[ISN] How Microsoft fights off 100,000 attacks per month

From: InfoSec News (alerts@private)
Date: Sun Dec 10 2006 - 23:22:16 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005756

By Martin Heller
December 08, 2006
Computerworld

Microsoft Corp. has long encouraged its employees to "RAS" into the 
corporate network from home or from the road to access e-mail, shared 
files and applications.

RAS, short for Remote Access Services, is an old Microsoft term for what 
most people now call a client VPN.

Microsoft, of course, maintains valuable intellectual property on its 
internal network, including the source code to all its operating systems 
and applications. These are constant targets for hackers, and Microsoft 
tries to protect its most valuable assets with defenses in depth; they 
are behind firewalls and on networks segmented with IPsec. In addition, 
the entire network is monitored for suspicious activity, scanned for 
malware and so on.

What do I mean by a constant target? Last year, Microsoft IT said it was 
the target of more than 100,000 intrusion attempts per month. Currently, 
Microsoft filters out about 9 million spam and virus e-mails a day out 
of 10 million received. Yes, that means that roughly 90% of incoming 
e-mails are spam.

In that environment, you'd think that VPN connections might expose 
Microsoft to serious security risks. So how does Microsoft mitigate 
those risks while continuing to offer VPN access to remote employees and 
contractors? The answer to that is manifold.


Two-factor authentication

The first layer of protection for the Microsoft VPN is two-factor 
authentication. After an infamous incident in fall 2000, Microsoft 
installed a certificate-based public-key infrastructure and rolled out 
smart cards to all employees and contractors with remote access to the 
network and individuals with elevated access accounts such as domain 
administrators.

Two-factor authentication requires something you have and something you 
know. In this case, it means the physical smart card, which carries the 
user's certificate and private key, plus the PIN that unlocks it; the 
normal network credentials are layered on top of that.

(The intrusion incident to which I refer was reported by the Wall Street 
Journal and others, including Computerworld. The news reports said that 
crackers gained access to Microsoft's network using a stolen username 
and password, and were able to view, but not alter, some source code. 
Microsoft disagrees with the information reported.)

"Today, we require a smart card with a valid certificate and PIN, as 
well as network credentials and authorization to use the network 
remotely," said Mark Estberg, director of Microsoft's internal security. 
"We are 'dog-fooding' a deployment using Longhorn Server to implement 
the same two-factor authorization with SSL VPN from ISA/Whale [acquired 
by Microsoft in 2006], and with Network Access Protection for endpoint 
scanning. The back-end authentication and authorization is handled by 
integration with Active Directory and the Network Policy Server Windows 
Server."

You might expect Microsoft to adopt biometric security. The company has 
said it's evaluating it. As yet, however, it's sticking with smart 
cards.


'Sandbox' connections

The second layer of protection for the Microsoft corporate VPN is a 
connection "sandbox," implemented using Windows Server 2003's Network 
Access Quarantine Control. Before a connected computer can access any 
resources on the corporate network, a program scans the computer's 
security configuration.

An approved operating system must be installed, along with all critical 
security patches; the scanning program coordinates with Microsoft's 
methods for deploying patches, such as the Microsoft Update site. In 
addition, Windows Firewall must be enabled. Finally, the remote computer 
must not be connected to any other VPNs or be using any other type of 
remote-access software.

If the scan finds a deficiency, it attempts to correct it. For example, 
it will update antivirus signatures and force the installation of 
critical security patches. If the user rejects these updates, the 
scanner ends the connection. Once the scan has determined that the 
computer is clean and fully patched, the connection is allowed out of 
the sandbox and onto the corporate network.

All of this due diligence can be time-consuming, and potentially 
annoying to users. According to Microsoft IT, scanning at VPN sign-in 
can sometimes take as long as five minutes, and on rare occasions up to 
15 minutes, for a computer that is not compliant with the standards and 
has not recently connected to the network.

It would be normal human behavior to hold on to a connection that took 
you 15 minutes to establish for as long as you conceivably could, and 
VPN connections are a limited resource that shouldn't be squandered. 
Therefore, the Microsoft VPN system speeds up the log-in process for 
frequent VPN users.

The network servers remember what has been scanned at each log-in, and 
grant a grace period before requiring a rescan. Frequent users of the 
VPN can often log into the network in under a minute.
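The decision flow described above (hold the client in a sandbox, check its posture, remediate where the user consents, disconnect otherwise, and cache a clean result for a grace period so frequent users skip the long scan) can be written down as a small policy engine. The following is an added illustration, not Microsoft's quarantine code or Windows Server's Network Access Quarantine Control itself; the approved OS names, patch names, grace period and client reports are all constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Policy values are constructed for this example; they are not Microsoft's settings.
APPROVED_OS = {"Windows XP SP2", "Windows Vista"}
REQUIRED_PATCHES = {"patch-A", "patch-B", "patch-C"}   # placeholder patch names
GRACE_PERIOD_SECONDS = 8 * 3600                         # assumed rescan grace period


@dataclass
class ClientReport:
    """What the client-side scan reports back to the quarantine server."""
    machine: str
    os_name: str
    installed_patches: set
    firewall_enabled: bool
    av_signatures_current: bool
    other_vpn_active: bool


@dataclass
class Decision:
    state: str                                  # "released" or "disconnected"
    findings: list = field(default_factory=list)
    remediated: list = field(default_factory=list)


class QuarantineGate:
    """Decides whether a VPN client leaves the sandbox, remediating where allowed."""

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable for deterministic tests
        self._last_clean = {}                   # machine -> time of last compliant scan

    def _hard_failures(self, r):
        """Conditions the scanner cannot fix on the user's behalf."""
        f = []
        if r.os_name not in APPROVED_OS:
            f.append("unapproved operating system: " + r.os_name)
        if r.other_vpn_active:
            f.append("another VPN/remote-access client is active")
        return f

    def _remediable(self, r):
        """Conditions the scanner will try to correct before giving up."""
        f = []
        missing = REQUIRED_PATCHES - r.installed_patches
        if missing:
            f.append("missing critical patches: " + ", ".join(sorted(missing)))
        if not r.av_signatures_current:
            f.append("antivirus signatures out of date")
        if not r.firewall_enabled:
            f.append("Windows Firewall disabled")
        return f

    def _remediate(self, r):
        """Simulates pushing the fixes to the client (here: updating the report)."""
        r.installed_patches |= REQUIRED_PATCHES
        r.av_signatures_current = True
        r.firewall_enabled = True

    def evaluate(self, report, accept_remediation=True):
        """One connection attempt: cached result, hard failures, remediation, release."""
        now = self._clock()
        last = self._last_clean.get(report.machine)
        if last is not None and now - last < GRACE_PERIOD_SECONDS:
            return Decision("released", findings=["compliant scan cached, rescan skipped"])

        hard = self._hard_failures(report)
        if hard:
            return Decision("disconnected", findings=hard)

        fixable = self._remediable(report)
        if fixable and not accept_remediation:
            return Decision("disconnected", findings=fixable + ["user rejected remediation"])
        if fixable:
            self._remediate(report)
            still_broken = self._remediable(report)   # never trust a fix without rechecking
            if still_broken:
                return Decision("disconnected", findings=still_broken + ["remediation failed"])

        self._last_clean[report.machine] = now
        return Decision("released", remediated=fixable)


if __name__ == "__main__":
    gate = QuarantineGate()
    laptop = ClientReport("laptop-01", "Windows XP SP2", {"patch-A"}, False, True, False)
    print(gate.evaluate(laptop))          # remediates, then releases
    print(gate.evaluate(laptop))          # within grace period: released from cache
```

Two design points carry over to any real quarantine system: a second VPN client or an unapproved OS is a hard failure rather than something to patch around, and a remediation is re-checked before the client is released, because a failed update that is assumed to have succeeded is worse than no update at all. The cache is keyed on machine identity and time only; a stricter deployment would also invalidate it when the policy itself changes.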


Encryption and strong passwords

Microsoft follows its own recommendations for VPN encryption, 
authentication, password strength and password updates. Microsoft says 
that the most secure VPN authentication is provided by Extensible 
Authentication Protocol-Transport Level Security (EAP-TLS) used with 
smart cards, and that's exactly what it uses itself. Point-to-Point 
Tunneling Protocol (PPTP) with EAP-TLS provides the primary VPN services 
of encapsulation and encryption. One point worth noting: PPTP's own 
encryption, MPPE, takes its keys from the authentication exchange, so the 
strength of the tunnel rests on the authentication method. With EAP-TLS 
those keys come from a certificate-based TLS handshake rather than from a 
password hash, which is what makes the PPTP choice defensible here.

Windows Server 2003's default password policy requires moderately long 
passwords containing a mix of character types (uppercase, lowercase, 
numeric and symbol characters), along with a mandatory password change 
every so many days. Microsoft's internal policy is a slightly stricter 
version of that default; put another way, Windows Server 2003 ships with 
a slightly relaxed version of the secure password policy Microsoft first 
deployed and vetted internally.
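The Windows complexity rule the paragraph above refers to is more specific than "a mix of character types": a password must draw on at least three character categories and must not contain the account name or any 3-character-plus piece of the user's full name, compared case-insensitively. The block below is an added example that reimplements that rule, plus the age and history checks that go with it; it is not Windows' password filter or Microsoft's internal policy. The numeric values (7-character minimum, 42-day maximum age, 24 remembered passwords) are assumed to match the Windows Server 2003 default domain policy, which the article does not spell out, and the SHA-256 history token stands in for the NT hash Windows actually stores.

```python
import hashlib
import re

# Policy values assumed to match the Windows Server 2003 default domain policy.
MIN_LENGTH = 7          # "Minimum password length"
MAX_AGE_DAYS = 42       # "Maximum password age"
HISTORY_SIZE = 24       # "Enforce password history"

# Delimiters Windows uses when splitting the full name into tokens.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def _name_tokens(full_name):
    """Pieces of the full name (3+ characters) that a password may not contain."""
    return [t for t in _NAME_DELIMS.split(full_name or "") if len(t) >= 3]


def _category_count(password):
    """Number of character categories present: upper, lower, digit, symbol,
    and case-less alphabetic characters (e.g. CJK) as the fifth category."""
    upper = lower = digit = symbol = other_alpha = False
    for ch in password:
        if ch in "0123456789":
            digit = True
        elif ch.isupper():
            upper = True
        elif ch.islower():
            lower = True
        elif ch.isalpha():
            other_alpha = True
        elif not ch.isspace():
            symbol = True
    return sum((upper, lower, digit, symbol, other_alpha))


def check_complexity(password, account_name, full_name=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    folded = password.lower()
    # Windows skips the account-name check for names shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in folded:
        problems.append("contains the account name")
    for tok in _name_tokens(full_name):
        if tok.lower() in folded:
            problems.append("contains part of the full name: " + tok)
    if _category_count(password) < 3:
        problems.append("fewer than three character categories")
    return problems


def history_token(password):
    """Opaque value stored in place of old passwords (illustrative stand-in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_blocked(new_password, history):
    """True if the new password matches one of the last HISTORY_SIZE tokens."""
    return history_token(new_password) in history[-HISTORY_SIZE:]


def change_required(days_since_set):
    """True once the password has reached the maximum age."""
    return days_since_set >= MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ("Password1", "abcdefgh1", "Smith2024!!"):
        print(pw, check_complexity(pw, "msmith", "Mary Smith") or "passes")
```

Running the demo shows the limit of the rule: "Password1" passes, because uppercase, lowercase and a digit are three categories and the length clears the minimum. The complexity filter is a floor against trivially weak passwords, not a guarantee of strength, which is one more reason the smart card, not the password, is the control Microsoft leans on for remote access.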


E-mail and IM without RAS

At one time, Microsoft would run out of VPN connections every time there 
was snow in the Puget Sound area, because most employees working from 
home would connect to the VPN to send and receive e-mail to and from 
their Exchange server for extended periods.

Microsoft employees, in general, send and receive huge amounts of 
e-mail, and use it as one of their principal ways to collaborate and 
manage. Eventually, the Exchange group developed a method for connecting 
to mail servers with full functionality without requiring the client to 
be on the network.

This method involves setting up an Exchange proxy server to allow 
Outlook to access Exchange via RPC over HTTP (the feature Exchange 2007 
renamed Outlook Anywhere), protected by SSL encryption. Microsoft 
deployed Exchange proxy servers, as well as scripts to simplify the proxy 
setup for Outlook clients, several years ago.

This is ideal for employees and contractors working remotely from their 
own computers, and eliminates the need to use the VPN for e-mail. It 
offers more functionality than standard POP3 or IMAP mail or Web mail. 
Exchange also has Web mail, and Microsoft has heavy internal usage of 
Outlook Web Access.

Many Microsoft employees have so much e-mail that they develop a backlog 
of unread noncritical messages. One way to cut through that backlog is 
instant messaging, and Microsoft offers an Enterprise-class product in 
that area, Microsoft Office Communicator 2005. That product can work 
securely over the Internet without a VPN connection, using a proxy. It 
evolved from earlier internal instant messaging systems that forced 
users to connect to the VPN to send secure instant messages.


External SharePoint sites

Another common reason for connecting to the VPN is to work with files 
from the network. That's perfectly reasonable when only a few people 
need access to the files, or the files are very sensitive. On the other 
hand, it doesn't make a lot of sense to tie up the VPN for 
low-sensitivity files that many people need when they're working 
remotely, such as the official Microsoft glossary of computer terms.

To serve those needs, Microsoft IT has set up several SharePoint sites 
as secure password-protected extranets. More accurately, what Microsoft 
IT did was empower employees to set up their own SharePoint sites as 
intranets or extranets, depending on the target audience and sensitivity 
of the material, and post their own content.

So, for example, writers working on Microsoft projects can download the 
Word templates they need from an extranet site run by the group that 
manages that kind of writing project, and download the current copyright 
and trademark list from another extranet site maintained by Microsoft's 
legal department.

"Recently, we had a snowstorm hit at our headquarters, and we estimate 
that more than three quarters of Microsoft's Seattle-area workers 
checked e-mail and did other work from home," said Microsoft CIO Stuart 
Scott. "Our network and exchange environments scaled to meet this need 
while doing so securely."

Martin Heller develops software and writes from Andover, Mass. Reach 
Martin at cw (at) mheller.com.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Sun Dec 10 2006 - 23:29:38 PST