1 / 33

Implementing Application and Data Security

Implementing Application and Data Security. Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK. Why Application Security Matters. Perimeter Defences provide limited protection Many host-based Defences are not application specific

ros
Télécharger la présentation

Implementing Application and Data Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK

  2. Why Application Security Matters • Perimeter Defences provide limited protection • Many host-based Defences are not application specific • Most modern attacks occur at the application layer

  3. Why Data Security Matters • Secure your data as the last line of Defence • Configure file permissions • Configure data encryption • Protects the confidentiality of information when physical security is compromised

  4. Application Server Best Practices Configure security on the base operating system Apply operating system and application service packs and patches Install or enable only those services that are required Assign only those permissions needed to perform required tasks Applications accounts should be assigned with the minimal permissions Apply Defence-in-depth principles to increase protection

  5. Agenda • Introduction • Protecting Exchange Server • Protecting SQL Server  • Providing Data Security

  6. Exchange Security Dependencies • Exchange security is dependent on: • Operating system security • Network security • IIS security (if you use OWA) • Client security (Outlook) • Active Directory security Remember: Defence in Depth

  7. Exchange Comms Architecture .

  8. Securing Communications • Configure RPC encryption • Client side setting • Enforcement with ISA Server FP1, 2004 • Firewall blocking • Mail server publishing with ISA Server • Configure HTTPS for OWA • Use S/MIME for message encryption • Outlook 2003 Enhancements • Kerberos authentication • RPC over HTTPS

  9. Connection Strategies

  10. Blocking Spam – Exchange 2000 • Close open relays! • Protect against address spoofing • Prevent Exchange from resolving recipient names to GAL accounts • Configure reverse DNS lookups • Implement third party Anti-Spam, no native tools exist • Check out ORDB.org to give you some examples, and sample filter

  11. Blocking Spam – Exchange 2003 • Use additional features in Exchange Server 2003 • Support for real-time block lists • Global deny and accept lists • Sender and inbound recipient filtering • Improved anti-relaying protection • Integration with Outlook 2003 and third-party junk mail filtering • Intelligent Message Filter now available

  12. Blocking Insecure Messages • Implement antivirus gateways • Monitor incoming and outgoing messages • Update signatures often • Configure Outlook attachment security • Web browser security determines whether attachments can be opened in OWA • Implement ISA Server • Message Screener can block incoming messages • OWA, RPC/HTTP, RPC, SMTP can all be locked down with it

  13. Enhancements in Exchange Server 2003 • Many secure-by-default settings • More restrictive permissions • New mail transport features • New Internet Connection Wizard • Cross-forest authentication support

  14. Top Ten Things to Secure Exchange 1 Install the latest service pack 2 Install all applicable security patches 3 Run MBSA 4 Check relay settings 5 Disable or secure well-known accounts 6 Use a layered antivirus approach 7 Use a firewall 8 Evaluate ISA Server 9 Secure OWA 10 Implement a backup strategy

  15. Agenda • Introduction • Protecting Exchange Server • Protecting SQL Server • Providing Data Security

  16. Basic Security Configuration • Apply service packs and patches • Use MBSA to detect missing SQL updates • Enforce required services • MSSQLSERVER • SQLSERVERAGENT (replication, monitoring, scheduled jobs, auto restart, event firing) • Disable unused services to fit role • MSSQLServerADHelper (if no AD integration) • Microsoft Search (if no FTSearch required) • Microsoft DTC (if not clustered)

  17. Password Cracking Web App Vulnerabilities Overprivileged accounts Week input validation Network Eavesdropping SQL Injection Perimeter Firewall Internal Firewall SQL Server Web App Browser Unauthorized External Access Network Vulnerabilities Failure to block SQL ports Configuration Vulnerabilities Overprivileged service account Week permissions No certificate Common Database Server Threats and Countermeasures

  18. SQL Server Security SQL Server Logins, Users, and Roles Database Objects Shares Auditing and Logging Patches and Updates Operating System Services Files and Directories Accounts Registry Protocols Ports Network Database Server Security Categories

  19. Network Security • Restrict SQL to TCP/IP • Harden the TCP/IP stack • Restrict ports • Remove SQL from harms way – don’t let clients talk to it • Use IPSEC to enforce in unsegmented nets • Use firewalls or VLANs to enforce

  20. Operating System Security • Configure the SQL Server service account with the lowest possible permissions- it can run without local admin • Delete or disable unused accounts • Secure authentication traffic

  21. Logins, Users, and Roles • Use a strong system administrator (sa) password • Remove the SQL guest user account • Remove the BUILTIN\Administrators server login • Do not grant permissions for the public role

  22. Files, Directories, and Shares • Verify permissions on SQL Server installation directories • Verify that Everyone group does not have permissions to SQL Server files • Secure setup log files • Secure or remove tools, utilities, and SDKs, sample DBs (Pubs, Northwind) • Remove unnecessary shares • Restrict access to required shares • Secure registry keys with ACLs • EFS can be used – performance

  23. SQL Security • Set authentication to Windows only • If you must use SQL Server authentication, ensure that authentication traffic is encrypted • Remember – no lockout for SQL mixed mode- windows auth only locks out if account policy set to

  24. SQL Auditing • Log all failed Windows login attempts • Log successful and failed actions across the file system • Enable SQL Server login auditing • Enable SQL Server general auditing

  25. Securing Database Objects • Remove the sample databases • Secure stored procedures • Secure extended stored procedures • Restrict cmdExec access to the sysadmin role • Restrict XP_CMDShell – check if your application needs it

  26. Using Views and Stored Procedures • SQL queries may contain confidential information • Use stored procedures whenever possible • Use views instead of direct table access • Implement security best practices for Web-based applications • Stored Procs should validate input and be the only things that access tables, avoid views as they are “injectionable”

  27. Securing Web Applications • Validate all data input • Secure authentication and authorization • Secure sensitive data • Use least-privileged process and service accounts • Configure auditing and logging • Use structured exception handling

  28. Top Ten Things to Protect SQL Server 1 Install the most recent service pack 2 Run MBSA 3 Configure Windows authentication 4 Isolate the server and back it up 5 Check the sa password – remove it  6 Limit privileges of SQL services 7 Block ports at your firewall 8 Use NTFS 9 Remove setup files and sample databases 10 Audit connections

  29. Agenda • Introduction • Protecting Exchange Server • Protecting SQL Server  • Securing Small Business Server • Providing Data Security

  30. Role and Limitations of File Permissions • Prevent unauthorized access • Limit administrators • Do not protect against intruders with physical access • Encryption provides additional security

  31. Role and Limitations of EFS • Benefit of EFS encryption • Ensures privacy of information • Uses robust public key technology • Danger of encryption • All access to data is lost if the private key is lost • Private keys on client computers • Keys are encrypted with derivative of user’s password • Private keys are only as secure as the password • Private keys are lost when user profile is lost

  32. EFS Differences Between Windows Versions • Windows 2000 and newer Windows versions support EFS on NTFS partitions • Windows XP and Windows Server 2003 include new features: • Additional users can be authorized • Offline files can be encrypted • The triple-DES (3DES) encryption algorithm can replace DESX • A password reset disk can be used • EFS preserves encryption over WebDAV • Data recovery agents are recommended • Usability is enhanced

  33. Implementing EFS: Advice • Use Group Policy to disable EFS until ready for central implementation • Plan and design policies • Designate recovery agents • Assign certificates • Implement via Group Policy

More Related