Chapter 3: Security
Overview
Security is a core aspect of Service Management in today's business world. It is a protective barrier that keeps the business operating in a safe, productive environment. Security insulates infrastructure and provides reliability and credibility to the business. Windows Vista technology offers an organization many new and enhanced security features.
Scenario...
Linda approaches Kevin Cook, Woodgrove's Security Manager, to provide support for the Windows Vista deployment. Kevin discusses this with his Security Advisory committee, stating that this Windows Vista desktop deployment should initially be viewed like any other IT project: as an ongoing process of analysis and adjustment with regards to people, process, and technology. Kevin outlines the scope of the project to his team: 1) Build security into the multiple user profiles; 2) Establish data migration procedures.
Kevin and his team identify several security challenges that Windows Vista security technologies will address:
- A user is tricked into downloading malware from the Web.
- Installation of non-standard software violates system integrity.
- AutoPlay attempts to run malware automatically from a removable drive.
- An offline attack method is used to view confidential data on a stolen laptop.
Kevin explains to this team that the solutions they come up with must incorporate administrative controls, technical controls, and physical controls while meeting functional requirements.
Classifying IT controls into general categories helps identify the nature of the control while establishing the likely approach to monitoring, testing, and assessing the design and operating effectiveness of the control:
- Administrative controls. Standards, policies, and procedures, as well as ancillary controls such as communications and awareness training programs. Examples include:
  - Information Classification Policy. Ensures classification of information and rights of access at each level.
  - Business Continuance Policy. Ensures that all aspects of the business are considered in the event of a disruption or disaster.
  - Change management process. Ensures that changes to the IT environment are applied in the correct manner.
- Technical controls. Access controls, encryption mechanisms, and other technologies used to protect logical information assets from unauthorized use. Examples include:
  - Microsoft BitLocker drive encryption
  - Encrypting File System (EFS)
  - User Account Control (UAC)
  - Access Control Lists (ACL)
  - Physical access to a computer is controlled through password-protected screensavers.
- Physical controls. Controls that protect the physical devices on which the information is stored or transmitted. Examples include:
  - Security cables on computers inhibit unauthorized removal of equipment.
  - Locks on doors and windows help control physical access to devices.
  - An Uninterruptible Power Supply (UPS) is available to sustain business activity on computers in case of a power outage.
  - Data and OS are backed up and recoverable to a remote location for business continuance.
Scenario...
Kevin considers the duty cycle of the laptop computer, from OFF to ON to OFF, and evaluates the use and impact of different Windows Vista features and business and security requirements at each phase of the cycle. First, he reads the Windows Vista Security Guide to understand and evaluate recommendations for protecting his Windows Vista computers. By using Windows Vista BitLocker and EFS technologies, Kevin plans to achieve the level of security required for the Financial Analysts' laptops. He takes time to talk with other IT professionals as well as business users to understand the risks and costs involved in applying or not applying the technology. He determines how these issues can be addressed using BitLocker and EFS through the Information Classification Policy, as well as the other technical and physical controls required by his company's security policy. He organizes his understanding according to the following duty cycle phases, illustrated in Figure 3.1.
Figure 3.1. Windows Vista security throughout the laptop duty cycle
By focusing on Windows Vista data protection and security features, an IT professional will be able to define a controlled desktop environment. The following Windows Vista data protection features can aid in securing a mobile computer environment:
BitLocker drive encryption. Helps protect the operating system and the data on the system volume in two ways. First, BitLocker can validate that critical components of the operating system have not been tampered with prior to startup. This is done in conjunction with a Trusted Platform Module (TPM 1.2) that is installed on the system board of the computer. In addition, BitLocker can encrypt the system volume, protecting the data on that volume from being read by unauthorized individuals. The BitLocker encryption keys can be stored using the TPM, the TPM plus a PIN, a USB device alone, or a TPM combined with a USB device.
Encrypting File System. EFS is integrated into the NTFS file system. It encrypts files and folders to help protect data, and it does so transparently to users: authorized users access and work with encrypted files like any other file, whereas other users are denied access.
Risk assessment. EFS can help mitigate data theft or compromise due to lost or stolen mobile computers or due to exposure by an insider.
Rights Management Services (RMS). RMS helps protect sensitive e-mail, documents, and Web content through a mix of security and usage policy enforcement.
Risk assessment. RMS can help mitigate the risk of unauthorized personnel being able to view sensitive information.
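The following script is an added example and is not part of this guide or of the Windows Vista product documentation. It audits, on one computer, the protection state the three paragraphs above describe: whether a TPM 1.2 is present and enabled, whether each BitLocker-capable volume is protected and which key protectors (TPM, TPM plus PIN, USB startup key, and so on) are in use, and which files under a confidential folder lack the EFS Encrypted attribute. It uses the WMI providers that ship with Windows Vista (Win32_Tpm and Win32_EncryptableVolume) and must be run from an elevated PowerShell prompt; the confidential folder path is an assumed example.

```powershell
# Added example (not from the guide): audit TPM, BitLocker, and EFS state on one computer.
# Requires an elevated prompt; the Win32_Tpm / Win32_EncryptableVolume providers ship with Vista.

# KeyProtectorType values returned by Win32_EncryptableVolume.GetKeyProtectorType
$KeyProtectorName = @{
    0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery)'; 4 = 'TPM + PIN'
    5 = 'TPM + USB startup key'; 6 = 'TPM + PIN + USB startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}
# ProtectionStatus values returned by GetProtectionStatus
$ProtectionName = @{ 0 = 'OFF'; 1 = 'ON'; 2 = 'UNKNOWN' }

function Get-TpmState {
    # Win32_Tpm has no instances when the system board has no TPM 1.2 (or its driver is absent).
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

function Get-BitLockerState {
    # One Win32_EncryptableVolume instance exists per volume BitLocker can manage.
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $volumes) {
        $status = $v.GetProtectionStatus().ProtectionStatus
        # GetKeyProtectors(0) returns the IDs of protectors of every type.
        $ids = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)
        $protectors = foreach ($id in $ids) {
            $KeyProtectorName[[int]$v.GetKeyProtectorType($id).KeyProtectorType]
        }
        New-Object PSObject -Property @{
            Volume     = $v.DriveLetter
            Protection = $ProtectionName[[int]$status]
            Protectors = ($protectors -join ', ')
        }
    }
}

function Get-UnencryptedFiles {
    # Lists files under $Path that carry no EFS Encrypted attribute, for example in a
    # folder the Information Classification Policy designates as confidential.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ([int]($_.Attributes -band [IO.FileAttributes]::Encrypted)) -eq 0 } |
        Select-Object FullName
}

# --- Report ---
$tpm = Get-TpmState
if ($tpm) { "TPM: enabled=$($tpm.Enabled) activated=$($tpm.Activated) owned=$($tpm.Owned)" }
else      { 'TPM: not present (BitLocker would need a USB startup key instead)' }

Get-BitLockerState | ForEach-Object {
    "BitLocker $($_.Volume): protection $($_.Protection); protectors: $($_.Protectors)"
}

# Assumed example folder; substitute a path from your own classification policy.
$confidential = 'C:\Users\Public\Documents\Confidential'
if (Test-Path $confidential) {
    $plain = @(Get-UnencryptedFiles -Path $confidential)
    "EFS: $($plain.Count) unencrypted file(s) under $confidential"
    $plain | ForEach-Object { '  ' + $_.FullName }
}
```

A volume reported as ON with only a "TPM only" protector is protected against the offline attack on a stolen laptop described earlier but not against an attacker who can boot the machine, which is why the guide lists TPM plus PIN and TPM plus USB key as the alternatives; the protector list makes that choice visible per volume.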
Table 3.1. Data Protection Technology Comparison in Windows Vista

| Scenario | BitLocker | EFS | RMS | Physical Control |
|---|---|---|---|---|
| Laptop data protection | X | X | | X |
| Local single-user file and folder protection | X | X | | |
| Desktop data protection | X | X | | X |
| Shared computer file and folder protection | | X | | |
| Remote file and folder protection | | X | | |
| Untrusted network administrator protection | | X | | |
| Remote document policy enforcement | | | X | |
| Protect content in transit | | | X | |
| Protect content during collaboration | | | X | |
| Protect against data theft | | | | X |
Windows Vista security features that provide enhanced defense against malware:
User Account Control (UAC). The main goal of the UAC is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This tool provides a method of separating standard user privileges and tasks from those that require administrator access.
For more information, see "Windows Vista: User Account Control" at https://technet.microsoft.com/en-us/windowsvista/aa905108.aspx.
Windows Firewall. Now includes both inbound and outbound filtering to help protect users. It does this by restricting operating system resources that behave atypically. The firewall starts up automatically and is integrated with the Windows Vista network awareness so that specialized rules can be applied depending on the location of the client computer. For example, if a laptop computer is located on an organization's network, firewall rules can be defined by the administrator of the domain network environment that will match the security requirements of that network. However, when a user attempts to connect the same laptop to the Internet via a public network, such as a free wireless hotspot, a different set of firewall rules can be automatically applied to help ensure that the computer is protected from an attack.
For more information, see "Windows Firewall" at https://www.microsoft.com/technet/network/wf/default.mspx.
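The script below is an added example, not code from this guide, showing the location-aware behaviour just described through the Windows Firewall with Advanced Security COM interface (HNetCfg.FwPolicy2) that ships with Windows Vista. It reports which of the Domain, Private, and Public profiles is currently active and whether the firewall is on in each, then adds an outbound block rule that applies only while the Public profile is active, so the same program stays unrestricted on the domain network. Run it elevated; the rule name and program path are assumed examples.

```powershell
# Added example (not from the guide): per-profile firewall state and a Public-only rule.
# Uses the INetFwPolicy2 / INetFwRule COM interfaces available on Windows Vista.

$NET_FW_PROFILE      = @{ Domain = 1; Private = 2; Public = 4 }  # NET_FW_PROFILE_TYPE2 bits
$NET_FW_RULE_DIR_OUT = 2                                          # NET_FW_RULE_DIRECTION
$NET_FW_ACTION_BLOCK = 0                                          # NET_FW_ACTION

$policy = New-Object -ComObject HNetCfg.FwPolicy2

function Get-FirewallProfileState {
    # For each profile: is the firewall enabled, and is the profile active right now?
    # A laptop on the corporate LAN is on Domain; the same laptop at a hotspot is on Public.
    foreach ($name in 'Domain', 'Private', 'Public') {
        $bit = $NET_FW_PROFILE[$name]
        New-Object PSObject -Property @{
            Profile = $name
            Enabled = $policy.FirewallEnabled($bit)
            Active  = (($policy.CurrentProfileTypes -band $bit) -ne 0)
        }
    }
}

function Add-PublicOnlyOutboundBlock {
    # Blocks outbound traffic for one program only on public networks. Idempotent:
    # an existing rule with the same name is left alone.
    param([string]$RuleName, [string]$ProgramPath)
    if (@($policy.Rules | Where-Object { $_.Name -eq $RuleName }).Count -gt 0) { return }
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $RuleName
    $rule.Description     = 'Security baseline: no outbound traffic from this program on public networks'
    $rule.ApplicationName = $ProgramPath
    $rule.Direction       = $NET_FW_RULE_DIR_OUT
    $rule.Action          = $NET_FW_ACTION_BLOCK
    $rule.Profiles        = $NET_FW_PROFILE.Public   # not Domain, not Private
    $rule.Enabled         = $true
    $policy.Rules.Add($rule)
}

Get-FirewallProfileState | Format-Table Profile, Enabled, Active -AutoSize

# Assumed example program and rule name; replace with the application your policy names.
Add-PublicOnlyOutboundBlock -RuleName 'Woodgrove - block LOB sync on public networks' `
                            -ProgramPath 'C:\Program Files\Woodgrove\LobSync.exe'
```

Domain-wide rules of this kind are normally delivered through Group Policy rather than scripted per machine; the script is useful for verifying on a single laptop that the expected profile is active and that a rule is scoped to the profile you intended.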
Windows Vista Defender. Protects against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It performs real-time monitoring of important Windows Vista locations where malware may reside (such as the Startup folder and the autorun registry entries).
To offer the best protection against malicious software, Microsoft strongly recommends that customers also deploy a full antivirus solution in conjunction with Windows Defender.
For more information, see "Windows Defender" at https://technet.microsoft.com/en-us/windowsvista/aa905112.aspx.
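As an added example that is not part of this guide, the script below implements a baseline-and-compare audit of the autostart locations Windows Defender's real-time monitoring watches: the per-user and all-users Startup folders and the Run and RunOnce registry keys. On its first run it records a baseline; on later runs it reports entries that were added or whose command line changed, which is the kind of evidence a desk-side technician or an incident responder wants when a machine behaves unexpectedly. The baseline file path is an assumed example, and the all-users Startup folder path is the Windows Vista default.

```powershell
# Added example (not from the guide): snapshot and diff of common autostart locations.

$BaselinePath = "$env:ProgramData\Woodgrove\autorun-baseline.xml"   # assumed example path

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),                                   # current user
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"           # all users (Vista default)
)

function Get-AutorunEntries {
    # Returns one object per autostart entry: Location, Name, Command.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Location = $key; Name = $name; Command = [string]$item.GetValue($name)
            }
        }
    }
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer }) {
            New-Object PSObject -Property @{
                Location = $dir; Name = $f.Name; Command = $f.FullName
            }
        }
    }
}

function Compare-AutorunBaseline {
    # Reports entries that are new, or whose command changed, relative to the baseline.
    param($Baseline, $Current)
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.Location)|$($b.Name)"] = $b.Command }
    foreach ($c in $Current) {
        $id = "$($c.Location)|$($c.Name)"
        if (-not $known.ContainsKey($id)) {
            New-Object PSObject -Property @{ Change = 'ADDED';   Location = $c.Location; Name = $c.Name; Command = $c.Command }
        } elseif ($known[$id] -ne $c.Command) {
            New-Object PSObject -Property @{ Change = 'CHANGED'; Location = $c.Location; Name = $c.Name; Command = $c.Command }
        }
    }
}

$current = @(Get-AutorunEntries)
if (-not (Test-Path $BaselinePath)) {
    # First run on a freshly built image: record what the approved build starts automatically.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Clixml -Path $BaselinePath
    "Baseline written: $($current.Count) autostart entries recorded in $BaselinePath"
} else {
    $baseline = @(Import-Clixml -Path $BaselinePath)
    $changes  = @(Compare-AutorunBaseline -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) { 'No autostart changes since baseline' }
    else { $changes | Format-Table Change, Name, Location, Command -AutoSize }
}
```

Take the baseline from the approved build image before the computer is handed to a user, and treat any ADDED or CHANGED entry that change management cannot account for as something to investigate rather than silently re-baseline.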
Windows Vista Security Center (WSC). WSC runs automatically in Windows Vista as a background process that checks and displays the status of the firewall, automatic updates, malware protection, and other security settings. It is the computer's central hub of security information and constantly checks and displays the status of four important security categories:
- Firewall
- Automatic updates
- Malware protection
- Other security settings. For client computers running Windows Vista, WSC provides direct links to vendors that can be used to remediate problems that may arise on the computer. For example, if a third-party antivirus or anti-spyware solution is turned off or is out of date, WSC provides a button that the user can click to launch a vendor solution on the computer to correct the problem.
For more information, see "Windows Vista Security Center" at https://www.microsoft.com/windows/products/windowsvista/features/details/securitycenter.mspx.
Note: WSC provides links to the vendor Web site that the user can use to activate or renew a subscription or obtain updates. Knowing when security software is turned off or is out-of-date and having the ability to easily download updates is key to maintaining a virus-free environment.
Windows Vista Malicious Software Removal Tool. If somehow malicious software does infect a client computer, the Windows Vista Malicious Software Removal Tool provides a way to help remove the malware from the computer. When this tool is run, it scans the computer in the background and produces a report if it detects any infections. This tool operates outside of the OS and does not have any Group Policy settings in Windows Vista.
For more information, see "Windows Vista Malicious Software Removal Tool" at https://www.microsoft.com/security/malwareremove/default.mspx.
Risk assessment. The Malicious Software Removal Tool provides an additional layer of security to help detect and remove common malicious software in the following instances:
- If the installed real-time antivirus scanner does not detect a specific instance of malware.
- If the malware manages to disable the installed real-time antivirus scanner.
Scenario...
The Security Advisory committee works through the following steps to come up with an IT security solution for the Windows Vista deployment project. By following the steps shown in Figure 3.2, the project team can ensure that the security solution supports the objectives and key success criteria of the desktop service.
Figure 3.2. Steps for security planning, implementation, validation, and maintenance
Security Management Process
Step 1: Review Project Functional Requirements
Objective:
- Analyze and understand the business priorities of the end users' various functional requirements.
Success Criteria:
- A prioritized list of business requirements that will be used to allocate resources.
- Gain contextual information for possible security and functionality trade-offs.
Frequency:
- Initial work to interview business customer stakeholders and identify points of alignment.
- Initial observations of end users in their workplaces.
Step 2: Baseline Security Threat Agents, Threats, Risks, and Exposures
Objective:
- Use the organization's internal knowledge, internal guidelines, and up-to-date information on IT security from vendors' support sites to proactively determine and document likely security concerns related to each user profile and the chosen products and technologies.
Success Criteria:
- Proactive use of organization's IT security track record.
- Potential security threat agents, threats, and exposures are documented.
Frequency:
- Initial effort for each project.
- Ongoing tracking of organizational successes and challenges.
- Regular monitoring of industry status with regards to IT security.
A Visio diagram, such as the example included below of the Woodgrove Sample Security Risk Assessment, is a good way to document risk assessment.
Exhibit 3.1. Sample Security Risk Assessment
Access this content as part of the WVSLM download package.
Step 3: Analyze and Prioritize Security Exposures
Objectives:
- Gain deeper insight into the probabilities and possible business impacts of various IT security risk conditions by defining and prioritizing IT security risks to the project according to their potential impact to the business.
- Assign ownership of security risks to the proper subject matter expert (SME).
Success Criteria:
- Detailed, prioritized IT security risk management document that calls out top risk factors with assigned ownership.
Frequency:
- Initial creation of documents.
- Ongoing (weekly to bi-weekly) tracking of risk ranking/reprioritization.
- Ongoing tracking and management by individual risk owners.
Step 4: Develop Mitigation Plans for Top Risks
Objective:
- Create specific mitigations for the top risks by evaluating, selecting, and planning for development, testing, and implementation of people, process, and technology countermeasures.
Success Criteria:
- Specific designs, including products and technologies, to mitigate the most likely IT security exposures have been incorporated into the project's functional specification (or design documents).
- The security plan sets a baseline and is submitted to project management (see below in Tools and Techniques) for incorporation into the master project plan.
- Resources for IT security risk mitigation and contingency planning have been allocated in project schedules.
Frequency:
- After initial creation of a prioritized risk management document.
- Each time a risk enters the top risk list during periodic review.
The process of risk identification, analysis, and ultimate mitigation can be considered as a set of related steps. By following the risk management approach in MOF, organizations can deepen their understanding of risk and develop more effective and efficient risk mitigations. For more details, see MOF Risk Management Discipline at https://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofrisk.mspx.
Figure 3.3. The 6-step MOF Risk Management Discipline
Step 5: Build the Security Solution
Objective:
- To develop and integrate the IT security solution into the overall project solution build.
Success Criteria:
- Team creates the IT security solution in tandem with required business functionality, including infrastructure, code, release documentation, and user experience.
- IT security solution is unit-tested and accepted by the developing team.
- A dedicated security testing team is formed.
- The IT security solution passes review.
Frequency:
- Ongoing during Build phase of project.
- This activity should cease when all functionality in scope has been built into the solution.
Step 6: Stabilize the Security Solution
Objective:
The dedicated test team validates that the solution meets security requirements or works with the build team to fix issues or create acceptable workarounds. The test team performs the following tasks:
- Distributes internal releases to the solution team.
- Tracks and fixes security issues until the solution meets agreed-upon quality.
- Validates effectiveness of contingency plans for security components.
- Approves security components for release with the solution.
Success Criteria:
- Contingency tests are completed and contingency triggers are established.
- Pilot test is completed.
- Security components of the solution are tested and audited by a dedicated team. (Depending on the solution and industry, this could be a third-party review of infrastructure and code, white hat testing to defeat the safeguards, or a combination of the two.)
- Release Management has approved deployment of the solution.
Frequency:
- Ongoing during the stabilizing phase of the project.
Step 7: Deploy the Security Solution
Objective:
- Deploy the security solution to the organization as part of a larger IT project solution, targeting the relevant user groups with security safeguards and countermeasures.
Success Criteria:
- Systems are secure with minimal negative impact on necessary business functionality.
- Project's closure documentation includes all aspects of the security solution.
Frequency:
- At deployment completion milestone or project closure.
Step 8: Optimize Secured Desktop Service
Objective:
- Periodically review and adjust the security solution to:
  - Meet new security threats.
  - Respond to changing business requirements.
  - Take advantage of technological advancements.
Success Criteria:
- Security requirements and solutions are reviewed and updated as needed.
Frequency:
- Ongoing after completion of project.
Scenario...
During Kevin's evaluation of technical solutions, he and the Infrastructure team develop a desktop profile based on BitLocker and Encrypting File System (EFS). Kevin determines that the base Enterprise Client laptop profile as defined in the Windows Vista Security Guide can be used with few modifications. Kevin and his team have now worked through a Group Policy solution that ensures client computers within an Active Directory infrastructure meet the security standards of Woodgrove Bank. Kevin works with the Infrastructure team to include these settings in the Secure Data Profile build image.
Note: The Windows Vista Security Guide identifies the security policy settings for the Enterprise Client (EC) and Specialized Security Limited Functionality (SSLF) environments and provides the recommended settings configured through the automated process. For more information, see the "Windows Vista Security Guide Appendix A" at https://www.microsoft.com/technet/windowsvista/security/security_group_policy_settings.mspx.
Figure 3.4. Example OU structure for computers running Windows Vista
Because the Woodgrove Bank Financial Analysts Group's computers are laptops, the Group Policy discussion focuses on the laptop organizational unit (OU). See Appendix A of the Windows Vista Security Guide for laptop OU settings.
Note: The Windows Vista Security Guide also includes an extensive discussion on Group Policy object (GPO) testing and implementation with Active Directory OUs and the Group Policy Management Console (GPMC). It is available at https://www.microsoft.com/technet/windowsvista/security/guide.mspx.
Technical Guidance
- Microsoft Security Central: https://www.microsoft.com/security/default.mspx
- Windows Vista Security Guide: https://www.microsoft.com/technet/windowsvista/security/guide.mspx
- Trusted Computing Group: https://www.trustedcomputinggroup.org/home/
Tools and Techniques
Table 3.2. IT Security Project Plan

| Tool | IT Security Project Plan |
|---|---|
| Owner | Security Manager or Project Manager |
| Description | This document outlines Security Management's approach to any particular IT project. Note that this is not a Gantt chart or project schedule; it resembles a business plan with sufficient background information, justifications, constraints, assumptions, and risks to enable others to understand the IT security side of the project at hand. |
| Input | The IT Security Project Plan is populated with input from: |
| Output | The IT Security Project Plan is used by: |
| See also | Microsoft provides both technical and business support through: |
| Suggested content | The security project plan should be a description of how the solution will be completed. Its language and format should be such that the pertinent information is easily communicated to other members of the project team (or sponsors) who are not necessarily knowledgeable in information technology security. The plan should include the following components: Much of the information in this plan flows from the data in the Security Risk Management document (below). The plan will help define conceptual, logical, and physical design definitions in the functional specification. |
Table 3.3. Security Risk Management Document

| Tool | Security Risk Management Document |
|---|---|
| Owner | Security Manager or Project Manager |
| Description | This document details the major security risks identified for the project as a whole. It should include the following: |
| Input | The Security Risk Management document is populated with input from: |
| Output | The Security Risk Management document is used by: |