Network Perimeter Security at Microsoft

Topics on this Page

Situation
Firewall Solution
Firewall Best Practices
Wireless LAN Situation
Wireless LAN Solution
Wireless LAN Lessons Learned
Wireless LAN Best Practices
Benefits
Conclusion
For More Information

Published: December 2002

As part of the companys ongoing, multi-year Trustworthy Computing strategy, Microsofts Operations and
Technology Group (OTG) recently focused on two key technology implementations to make computing more
secure at Microsoft.
Situation
Microsofts network infrastructure needed to serve Microsoft employees, who must stay connected and work
from remote locations without compromising network security.
Solution
Key components of the IT groups security strategy include the deployment of an enterprise firewall solution
and creation of a new, secure wireless LAN.
Products & Technologies
802.1X wireless security protocol
Microsoft Internet Security and Acceleration (ISA) Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows XP Professional and the Windows .NET Server family
Outlook Web Access
Mobile Information Server 2001
The Active Directory directory service
Benefits
Hardened perimeter around the corporate network provides greater security.
Standardization on latest technologies and the consolidation of some services makes administration and
maintenance easier.
Microsoft employees have secure, mobile access to the resources they need for optimal performance.
Although first conceived and articulated by Microsoft, the evolving goals of Trustworthy Computing will
require industry collaboration, as well as commitment from customers to establish and maintain secure
environments.
The ongoing work of OTG is only one part of the global Trustworthy Computing effort. This group is
responsible for running the company's internal networks, telecommunication systems, corporate servers, and
all line-of-business applications. OTGs mission is to provide an IT environment comprised of services,

applications, and infrastructure that provide availability, privacy, and security to Microsoft employees
worldwide. In addition to running the utility as it is called internally, OTG is also committed to testing
Microsoft enterprise products in production before they are released to the general public. Finally, Microsoft
is committed to sharing its internal security best practices and lessons learned with customers, through papers
such as this one.
This case study outlines a small part of OTGs approach to Trustworthy Computing, describing two recent
security initiatives that help ensure a reliable, private, and secure infrastructure within Microsoft:
Hardening the messaging perimeter with Microsoft Internet Security and Acceleration (ISA) Server
Creating a secure wireless LAN
Although not intended to serve as a general guide or plan for enterprise security, this paper explains the
approach OTG has taken to help secure its internal computing environment. Because each enterprise
environment comprises unique circumstances, each organization should adapt the plans, specifications, and
lessons learned described in this paper to meet its specific needs.
Situation

Microsofts corporate network consists of thousands of interconnected servers that house intellectual property,
human resource records, and other sensitive information.
Enabling e-mail access over the Internet for mobile employees through services such as Outlook Web
Access (OWA) requires a server that is accessible to both the Internet and the corporate network. However,
this dual-homed server configuration would present unacceptable risks to Microsoft. Not only are dualhomed servers single points of network failure (if these servers are disabled, communication between mobile
employees and the corporate network is impaired), but dual-homed servers also create the potential for
malicious software and external users to access the corporate network. If a dual-homed server is
compromised, an intruder is then free to impersonate the server within the trusted corporate network
environment.
If your browser does not support inline frames, click here to view on a separate page.
Figure 1 Dual-homed servers before ISA firewall installation
Services requiring dual-homed servers are also vulnerable to hacks, network attacks, and intrusion attempts as
Internet users communicate with these servers and the servers then communicate with corporate network, as
shown in figure 1.
This architecture can also expose any known vulnerabilities for which server administrators have not yet
applied available patches. (Failure to apply an available patch accounted for at least some of the prolific
spread of the Code Red and Nimba viruses across corporate America in 2001.)
Firewall Solution

To reduce the risk of intruders gaining unauthorized access to Microsofts network and restricted information,
OTG deployed ISA Server as an enterprise firewall in front of OWA and Mobile Information Server (MIS)
deployments. This solution effectively created a hardened perimeter around these corporate servers while still
allowing Microsoft employees to use both OWA and MIS.

OTG uses a single service platform (in which a server runs only one service) for both OWA and MIS. Single
service platforms provide fewer points of failure, minimize server load, maximize performance, and ease
administration tasks, such as the frequent server rebuild required to support ongoing product development and
real-world testing that takes place at Microsoft.
With the new architecture, shown in figure 2, the MIS and OWA servers are homed on the internal corporate
network and are no longer connected to the Internet. Instead, the ISA server connects to the Internet and to the
corporate network. When accessing the Internet, Microsoft employees who use MIS and OWA are connected
to the ISA Server external interface, but the behavior is as if they are directly connected to the MIS or OWA
server. For further protection, the ISA server uses the MIS Web filter to authenticate MIS clients before they
reach MIS servers.
If your browser does not support inline frames, click here to view on a separate page.
Figure 2 Perimeter firewall using ISA Server in front of OWA
The ISA server also logs all activity, which includes client activity connecting to the MIS and OWA servers,
and any intrusion attempts against the ISA server.
Firewall Best Practices

For maximum corporate security, OTG recommends using the following options and methods when
configuring ISA Server:
Hardened firewall security. ISA Servers hardened security options protect general purpose servers (file
servers, Web servers, application servers, and so on) from the hazards of the Internet. Most of these servers
are designed to perform their specific function only and offer no protection from Internet risks on their own.
ISA Servers purpose is to provide this sort of protection for these servers.
Network isolation. OTG moved exposed servers to a non-Internet network segment behind the ISA firewall
servers.
Stateful packet inspection. With this configuration option, only data that is appropriate in the context of its
protocol and connection state can cross the firewall. This greatly reduces the chances that a malicious user can
hack into the system using alternate protocols or connection states. Stateful inspection should be performed
on the incoming HTTP Secure (HTTPS) traffic to ensure that the packet is legitimate HTTPS traffic and
adheres to the protocol standard.
Application and protocol filtering. This feature enables ISA Server to inspect and reject application packets
that are invalid before they reach the application server. Because Internet protocol (IP) filters block Internet
traffic that is not part of a valid client session, no scanning or intrusion attempts can be executed successfully
against the ISA server.
Perimeter authentication. For application server performance purposes, the firewall, not the service, should
authenticate users.
Unused services. To reduce the risk of intrusion, OTG disabled all unused services. Disabling unused services
also reduces the complexity of the environment, simplifies troubleshooting, and increases the amount of
system resources available to the required services.
Disable publishing during migration. ISA Server must be configured to enable users to access Microsoft
Exchange mailboxes by using OWA. In cases where two front-end OWA servers are implemented, disable
publishing on the first front-end OWA server so that all client requests are directed to the second server before
the migration. Doing so will minimize the service downtime during the migration. When migration is
complete, re-establish the publishing feature on the first front-end OWA server.
Certificate management. Export existing certificates of authority from the existing OWA servers and then
import them to the publishing ISA servers to provide trusted SSL connections. For security purposes,
carefully manage exposure of the exported certificate and the private key password. Make sure that the front-

end OWA server has internally issued certificates. The common name of the front-end OWA server certificate
must match the configured OWA publishing rules on the corresponding ISA servers.
Wireless LAN Situation

Microsoft employees need to stay connected and work from whichever Microsoft offices their jobs take them
to.
The companys legacy wireless network security model was based on a static shared Wired Equivalent
Privacy (WEP) key (used to encrypt traffic between the client and wireless access point) for encryption and
authentication. Attackers can take physical possession of wireless cards that have the WEP key stored on them
or learn the WEP key using readily available hacking tools.
Wireless LAN Solution

OTG used IEEEs 802.1X wireless security protocol, which is built into Microsoft Windows XP
Professional and the Windows .NET Server family to make wireless connections more secure across
Microsoft offices throughout the world.
The 802.1X authentication protocol enhances the security of 802.11b by blocking any network activity until a
user and/or computer are successfully authenticated. In the 802.1X solution, the access point controls client
network access based on authentication of the user, the computer account, or both the user and the computer
account.
OTTG used a Public Key Infrastructure (PKI) to provide the certificates to verify and authenticate the validity
of each user and computer. To implement PKI cost-effectively at Microsoft, OTG leveraged the built-in PKI
capability of Microsoft Windows 2000 and Windows .NET Server 2003. To enhance security, Microsoft
authenticates both client users and client computers against an Internet Authentication Server (IAS), which is
the Microsoft implementation of the RADIUS standard.
OTG performed the following steps in deploying 802.1x:
Upgraded firmware in existing access points to support 802.1x
Globally disabled the shared WEP key
Prohibited the use of non-IT managed access points by policy and enforced the policy by scanning for rogue
access points
Used PKI to issue and validate user and computer certificates (using Internet Engineering Task Force standard
X.509 v3, client authentication certificates to authenticate computers and users on the wireless network)
In the spring of 2000, after the completion of engineering and operations design documentation, OTG began
the eight-month process of installing WLAN equipment in 70 buildings on the Redmond campusa process
that involved more that 1,300 access points. In the summer of 2000, OTG began installing WLAN equipment
(including 1,200 access points) in additional Microsoft buildings worldwide. A year later, OTG spent one
month to deploy 802.1X security across the entire Microsoft network, involving buildings on the Redmond
campus and 23 other locations worldwide.
Wireless LAN Lessons Learned

During this first and largest deployment of an 802.1x secure wireless LAN, OTG encountered the following
issues:
End-to-end operational support required the integration of disparate support organizations. Troubleshooting
involves a WLAN client and an access point, as well as back-end technologies such as PKI, RADIUS, and
Active Directory, all of which may be managed by disparate IT teams.
Because Microsoft employees were interested in using their home WLAN installations to connect to the
corporate network via a Virtual Private Network (VPN), OTG required that the projects hardware vendors
provide a solution compatible with home WLAN systems.
Radio frequency (RF) health and safety concerns raised by Microsoft employees led OTG to analyze different
aspects of the hardware infrastructure; the results of this analysis were shared with employees in answer to
their concerns.
Wireless LAN Best Practices

When deploying WLAN services, OTG recommends the following best practices based on its internal
deployment experiences:
Network administrators should balance security needs and server loads when setting the intervals at which
WEP keys are changed. In OTGs implementation, WEP keys are dynamic in an 802.1X-based WLAN,
changing with each new connection session, when roaming occurs between access points, and at preset time
intervals.
IT operations and other technical support personnel should be involved early in the planning process.
Effective troubleshooting requires input from many different teams.
Develop a mechanism to prohibit the installation of rogue access points on the corporate network, including
technical monitoring to ensure that violations are detected and a process to remove them from the corporate
network.
RF requirements and regulations vary between countries; therefore, local codes and restrictions need to be
checked carefully and followed closely.
Enclose access point units and antennas within plenum-rated enclosures to meet building fire codes. Use a
central, low-voltage power supply on an uninterruptible power supply (UPS).
Benefits

By deploying ISA Server as an enterprise firewall, OTG resolved the security issues associated with having
dual-homed servers connected directly to the internet. With ISA Server, OTG created a hardened perimeter
around its servers to protect sensitive services. Only pertinent traffic is sent to the MIS and OWA servers,
which keeps these servers secure from Internet traffic.
Creating a wireless network with powerful security technologies that all Microsoft employees can use offers
these benefits:
Increased protection of Microsofts network assets from unauthorized users
Increased job satisfaction and employee productivity through secure mobility (by more than 30 minutes a day
according to pilot studies)
Enhanced collaboration speed , allowing better, faster decisions
Conclusion

With a hardened perimeter now in place around the corporate network and a wireless network with strong
security features and technologies, OTG has tightened security at Microsoft, provided enhanced access and
productivity to its employees, and advanced the companys multi-year Trustworthy Computing strategy. Other
corporations can use these examples to make their own systems more secure.
General Security Best Practices
OTG recommends the following best practices when implementing any project intended to make your
corporations computing environment more trustworthy:
For corporations with Microsoft Windows NT 4.0 domains, the first step is to upgrade their operating
systems to maximize the latest and best technology, including remote access policy for WLAN access. Note
that additional client upgrades may be required to take advantage of IEEE 802.1x. Perform an analysis of
infrastructure requirements prior to upgrading.
Make an honest assessment of available resources. Focus on the highest priority items first, as defined by
your risk assessment process. At Microsoft:
Risk is acknowledged as a fundamental part of operations that is neither good nor bad. A risk is the possibility
of a future loss, and although the loss itself may be seen as bad, the risk as a whole is not.
Risk is not something to fear. Because risk is not bad, it is not something to avoid. Risk is something to
manage. Operations teams deal with risks by actively addressing each identified risk in advance. If a loss is
one possible future outcome, then other possible outcomes are gains, smaller losses, or larger losses. Risk
management lets the team change the situation to favor one outcome over the others.
The goal is knowing that your enterprise is as prepared as it can be, and has a plan for staying prepared.
Start with a pilot project in a small, controlled area. When the pilot is successful, deploy the product to a
larger, but still closely monitored area. Then deploy to the rest of the organization as resources and time
permit.
Consider network bandwidth constraints before modifying core IT services such as messaging or wireless
LAN. It is likely that the network design used different assumptions and the risk of business disruption must
be carefully managed.
Prevent disabling of virus detection software, force timely virus signature updates and use only trusted
software. Because end users are an important factor in security, educate them to identify virus behavior and to
respond effectively. This can minimize the impact of malicious code attacks before a new virus signature is
propagated.
Stay secure and informed by subscribing to the security bulletins available at
http://www.microsoft.com/technet/security/Default.asp.
Review Microsofts Security Best Practices at http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/bestprac/default.asp.
Future Plans
Microsoft Operations and Technology Group will continue to play an important role in Microsofts global
Trustworthy Computing strategy and to share its best practices and lessons learned with customers.
Further information on Microsofts internal security operations, intitiaves, best practices and lessons learned is
posted and updated at http://www.microsoft.com/technet/itsolutions/techsol/showcase/default.asp.
For More Information

To view additional IT Showcase material, please visit:

http://www.microsoft.com/technet/itsolutions/techsol/showcase/default.asp
For any questions, comments, or suggestions on about this document, or to obtain additional information
about Microsoft IT Showcase, please send e-mail to: showcase@microsoft.com
http://www.microsoft.com/presspass/exec/craig/10-02trustworthywp.asp

 2002 Microsoft Corporation. All rights reserved.

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS
OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, Outlook, Windows, and Windows NT are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.