Security Management and Operations
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The need to connect and collaborate with partners, suppliers, customers, and employees anytime and anywhere has increased the complexity of managing network and systems security. Organizations are faced with the difficult and time-consuming task of securing and managing network systems, and keeping their desktops and servers up-to-date—all of this in the face of constrained resources and the uncertainty as to whether systems are, in fact, secure. Organizations want easy and efficient ways to maintain network security, manage updates, and, at the same time, reduce total costs for security management. With a number of Microsoft tools and technologies, including those integrated in Windows 2000 Server, the Microsoft Baseline Security Analyzer (MBSA), Microsoft Operations Manager (MOM), Software Update Services (SUS), and System Management Server, IT administrators can more effectively manage the security of their Windows environments.
Enterprises are competing globally to provide access to information, to enhance productivity, and to deliver services quickly—all at the lowest possible cost. The ability to communicate and collaborate with partners, suppliers, customers, and employees anytime and anywhere is now a requirement. Gone are the days when only a selected group of people had network access to business applications and data.
The advent and acceptance of new computing technologies and the Internet have changed the way information is stored, accessed, and shared. Companies have implemented a more open and distributed information model resulting in benefits that include:
Increased Employee Productivity: Enables employees to be flexible, make better decisions, and respond quickly to the changing demands of the marketplace by providing secure access to the information they need anywhere at anytime.
Lower Cost: Decreases costs and increases efficiency by safely leveraging the power of collaboration and network connectivity.
Integrated Business Processes: Increases sales by enabling closer relations with customers and partners through secure communications and collaboration.
To take advantage of these benefits, companies need a secure IT infrastructure that can minimize security risks and decrease the costs of security management and operations. This paper is one of a series of three papers:
Secure Network Connectivity presents Microsoft's offering for ensuring secure access to corporate information assets from within an organization, or externally from the Internet.
Identity Management presents Microsoft's offering for managing user access to all corporate information assets.
Security Management and Operations presents Microsoft's offering for managing the people, technology, and process aspects of security.
The Need for Security Management and Operations
The need to connect and collaborate with partners, suppliers, customers, and employees anytime and anywhere has increased the complexity of managing network and systems security. When addressing security management and operations, administrators need to consider the following:
Security: Employees not only work from corporate offices, but from branch offices, home offices, or from the road. Managing access policies and security for remote connectivity requires flexibility to apply security policies to different sets of users and groups, as well as ensuring remote users are up-to-date with the most current patches and updates. Administrators must keep systems up-to-date with the latest patches and fixes to prevent security breaches.
Management complexity: Security threats are dynamic; therefore, ongoing management of systems to keep them up-to-date is very important.
Lowering cost: The demands on IT staff to keep desktops and servers up-to-date with the latest patches, to monitor systems for security threats, and to enforce security policy across the enterprise have increased the cost of managing security.
By addressing these challenges, organizations can achieve greater employee productivity, decrease costs, and improve business integration.
Challenges in Security Management and Operations
As businesses move to a connected environment, the demands on IT administrators to maintain a secure environment increase significantly.
The evolution of the Internet has enabled businesses to reach more customers, integrate business processes with partners, and stay connected with the mobile workforce. However, extending access from corporate networks to the Internet has exposed systems to a new and evolving set of security attacks. As a result, businesses are challenged with implementing and evolving their security processes, deploying security technologies, and keeping their IT administrators trained to manage and enforce corporate security policies.
Managing networks, systems, and application security is both complex and time-consuming. Administrators' tasks include:
Finding desktops and servers with common security misconfigurations.
Keeping desktops and servers up-to-date with the latest security patches.
Ensuring that the corporate security policies are enforced across desktops and servers.
Monitoring systems for potential security compromises.
Human error is a leading factor in security failures. These errors manifest themselves in several ways:
Configuration errors when installing products.
The inability to track system configurations. For example, a system was already configured and deployed prior to a new system administrator taking over.
The inability to recognize actual or attempted attacks. In a recent Computer Crime and Security survey, only 40 percent of respondents detected and reported security breaches originating from outside of their network.
Security and management complexity both have implications for containing security and IT costs. Security breaches and network downtime can cost organizations millions of dollars in lost revenue. In addition, the number of IT staff and the time required to implement security and keep systems up-to-date can be very costly. For organizations today, the difference between preventive network and systems security management on the one hand and disaster recovery and downtime on the other can be the difference between profit and loss.
Solutions for Security Management and Operations
Microsoft is investing heavily in engineering its products for security and providing customers with security features that meet their current and future needs. However, delivering secure products is not enough to solve the security management challenges customers are now facing, so Microsoft is also producing and delivering a variety of tools, prescriptive guidance, training, and products to help address customer security needs. These elements work together to help customers build stronger security management into their processes and systems.
Assessment and Management Tools
Microsoft is committed to helping customers become secure and stay secure by providing tools to identify common security misconfigurations, reduce attack surface area, and monitor events and performance in real time.
The first step involves analyzing existing environments for security misconfigurations that can lead to costly compromises. Microsoft Baseline Security Analyzer (MBSA), which runs on Windows 2000 and Windows XP systems, scans for missing hot fixes and common security misconfigurations in a broad range of products, including: Windows NT 4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA creates and stores an individual XML security report for each computer scanned and displays the reports as HTML in its graphical user interface.
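As an added illustration, not MBSA's own code or report format: a small Python model of the kind of baseline assessment described above, comparing a constructed host inventory against a required-hotfix baseline and a few configuration checks, then producing one XML report per computer. Host names, hotfix identifiers and check names are constructed placeholders.

```python
"""Toy baseline assessment in the spirit of a missing-hotfix and
misconfiguration scan (added example, not Microsoft's code).

Hosts, hotfix identifiers and checks are constructed for illustration;
the real MBSA report schema is not reproduced here.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: hotfixes every inventoried host is expected to carry.
REQUIRED_HOTFIXES = {"Q-EXAMPLE-001", "Q-EXAMPLE-002", "Q-EXAMPLE-003"}

# Constructed inventory, as an assessment tool might gather it per machine.
HOSTS = {
    "web01": {
        "hotfixes": {"Q-EXAMPLE-001", "Q-EXAMPLE-002"},
        "guest_enabled": True,
        "blank_admin_password": False,
        "audit_logon": True,
    },
    "sql01": {
        "hotfixes": {"Q-EXAMPLE-001", "Q-EXAMPLE-002", "Q-EXAMPLE-003"},
        "guest_enabled": False,
        "blank_admin_password": True,
        "audit_logon": False,
    },
}


def missing_hotfixes(host):
    """Baseline hotfixes the host has not installed, sorted for stable output."""
    return sorted(REQUIRED_HOTFIXES - HOSTS[host]["hotfixes"])


def misconfigurations(host):
    """Common configuration weaknesses of the kind a baseline scan flags."""
    cfg = HOSTS[host]
    findings = []
    if cfg["guest_enabled"]:
        findings.append("guest account enabled")
    if cfg["blank_admin_password"]:
        findings.append("blank local administrator password")
    if not cfg["audit_logon"]:
        findings.append("logon auditing disabled")
    return findings


def build_report(host):
    """One XML report per scanned computer, returned as an Element tree."""
    root = ET.Element("SecurityScan", host=host)
    for q in missing_hotfixes(host):
        ET.SubElement(root, "MissingHotfix", id=q)
    for text in misconfigurations(host):
        ET.SubElement(root, "Misconfiguration").text = text
    root.set("findings", str(len(root)))  # total number of findings
    return root


def scan_all():
    """Return {host: report element} for every inventoried computer."""
    return {h: build_report(h) for h in HOSTS}


if __name__ == "__main__":
    for h, rep in scan_all().items():
        print(ET.tostring(rep, encoding="unicode"))
```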
The IIS Lockdown tool works by turning off unnecessary features, thereby reducing the attack surface. In addition, URLscan, with customized templates for each supported server role, has been integrated into the IIS Lockdown Wizard to provide defense in depth, or multiple layers of protection against attackers.
Microsoft Operations Manager (MOM) monitors events and performance of Windows servers to provide information on the real-time operational state of a system or application. MOM can be used to monitor servers for attack signatures in real time, as well as to produce reports that demonstrate whether production systems are meeting security and performance requirements.
It is a complex and time-consuming process to ensure that all internal clients and servers are kept up-to-date with critical patches. Maintaining the integrity of system software in a networked environment through a well-defined patch management program is the first step toward successful information security, regardless of any controls over physical access to a system.
Patch management is a process that gives organizations control over the deployment and maintenance of interim software releases to their IT infrastructure, to maintain operational efficiency and effectiveness, overcome potential security vulnerabilities, and maintain stability of the live environment.
To ease this process and reduce management time, Microsoft is delivering a variety of tools that simplify security management tasks by allowing them to be better-managed and more automated. These tools include:
Windows Update is an integrated service in Windows 2000 and Windows XP that enables consumers and small businesses to be notified when new patches are available. Upon notification, users can choose to install these updates automatically or manually.
Software Update Services (SUS) can be downloaded free of charge from the Microsoft Web site. It is designed to simplify the process of keeping Windows-based systems up-to-date with the latest critical updates. SUS enables administrators to quickly and reliably deploy critical updates to their Windows 2000-based servers as well as desktop computers running Windows 2000 Professional or Windows XP Professional. Typically, administrators have to monitor the Microsoft Web site for new updates, manually download and test them, and then distribute them to all desktops and servers with traditional distribution software. With SUS, administrators can instead test security updates and distribute them automatically to all computers. SUS provides a Web-based administration interface for synchronizing content and approving tested updates for distribution on the network.
SMS Value Pack offers enhancements to the Systems Management Server (SMS) product to improve integration with other security assessment and management tools. The SMS Value Pack, scheduled for release in Q3 2002, includes extensive and flexible tools for managing and deploying security patches on enterprise networks. SMS can also be used to deploy MBSA to gather report data about the patch level of various machines on a network.
To help customers define, implement, and enforce their digital security policies, Microsoft has provided an integrated policy-based management infrastructure in Windows 2000 Server and Windows XP.
Windows 2000 Server, through Group Policy and Active Directory, enables IT administrators to define and apply security policies to users, groups, and network servers. A group of servers with the same functionality can be created (for example, a Microsoft IIS server farm can be created), and then group policy objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor.
When security policies are created and applied, the goal is to simplify and centralize security configuration and management for computers running Windows 2000 Server in the perimeter network. Policies reduce administrator workload by automating some processes for applying security to servers. Computers running Windows 2000 Server that are members of a domain will periodically access Active Directory; if they find that a new policy exists or that an existing one has been changed, they automatically download the policy and apply it locally.
The best tools and products may be ineffective without detailed guidance and training on how to employ them properly. Microsoft is providing prescriptive content that helps customers secure their systems and keep them secure, including:
Microsoft Operations Framework (MOF) is a collection of best practices, principles, and models. It provides comprehensive technical guidance for achieving mission-critical production system reliability, availability, supportability, and manageability for solutions and services built on Microsoft's products and technologies. MOF provides industry-standard best practices for operations procedures, including detailed procedures for how to identify and deal with risks at all levels of a corporate IT infrastructure.
The Microsoft® Systems Architecture Internet Data Center prescriptive architecture allows customers to build a scalable, reliable, secure, and manageable environment using a recommended set of tools, technologies, and processes. By following the recommendations in the Internet Data Center documentation, an organization can quickly and efficiently build Internet applications that are suitable for its long-term Internet business needs and that meet its security requirements. This prescriptive guide provides hardware and software configuration recommendations required to build this infrastructure in a production environment. This architecture has been tested and validated using hardware from a number of vendors to ensure that the required performance, scaling, availability, manageability, and security goals are met.
A series of Security Operations Guides explains the best security practices for Microsoft products and can be downloaded free of charge from the Microsoft Web site. They capture operational experience in a series of easy-to-understand checklists and steps; guides for Windows 2000 and Microsoft Exchange 2000 are now available.
"Security QuickStart" packages from Microsoft Consulting Services and Certified Partners are fixed-price engagements that provide organizations with an expert assessment of, and guidance for improving, their security standards, practices, and configurations.
Similar services are available from Microsoft Gold Certified Security Partners.
Trained professionals, security processes and procedures, and security tools are just as critical to building a secure connected infrastructure as secure products and security features. Networks are only as secure as their least secure components, since that is where an attacker will focus. A successful security strategy, then, must cover more than just products and features; it must cover people and processes as well.
Administrators need up-to-date training and guidance to help them recognize, solve, and document security problems before they become crippling. For organizations that do not have, or cannot acquire, adequate in-house security knowledge, a trusted outside source with security expertise would be very valuable.
The value of professional development relating to the latest technologies is important to most administrators. Ongoing education and training are particularly important in the security field, where breakthroughs and exploits occur almost daily. Microsoft has long been at the forefront of certification for IT professionals; to supplement the existing Microsoft Official Curriculum offerings, Microsoft is enhancing its curriculum offerings by adding several security-focused courses, including courses on building security fundamentals, designing and deploying secure networks, using public-key infrastructure components, and developing secure Web applications. For more information on training courses, see http://www.microsoft.com/learning/solutions/security.asp.
To take advantage of the networked world, organizations must prevent unauthorized users from accessing their networks, and at the same time, ensure that authorized users have access only to authorized assets. By providing the following tools and resources, Microsoft can enable businesses to ensure network and systems security, reduce security management complexity, and lower total security and management costs.
Network and systems security assessment and management tools
Patch management tools
Security policy management tools
Several organizations have already benefited from utilizing Microsoft's technologies to manage their security and operations, including:
Divine Managed Services provides advanced Web and application services for many of the world's most innovative and fast-growing extended enterprise businesses. Its managed service operations are based in Dallas, Texas, with customers throughout the world. As its managed service infrastructure grew larger, Divine needed a systems management solution that would let its employees test and distribute software to its servers more quickly and efficiently than its manual processes allowed.
Through the use of Microsoft® Systems Management Server 2.0, in 2001 alone, Divine distributed more than 20,000 pieces of software to more than 1,200 servers with a team of only three people. With Systems Management Server, this same team can install critical patches across all servers in less than 24 hours.
ClearPointe is a managed solution provider whose core focus is building and managing comprehensive network environments. Every ClearPointe managed solution uses Microsoft Internet Security and Acceleration (ISA) Server 2000 to provide firewall and VPN functionality. In addition to providing business users with remote access to internal network resources, the VPN provides ClearPointe's monitoring center with access to all computers and applications running in each client's private network. To monitor system health, ClearPointe relies on Microsoft Operations Manager 2000 (MOM). MOM uses intelligent agents that are automatically "pushed" out to each server. These agents continuously collect data based on configurable MOM processing rules, such as how fast a network name query is resolved or how many outbound messages are in the Exchange Server queue. Data from each server is fed to another agent that consolidates the information and transmits it to ClearPointe over the VPN. In most cases, the consolidator runs on the same server hosting the VPN functionality. MOM has enabled ClearPointe to deliver 100 percent availability during business hours for its managed solutions. "Delivering 100 percent availability across such a broad range of services without being onsite 24x7 is something we could never have done without MOM," said John Joyner, MCSE, ClearPointe's CTO. "One of our clients used to go for days without e-mail using a different managed solution provider, but they've had no service interruptions since they began using our managed solution based on MOM. We'll take other business, but we won't guarantee service levels unless the solution is based on MOM."
Additional Information and Resources
For additional information on how to more effectively manage the security of Windows environments using Microsoft products, visit the following Microsoft Web sites: