Microsoft has released a technical case study of its internal security procedures, in which it spells out a three-pronged approach to thwarting malicious hacker attacks and urges enterprise admins to spend more time anticipating and preventing attacks.

The release of the case study comes on the same day the company unveiled a new patch management strategy and renamed its main automatic updating services as part of its Management Summit in Las Vegas.

"In addition to using a consistent process for responding to incidents as they occur, the Microsoft security methodology includes reducing its 'attack surface' to avert incidents," the company said. Microsoft also said its internal Microsoft IT group uses specific vulnerability management policies and procedures to handle incident response and to reduce exposure to attacks.

The company chided enterprises for adopting a reactionary approach to malicious attacks instead of spending more time anticipating and preventing attacks. "With the vast number of tools available to attackers today, an active approach is needed to help secure networks from exploits. It is less expensive to reduce the risk beforehand than to mitigate the damage afterward."

Microsoft's own approach to reducing the frequency and severity of network attacks is to implement a security methodology that reduces its attack surface on both Internet-facing and intranet-facing hosts. The methodology includes strict management of user privileges, periodic risk assessments and ongoing monitoring of compliance with security guidelines.

The first step, the company explained, is to focus on active prevention to close vulnerabilities before exploits are created and distributed. This involves active vulnerability scanning, audits, intrusion detection, risk assessment and continuous diligence.

Microsoft said its three-pronged security approach consists of three groups: Monitoring and Compliance; Security Consulting; and Tools Development and Support. Because attackers use multiple tools to target an enterprise, the Monitoring and Compliance group uses publicly available scanning tools such as the Microsoft Baseline Security Analyzer (MBSA) or HFNetChk (the hotfix checker) to scan against an XML database for missing hotfixes and patches in its various software products.

According to the case study released Tuesday, the Monitoring and Compliance group also uses an internally developed "hacking toolkit" to identify and plug security holes immediately. The "hacking toolkit" was built with the Visual C++ development system and programming language and uses a SQL Server database for reporting and tracking. Access to the toolkit is strictly controlled.

Information from the "hacking toolkit" is then fed into its SQL Server 2000 database, which supports risk assessment, analysis and reporting.

The company said regular audits are conducted against the list of risk-rated vulnerabilities established in the baseline; any non-complying system is assigned a priority, and a service request is opened to correct the problem. "Verifying that a problem has been fixed involves scanning, reviewing the scanning report, and then entering a remediation loop that fixes the problem or creates a notification of the problem and then scans again. The process continues repeatedly until the problem is resolved," Microsoft explained.

The case study includes several best practice recommendations for IT admins, including:

  • The creation of a risk model for the enterprise to pinpoint potential risk areas and the probability and impact of a compromise to each area.
  • Plans to determine what is worth risking and what must be fixed. "Doing nothing is an option if the risk probability or impact is low."
  • The development of a library of risk-rated vulnerabilities, so the scanning process can verify whether known vulnerabilities are present, along with documentation of technologies and of the resources (people and devices) that have access to those technologies.
  • Management of the vulnerabilities by notifying users and forcing a patch or disconnecting the vulnerable system from the network.

The company said it used a combination of Microsoft and third-party tools to monitor for intrusions. The unit reviews Internet Security and Acceleration (ISA) Server logs and conducts audits to ensure that remote access accounts are used only by the owners of those accounts. Microsoft Operations Manager (MOM) is used for event collection and to diagnose suspicious incidents, while the Microsoft Audit Collection System component of MOM is used to collect and analyze security event logs.
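The remediation loop quoted above (scan, review, fix or notify, rescan until resolved) and the risk-triage recommendations in the list can be modelled together. The following is an added illustration, not code from the case study or from Microsoft's toolkit; the vulnerability library, the probability/impact scale, the accept-risk threshold, the simulated scanner and patcher, and the "disconnect after N rounds" rule are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    probability: int  # assumed scale: 1 (rare) .. 5 (likely)
    impact: int       # assumed scale: 1 (minor) .. 5 (severe)

    @property
    def risk(self) -> int:
        return self.probability * self.impact


# Constructed risk-rated vulnerability library (ids are placeholders).
LIBRARY = {v.vuln_id: v for v in [
    Vulnerability("VULN-A", 5, 5),
    Vulnerability("VULN-B", 1, 2),
    Vulnerability("VULN-C", 4, 3),
]}


def triage(vuln: Vulnerability, threshold: int = 6) -> str:
    """Accept low-probability/low-impact findings; everything else must be fixed."""
    return "accept" if vuln.risk < threshold else "fix"


def scan(host: dict) -> list:
    """Simulated scanner: report library ids still present on the host."""
    return sorted(i for i in host["present"] if i in LIBRARY)


def force_patch(host: dict, vuln_id: str) -> bool:
    """Simulated forced patch; succeeds only for vulnerabilities the host can patch."""
    if vuln_id in host["patchable"]:
        host["present"].discard(vuln_id)
        return True
    return False


def remediation_loop(host: dict, max_rounds: int = 3):
    """Scan, review, fix-or-notify, rescan, until clean or the host is cut off."""
    log = []
    for rnd in range(1, max_rounds + 1):
        must_fix = [LIBRARY[i] for i in scan(host) if triage(LIBRARY[i]) == "fix"]
        if not must_fix:
            log.append((rnd, "clean"))
            return "resolved", log
        for v in sorted(must_fix, key=lambda v: v.risk, reverse=True):
            if force_patch(host, v.vuln_id):
                log.append((rnd, f"patched {v.vuln_id} (risk {v.risk})"))
            else:
                log.append((rnd, f"notified owner about {v.vuln_id} (risk {v.risk})"))
    return "disconnected", log
```

A finding that stays unpatched through every round ends with the host marked for disconnection, matching the "force a patch or disconnect" recommendation; accepted low-risk findings are left in place and never block the loop from finishing.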