Information About Security Incident on Microsoft Corporate Network

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This page presents updated information on the reports about a security incident on the Microsoft Corporate Network. We have also added a Frequently Asked Questions section that discusses basic approaches customers can take to protect themselves from incidents such as this one.

Microsoft's ongoing investigation has continued to narrow the scope of this situation. Microsoft security became aware of the illegal activity shortly after it first occurred and tracked the hacker's attempts to expand his unauthorized access to our network over a 12-day period, from October 14 to October 25. Although Microsoft Corporate Security is continuing to investigate the incident to determine its full scope, we have no reason to believe that any customers have been or will be affected in any way by the incident.

As we stated earlier, there is no evidence that the intruder gained access to the source code for Office or any Windows products. There is no evidence to suggest that any of Microsoft's online services have been or will be affected by the incident. The security breach did not involve a security vulnerability in any Microsoft product. The hacker may have viewed the source code for a single future product under development; our investigation has confirmed that this code was not modified or corrupted in any way. We have no evidence to suggest that the hacker gained access to any other source code.

Microsoft is working with US law enforcement authorities to investigate this incident, and will take appropriate action when the responsible person(s) have been identified.

In sum, this intrusion is a deplorable act, but we anticipate that customers will be unaffected by it. We are taking appropriate steps to deal with the immediate problem, and are developing follow-on steps to prevent it from happening again.

On This Page

Customer Questions Related to Preventing Network Intrusions
How can network intrusions occur?
Do you have any recommendations about software and configuration that I should follow?
What about password and account management?
How do I detect an intrusion when it occurs?
These answers sound like I should assume that intrusions may occur. Doesn't that mean that my security system is ineffective?
It sounds like achieving network security is a significant responsibility.

These questions and answers are cast in general terms, but reflect Microsoft's experience, best practices, and lessons confirmed by the recent intrusion to the Microsoft network. The Microsoft security web pages at https://www.microsoft.com/technet/security/default.mspx provide additional resources as to best practices for managing networks securely.

How can network intrusions occur?

Many network intrusions originate from an end user's mistake, such as a configuration error. These mistakes happen in organizations of all sizes, so network security managers should assume that such errors will occur and will be exploited. A set of security procedures, and a security organization that implements them, allows security managers to detect an intrusion early, monitor it, and limit the exposure of the organization's assets.

Do you have any recommendations about software and configuration that I should follow?

Our fundamental recommendation is to follow security best practices. Install antivirus software on Internet Mail Connectors, proxy servers, other servers, and desktops. Ensure that virus signature files are kept up to date; use automated processes to push updated signature files to systems throughout your enterprise. Configure your firewalls and routers to allow only the network activity necessary to your business. Install vendor product security updates when they are released. Use operating system and application access controls and auditing features to protect and monitor your critical assets, and ensure that users and administrators follow a strong password policy for all accounts. Configure only those service accounts that are actually needed. Following these practices limits the scope of an intrusion and makes it likely that intrusion activity which does succeed will be detected.

What about password and account management?

Establish a strong password policy and enforce it for all users and all accounts. Keep the number of privileged users, such as domain administrators, on your systems to a minimum, and be sure to audit the activities of those users.

How do I detect an intrusion when it occurs?

Avoid discussing the specifics of your monitoring activities, so that future intruders cannot tailor their behavior to evade them. Organizations with large networks should combine commercial intrusion detection tools with custom tools and scripts tailored to detect the anomalies unique to their environments. The most important factor in detecting an intrusion is to plan auditing and intrusion detection deliberately: understand what activity is normal across the network, and decide which activities and events should be audited.
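The kind of custom, environment-specific script the two answers above call for, as an added example that is not part of the original Microsoft page or its internal tooling. It builds a per-account baseline of which hosts each account normally logs on to from a known-good period, then scans later activity for the anomalies the answers single out: successful logons from hosts an account has never used, a privileged account active outside business hours, one account reaching several previously unseen hosts in a short window, and a run of failed logons immediately followed by a success. The log line format, the account and host names, the privileged-account list, the business-hours window and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known good" logons used to build the per-account baseline.
# Format (assumed): timestamp user host logon_type result
BASELINE_LOG = """\
2000-10-09T08:55:12 jdoe WS-1041 interactive success
2000-10-09T09:02:40 asmith WS-1077 interactive success
2000-10-09T10:15:03 admin-ops DC-02 interactive success
2000-10-10T08:48:31 jdoe WS-1041 interactive success
2000-10-10T13:20:09 admin-ops FS-01 network success
2000-10-11T09:11:57 asmith WS-1077 interactive success
"""

# Constructed activity to scan: a privileged account used after hours from
# hosts it never touched before, and a burst of failures then a success.
ACTIVITY_LOG = """\
2000-10-14T09:01:10 jdoe WS-1041 interactive success
2000-10-14T22:37:44 admin-ops WS-1041 network success
2000-10-14T22:38:02 admin-ops FS-03 network success
2000-10-14T22:38:21 admin-ops FS-04 network success
2000-10-15T09:10:00 asmith WS-1077 interactive success
2000-10-15T11:42:13 asmith SRC-01 network failure
2000-10-15T11:42:20 asmith SRC-01 network failure
2000-10-15T11:42:27 asmith SRC-01 network failure
2000-10-15T11:42:35 asmith SRC-01 network success
"""

PRIVILEGED_ACCOUNTS = {"admin-ops"}   # assumption: accounts treated as privileged
BUSINESS_HOURS = range(7, 20)         # assumption: 07:00-19:59 is normal working time


def parse_log(text):
    """Parse 'timestamp user host logon_type result' lines, oldest first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host, logon_type, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "type": logon_type, "result": result})
    return sorted(records, key=lambda r: r["ts"])


def build_baseline(records):
    """Map each account to the set of hosts it logged on to successfully."""
    hosts = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            hosts[r["user"]].add(r["host"])
    return dict(hosts)


def detect(records, baseline, privileged=PRIVILEGED_ACCOUNTS,
           burst_window=timedelta(minutes=5), burst_hosts=3, fail_threshold=3):
    """Return one alert dict per anomaly found in records, relative to baseline."""
    alerts = []
    new_host_events = defaultdict(list)   # user -> [(ts, host)] for unseen hosts
    failures = defaultdict(int)           # (user, host) -> consecutive failures

    for r in records:
        key = (r["user"], r["host"])
        if r["result"] != "success":
            failures[key] += 1
            continue
        # A run of failures immediately followed by a success: password guessing.
        if failures[key] >= fail_threshold:
            alerts.append({"rule": "failures_then_success", **r})
        failures[key] = 0
        # Successful logon from a host this account was never seen on.
        if r["host"] not in baseline.get(r["user"], set()):
            alerts.append({"rule": "new_host", **r})
            new_host_events[r["user"]].append((r["ts"], r["host"]))
        # Privileged account active outside business hours.
        if r["user"] in privileged and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "privileged_off_hours", **r})

    # One account reaching several unseen hosts within burst_window: lateral movement.
    for user, events in new_host_events.items():
        for i, (ts, _) in enumerate(events):
            window = {h for t, h in events[i:] if t - ts <= burst_window}
            if len(window) >= burst_hosts:
                alerts.append({"rule": "new_host_burst", "user": user, "ts": ts,
                               "host": ",".join(sorted(window))})
                break
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for a in detect(parse_log(ACTIVITY_LOG), baseline):
        print(f'{a["ts"]} {a["rule"]:22} {a["user"]:10} {a["host"]}')
```

Run against the constructed data, the scan raises nine alerts: four new-host logons (three for admin-ops, one for asmith on SRC-01), three off-hours uses of the privileged account, one burst alert for admin-ops, and one failures-then-success alert for asmith. The baseline period must itself be clean, so in practice it is reviewed before it is trusted, and the thresholds are tuned to the environment, which is exactly why such scripts are custom rather than off the shelf.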

These answers sound like I should assume that intrusions may occur. Doesn't that mean that my security system is ineffective?

On the contrary, a security system that assumes that all intrusions will be prevented is a fragile and ineffective one. A sound security system relies on multiple layers of security, and is based on the "prevent - detect - react - remediate" model. At each layer, the model works like this:

  • Prevent - The primary goal of a security system is to prevent intrusions whenever possible, and to ensure that breaching one layer does not enable the intruder to breach the others.

  • Detect - Security measures should be in place that constantly monitor the system for signs of an intrusion.

  • React - When an intrusion is detected, the system should take action to monitor the intruder and limit further damage.

  • Remediate - Once the intrusion has been countered, the security system should be capable of returning the network to its former secure state.

Building a security system and a security organization around these principles is the only way to assure robust security for a large organization and network.

It sounds like achieving network security is a significant responsibility.

The job of security officer is a critical one for an organization that operates in today's connected world. It is important to designate a security officer, and to give him or her the resources and authority needed to do the job and protect the organization's information assets.