop / Laptop Services        Custom Tools
                                                              SQL Server / Office Apps
Compliance Competency Pyramid

Levels, from the top of the pyramid down:

Manage         Drive system configuration to standard
Enforce        Remove from network / force patch
Assess State   Check configuration vs. policy, check for vulnerabilities
Create Policy  Define expected behavior, communicate to employees
Assess Risk    Identify threats, quantify, qualify; define actions, set priorities
Enumerate      Identify network environment, physical and logical

Executive Sponsorship

Security is a business priority

Obtain Executive Support
● Place network security higher than convenience for any individual
● Achieve companywide agreement on process and consequences of security compliance management
Enumerate and Identify the Network Environment
● At a physical level, enumerate all devices and inventory operating systems and applications
● At a logical level, examine namespaces and trust relationships
Assess Risks in the Network Environment
● Base a security approach on the unique needs of the enterprise
● Assess the risk levels of specific vulnerabilities
● Create a risk model that evaluates a vulnerability’s risk level against:
  ● Size of corporate installed base and network architecture
  ● Severity of vulnerability
  ● Availability of exploit code
● Determine the approach to risk mitigation
● Identify technologies and environments
Create a Policy

● Establish a baseline configuration
● Discover and track new vulnerabilities
● Define a process (a six-step cycle) for managing identified vulnerabilities:
  1 Vulnerability identified: assess and track risk related to the vulnerability
  2 If risk is high or critical, update policy and notify clients
  3 Develop scanning criteria to detect security compliance
  4 Scan the network for compliance to security policy
  5 Enforce compliance after grace period
  6 Measure and report results of compliance monitoring
● Develop a library of the risk-related vulnerabilities
● Define measurable tolerance metrics for each vulnerability
● Set timelines for critical and non-critical priorities
● Communicate the policy and update notices via centralized information
Assess the State of Compliance

● Develop a scan library
● Evaluate compliance through scanning:
  ● Support aggregation of devices into logical groups
  ● Scan for security vulnerabilities and misconfigurations
  ● Support all network environments and configurations
  ● Prioritize vulnerabilities and identify targets for compliance and remediation
  ● Support all historical vulnerabilities
  ● Document your actions
Enforce Compliance to the Security Policy
● Levels of enforcement:
  ● E-mail
  ● Escalation
  ● Force-patching
  ● Port shutdowns
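The risk model, the grace-period timelines and the enforcement ladder above are described only in outline. The following is an added example, not code from the Microsoft IT deck, that turns them into one small decision model: severity weights, the 1-4 severity scale, the grace periods per risk level, the day cut-offs between enforcement levels, and the VULN-000x identifiers and device names are all constructed assumptions.

```python
"""Added example (not from the Microsoft IT deck): a decision model for the
risk / policy / enforcement steps.  Every weight, threshold, grace period and
identifier below is a constructed assumption, not a Microsoft value."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assess Risk: the deck names severity, installed base and exploit availability.
# Assumed 1-4 scale for the vendor severity rating.
SEVERITY_SCORE = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Create a Policy: assumed timelines (days of grace after publication) per risk level.
GRACE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 60}

# Enforce: the deck's escalation ladder, with assumed cut-offs in days past the deadline.
ENFORCEMENT_LADDER = ((7, "e-mail"), (14, "escalation"), (21, "force-patch"))
FINAL_ACTION = "port shutdown"


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str               # constructed identifier
    severity: str              # vendor severity rating
    exploit_public: bool       # exploit code publicly available?
    installed_base_pct: float  # share of corporate devices running the affected product
    published: date            # date the policy entry / update was published


def _as_date(d) -> date:
    """Accept a date or an ISO 8601 string such as '2004-06-20'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def risk_level(v: Vulnerability) -> str:
    """Rate a vulnerability against severity, exploit availability and installed
    base, collapsing the score into low / medium / high / critical."""
    score = SEVERITY_SCORE[v.severity]
    if v.exploit_public:
        score += 2                      # public exploit code raises urgency
    if v.installed_base_pct >= 0.5:
        score += 2                      # majority of the fleet is exposed
    elif v.installed_base_pct >= 0.1:
        score += 1
    if score >= 7:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def requires_policy_update(v: Vulnerability) -> bool:
    """Cycle step 2: only high or critical risks update the policy and notify clients."""
    return risk_level(v) in ("high", "critical")


def compliance_deadline(v: Vulnerability) -> date:
    """The grace period ends GRACE_DAYS after publication, scaled by risk level."""
    return v.published + timedelta(days=GRACE_DAYS[risk_level(v)])


def enforcement_action(v: Vulnerability, scan_date, compliant: bool) -> str:
    """Cycle step 5: choose the enforcement level for one device finding.

    A compliant device, or one still inside its grace period, gets no action;
    otherwise the action escalates with the number of days past the deadline."""
    if compliant:
        return "none"
    days_past = (_as_date(scan_date) - compliance_deadline(v)).days
    if days_past <= 0:
        return "none"
    for limit, action in ENFORCEMENT_LADDER:
        if days_past < limit:
            return action
    return FINAL_ACTION


def plan_enforcement(findings, scan_date) -> dict:
    """Map (device, vuln_id) -> action for (device, Vulnerability, compliant) tuples."""
    return {(dev, v.vuln_id): enforcement_action(v, scan_date, ok) for dev, v, ok in findings}


# Constructed sample vulnerabilities.
CRITICAL = Vulnerability("VULN-0001", "critical", True, 0.80, date(2004, 6, 1))
LOW = Vulnerability("VULN-0002", "low", False, 0.05, date(2004, 6, 1))
MEDIUM = Vulnerability("VULN-0003", "important", False, 0.30, date(2004, 6, 1))

if __name__ == "__main__":
    findings = [("PC-01", CRITICAL, False), ("PC-02", CRITICAL, True), ("PC-03", LOW, False)]
    for key, action in plan_enforcement(findings, "2004-06-20").items():
        print(key, action)
```

The deadline is derived from the risk level rather than the raw severity, so a critical-severity issue with no public exploit and a small installed base gets a longer grace period than a widely deployed one with exploit code available, which is the point of the deck's three-factor model.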
Measure and Report Security Compliance
● Reporting and analysis tools
● Compliance measurement and reporting
  ● Compare scanned vulnerabilities and misconfigurations with prescribed tolerance levels
  ● Provide executive, operational, and environment-specific reporting
  ● Provide operational messaging and communication
● Auditing
  ● Audit known environments by IP range
  ● Audit IP ranges not belonging to a Microsoft environment
  ● Audit devices without prior identification or enumeration
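Measurement against tolerance levels and auditing by IP range are the two mechanics this slide leaves abstract. The added example below, which is not code from the deck, aggregates a constructed scan result set into logical groups by IP range, compares each group's non-compliance with a tolerance level, rolls the figures up for an executive view, and lists devices that fall outside every enumerated environment. The environment names and ranges, the scan results, and the tolerance values are all constructed assumptions.

```python
"""Added example (not from the Microsoft IT deck): compliance measurement,
reporting and IP-range auditing over a constructed scan result set."""
import ipaddress
from collections import defaultdict

# Enumerated environments by IP range (constructed RFC 1918 ranges, not Microsoft's).
ENVIRONMENTS = {
    "Corporate": "10.1.0.0/16",
    "Labs": "10.2.0.0/16",
}
UNKNOWN = "unknown"

# Constructed scan output: each device's address and the policy items found missing.
SCAN_RESULTS = [
    {"ip": "10.1.0.5", "missing": []},
    {"ip": "10.1.0.6", "missing": ["VULN-0001"]},
    {"ip": "10.1.0.7", "missing": []},
    {"ip": "10.2.0.9", "missing": ["VULN-0001"]},
    {"ip": "10.2.0.10", "missing": []},
    {"ip": "192.168.5.4", "missing": ["VULN-0003"]},  # outside every enumerated range
]


def classify_host(ip: str, environments=ENVIRONMENTS) -> str:
    """Aggregate a device into its logical group by IP range.  Addresses outside
    every known range are labelled unknown so they can be audited separately."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in environments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return UNKNOWN


def compliance_by_group(results, environments=ENVIRONMENTS) -> dict:
    """Per group: device count, compliant count and the non-compliant fraction."""
    totals = defaultdict(lambda: {"devices": 0, "compliant": 0})
    for r in results:
        group = totals[classify_host(r["ip"], environments)]
        group["devices"] += 1
        if not r["missing"]:
            group["compliant"] += 1
    for group in totals.values():
        group["noncompliant_pct"] = round(1 - group["compliant"] / group["devices"], 3)
    return dict(totals)


def tolerance_breaches(report: dict, max_noncompliant: float) -> list:
    """Compare measured non-compliance with the prescribed tolerance level and
    return the groups that exceed it, sorted by name."""
    return sorted(name for name, g in report.items() if g["noncompliant_pct"] > max_noncompliant)


def unknown_hosts(results, environments=ENVIRONMENTS) -> list:
    """Auditing: devices scanned without prior identification or enumeration."""
    return [r["ip"] for r in results if classify_host(r["ip"], environments) == UNKNOWN]


def executive_summary(report: dict) -> dict:
    """Roll the group figures up into a company-wide compliance rate."""
    devices = sum(g["devices"] for g in report.values())
    compliant = sum(g["compliant"] for g in report.values())
    return {"devices": devices, "compliant": compliant, "rate": round(compliant / devices, 3)}


if __name__ == "__main__":
    report = compliance_by_group(SCAN_RESULTS)
    for name, g in sorted(report.items()):
        print(f"{name:10s} devices={g['devices']} compliant={g['compliant']} "
              f"non-compliant={g['noncompliant_pct']:.1%}")
    print("breaches at 40% tolerance:", tolerance_breaches(report, 0.40))
    print("unenumerated hosts:", unknown_hosts(SCAN_RESULTS))
    print("executive view:", executive_summary(report))
```

Keeping the unknown group in the same report as the enumerated environments means a device that was never inventoried still counts against the company-wide rate instead of silently dropping out of the measurement.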
Summary

● Pre-defined process for managing vulnerabilities
● Centralized information and management
● Complex system for managing compliance
For More Information

● Microsoft SMS Web page
● Deployment and operations of SMS
● Patch management and network security
● SMS and patch-related information from MSM
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2003 Microsoft Corporation. All rights reserved.


This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
SUMMARY. Microsoft, Active Directory, Visio, Windows, Windows Server, and Xbox are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein
may be the trademarks of their respective owners.
