Implementing Application and Data Security Rafal Lukawiecki
Implementing Application and Data Security Rafal Lukawiecki Strategic Consultant & Director Project Botticelli Ltd
2 Agenda Introduction Protecting Exchange Server Protecting SQL Server Securing Small Business Server Providing Data Security
5 Defense in Depth Using a layered approach: Increases an attacker’s risk of detection; Reduces an attacker’s chance of success
Layers and their controls:
Data: ACL, encryption
Application: Application hardening, antivirus
Host: OS hardening, update management, authentication, HIDS
Internal Network: Network segments, IPSec, NIDS
Perimeter: Firewalls, VPN quarantine
Physical Security: Guards, locks, tracking devices
Policies, Procedures, & Awareness: User education
4 Why Application Security Matters Perimeter defenses provide limited protection Many host-based defenses are not application specific Most modern attacks occur at the application layer
5 Why Data Security Matters Secure your data as the last line of defense Configure file permissions Configure data encryption Protects the confidentiality of information when physical security is compromised
6 Application Server Best Practices Configure security on the base operating system Apply operating system and application service packs and patches Install or enable only those services that are required Assign only those permissions needed to perform required tasks Application accounts should be assigned the minimal permissions Apply defense-in-depth principles to increase protection
7 Agenda Introduction Protecting Exchange Server Protecting SQL Server Securing Small Business Server Providing Data Security
8 Exchange Security Dependencies Exchange security is dependent on: Operating system security Network security IIS security (if you use OWA) Client security (Outlook) Active Directory security Remember: Defense in Depth
9 Securing Exchange Servers Exchange 2000 Back-End Servers Exchange 2000 Front-End Servers Apply IIS Lockdown, including URLScan Exchange 2003 Back-End Server Apply baseline security template and the Exchange front-end incremental template Dismount private and public stores Exchange 2000 OWA Server Apply baseline security template and the Exchange back-end incremental template Apply protocol security templates Exchange 2003 Front-End and OWA Server IIS Lockdown and URLScan integrated with IIS 6.0 Use application isolation mode
10 Aspects of Exchange Server Security
Securing Access to Exchange Server: Blocking unauthorized access
Securing Communications: Blocking and encrypting communications
Blocking Spam: Filtering incoming mail; Relay restrictions: Don’t aid spammers!
Blocking Insecure E-Mail Messages: Virus scanning; Attachment blocking
11 Configuring Authentication, Part 1 Secure Outlook client authentication Configure Exchange & Outlook 2003 to use RPC over HTTPS Configure SPA to encrypt authentication for Internet protocol clients Remember: Secure authentication does not equal encryption of data
12 Configuring Authentication, Part 2 OWA supports several authentication methods:
Authentication Method: Considerations
Basic authentication: Insecure, unless you require SSL
Integrated authentication: Limited client support, issues across firewalls
Digest authentication: Limited client support
Forms-based authentication: Ability to customize authentication; Wide client support; Available with Exchange Server 2003
13 Securing Communications Configure RPC encryption Firewall blocking Client side setting Enforcement with ISA Server FP1 Mail server publishing with ISA Server Configure HTTPS for OWA Use S/MIME for message encryption Outlook 2003 Enhancements Kerberos authentication RPC over HTTPS
14 Encrypting a Message
Diagram components: Client 1, Client 2, Active Directory Domain Controller, SMTP VS1, SMTP VS 2
1 New message
2 Locate Client 2’s public key
3 Message encrypted with a shared key
4 Message sent using S/MIME
5 Message arrives encrypted
6 Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message
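The six steps on this slide can be reproduced with OpenSSL's S/MIME commands. This is an added example, not part of the original deck: the names client2 and intruder, the file names and the sample message are constructed, and a certificate file stands in for the Active Directory public key lookup.

```shell
#!/bin/sh
# Added example: S/MIME hybrid encryption as described on the slide.
# All names, files and the message text are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a key pair and self-signed certificate for a mailbox owner.
# The .crt file plays the role of the public key found in step 2.
make_recipient() {  # $1 = name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Steps 1-4: openssl generates a random AES key (the "shared key"),
# encrypts the body with it, and wraps that key with the recipient's
# public key inside the S/MIME envelope. -binary keeps line endings as-is.
encrypt_for() {  # $1 = recipient name, $2 = message text
  printf '%s\n' "$2" > "$WORK/msg.txt"
  openssl smime -encrypt -binary -aes-256-cbc -in "$WORK/msg.txt" \
    -out "$WORK/msg.p7m" "$WORK/$1.crt"
}

# Steps 5-6: the private key unwraps the shared key, which decrypts the body.
# Fails (non-zero exit) when the envelope was not addressed to this certificate.
decrypt_as() {  # $1 = name
  openssl smime -decrypt -in "$WORK/msg.p7m" \
    -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Check what an eavesdropper between the SMTP virtual servers would see:
# succeeds only if the given text is readable in the envelope.
envelope_leaks() {  # $1 = text to search for
  grep -q "$1" "$WORK/msg.p7m"
}

make_recipient client2
make_recipient intruder
encrypt_for client2 "Q3 payroll figures attached"
decrypt_as client2
```

Only the holder of client2's private key can recover the message; losing that key makes the message unreadable, which is the same trade-off the EFS slides describe for encrypted files.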
15 Blocking Spam – Exchange 2000 Close open relays! Protect against address spoofing Prevent Exchange from resolving recipient names to GAL accounts Configure reverse DNS lookups
16 Blocking Spam – Exchange 2003 Use additional features in Exchange Server 2003 Support for real-time block lists Global deny and accept lists Sender and inbound recipient filtering Improved anti-relaying protection Integration with Outlook 2003 and third-party junk mail filtering
17 Blocking Insecure Messages Implement antivirus gateways Configure Outlook attachment security Monitor incoming and outgoing messages Update signatures often Web browser security determines whether attachments can be opened in OWA Implement ISA Server Message Screener can block incoming messages
18 Using Permissions to Secure Exchange Administration models Centralized Decentralized Delegating permissions Creating administrative groups Using administrative roles Delegating administrative control
19 Enhancements in Exchange Server 2003 Many secure-by-default settings More restrictive permissions New mail transport features New Internet Connection Wizard Cross-forest authentication support
20 Top Ten Things to Secure Exchange 1 Install the latest service pack 2 Install all applicable security patches 3 Run MBSA 4 Check relay settings 5 Disable or secure well-known accounts 6 Use a layered antivirus approach 7 Use a firewall 8 Evaluate ISA Server 9 Secure OWA 10 Implement a backup strategy
21 Agenda Introduction Protecting Exchange Server Protecting SQL Server Securing Small Business Server Providing Data Security
22 Basic Security Configuration Apply service packs and patches Use MBSA to detect missing SQL updates Disable unused services MSSQLSERVER (required) SQLSERVERAGENT MSSQLServerADHelper Microsoft Search Microsoft DTC
23 Common Database Server Threats and Countermeasures
Threats: Password Cracking, SQL Injection, Unauthorized External Access, Network Eavesdropping
Diagram components: Browser, Perimeter Firewall, Web App, Internal Firewall, SQL Server
Web App Vulnerabilities: Overprivileged accounts, Weak input validation
Network Vulnerabilities: Failure to block SQL ports
Configuration Vulnerabilities: Overprivileged service account, Weak permissions, No certificate
24 Database Server Security Categories
Layers: Network, Operating System, SQL Server
Categories: SQL Server Security; Logins, Users, and Roles; Database Objects; Shares; Auditing and Logging; Services; Files and Directories; Accounts; Registry; Protocols; Ports; Patches and Updates
25 Network Security Restrict SQL to TCP/IP Harden the TCP/IP stack Restrict ports
26 Operating System Security Configure the SQL Server service account with the lowest possible permissions Delete or disable unused accounts Secure authentication traffic
27 Logins, Users, and Roles Use a strong system administrator (sa) password Remove the SQL guest user account Remove the BUILTIN\Administrators server login Do not grant permissions for the public role
28 Files, Directories, and Shares Verify permissions on SQL Server installation directories Verify that Everyone group does not have permissions to SQL Server files Secure setup log files Secure or remove tools, utilities, and SDKs Remove unnecessary shares Restrict access to required shares Secure registry keys with ACLs
29 SQL Security Set authentication to Windows only If you must use SQL Server authentication, ensure that authentication traffic is encrypted
30 SQL Auditing Log all failed Windows login attempts Preferably, also log successful ones Log successful and failed actions across the file system Enable SQL Server login auditing Enable SQL Server general auditing
31 Securing Database Objects Remove the sample databases Secure stored procedures Secure extended stored procedures Restrict cmdExec access to the sysadmin role
32 Using Views and Stored Procedures SQL queries may contain confidential information Use stored procedures whenever possible Use views instead of direct table access Implement security best practices for Web-based applications
33 Securing Web Applications Validate all data input Secure authentication and authorization Secure sensitive data Use least-privileged process and service accounts Configure auditing and logging Use structured exception handling
34 Top Ten Things to Protect SQL Server 1 Install the most recent service pack 2 Run MBSA 3 Configure Windows authentication 4 Isolate the server and back it up 5 Check the sa password 6 Limit privileges of SQL services 7 Block ports at your firewall 8 Use NTFS 9 Remove setup files and sample databases 10 Audit connections
35 Agenda Introduction Protecting Exchange Server Protecting SQL Server Securing Small Business Server Providing Data Security
36 Recognizing Threats Small Business Server plays many server roles External threats Internal threats Small Business Server is often connected to the Internet All components of Small Business Server must be secured Many settings secured by default
37 Protecting Against External Threats Configure password policies to require complex passwords Configure secure remote access Remote Web Workplace Remote Access Rename the Administrator account Implement Exchange and IIS security best practices Use a firewall
38 Using a Firewall
Diagram: Internet, Firewall, LAN
Included firewall features: ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition; Basic firewall functionality in SBS 2003, Standard Edition
Consider a separate firewall: SBS 2003 can communicate with an external firewall by using UPnP; ISA Server can provide application-layer protection
39 Protecting Against Internal Threats Implement an antivirus solution Implement a backup plan Run MBSA Control access permissions Educate users Do not use the server as a workstation Physically secure the server Limit user disk space Update the software
40 Agenda Introduction Protecting Exchange Server Protecting SQL Server Securing Small Business Server Providing Data Security
41 Role and Limitations of File Permissions Prevent unauthorized access Limit administrators Do not protect against intruders with physical access Encryption provides additional security
42 Role and Limitations of EFS
Benefit of EFS encryption: Ensures privacy of information; Uses robust public key technology
Danger of encryption: All access to data is lost if the private key is lost
Private keys on client computers: Keys are encrypted with derivative of user’s password; Private keys are only as secure as the password; Private keys are lost when user profile is lost
43 EFS Architecture
User mode: Applications, Win32 APIs, Crypto API, EFS Service
Kernel mode: I/O Manager, EFS.sys, NTFS
Encrypted on-disk data storage
44 EFS Differences Between Windows Versions Windows 2000 and newer Windows versions support EFS on NTFS partitions Windows XP and Windows Server 2003 include new features: Additional users can be authorized Offline files can be encrypted The triple-DES (3DES) encryption algorithm can replace DESX Use AES for encryption by default A password reset disk can be used EFS preserves encryption over WebDAV Data recovery agents are recommended Usability is enhanced
45 Implementing EFS: How to Do It Right Use Group Policy to disable EFS until ready for central implementation Plan and design policies Designate recovery agents Assign certificates Implement via Group Policy
46 Next Steps 1. Stay informed about security Sign up for security bulletins: http://www.microsoft.com/security/security bulletins/alerts2.asp Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/ 2. Get additional security training Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
47 Summary Securing Exchange, SQL and SBS are now key responsibilities of the IT Pro Additional protection is provided through EFS – especially important for laptops etc. In-depth security is a combination of security across network, host and application Use Microsoft Security Operational Guidelines
48 Thank You! Microsoft Security Site MSDN Security Site (Developers) http://www.microsoft.com/security http://msdn.microsoft.com/security TechNet Security Site (IT Professionals) http://www.microsoft.com/technet/security Copyright 2004 Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.