How Microsoft fights off 100,000 attacks per month

Computerworld - Microsoft Corp. has long encouraged its employees to "RAS" into the corporate network from home or from the road to access e-mail, shared files and applications.

RAS, short for Remote Access Services, is an old Microsoft term for what most people now call a client VPN.

Microsoft, of course, maintains valuable intellectual property on its internal network, including the source code to all its operating systems and applications. These are constant targets for hackers, and Microsoft tries to protect its most valuable assets with defenses in depth; they are behind firewalls and on networks segmented with IPsec. In addition, the entire network is monitored for suspicious activity, scanned for malware and so on.

What do I mean by a constant target? Last year, Microsoft IT said it was the target of more than 100,000 intrusion attempts per month. Currently, Microsoft filters out about 9 million spam and virus e-mails a day out of 10 million received. Yes, that means that roughly 90% of incoming e-mails are spam.

In that environment, you'd think that VPN connections might expose Microsoft to serious security risks. So how does Microsoft mitigate those risks while continuing to offer VPN access to remote employees and contractors? The answer to that is manifold.

Two-factor authentication

The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in fall 2000, Microsoft installed a certificate-based public-key infrastructure and rolled out smart cards to all employees and contractors with remote access to the network and individuals with elevated access accounts such as domain administrators.

Two-factor authentication requires that you have something physical. In this case, it means the smart card and a password.

(The intrusion incident to which I refer was reported by the Wall Street Journal and others, including Computerworld. The news reports said that crackers gained access to Microsoft's network using a stolen username and password, and were able to view, but not alter, some source code. Microsoft disagrees with the information reported.)

"Today, we require a smart card with a valid certificate and PIN, as well as network credentials and authorization to use the network remotely," said Mark Estberg, director of Microsoft's internal security. "We are 'dog-fooding' a deployment using Longhorn Server to implement the same two-factor authorization with SSL VPN from ISA/Whale [acquired by Microsoft in 2006], and with Network Access Protection for endpoint scanning. The back-end authentication and authorization is handled by integration with Active Directory and the Network Policy Server Windows Server."

You might expect Microsoft to adopt biometric security. The company has said it's evaluating it. As yet, however, it's sticking with smart cards.