Office Client Security: Keeping Enterprise Data Safe. Brad Albrecht, Senior Security Program Manager, Microsoft Corporation. Session code OSP201. ID: 480247
Slide 1
Advances in Microsoft Office Client Security: Keeping Enterprise Data Safe
Brad Albrecht, Senior Security Program Manager, Microsoft Corporation
SESSION CODE: OSP201
Slide 2
Session Objectives and Takeaways
Session objective: explain Office 2010 security
Today's risk is not macros
Security is working in the background
Office 2010 security is game changing
File Validation, Protected View, better user experience
Slide 3
Threat Landscape
* Diagram from SANS: The Top Cyber Security Risks
[Chart: number of vulnerabilities by layer (applications, OS libraries, OS transport, network)]
Slide 4
How do we protect ourselves from these threats?
[Diagram of the protection layers; labels: Attack Resilience (Layered Defences, Integrity Protection); Protection Technology (Encryption, Data Protection, Enterprise Management, Secure Collaboration); Core Security (Threat Modelling, Validation Tools, Secure Coding Practices, Security Development Lifecycle, Intensive Distributed Fuzzing); Security Engineering]
Slide 5
Security Engineering
Security Development Lifecycle (SDL)
Intensive Distributed Fuzzing
[Diagram: valid file -> fuzzer -> fuzzed file -> target application]
Slide 6
Layered Defenses
Harden the Attack Surface
Reduce the Attack Surface
Improve User Experience
Mitigate the Exploits
Slide 7
Security Engineering
Security Development Lifecycle foundation
Intensive Distributed Fuzzing
Integrate OS advances
Support for DEP/NX
Leverage WIC image parsers
Robust and agile cryptography
Harden the Attack Surface
Slide 8
Reduce the Attack Surface
Slide 9
Office File Validation
Binary files
Runs automatically on open
Evaluates file for 'correctness'
Protects against unknown exploits
Faster updates for changes to rules
Reduce the Attack Surface
Slide 10
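The "evaluates file for correctness" step above, as an added illustration that is not Microsoft's Office File Validation code: a simplified consistency check of the MS-CFB compound-file header that binary .doc/.xls/.ppt files start with, exercised on a constructed two-sector sample file. The field offsets follow the MS-CFB specification; the sample file, the checks chosen and the rejection messages are this example's own.

```python
import struct

# MS-CFB compound-file signature that heads every binary .doc/.xls/.ppt
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF    # DIFAT slot not in use
ENDOFCHAIN = 0xFFFFFFFE  # sector chain terminator


def validate_cfb_header(data: bytes) -> list:
    """Return the structural problems in the 512-byte header; [] means consistent.
    Any finding is a reason to route the file to a sandboxed viewer, not the full parser."""
    problems = []
    if len(data) < 512:
        return ["file shorter than the 512-byte header"]
    if data[:8] != OLE_MAGIC:
        return ["missing compound-file signature"]
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", data, 26)
    num_fat, first_dir, _txn, cutoff = struct.unpack_from("<4I", data, 44)
    if byte_order != 0xFFFE:
        problems.append("byte-order mark is 0x%04X, expected 0xFFFE" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        problems.append("version %d with sector shift %d is not a valid pairing" % (major, sector_shift))
    if mini_shift != 6 or cutoff != 0x1000:
        problems.append("mini-stream parameters are not the fixed values 6 and 0x1000")
    # Everything after the header is sectors; derive how many the file really holds
    sector_size = 1 << sector_shift if sector_shift in (9, 12) else 512
    total_sectors = (len(data) - 512) // sector_size
    if first_dir >= total_sectors:
        problems.append("first directory sector %d lies beyond end of file" % first_dir)
    for i, sect in enumerate(struct.unpack_from("<109I", data, 76)):
        if i < min(num_fat, 109):
            if sect >= total_sectors:  # FAT sector pointer must stay inside the file
                problems.append("FAT sector %d at DIFAT entry %d is out of range" % (sect, i))
        elif sect != FREESECT:  # slots past the declared FAT count must be unused
            problems.append("unused DIFAT entry %d 0x%08X is not FREESECT" % (i, sect))
    return problems


def build_sample_file(first_dir: int = 1) -> bytes:
    """Constructed two-sector compound file (not a real document) for exercising the check."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHH", hdr, 26, 3, 0xFFFE, 9, 6)  # v3, little-endian, 512-byte sectors
    struct.pack_into("<8I", hdr, 44, 1, first_dir, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # the one FAT sector is sector 0
    return bytes(hdr) + b"\xFF" * 512 + b"\x00" * 512  # FAT sector, then directory sector
```

A real validator goes on to walk the FAT and directory chains with the same "does this pointer stay inside the file" discipline; the header alone already catches a large share of malformed inputs before any parser touches them.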
Gatekeeper vs MSRC cases
Slide 11
Mitigate the Exploits
Protected Viewer ‘Sandbox’
Word, Excel, PPT files can run in the ‘sandbox’
Prevents harmful documents from damaging user data and OS
Help users make better trust decisions
Slide 12
Protected Viewer
[Diagram: files routed to the Office Protected Viewer]
Files that failed File Validation
Files that don't comply with File Block policy
Files in unsafe folders
All Outlook attachments
Files from the Internet Zone
Mitigate the Exploits
Slide 13
Improve User Experience
Better information to make trust decisions
Avoid forcing choice between security and productivity
Remembers users' selections for security decisions and does not ask again
Reduced prompts
Slide 14
'My Stuff'...
Improve User Experience
[Flow diagram: incoming -> open email attachment -> 'Gatekeeper' validation -> sandboxed viewer -> user clicks 'Enable' -> document opens, fully enabled -> save document -> reopen document]
Strong protection from all classes of malware inside the sandbox.
Trust decisions are 'sticky'.
View document before trust decision is made. Many scenarios stop here: reading is enough.
Slide 15
Office 2007 Prompts
Slide 16
Protecting your documents
[Diagram: Encryption, Enterprise Management, Data Protection, Digital Signature]
Slide 17
Information Rights Management
Users can control permissions
Restrictions on sensitive data
Copy prevention
Enable collaboration between two enterprises
Can lock down content
Data Protection
Slide 18
Encryption
Full crypto agility via native CNG support
Allows agility in organizations
Effective in government organizations
Integrity checks
Validates encrypted messages
Enforce domain password complexity
Enabled through GPO
Slide 19
Digital Signature
Timestamping
RFC 3161
Documents valid after certificate expires
XAdES
International standard
Enables stronger signatures
Slide 20
Enterprise Management
Define policies and use Office to enforce them
More IT admin control in 2010
More granularity within group policy management
Slide 21
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
OfficeITPro.com
http://msdn.microsoft.com/office
Learning
Slide 22
Complete an evaluation on CommNet and enter to win!
Slide 23
Play the Microsoft Office & SharePoint Track Tag Contest
Download the Microsoft Tag Reader: open the internet browser on your mobile phone and visit http://gettag.mobi
Come to the Expo Hall – Yellow Section OSP Info Desk for Official Rules & Collect Additional Tags!
Grand Prize (1): Xbox 360 Prize Package and Microsoft® Office 2010
Daily Prizes: 40 copies of Microsoft® Office 2010
Slide 24
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 25