Defense in Depth Using Microsoft Security Products and Solutions

By Alberto Oliveira, Microsoft Forefront MVP and Yuri Diogenes, Security Support Engineer, Microsoft ISA and IAG Team

Introduction

Achieving security without sacrificing usability, flexibility, and connectivity from anywhere is one of the biggest challenges companies face today. In a "connected world" -- a world with wireless connections, virtual private networks (VPNs), terminal services, remote application execution, and branch offices with poor or no physical security -- we must pay greater attention to making our systems more secure.

The different technologies that allow people to access resources from anywhere are growing. With this proliferation comes the need to protect your assets. Security involves many issues, including e-mail protection, phishing, Web access control, remote resource access, patch management, internal applications access, data protection, network assets, and people.

The purpose of this article is to highlight some of the most important security measures available for an in-depth defense strategy and to indicate what products Microsoft provides to make our lives more comfortable, easier, and more secure. We will give you an overview of some of the most important layers of security and how we can make our networks, applications, and data more secure.

Figure 1. Overview of the Security Layers

Layer 1: Remote Access

The three pillars of any security implementation are availability, integrity, and confidentiality. The first security layer we will address -- remote access -- is really broad, because it can be categorized as a mechanism that will allow availability of the data for the end user from anywhere. Remote access also raises the question: Who really needs to access my network?

Following the principles of least privilege and need to know, the security administrator should grant access only to users who are eligible for it under the company's security policy. There is also another aspect to remote access: guaranteeing that the endpoint complies with company security policy. Microsoft first addressed this with the Quarantine Control feature, which was made available in Windows Server 2003 and later added to Microsoft Internet Security and Acceleration (ISA) Server 2004.

Network Access Protection (NAP), a built-in feature of Windows Server 2008, is the next step in the evolution of remote access technology. NAP evaluates the health state of the endpoint computer before allowing full access to the remote server. If your company needs a more robust, dedicated solution for that task, Microsoft Intelligent Application Gateway (IAG) 2007 provides a complete remote access solution using a Secure Sockets Layer (SSL) VPN together with endpoint security detection and remediation.

Layer 2: Application Publishing

Application publishing is a feature whose adoption is still growing in business environments, mainly because full network access is not necessary for some parts of the business. The key aspect of application publishing is that a user gains access only to the specific piece of information that is available internally, as opposed to having full network access. To allow secure access to this resource, we need to identify the user, authenticate the identity, and authorize access based on the user's needs.

In the Microsoft Forefront family of business security products, we have ISA Server 2006, which allows secure application publishing using HTTPS and authentication delegation against your internal Active Directory service infrastructure or other repository, such as an LDAP directory. If your company needs even more flexibility and customization, IAG 2007 is the answer. With IAG 2007, you can change the application on the fly while still maintaining highly secure access to the resource.

Figure 2. URL Set Using Regular Expression on IAG 2007

Layer 3: Unified Security

By using new Microsoft security products, companies will be able to implement a high level of compliance, awareness, and prevention as well as manageability. With Microsoft Forefront (code name "Stirling"), we will have unified security and dynamic response to threats. In a corporate environment, the battle between vulnerabilities and mitigations is often reactive, and the company relies on the IT staff to address them in a timely manner. With a unified security system, we can automatically identify when a workstation is compromised, block Internet access for that workstation, and send a new scan job to the workstation to remove the virus that might have infected the system.

Figure 3: Proactive Action Using Stirling

Layer 4: Patch Management

One of the main concerns in the security area is how to attend to the needs of the operating environment while remaining secure and without affecting availability. With Windows Server Update Services (WSUS), your company can carry out patch distribution in a secure manner, in accordance with its configuration management policy. In a secure environment, change control policies are very restrictive and well planned. To automate this process, WSUS offers resources that your company can use to set up a structured patch management plan.

Although companies sometimes still need to go through the whole change control process (request, approval, documentation, testing, implementation, and reporting of the change), WSUS can be used to allow flexibility across the testing and production environments.

Layer 5: Data Protection

The final layer of security that companies need to worry about is data protection. This is a delicate area because, besides the fact that data is the golden treasure of a company, there are also regulations with which the company needs to comply. Data theft, and how to mitigate it, is an area in which companies today are investing more and more frequently.

Microsoft has several products that include security measures addressing this concern with easy user interaction. Windows Vista first introduced BitLocker Drive Encryption, a technology that provides enhanced protection against data theft or exposure on computers that are lost or stolen. For a corporate environment where we need to guarantee transparency and recoverability for data distributed among servers, we have Microsoft System Center Data Protection Manager 2007.

Another helpful tool is Active Directory Rights Management Services. With this tool, not only can your company implement its security policy for the purpose of data protection, it can also address other security areas, such as integrity and confidentiality.

Conclusion

In this article, we have outlined the main areas where Microsoft products can address security concerns that are important in today's market. It is important to emphasize that there is much more that could be covered. However, the core idea here has been to give you guidelines on how you can begin to take a Defense in Depth approach using Microsoft products to help make your company's operating environment more secure.

Alberto Oliveira (MVP, MCSE+S, MCT, MCTS, MCITP, Security+, CCNA, ITIL, SCTA) works for a Microsoft Gold Certified Partner as a Security Engineer on the Support Team. Based in Recife/PE, Brazil, Alberto also writes articles for TechNet Magazine and speaks at security events around Brazil.

Yuri Diogenes (MCSE+S, MCTS, MCITP, Security+, Network+, CCNP) works for Microsoft as a Security Support Engineer on the ISA Server/IAG Team, based at the Texas campus. He also writes articles for the ISA Server Team Blog (https://blogs.technet.com/isablog) and for TechNet Magazine.