implementing application and data security fred baumhardt senior consultant – security and...
Post on 18-Dec-2015
Implementing Application and Data Security
Fred Baumhardt, Senior Consultant – Security and Architecture
Microsoft Consulting Services - UK
Why Application Security Matters
  Perimeter defences provide limited protection
  Many host-based defences are not application specific
  Most modern attacks occur at the application layer
Why Data Security Matters
  Secure your data as the last line of defence
  Configure file permissions
  Configure data encryption
    Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Applications accounts should be assigned with the minimal permissions
Apply Defence-in-depth principles to increase protection
Assign only those permissions needed to perform required tasks
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Providing Data Security
Exchange Security Dependencies
  Exchange security is dependent on:
    Operating system security
    Network security
    IIS security (if you use OWA)
    Client security (Outlook)
    Active Directory security
  Remember: Defence in Depth
Exchange Comms Architecture
[Diagram: Firewall -> Front End -> (potential firewall) -> Back End / Mail Server; Internal Clients on the Internal Net; DC/GC]
  Internet to Front End: TCP 25 in/out, TCP 443 in, TCP 80 in
    TCP 80, TCP 443 for Web
    TCP 80, TCP 443 encapsulating RPC
    TCP 25 for inbound and outbound mail
  Front End to Back End: RPC or RPC over HTTP; too many to list (see slide)
  Exchange to DC/GC: RPC, GC, Kerberos, Netlogon (depends on auth status)
Securing Communications
  Configure RPC encryption
    Client side setting
    Enforcement with ISA Server FP1, 2004
  Firewall blocking
  Mail server publishing with ISA Server
  Configure HTTPS for OWA
  Use S/MIME for message encryption
  Outlook 2003 enhancements
    Kerberos authentication
    RPC over HTTPS
Connection Strategies
  Method                       | Experience | Complexity  | Security
  POP3/IMAP4 via SSL with SMTP | Basic      | Medium/High | Medium
  OWA via SSL with ISA         | Moderate   | Low         | Full
  VPN – PPTPv2                 | Full       | High        | Full
  Secure RPC with ISA          | Full       | Medium      | Full
  RPC over HTTP                | Full       | Medium/Low  | Full in / None out
Blocking Spam – Exchange 2000
  Close open relays!
  Protect against address spoofing
  Prevent Exchange from resolving recipient names to GAL accounts
  Configure reverse DNS lookups
  Implement third party anti-spam; no native tools exist
  Check out ORDB.org to give you some examples, and a sample filter
Blocking Spam – Exchange 2003
  Use additional features in Exchange Server 2003
    Support for real-time block lists
    Global deny and accept lists
    Sender and inbound recipient filtering
    Improved anti-relaying protection
    Integration with Outlook 2003 and third-party junk mail filtering
    Intelligent Message Filter now available
Blocking Insecure Messages
  Implement antivirus gateways
    Monitor incoming and outgoing messages
    Update signatures often
  Configure Outlook attachment security
    Web browser security determines whether attachments can be opened in OWA
  Implement ISA Server
    Message Screener can block incoming messages
    OWA, RPC/HTTP, RPC, SMTP can all be locked down with it
Enhancements in Exchange Server 2003
  Many secure-by-default settings
  More restrictive permissions
  New mail transport features
  New Internet Connection Wizard
  Cross-forest authentication support
Top Ten Things to Secure Exchange
  1. Install the latest service pack
  2. Install all applicable security patches
  3. Run MBSA
  4. Check relay settings
  5. Disable or secure well-known accounts
  6. Use a layered antivirus approach
  7. Use a firewall
  8. Evaluate ISA Server
  9. Secure OWA
  10. Implement a backup strategy
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Providing Data Security
Basic Security Configuration
  Apply service packs and patches
    Use MBSA to detect missing SQL updates
  Enforce required services
    MSSQLSERVER
    SQLSERVERAGENT (replication, monitoring, scheduled jobs, auto restart, event firing)
  Disable unused services to fit role
    MSSQLServerADHelper (if no AD integration)
    Microsoft Search (if no FTSearch required)
    Microsoft DTC (if not clustered)
Common Database Server Threats and Countermeasures
[Diagram: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server]
  Threats: Unauthorized external access; SQL injection; Password cracking; Network eavesdropping
  Network vulnerabilities: Failure to block SQL ports
  Configuration vulnerabilities: Overprivileged service account; Weak permissions; No certificate
  Web app vulnerabilities: Overprivileged accounts; Weak input validation
Database Server Security Categories
[Diagram: security categories grouped by layer]
  Network: Protocols, Ports
  Operating System: Patches and Updates; Shares; Services; Accounts; Auditing and Logging; Files and Directories; Registry
  SQL Server: SQL Server Security; Database Objects; Logins, Users, and Roles
Network Security
  Restrict SQL to TCP/IP
  Harden the TCP/IP stack
  Restrict ports
  Remove SQL from harm's way – don't let clients talk to it
    Use IPSEC to enforce in unsegmented nets
    Use firewalls or VLANs to enforce
Operating System Security
  Configure the SQL Server service account with the lowest possible permissions – it can run without local admin
  Delete or disable unused accounts
  Secure authentication traffic
Logins, Users, and Roles
  Use a strong system administrator (sa) password
  Remove the SQL guest user account
  Remove the BUILTIN\Administrators server login
  Do not grant permissions for the public role
Files, Directories, and Shares
  Verify permissions on SQL Server installation directories
  Verify that the Everyone group does not have permissions to SQL Server files
  Secure setup log files
  Secure or remove tools, utilities, SDKs and sample DBs (Pubs, Northwind)
  Remove unnecessary shares
  Restrict access to required shares
  Secure registry keys with ACLs
  EFS can be used – performance
SQL Security
  Set authentication to Windows only
  If you must use SQL Server authentication, ensure that authentication traffic is encrypted
  Remember – no lockout for SQL mixed mode; Windows auth only locks out if account policy set to
SQL Auditing
  Log all failed Windows login attempts
  Log successful and failed actions across the file system
  Enable SQL Server login auditing
  Enable SQL Server general auditing
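The following T-SQL is an added example, not part of the deck: a read-only checklist that verifies the points on the Logins, Users, and Roles, SQL Security and SQL Auditing slides, followed by the setting that turns login auditing on. It assumes SQL Server 2005 or later (for the sys.* catalog views), a sysadmin connection, and uses the undocumented but long-standing sp_MSforeachdb to walk the user databases.

```sql
-- Added example (not from the slide deck). Assumes SQL Server 2005+ and a
-- sysadmin connection. Every query reports findings; nothing is changed until
-- the final statement.

-- Authentication mode. 1 = Windows only; 0 = mixed mode, the case the
-- "SQL Security" slide warns has no lockout for SQL logins.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
            WHEN 1 THEN 'OK: Windows authentication only'
            ELSE 'FINDING: mixed mode - SQL Server logins permitted'
       END AS authentication_mode;

-- sa keeps SID 0x01 even if renamed; it should be disabled or carry a
-- strong, policy-checked password.
SELECT name, is_disabled, is_policy_checked,
       CASE WHEN is_disabled = 1 THEN 'OK: sa disabled'
            WHEN is_policy_checked = 0 THEN 'FINDING: sa enabled, no password policy'
            ELSE 'WARN: sa enabled' END AS status
FROM sys.sql_logins
WHERE sid = 0x01;

-- BUILTIN\Administrators should not hold a server login.
SELECT name, 'FINDING: BUILTIN\Administrators login exists' AS status
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- guest should not be able to connect to any user database. The system
-- databases (DB_ID 1-4) rely on guest and are skipped.
EXEC sp_MSforeachdb N'
IF DB_ID(N''?'') > 4
    SELECT N''?'' AS database_name, N''FINDING: guest can connect'' AS status
    FROM [?].sys.database_principals dp
    JOIN [?].sys.database_permissions pe
      ON pe.grantee_principal_id = dp.principal_id
    WHERE dp.name = N''guest''
      AND pe.permission_name = N''CONNECT'' AND pe.state = N''G'';';

-- Object permissions granted to public in the current database
-- ("do not grant permissions for the public role").
SELECT OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name,
       pe.permission_name
FROM sys.database_permissions pe
JOIN sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N'public' AND pe.class = 1 AND pe.state IN ('G', 'W');

-- Login auditing. AuditLevel: 0 = none, 1 = successful, 2 = failed, 3 = both.
EXEC master.dbo.xp_loginconfig 'audit level';       -- read the current value

-- Log both successful and failed logins to the SQL Server error log and the
-- Windows application log. Takes effect after the service restarts.
EXEC master.dbo.xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', REG_DWORD, 3;
```

Run it from a scheduled job and diff the result set against the previous run: a new row in any of the FINDING queries is a configuration drift worth an alert, which is what the "audit connections" item on the top-ten slide amounts to in practice.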
Securing Database Objects
  Remove the sample databases
  Secure stored procedures
  Secure extended stored procedures
  Restrict cmdExec access to the sysadmin role
  Restrict XP_CMDShell – check if your application needs it
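As an added example (not from the deck), the T-SQL below checks and then remediates the Securing Database Objects points, together with the sample databases named on the Files, Directories, and Shares slide. It assumes SQL Server 2005 or later, where xp_cmdshell is governed by sp_configure; the remediation statements at the end are meant to run only after confirming the application has no dependency on what they remove.

```sql
-- Added example (not from the slide deck). Assumes SQL Server 2005+ and a
-- sysadmin connection.
USE master;

-- Sample databases named on the slides; they should not exist on a
-- production server.
SELECT name, 'FINDING: sample database present' AS status
FROM sys.databases
WHERE name IN (N'pubs', N'Northwind');

-- xp_cmdshell: value_in_use 1 = enabled. Leave it disabled unless the
-- application needs it.
SELECT name, value_in_use,
       CASE WHEN value_in_use = 1 THEN 'FINDING: xp_cmdshell enabled'
            ELSE 'OK' END AS status
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- Extended stored procedures (object type X) that public may execute.
-- The hardened baseline is that only sysadmin, or a role granted explicitly,
-- can reach them.
SELECT o.name AS extended_proc, pe.permission_name
FROM sys.database_permissions pe
JOIN sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
JOIN sys.all_objects o          ON o.object_id     = pe.major_id
WHERE dp.name = N'public' AND o.type = 'X' AND pe.state IN ('G', 'W')
ORDER BY o.name;

-- Remediation, once the application is confirmed not to depend on these.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;        -- turn the shell off
RECONFIGURE;

DROP DATABASE Northwind;
DROP DATABASE pubs;
```

Re-run the first three queries after remediation; they should return no FINDING rows. Rather than granting EXECUTE on xp_cmdshell to an application role when it is genuinely needed, route the one job that needs it through a SQL Agent step owned by a sysadmin, which is what "restrict cmdExec access to the sysadmin role" asks for.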
Using Views and Stored Procedures
  SQL queries may contain confidential information
  Use stored procedures whenever possible
  Use views instead of direct table access
  Implement security best practices for Web-based applications
  Stored procs should validate input and be the only things that access tables; avoid views as they are “injectionable”
Securing Web Applications
  Validate all data input
  Secure authentication and authorization
  Secure sensitive data
  Use least-privileged process and service accounts
  Configure auditing and logging
  Use structured exception handling
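The T-SQL below is an added example, not code from the deck, illustrating the previous two slides: why a stored procedure is only a safe gateway to a table if it treats its input as data, how to validate that input inside the procedure, and how to give the application account execute rights without any direct table access. The table, column, procedure and role names (Customers, CardNumber, FindCustomer, AppReaders) are invented for the illustration; it assumes SQL Server 2005 or later.

```sql
-- Added example (not from the slide deck). Names are invented; assumes
-- SQL Server 2005+.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    LastName   NVARCHAR(50) NOT NULL,
    CardNumber NVARCHAR(20) NOT NULL   -- confidential; never returned by the procedures
);
GO

-- Injectable: the parameter is pasted into the query text. A value containing
-- a single quote closes the literal and whatever follows runs as SQL with the
-- procedure's permissions. Wrapping this in a procedure or a view adds nothing.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Safe: the input is validated against a whitelist, then compared as a bound
-- parameter of a static statement, so it can never alter the query's shape.
CREATE PROCEDURE dbo.FindCustomer @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Allow letters, space, apostrophe and hyphen only.
    IF @LastName IS NULL OR LEN(@LastName) = 0
       OR @LastName LIKE N'%[^A-Za-z'' -]%'
    BEGIN
        RAISERROR(N'Invalid last name.', 16, 1);
        RETURN;
    END;
    SELECT CustomerId, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END;
GO

-- If dynamic SQL is genuinely required, bind the value with sp_executesql
-- instead of concatenating it.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @LastName NVARCHAR(50)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @p',
        N'@p NVARCHAR(50)',
        @p = @LastName;
END;
GO

-- Least privilege: the application role may run the procedure but has no
-- access to the table. Ownership chaining (both objects owned by dbo) lets
-- the static procedure read the table on the caller's behalf.
CREATE ROLE AppReaders;
GRANT EXECUTE ON dbo.FindCustomer TO AppReaders;
DENY  SELECT  ON dbo.Customers    TO AppReaders;
GO
```

Two things worth noticing. The DENY on the table does not break dbo.FindCustomer because ownership chaining skips the permission check on the table when the procedure and table share an owner. Dynamic SQL, whether EXEC or sp_executesql, breaks that chain and runs under the caller's own permissions, so a member of AppReaders calling FindCustomer_Dynamic would be refused; that is one more reason to prefer static statements in the procedures that front your tables.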
Top Ten Things to Protect SQL Server
  1. Install the most recent service pack
  2. Run MBSA
  3. Configure Windows authentication
  4. Isolate the server and back it up
  5. Check the sa password – remove it
  6. Limit privileges of SQL services
  7. Block ports at your firewall
  8. Use NTFS
  9. Remove setup files and sample databases
  10. Audit connections
Agenda
  Introduction
  Protecting Exchange Server
  Protecting SQL Server
  Securing Small Business Server
  Providing Data Security
Role and Limitations of File Permissions
  Prevent unauthorized access
  Limit administrators
  Do not protect against intruders with physical access
  Encryption provides additional security
Role and Limitations of EFS
  Benefit of EFS encryption
    Ensures privacy of information
    Uses robust public key technology
  Danger of encryption
    All access to data is lost if the private key is lost
  Private keys on client computers
    Keys are encrypted with a derivative of the user’s password
    Private keys are only as secure as the password
    Private keys are lost when the user profile is lost
EFS Differences Between Windows Versions
  Windows 2000 and newer Windows versions support EFS on NTFS partitions
  Windows XP and Windows Server 2003 include new features:
    Additional users can be authorized
    Offline files can be encrypted
    The triple-DES (3DES) encryption algorithm can replace DESX
    A password reset disk can be used
    EFS preserves encryption over WebDAV
    Data recovery agents are recommended
    Usability is enhanced
Implementing EFS: Advice
  Use Group Policy to disable EFS until ready for central implementation
  Plan and design policies
  Designate recovery agents
  Assign certificates
  Implement via Group Policy