The Solution Accelerators team is at it again, releasing the IT Infrastructure Threat Modeling Guide, which provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (SDL) threat modeling and uses it to establish a threat modeling process for IT infrastructure.
Included in the guide are the following:
Chapter 1: IT Infrastructure Components
This chapter focuses on understanding the details of the components that the IT infrastructure threat modeling process will consider, including diagramming, identifying threats, mitigating threats, and validating all the information that is acquired during the process. The chapter discusses use scenarios, dependencies, implementation assumptions, entry points, and trust levels.
Chapter 2: The IT Infrastructure Threat Model Portfolio
This chapter describes how to populate the IT infrastructure threat model portfolio with relevant data about your components. The chapter includes information about prioritization and is essential for helping you mitigate threats with the greatest potential impact to your organization.
Chapter 3: Applied Example – The Threat Modeling Process
This chapter uses a fictitious organization's communications system as an example for the IT infrastructure threat modeling process. The rapid introduction of mobile devices into IT infrastructure could make such a system an ideal target for an attacker. You can use the SDL Threat Modeling Tool as described in this guide or another of your own choosing.
The threat modeling guide also discusses how you would use the Microsoft SDL Threat Modeling tool, and walks through some applied examples with our good friends at Fabrikam.
To download a copy of the IT Infrastructure Threat Modeling Guide, click here.
The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide:
Cool Instant Answer on Bing… just visit and search for “<job> salary”
If you are involved in a project to plan or upgrade Active Directory in your branch offices, you may have questions such as: What type of domain controller should I use for a given branch office? Does a given branch office even need a Domain Controller? What topology should I use? How do I monitor AD at the Branch Office location? Can I upgrade an existing 2003 Domain Controller to a Windows Server 2008 RODC? All these questions and more are answered in the new RODC Branch Office Guide, which explains how to plan, deploy, and administer read-only domain controllers (RODCs) in branch office environments.
This guide describes new features in Windows Server 2008 that can provide benefits for Active Directory deployments that include branch offices. It explains how to assess an existing deployment of domain controllers in branch offices to determine whether deploying read-only domain controllers (RODCs) in existing or future branch offices is appropriate for your organization. For more general information about how to install and configure an RODC, see Planning and Deploying Read-Only Domain Controllers. For more information about deploying an RODC in a perimeter network (also known as DMZ), see Active Directory Domain Services in the Perimeter Network (Windows Server 2008).
Get the Read-Only Domain Controller (RODC) Branch Office Guide here: