Defending Steps

1. Defending Steps Lecture 11

2. Defending the Network Harden firewalls • Stay current with patches and updates • Block unused ports and protocols • Use filtering to reject illicit requests Harden routers and switches • Stay current with patches and updates • Use ingress/egress filtering to reject spoofed packets • Screen ICMP traffic from the internal network • Screen directed broadcast requests from the internal network • Reject trace routing requests Encrypt sensitive communications 1,2 i

3. Defending the Host Stay current with service packs and updates 3 Harden IIS with IISLockdown and URLScan 4,5 Harden the Web server's TCP/IP stack 6 Run ASP.NET using principle of least privilege ACL resources to prevent unauthorized access 7 Disable unused shares and services Move Web root to drive other than C: i

4. Defending the Application Never trust user input (validate!) Access databases securely Avoid vulnerabilities in forms authentication Secure ASP.NET session state Store secrets securely Anticipate errors and handle them appropriately i

5. Validating Input Filter potentially injurious characters and strings HTML-encode all input echoed to a Web page Use "safe" character encodings <globalization requestEncoding="ISO-8859-1" responseEncoding="ISO-8859-1" /> Avoid using file names as input if possible i

6. Tools for Validating Input

7. Accessing Data Securely Use stored procedures or parameterized commands in lieu of dynamic SQL commands Never use sa to access Web databases Store connection strings securely Apply administrative protections to SQL Server 8 Optionally use SSL/TLS or IPSec to secure the connection to the database server 2,9 i

8. Forms Authentication Protect login credentials with SSL/TLS 1 Don't store passwords; store password hashes Limit authentication cookie lifetimes to minimize windows for replay attacks Assume authentication cookies are spoofed or stolen when performing sensitive operations Don't rely on forms authentication to protect resources not owned by ASP.NET

9. Securing Session State Limit session time-outs as much as possible Avoid using cookieless session state if possible Close port 42424 in firewall if using state service Disable ASP.NET state service if you're not using it Close ports 1433 and 1434 if using SQL Server Encrypt connection string if using SQL Server 11

10. Session State, Cont. Don’t store potentially injurious data (such as credit card numbers) in session state Optionally use SSL/TLS to protect session ID cookies 1 Optionally use SSL/TLS or IPSec to secure the connection to the database server 2,9

11. Error Handling Anticipate errors and handle them sensibly Use <customErrors> to display custom error pages Don't reveal too much information in error pages Beware mode="off" and debug="true" Log unhandled exceptions Be aggressive about logging failures

12. Defending the Host Stay current with service packs and updates Harden IIS 5 by running IISLockdown • Disables FTP, SMTP, and NNTP • Removes key script mappings such as .idq, .htr, and .printer • Removes IISSamples, IISHelp, Scripts, and other virtual directories • ACLs system tools and Web content directories to limit access • Disables WebDAV • Installs URLScan Harden IIS 5 and 6 by installing URLScan • Logs failed requests • Limits request sizes to mitigate DoS attacks • Masks content headers revealing IIS type and version number • Blocks requests with potentially injurious characters (e.g., dots in path names) • Canonicalizes and verifies path names to thwart directory traversal attacks • Disables specified verbs (e.g., "DEBUG") i http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh16.asp

13. Defending the Host, Cont. Disable unused shares and services • Delete nonessential shares and restrict access to others • Disable nonessential services and protocols (e.g., SMB and NetBIOS) • Remove or secure Remote Data Services (RDS) Harden user accounts • Disable the Guest account • Use strong passwords on all accounts • Rename the administrator account • Disallow null sessions (anonymous logons) • Restrict remote logons to only those who need it Be aggressive about logging and auditing • Log failed logon attempts • Log failed actions anywhere in the system • Secure IIS log files with NTFS permissions • Audit access to Metabase.bin

14. Defending the Host, Cont. Use ACLs to limit access to critical resources • Restrict access to the %systemroot%\System32 directory • Restrict access to %systemroot%\Microsoft.NET\Framework • Restrict write access to %systemroot%\System32\Logfiles • Restrict write access to Web content directories • Restrict access to registry keys where secrets are stored Protect the bin directory • Remove all Web permissions (Read, Write, Directory Browsing) from bin • Set Execute permission to None on bin • Allow neither anonymous access nor authenticated access to bin

15. Full Trust SQL Server OLE DB Unmanaged Code SqlClientPermission SecurityPermission.- UnmanagedCode Registry OleDbClientPermission File System RegistryPermission Application FileIOPermission DNS DnsPermission EnvironmentPermission EventLogPermission Environment Variables SocketsPermission Windows Event Log WebPermission Web Services Remote Servers

16. High Trust SQL Server OLE DB Unmanaged Code SqlClientPermission Registry File System RegistryPermission Application FileIOPermission DNS DnsPermission EnvironmentPermission EventLogPermission Environment Variables SocketsPermission Windows Event Log WebPermission Web Services Remote Servers

17. Medium Trust SQL Server OLE DB Unmanaged Code SqlClientPermission Registry Restricted File System Application FileIOPermission DNS DnsPermission EnvironmentPermission Restricted Environment Variables Windows Event Log WebPermission Restricted Web Services Remote Servers

18. Low Trust SQL Server OLE DB Unmanaged Code Registry Heavily Restricted File System Application FileIOPermission DNS Environment Variables Windows Event Log Web Services Remote Servers