Touting what it calls the “largest cybersecurity engineering project in history”
Microsoft is making progress on a broad cybersecurity initiative that was announced earlier this year following a high-profile hack of government email accounts that was traced to a Chinese threat actor.
In a blog post summarizing the Secure Future Initiative that was launched in November, Microsoft security chief Charlie Bell said five of the program’s 28 objectives are “near completion” and that 11 others have made “significant progress.” Among these achievements, Bell highlighted the completion of a project to put all Microsoft Account and Entra ID token-signing keys into hardware security modules or Azure confidential virtual machines and the hardening of the company’s software development kit to validate first-party identity tokens.
“We’ve applied new defense-in-depth protections in response to our Red Team research and assessments, migrated the MSA signing service to Azure confidential VMs, and are migrating Entra ID signing service to the same,” Bell said.
He noted that each of these improvements helps mitigate the attack vectors that Microsoft suspects the actor used in a Chinese APT attack on Microsoft.
Microsoft has publicly blamed the incident on a crash dump stolen from a hacked engineer’s corporate account. The crash dump, which dated back to April 2021, contained a Microsoft account (MSA) consumer key that was used to forge tokens to break into OWA and Outlook.com accounts.
On the architecture side, Bell reported the purging of 6.3 million dormant Azure tenants to protect cloud tenants and isolate production systems.
Microsoft also reported the migration of 88 percent of active resources into Azure Resource Manager for tighter policy enforcement and the segmenting of 4.4 million managed identities so they can authenticate only from approved network locations.
The Secure Future Initiative was publicly rolled out in November 2023 with a promise to deliver faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.
Microsoft has itself faced intense criticism for its own approach to third-party vulnerability research of its cloud products and continues to struggle with faulty and incomplete patches and a surge in Windows zero-day attacks.