Security Considerations and Checklist

Upload: abimbolaadesireadegbite

Posted on 07-Jul-2018

8/19/2019 Security Considerations and Checklist (1/28)

Design Considerations

Check (Production / Pre-Production / Training)   Description

The authentication strategy has been identified.
Privacy and integrity requirements of SOAP messages have been considered.
Identities that are used for resource access have been identified.
Implications of code access security trust levels have been considered.

Development Considerations

Input Validation

Check (Production / Pre-Production / Training)   Description

Input to Web methods is constrained and validated for type, length, format, and range.

Input data sanitization is only performed in addition to constraining input data.
XML input data is validated based on an agreed schema.

Authentication

Check (Production / Pre-Production / Training)   Description

Web services that support restricted operations or provide sensitive data support authentication.
If plain text credentials are passed in SOAP headers, SOAP messages are only passed over encrypted communication channels, for example, using SSL.
Basic authentication is only used over an encrypted communication channel.
Authentication mechanisms that use SOAP headers are based on Web Services Security (WS Security) using the Web Services Enhancements (WSE).

Authorization

Check (Production / Pre-Production / Training)   Description

Web services that support restricted operations or provide sensitive data support authorization.
Where appropriate, access to the Web service is restricted using URL authorization or file authorization if Windows authentication is used.
Where appropriate, access to publicly accessible Web methods is restricted using declarative principal permission demands.

Sensitive Data

Check (Production / Pre-Production / Training)   Description

Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL).

Parameter Manipulation

Check (Production / Pre-Production / Training)   Description

If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links), messages are digitally signed to ensure that they cannot be tampered with.

Exception Management

Check (Production / Pre-Production / Training)   Description

Structured exception handling is used when implementing Web services.
Exception details are logged (except for private data, such as passwords).
SoapExceptions are thrown and returned to the client using the standard SOAP element.
If application-level exception handling is required, a custom SOAP extension is used.

Auditing and Logging

Check   Description

The Web service logs transactions and key operations.

Proxy Considerations

Check   Description

The endpoint address in Web Services Description Language (WSDL) is checked for validity.
The URL Behavior property of the Web reference is set to dynamic for added flexibility.

Administration Considerations

Check   Description

Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
The documentation protocol is disabled if you do not want to support the dynamic generation of WSDL.
The Web service runs using a least-privileged process account (configured through the element in Machine.config).
Custom accounts are encrypted by using Aspnet_setreg.exe.
Tracing is disabled with:
<trace enabled="false" />
Debug compilations are disabled with:
<compilation debug="false" explicit="true" defaultLanguage="vb" />

Patches and Updates

Check   Description

MBSA is run on a regular interval to check for the latest operating system and component updates.
The latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.)
Subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp (see also https://technet.microsoft.com/en-us/security/dd252948.aspx).

Services

Check   Description

Unnecessary services are disabled.
Services are running with least-privileged accounts.
FTP, SMTP, and NNTP services are disabled if they are not required.

Telnet service is disabled.
ASP.NET state service is disabled and is not used by your applications.

Protocols

Check   Description

WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."
TCP/IP stack is hardened.
NetBIOS and SMB are disabled (closes ports 137, 13).

Accounts

Check   Description

Unused accounts are removed from the server.
Windows Guest account is disabled.

Administrator account is renamed and has a strong password.
IUSR_MACHINE account is disabled if it is not used by the application.
If your applications require anonymous access, a custom least-privileged anonymous account is created.
The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.)
Strong account and password policies are enforced for the server.
Remote logons are restricted. (The "Access this computer from the network" user right is removed from the Everyone group.)
Accounts are not shared among administrators.
Null sessions (anonymous logons) are disabled.

Approval is required for account delegation.
Users and administrators do not share accounts.
No more than two accounts exist in the Administrators group.
Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

Check   Description

Files and directories are contained on NTFS volumes.
Web site content is located on a non-system NTFS volume.
Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
The Everyone group is restricted (no access to \WINNT\system32 or \Web directories).

Web site root directory has a deny write ACE for anonymous Internet accounts.
Content directories have a deny write ACE for anonymous Internet accounts.
Remote IIS administration application is removed (\WINNT\System32\inetsrv\IISAdmin).
Resource kit tools, utilities, and SDKs are removed.
Sample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples).

Shares

Check   Description

All unnecessary shares are removed (including default administration shares).
Access to required shares is restricted (the Everyone group does not have access).
Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

Check   Description

Internet-facing interfaces are restricted to port

Log files are configured with an appropriate size depending on the application security requirement.
Log files are regularly archived and analyzed.
Access to the Metabase.bin file is audited.
IIS is configured for W3C Extended log file format auditing.

Sites and Virtual Directories

Check   Description

Web sites are located on a non-system partition.
"Parent paths" setting is disabled.
Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed.
MSADC virtual directory (RDS) is removed or secured.

Include directories do not have Read Web permission.
Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account.
There is script source access only on folders that support content authoring.
There is write access only on folders that support content authoring, and these folders are configured for authentication (and SSL encryption, if required).
FrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted.

Script Mappings

Check   Description

Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, idc, .htr, .printer).
Unnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config.

ISAPI Filters

Check   Description

Unnecessary or unused ISAPI filters are removed from the server.

Server Certificates

Check   Description

Certificate date ranges are valid.
Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail).
The certificate's public key is valid, all the way to a trusted root authority.
The certificate has not been revoked.

Machine.config

Check   Description

Protected resources are mapped to HttpForbiddenHandler.

Unused HttpModules are removed.
Tracing is disabled:
<trace enabled="false" />
Debug compiles are turned off:
<compilation debug="false" explicit="true" defaultLanguage="vb" />
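Added example, not part of the checklist or of any Microsoft tooling: a small Python audit that reads a Machine.config or web.config fragment and reports the items from the Administration Considerations and Machine.config sections above (tracing enabled, debug compilation enabled, file extensions the application does not serve that are not mapped to HttpForbiddenHandler). Both config samples are constructed; the list of unused extensions is an assumed input that the operator supplies.

```python
import xml.etree.ElementTree as ET

FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"

# Constructed sample: the weak settings the checklist tells you to turn off.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" explicit="true" defaultLanguage="vb" />
    <httpHandlers>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory" />
      <add verb="*" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting" />
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed sample: the same fragment after applying the checklist.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" />
    <compilation debug="false" explicit="true" defaultLanguage="vb" />
    <httpHandlers>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory" />
      <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>"""

def _handler_map(web):
    """Map file extension -> handler type name from <httpHandlers>/<add> entries."""
    mapping = {}
    handlers = web.find("httpHandlers")
    for add in ([] if handlers is None else handlers.findall("add")):
        path, type_name = add.get("path", ""), add.get("type", "")
        if "." in path:
            # "*.rem" -> ".rem"; drop the assembly part of a "Type, Assembly" value
            mapping[path[path.rfind("."):].lower()] = type_name.split(",")[0].strip()
    return mapping

def audit_aspnet_config(xml_text, unused_extensions):
    """Return checklist violations found in a Machine.config/web.config document.
    unused_extensions (assumed operator input): extensions the app does not serve."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    trace = web.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('tracing is enabled: set <trace enabled="false"/>')
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('debug compilation is enabled: set <compilation debug="false"/>')
    handlers = _handler_map(web)
    for ext in unused_extensions:
        handler = handlers.get(ext.lower())
        if handler != FORBIDDEN_HANDLER:  # unmapped or served by a real handler
            findings.append(f"{ext} is served by {handler or 'the default handler'}: "
                            f"map it to {FORBIDDEN_HANDLER}")
    return findings
```

Run it against each server's effective configuration (Machine.config plus every web.config that can override these elements), since a site-level web.config can re-enable tracing or debug compilation that Machine.config turned off.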

Code Access Security

Check   Description

Code access security is enabled on the server.
All permissions have been removed from the local intranet zone.
All permissions have been removed from the Internet zone.

Other Check Points

Check   Description

IISLockdown tool has been run on the server.
HTTP requests are filtered. URLScan is installed and configured.
Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts.

Dos and Don'ts

SQL Server Agent is not installed if it is not being used by any application.
SQL Server is installed on a dedicated database server.
SQL Server is installed on an NTFS partition.
Windows Authentication mode is selected unless SQL Server Authentication is specifically required, in which case Mixed Mode is selected.
A strong password is applied for the sa account or any other member of the sysadmin role. (Use strong passwords for all accounts.)
The database server is physically secured.

Patches and Updates

Check   Description

The latest service packs and patches have been applied for SQL Server. (See http://support.microsoft.com/default.aspx?scid=kb;EN-US;290211.)
Post service-pack patches have been applied for SQL Server. (See http://www.microsoft.com/technet/security/current.asp?productid=30&servicepackid=0.)

Services

Check   Description

Unnecessary Microsoft Windows services are disabled on the database server.
All optional services, including Microsoft Search Service, MSSQLServerADHelper, and SQLServerAgent, are disabled if not used by any applications.
The Microsoft Distributed Transaction Coordinator (MS DTC) is disabled if it is not being used by any applications.
A least-privileged local/domain account is used to run the various SQL Server services, for example, backup and replication.

Protocols

Check   Description

All protocols except TCP/IP are disabled within SQL Server. Check this using the Server Network Utility.
The TCP/IP stack is hardened on the database server.

Accounts

Check   Description

SQL Server is running using a least-privileged local account (or optionally, a least-privileged domain account if network services are required).
Unused accounts are removed from Windows and SQL Server.
The Windows guest account is disabled.
The administrator account is renamed and has a strong password.
Strong password policy is enforced.
Remote logons are restricted.
Null sessions (anonymous logons) are restricted.
Approval is required for account delegation.
Shared accounts are not used.

Membership of the local administrators group is restricted (ideally, no more than two administration accounts).

Files and Directories

Check   Description

Restrictive permissions are configured on SQL Server installation directories (per the guide).
The Everyone group does not have permission to access SQL Server installation directories.
Setup log files are secured.
Tools, utilities, and SDKs are removed or secured.
Sensitive data files are encrypted using EFS. (This is an optional step. If implemented, use EFS only to encrypt MDF files, not LDF log files.)

Shares

Check   Description

All unnecessary shares are removed from the server.

Access to required shares is restricted (the Everyone group doesn't have access).
Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

Check   Description

Restrict access to all ports on the server except the ports configured for SQL Server and database instances (TCP 1433 and UDP 1434 by default).
Named instances are configured to listen on the same port.
Port 44

Check   Description

SQL Server registry keys are secured with restricted permissions.
The SAM is secured (standalone servers only).

Auditing and Logging

Check   Description

All failed Windows login attempts are logged.
All failed actions are logged across the file system.
SQL Server login auditing is enabled.
Log files are relocated from the default location and secured with access control lists.
Log files are configured with an appropriate size depending on the application security requirement.
Where the database contents are highly sensitive or vital, Windows is set to Shut

Down mode on overflow of the security logs.

SQL Server Security

Check   Description

SQL Server authentication is set to Windows only (if supported by the application).
The SQL Server audit level is set to Failure or All.
SQL Server runs using a least-privileged account.

SQL Server Logins, Users, and Roles

Check   Description

A strong sa password is used (for all accounts).
SQL Server guest user accounts are removed.
BUILTIN\Administrators server login is removed.

Permissions are not granted for the public role.
Members of the sysadmin fixed server role are limited (ideally, no more than two users).
Restricted database permissions are granted. Use of built-in roles, such as db_datareader and db_datawriter, is avoided because they provide limited authorization granularity.
Default permissions that are applied to SQL Server objects are not altered.

SQL Server Database Objects

Check   Description

Sample databases (including Pubs and Northwind) are removed.
Stored procedures and extended stored procedures are secured.
Access to cmdExec is restricted to members of the sysadmin role.

Additional Considerations

Check   Description

A certificate is installed on the database server to support SSL communication and the automatic encryption of SQL account credentials (optional).
NTLM version 2 is enabled by setting LMCompatibilityLevel to 5.

Staying Secure

Check   Description

Regular backups are performed.
Group membership is audited.
Audit logs are regularly monitored.
Security assessments are regularly performed.

Router Considerations

Check   Description

Latest patches and updates are installed.

You have subscribed to the router vendor's security notification service.
Known vulnerable ports are blocked.
Ingress and egress filtering is enabled. Incoming and outgoing packets are confirmed as coming from public or internal networks.
ICMP traffic is screened from the internal network.
Administration interfaces to the router are enumerated and secured.
Web-facing administration is disabled.
Directed broadcast traffic is not received or forwarded.
Unused services are disabled (for example, TFTP).
Strong passwords are used.
Logging is enabled and audited for unusual traffic or patterns.
Large ping packets are screened.
Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router.

Firewall Considerations

Check   Description

Latest patches and updates are installed.
Effective filters are in place to prevent malicious traffic from entering the perimeter.
Unused ports are blocked by default.
Unused protocols are blocked by default.
IPsec is configured for encrypted communication within the perimeter network.
Intrusion detection is enabled at the firewall.

Switch Considerations

Check   Description

Latest patches and updates are installed.
Administrative interfaces are enumerated and secured.
Unused administrative interfaces are disabled.
Unused services are disabled.
Available services are secured.