Implementing Application and Data Security
Rafal Lukawiecki, Strategic Consultant & Director, Project Botticelli Ltd
[email protected]
Agenda
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security
Defense in Depth
Using a layered approach:
  Increases an attacker’s risk of detection
  Reduces an attacker’s chance of success
Layers and the controls that belong at each:
  Policies, Procedures, & Awareness: user education
  Physical Security: guards, locks, tracking devices
  Perimeter: firewalls, VPN quarantine
  Internal Network: network segments, IPSec, NIDS
  Host: OS hardening, update management, authentication, HIDS
  Application: application hardening, antivirus
  Data: ACL, encryption
Why Application Security Matters
Perimeter defenses provide limited protection
Many host-based defenses are not application specific
Most modern attacks occur at the application layer
Why Data Security Matters
Secure your data as the last line of defense
  Configure file permissions
  Configure data encryption
Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Assign application accounts the minimal permissions they need
Apply defense-in-depth principles to increase protection
Assign only those permissions needed to perform required tasks
Exchange Security Dependencies
Exchange security is dependent on:
  Operating system security
  Network security
  IIS security (if you use OWA)
  Client security (Outlook)
  Active Directory security
Remember: Defense in Depth
Securing Exchange Servers
Exchange 2000 Back-End Servers
  Apply baseline security template and the Exchange back-end incremental template
Exchange 2000 Front-End Servers
  Apply baseline security template and the Exchange front-end incremental template
  Dismount private and public stores
Exchange 2000 OWA Server
  Apply IIS Lockdown, including URLScan
Exchange 2003 Back-End Server
  Apply protocol security templates
Exchange 2003 Front-End and OWA Server
  IIS Lockdown and URLScan integrated with IIS 6.0
  Use application isolation mode
Aspects of Exchange Server Security
Securing Access to Exchange Server
  Blocking unauthorized access
Securing Communications
  Blocking and encrypting communications
Blocking Spam
  Filtering incoming mail
  Relay restrictions: Don’t aid spammers!
Blocking Insecure E-Mail Messages
  Virus scanning
  Attachment blocking
Configuring Authentication, Part 1
Secure Outlook client authentication
  Configure Exchange & Outlook 2003 to use RPC over HTTPS
  Configure SPA to encrypt authentication for Internet protocol clients
Remember: Secure authentication does not equal encryption of data
Configuring Authentication, Part 2
OWA supports several authentication methods:

  Authentication Method        Considerations
  Basic authentication         Insecure, unless you require SSL
  Integrated authentication    Limited client support; issues across firewalls
  Digest authentication        Limited client support
  Forms-based authentication   Ability to customize authentication; wide client support; available with Exchange Server 2003
Securing Communications
Configure RPC encryption
  Client side setting
  Enforcement with ISA Server FP1
Firewall blocking
  Mail server publishing with ISA Server
Configure HTTPS for OWA
Use S/MIME for message encryption
Outlook 2003 Enhancements
  Kerberos authentication
  RPC over HTTPS
Encrypting a Message
(Diagram: Client 1, Client 2, an Active Directory domain controller, and two SMTP virtual servers, SMTP VS1 and SMTP VS2. Numbered steps shown:)
  1. New message
  2. Locate Client 2’s public key
  3. Message encrypted with a shared key
  4. Message sent using S/MIME
  5. Message arrives encrypted
  6. Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message
Blocking Spam – Exchange 2000
Close open relays!
Protect against address spoofing
Prevent Exchange from resolving recipient names to GAL accounts
Configure reverse DNS lookups
Blocking Spam – Exchange 2003
Use additional features in Exchange Server 2003:
  Support for real-time block lists
  Global deny and accept lists
  Sender and inbound recipient filtering
  Improved anti-relaying protection
  Integration with Outlook 2003 and third-party junk mail filtering
Blocking Insecure Messages
Implement antivirus gateways
  Monitor incoming and outgoing messages
  Update signatures often
Configure Outlook attachment security
  Web browser security determines whether attachments can be opened in OWA
Implement ISA Server
  Message Screener can block incoming messages
Using Permissions to Secure Exchange
Administration models
  Centralized
  Decentralized
Delegating permissions
  Creating administrative groups
  Using administrative roles
  Delegating administrative control
Enhancements in Exchange Server 2003
Many secure-by-default settings
More restrictive permissions
New mail transport features
New Internet Connection Wizard
Cross-forest authentication support
Top Ten Things to Secure Exchange
1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy
Basic Security Configuration
Apply service packs and patches
  Use MBSA to detect missing SQL updates
Disable unused services
  MSSQLSERVER (required)
  SQLSERVERAGENT
  MSSQLServerADHelper
  Microsoft Search
  Microsoft DTC
Common Database Server Threats and Countermeasures
(Diagram: browser, Web app and SQL Server, separated by a perimeter firewall and an internal firewall. Threats shown: unauthorized external access, SQL injection, password cracking, network eavesdropping.)
Network vulnerabilities: failure to block SQL ports
Configuration vulnerabilities: overprivileged service account, weak permissions, no certificate
Web app vulnerabilities: overprivileged accounts, weak input validation
Database Server Security Categories
Network: protocols, ports
Operating System: shares, services, accounts, auditing and logging, files and directories, registry
SQL Server Security: logins, users, and roles; database objects
Patches and updates
Network Security
Restrict SQL to TCP/IP
Harden the TCP/IP stack
Restrict ports
Operating System Security
Configure the SQL Server service account with the lowest possible permissions
Delete or disable unused accounts
Secure authentication traffic
Logins, Users, and Roles
Use a strong system administrator (sa) password
Remove the SQL guest user account
Remove the BUILTIN\Administrators server login
Do not grant permissions for the public role
Files, Directories, and Shares
Verify permissions on SQL Server installation directories
Verify that the Everyone group does not have permissions to SQL Server files
Secure setup log files
Secure or remove tools, utilities, and SDKs
Remove unnecessary shares
Restrict access to required shares
Secure registry keys with ACLs
SQL Security
Set authentication to Windows only
If you must use SQL Server authentication, ensure that authentication traffic is encrypted
SQL Auditing
Log all failed Windows login attempts
  Preferably, also log successful ones
Log successful and failed actions across the file system
Enable SQL Server login auditing
Enable SQL Server general auditing
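Login auditing only pays off if something reads the log. As an added Python example, not part of the presentation and not a SQL Server feature, here is detection logic over constructed error-log lines in the style SQL Server writes for failed logins: it parses the failures, counts them per client inside a sliding time window, and reports which login names are being targeted (the sa login in the sample, which is why the deck says to check its password). The log lines, timestamps, user names and client addresses are constructed; the threshold of five failures per minute is an assumption.

```python
# Added example: detection logic over constructed SQL Server error-log lines.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of the SQL Server error log (not real log data).
SAMPLE_LOG = [
    "2004-03-10 09:15:02.11 Logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2004-03-10 09:15:03.40 Logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2004-03-10 09:15:04.02 Logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2004-03-10 09:15:05.77 Logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2004-03-10 09:15:06.13 Logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2004-03-10 09:15:07.90 Logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2004-03-10 09:20:41.00 Logon     Login failed for user 'CONTOSO\\jsmith'. [CLIENT: 10.0.0.9]",
    "2004-03-10 09:20:55.00 Logon     Login succeeded for user 'CONTOSO\\jsmith'. [CLIENT: 10.0.0.9]",
]

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(lines):
    """Return (timestamp, user, client) for every failed-login line; other lines are ignored."""
    failures = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            failures.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                             m["user"], m["client"]))
    return failures


def find_bursts(failures, threshold=5, window=timedelta(minutes=1)):
    """Map client -> peak number of failures inside any sliding window of the given size,
    for clients that reach the threshold. Threshold and window are assumed values."""
    per_client = defaultdict(list)
    for ts, _user, client in sorted(failures):
        per_client[client].append(ts)
    alerts = {}
    for client, times in per_client.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1        # slide the window forward past old events
            count = end - start + 1
            if count >= threshold:
                alerts[client] = max(alerts.get(client, 0), count)
    return alerts


def targeted_accounts(failures):
    """Count failures per login name; a high count on 'sa' means the well-known
    administrator account is being guessed and its password and audit settings need checking."""
    return Counter(user for _ts, user, _client in failures)


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print(find_bursts(found))
    print(targeted_accounts(found))
```

On the sample, one client produces six failures against sa within a few seconds and is reported, while the single typo from the internal user is not; the successful login line is skipped by the parser, which is the one to keep in a separate count if the deck's advice to log successful logins as well is followed.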
Securing Database Objects
Remove the sample databases
Secure stored procedures
Secure extended stored procedures
Restrict cmdExec access to the sysadmin role
Using Views and Stored Procedures
SQL queries may contain confidential information
  Use stored procedures whenever possible
  Use views instead of direct table access
Implement security best practices for Web-based applications
Securing Web Applications
Validate all data input
Secure authentication and authorization
Secure sensitive data
Use least-privileged process and service accounts
Configure auditing and logging
Use structured exception handling
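The "use views instead of direct table access" and "validate all data input" items from the last two slides, as an added Python example (not the presentation's code) against an in-memory SQLite database standing in for SQL Server. The same injected input is run through a string-built query, a parameterized query over a view that omits the confidential salary column, and an allow-list validator. SQLite has no stored procedures, so the parameterized query stands in for that part of the advice; the table, rows and column names are constructed.

```python
# Added example: string-built vs parameterized queries, a restricted view, and
# allow-list validation, against an in-memory SQLite database (constructed data).
import sqlite3


def build_db():
    """Constructed sample database standing in for a SQL Server back end.
    The salary column is the confidential information a web page must not expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employees (name, dept, salary) VALUES
            ('Alice', 'Sales', 50000), ('Bob', 'Sales', 52000), ('Carol', 'Finance', 70000);
        -- The web application's login would be granted SELECT on this view only.
        CREATE VIEW employee_directory AS SELECT id, name, dept FROM employees;
    """)
    return conn


def lookup_vulnerable(conn, dept):
    """Concatenation: the user's input becomes part of the SQL text itself."""
    sql = "SELECT name FROM employees WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, dept):
    """Bound parameter: the value is never parsed as SQL, and the query reads the view,
    so even a successful trick could not reach the salary column."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM employee_directory WHERE dept = ?", (dept,))]


def validate_dept(dept, allowed=("Sales", "Finance")):
    """Allow-list input validation: anything that is not a known department is rejected
    before it gets near the database."""
    if dept not in allowed:
        raise ValueError("invalid department: %r" % (dept,))
    return dept


def view_columns(conn):
    """Column names the restricted view exposes (no salary)."""
    cur = conn.execute("SELECT * FROM employee_directory")
    return [d[0] for d in cur.description]


def demo():
    conn = build_db()
    injected = "Sales' OR '1'='1"                 # constructed tautology input
    leaked = lookup_vulnerable(conn, injected)    # every employee comes back
    safe = lookup_parameterized(conn, injected)   # no department has that literal name
    try:
        validate_dept(injected)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, safe, rejected, view_columns(conn)


if __name__ == "__main__":
    print(demo())
```

The three controls are independent layers: validation stops malformed input early, the bound parameter keeps whatever does arrive from being interpreted as SQL, and the view limits what a compromised query could return at all, which is the defense-in-depth point of the deck applied to one query.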
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
Recognizing Threats
Small Business Server plays many server roles
External threats
  Small Business Server is often connected to the Internet
Internal threats
  All components of Small Business Server must be secured
Many settings secured by default
Protecting Against External Threats
Configure password policies to require complex passwords
Configure secure remote access
  Remote Web Workplace
  Remote Access
Rename the Administrator account
Implement Exchange and IIS security best practices
Use a firewall
Using a Firewall
Included firewall features:
  ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
  Basic firewall functionality in SBS 2003, Standard Edition
Consider a separate firewall
  SBS 2003 can communicate with an external firewall by using UPnP
  ISA Server can provide application-layer protection
(Diagram: Internet, firewall, LAN)
Protecting Against Internal Threats
Implement an antivirus solution
Implement a backup plan
Run MBSA
Control access permissions
Educate users
Do not use the server as a workstation
Physically secure the server
Limit user disk space
Update the software
Role and Limitations of File Permissions
Prevent unauthorized access
Limit administrators
Do not protect against intruders with physical access
Encryption provides additional security
Role and Limitations of EFS
Benefit of EFS encryption
  Ensures privacy of information
  Uses robust public key technology
Danger of encryption
  All access to data is lost if the private key is lost
Private keys on client computers
  Keys are encrypted with a derivative of the user’s password
  Private keys are only as secure as the password
  Private keys are lost when the user profile is lost
EFS Architecture
(Diagram: user mode holds Applications, Win32 APIs, Crypto API and the EFS Service; kernel mode holds the I/O Manager, NTFS and EFS.sys, which write the encrypted on-disk data storage.)
EFS Differences Between Windows Versions
Windows 2000 and newer Windows versions support EFS on NTFS partitions
Windows XP and Windows Server 2003 include new features:
  Additional users can be authorized
  Offline files can be encrypted
  The triple-DES (3DES) encryption algorithm can replace DESX
  Use AES for encryption by default
  A password reset disk can be used
  EFS preserves encryption over WebDAV
  Data recovery agents are recommended
  Usability is enhanced
Implementing EFS: How to Do It Right
Use Group Policy to disable EFS until ready for central implementation
Plan and design policies
Designate recovery agents
Assign certificates
Implement via Group Policy
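The "Encrypting a Message" S/MIME flow earlier in the deck and the EFS recovery-agent advice above share one structure: the data is encrypted once with a random symmetric key, and that key is wrapped separately to each authorized public key (the recipient in S/MIME; the user plus the data recovery agent in EFS). The added Python example below is not the presentation's, Exchange's or Windows' code; it assumes the cryptography package is installed and uses RSA-OAEP and AES-GCM, which are stand-ins for the algorithms the products actually negotiated. It shows that the recipient and the recovery agent can both open the data, that a key which was never authorized cannot, and that the "all access is lost if the private key is lost" danger is exactly what the recovery agent's wrapped copy prevents.

```python
# Added example: hybrid encryption shared by S/MIME and EFS. Requires the
# 'cryptography' package (assumption); keys, names and message are constructed.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 wraps the content key; an assumption, not what
# Exchange 2003 or Windows XP actually used.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """Stand-in for the certificate and private key a user or recovery agent holds."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_for(public_keys, plaintext):
    """Encrypt once with a random content key (the S/MIME shared key or the EFS file
    encryption key), then wrap that key to every authorized public key. Returns the
    envelope: nonce, ciphertext and one wrapped copy of the key per authorized name."""
    content_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                       # GCM nonce, fresh for this content key
    ciphertext = AESGCM(content_key).encrypt(nonce, plaintext, None)
    wrapped = {name: pub.encrypt(content_key, OAEP) for name, pub in public_keys.items()}
    return {"nonce": nonce, "ciphertext": ciphertext, "wrapped_keys": wrapped}


def decrypt_with(name, private_key, envelope):
    """Unwrap the content key with one holder's private key, then decrypt the data.
    Raises ValueError when the private key does not match that wrapped copy."""
    content_key = private_key.decrypt(envelope["wrapped_keys"][name], OAEP)
    return AESGCM(content_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def demo():
    """Returns (recipient can read, recovery agent can read, unauthorized key fails)."""
    user = generate_keypair()
    recovery_agent = generate_keypair()
    stranger = generate_keypair()                 # never authorized for this data
    message = b"Quarterly figures, internal only"  # constructed

    envelope = encrypt_for({"user": user.public_key(),
                            "recovery_agent": recovery_agent.public_key()}, message)

    by_user = decrypt_with("user", user, envelope)
    # The user's profile, and with it the private key, is lost: the recovery
    # agent's wrapped copy is the only remaining way back to the data.
    by_agent = decrypt_with("recovery_agent", recovery_agent, envelope)
    try:
        decrypt_with("user", stranger, envelope)
        stranger_blocked = False
    except ValueError:
        stranger_blocked = True
    return by_user == message, by_agent == message, stranger_blocked


if __name__ == "__main__":
    print(demo())
```

Adding an authorized user in Windows XP and later is the same operation as adding the recovery agent here: one more wrapped copy of the content key, with the data itself encrypted only once. Removing the recovery-agent entry from the dictionary turns the "private key lost" case into permanent loss of the data, which is the danger the EFS slide warns about.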
Next Steps
1. Stay informed about security
  Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
  Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
  Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
  Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
Summary
Securing Exchange, SQL and SBS are now key responsibilities of the IT Pro
Additional protection is provided through EFS – especially important for laptops etc.
In-depth security is a combination of security across network, host and application
Use Microsoft Security Operational Guidelines
Thank You!
Microsoft Security Site: http://www.microsoft.com/security
MSDN Security Site (Developers): http://msdn.microsoft.com/security
TechNet Security Site (IT Professionals): http://www.microsoft.com/technet/security
Copyright 2004 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.