Implementing Application and Data Security
Presenter Name
Job Title
Company

Session Prerequisites
  Understanding of network security essentials
  Hands-on experience with Windows 2000 Server or Windows Server 2003
  Experience with Windows management tools
  Hands-on experience with Exchange Server and SQL Server management tools
Level 300
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Defense in Depth
Using a layered approach:
  Increases an attacker's risk of detection
  Reduces an attacker's chance of success

(Figure, reconstructed as a table: one row per layer, with the controls the slide places on it)
  Layer                               Controls
  Policies, Procedures, & Awareness   User education
  Physical Security                   Guards, locks, tracking devices
  Perimeter                           Firewalls, VPN quarantine
  Internal Network                    Network segments, IPSec, NIDS
  Host                                OS hardening, update management, authentication, HIDS
  Application                         Application hardening, antivirus
  Data                                ACL, encryption
Why Application Security Matters
  Perimeter defenses provide limited protection
  Many host-based defenses are not application specific
  Most modern attacks occur at the application layer
Why Data Security Matters
  Secure your data as the last line of defense
    Configure file permissions
    Configure data encryption
      Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
  Configure security on the base operating system
  Apply operating system and application service packs and patches
  Install or enable only those services that are required
  Assign application accounts the minimum permissions they need
  Apply defense-in-depth principles to increase protection
  Assign only those permissions needed to perform required tasks
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Exchange Security Dependencies
Exchange security is dependent on:
  Operating system security
  Network security
  IIS security (if you use OWA)
  Client security (Outlook)
  Active Directory security
Remember: Defense in Depth
Securing Exchange Servers
  Exchange 2000 back-end servers
    Apply the baseline security template and the Exchange back-end incremental template
  Exchange 2000 front-end servers
    Apply the baseline security template and the Exchange front-end incremental template
    Dismount the private and public stores
  Exchange 2000 OWA server
    Apply IIS Lockdown, including URLScan
  Exchange 2003 back-end server
    Apply protocol security templates
  Exchange 2003 front-end and OWA server
    IIS Lockdown and URLScan functionality is integrated into IIS 6.0
    Use application isolation mode
Aspects of Exchange Server Security
  Securing access to Exchange Server
    Blocking unauthorized access
  Securing communications
    Blocking and encrypting communications
  Blocking spam
    Filtering incoming mail
    Relay restrictions: don't aid spammers!
  Blocking insecure e-mail messages
    Virus scanning
    Attachment blocking
Configuring Authentication, Part 1
  Secure Outlook client authentication
    Configure Exchange and Outlook 2003 to use RPC over HTTPS
    Configure SPA (Secure Password Authentication) to protect authentication for Internet protocol clients
  Remember: secure authentication does not equal encryption of data
Configuring Authentication, Part 2
OWA supports several authentication methods:

  Authentication method        Considerations
  Basic authentication         Insecure unless you require SSL (credentials are only base64-encoded on the wire)
  Integrated authentication    Limited client support; issues across firewalls
  Digest authentication        Limited client support
  Forms-based authentication   Ability to customize authentication; wide client support; available with Exchange Server 2003
Securing Communications
  Configure RPC encryption
    Client-side setting
    Enforcement with ISA Server Feature Pack 1
  Firewall blocking
    Mail server publishing with ISA Server
  Configure HTTPS for OWA
  Use S/MIME for message encryption
  Outlook 2003 enhancements
    Kerberos authentication
    RPC over HTTPS
Encrypting a Message
(Figure, reconstructed as a step list. Components shown: Client 1 (sender), Client 2 (recipient), an Active Directory domain controller, and SMTP virtual servers VS1 and VS2.)
  1. Client 1 composes a new message.
  2. Client 1 locates Client 2's public key (published in Active Directory).
  3. The message is encrypted with a shared key; that shared key is itself protected with Client 2's public key.
  4. The message is sent using S/MIME, through SMTP VS1 and SMTP VS2.
  5. The message arrives encrypted.
  6. Client 2's private key is used to decrypt the shared key, and the shared key is used to decrypt the message.
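Steps 3 and 6 of the figure are the hybrid scheme S/MIME uses: a fresh symmetric key encrypts the body, and only that key is wrapped with the recipient's public key. The following is an added example, not code from the original deck; it performs the same exchange locally with the CMS EnvelopedData cmdlets that ship in Windows PowerShell 5.1 on Windows 10 / Server 2016 or later. The "Client 2" certificate is a throwaway self-signed one minted in the current user's store (in the deck's scenario the public certificate would be fetched from Active Directory), and the message text is constructed for the demo.

```powershell
# Added example: S/MIME-style hybrid encryption of a message with CMS EnvelopedData.
# Assumes Windows PowerShell 5.1 on Windows 10 / Server 2016+ (New-SelfSignedCertificate with
# -Type DocumentEncryptionCert, Protect-CmsMessage). Certificate subject and message are constructed.

# Step 2 equivalent: obtain the recipient's public-key certificate. Here: a throwaway self-signed
# certificate whose private key stays in the current user's store.
$client2 = New-SelfSignedCertificate -Subject 'CN=Client 2 (demo)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Type DocumentEncryptionCert -KeyLength 2048 `
    -NotAfter (Get-Date).AddDays(1)

# Steps 1, 3, 4: new message -> a fresh symmetric content-encryption key encrypts the body,
# and that key is wrapped with Client 2's public key. The PEM block is what travels in the mail.
$plaintext = 'Quarterly numbers attached. Do not forward.'
$envelope  = Protect-CmsMessage -To $client2 -Content $plaintext

# What the SMTP virtual servers (and any eavesdropper) see: ciphertext plus recipient metadata.
$info = Get-CmsMessage -Content $envelope
"Content-encryption algorithm : $($info.ContentEncryptionAlgorithm.Oid.FriendlyName)"
"Recipients (wrapped keys)    : $($info.RecipientInfos.Count)"
"Envelope contains plaintext? : $($envelope -match [regex]::Escape($plaintext))"

# Step 6: Client 2's private key unwraps the symmetric key, which then decrypts the body.
$recovered = Unprotect-CmsMessage -Content $envelope
"Decrypted                    : $recovered"

# Only the holder of the private key can do that. Delete the key and the same envelope is opaque.
Remove-Item "Cert:\CurrentUser\My\$($client2.Thumbprint)" -DeleteKey
try   { Unprotect-CmsMessage -Content $envelope -ErrorAction Stop | Out-Null; 'Unexpected: decrypted without the key' }
catch { "Without the private key: $($_.Exception.Message)" }
```

The last block is the point of the slide: the SMTP servers relay the envelope but cannot read it, and neither can an administrator of the mailbox store; losing Client 2's private key has the same effect for Client 2, which is why key recovery has to be planned alongside S/MIME.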
Demonstration 1: Securing Exchange
  Configuring forms-based authentication
  Configuring RPC encryption
  Using ISA Server to publish Exchange
Blocking Spam, Exchange 2000
  Close open relays!
  Protect against address spoofing
    Do not let Exchange resolve anonymous (unauthenticated) senders to GAL accounts; otherwise a spoofed internal address is displayed as if it came from the real user
  Configure reverse DNS lookups
Blocking Spam, Exchange 2003
  Use the additional features in Exchange Server 2003:
    Support for real-time block lists
    Global deny and accept lists
    Sender and inbound recipient filtering
    Improved anti-relaying protection
    Integration with Outlook 2003 and third-party junk mail filtering
Demonstration 2: Configuring Exchange Spam Protection
  Anti-relay protection
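"Close open relays" is a configuration change, but the proof is an external test: connect to port 25 as an anonymous client and ask the server to accept mail from one foreign domain to another. The script below is an added example, not part of the original deck, written for Windows PowerShell 5.1 or PowerShell 7 using .NET's TcpClient. The host name and the two addresses are placeholders; the sender and recipient must both be in domains the server is not authoritative for, and you must be authorised to probe the target.

```powershell
# Added example: probe an SMTP server for open relay (anonymous MAIL FROM / RCPT TO to foreign domains).
# Assumptions: PowerShell 5.1 or 7; the server name and addresses below are placeholders for the demo.
function Test-SmtpOpenRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'probe@sender.example',       # assumed: not a local domain
        [string]$To   = 'victim@recipient.example',   # assumed: not a local domain
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $transcript = New-Object System.Collections.Generic.List[string]

    # Read one SMTP reply (following "250-..." continuation lines) and return its 3-digit code.
    function Read-Reply {
        do { $line = $reader.ReadLine(); $transcript.Add("S: $line") } while ($line -match '^\d{3}-')
        return [int]$line.Substring(0, 3)
    }
    function Send-Cmd([string]$cmd) { $transcript.Add("C: $cmd"); $writer.WriteLine($cmd); Read-Reply }

    try {
        $null     = Read-Reply                        # banner
        $null     = Send-Cmd "EHLO relaytest.example"
        $mailCode = Send-Cmd "MAIL FROM:<$From>"
        $rcptCode = Send-Cmd "RCPT TO:<$To>"          # a closed relay rejects here (Exchange: 550 5.7.1 Unable to relay)
        $null     = Send-Cmd "RSET"                   # never send an actual message
        $null     = Send-Cmd "QUIT"
    } finally { $client.Close() }

    [pscustomobject]@{
        Server     = $Server
        OpenRelay  = ($mailCode -eq 250 -and $rcptCode -ge 200 -and $rcptCode -lt 300)
        MailReply  = $mailCode
        RcptReply  = $rcptCode
        Transcript = $transcript
    }
}

# Usage (placeholder host name):
# Test-SmtpOpenRelay -Server mail.contoso.example | Format-List
```

Run it from outside the network as well as inside: the relay restrictions in the demonstration above are evaluated per connection, so a server that refuses relaying from the Internet may still accept it from an internal subnet that is allowed to relay, which is exactly where a compromised workstation would be sending from.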
Blocking Insecure Messages
  Implement antivirus gateways
    Monitor incoming and outgoing messages
    Update signatures often
  Configure Outlook attachment security
    Web browser security determines whether attachments can be opened in OWA
  Implement ISA Server
    Message Screener can block incoming messages
Using Permissions to Secure Exchange
  Administration models
    Centralized
    Decentralized
  Delegating permissions
    Creating administrative groups
    Using administrative roles
    Delegating administrative control

Enhancements in Exchange Server 2003
  Many secure-by-default settings
  More restrictive permissions
  New mail transport features
  New Internet Connection Wizard
  Cross-forest authentication support
Defense in Depth
(Figure: Exchange operations grouped under Efficiency, Continuity and Security; the exact grouping is not recoverable from the text. Items shown: Performance Tuning, Exchange System Policies, Capacity Management, Storage Management, Hardware Upgrades, Performance Monitoring, Disaster Recovery, Support, Antivirus, Event Monitoring, Change Management, Security Policies, Firewall Issues, AD Group Membership, UPS, Recovery Testing, Availability Monitoring, Availability Management, Group Policies, Backup.)
Top Ten Things to Secure Exchange
  1. Install the latest service pack
  2. Install all applicable security patches
  3. Run MBSA
  4. Check relay settings
  5. Disable or secure well-known accounts
  6. Use a layered antivirus approach
  7. Use a firewall
  8. Evaluate ISA Server
  9. Secure OWA
  10. Implement a backup strategy
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Basic Security Configuration
  Apply service packs and patches
    Use MBSA to detect missing SQL updates
  Disable unused services
    MSSQLSERVER (required)
    SQLSERVERAGENT
    MSSQLServerADHelper
    Microsoft Search
    Microsoft DTC
Common Database Server Threats and Countermeasures
(Figure, reconstructed. Topology: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server.)
  Threats: unauthorized external access; SQL injection; password cracking; network eavesdropping
  Network vulnerabilities: failure to block SQL ports
  Configuration vulnerabilities: overprivileged service account; weak permissions; no certificate
  Web app vulnerabilities: overprivileged accounts; weak input validation
Database Server Security Categories
(Figure, reconstructed. Three layers, Network, Operating System and SQL Server, with Patches and Updates spanning all of them.)
  Network: Protocols; Ports
  Operating System: Shares; Services; Accounts; Auditing and Logging; Files and Directories; Registry
  SQL Server: SQL Server Security; Logins, Users, and Roles; Database Objects
Network Security
  Restrict SQL to TCP/IP
  Harden the TCP/IP stack
  Restrict ports
Operating System Security
  Configure the SQL Server service account with the lowest possible permissions
  Delete or disable unused accounts
  Secure authentication traffic
Logins, Users, and Roles
  Use a strong system administrator (sa) password
  Remove the SQL guest user account
  Remove the BUILTIN\Administrators server login
  Do not grant permissions to the public role
Files, Directories, and Shares
  Verify permissions on SQL Server installation directories
  Verify that the Everyone group does not have permissions to SQL Server files
  Secure setup log files
  Secure or remove tools, utilities, and SDKs
  Remove unnecessary shares
  Restrict access to required shares
  Secure registry keys with ACLs
SQL Security
  Set authentication to Windows only
  If you must use SQL Server authentication, ensure that authentication traffic is encrypted
SQL Auditing
  Log all failed Windows login attempts
  Log successful and failed actions across the file system
  Enable SQL Server login auditing
  Enable SQL Server general auditing
Securing Database Objects
  Remove the sample databases
  Secure stored procedures
  Secure extended stored procedures
  Restrict CmdExec access to the sysadmin role
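The preceding slides (Logins, Users, and Roles; SQL Security; SQL Auditing; Securing Database Objects) are a checklist, and a checklist is only useful if it can be re-run. The script below is an added example, not from the original deck, that reads each setting through the catalog views and reports PASS/FAIL with the T-SQL that would fix it; it changes nothing. It assumes SQL Server 2008 or later (sys.sql_logins, sys.server_principals, PWDCOMPARE), Windows PowerShell 5.1 or 7 with System.Data.SqlClient, and that you connect with a Windows login in the sysadmin role (password hashes and the registry are not readable otherwise). xp_instance_regread is an undocumented procedure; the AuditLevel value it returns is the one "login auditing" writes (0 none, 1 successful logins, 2 failed logins, 3 both). The instance name is a placeholder.

```powershell
# Added example: read-only audit of one SQL Server instance against the deck's checklist.
# Assumptions: SQL Server 2008+, PowerShell 5.1/7, sysadmin Windows login; $Instance is a placeholder.
param([string]$Instance = 'localhost')

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True"
$conn.Open()

function Invoke-Scalar([string]$sql) {          # first column of the first row
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql
    return $cmd.ExecuteScalar()
}
function Invoke-Column([string]$sql) {          # first column of every row
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql
    $r = $cmd.ExecuteReader()
    try { while ($r.Read()) { $r.GetValue(0) } } finally { $r.Close() }
}
$findings = New-Object System.Collections.Generic.List[string]
function Check([string]$name, [bool]$ok, [string]$fix) {
    if ($ok) { $findings.Add("PASS  $name") } else { $findings.Add("FAIL  $name`n      fix: $fix") }
}

# Set authentication to Windows only
Check 'Windows-only authentication' `
    ((Invoke-Scalar "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)") -eq 1) `
    'Server properties > Security > Windows Authentication mode, then restart the service'

# Use a strong sa password: PWDCOMPARE tests a candidate (here the empty string) against the stored hash
$saBlank = Invoke-Scalar "SELECT COUNT(*) FROM sys.sql_logins WHERE name = 'sa' AND is_disabled = 0 AND PWDCOMPARE('', password_hash) = 1"
Check 'sa is disabled or has a non-blank password' ($saBlank -eq 0) "ALTER LOGIN sa WITH PASSWORD = '<strong>'; ALTER LOGIN sa DISABLE"

# Remove the BUILTIN\Administrators server login
$bAdmins = Invoke-Scalar "SELECT COUNT(*) FROM sys.server_principals WHERE name = 'BUILTIN\Administrators'"
Check 'BUILTIN\Administrators login removed' ($bAdmins -eq 0) 'DROP LOGIN [BUILTIN\Administrators]'

# Remove the guest user: guest must keep CONNECT in master, tempdb and msdb, and nowhere else
$guestDbs = foreach ($db in Invoke-Column "SELECT name FROM sys.databases WHERE state = 0 AND name NOT IN ('master','tempdb','msdb')") {
    $q = '[' + $db.Replace(']', ']]') + ']'
    $n = Invoke-Scalar "SELECT COUNT(*) FROM $q.sys.database_permissions p JOIN $q.sys.database_principals u ON u.principal_id = p.grantee_principal_id WHERE u.name = 'guest' AND p.permission_name = 'CONNECT' AND p.state IN ('G','W')"
    if ($n -gt 0) { $db }
}
Check 'guest has no CONNECT in user databases' (-not $guestDbs) "in each listed database: REVOKE CONNECT FROM guest   ($($guestDbs -join ', '))"

# Secure extended stored procedures: xp_cmdshell off, and never executable by public
$xpOn     = Invoke-Scalar "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell'"
$xpPublic = Invoke-Scalar "SELECT COUNT(*) FROM master.sys.database_permissions p JOIN master.sys.database_principals u ON u.principal_id = p.grantee_principal_id WHERE u.name = 'public' AND p.major_id = OBJECT_ID('master.sys.xp_cmdshell') AND p.permission_name = 'EXECUTE' AND p.state IN ('G','W')"
Check 'xp_cmdshell disabled'              ($xpOn -eq 0)     "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE"
Check 'public cannot execute xp_cmdshell' ($xpPublic -eq 0) 'USE master; REVOKE EXECUTE ON sys.xp_cmdshell FROM public'

# Enable SQL Server login auditing (failed logins at minimum)
$audit = Invoke-Scalar @"
DECLARE @t TABLE (Value sysname, Data int);
INSERT @t EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel';
SELECT ISNULL(MAX(Data), 0) FROM @t;
"@
Check 'failed logins are audited' ($audit -ge 2) 'Server properties > Security > Login auditing: Failed logins only (or Both failed and successful)'

# Remove the sample databases
$samples = @(Invoke-Column "SELECT name FROM sys.databases WHERE name IN ('pubs','Northwind') OR name LIKE 'AdventureWorks%'")
Check 'no sample databases' ($samples.Count -eq 0) "DROP DATABASE [$($samples -join '], [')]"

$conn.Close()
$findings
```

Run it after every service pack and as part of change control: several of these settings (guest access, public grants on extended procedures) tend to drift back through application installers, and a recurring read-only check catches that without anyone having to remember the slide.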
Using Views and Stored Procedures
  SQL queries may contain confidential information
  Use stored procedures whenever possible
  Use views instead of direct table access
  Implement security best practices for Web-based applications
Securing Web Applications
  Validate all data input
  Secure authentication and authorization
  Secure sensitive data
  Use least-privileged process and service accounts
  Configure auditing and logging
  Use structured exception handling
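"Validate all data input" and the SQL injection threat in the earlier figure come down to one rule for database access: query text and user data must never be mixed in the same string. The following added example (not from the deck) shows the vulnerable pattern beside the parameterised one, using the same System.Data.SqlClient classes an ASP.NET application of the period would use, plus an allow-list validator as the independent first layer. It builds the commands without opening a connection, so it runs on any machine with Windows PowerShell 5.1 or PowerShell 7; the table and column names are placeholders, and the hostile input is constructed for the demo.

```powershell
# Added example: SQL injection, vulnerable string concatenation vs. a parameterised SqlCommand.
# Assumptions: PowerShell 5.1/7 with System.Data.SqlClient; dbo.Users/UserName/UserId/Email are placeholders.
$hostile = "x' OR 1=1 --"   # constructed attacker input for a "user name" field

# BEFORE: the value is pasted into the statement. The quote closes the literal and the
# comment marker discards the rest of the WHERE clause, so the query returns every row.
function New-LookupCommandVulnerable([string]$userName) {
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = "SELECT UserId, Email FROM dbo.Users WHERE UserName = '$userName'"
    return $cmd
}

# AFTER: the statement text is constant; the value is shipped to the server as a typed
# parameter and is never parsed as SQL, whatever characters it contains.
function New-LookupCommandSafe([string]$userName) {
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = 'SELECT UserId, Email FROM dbo.Users WHERE UserName = @UserName'
    $p = $cmd.Parameters.Add('@UserName', [System.Data.SqlDbType]::NVarChar, 64)
    $p.Value = $userName
    return $cmd
}

# Validation is a separate layer, applied before the database is involved at all:
# an allow-list of characters and a length bound that matches the column.
function Test-ValidUserName([string]$userName) {
    return $userName -match '^[A-Za-z0-9._-]{1,64}$'
}

# Optional execution against a real server (connection string supplied by the caller).
function Invoke-Lookup([System.Data.SqlClient.SqlCommand]$cmd, [string]$connectionString) {
    $cmd.Connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $cmd.Connection.Open()
    try {
        $r = $cmd.ExecuteReader()
        while ($r.Read()) { [pscustomobject]@{ UserId = $r['UserId']; Email = $r['Email'] } }
    } finally { $cmd.Connection.Close() }
}

# Compare what reaches the parser in each case.
'Vulnerable statement as sent to the server:'
(New-LookupCommandVulnerable $hostile).CommandText

$safe = New-LookupCommandSafe $hostile
'Parameterised statement as sent to the server:'
$safe.CommandText
'Parameter value (data, not SQL):'
$safe.Parameters['@UserName'].Value

"Validator accepts hostile input : $(Test-ValidUserName $hostile)"
"Validator accepts 'alice.smith' : $(Test-ValidUserName 'alice.smith')"
```

Note that the validator alone is not the fix: a legitimate-looking name such as O'Brien would be rejected by this allow-list yet would break the concatenated query if the list were loosened to admit it. Parameterisation makes the statement correct for every input; validation then narrows what the application is willing to process at all.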
Top Ten Things to Protect SQL Server
  1. Install the most recent service pack
  2. Run MBSA
  3. Configure Windows authentication
  4. Isolate the server and back it up
  5. Check the sa password
  6. Limit privileges of SQL services
  7. Block ports at your firewall
  8. Use NTFS
  9. Remove setup files and sample databases
  10. Audit connections
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Recognizing Threats
  Small Business Server plays many server roles
  External threats
    Small Business Server is often connected to the Internet
  Internal threats
    All components of Small Business Server must be secured
  Many settings are secured by default
Protecting Against External Threats
  Configure password policies to require complex passwords
  Configure secure remote access
    Remote Web Workplace
    Remote Access
  Rename the Administrator account
  Implement Exchange and IIS security best practices
  Use a firewall
Using a Firewall
  Included firewall features:
    ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
    Basic firewall functionality in SBS 2003, Standard Edition
  Consider a separate firewall
    SBS 2003 can communicate with an external firewall by using UPnP
    ISA Server can provide application-layer protection
(Figure: Internet <-> firewall <-> LAN)
Protecting Against Internal Threats
  Implement an antivirus solution
  Implement a backup plan
  Run MBSA
  Control access permissions
  Educate users
  Do not use the server as a workstation
  Physically secure the server
  Limit user disk space
  Update the software
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Role and Limitations of File Permissions
  Prevent unauthorized access
  Limit administrators
  Do not protect against intruders with physical access
  Encryption provides additional security
Role and Limitations of EFS
  Benefit of EFS encryption
    Ensures privacy of information
    Uses robust public key technology
  Danger of encryption
    All access to data is lost if the private key is lost
  Private keys on client computers
    Keys are encrypted with a derivative of the user's password
    Private keys are only as secure as the password
    Private keys are lost when the user profile is lost
EFS Architecture
(Figure, reconstructed)
  User mode: Applications -> Win32 APIs; EFS Service; Crypto API
  Kernel mode: I/O Manager -> NTFS -> EFS.sys
  Encrypted on-disk data storage
EFS Differences Between Windows Versions
  Windows 2000 and newer Windows versions support EFS on NTFS partitions
  Windows XP and Windows Server 2003 include new features:
    Additional users can be authorized
    Offline files can be encrypted
    The triple-DES (3DES) encryption algorithm can replace DESX
    A password reset disk can be used
    EFS preserves encryption over WebDAV
    Data recovery agents are recommended
    Usability is enhanced
Implementing EFS: How to Do It Right
  Use Group Policy to disable EFS until ready for central implementation
  Plan and design policies
  Designate recovery agents
  Assign certificates
  Implement via Group Policy
Demonstration 3: Configuring EFS
  Configuring data recovery agents
  Encrypting files
  Decrypting files
  Viewing EFS info
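The rollout steps on the previous slide and the demonstration here map onto a handful of commands. The script below is an added example, not part of the original deck, that walks them in order on one machine: check whether policy has disabled EFS, generate a recovery agent certificate, encrypt a folder, verify who can decrypt a file, and back up the user's own EFS key (the "private keys are lost when the user profile is lost" point). It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later with NTFS, cipher.exe's /r, /e /s and /c switches, and the PKI module's Export-PfxCertificate; the paths are placeholders. Run it as the user who will own the data, elevated for the recovery-agent step.

```powershell
# Added example: EFS rollout checks and operations with cipher.exe and the certificate store.
# Assumptions: Windows PowerShell 5.1, Windows 10 / Server 2016+, NTFS volume; paths are placeholders.
$dataDir = Join-Path $env:USERPROFILE 'Confidential'       # placeholder data location
$raBase  = Join-Path $env:USERPROFILE 'EFS-RecoveryAgent'  # cipher /r appends .cer and .pfx

# 0. Has Group Policy disabled EFS on this machine? The "disable EFS until ready" policy
#    writes EfsConfiguration = 1 under the EFS key; absent or 0 means EFS is available.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$cfg = (Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
"EFS disabled by policy : $([bool]($cfg -band 1))"

# 1. Designate a recovery agent: cipher /r generates the agent's certificate (.cer) and private key
#    (.pfx, password-protected at the prompt). The .pfx is the recovery key; keep it off the machine.
#    The .cer is what you add to Public Key Policies > Encrypting File System in Group Policy.
if (-not (Test-Path "$raBase.cer")) { & cipher.exe "/r:$raBase" }

# 2. Encrypt the folder and everything created in it from now on (/s recurses).
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
$file = Join-Path $dataDir 'plan.txt'
Set-Content -Path $file -Value 'constructed sample content'
& cipher.exe /e "/s:$dataDir" | Out-Null

# 3. Verify: the file attribute, and which certificates can open the file (user and recovery agent).
$isEncrypted = ((Get-Item $file).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
"File is encrypted      : $isEncrypted"
& cipher.exe /c "$file"

# 4. Back up the user's EFS certificate and private key. The key lives in the user profile,
#    protected by a derivative of the password; if the profile goes, so does access to the data.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage
$mine = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if ($mine) {
    $pw = Read-Host -AsSecureString 'Password for the EFS key backup (.pfx)'
    $backup = Join-Path $env:USERPROFILE 'efs-user-backup.pfx'
    Export-PfxCertificate -Cert $mine -FilePath $backup -Password $pw | Out-Null
    "EFS key backed up to   : $backup (store it away from this machine)"
} else {
    'No EFS certificate with a private key found for this user yet'
}
```

Two things to read off the cipher /c output in step 3: the recovery agent should be listed on every encrypted file (if it is not, the file was encrypted before the agent was published by Group Policy and needs a cipher /u to pick it up), and the user certificate listed there is the one step 4 must have backed up.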
Session Summary
Protecting Applications and Data
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Next Steps
  1. Stay informed about security
     Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
     Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
  2. Get additional security training
     Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
     Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
For More Information
  Microsoft Security Site (all audiences): http://www.microsoft.com/security
  TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security
  MSDN Security Site (developers): http://msdn.microsoft.com/security