http://www.microsoft.com/technet                                         TNTx-xx




   Implementing Application
          Security
                            Wayne Harris MCSE
                            Senior Consultant
                     Certified Security Solutions




Defense-in-Depth

 Using a layered approach
   Increases an attacker’s risk of detection
   Reduces an attacker’s chance of success


   Layer                                Controls
   Data                                 ACLs, encryption, EFS
   Application                          Application hardening, antivirus
   Host                                 OS hardening, authentication, patch management, HIDS
   Internal Network                     Network segments, IPSec, NIDS
   Perimeter                            Firewalls, Network Access Quarantine Control
   Physical Security                    Guards, locks, tracking devices
   Policies, Procedures, & Awareness    Security documents, user education


Why Application Security Matters


     Perimeter defenses provide limited protection
     Most host-based defenses are not application-specific
     Most modern attacks occur at the application layer




Application Security Dependencies


                         Application-Specific Security

   Operating System:   Security Updates; Shares; Auditing and Logging; Services;
                       Files and Directories; Accounts; Registry

   Network:            Protocols; Ports


Application Server Best Practices



                     Configure security on the base operating system

                     Apply operating system and application service
                     packs and updates
                     Install or enable only those services and
                     applications that are required
                     Assign only those permissions needed to perform
                     required tasks
                     Application service accounts should be configured
                     with minimal permissions
                     Apply defense-in-depth principles to increase
                     protection




Exchange Server Security Dependencies


                           Exchange Server Security
       IIS Security        Active Directory Security        Client Security

   Operating System:   Security Updates; Shares; Auditing and Logging; Services;
                       Files and Directories; Accounts; Registry

   Network:            Protocols; Ports


Aspects of Exchange Server Security


  Securing the Exchange Server computer
  Securing access to Exchange Server
       Blocking unauthorized access
  Securing communications
       Blocking and encrypting communications
  Blocking spam
       Filtering incoming mail
       Relay restrictions: Don’t aid spammers!
  Blocking insecure e-mail messages
       Virus scanning
       Attachment blocking




Securing Exchange Servers Using Security Templates

  Exchange 2000 Server Back-End Servers
       Apply baseline security template and the Exchange back-end incremental
       template
  Exchange 2000 Server Front-End Servers
       Apply baseline security template and the Exchange front-end incremental
       template
  Exchange 2000 Server OWA Server
       Apply IIS Lockdown, including URLScan
  Exchange Server 2003 Back-End
       Apply protocol security templates
  Exchange Server 2003 Front-End and OWA Server
       IIS 6.0 provides much of the same functionality as URLScan and IISLockdown
  Domain Controllers with Exchange Server
       Apply the domain controller baseline template (BaselineDC.inf), and then apply
       the Exchange DC incremental template

Securing Exchange Servers Using Security
Configuration Wizard

   SCW is an additional component with Windows
   Server 2003 SP1
   SCW provides guided attack surface reduction for servers
   running Windows that:
        Configures servers based on roles
        Disables unnecessary services
        Disables unnecessary IIS Web extensions
        Blocks ports that are not required
   Run SCW on an Exchange server in a specific role, then
   import the settings on other servers in the same role
   To apply SCW settings using GPOs, use the Scwcmd
   Transform command to create a GPO




Securing Client Authentication


   Secure Outlook client authentication
   Configure Exchange and Outlook 2003 to use RPC over HTTPS
   Use SPA and SSL to encrypt authentication and messages for
   Internet protocol clients
   OWA supports several authentication methods:
   Authentication Method               Considerations
   Basic authentication                Broad client support, but must use SSL for encryption
   Integrated Windows authentication   Limited client support; issues across firewalls
   Digest authentication               Limited client support
   Forms-based authentication          Cookie-based authentication method available with
                                       Exchange Server 2003


     Securing Client Communication


          Configure RPC encryption
               Client-side setting
               Can be enforced with ISA Server 2004
          Use RPC over HTTPS for remote Outlook 2003 clients
          Use firewalls like ISA Server to enable secure remote
          client connections to Exchange Server
          Require SSL for OWA client connections
          Use S/MIME for message encryption




     Encrypting Messages by Using S/MIME


  (Figure: Client 1 sends an S/MIME-encrypted message to Client 2 through two SMTP
  servers; public keys are looked up on an Active Directory domain controller.)

  1   Client 1 creates a new message
  2   Client 1 locates Client 2's public key in Active Directory
  3   A shared key is generated and encrypted using the recipient's public key.
      The message is encrypted with the shared key, and both the message and the
      encrypted shared key are sent
  4   As the message is sent it is encapsulated using S/MIME (SMTP server to SMTP server)
  5   The message arrives encrypted
  6   Client 2's private key is used to decrypt the shared key, and the shared key
      is used to decrypt the message

Demonstration 1: Securing Exchange Client
Communication

                   Configure Forms-based Authentication
                   Configure RPC over HTTP




Blocking Spam with Exchange Server 2003


  Use anti-spam features in Exchange Server 2003
     Support for real-time block lists
     Global deny and accept lists
     Sender and inbound recipient filtering
     Improved anti-relaying protection
     Integration with Outlook 2003 and third-party anti-spam
     products


Blocking Spam with Intelligent Message Filter


  (Figure: Internet mail passes through the Exchange Server 2003 gateway server, which
  applies connection filtering, recipient filtering, sender filtering and the Intelligent
  Message Filter gateway threshold; the Exchange Server 2003 back-end server then applies
  the store threshold before delivery to the user mailbox.)

  Store threshold exceeded?
      Yes:  Safe sender?     Y -> Inbox    N -> Junk
      No:   Blocked sender?  Y -> Junk     N -> Inbox




Demonstration 2: Configuring Exchange Server
Spam Protection

                     Configure Real-Time Block List Support
                     Configure Intelligent Message Filter


Protecting Against E-mail Viruses


   Implement a defense-in-depth approach
        Install an antivirus scanner on the SMTP gateway server
        Install antivirus software on the Exchange servers
        Install antivirus software on all clients
    Ensure that the antivirus software is compatible with
    Exchange Server
   Configure Outlook and OWA attachment security




Top 10 Actions to Secure Exchange Server


  1     Install the latest service packs
  2     Install applicable security updates
  3     Apply the principle of least privilege
  4     Harden the Exchange servers
  5     Secure the e-mail clients
  6     Use a layered antivirus approach
  7     Implement anti-spam measures
  8     Use an application-layer firewall such as ISA Server
  9     Secure Outlook Web Access
  10    Implement a backup strategy

  Use Exchange Best Practices Analyzer to examine the Exchange Server
  organization based on Microsoft best practices


Common Database Server Threats


  (Figure: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server,
  with the threats shown at each point.)

  Browser / perimeter:            SQL injection, password cracking, unauthorized external access
  Web app vulnerabilities:        Overprivileged accounts, weak input validation
  Network vulnerabilities:        Network eavesdropping, failure to block SQL ports
  Configuration vulnerabilities:  Overprivileged service account, weak permissions, no certificate




Basic Security Configuration


    Follow a defense-in-depth approach to securing SQL
    Server
    Apply service packs and patches
            Use MBSA to detect missing SQL updates
    Disable unused services
            MSSQLSERVER (required)
            SQLSERVERAGENT
            MSSQLServerADHelper
            Microsoft Search
            Microsoft DTC


Database Server Security Categories


   SQL Server:         SQL Server Security; Logins, Users, and Roles; Database Objects;
                       Auditing and Logging

   Operating System:   Shares; Auditing and Logging; Services; Files and Directories;
                       Accounts; Registry

   Network:            Protocols; Ports

   Patches and Updates apply across all three layers




Network Security


        Restrict SQL to TCP/IP
                     Control who can connect to the server via IPSec policy
                     Enforce Kerberos authentication
        Harden the TCP/IP stack
        Restrict ports
                     Block all ports with the exception of the SQL Server port
                     and ports required for authentication
                     Configure IPSec to restrict access to ports 1433 and
                     1434


Operating System Security


   Configure the SQL Server service account with the
   lowest possible permissions
      Service account should not be granted permissions to
      the Administrators or Users group
   Delete or disable unused accounts
      Can be a haven for an attacker who has gained access
      Audit local accounts/delete those that are not required
   Secure authentication traffic
      Configure Windows to require NTLM v2




Logins, Users, and Roles


  Use a strong system administrator (sa) password
  Remove the SQL Server guest user account
  Remove the BUILTIN\Administrators server login
  Do not grant permissions for the public role
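The three removals above, carried out in T-SQL as an added example that is not part of the deck. It assumes SQL Server 2005 syntax and a constructed application database named AppDb, and it checks that another sysadmin login exists before dropping BUILTIN\Administrators, because an instance whose only sysadmin login is removed cannot be administered.

```sql
-- Added example: disable guest, drop the BUILTIN\Administrators login, and
-- list what the public role has been granted. SQL Server 2005 syntax;
-- AppDb and dbo.Customers are constructed names.

-- Safety check: keep at least one other sysadmin login before dropping
-- BUILTIN\Administrators, or nobody can administer the instance.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS member ON member.principal_id = rm.member_principal_id
    JOIN sys.server_principals AS role   ON role.principal_id   = rm.role_principal_id
    WHERE role.name = N'sysadmin'
      AND member.name <> N'BUILTIN\Administrators')
BEGIN
    RAISERROR(N'Create another sysadmin login before dropping BUILTIN\Administrators', 16, 1);
END
ELSE IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
BEGIN
    DROP LOGIN [BUILTIN\Administrators];
END
GO

USE AppDb;
GO
-- The guest user cannot be dropped; revoking CONNECT disables it in this
-- database. Leave it enabled in master and tempdb, which require it.
REVOKE CONNECT FROM guest;
GO

-- Anything granted to public is effectively granted to every user of the
-- database. List object-level grants to public so they can be revoked.
SELECT dp.permission_name,
       dp.state_desc,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'public'
  AND dp.class = 1;          -- class 1 = object or column permission

-- Revoke a grant the query above might surface (constructed table name)
REVOKE SELECT ON dbo.Customers FROM public;
GO
```

Run the first batch once per instance and the remaining batches in each user database; the SELECT is the check to repeat after every schema change, since new objects are sometimes granted to public by convenience.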


Files, Directories, and Shares


   Verify permissions:
      On SQL Server installation directories
      To ensure that the Everyone group does not have
      permissions to SQL Server files
      To ensure that Registry keys are configured with proper
      ACLs
      On required shared folders and remove unnecessary
      shares
   Remove passwords that may exist in log files (use
   KillPwd.exe)
   Secure or remove tools, utilities, and SDKs




SQL Server Authentication Best Practices


 Set authentication to
 Windows only
     Credentials are not
     passed over the network
     Security is easier to
     manage
     Credentials delegation is
     available
     Eliminates the need to
     store passwords on clients


SQL Server Auditing


  Log all failed Windows logon attempts
  Log successful and failed actions across the file
  system
  Enable SQL Server logon auditing
  Enable SQL Server general auditing
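The last two list items, SQL Server logon auditing and general auditing, as an added T-SQL example that is not from the deck. It assumes SQL Server 2005 and a sysadmin connection. The logon audit level is stored in the registry; xp_instance_regwrite and xp_instance_regread are extended procedures that exist but are not officially documented, and the supported way to change the setting is the Security page of Server Properties in Management Studio.

```sql
-- Added example: turn on SQL Server logon auditing and C2 general auditing.
-- Assumes SQL Server 2005 and a sysadmin connection.

-- Logon auditing. AuditLevel: 0 = none, 1 = successful logins only,
-- 2 = failed logins only, 3 = both. Takes effect after a service restart.
EXEC master.dbo.xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', REG_DWORD, 3;

-- Read the value back to confirm the write landed on this instance
DECLARE @level int;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', @level OUTPUT;
SELECT @level AS AuditLevel;   -- expected: 3

-- General auditing: C2 audit mode traces every statement to the Data directory.
-- Caveat: if the audit file cannot be written (disk full), the instance shuts
-- itself down rather than run unaudited, so monitor free space on that volume.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;
-- c2 audit mode also requires a service restart; verify the configured value
EXEC sp_configure 'c2 audit mode';
```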




Securing Database Objects


  Remove the sample databases
  Restrict access to stored procedures
     Create SQL logon
     Map logon to database user
     Add database user to user-defined database role, then
     grant permissions to database role
  Restrict cmdExec access to the Sysadmin role


Using Views and Stored Procedures


  SQL queries may contain confidential information
      Names of database components
      Server names
      Processing logic
      Account names or passwords
  Use stored procedures whenever possible
  Use views instead of direct table access
  Implement security best practices for Web-based
  applications
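The procedure on the "Securing Database Objects" slide (create a logon, map it to a database user, add the user to a user-defined role, grant to the role) together with the advice above to expose views and stored procedures rather than tables, as one added T-SQL example that is not part of the deck. It assumes SQL Server 2005 syntax; the database AppDb, the login OrderApp, the role OrderAppRole and the table dbo.Customers are constructed names.

```sql
-- Added example: least-privilege access to database objects.
-- SQL Server 2005 syntax; all object and principal names are constructed.
USE AppDb;
GO
-- Constructed table with one sensitive column the application must never read
CREATE TABLE dbo.Customers (
    CustomerId int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Region     nvarchar(20)  NOT NULL,
    CreditCard nvarchar(20)  NULL
);
GO
-- Step 1: create the login. The deck's authentication slide prefers Windows-only
-- authentication; with it, CREATE LOGIN [DOMAIN\svc-orderapp] FROM WINDOWS replaces this.
CREATE LOGIN OrderApp WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
-- Step 2: map the login to a database user
CREATE USER OrderApp FOR LOGIN OrderApp;
-- Step 3: user-defined role; membership for the user, permissions for the role only
CREATE ROLE OrderAppRole;
EXEC sp_addrolemember N'OrderAppRole', N'OrderApp';
GO
-- A view exposes only the columns the application needs (CreditCard is not in it)
CREATE VIEW dbo.vCustomerDirectory AS
    SELECT CustomerId, Name, Region FROM dbo.Customers;
GO
-- A stored procedure with a typed parameter keeps table names, column names and
-- processing logic out of the client, and the client never composes SQL text
CREATE PROCEDURE dbo.usp_GetCustomersByRegion
    @Region nvarchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name
    FROM dbo.vCustomerDirectory
    WHERE Region = @Region;
END;
GO
-- Permissions go to the role; nothing at all is granted on dbo.Customers
GRANT SELECT  ON dbo.vCustomerDirectory      TO OrderAppRole;
GRANT EXECUTE ON dbo.usp_GetCustomersByRegion TO OrderAppRole;
GO
-- Verification as the application user: the procedure works, the table does not
EXECUTE AS USER = N'OrderApp';
EXEC dbo.usp_GetCustomersByRegion @Region = N'West';   -- succeeds
BEGIN TRY
    SELECT CreditCard FROM dbo.Customers;               -- permission denied
END TRY
BEGIN CATCH
    PRINT N'Direct table access denied: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
```

Because the grant is on the role rather than the user, replacing the application login later means one sp_addrolemember call; and because no grant exists on the table, a SQL injection that escapes the procedure still cannot read CreditCard.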




Securing Web Applications


  Validate all data input
  Secure authentication and authorization
  Secure sensitive data
  Use least-privileged process and service accounts
  Configure auditing and logging
  Use structured exception handling


SQL Server and Windows Server 2003 SP1


  Windows Firewall enabled by default on slipstreamed
  installations
      No TCP/UDP/Multi-Protocol/Named Pipes port listening is
      enabled by default for any SQL Server component
      Shared memory is unaffected; connections on the same
      machine continue to work against SQL Server/MSDE
  Getting SQL Server back on the network
      Create an exception for each instance of SQL Server within
      Windows Firewall
      Create an exception for each SQL Server component
      Define connectivity-specific port that will be used for each
      SQL Server component and each instance of SQL Server




SQL Server 2005 Security Features


   SQL Server 2005 development is based on the processes
   defined by the Trustworthy Computing Initiative
      Secure by design - data encryption in the database,
      multiple proxy accounts, SQL Profiler does not need
      administrator rights
      Secure by default – only required services are installed
      and started, enforced passwords for standard logon
      Secure in deployment – granular permissions controlled
      by policies, separation of users and schema
      Secure communications – Kerberos authentication for
      clusters, encrypted communication for Analysis server


Top 10 Actions to Protect SQL Server


  1     Install the most recent service pack
  2     Run MBSA and update identified security issues
  3     Configure Windows authentication
  4     Isolate the database servers
  5     Check the sa password, and ensure that it is complex
  6     Limit privileges of SQL Server services
  7     Block ports at your firewall
  8     Use NTFS
  9     Remove setup files and sample databases
  10    Audit connections

  Use SQL Server Best Practices Analyzer to examine the SQL Server
  configuration based on Microsoft best practices




IIS Lockdown Tool


  The IIS Lockdown Tool turns off unnecessary features
  to reduce the attack surface of IIS 4.0, IIS 5.0, and IIS 5.1
  To provide defense-in-depth, the Lockdown Tool
  integrates URLScan, which includes customized
  templates for each supported server role
  IIS 6.0 installs with the security settings that earlier
  versions of IIS Lockdown applied, so there is no IIS
  Lockdown Tool for IIS 6.0


URLScan


  URLScan helps prevent potentially harmful requests
  from reaching the server
  URLScan restricts the types of HTTP requests that IIS
  will process:
       Requests for long URLs
       Requests using alternate character sets
       Requests containing disallowed methods
       Requests matching any pattern
  IIS 6.0 implements most of the URLScan functions, so
  URLScan is only required to enable customized content
  blocking




Top 10 Actions to Secure IIS 5.x


  1    Harden the operating system and apply all relevant security updates

  2    Remove unnecessary components

  3    Run the IIS Lockdown Tool

  4    Configure URLScan

  5    Place content on a separate NTFS partition

  6    Protect files by using minimal permissions

  7    Require encryption for sensitive Web traffic

  8    Do not enable both the Execute and Write permissions on the same Web site

  9    Run applications using Medium or High application protection

  10   Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the Web server


Security Enhancements in IIS 6.0


 IIS 6.0 is locked down with the strongest time-outs and content limits
 set by default
  Feature                        Description
  Locked-down server             IIS 6.0 is not installed by default. A clean install only
                                 provides static file support
  Web service extensions list    The default installation does not compile, execute, or
                                 serve files with dynamic content
  Default low-privilege account  IIS processes run with significantly lowered privileges by
                                 logging on using the NETWORK SERVICE account
  Authorization                  URL authentication with Authorization Manager. Constrained,
                                 delegated authentication
  URL checking                   Configure time-outs and URL length limits. Checking whether
                                 a file exists before attempting to run it. No executable
                                 virtual directories
  Process isolation              Improved sandboxing of applications. Third-party code runs
                                 only in worker processes; resource recycling




Securing IIS 6.0 Using Security Configuration Wizard


   When you run SCW on an IIS 6.0 server, you can
   configure the following settings:
        Server roles
        Disable services
        Enable Windows Firewall and enable port filtering
        Configure authentication methods
        Configure audit policy
        Enable or disable Web Service Extensions
        Remove legacy virtual directories
        Block anonymous write access


IIS 6.0 Application Pools


   Application pools are isolated
   sets of applications and the
   worker processes that service
   them
   If an application fails, it does
   not affect the availability of
   applications that are running
   in other application pools
   Create separate application
   pools for applications that do
   not depend on each other




Demonstration 3: Securing IIS 6.0


                  Configure application pools


Windows Small Business Server Overview


  Windows Small Business Server 2003 provides a
  complete server solution for small businesses including:
     Providing e-mail, networking, and Internet connectivity
     Enabling Small Business Intranet with Microsoft Windows
     SharePoint Services
     Enabling remote access
     Enabling mobile user access
     Simplified server administration and management




Windows Small Business Server Security


  Security Issues for Small Business
     Lack of security expertise
     Limited resources for isolating services
     Limited security monitoring capability
     Improper use of server resources
  Windows Small Business Server Security Risks
     Many services installed by default
     Direct connectivity to the Internet


Protecting Against External Threats


  Configure password policies to require complex
  passwords
  Configure secure remote access
      Remote Web Workplace
      Remote Access
  Disable all remote access options that you do not require
  Rename the Administrator account
  Implement Exchange Server and IIS security best
  practices
  Install only required software on the server




Protecting Against Internal Threats


  Implement an antivirus solution
  Implement a backup plan
  Run MBSA to check for security vulnerabilities
  Control access permissions
  Educate users
  Do not use the server as a workstation
  Physically secure the server
  Update the software


Session Summary



      Secure the base operating system on all application
      servers
      Secure clients and client connections to Exchange
      Server
      Secure SQL Server authentication and database
      permissions
      Implement IIS 6.0 to take advantage of its security
      enhancements
      Enable only required services in Windows Small
      Business Server

Scalable Internet Servers and Load Balancing
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Migration from ASP to ASP.NET
Migration from ASP to ASP.NETMigration from ASP to ASP.NET
Migration from ASP to ASP.NET
 

Recently uploaded

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
MateoGardella
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
Chris Hunter
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 

Recently uploaded (20)

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 

Implementing Application Security

  • 1. http://www.microsoft.com/technet TNTx-xx
    Implementing Application Security
    Wayne Harris, MCSE, Senior Consultant, Certified Security Solutions

    Defense-in-Depth
    - Using a layered approach
      - Increases an attacker’s risk of detection
      - Reduces an attacker’s chance of success
    - Data: ACLs, encryption, EFS
    - Application: Application hardening, antivirus
    - Host: OS hardening, authentication, patch management, HIDS
    - Internal Network: Network segments, IPSec, NIDS
    - Perimeter: Firewalls, Network Access Quarantine Control
    - Physical Security: Guards, locks, tracking devices
    - Policies, Procedures, & Awareness: Security documents, user education
  • 2. Why Application Security Matters
    - Perimeter defenses provide limited protection
    - Most host-based defenses are not application-specific
    - Most modern attacks occur at the application layer

    Application Security Dependencies
    - Application-Specific Security
    - Operating System: Shares, Auditing and Logging, Services, Files and Directories, Accounts, Registry
    - Network: Protocols, Ports
    - Security Updates
  • 3. Application Server Best Practices
    - Configure security on the base operating system
    - Apply operating system and application service packs and updates
    - Install or enable only those services and applications that are required
    - Assign only those permissions needed to perform required tasks
      - Application service accounts should be configured with minimal permissions
    - Apply defense-in-depth principles to increase protection

    Exchange Server Security Dependencies
    - Exchange Server Security
    - Active Directory Security
    - IIS Security
    - Client Security
    - Security Updates
    - Operating System: Shares, Auditing and Logging, Services, Files and Directories, Accounts, Registry
    - Network: Protocols, Ports
  • 4. Aspects of Exchange Server Security
    - Securing the Exchange Server computer
    - Securing access to Exchange Server
      - Blocking unauthorized access
    - Securing communications
      - Blocking and encrypting communications
    - Blocking spam
      - Filtering incoming mail
      - Relay restrictions: Don’t aid spammers!
    - Blocking insecure e-mail messages
      - Virus scanning
      - Attachment blocking

    Securing Exchange Servers Using Security Templates
    - Exchange 2000 Server Back-End Servers: Apply baseline security template and the Exchange back-end incremental template
    - Exchange 2000 Server Front-End Servers: Apply baseline security template and the Exchange front-end incremental template
    - Exchange 2000 Server OWA Server: Apply IIS Lockdown, including URLScan
    - Exchange Server 2003 Back-End: Apply protocol security templates
    - Exchange Server 2003 Front-End and OWA Server: IIS 6.0 provides much of the same functionality as URLScan and IIS Lockdown
    - Domain Controllers with Exchange Server: Apply the domain controller baseline template (BaselineDC.inf), and then apply the Exchange DC incremental template
  • 5. Securing Exchange Servers Using Security Configuration Wizard
    - SCW is an additional component with Windows Server 2003 SP1
    - SCW provides guided attack surface reduction for servers running Windows that:
      - Configures servers based on roles
      - Disables unnecessary services
      - Disables unnecessary IIS Web extensions
      - Blocks ports that are not required
    - Run SCW on an Exchange server in a specific role, then import the settings on other servers in the same role
    - To apply SCW settings using GPOs, use the Scwcmd Transform command to create a GPO

    Securing Client Authentication
    - Secure Outlook client authentication
      - Configure Exchange and Outlook 2003 to use RPC over HTTPS
      - Use SPA and SSL to encrypt authentication and messages for Internet protocol clients
    - OWA supports several authentication methods (Authentication Method: Considerations):
      - Basic authentication: Broad client support, but must use SSL for encryption
      - Integrated Windows authentication: Limited client support; issues across firewalls
      - Digest authentication: Limited client support
      - Forms-based authentication: Cookie-based authentication method available with Exchange Server 2003
  • 6. Securing Client Communication
    - Configure RPC encryption
      - Client-side setting
      - Can be enforced with ISA Server 2004
    - Use RPC over HTTPS for remote Outlook 2003 clients
    - Use firewalls like ISA Server to enable secure remote client connections to Exchange Server
    - Require SSL for OWA client connections
    - Use S/MIME for message encryption

    Encrypting Messages by Using S/MIME
    [Diagram: Client 1, SMTP servers, Active Directory domain controller, Client 2]
    1. Create a new message
    2. Locate Client 2’s public key
    3. Shared key is generated and encrypted using recipient’s public key. Message is encrypted with the shared key, and both message and shared key are sent
    4. As message is sent it is encapsulated using S/MIME
    5. Message arrives encrypted
    6. Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message
  • 7. Demonstration 1: Securing Exchange Client Communication
    - Configure Forms-based Authentication
    - Configure RPC over HTTP

    Blocking Spam with Exchange Server 2003
    - Use anti-spam features in Exchange Server 2003
      - Support for real-time block lists
      - Global deny and accept lists
      - Sender and inbound recipient filtering
      - Improved anti-relaying protection
      - Integration with Outlook 2003 and third-party anti-spam products
  • 8. Blocking Spam with Intelligent Message Filter
    [Diagram: mail flow from the Internet through the Exchange Server 2003 gateway server (connection filtering, recipient filtering, sender filtering, safe sender / blocked sender checks, Intelligent Message Filter gateway threshold) to the Exchange Server 2003 back-end server (store threshold), where the message lands in the user mailbox Inbox or Junk folder]

    Demonstration 2: Configuring Exchange Server Spam Protection
    - Configure Real-Time Block List Support
    - Configure Intelligent Message Filter
  • 9. Protecting Against E-mail Viruses
    - Implement a defense-in-depth approach
      - Install an antivirus scanner on the SMTP gateway server
      - Install antivirus software on the Exchange servers
      - Install antivirus software on all clients
    - Ensure that the antivirus software is compatible with Exchange Server
    - Configure Outlook and OWA attachment security

    Top 10 Actions to Secure Exchange Server
    1. Install the latest service packs
    2. Install applicable security updates
    3. Apply the principle of least privilege
    4. Harden the Exchange servers
    5. Secure the e-mail clients
    6. Use a layered antivirus approach
    7. Implement anti-spam measures
    8. Use an application-layer firewall such as ISA Server
    9. Secure Outlook Web Access
    10. Implement a backup strategy
    Use Exchange Best Practices Analyzer to examine the Exchange Server organization based on Microsoft best practices
  • 10. Common Database Server Threats
    [Diagram: Browser → Perimeter Firewall → Web App → Internal Firewall → SQL Server]
    - Web App Vulnerabilities: Overprivileged accounts; Weak input validation; SQL Injection
    - Password Cracking
    - Network Eavesdropping
    - Unauthorized External Access
    - Network Vulnerabilities: Failure to block SQL ports
    - Configuration Vulnerabilities: Overprivileged service account; Weak permissions; No certificate

    Basic Security Configuration
    - Follow a defense-in-depth approach to securing SQL Server
    - Apply service packs and patches
      - Use MBSA to detect missing SQL updates
    - Disable unused services
      - MSSQLSERVER (required)
      - SQLSERVERAGENT
      - MSSQLServerADHelper
      - Microsoft Search
      - Microsoft DTC
  • 11. Database Server Security Categories
    - SQL Server Security: Logins, Users, and Roles; Database Objects; Shares; Auditing and Logging; Patches and Updates
    - Operating System: Shares, Auditing and Logging, Services, Files and Directories, Accounts, Registry
    - Network: Protocols, Ports

    Network Security
    - Restrict SQL to TCP/IP
    - Control who can connect to the server via IPSec policy
    - Enforce Kerberos authentication
    - Harden the TCP/IP stack
    - Restrict ports
      - Block all ports with the exception of the SQL Server port and ports required for authentication
      - Configure IPSec to restrict access to ports 1433 and 1434
  • 12. Operating System Security
    - Configure the SQL Server service account with the lowest possible permissions
      - Service account should not be granted permissions to the Administrators or Users group
    - Delete or disable unused accounts
      - Can be a haven for an attacker who has gained access
      - Audit local accounts/delete those that are not required
    - Secure authentication traffic
      - Configure Windows to require NTLM v2

    Logins, Users, and Roles
    - Use a strong system administrator (sa) password
    - Remove the SQL Server guest user account
    - Remove the BUILTIN\Administrators server login
    - Do not grant permissions for the public role
  • 13. Files, Directories, and Shares
    - Verify permissions:
      - On SQL Server installation directories
      - To ensure that the Everyone group does not have permissions to SQL Server files
      - To ensure that Registry keys are configured with proper ACLs
      - On required shared folders, and remove unnecessary shares
    - Remove passwords that may exist in log files (use KillPwd.exe)
    - Secure or remove tools, utilities, and SDKs

    SQL Server Authentication Best Practices
    - Set authentication to Windows only
      - Credentials are not passed over the network
      - Security is easier to manage
      - Credentials delegation is available
      - Eliminates the need to store passwords on clients
  • 14. SQL Server Auditing
    - Log all failed Windows logon attempts
    - Log successful and failed actions across the file system
    - Enable SQL Server logon auditing
    - Enable SQL Server general auditing

    Securing Database Objects
    - Remove the sample databases
    - Restrict access to stored procedures
      - Create SQL logon
      - Map logon to database user
      - Add database user to user-defined database role, then grant permissions to database role
    - Restrict cmdExec access to the Sysadmin role
  • 15. Using Views and Stored Procedures
    - SQL queries may contain confidential information
      - Names of database components
      - Server names
      - Processing logic
      - Account names or passwords
    - Use stored procedures whenever possible
    - Use views instead of direct table access
    - Implement security best practices for Web-based applications

    Securing Web Applications
    - Validate all data input
    - Secure authentication and authorization
    - Secure sensitive data
    - Use least-privileged process and service accounts
    - Configure auditing and logging
    - Use structured exception handling
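The least-privilege chain from slides 12, 14 and 15 (login, database user, user-defined role, then permissions only on a view and a stored procedure, never on the base table) written out in T-SQL. This is an added example, not code from the deck; the database AppDb, table dbo.Orders, role WebAppRole and the account CONTOSO\WebAppSvc are constructed placeholders, and the syntax assumes SQL Server 2005 or later.

```sql
-- Added example (not from the slide deck): least-privilege database access
-- for a web application. AppDb, dbo.Orders, WebAppRole and CONTOSO\WebAppSvc
-- are constructed placeholders; substitute your own names.

-- 1. Windows-only authentication (slide 13): a login for the application's
--    service account, so no SQL password is stored on the web server.
USE master;
GO
CREATE LOGIN [CONTOSO\WebAppSvc] FROM WINDOWS;
GO

-- Constructed sample database and table so the script runs on a test server.
CREATE DATABASE AppDb;
GO
USE AppDb;
GO
CREATE TABLE dbo.Orders (
    OrderId     INT         NOT NULL PRIMARY KEY,
    CustomerId  INT         NOT NULL,
    OrderDate   DATETIME    NOT NULL,
    TotalAmount MONEY       NOT NULL,
    CardNumber  VARCHAR(19) NOT NULL   -- sensitive column; never exposed below
);
INSERT INTO dbo.Orders VALUES (1, 42, '20050601', 120.00, '4111111111111111');
INSERT INTO dbo.Orders VALUES (2, 42, '20050603',  35.50, '4111111111111111');
INSERT INTO dbo.Orders VALUES (3,  7, '20050604', 999.99, '5500000000000004');
GO

-- 2. Map the login to a database user, then place the user in a
--    user-defined role (slide 14). Permissions will go to the role only.
CREATE USER WebAppSvc FOR LOGIN [CONTOSO\WebAppSvc];
GO
CREATE ROLE WebAppRole;
GO
EXEC sp_addrolemember 'WebAppRole', 'WebAppSvc';
GO

-- 3. A view exposes only the columns the application needs (slide 15):
--    the card number never leaves the base table.
CREATE VIEW dbo.vw_OrderSummary AS
    SELECT OrderId, CustomerId, OrderDate, TotalAmount
    FROM dbo.Orders;
GO

-- 4. A stored procedure with a typed parameter. The query text is fixed, so
--    whatever the caller passes is treated as data, not as SQL, and the
--    table and column names never appear in the application's own queries.
CREATE PROCEDURE dbo.usp_GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, TotalAmount
    FROM dbo.vw_OrderSummary
    WHERE CustomerId = @CustomerId
    ORDER BY OrderDate;
END;
GO

-- 5. Grant to the role, and only on the view and the procedure. Nothing is
--    granted to public (slide 12) and nothing is granted on dbo.Orders.
GRANT SELECT  ON dbo.vw_OrderSummary          TO WebAppRole;
GRANT EXECUTE ON dbo.usp_GetOrdersForCustomer TO WebAppRole;
GO

-- 6. Housekeeping from slide 12: guest cannot connect to this database.
--    Dropping the BUILTIN\Administrators login is left commented out:
--    create another sysadmin login first, or it can lock you out.
REVOKE CONNECT FROM guest;
GO
-- DROP LOGIN [BUILTIN\Administrators];

-- Check as the application account: the procedure call succeeds (orders 1
-- and 2), the direct SELECT on the table is denied.
EXECUTE AS LOGIN = 'CONTOSO\WebAppSvc';
EXEC dbo.usp_GetOrdersForCustomer @CustomerId = 42;
SELECT CardNumber FROM dbo.Orders;   -- error 229: SELECT permission denied
GO
REVERT;
GO
```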
  • 16. SQL Server and Windows Server 2003 SP1
    - Windows Firewall enabled by default on slipstreamed installations
    - No TCP/UDP/Multi-Protocol/Named Pipes port listening is enabled by default for any SQL Server component
    - Shared memory is unaffected; connections on the same machine continue to work against SQL Server/MSDE
    - Getting SQL Server back on the network
      - Create an exception for each instance of SQL Server within Windows Firewall
      - Create an exception for each SQL Server component
      - Define connectivity-specific port that will be used for each SQL Server component and each instance of SQL Server

    SQL Server 2005 Security Features
    - SQL Server 2005 development is based on the processes defined by the Trustworthy Computing Initiative
    - Secure by design: data encryption in the database, multiple proxy accounts, SQL Profiler does not need administrator rights
    - Secure by default: only required services are installed and started, enforced passwords for standard logon
    - Secure in deployment: granular permissions controlled by policies, separation of users and schema
    - Secure communications: Kerberos authentication for clusters, encrypted communication for Analysis server
  • 17. Top 10 Actions to Protect SQL Server
    1. Install the most recent service pack
    2. Run MBSA and update identified security issues
    3. Configure Windows authentication
    4. Isolate the database servers
    5. Check the sa password, and ensure that it is complex
    6. Limit privileges of SQL Server services
    7. Block ports at your firewall
    8. Use NTFS
    9. Remove setup files and sample databases
    10. Audit connections
    Use SQL Server Best Practices Analyzer to examine the SQL Server configuration based on Microsoft best practices

    IIS Lockdown Tool
    - The IIS Lockdown Tool turns off unnecessary features to reduce the attack surface of IIS 4.0, IIS 5.0, and IIS 5.1
    - To provide defense-in-depth, the Lockdown Tool integrates URLScan, which includes customized templates for each supported server role
    - IIS 6.0 is installed with the security settings that previous versions of IIS Lockdown configured; therefore there is no IIS Lockdown for IIS 6.0
  • 18. URLScan
    - URLScan helps prevent potentially harmful requests from reaching the server
    - URLScan restricts the types of HTTP requests that IIS will process:
      - Requests for long URLs
      - Requests using alternate character sets
      - Requests containing disallowed methods
      - Requests matching any pattern
    - IIS 6.0 implements most of the URLScan functions, so URLScan is only required to enable customized content blocking

    Top 10 Actions to Secure IIS 5.x
    1. Harden the operating system and apply all relevant security updates
    2. Remove unnecessary components
    3. Run the IIS Lockdown Tool
    4. Configure URLScan
    5. Place content on a separate NTFS partition
    6. Protect files by using minimal permissions
    7. Require encryption for sensitive Web traffic
    8. Do not enable both the Execute and Write permissions on the same Web site
    9. Run applications using Medium or High application protection
    10. Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the Web server
  • 19. Security Enhancements in IIS 6.0
    - IIS 6.0 is locked down with the strongest time-outs and content limits set by default
    - Feature: Description
      - Locked-down server: IIS 6.0 is not installed by default. A clean install only provides static file support
      - Web service extensions list: The default installation does not compile, execute, or serve files with dynamic content
      - Default low-privilege account: IIS processes run with significantly lowered privileges by logging on using the NETWORK SERVICE account
      - Authorization: URL authentication with Authorization Manager. Constrained, delegated authentication
      - URL checking: Configure time-outs and URL length limits. Checking whether file exists before attempting to run it. No executable virtual directories
      - Process isolation: Improved sandboxing of application. Third-party code runs only in worker processes, resource recycling

    Securing IIS 6.0 Using Security Configuration Wizard
    - When you run SCW on an IIS 6.0 server, you can configure the following settings:
      - Server roles
      - Disable services
      - Enable Windows Firewall and enable port filtering
      - Configure authentication methods
      - Configure audit policy
      - Enable or disable Web Service Extensions
      - Remove legacy virtual directories
      - Block anonymous write access
  • 20. IIS 6.0 Application Pools
    - Application pools are isolated sets of applications and the worker processes that service them
    - If an application fails, it does not affect the availability of applications that are running in other application pools
    - Create separate application pools for applications that do not depend on each other

    Demonstration 3: Securing IIS 6.0
    - Configure application pools
  • 21. Windows Small Business Server Overview
    - Windows Small Business Server 2003 provides a complete server solution for small businesses, including:
      - Providing e-mail, networking, and Internet connectivity
      - Enabling a small business intranet with Microsoft Windows SharePoint Services
      - Enabling remote access
      - Enabling mobile user access
      - Simplified server administration and management

    Windows Small Business Server Security
    - Security issues for small business
      - Lack of security expertise
      - Limited resources for isolating services
      - Limited security monitoring capability
      - Improper use of server resources
    - Windows Small Business Server security risks
      - Many services installed by default
      - Direct connectivity to the Internet
  • 22. Protecting Against External Threats
    - Configure password policies to require complex passwords
    - Configure secure remote access
      - Remote Web Workplace
      - Remote Access
    - Disable all remote access options that you do not require
    - Rename the Administrator account
    - Implement Exchange Server and IIS security best practices
    - Install only required software on the server

    Protecting Against Internal Threats
    - Implement an antivirus solution
    - Implement a backup plan
    - Run MBSA to check for security vulnerabilities
    - Control access permissions
    - Educate users
    - Do not use the server as a workstation
    - Physically secure the server
    - Update the software
  • 23. Session Summary
    - Secure the base operating system on all application servers
    - Secure clients and client connections to Exchange Server
    - Secure SQL Server authentication and database permissions
    - Implement IIS 6.0 to take advantage of its security enhancements
    - Enable only required services in Windows Small Business Server