© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Implementing Application and Data Security
Sukhjinder S. Lall
Consultant / Trainer
InterQuad Learning Limited

Session Prerequisites
Understanding of networking security essentials
Hands-on experience with Windows® 2000 Server or Windows Server™ 2003
Experience with Windows management tools
Hands-on experience with Exchange Server and SQL Server management tools
Level 300

Introduction
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Defense in Depth
Using a layered approach:
  Increases an attacker’s risk of detection
  Reduces an attacker’s chance of success
Layers and example defenses:
  Policies, Procedures, & Awareness: User education
  Physical Security: Guards, locks, tracking devices
  Perimeter: Firewalls, VPN quarantine
  Internal Network: Network segments, IPSec, NIDS
  Host: OS hardening, update management, authentication, HIDS
  Application: Application hardening, antivirus
  Data: ACL, encryption

Why Application Security Matters
Perimeter defenses provide limited protection
Many host-based defenses are not application specific
Most modern attacks occur at the application layer

Why Data Security Matters
Secure your data as the last line of defense
Configure file permissions
Configure data encryption
  Protects the confidentiality of information when physical security is compromised

Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Assign only those permissions needed to perform required tasks
Application accounts should be assigned the minimal permissions
Apply defense-in-depth principles to increase protection

Protecting Exchange Server
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Exchange Security Dependencies
Exchange security is dependent on:
  Operating system security
  Network security
  IIS security (if you use OWA)
  Client security (Outlook)
  Active Directory security
Remember: Defense in Depth

Securing Exchange Servers
Exchange 2000 Back-End Servers
  Apply baseline security template and the Exchange back-end incremental template
Exchange 2000 Front-End Servers
  Apply baseline security template and the Exchange front-end incremental template
  Dismount private and public stores
Exchange 2000 OWA Server
  Apply IIS Lockdown, including URLScan
Exchange 2003 Back-End Server
  Apply protocol security templates
Exchange 2003 Front-End and OWA Server
  IIS Lockdown and URLScan integrated with IIS 6.0
  Use application isolation mode

Aspects of Exchange Server Security
Securing Access to Exchange Server
  Blocking unauthorized access
Securing Communications
  Blocking and encrypting communications
Blocking Spam
  Filtering incoming mail
  Relay restrictions: Don’t aid spammers!
Blocking Insecure E-Mail Messages
  Virus scanning
  Attachment blocking

Configuring Authentication, Part 1
Secure Outlook client authentication
Configure Exchange & Outlook 2003 to use RPC over HTTPS
Configure SPA to encrypt authentication for Internet protocol clients
Remember: Secure authentication does not equal encryption of data

Configuring Authentication, Part 2
OWA supports several authentication methods:
Authentication Method: Considerations
  Basic authentication: Insecure, unless you require SSL
  Integrated authentication: Limited client support, issues across firewalls
  Digest authentication: Limited client support
  Forms-based authentication: Ability to customize authentication; wide client support; available with Exchange Server 2003

Securing Communications
Configure RPC encryption
  Client side setting
  Enforcement with ISA Server FP1
Firewall blocking
  Mail server publishing with ISA Server
Configure HTTPS for OWA
Use S/MIME for message encryption
Outlook 2003 Enhancements
  Kerberos authentication
  RPC over HTTPS

Encrypting a Message
Diagram components: Active Directory Domain Controller, Client 1, Client 2, SMTP VS 1, SMTP VS 2
1. New message
2. Locate Client 2’s public key
3. Message encrypted with a shared key
4. Message sent using S/MIME
5. Message arrives encrypted
6. Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message

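The six steps of the message-encryption flow, worked through as an added example that is not part of the original presentation: a one-time shared key encrypts the message, and only that key is encrypted with the recipient's public key. It uses Node.js's built-in crypto module with RSA-OAEP and AES-256-GCM rather than the CMS format real S/MIME uses; the `directory` map, the function names and the addresses are hypothetical stand-ins for the Active Directory lookup and the two clients.

```javascript
// Added illustration of steps 1-6; not an S/MIME (CMS) implementation.
const crypto = require('node:crypto');

// Hypothetical stand-in for the directory that publishes each user's public key.
const directory = new Map();
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Create a key pair, publish the public half, hand the private half to the user.
function enrollUser(address) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  directory.set(address, publicKey);
  return privateKey;
}

// Steps 1-4: sender side.
function encryptFor(recipient, message) {
  const recipientKey = directory.get(recipient);           // step 2: locate public key
  if (!recipientKey) throw new Error(`no public key published for ${recipient}`);
  const sharedKey = crypto.randomBytes(32);                // step 3: fresh key per message
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sharedKey, iv);
  const body = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Only the holder of the recipient's private key can recover the shared key.
  const wrappedKey = crypto.publicEncrypt({ key: recipientKey, ...OAEP }, sharedKey);
  return { recipient, wrappedKey, iv, tag, body };         // step 4: what is sent
}

// Steps 5-6: recipient side.
function decryptWith(privateKey, envelope) {
  const sharedKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sharedKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  // final() throws if the body or tag was altered in transit.
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString('utf8');
}

// Returns null instead of throwing, for callers that only need success or failure.
function tryDecrypt(privateKey, envelope) {
  try { return decryptWith(privateKey, envelope); } catch { return null; }
}

// Constructed demo: Client 1 sends to Client 2.
const demoKey = enrollUser('client2@example.test');
const demoEnvelope = encryptFor('client2@example.test', 'Constructed sample message');
console.log(tryDecrypt(demoKey, demoEnvelope));
```

The private key never leaves the recipient, which is why the later slides on EFS stress that losing it means losing access to the data.
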
Blocking Spam – Exchange 2000
Close open relays!
Protect against address spoofing
Prevent Exchange from resolving recipient names to GAL accounts
Configure reverse DNS lookups

Blocking Spam – Exchange 2003
Use additional features in Exchange Server 2003
  Support for real-time block lists
  Global deny and accept lists
  Sender and inbound recipient filtering
  Improved anti-relaying protection
  Integration with Outlook 2003 and third-party junk mail filtering

Configuring Exchange Spam Protection

Blocking Insecure Messages
Implement antivirus gateways
  Monitor incoming and outgoing messages
  Update signatures often
Configure Outlook attachment security
  Web browser security determines whether attachments can be opened in OWA
Implement ISA Server
  Message Screener can block incoming messages

Using Permissions to Secure Exchange
Delegating permissions
  Creating administrative groups
  Using administrative roles
  Delegating administrative control
Administration models
  Centralized
  Decentralized

Enhancements in Exchange Server 2003
Many secure-by-default settings
More restrictive permissions
New mail transport features
New Internet Connection Wizard
Cross-forest authentication support

Defense in Depth
[Diagram: Efficiency, Continuity and Security, with the items Performance Tuning, Exchange System Policies, Capacity Management, Storage Management, Hardware Upgrades, Performance Monitoring, Disaster Recovery, Support, Antivirus, Event Monitoring, Change Management, Security Policies, Firewall Issues, AD Group Membership, UPS, Recovery Testing, Availability Monitoring, Availability Management, Group Policies, Backup]

Top Ten Things to Secure Exchange
1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy

Protecting SQL Server
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Basic Security Configuration
Apply service packs and patches
  Use MBSA to detect missing SQL updates
Disable unused services
  MSSQLSERVER (required)
  SQLSERVERAGENT
  MSSQLServerADHelper
  Microsoft Search
  Microsoft DTC

Common Database Server Threats and Countermeasures
Diagram components: Browser, Web App, Perimeter Firewall, Internal Firewall, SQL Server
Threats:
  Unauthorized External Access
  SQL Injection
  Network Eavesdropping
  Password Cracking
Network Vulnerabilities
  Failure to block SQL ports
Configuration Vulnerabilities
  Overprivileged service account
  Weak permissions
  No certificate
Web App Vulnerabilities
  Overprivileged accounts
  Weak input validation

Database Server Security Categories
Patches and Updates
Operating System
  Shares
  Services
  Accounts
  Auditing and Logging
  Files and Directories
  Registry
Network
  Protocols
  Ports
SQL Server
  SQL Server Security
  Database Objects
  Logins, Users, and Roles

Network Security
Restrict SQL to TCP/IP
Harden the TCP/IP stack
Restrict ports

Operating System Security
Configure the SQL Server service account with the lowest possible permissions
Delete or disable unused accounts
Secure authentication traffic

Logins, Users, and Roles
Use a strong system administrator (sa) password
Remove the SQL guest user account
Remove the BUILTIN\Administrators server login
Do not grant permissions for the public role

Files, Directories, and Shares
Verify permissions on SQL Server installation directories
Verify that Everyone group does not have permissions to SQL Server files
Secure setup log files
Secure or remove tools, utilities, and SDKs
Remove unnecessary shares
Restrict access to required shares
Secure registry keys with ACLs

SQL Security
Set authentication to Windows only
If you must use SQL Server authentication, ensure that authentication traffic is encrypted

SQL Auditing
Log all failed Windows login attempts
Log successful and failed actions across the file system
Enable SQL Server login auditing
Enable SQL Server general auditing

Securing Database Objects
Remove the sample databases
Secure stored procedures
Secure extended stored procedures
Restrict cmdExec access to the sysadmin role

Using Views and Stored Procedures
SQL queries may contain confidential information
Use stored procedures whenever possible
Use views instead of direct table access
Implement security best practices for Web-based applications

Securing Web Applications
Validate all data input
Secure authentication and authorization
Secure sensitive data
Use least-privileged process and service accounts
Configure auditing and logging
Use structured exception handling

Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections

Securing Small Business Server
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Recognizing Threats
Small Business Server plays many server roles
External threats
  Small Business Server is often connected to the Internet
Internal threats
  All components of Small Business Server must be secured
Many settings secured by default

Protecting Against External Threats
Configure password policies to require complex passwords
Configure secure remote access
  Remote Web Workplace
  Remote Access
Rename the Administrator account
Implement Exchange and IIS security best practices
Use a firewall

Using a Firewall
Included firewall features:
  ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
  Basic firewall functionality in SBS 2003, Standard Edition
Consider a separate firewall
  SBS 2003 can communicate with an external firewall by using UPnP
  ISA Server can provide application-layer protection
[Diagram: Internet, Firewall, LAN]

Protecting Against Internal Threats
Implement an antivirus solution
Implement a backup plan
Run MBSA
Control access permissions
Educate users
Do not use the server as a workstation
Physically secure the server
Limit user disk space
Update the software

Providing Data Security
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Role and Limitations of File Permissions
Prevent unauthorized access
Limit administrators
Do not protect against intruders with physical access
Encryption provides additional security

Role and Limitations of EFS
Benefit of EFS encryption
  Ensures privacy of information
  Uses robust public key technology
Danger of encryption
  All access to data is lost if the private key is lost
Private keys on client computers
  Keys are encrypted with derivative of user’s password
  Private keys are only as secure as the password
  Private keys are lost when user profile is lost

EFS Architecture
[Diagram: user mode and kernel mode components: Applications, Win32 APIs, EFS Service, Crypto API, I/O Manager, EFS.sys, NTFS, encrypted on-disk data storage]

EFS Differences Between Windows Versions
Windows 2000 and newer Windows versions support EFS on NTFS partitions
Windows XP and Windows Server 2003 include new features:
  Additional users can be authorized
  Offline files can be encrypted
  The triple-DES (3DES) encryption algorithm can replace DESX
  A password reset disk can be used
  EFS preserves encryption over WebDAV
  Data recovery agents are recommended
  Usability is enhanced

Implementing EFS: How to Do It Right
Use Group Policy to disable EFS until ready for central implementation
Plan and design policies
Designate recovery agents
Assign certificates
Implement via Group Policy

Configuring EFS

Session Summary
Protecting Applications and Data
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Next Steps
1. Stay informed about security
  Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
  Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
  Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
  Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

For More Information
Microsoft Security Site (all audiences): http://www.microsoft.com/security
TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security
MSDN Security Site (developers): http://msdn.microsoft.com/security