Teaching, Part One: Block Chapter

Page 1 of 52

At Risk
The Soft Underbelly
Security Issues Today
[1] Source: Forrester Research
[2] Source: InformationWeek, 26 November 2001
[3] Source: Netcraft summary
[4] Source: CERT, 2003
[5] Source: CSI/FBI Computer Crime and Security Survey
[6] Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002
[7] Source: CERT, 2002
[8] Source: Gartner Group
14B devices on the Internet by 2010 [1]
35M remote users by 2005 [2]
65% increase in dynamic Web sites [3]
From 2000 to 2002 reported incidents rose from 21,756 to 82,094 [4]
Nearly 80 percent of 445 respondents surveyed said the Internet has become a frequent point of attack, up from 57 percent just four years ago [5]
90% detected security breaches [6]
85% detected computer viruses [6]
95% of all breaches avoidable with an alternative configuration [7]
Approximately 70 percent of all Web attacks occur at the application layer [8]

Page 2 of 52

Application Layer Attacks
  Identity Theft
  Web Site Defacement
  Unauthorized Access
  Modification of Data, Logs and Records
  Theft of Proprietary Information
  Service Disruption
Implications
  Compliance:
    Sarbanes Oxley
    Gramm Leach Bliley
    US Patriot Act
    HIPAA
    The Privacy Act (CA)
    Basel 2 (EU)
    Data Protection Act (EU)
  Litigation
  File Sharing
  Piracy
  HR Issues
  Shareholder Suits
  Customer Impact

Page 3 of 52

Types Of SRP Rules
Path Rule
  Compares path of file being run to an allowed path list
  Use when you have a folder with many files for the same application
  Essential when SRPs are strict
Hash Rule
  Compares the MD5 or SHA1 hash of a file to the one attempted to be run
  Use when you want to allow/prohibit a certain version of a file from being run
Certificate Rule
  Checks for digital signature on application (i.e. Authenticode)
  Use when you want to restrict both win32 applications and ActiveX content
Internet Zone Rule
  Controls how Internet Zones can be accessed
  Use when in high security environments to control access to web applications

Page 4 of 52

SQL Server 2005 Themes
Supportability & Quality
Enterprise Enhancements
Unified & Flexible Administration
Patch Solutions
Prevention, Readiness, Recovery
Ease of use
Patch Installs
Patch in integrated step
Integrated Database Services and Business Intelligence
Flexible install management
Add value to one-step Failover Clustering
Expanded scripting support

Page 5 of 52

Live Communications Client Roadmap
LC 1.2 Client Platform
  Multiparty IM
  P2P Voice and Video
  MPOP
  Groups
  Roaming
  SIP support
  GPO policy management
LC 1.5 Client Platform
  Rollup of QFEs
  MPOP Additions
  Federation/Archiving Notification
  HA Additions
LC 2.0 Client Platform
  Next generation of RTC experiences
  More coming!
2003
2H04
Longhorn

Page 6 of 52

Integrated phone and PDA
Primarily data viewing
Interoperability with Outlook and Exchange
.NET Compact Framework
ASP.NET mobile controls
Mobile Device Solutions
Complex document authoring, editing and reading
Keyboard centric at the desk
Keyboard and mouse input methods
Full .NET framework available
Centrino Solutions
Windows Mobile
Windows XP
Complex document authoring, editing and active reading
Note taking and ink annotating
Keyboard centric at the desk, pen and keyboard away from the desk
Keyboard, mouse plus pen, ink, and speech input methods
Full .NET framework preinstalled
Pen, ink, handwriting and speech recognition API’s
Centrino Solutions
View and some data entry
Integrated PDA with phone
Interoperability with Office, Exchange and SQL Server
.NET Compact Framework
ASP.NET mobile controls
Intel Xscale Solutions
Windows® CE
One-way network
Information consumption
Smart Personal Objects
Smartphone
Pocket PC and Pocket PC Phone
Notebook PC
Tablet PC

Page 7 of 52

Traditional Firewalls
Wide open to advanced attacks
Performance versus security tradeoff
Limited capacity for growth
Hard to manage
Code Red, Nimda
SSL-based attacks
Security is complex
IT is already overloaded
Bandwidth too expensive
Too many moving parts
Not easily upgradeable
Don’t scale with business

Page 8 of 52

Choosing the Right Type of Assessment

Vulnerability Scanning
  Focuses on known weaknesses
  Of the three, requires the least expertise
  Generally easy to automate
Penetration Testing
  Focuses on known and unknown weaknesses
  Requires advanced technical expertise
  Carries tremendous legal burden in certain countries/organizations
IT Security Audits
  Focuses on security policies and procedures
  Of the three, requires the most expertise
  When done right is the most effective type of assessment

Page 9 of 52

Perimeter Security Evolution
Wide open to advanced attacks
Application-level protection
Performance versus security tradeoff
Security and performance
Limited capacity for growth
Extensibility and scalability
Hard to manage
Easier to use

Page 10 of 52

The advanced application layer firewall, VPN and Web cache solution that enables customers to maximize IT investments by improving network security and performance
Advanced protection
  Application layer security designed to protect Microsoft applications
Fast, secure access
  Empowers you to connect users to relevant information on your network in a cost efficient manner
Ease of use
  Efficiently deploy, manage, and enable new usage scenarios
Introducing: ISA Server 2004

Page 11 of 52

Fast, secure access
Empowers you to connect users to relevant info. on your network
ISA Server 2004 New Features
Continued commitment to integration
Enhanced architecture
  High speed data transport
  Utilizes latest Windows and PC hardware
  SSL bridging unloads downstream servers
Web cache
  Updated policy rules
  Serve content locally
  Pre-fetch content during low activity periods
Internet access control
  User- and group-based Web usage policy
  Extensible by third parties
Comprehensive authentication
  New support for RADIUS and RSA SecurID
  User- & group-based access policy
  Third party extensibility

Page 12 of 52

System Service Accounts
Local Service and Network Service
  No password to manage
  Runs with only slightly more permissions than Authenticated User
  Local Service cannot authenticate across the network, Network Service authenticates as the computer account
Local System
  No password to manage
  Bypasses security checks
User Accounts
  Run with less privilege than Local System
  Stores password as an LSA secret
  Can be complex to configure

Page 13 of 52

What’s New With IPSec?
Management
  IP Security Monitor
  Command-line management with Netsh
  Logical addresses for local IP configuration
Security
  Stronger cryptographic master key (Diffie-Hellman)
  Computer startup security
  Persistent policy for enhanced security
  Ability to exclude the name of the CA from certificate requests
  Better default exemption handling
Interoperability
  IPSec functionality over network address translation (NAT)
  Improved IPSec integration with Network Load Balancing

Page 14 of 52

ISA Server 2004 New Features

New management tools and user interface
Multi-network architecture
  Unlimited network definitions and types
  Firewall policy applied to all traffic
  Per network routing relationships
Network templates and wizards
  Wizard automates nwk routing relationships
  Supports 5 common network topologies
  Easily customized for sophisticated scenarios
Visual policy editor
  Unified firewall/VPN policy w/ one rule-base
  Drag/drop editing w/ scenario-driven wizards
  XML-based configuration import-export
Enhanced trouble-shooting
  All new monitoring dashboard
  Real-time log viewer
  Content sensitive task panes
Ease of Use
  Efficiently deploy, manage, and enable new usage scenarios

Page 15 of 52

How To Use Windows Update
To configure Automatic Updates:
Select Keep my computer up to date
Open the System application in Control Panel 1
On the Automatic Updates tab, select the option you want 3 2

Page 16 of 52

Office Update
Benefits
  Single location for office patches and updates
  Easy to use
  Can be configured to update consumer or enterprise systems
Limitation
  Does not support Automatic Updates; updating must be initiated manually
Office Update Web site: /officeupdate

Page 17 of 52

How To Use Office Update
1. Go to /officeupdate
2. Click Check for Updates
3. Install the Office Update Installation Engine (if not already installed)
4. Select the updates you want to install
5. Click Start Installation

Page 18 of 52

How To Use SUS
On the SUS server
Configure the SUS server at http://<servername>/SUSAdmin
On each SUS client
Configure Automatic Updates on the client to use the SUS server
Use Group Policy, manually configure each client, or use scripts
Set the SUS server synchronization schedule
Review, test, and approve updates
1 2 3

Page 19 of 52

How To Use MBSA
1. Download and install MBSA (once only)
2. Launch MBSA
3. Select the computer(s) to scan
4. Select relevant options
5. Click Start scan
6. View the Security Report

Page 20 of 52

Software Update Service Deployment Best Practices (1)
Review each security patch
Download and install the patch
Test each security patch before deployment
Configure a test lab
Use a test SUS server
Consider using Virtual PCs in the test lab
Use a standard acceptance testing procedure

Page 21 of 52

Software Update Service Deployment Best Practices (2)
Complete the deployment
Pilot the deployment
Configure a child SUS server to approve updates
Configure a GPO so that the patch is downloaded from the pilot SUS server only by specified workstations
If the pilot fails, remove approval from the SUS server and manually uninstall the patch

Page 22 of 52

How To Use SMS To Deploy Patches
1. Open the SMS Administrator Console
2. Expand the Site Database node
3. Right-click All Windows XP Computers, and then select All Tasks > Distribute Software Updates
4. Use the wizard to create a new package and program
5. Browse to the patch to be deployed
6. Configure options for how and when the patch will be deployed to clients

Page 23 of 52

SMS – MBSA Integration
MBSA integration included with SMS 2003 and the SUS Feature Pack for SMS 2.0
Scans SMS clients for missing security updates using mbsacli.exe /hf
1. SMS directs client to run local MBSA scan
2. Client performs scan, returns data to SMS server
3. SMS server parses data to determine which computers need which security updates
4. Administrator pushes missing updates only to clients that require them

Page 24 of 52

MBSA Benefits
Scans systems for
  Missing security patches
  Potential configuration issues
Works with a broad range of Microsoft software
Allows an administrator to centrally scan multiple computers simultaneously
MBSA is a free tool, and can be downloaded from /mbsa

Page 25 of 52

MBSA Considerations
MBSA reports important vulnerabilities
  Password weaknesses
  Guest account not disabled
  Auditing not configured
  Unnecessary services installed
  IIS vulnerabilities
  IE zone settings
  Automatic Updates configuration
  Internet Connection Firewall configuration

Page 26 of 52

MBSA – Scan Options
MBSA has three scan options
  MBSA graphical user interface (GUI)
  MBSA standard command-line interface (mbsacli.exe)
  HFNetChk scan (mbsacli.exe /hf)

Page 27 of 52

Business Case For Patch Management
When determining the potential financial impact of poor patch management, consider
  Downtime
  Remediation time
  Questionable data integrity
  Lost credibility
  Negative public relations
  Legal defenses
  Stolen intellectual property

Page 28 of 52

“We commend Microsoft for providing enhanced security guidance to its customers as well as for soliciting user input as part of the process of producing that guidance”
Clint Kreitner
President/CEO
“NIST reviewed and provided technical comments & advice, that was incorporated in this guidance”
Timothy Grance
Manager
Systems and Network Security Group
Comments

Page 29 of 52

You Need To… | ISA Delivers
Securely make e-mail available to outside employees | Exchange publishing
Securely make internal applications available on the Internet | Web and Server Publishing
Enable partners to access relevant information on my network | Integrated S2S VPN and FW
Secure and flexible remote access, while protecting my corporate network | Integrated RRAS VPN and FW
Securely connect my branch offices to the corporate office | Integrated FW, VPN, Cache
Control Internet Access and protect my clients from malicious Internet traffic | FW, Web Proxy
Ensure fast access to the most frequently used web content | Caching

Page 30 of 52

Relational Reporting
  Multiple fact tables
  Full richness the dimensions’ attributes
  Transaction level access
  Star, snowflake, 3NF…
  Complex relationships: Multi-grains, many-to-many, role playing, indirect…
  Recursive self joins
  Slowly changing dimensions
The Unified Dimensional Model – The Best Of Relational And OLAP
OLAP Cubes
  Multidimensional navigation
  Hierarchical presentation
  Friendly entity names
  Powerful MDX calculations
  Central KPI framework
  “Actions”
  Language translations
  Multiple perspectives
  Partitions
  Aggregations
  Distributed sources

Page 31 of 52

Visual Studio Team System
Change Management
Work Item Tracking
Reporting
Project Site
Visual Studio Team Foundation
Integration Services
Project Management
Process and Architecture Guidance
Visual Studio Industry Partners
Dynamic Code Analyzer
Visual Studio Team Architect
Static Code Analyzer
Code Profiler
Unit Testing
Code Coverage
Visio and UML Modeling
Team Foundation Client
VS Pro
Class Modeling
Load Testing
Manual Testing
Test Case Management
Application Modeling
Logical Infra. Modeling
Deployment Modeling
Visual Studio Team Developer
Visual Studio Team Test
Application Modeling
Logical Infra. Modeling
Deployment Modeling
Class Modeling

Page 32 of 52

SQL Server Catalog
Report Server
XML Web Service Interface
Report Processing
Delivery
Delivery Targets (E-mail, SharePoint, Custom)
Rendering
Output Formats (HTML, Excel, PDF, Custom)
Data Processing
Data Sources (SQL, OLE DB, XML/A, ODBC, Oracle, Custom)
Security
Security Services (NT, Passport, Custom)
Office
Custom Application
Browser
SQL Server 2000 Reporting Services Architecture

Page 33 of 52

CM Profile
  Runs customizable post connect script
  Script runs RQC notifier with “results string”
Listener
  RQS receives Notifier “results string”
  Compares results to possible results
  Removes time-out if response received but client out of date
  Removes quarantine filter if client up to date
Quarantine VSAs
  Timer limits time window to receive notify before auto disconnect
  Q-filter sets temporary route filter to quarantine access
Internet
RAS Client
RRAS Server
IAS Server
Quarantine
RQC.exe and RQS.exe are in the Windows Server 2003 Resource Kit
Quarantine Architecture

Page 34 of 52

Microsoft BI Product Suite
Analysis Services
OLAP & Data Mining
Data Transformation Services
SQL Server Relational Engine
Reporting Services
Management Tools
Dev Tools
Visual Studio .Net
Excel
OWC
Visio
MapPoint
Data Analyzer
SharePoint Portal Server
Project Server
Windows Server
MBS BI Applications

Page 35 of 52

Current Architecture
TCP/IP
RTC Client API
User App
RTP
SIP
PINT
T.120

Page 36 of 52

Server Architecture
Application
Managed APIs
Application
Managed APIs
Winsock
Storage
AD
Dispatcher
Data Store Interfaces
SPL Script Engine
Registrar/Presence
SIP Proxy

Page 37 of 52

Server Application Interaction
Application 1 CRM
Application 2 Billing
Application 3 Logging
Request
Modified Request

Page 38 of 52

What is VS Team Foundation?
Source Code Control
Work Item Tracking
Build Automation
Project Site
Reporting

Page 39 of 52

TITLE
Available Today
Microsoft® Windows® Security Resource Kit
Assessing Network Security
June 23, 2004

Page 40 of 52

EAP architecture
TLS
GSS_API
Kerberos
PEAP
IKE
MD5
EAP
PPP
802.3
802.5
802.11
Anything…
method layer
EAP layer
media layer
MS-CHAPv2
TLS
SecurID

Page 41 of 52

Partner Solutions Offerings
VALUE Proposition: Get more business value from your investment in Office
Finance
Sarbanes-Oxley
Business Scorecard
Excel Add-in for SQL Server Analysis Services
Operations
Six Sigma
HR
Recruiting
Sales
Proposals
Solution Accelerators
Microsoft Products
Office Solution Accelerators
VALUE Proposition: Get more business value from your investment in Office

Page 42 of 52

Your People
EPM Involves….
Your Business Processes
Your Organization
Your Software Technology & Tools
Enterprise Project Management
An orchestration of your people, processes, organization with technology

Page 43 of 52

Your Business Processes…
Governance
Prioritization
Budgeting
Human Resources…
etc…
Initiatives
Implement Microsoft Office Project 2003 for the Enterprise
Decisions

Page 44 of 52

- Corporate Goals and Objectives
Executives
Finance
Sales and Marketing
R&D
IT/IS
Your Organization…
Strategic Initiatives
HR
Development Projects
Operational Improvements
On Average 45-50% of all Projects are linked to Strategic Objectives.

Page 45 of 52

Representative Risks And Tactics
Tactical Solutions
Enterprise Risks
Embody Trustworthy Computing
Secure Environmental Remediation
Unpatched Devices
Network Segmentation Through IPSec
Unmanaged Devices
Secure Remote User
Remote and Mobile Users
Two-Factor for Remote Access and Administrators
Single-Factor Authentication
Managed Source Initiatives
Focus Controls Across Key Assets

Page 46 of 52

Remote Access Security
Threat
Requirement
Solution
Malicious users
Two factor authen
