INTEREST: Microsoft on wireless and IT security (long... sorry)

In case you haven't yet seen it, Microsoft has a paper outlining Microsoft's internal wireless network deployment available at: http://www.microsoft.com/technet/itsolutions/msit/security/secwlan.asp
..also, from a Q&A regarding IT Security comes the following (long... sorry):

ShopTalk Webcast: IT Security Sponsored by Microsoft TechNet 12/01/03
Q&A (Most frequently asked during the session)
Question: What types of antivirus software does Microsoft use? What does Microsoft use to eliminate e-mail-borne viruses and spam?
Answer: At Microsoft, antivirus software is deployed on all desktop computers, servers, e-mail gateways, internet gateways, and Personal Digital Assistants (PDAs). Computer Associates eTrust is used on all desktop computers and fully managed servers, except the gateways, which run Trend Micro InterScan Viruswall and also Brightmail software. About 5 million inbound e-mail messages are scanned every day. On average, 800 viruses are stripped per day, and approximately 2.4 million junk e-mail messages are filtered per day.
Question: Where does the Microsoft Corporate Security Group reside in the Microsoft organization structure?
Answer: Microsoft's Corporate Security Group reports into Rick Devenuti, the chief information officer (CIO) and corporate vice president for the Worldwide Services Organization at Microsoft Corp.
Question: Does the Microsoft Corporate Security Group attempt to break into your own systems to assess the strength of your network?
Answer: The attack and penetration team in the Microsoft Corporate Security Group evaluates compliance with security policies and standards. This team provides real-world threat assessment auditing and consulting services across all layers of the ecosystem, including controls on the network, host, application, trust, and account levels. The team's objective is to measure the effectiveness of Microsoft's security controls against internal and external threats and then assist in developing cost-effective risk mitigating solutions.
Question: What are the advantages of using smart cards over USB tokens or RSA tokens?
Answer: The Microsoft Corporate Security Group identified three areas where smart cards are more appropriate for our environment compared to USB or RSA tokens. First, our assessment indicated that a smart card is less likely to be compromised than USB or RSA tokens. Second, smart card chips could be embedded into the existing proximity cards that Microsoft employees already use for building access, eliminating the need for users to carry an additional device for two-factor authentication. Finally, smart cards can be used for multiple applications such as two-factor remote access authentication and Secure Multipurpose Internet Mail Extensions (S/MIME) for digitally signing and encrypting of e-mail. More details on Microsoft's smart card deployment can be found at: http://www.microsoft.com/technet/itsolutions/msit/security/smartcrd.asp and http://www.microsoft.com/technet/itsolutions/msit/security/smtcrdcs.asp
More detail on Microsoft's self hosted Public Key Infrastructure (PKI) can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio...
Question: What product does the Microsoft Corporate Security Group use for intrusion detection?
Answer: The Microsoft Corporate Security Group manages intrusion detection with a number of third-party and internally developed programs and tools, including Microsoft Audit Collections System (MACS), BlackICE and RealSecure from Internet Security Systems, and proxy traffic monitoring and antivirus software.
Question: What method does the Microsoft Corporate Security Group use to determine the particular patches to deploy and the urgency of their deployment?
Answer: The Microsoft Corporate Security Group relies on a formal decision support process to determine which patches to apply and their urgency in Microsoft's environment. At a high level, patches are considered critical in the Microsoft environment if the vulnerability addressed by the patch results in escalation of privilege, expansion of access or control or exposure of business critical data. Additional detail on Microsoft's Corporate Security Group's security strategy is available at: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
Question: Is Windows Update integrated in Microsoft's patch compliance process?
Answer: Windows Update is one of the technologies used in Microsoft's patch compliance strategy. Additional technologies include Microsoft Systems Management Server (SMS) and custom tools.
Question: What is Connection Manager?
Answer: Connection Manager is a suite of components that provides administrators with the ability to create and distribute customized remote access connections, called service profiles, and to create, distribute, and automatically update customized phone books. Connection Manager service profiles appear as network connections on client computers, and profiles can be used to connect to remote networks through servers that are running Routing and Remote Access, Internet Authentication Service (IAS), or remote access and virtual private networking technologies from companies other than Microsoft. Further information about Connection Manager is available at: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/tech...
Question: What are some of the challenges in self hosting a Public Key Infrastructure (PKI)?
Answer: One of the challenges to self hosting a PKI is the need to secure the Certificate Authority servers in a secure vault that is subject to highly restricted access controls. More detail on Microsoft's self hosted Public Key Infrastructure (PKI), including lessons learned through our own deployment, can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio...
Question: What steps do you take when a smart card is lost or stolen?
Answer: After a card is reported as lost or stolen, the smart card's certificate is immediately revoked by Microsoft authentication servers, permanently preventing access by the holder of the missing smart card. A new smart card is then issued from a local card issuance site. Additional information about Microsoft's smart card deployment and operations can be found at: http://www.microsoft.com/technet/itsolutions/msit/security/smartcrd.asp
Question: What kind of custom tools has Microsoft's Corporate Security Group developed? Is there any intention of releasing such tools to customers or integrating the functionality into Microsoft products?
Answer: Microsoft's Corporate Security Group has developed a number of custom tools to meet the needs of our environment. As part of a two-way feedback process with Microsoft's product groups, many features developed by Microsoft's Corporate Security Group are incorporated into Microsoft products.
Question: When the term "VPN" was used during the security remote access presentation, was it used to refer exclusively to remote users?
Answer: Yes, the term "VPN" was used to refer to remote users. Additional detail about Microsoft's remote access infrastructure is available at: http://www.microsoft.com/technet/itsolutions/msit/security/smartcrd.asp
Question: Does the Microsoft Corporate Security audit your policies and procedures to ensure that employees do not circumvent these policies? If so, how often do the audits occur?
Answer: Yes, Microsoft's Corporate Security Group audits policies and procedures. The frequency of the audits is based on the security risks addressed by the specific policies and procedures. Additional detail on the Microsoft Corporate Security Group functions, including audit and compliance team functions, is available at: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
Question: What percentage of Microsoft's 300,000 network devices are subject to the Microsoft Corporate Security Group's compliance policies, including scanning and remediation?
Answer: All devices connected to Microsoft's corporate network are subject to the Microsoft Corporate Security Group's compliance policies, including scanning and remediation.
Question: Is compliance to Microsoft Corporate Security policies centrally managed? If so, how is compliance managed at remote sites?
Answer: Yes, compliance to Microsoft Corporate Security policies is centrally managed. Compliance at remote sites is primarily managed through remote scanning and, as necessary, on-site visits.
Question: What does Microsoft do internally with regards to securing wireless within your IT infrastructure?
Answer: A paper outlining Microsoft's internal wireless network deployment is available at: http://www.microsoft.com/technet/itsolutions/msit/security/secwlan.asp
Question: Does the Microsoft Corporate Security Group operate an Intrusion Prevention System?
Answer: Intrusion Prevention Systems are not implemented in a full production environment although we are actively evaluating the technologies.
Wayne Billing