Microsoft Shares Own Security Secrets

Microsoft has released a technical case study of its internal security procedures, in which it spells out a three-pronged approach to thwarting malicious hacker attacks and urges enterprise admins to spend more time anticipating and preventing attacks.

The release of the case study comes on the same day the company unveiled a new patch management strategy and renamed its main automatic updating services as part of its Management Summit in Las Vegas.

“In addition to using a consistent process for responding to incidents as they occur, the Microsoft security methodology includes reducing its ‘attack surface’ to avert incidents,” the company said. Microsoft also said its internal Microsoft IT group uses specific vulnerability management policies and procedures to deal with incident response and to reduce exposure to attacks.

The company chided enterprises for adopting a reactive approach to malicious attacks instead of spending more time anticipating and preventing them. “With the vast number of tools available to attackers today, an active approach is needed to help secure networks from exploits. It is less expensive to reduce the risk beforehand than to mitigate the damage

Microsoft’s own approach to reducing the frequency and severity of network attacks
is to implement a security methodology that reduces its attack surface on
both Internet-facing and intranet-facing hosts. The methodology includes
strict management of user privileges, periodic risk assessments and ongoing
monitoring of compliance with security guidelines.

The first step, the company explained, is to focus on active prevention
to close vulnerabilities before exploits are created and distributed. This
involves active vulnerability scanning, audits, intrusion detection, risk
assessment and continuous diligence.

Microsoft said its three-pronged security approach includes Monitoring and Compliance, Security Consulting and Tools Development and Support. Because attackers use multiple tools to target an enterprise, the Monitoring and Compliance group uses publicly available scanning tools such as the Microsoft Baseline Security Analyzer (MBSA) or HFNetChk (a hotfix checker) to check hosts against an XML database of available hotfixes and find the ones missing from its various software products.

According to the case study released Tuesday, the Monitoring and Compliance group also uses an internally developed “hacking toolkit” to identify and plug security holes immediately. The toolkit was built with the Visual C++ development system and programming language and reports into a SQL Server 2000 database used for risk assessment, analysis, tracking and reporting. Access to the toolkit is strictly controlled.

The company said regular audits are conducted against the list of
risk-rated vulnerabilities established in the baseline and priority is
assigned to any non-complying system and a service request is opened to
correct the problem. “Verifying that a problem has been fixed involves
scanning, reviewing the scanning report, and then entering a remediation
loop that fixes the problem or creates a notification of the problem and
then scans again. The process continues repeatedly until the problem is
resolved,” Microsoft explained.
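The scan-and-remediate loop described above, written out as a small Python program. This is an added illustration, not code from Microsoft's case study or its internal toolkit: the XML baseline (loosely modelled on the hotfix database MBSA and HFNetChk read), the host inventory, the HF-00x hotfix identifiers and the patch behaviour are all constructed, and the accept-risk threshold is an assumed policy value. It also carries the risk-rating step through, scoring each missing hotfix by probability times impact and leaving low-scoring findings unticketed, and isolates a host that is still non-compliant after the allowed number of rounds.

```python
"""Hotfix compliance scan feeding a remediation loop.
Added example, not Microsoft's toolkit: baseline, hosts, hotfix ids and patch
behaviour are constructed; ACCEPT_BELOW is an assumed policy threshold."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed baseline in the spirit of the XML hotfix database MBSA/HFNetChk
# scan against. Each hotfix is risk-rated by probability x impact (1-5 each).
# The HF-00x ids are placeholders, not real bulletin numbers.
BASELINE_XML = """<baseline>
  <product name="IIS" version="5.0">
    <hotfix id="HF-001" probability="5" impact="5"/>
    <hotfix id="HF-002" probability="2" impact="2"/>
  </product>
  <product name="SQLServer" version="2000">
    <hotfix id="HF-003" probability="4" impact="5"/>
  </product>
</baseline>"""

ACCEPT_BELOW = 6  # assumed policy: a risk score below this is accepted ("do nothing")


def load_baseline(xml_text):
    """Return {product key: {hotfix id: risk score}} from the XML baseline."""
    root = ET.fromstring(xml_text)
    baseline = {}
    for prod in root.findall("product"):
        key = f"{prod.get('name')} {prod.get('version')}"
        baseline[key] = {
            hf.get("id"): int(hf.get("probability")) * int(hf.get("impact"))
            for hf in prod.findall("hotfix")
        }
    return baseline


@dataclass
class Host:
    name: str
    products: dict                                  # product key -> installed hotfix ids
    unpatchable: set = field(default_factory=set)   # installs that always fail
    connected: bool = True
    attempts: dict = field(default_factory=dict)    # hotfix id -> install attempts


def scan(host, baseline):
    """MBSA/HFNetChk-style check: missing hotfixes, highest risk score first."""
    findings = []
    for product, installed in host.products.items():
        for hf_id, score in baseline.get(product, {}).items():
            if hf_id not in installed:
                findings.append((score, product, hf_id))
    return sorted(findings, reverse=True)


def apply_patch(host, product, hf_id):
    """Constructed patch behaviour: the first attempt fails (forcing a rescan
    and retry); later attempts succeed unless the hotfix is unpatchable."""
    n = host.attempts.get(hf_id, 0) + 1
    host.attempts[hf_id] = n
    if n >= 2 and hf_id not in host.unpatchable:
        host.products[product].add(hf_id)
        return True
    return False


def remediate(host, baseline, max_rounds=5):
    """Scan -> review -> fix or notify -> rescan, until every finding scoring
    at or above ACCEPT_BELOW is closed. A host still non-compliant after
    max_rounds is disconnected, the last resort the case study names."""
    tickets = []  # (round, hotfix id, score, outcome): the service-request log
    for round_no in range(1, max_rounds + 1):
        actionable = [f for f in scan(host, baseline) if f[0] >= ACCEPT_BELOW]
        if not actionable:
            return tickets
        for score, product, hf_id in actionable:
            fixed = apply_patch(host, product, hf_id)
            tickets.append((round_no, hf_id, score, "fixed" if fixed else "notified"))
    host.connected = False
    tickets.append((max_rounds, "*", 0, "disconnected"))
    return tickets


if __name__ == "__main__":
    baseline = load_baseline(BASELINE_XML)
    web = Host("web01", {"IIS 5.0": set(), "SQLServer 2000": set()})
    for ticket in remediate(web, baseline):
        print(web.name, *ticket)
    print("accepted residual risk:", scan(web, baseline), "connected:", web.connected)
```

The low-scoring HF-002 finding survives every scan but never opens a ticket, which is the "doing nothing is an option" decision made explicit; the score threshold and the round limit are the two knobs a real policy would set.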

The case study includes several best practice recommendations for IT
admins, including:

  • The creation of a risk model for the enterprise to pinpoint
    potential risk areas and the probability and impact of a compromise to each
  • Plans for determining what is worth risking and what must be fixed.
    “Doing nothing is an option if the risk probability or impact is
  • The development of a library of the risk-rated vulnerabilities to
    verify if the known vulnerabilities are present in the scanning process and
    the documentation of technologies and resources (people and devices) that
    have access to those technologies.
  • Management of the vulnerabilities by notifying users and forcing a
    patch or disconnecting the vulnerable system from the network.

The company said it used a combination of Microsoft and third-party tools
to monitor for intrusions. The unit reviews Internet Security and
Acceleration (ISA) Server logs and conducts audits to ensure that remote
access accounts are used only by the owners of those accounts. Microsoft
Operations Manager (MOM) is used for event collection and to diagnose
suspicious incidents, while the Microsoft Audit Collection System component
of MOM is used to collect and analyze security event logs.
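One way to run the remote-access account audit described above, as an added example rather than Microsoft IT's own procedure. The log lines, the owner registry, the line format (a simplified stand-in, not the ISA Server or MOM log schema) and the 30-minute concurrency window are all constructed or assumed. The check flags a successful logon from outside the networks the account's owner is registered for, and two logons from different clients close enough together that one person could not plausibly have made both.

```python
"""Audit of remote-access account use against an owner registry.
Added example, not Microsoft IT's procedure: log lines, owner networks and
the line format are constructed; the concurrency window is an assumed value."""
import ipaddress
from datetime import datetime, timedelta

# Constructed access log in a simplified "key=value" format (not the real
# ISA Server or MOM schema). Addresses are documentation/private ranges.
LOG_LINES = """\
2003-03-18 09:12:01 user=alice client=10.1.4.20 result=allowed
2003-03-18 09:14:30 user=bob client=10.2.9.7 result=allowed
2003-03-18 09:15:05 user=alice client=192.0.2.44 result=allowed
2003-03-18 09:40:12 user=bob client=10.2.9.7 result=allowed
2003-03-18 10:02:50 user=carol client=198.51.100.9 result=denied
2003-03-18 10:33:10 user=bob client=10.8.0.3 result=allowed
""".splitlines()

# Assumed registry: the networks each account's owner is expected to connect from.
OWNER_NETWORKS = {
    "alice": [ipaddress.ip_network("10.1.0.0/16")],
    "bob": [ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("10.8.0.0/16")],
    "carol": [ipaddress.ip_network("198.51.100.0/24")],
}
CONCURRENCY_WINDOW = timedelta(minutes=30)  # assumed: one owner, one place at a time


def parse_line(line):
    """Turn one constructed log line into a dict with typed fields."""
    date, clock, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    return {
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "user": fields["user"],
        "client": ipaddress.ip_address(fields["client"]),
        "result": fields["result"],
    }


def audit(lines, owners, window=CONCURRENCY_WINDOW):
    """Return findings as (user, kind, detail). kind is 'foreign-network' for a
    successful logon from outside the owner's registered networks, and
    'concurrent-clients' when the same account logs on from two different
    clients within `window` of each other."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["time"])
    findings = []
    last_seen = {}  # user -> (time, client) of the previous successful logon
    for e in events:
        if e["result"] != "allowed":
            continue  # denied attempts belong in a separate brute-force report
        if not any(e["client"] in net for net in owners.get(e["user"], [])):
            findings.append((e["user"], "foreign-network", str(e["client"])))
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["client"] and e["time"] - prev[0] <= window:
            findings.append((e["user"], "concurrent-clients",
                             f"{prev[1]} then {e['client']}"))
        last_seen[e["user"]] = (e["time"], e["client"])
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit(LOG_LINES, OWNER_NETWORKS):
        print(f"{user}: {kind} ({detail})")
```

On the constructed log only alice is flagged, on both rules: her second logon comes from an unregistered address three minutes after the first. Bob's move between two registered networks 53 minutes apart is not reported; narrowing the window too far would miss alice, widening it too far would flag every laptop that changes sites, so the value has to be tuned to how the workforce actually moves.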
