Securing Business Workflows and Networks for Partners
Technical White Paper
Published: March 2009
Products & Technologies
Microsoft relies on partners to help provide services for many parts of its business, including software and hardware development, marketing, sales, and operations. As the number of partner user accounts increases, so do requirements for tight security, integrated collaboration, and streamlined workflow. Microsoft IT wanted to give partners and employees a secure way to access internal resources.
Microsoft IT designed and implemented the extranet environment based on Microsoft technologies, which give partners real-time access to selected resources while maintaining security and access controls on data.
Outsourcing and using third-party resources to deliver solutions has been a mainstay of IT organizations for years and continues to increase. In fact, according to Gartner, outsourcing will continue to grow in 2009 despite the economic slowdown. Microsoft, like other corporations, uses vendor resources to help carry out many parts of its business functions. For example, Microsoft uses vendors to fulfill hardware manufacturing, retail software production, and code creation for products. To support the business needs for vendor involvement with Microsoft business units, Microsoft Information Technology (Microsoft IT) designed and implemented an extranet environment that was flexible enough to accommodate many usage scenarios, yet followed best practices for security, operability, and scalability.
In designing the environment, Microsoft IT overcame many challenges related to balancing the need to provide features and usability with security and scalability. These challenges included vendor account provisioning and maintenance, exposure of specific internal services and line-of-business (LOB) applications, and handling exceptions to overall constraints. By analyzing each use scenario and designing an infrastructure that scaled according to demand, using security best practices such as the principle of least privilege, and performing security audits, Microsoft IT created an environment that met business needs, yet did not compromise security requirements.
Currently, the extranet supports more than 120,000 user accounts. The environment offers users many features, including the following:
- Security-enhanced virtual private network (VPN) and terminal server access
- Source code management and development
- Document collaboration and version control
- Workflow and project management
- Outsourced call-center telephony and manufacturing support
By first developing a solid foundation that took into account network controls, firewall restrictions, server hardening, and application hardening, Microsoft IT not only provided business units with the features required to support vendor engagement, but also paved the way for future services.
This white paper is intended for business and technical decision makers. It assumes that the reader has a working knowledge of the Windows Server® 2008 operating system, Active Directory® Domain Services (AD DS), Microsoft® Internet Security and Acceleration (ISA) Server, Internet Information Services (IIS), and general security design principles.
Note: For security reasons, the sample names of forests, domains, internal resources, organizations, and internally developed security file names used in this paper do not represent real resource names used within Microsoft and are for illustration purposes only.
Microsoft IT maintains more than 500 offices worldwide. These offices support more than 90,000 employees, 120,000 vendor and partner users, and thousands of line-of-business applications for services such as licensing, order management, product activation, and services and sales. The network includes more than 400,000 Ethernet ports, thousands of servers, and multiple high-speed wide area network (WAN) links. Figure 1 shows a summary of the data centers, extranet server distribution, and associated user loads of the network infrastructure.
Figure 1. Data-center topology and user distribution
Although Microsoft uses a centralized approach to monitor and manage the network infrastructure, local data-center leads are responsible for the specifics of issue response, resolution, and day-to-day management decisions. In addition to the data centers shown in Figure 1, Microsoft IT maintains a data center in Silicon Valley for business continuity, and other data centers for specific services, but they have minimal impact on extranet design considerations.
Extranet Usage Scenarios
Microsoft consists of three divisions that together provide a diversified portfolio of software products, hardware devices, and services. The product and service mix includes more than 320 trademarks in the United States alone. As one of its core businesses, Microsoft develops software, but even software creation is separated into various business units, each with an individual culture and unique processes. Among the many use cases and business requirements, the extranet environment had to support the following:
- Content collaboration Teams at Microsoft collaborate with vendors and partners to produce many types of content, ranging from image-laden marketing collateral to text-laden software development kit (SDK) documentation. The content includes Help files, white papers, sales documentation, art, books, Web text, and more. Despite having diverse processes, the teams require similar features for content collaboration, including version control, role-based permissions, check-in/check-out, and support for large file sizes.
- Financial workflows Financial workflows at Microsoft go beyond the typical point-of-sale, order management, and enterprise resource planning (ERP) scenarios common at many companies. Microsoft employees have, over time, developed dozens of custom applications to support the company's financial workflows. The applications include more typical ones to support credit card transactions over Payment Card Industry (PCI)–compliant, security-enhanced communication channels; order fulfillment and customer management; and enterprise resource management. The applications also support more customized workflows, such as vendor management of the enterprise resource system, Web-based interfaces to internal systems and databases for invoicing, and Microsoft BizTalk® solutions for data-exchange middleware.
- Software co-development Because software development is part of the core business of Microsoft, the usage scenarios present challenges in terms of the strict information security requirements and sheer size of development projects. Microsoft teams need the ability to not only share code in a secure way and use a version control system, but also perform project management, distributed testing and quality assurance, workflow tracking, and distribution of major milestone versions as betas and release candidates. Additionally, Microsoft performs internal governance and milestone tollgates as part of the software development life cycle (SDLC). These complexities require internal development teams, governance and quality assurance teams, and external vendors to access specific subsets of data for development projects, all tightly integrated through a common framework and interface.
- Call center working on behalf of Microsoft Microsoft outsources its call centers, yet those representatives need access to Microsoft-specific data such as customer information and case management information. Microsoft IT accommodates this need by using a third-party, thick-client tool via Terminal Server, as well as an internal tool. In addition, some representatives need to send e-mail that appears to originate from a Microsoft-owned domain.
- Manufacturing Part of the Microsoft product offering includes entertainment and media devices such as the Microsoft Xbox® video game system, input devices such as keyboards, and mobile devices. These come with a physical hardware component whose manufacturing Microsoft outsources to partners. Microsoft teams also use partners for other physical deliverables, such as retail software production (printing and CD/DVD replication) and book printing. Other manufacturing scenarios, such as license key distribution, require access to internal resources from outside locations.
- Telephony Microsoft uses vendor resources to help manage part of its legacy telecom infrastructure. This includes existing traditional private branch exchanges (PBXs), trunk lines, and other enterprise telephony components.
When designing, implementing, and operating the IT infrastructure, Microsoft IT considers industry-standard security best practices such as those from National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO), in combination with regulatory requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the PCI Data Security Standard. Moreover, Microsoft IT is mindful of the very practical need to protect company intellectual property in any environment that gives vendors any access to code or financial details. Microsoft IT implements many layers of security by aligning people, processes, and technology to ensure that the environment meets the following goals:
- Network infrastructure "secure by design" Microsoft IT follows the Microsoft Operations Framework (MOF) and Microsoft Solutions Framework (MSF) and applies security principles to all processes. By first analyzing possible risks during the planning phase, Microsoft IT can help ensure that the infrastructure design addresses those risks at the network level through firewall controls and encrypted communication, at the operating system level through server hardening, and at the application level by working with the product group and third parties to help secure all used applications. Microsoft IT calls this the secure-by-design approach.
- Product-group involvement One unique aspect of Microsoft IT is to be the first and best customer of Microsoft, which in this case entails actively suggesting product improvements related to security based on its real-world findings. After a product group implements improvements, Microsoft IT deploys and verifies the latest software builds. In this way, both customers and Microsoft IT benefit from secure-by-design configurations and products.
- Audited access control Microsoft IT wanted to provide secure and confidential access to the appropriate internal data for vendor resources, which requires assurance that managers can grant access to specific accounts with the proper role-based permissions. Microsoft IT uses internal correlation systems that track access and granted permissions to ensure that system integrity is not compromised and that users do not access data to which permission has not been explicitly granted.
- Server and operating system security With fundamental security measures such as firewalls and security protocols in place, Microsoft IT continues the secure-by-design approach by auditing servers before putting them into production, and by patching the operating system against known vulnerabilities. By using the Microsoft System Center family of products, Microsoft IT helps ensure the update status of all servers. By designing a base, security-enhanced server design and replicating it across all servers, Microsoft IT helps ensure consistent system security across servers.
- Application security Because Microsoft is a software company, Microsoft IT can integrate the results from security audits and risk analyses with the SDLC, and in this way help ensure that internal applications are secure. Microsoft IT also uses a security certification review of third-party products by which external applications can be certified as appropriately secure for use on the Microsoft network.
- Flexibility and redundancy Microsoft IT must not only meet the requirements of confidentiality and data integrity, but also satisfy high-availability and scalability requirements. The extranet solution must scale to accommodate future need, and its services must be available with adequate service levels in place and redundancy built in to the environment.
- Administrative, logical, and physical controls By following best practices, Microsoft IT employs multiple levels of controls to embed security in its environment. Starting from administrative controls that define role-based permissions on specific objects, to logical design concepts such as least-privileged access, to physical control on servers in data centers, Microsoft IT works to ensure that these aspects can be centrally managed and monitored.
- Governance and accountability Microsoft IT uses best practices during operations by ensuring that audit and governance teams are in place to independently check for vulnerabilities and security issues. Microsoft IT uses an independent internal governance team that checks for compliance and recommends best practices and courses of action for internal teams.
The task of fulfilling regulatory compliance is complex for Microsoft because it conducts business worldwide, and countries have varying requirements for privacy, data security, and data retention. In addition to satisfying regulatory requirements, Microsoft IT must ensure that its infrastructure meets internal policies and enables the legal department to carry out discovery and policy enforcement. The legal requirements that Microsoft IT must satisfy include the following:
- Internal policy compliance Microsoft uses established systems and processes to help ensure that the IT environment complies with requirements for data security and risk mitigation. For example, Microsoft uses a contract tracking system for vendor and partner contracts, including nondisclosure agreements (NDAs). Depending on the required level of access for a vendor resource, a director, vice president, or similar authority must approve the permission. Microsoft IT engaged the legal team to ensure that the initial design and later changes complied with legal policy.
- Regulatory compliance As already mentioned, Microsoft IT considers regulatory requirements when planning for security needs in the environment. In addition to using role-based access, security protocols, multiple access controls, and security reviews for applications, Microsoft IT uses reporting and auditing systems to self-certify compliance.
The three relevant environments at Microsoft for access scenarios that deal with Internet-published services are the internal corporate production environment, the extranet, and a separate perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). The environments represent security boundaries that enable Microsoft IT to assign appropriate permissions and expose only the systems and interfaces necessary to support the use scenarios.
The corporate production environment exists as the internal network for Microsoft employees and internal users, and it houses internal databases, LOB applications, and other business-critical data. The perimeter network environment exists to house any applications that must be accessed from the Internet and from the corporate production environment, such as Microsoft Office Live Meeting, whereas the extranet exists specifically for vendors, partners, and other third-party users. Microsoft IT checks the configuration and setup of existing and new services to help ensure that each is deployed in the most secure environment.
Prior to designing and implementing the extranet environment, Microsoft IT provided access for vendors through multiple access points that were managed by many teams in a decentralized way. This arrangement made performing security audits difficult, lacked scalability, and could not benefit from centralized monitoring, change management, and operations processes. Microsoft IT wanted to ensure that the extranet supported existing and future use cases by pursuing the following goals in its design:
- Manageability With use cases ranging from basic content collaboration to more complex manufacturing and code development, Microsoft IT wanted to design the extranet environment with low overhead in mind. From an operations point of view, the extranet had to use existing centralized team structures for front-line monitoring, change requests, and issue resolution. Microsoft IT also took into account reporting, auditing, and other operational needs based on MOF.
- Flexibility and expandability Although Microsoft IT surveyed teams to determine their use cases and needs, it is impossible to design for every nuance and anticipate all future needs. To accommodate current and future needs, Microsoft IT wanted to combine the physical and logical design elements, such as network devices, front-end connectivity, account database, and back-end servers, into building blocks. The goal was to have a standardized, audited baseline that could be expanded or changed as future needs emerge. The building blocks use underlying dependencies, such as a forest separate from the corporate production environment with selective authentication trusts, network connectivity, verified server configurations, and strict configuration control. Microsoft IT also wanted to standardize the design for each data center and used the same building blocks to create a consistent design.
- Consistent service and high availability The extranet houses the majority of services and servers at Microsoft. The Microsoft culture of using pre-release and beta software in the corporate production environment means that at times, services hosted in the corporate production environment may encounter planned downtime, version changes, and configuration changes. The extranet is used as an Internet-exposed production environment and requires much more stringent service level agreements (SLAs) for availability. For most extranet services, Microsoft IT meets a 99.99 percent availability target. High availability is crucial for the extranet environment because the services it provides are business critical. Therefore, Microsoft IT designed the extranet to incorporate multiple levels of redundancy by using approaches and technologies such as load balancing, redundant array of independent disks (RAID), server redundancy, application redundancy, and even data-center redundancy with business continuity failover.
- Auditing and reporting To simplify administration and lower overhead, Microsoft IT wanted to use Microsoft products and solutions where possible. The System Center family includes Microsoft System Center Operations Manager and Microsoft System Center Configuration Manager. These products include the capability to monitor systems in real time, check for software update status, and report on system compliance based on predefined templates. Microsoft IT also uses custom tools that check for additional nonsecure configurations, such as granting "Unauthenticated Users" or "Everyone" access on shares. Some Microsoft IT operations team members specialize in auditing systems and reporting on status. In addition, teams outside Microsoft IT perform governance tasks by completing independent audits, security reviews, and compliance verification. Tools such as Audit Collection Services (ACS) for Microsoft System Center Operations Manager 2007 help Microsoft IT collect records generated by the audit policy and store them in a centralized database.
- Multiple authentication options With the variety of features and services that the extranet offers to meet business needs comes the need to offer multiple authentication options. By default, Microsoft IT does not allow anonymous authentication in the extranet and instead supports AD DS authentication, Active Directory Federation Services (AD FS) authentication, and Windows Live™ ID authentication. The majority of extranet services require accounts in the extranet forest, yet the extranet includes some applications designed with Windows Live ID authentication. Windows Live ID accounts are restricted to the specific applications granted for each account in conjunction with client certificates that extranet applications issue. Microsoft IT prefers AD FS–based authentication because it offers finer granularity of control through security identifiers (SIDs), groups, Group Policy settings, and other AD DS features.
- Data privacy Microsoft keeps data privacy as a top priority by designing with security built in at every decision, and by doing proactive intrusion detection and penetration testing during and after deployment. In addition, the Microsoft legal department helped implement vendor policies to check with vendors on the types of data they access and retain. Depending on the access permissions, Microsoft requires vendors to implement internal safeguards for data protection, and perform audits to ensure that the safeguards work as designed.
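The "Auditing and reporting" item above mentions custom tools that check for nonsecure configurations such as granting "Unauthenticated Users" or "Everyone" access on shares. The following PowerShell script is an added example of such a check; it is not Microsoft IT's tool. It assumes the SmbShare module (Windows Server 2012 or later) and, for remote hosts, PowerShell remoting; the server names in the example run are placeholders.

```powershell
# Added example (not Microsoft IT's tool): flag SMB shares whose ACL allows access
# to "Everyone" or "ANONYMOUS LOGON", the nonsecure share configurations the paper
# describes. Assumes the SmbShare module and PowerShell remoting for remote hosts.

function Find-OpenShare {
    [CmdletBinding()]
    param(
        # Computers to audit; defaults to the local host.
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # Principals whose presence in an Allow ACE makes a share "open".
        # "ANONYMOUS LOGON" also matches "NT AUTHORITY\ANONYMOUS LOGON".
        [string[]]$RiskyPrincipal = @('Everyone', 'ANONYMOUS LOGON')
    )

    # Runs on each target and emits one object per risky ACE.
    $audit = {
        param($RiskyPrincipal)
        # Skip the hidden administrative shares (C$, ADMIN$, IPC$); their ACLs are fixed by Windows.
        foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
            foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
                $matched = $RiskyPrincipal | Where-Object { $ace.AccountName -like "*$_" }
                if ($ace.AccessControlType -eq 'Allow' -and $matched) {
                    [pscustomobject]@{
                        ComputerName = $env:COMPUTERNAME
                        Share        = $share.Name
                        Path         = $share.Path
                        Principal    = $ace.AccountName
                        AccessRight  = $ace.AccessRight   # Read, Change or Full
                    }
                }
            }
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $audit $RiskyPrincipal
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $audit -ArgumentList (,$RiskyPrincipal)
        }
    }
}

# Example run over two placeholder front-end servers plus the local host.
Find-OpenShare -ComputerName 'FE-SRV01', 'FE-SRV02', $env:COMPUTERNAME |
    Sort-Object ComputerName, Share |
    Format-Table -AutoSize
```

The script reports rather than remediates: an "Everyone" entry is not always wrong (the NTFS ACL on the folder may still restrict access), so each finding should be reviewed against the share's intended audience before the ACE is removed. Exporting the objects to CSV gives a record that governance teams can reconcile against approved exceptions.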
Microsoft IT designed building blocks for the extranet that include network segments, Active Directory forest and domain details, trusts, firewall access rules, load balancing, and more. These building blocks are arranged into zones, which correspond to data centers. The extranet includes two Active Directory forests (one for production and one for pre-production), firewalls that separate network segments, and servers with specific communication paths that are explicitly defined via least-privilege best practices. Figure 2 shows the network architecture with the extranet building blocks.
Figure 2. Extranet topology design
Each data center houses the standard architecture shown in Figure 2, but with differing numbers of servers to handle the region-specific user load. The building blocks for each data center include the following components:
- Security-enhanced load balancing with network address translation (NAT) Microsoft IT uses devices between the Internet and front-end servers that map a public Internet Protocol (IP) address to a private, non-routable (RFC 1918) IP address through NAT. These devices support various load-balancing schemes and session persistence. Some applications, such as shopping carts that use Secure Sockets Layer (SSL), require load balancers to direct traffic to the same server after a host establishes a session. The devices that Microsoft IT uses support session persistence by tracking the source IP, by tracking the session ID, or by inserting Hypertext Transfer Protocol (HTTP) cookies. The extranet also uses Windows® Network Load Balancing (NLB) in some instances instead of the hardware devices, according to the requirements of specific applications. This building block also incorporates routers, firewall controls, and intrusion detection systems that exist to control access from Internet hosts to extranet servers, and vice versa. Microsoft IT restricts all outgoing traffic unless it is part of a session initiated from an external host to an internal NAT-published front-end server, and publishes only ports 80 and 443 by default. For thick-client applications that require ports 1801 (Message Queuing, also known as MSMQ) and 3389 (Terminal Services), Microsoft IT implemented a security review process to help ensure that only necessary access is granted.
- Global load balancing Microsoft IT uses Domain Name System (DNS), which can globally balance connections that initiate from Internet hosts to the data centers. The DNS-based load balancing directs clients to the most efficient location.
- Business partner segment For dedicated point-to-point connections and Point-to-Point Tunneling Protocol (PPTP) connectivity, Microsoft IT maintains a separate network segment as an added layer of protection. This enables Microsoft IT to explicitly permit traffic from specified partner networks and control access from the partner segment to the front-end segment.
- Front-end segment Microsoft IT uses the front-end network segment to regulate incoming and outgoing traffic by placing servers in it that accept traffic from the Internet or business partner segment, and transmit that traffic to servers in the back-end segment, or vice versa. By default, servers in the front-end segment that are located in different data centers cannot communicate. The servers in this segment are dual homed, with one network card facing the back-end segment and one facing the front-end segment.
- Back-end segment The back-end segment houses servers that are responsible for data storage and that connect to the internal corporate production environment. One-way selective authenticated trusts between the forests enable Microsoft IT to securely permit and log access by using least-privilege principles. This segment includes domain controllers, ERP data silos, and servers running Microsoft SQL Server® database software, Microsoft BizTalk Server, and other middleware platform services. By default, all servers on the back-end segment can communicate to facilitate Active Directory replication and for management and monitoring via the corporate network.
- Active Directory and Windows Server dependencies An extranet building block that is foundational to applications is the underlying Active Directory infrastructure and enabling Windows Server technologies such as AD FS. Microsoft IT developed a custom, centralized authentication and authorization framework solution named Relationship eXperience Platform Security (RXP Security). This solution facilitates application deployment by enabling Microsoft IT to authenticate and verify user identity, and authorize access to defined resources.
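The back-end segment description above relies on one-way, selective-authentication trusts between the extranet forest and the corporate forest so that trusted users can authenticate only to the specific extranet computers on which they have been granted the "Allowed to Authenticate" right. The following PowerShell is an added example, not Microsoft IT's configuration, of checking that policy and granting that right. It assumes the ActiveDirectory module and the AD: drive it provides, and uses the placeholder forest names extranet.example.com (the extranet, trusting side) and corp.example.com (the corporate, trusted side) and a placeholder group name.

```powershell
# Added example (not Microsoft IT's configuration). Assumes the ActiveDirectory
# module, run from a host in the extranet forest; extranet.example.com and
# corp.example.com are placeholder forest names.

Import-Module ActiveDirectory

# Report every trust visible from the extranet forest against the stated policy:
# one-way (never BiDirectional) and selective authentication enabled.
function Test-ExtranetTrust {
    [CmdletBinding()]
    param([string]$Server = 'extranet.example.com')

    foreach ($trust in Get-ADTrust -Filter * -Server $Server) {
        $findings = @()

        # A two-way trust would also let extranet accounts into the corporate forest.
        if ($trust.Direction -eq 'BiDirectional') {
            $findings += 'trust is two-way; policy requires one-way'
        }

        # Without selective authentication every trusted user becomes "Authenticated Users"
        # on every extranet computer, defeating least privilege across the boundary.
        if (-not $trust.SelectiveAuthentication) {
            $findings += 'selective authentication is disabled'
        }

        [pscustomobject]@{
            Target                  = $trust.Target
            Direction               = $trust.Direction
            SelectiveAuthentication = $trust.SelectiveAuthentication
            Compliant               = ($findings.Count -eq 0)
            Findings                = ($findings -join '; ')
        }
    }
}

# With selective authentication on, access is granted per computer object by adding the
# "Allowed to Authenticate" extended right for a group from the trusted forest.
# The right's GUID is looked up in the schema rather than hard-coded.
function Grant-AllowedToAuthenticate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,   # extranet computer, e.g. 'EXT-SP01'
        [Parameter(Mandatory)] [string]$GroupName       # trusted-forest group, e.g. 'CORP\Extranet-SP-Users'
    )

    $configNC = (Get-ADRootDSE).ConfigurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                 -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
    if (-not $right) { throw 'Allowed-To-Authenticate extended right not found in the schema.' }

    $computer = Get-ADComputer -Identity $ComputerName
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [guid]$right.rightsGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

Test-ExtranetTrust | Format-Table -AutoSize

# Remediation for a trust that fails the selective-authentication check, run in the
# trusting (extranet) domain with the documented netdom syntax (shown, not run here):
#   netdom trust extranet.example.com /domain:corp.example.com /SelectiveAuth:yes
```

Granting the right to a group rather than to individual users keeps the per-computer ACL small and lets the approval record (the director or vice president sign-off the paper describes) map to a group membership change that the audit collection pipeline already logs.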
As already mentioned, several design decisions persist through the building blocks. For example, in each segment, Microsoft IT uses hardware load balancers that support round robin, ratio, and least-cost connection methods to provide scalability. In addition, Microsoft IT designs the building blocks with its security, availability, and monitoring goals in mind.
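The load-balancing and NAT building block above publishes only ports 80 and 443 to the Internet by default, with 1801 (MSMQ) and 3389 (Terminal Services) allowed only after a security review, and the front-end servers are dual homed. The following PowerShell is an added example, not Microsoft IT's tooling, of a host-side drift check that lists what a front-end server is actually listening on through its Internet-facing interface and classifies each port against those two sets. It assumes the NetTCPIP module (Windows Server 2012 or later); the front-end interface address passed in is a placeholder for the server's real RFC 1918 front-end address.

```powershell
# Added example (not Microsoft IT's tool): classify TCP listeners reachable through the
# NAT-published front-end interface of a dual-homed server. Assumes the NetTCPIP module.
# Listeners bound only to the back-end address (AD, management, monitoring) are excluded.

function Get-ExposedListener {
    [CmdletBinding()]
    param(
        # IPv4 address of the front-end (Internet-facing) network card; placeholder value.
        [Parameter(Mandatory)] [string]$FrontEndAddress,

        # Ports published by default and ports permitted only with a recorded security review.
        [int[]]$Published         = @(80, 443),
        [int[]]$ReviewedException = @(1801, 3389)
    )

    # A socket bound to the wildcard address is reachable on every interface, so it counts
    # as exposed just like one bound explicitly to the front-end address.
    $wildcard  = @('0.0.0.0', '::')
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -eq $FrontEndAddress -or $_.LocalAddress -in $wildcard }

    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $status = if ($l.LocalPort -in $Published)         { 'published by default' }
                  elseif ($l.LocalPort -in $ReviewedException) { 'exception; requires review record' }
                  else                                          { 'NOT APPROVED' }

        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Port         = $l.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($l.OwningProcess)" }
            Status       = $status
        }
    }
}

# Example run; 10.20.1.15 is a constructed placeholder front-end address.
Get-ExposedListener -FrontEndAddress '10.20.1.15' |
    Sort-Object Status, Port |
    Format-Table -AutoSize
```

The hardware firewall and NAT devices decide what is actually reachable from the Internet; this check catches the host-side half of the problem, a service that starts listening on a wildcard address after an application change, so that the firewall exception list and the server's real attack surface can be reconciled. Anything reported as NOT APPROVED should be bound to the back-end interface or removed, not simply added to the exception set.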
After Microsoft IT surveyed teams for current and future use scenarios, and designed building blocks that would accommodate security-enhanced user access, LOB and middleware application connectivity, and business requirements, Microsoft IT ensured that the design supported the business requirements. Based on the goals and use cases, Microsoft IT supports the following services in the extranet:
- Workflows Multiple use scenarios involve each property owner using custom workflows to complete the tasks. The Microsoft culture gives each owner an opportunity to define individual workflows, yet the extranet had to support each one. The previous systems deployed to support many workflows proved challenging to integrate from an operations point of view. By using standardized building blocks, Microsoft IT can establish the foundation for supporting many disparate workflows. These workflows include executives gathering for summits and using a workspace to access common documents; or developers sharing very large files such as performance or anomaly logs for diagnostic purposes during software development projects.
- Project and program management Microsoft IT wanted to enable managers to use custom workflows and processes for any projects. Combined with the goal to use Microsoft products, Microsoft Office Project Server provided an ideal solution of an integrated tool for managing deliverables, resources, and timelines. By using Office Project Server, Microsoft IT gave internal and external users access to a shared workspace, resolved the technical challenge of content sharing, and gave people access to the same timelines and plans. For more information about how Microsoft IT configured and deployed Office Project Server in the extranet, refer to the case study "Enterprise Project Management at Microsoft" at http://technet.microsoft.com/en-us/library/bb735146.aspx.
- Document sharing and content version control Microsoft IT uses Microsoft Office SharePoint® Server and Windows SharePoint Services as the solution to provide content version control, and for customized and basic SharePoint sites. SharePoint technologies take advantage of Active Directory control mechanisms and reduce overhead by integrating with Microsoft-based operations tools, such as Microsoft System Center Data Protection Manager and System Center Operations Manager. SharePoint technologies include built-in features such as version control, site templates, and integration with Rights Management Services that embed security in the data elements themselves. Document sharing encompasses many use scenarios, especially for marketing, sales, and product groups to produce training material, books, Web content, Help files, and other documentation.
- Application development and source code management Microsoft Visual Studio® Team System provides Microsoft developers with a platform that can integrate vendor resources and internal resources in a development project. Microsoft IT supports the many features of Visual Studio Team System in the extranet, including team portals, version control, work-item tracking, build management, process guidance, and business intelligence. Visual Studio Team System integrates with Microsoft Office Excel® spreadsheet software and Office Project Server for added project management functionality. Microsoft IT defines Helpdesk, site owner, sponsor, sponsorship manager, sponsorship delegate, and end-user roles with permission templates for each role. The permissions assigned to each role help ensure that governance and monitoring teams can perform auditing and compliance tasks. One example of how a Microsoft team uses Visual Studio Team System is the OEM Division, which uses it to develop and maintain custom solutions for the embedded device industry.
- Financial operations The secure-by-design philosophy that Microsoft IT used in designing the extranet environment helps ensure that financial applications can access back-end databases and that users can access them securely. Although many Microsoft applications deal with finances, several are especially important and widely used. The first is the order system that supports all orders placed at Microsoft, including repairs for hardware, subscriptions, software products, and printed content. It supports security-enhanced credit card transactions that are PCI compliant, communicates with the ERP system, and includes a management user interface, reporting capability, and localized version support. The second widely used system for financial operations is the ERP software, which users can access via Terminal Services, and the client graphical user interface (GUI). Microsoft IT provides dedicated VPN tunnels to the business-partner segment, from which users can access enterprise data. The extranet supports this scenario through remote procedure call (RPC) calls to the database. The third application element is a BizTalk middleware feature that translates data between other applications.
- Terminal Services Several use scenarios that involve sensitive data require Terminal Services access. Microsoft IT approves the use of Terminal Services on a case-by-case basis after reviewing the business use case. Software restriction policies are used to restrict user-level activity on the servers to only the specific application permitted.
- Business-enabling application support With the building blocks in place, Microsoft IT can support existing applications and roll out new ones rapidly by deploying the required servers in the network segments, creating accounts, crafting structured onboarding processes, and publishing servers for access from the Internet.
- Telephony The extranet is a convenient place to put telephony devices that require external support because it is the security-enhanced middle ground that has access to the internal production environment and supports access for vendors. Telecom vendors who need access can connect to telephony devices via VPN connections.
The extranet environment, as part of the overall Microsoft IT infrastructure, benefits from the centralized monitoring teams, processes, and systems in place. Microsoft IT follows a tiered approach to monitoring, in which the global Helpdesk includes front-line operators who monitor the environment by using System Center Operations Manager. If these tier 1 operators cannot resolve an issue, they escalate it to tier 2 and tier 3 specialists responsible for a specific service. For an example of the team structures responsible for a specific service, refer to the white paper "Operating a Global Messaging Environment by Using Exchange Server 2007" at http://technet.microsoft.com/en-us/library/bb897854.aspx.
The System Center family of products enables Microsoft IT to perform the necessary oversight and meet SLAs. Among other benefits, System Center products help Microsoft IT perform patch management and end-to-end monitoring of its systems. For more details about how Microsoft IT uses System Center in the extranet to monitor LOB applications, refer to the technical solution brief "Managing Line of Business Applications Using Microsoft System Center Operations Manager 2007" at http://technet.microsoft.com/en-us/library/bb735227.aspx, and the white paper "Event Monitoring and Response on the Microsoft Network" at http://technet.microsoft.com/en-us/library/bb735148.aspx.
Microsoft IT developed a custom tool to monitor computers on the network for compliance with security policies. This tool obtains target names from AD DS, IP addresses, or lists of hosts, and then connects to all domain-joined computers running Windows to help ensure policy compliance. Upon discovering non-compliance, the tool attempts to remediate the issue by notifying the user that action is required or by automatically installing necessary security updates or software updates. It can also remove a computer from the network by disabling the network port until the user has completed the necessary action. With the development of Network Access Protection (NAP) for Windows Server 2008, Microsoft IT plans to enforce compliance with required software updates by using Microsoft System Center Configuration Manager 2007 with NAP. For more information about NAP, refer to the case study "Using Configuration Manager 2007 to Extend Software Update Compliance Across Networks" at http://technet.microsoft.com/en-us/library/cc678664.aspx, and the webcast "How Microsoft Does IT: Managing Network Access Protection" at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032391120&Culture=en-US.
Auditing and Remediation
To satisfy internal policy, assist the legal department with compliance and discovery, report on server and account compliance, and perform other governance tasks, Microsoft uses a combination of systems, teams, and processes. The System Center family includes built-in auditing and reporting features, and add-ins such as ACS that Microsoft IT uses for patch management, configuration auditing, and compliance. Because the extranet has security built in to its design and incorporates classic network controls (firewall and filtering)—in addition to operating systems with unnecessary services disabled and application-level security—collecting logs, usage details, and other access control-related auditing data is a straightforward process. However, even with logs and data collected in a central compliance database, the Microsoft team responsible for governance must correlate the large volume of data to create reports about potential access breaches and configuration discrepancies. For more information about how Microsoft IT monitors network security, responds to intrusion attempts and policy violations, and conducts computer forensic investigations, refer to the webcast "Security Monitoring and Investigations on the Microsoft Corporate Network" at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032403880&Culture=en-US.
The governance team faces many challenges in ensuring that the extranet environment remains secure and compliant. For example, the reports pull data from a central database that contains data from various log files from servers, firewall logs, summary data from System Center programs, traffic data from intrusion detection systems, antivirus software, and other sources.
Microsoft IT spent months in the planning phase, gathering details, analyzing application needs, and generally making sure that everything was in place before starting deployment. The extranet environment provides the foundation for hosting and publishing applications. Therefore, Microsoft IT must deploy the proper building blocks in each data center. With the network and Active Directory environment in place, Microsoft IT fine-tunes settings, creates user accounts, and deploys applications.
In accordance with the typical phased-in approach that Microsoft uses in deployments, Microsoft IT deployed the extranet in three major phases. The first phase involved implementing the physical network in the data centers. This phase entailed requesting routers, switches, server cabinets, and related physical infrastructure. The goal of this phase was to set up a configured environment for implementing the rest of the building blocks. The next phase involved deploying and configuring the Active Directory environment and establishing RXP Security for authentication. The last step occurred over several years and even continues to this day because it involves application and user onboarding. Microsoft IT rolls out features via applications as they exit acceptance testing and become service ready.
By the time that Microsoft IT needed to roll out the underlying network infrastructure, it had spent months planning for an environment that accommodated the necessary use cases. Microsoft IT developed checklists, organized implementation teams, and created architecture diagrams with specific details for what components to roll out and when. Microsoft IT includes a dedicated infrastructure team that takes requirements and implements them in data centers. Figure 3 shows an example implementation in a data center with servers and data flow for one use scenario.
Figure 3. Published service example
With published services, traffic follows this path:
- The user requests the URL of the application with the corresponding published front-end server.
- After being routed through border and security routers, firewall, and network intrusion detection system (NIDS) that block all traffic except ports 80 and 443, the hardware load balancers (HWLBs) with Secure NAT (SNAT) direct requests to the appropriate front-end server that resides on the front-end segment.
- The front-end servers communicate with the back-end servers; the result depends on the application or service used. Some services, such as Windows SharePoint Services, have an intact front-end/back-end architecture that does not require integration with or access to applications that reside on the corporate network.
- One solution that Microsoft IT uses for applications that need to access resources on the corporate network is Message Queuing. In these scenarios, front-end servers send requests to a Message Queuing server in the extranet back-end segment, which communicates with a Message Queuing server on the corporate network. The Message Queuing server on the corporate network can then communicate with internal LOB applications.
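The path above doubles as a segmentation policy: the only route from the Internet to the corporate network should run through the Message Queuing hop in the back-end segment. The following added example (not Microsoft IT's tooling) models the permitted flows as a rule set, computes which segments an Internet client can reach, and flags any rule that bypasses the queue hop; the segment names and the MSMQ TCP port 1801 are assumptions.

```python
from collections import deque

# Constructed rule set modelled on the published-service path (not Microsoft
# IT's actual configuration). Each entry is (source segment, destination
# segment, TCP port). MSMQ's TCP port 1801 is assumed; the page names no port.
ALLOWED_FLOWS = {
    ("internet", "hwlb", 80), ("internet", "hwlb", 443),   # border filter + NIDS
    ("hwlb", "front-end", 80), ("hwlb", "front-end", 443),  # SNAT to front-ends
    ("front-end", "back-end", 1801),                        # extranet MSMQ server
    ("back-end", "corpnet", 1801),                          # corpnet MSMQ server
}

# Segments that nothing on the Internet may talk to directly.
INTERNAL_SEGMENTS = {"front-end", "back-end", "corpnet"}


def is_permitted(flows, src, dst, port):
    """Default-deny check: a flow exists only if a rule names it exactly."""
    return (src, dst, port) in flows


def reachable_paths(flows, start):
    """Breadth-first search over the segment graph induced by the rules.

    Returns {segment: shortest hop list from start}. Ports are ignored so that
    any permitted flow counts as an edge between two segments.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in sorted(flows):
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    return paths


def check_segmentation(flows):
    """Return policy violations: direct Internet access to an internal segment,
    a front-end rule that skips the back-end queue hop, or any route from the
    Internet to corpnet that does not pass through 'back-end'."""
    violations = []
    for src, dst, port in sorted(flows):
        if src == "internet" and dst in INTERNAL_SEGMENTS:
            violations.append(f"internet reaches {dst}:{port} directly")
        if src == "front-end" and dst == "corpnet":
            violations.append(f"front-end bypasses MSMQ hop to corpnet:{port}")
    path = reachable_paths(flows, "internet").get("corpnet")
    if path and "back-end" not in path:
        violations.append("corpnet reachable without back-end hop: " + " -> ".join(path))
    return violations


if __name__ == "__main__":
    print("SSH from internet allowed?", is_permitted(ALLOWED_FLOWS, "internet", "hwlb", 22))
    print("baseline violations:", check_segmentation(ALLOWED_FLOWS))
    leaky = ALLOWED_FLOWS | {("front-end", "corpnet", 1801)}   # constructed shortcut rule
    print("with shortcut rule:", check_segmentation(leaky))
```

Running the same check against an exported firewall rule set, mapped to segment names, is a cheap way to catch a shortcut rule added during an application exception.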
Microsoft IT implemented the firewalls, intrusion detection systems, monitoring systems, and building blocks defined in the design specifications to prepare for application deployment.
Microsoft IT uses dedicated teams for each major application or service that it deploys in the extranet. These teams are responsible for administering and configuring their own servers. They design the server architecture, size for capacity, and verify functionality before production deployment. The IT Showcase Web site contains content for the design and deployment details for many services deployed in the extranet, such as the following:
- AD DS on Windows Server 2008 Although this is an underlying dependency in the environment, a dedicated Windows Server team administers servers and manages the environment. Among other tasks, the team configured AD FS to support authentication via RXP Security, configured trusts and Group Policy settings, and configured security features, such as NAP.
- Windows SharePoint Services and Office SharePoint Server technologies Before SharePoint technologies, Microsoft IT used IIS with Web folders and Server Message Block (SMB) shares available over PPTP VPN connections or Web Distributed Authoring and Versioning (WebDAV). SharePoint technologies enable Microsoft to provide customizable content management and collaboration in a centralized way. For more information about SharePoint technologies at Microsoft, refer to the white paper "Microsoft Office SharePoint Server 2007 Hosting" at http://technet.microsoft.com/en-us/library/bb735197.aspx.
- System Center family of products Microsoft uses System Center Operations Manager, System Center Configuration Manager, and System Center Data Protection Manager to lower its administrative overhead. System Center Data Protection Manager also helps with disaster recovery and backup. For more information about the design and deployment details of how Microsoft IT uses the System Center products, refer to the IT Showcase content about systems management at http://technet.microsoft.com/en-us/library/bb687799.aspx.
- Microsoft Exchange Although by default vendors and partners do not receive e-mail accounts, the extranet does host Exchange servers for system mailboxes and to support specific use cases, such as impersonation for customer service representatives. For more information about how Microsoft IT designed, implemented, and manages the Exchange organization, refer to the IT Showcase content about Microsoft Exchange Server at http://technet.microsoft.com/en-us/library/bb687782.aspx.
In the course of designing, implementing, and operating the extranet environment, Microsoft IT followed these best practices:
- Design and plan first The extranet environment works for Microsoft and its vendors and partners because Microsoft IT designed it with security, operations, and usability considerations from the start. The risks, dependencies, technical requirements, and trends must be analyzed for proper provisioning, hardware sizing, and workflow.
- Use proven frameworks Methodologies and approaches such as Information Technology Infrastructure Library (ITIL), MOF, MSF, SDLC, and others define frameworks that Microsoft IT uses to help guide its processes. Using frameworks enables consistency in approach and helps to meet obligations by sticking to best practices.
- Create scalable and flexible building blocks Microsoft IT faced the dilemma of having to support tens of thousands of applications on the extranet; although they share similarities, it is impossible to account for every application's requirements and design support for each one. Instead, Microsoft IT created flexible building blocks that included physical network devices and logical security concepts to be able to rapidly scale the infrastructure in a secure way. New and custom applications can be granted exceptions on a case-by-case basis.
- Build security into every component Microsoft IT followed the secure-by-design approach, which entails performing risk analysis on every physical and logical component. Microsoft IT provided security for devices via router access control lists (ACLs), firewall filtering, and intrusion detection systems; communication via security protocols; authentication via policy and Windows Server technologies; segments via separate virtual local area networks (VLANs); and so on.
- Include business stakeholders in decision making The extranet environment represents a policy and administration challenge in addition to a technical challenge. Microsoft IT involved the legal department, managers, and other key stakeholders before settling on a final design.
- Think like a partner Considering partner needs and behaviors enables engineers to anticipate usability and security needs, as well as common ways in which partner users may try to circumvent controls, and design the environment to address these needs.
- Implement change control paths One of the internal tools at Microsoft is an application that tracks all other applications deployed in the extranet. It enables Microsoft IT to view status and plan for change management needs.
- Follow security best practices In addition to standard frameworks, Microsoft IT kept best practices such as the immutable laws of security and least-privileged access in mind. For more information about common security best practices, refer to the article "Enterprise Security Best Practices" at http://technet.microsoft.com/en-us/library/dd277328.aspx.
- Balance business need with security In the extranet design, Microsoft IT had to follow security best practices, yet accommodate special needs. Sometimes, maintaining this balance entailed asking application owners to change the architecture; and sometimes, it entailed making exceptions for specific applications. Through a security review, Microsoft IT assessed the risks of each and determined the best response.
The extranet environment presented Microsoft IT with many challenges for how to give partners and vendors access, yet maintain security. Microsoft IT methodically examined the business needs of its users and created solutions by using Microsoft products and technologies such as ISA Server, Windows Server, SQL Server, and AD FS. The idea to use building blocks proved helpful because it enabled easier segmentation of responsibilities, deployment, and auditing. All the components underwent security auditing and verification in a pre-production environment before going live.
With the extranet in place, Microsoft IT faces new challenges for how to provide the best and most secure service. The extranet supports many use scenarios, but at its core, it provides an underlying infrastructure that can host applications and act as an intermediary between the Internet and internal hosts. The current extranet uses traditional network design principles such as segments, user access control, and explicit permissions. Application developers depend on these network infrastructure components and design their applications with those dependencies in mind.
Microsoft IT recognizes that application developers can benefit from an extranet environment that is not restricted by boundary-dependent workflows. Currently, developers need to navigate through a maze of processes and technical dependencies when deploying applications. There is also a lack of single sign-on (SSO) for cross-enterprise resource access. In other words, Microsoft IT can look forward to future improvement opportunities for next-generation extranet designs that result in better usability and performance tradeoffs with security and operability.
For future enhancements to the partner environment, Microsoft IT plans to reduce focus on network segmentation and instead focus on the emerging hosted service model to deliver extranet services. This change would empower application developers to concentrate on improving business logic, performance, and ease of use by freeing them from topology-dependent solution development. In addition to traditional security controls, Microsoft IT plans to use host communication boundaries for security-enhanced and direct host-to-host communication, identity boundaries for authentication and authorization, application boundaries for more granular access control, and data boundaries to help with data-in-use safeguards to complete the data life-cycle protection, auditing, and compliance.
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BizTalk, Excel, SharePoint, SQL Server, Visual Studio, Windows, Windows Live, Windows Server, and Xbox are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.