© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


Implementing Application and Data Security

Sukhjinder S. Lall

Consultant / Trainer

InterQuad Learning Limited


Session Prerequisites

Understanding of networking security essentials

Hands-on experience with Windows® 2000 Server or Windows Server™ 2003

Experience with Windows management tools

Hands-on experience with Exchange Server and SQL Server management tools

Level 300


Introduction

Introduction

Protecting Exchange Server

Protecting SQL Server

Securing Small Business Server

Providing Data Security


Defense in Depth

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Policies, Procedures, & Awareness: User education

Physical Security: Guards, locks, tracking devices

Perimeter: Firewalls, VPN quarantine

Internal Network: Network segments, IPSec, NIDS

Host: OS hardening, update management, authentication, HIDS

Application: Application hardening, antivirus

Data: ACL, encryption


Why Application Security Matters

Perimeter defenses provide limited protection

Many host-based defenses are not application specific

Most modern attacks occur at the application layer


Why Data Security Matters

Secure your data as the last line of defense

Configure file permissions

Configure data encryption
  Protects the confidentiality of information when physical security is compromised


Application Server Best Practices

Configure security on the base operating system

Apply operating system and application service packs and patches

Install or enable only those services that are required

Assign only those permissions needed to perform required tasks

Application accounts should be assigned minimal permissions

Apply defense-in-depth principles to increase protection


Protecting Exchange Server

Introduction

Protecting Exchange Server

Protecting SQL Server

Securing Small Business Server

Providing Data Security


Exchange Security Dependencies

Exchange security is dependent on:
  Operating system security
  Network security
  IIS security (if you use OWA)
  Client security (Outlook)
  Active Directory security

Remember: Defense in Depth


Securing Exchange Servers

Exchange 2000 Back-End Servers
  Apply baseline security template and the Exchange back-end incremental template

Exchange 2000 Front-End Servers
  Apply baseline security template and the Exchange front-end incremental template
  Dismount private and public stores

Exchange 2000 OWA Server
  Apply IIS Lockdown, including URLScan

Exchange 2003 Back-End Server
  Apply protocol security templates

Exchange 2003 Front-End and OWA Server
  IIS Lockdown and URLScan integrated with IIS 6.0
  Use application isolation mode


Aspects of Exchange Server Security

Securing Access to Exchange Server
  Blocking unauthorized access

Securing Communications
  Blocking and encrypting communications

Blocking Spam
  Filtering incoming mail
  Relay restrictions: Don’t aid spammers!

Blocking Insecure E-Mail Messages
  Virus scanning
  Attachment blocking


Configuring Authentication, Part 1

Secure Outlook client authentication

Configure Exchange & Outlook 2003 to use RPC over HTTPS

Configure SPA to encrypt authentication for Internet protocol clients

Remember: Secure authentication does not equal encryption of data


Configuring Authentication, Part 2

OWA supports several authentication methods:

Authentication Method: Considerations

Basic authentication: Insecure, unless you require SSL

Integrated authentication: Limited client support, issues across firewalls

Digest authentication: Limited client support

Forms-based authentication: Ability to customize authentication; wide client support; available with Exchange Server 2003


Securing Communications

Configure RPC encryption
  Client side setting
  Enforcement with ISA Server FP1

Firewall blocking
  Mail server publishing with ISA Server

Configure HTTPS for OWA

Use S/MIME for message encryption

Outlook 2003 Enhancements
  Kerberos authentication
  RPC over HTTPS


Encrypting a Message

Diagram labels: Active Directory Domain Controller, Client 1, Client 2, SMTP VS 1, SMTP VS 2

1. New message

2. Locate Client 2’s public key

3. Message encrypted with a shared key

4. Message sent using S/MIME

5. Message arrives encrypted

6. Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message


Blocking Spam – Exchange 2000

Close open relays!

Protect against address spoofing

Prevent Exchange from resolving recipient names to GAL accounts

Configure reverse DNS lookups


Blocking Spam – Exchange 2003

Use additional features in Exchange Server 2003
  Support for real-time block lists
  Global deny and accept lists
  Sender and inbound recipient filtering
  Improved anti-relaying protection
  Integration with Outlook 2003 and third-party junk mail filtering


Configuring Exchange Spam Protection


Blocking Insecure Messages

Implement antivirus gateways
  Monitor incoming and outgoing messages
  Update signatures often

Configure Outlook attachment security
  Web browser security determines whether attachments can be opened in OWA

Implement ISA Server
  Message Screener can block incoming messages


Using Permissions to Secure Exchange

Delegating permissions
  Creating administrative groups
  Using administrative roles
  Delegating administrative control

Administration models
  Centralized
  Decentralized


Enhancements in Exchange Server 2003

Many secure-by-default settings

More restrictive permissions

New mail transport features

New Internet Connection Wizard

Cross-forest authentication support


Defense in Depth

Diagram areas: Efficiency, Continuity, Security

Diagram labels: Performance Tuning, Exchange System Policies, Capacity Management, Storage Management, Hardware Upgrades, Performance Monitoring, Disaster Recovery, Support, Antivirus, Event Monitoring, Change Management, Security Policies, Firewall Issues, AD Group Membership, UPS, Recovery Testing, Availability Monitoring, Availability Management, Group Policies, Backup


Top Ten Things to Secure Exchange

1. Install the latest service pack

2. Install all applicable security patches

3. Run MBSA

4. Check relay settings

5. Disable or secure well-known accounts

6. Use a layered antivirus approach

7. Use a firewall

8. Evaluate ISA Server

9. Secure OWA

10. Implement a backup strategy


Protecting SQL Server

Introduction

Protecting Exchange Server

Protecting SQL Server

Securing Small Business Server

Providing Data Security


Basic Security Configuration

Apply service packs and patches
  Use MBSA to detect missing SQL updates

Disable unused services
  MSSQLSERVER (required)
  SQLSERVERAGENT
  MSSQLServerADHelper
  Microsoft Search
  Microsoft DTC


Common Database Server Threats and Countermeasures

Diagram labels: Browser, Web App, SQL Server, Perimeter Firewall, Internal Firewall

Threats: Unauthorized External Access; SQL Injection; Network Eavesdropping; Password Cracking

Network Vulnerabilities: Failure to block SQL ports

Configuration Vulnerabilities: Overprivileged service account; Weak permissions; No certificate

Web App Vulnerabilities: Overprivileged accounts; Weak input validation


Database Server Security Categories

Patches and Updates

Operating System: Shares; Services; Accounts; Auditing and Logging; Files and Directories; Registry

Network: Protocols; Ports

SQL Server: SQL Server Security; Database Objects; Logins, Users, and Roles


Network Security

Restrict SQL to TCP/IP

Harden the TCP/IP stack

Restrict ports


Operating System Security

Configure the SQL Server service account with the lowest possible permissions

Delete or disable unused accounts

Secure authentication traffic


Logins, Users, and Roles

Use a strong system administrator (sa) password

Remove the SQL guest user account

Remove the BUILTIN\Administrators server login

Do not grant permissions for the public role


Files, Directories, and Shares

Verify permissions on SQL Server installation directories

Verify that Everyone group does not have permissions to SQL Server files

Secure setup log files

Secure or remove tools, utilities, and SDKs

Remove unnecessary shares

Restrict access to required shares

Secure registry keys with ACLs


SQL Security

Set authentication to Windows only

If you must use SQL Server authentication, ensure that authentication traffic is encrypted


SQL Auditing

Log all failed Windows login attempts

Log successful and failed actions across the file system

Enable SQL Server login auditing

Enable SQL Server general auditing
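
An added example, not part of the original presentation: a read-only T-SQL audit of the settings named on the Logins, Users, and Roles, SQL Security, and SQL Auditing slides. It assumes SQL Server 2008 or later (the sys.* catalog views and PWDCOMPARE) and a login in the sysadmin role; checks 5 and 6 report on the current database only, so run them in each user database.

```sql
-- Added example: read-only checks, nothing here changes configuration.
-- Assumes SQL Server 2008 or later and a sysadmin connection.

-- 1. Authentication mode ("Set authentication to Windows only").
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'OK: Windows authentication only'
         ELSE 'REVIEW: mixed mode, SQL Server logins are accepted'
       END AS authentication_mode;

-- 2. State of the sa login and whether password policy is enforced on it.
--    sa always has SID 0x01, even after a rename.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. SQL Server logins whose password is blank or equal to the login name.
SELECT name,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1
            THEN 'blank password'
            ELSE 'password equals login name'
       END AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 4. BUILTIN\Administrators server login.
--    No row is returned once the login has been removed.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- 5. guest user that can connect to the current database.
--    guest has to stay enabled in master and tempdb; check user databases.
SELECT DB_NAME() AS database_name,
       pr.name   AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'guest'
  AND pe.permission_name = N'CONNECT'
  AND pe.state IN ('G', 'W');          -- GRANT or GRANT WITH GRANT OPTION

-- 6. Permissions granted to the public role on user-created objects
--    in the current database (system objects are filtered out).
SELECT DB_NAME()                AS database_name,
       SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                   AS object_name,
       o.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects              AS o
  ON o.object_id = pe.major_id
WHERE pr.name = N'public'
  AND pe.class = 1                     -- object or column permissions
  AND o.is_ms_shipped = 0
  AND pe.state IN ('G', 'W')
ORDER BY schema_name, object_name, pe.permission_name;

-- 7. Login auditing level as the server reports it
--    (none, success, failure, or all).
EXEC master..xp_loginconfig 'audit level';
```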


Securing Database Objects

Remove the sample databases

Secure stored procedures

Secure extended stored procedures

Restrict cmdExec access to the sysadmin role


Using Views and Stored Procedures

SQL queries may contain confidential information

Use stored procedures whenever possible

Use views instead of direct table access

Implement security best practices for Web-based applications
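
An added example, not part of the original presentation, of the pattern this slide recommends: the application role gets a view and stored procedures instead of the table, and a procedure that builds SQL by concatenation is shown beside its parameterized form. All table, view, procedure and role names are hypothetical, and SQL Server 2008 or later is assumed.

```sql
-- Added example with a constructed schema; every object name is hypothetical.
-- GO is the batch separator used by sqlcmd and Management Studio.

CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(256) NOT NULL,
    CardNumber varchar(19)   NOT NULL      -- confidential column
);
GO

-- The view exposes only the columns the web application needs.
CREATE VIEW dbo.vCustomerDirectory
AS
SELECT CustomerId, Name, Email
FROM dbo.Customers;
GO

-- Static procedure: @Email is bound as data and never parsed as SQL.
CREATE PROCEDURE dbo.usp_FindCustomerByEmail
    @Email nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name, Email
    FROM dbo.vCustomerDirectory
    WHERE Email = @Email;
END;
GO

-- Anti-pattern, kept for comparison: being a stored procedure does not help
-- when the parameter is concatenated into dynamic SQL.
CREATE PROCEDURE dbo.usp_SearchCustomers_Unsafe
    @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.vCustomerDirectory '
      + N'WHERE Name LIKE N''' + @Name + N'%''';
    EXEC (@sql);                           -- @Name becomes part of the statement
END;
GO

-- Corrected form: the statement text is constant and the value is passed
-- to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.usp_SearchCustomers
    @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @pattern nvarchar(101) = @Name + N'%';
    EXEC sys.sp_executesql
         N'SELECT CustomerId, Name, Email
           FROM dbo.vCustomerDirectory
           WHERE Name LIKE @p',
         N'@p nvarchar(101)',
         @p = @pattern;
END;
GO

-- Least privilege: the role can read the view and run the two safe
-- procedures. It has no permission on dbo.Customers; the view and the
-- static procedure reach the table through ownership chaining because
-- all objects share the owner dbo. Dynamic SQL runs with the caller's
-- own permissions, which is why SELECT on the view is granted as well.
CREATE ROLE WebAppReaders;
GRANT SELECT  ON dbo.vCustomerDirectory      TO WebAppReaders;
GRANT EXECUTE ON dbo.usp_FindCustomerByEmail TO WebAppReaders;
GRANT EXECUTE ON dbo.usp_SearchCustomers     TO WebAppReaders;
GO
```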


Securing Web Applications

Validate all data input

Secure authentication and authorization

Secure sensitive data

Use least-privileged process and service accounts

Configure auditing and logging

Use structured exception handling


Top Ten Things to Protect SQL Server

1. Install the most recent service pack

2. Run MBSA

3. Configure Windows authentication

4. Isolate the server and back it up

5. Check the sa password

6. Limit privileges of SQL services

7. Block ports at your firewall

8. Use NTFS

9. Remove setup files and sample databases

10. Audit connections


Securing Small Business Server

Introduction

Protecting Exchange Server

Protecting SQL Server

Securing Small Business Server

Providing Data Security


Recognizing Threats

Small Business Server plays many server roles

External threats
  Small Business Server is often connected to the Internet

Internal threats
  All components of Small Business Server must be secured

Many settings secured by default


Protecting Against External Threats

Configure password policies to require complex passwords

Configure secure remote access
  Remote Web Workplace
  Remote Access

Rename the Administrator account

Implement Exchange and IIS security best practices

Use a firewall


Using a Firewall

Included firewall features:
  ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
  Basic firewall functionality in SBS 2003, Standard Edition

Consider a separate firewall
  SBS 2003 can communicate with an external firewall by using UPnP
  ISA Server can provide application-layer protection

Diagram labels: Internet, Firewall, LAN


Protecting Against Internal Threats

Implement an antivirus solution

Implement a backup plan

Run MBSA

Control access permissions

Educate users

Do not use the server as a workstation

Physically secure the server

Limit user disk space

Update the software


Providing Data Security

Introduction

Protecting Exchange Server

Protecting SQL Server

Securing Small Business Server

Providing Data Security


Role and Limitations of File Permissions

Prevent unauthorized access

Limit administrators

Do not protect against intruders with physical access

Encryption provides additional security


Role and Limitations of EFS

Benefit of EFS encryption
  Ensures privacy of information
  Uses robust public key technology

Danger of encryption
  All access to data is lost if the private key is lost

Private keys on client computers
  Keys are encrypted with derivative of user’s password
  Private keys are only as secure as the password
  Private keys are lost when user profile is lost


EFS Architecture

Diagram labels: User mode, Kernel mode, Applications, Win32 APIs, Crypto API, EFS Service, I/O Manager, EFS.sys, NTFS, Encrypted on-disk data storage


EFS Differences Between Windows Versions

Windows 2000 and newer Windows versions support EFS on NTFS partitions

Windows XP and Windows Server 2003 include new features:
  Additional users can be authorized
  Offline files can be encrypted
  The triple-DES (3DES) encryption algorithm can replace DESX
  A password reset disk can be used
  EFS preserves encryption over WebDAV
  Data recovery agents are recommended
  Usability is enhanced


Implementing EFS: How to Do It Right

Use Group Policy to disable EFS until ready for central implementation

Plan and design policies

Designate recovery agents

Assign certificates

Implement via Group Policy


Configuring EFS


Session Summary

Protecting Applications and Data

Protecting Exchange Server

Protecting SQL Server

Securing Small Business Server

Providing Data Security


Next Steps

1. Stay informed about security
  Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
  Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/

2. Get additional security training
  Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
  Find a local CTEC for hands-on training: http://www.microsoft.com/learning/


For More Information

Microsoft Security Site (all audiences): http://www.microsoft.com/security

TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security

MSDN Security Site (developers): http://msdn.microsoft.com/security
