Implementing Application and Data Security

Rafal Lukawiecki, Strategic Consultant & Director, Project Botticelli Ltd, rafal@projectbotticelli.co.uk

Post on 17-Jan-2016


  • Implementing Application and Data Security
    Rafal Lukawiecki, Strategic Consultant & Director, Project Botticelli Ltd
    rafal@projectbotticelli.co.uk

    *

    Agenda
      - Introduction
      - Protecting Exchange Server
      - Protecting SQL Server
      - Securing Small Business Server
      - Providing Data Security

    *

    Defense in Depth
    Using a layered approach:
      - Increases an attacker's risk of detection
      - Reduces an attacker's chance of success

    Layers and example controls:
      - Policies, Procedures, & Awareness: User education
      - Physical Security: Guards, locks, tracking devices
      - Perimeter: Firewalls, VPN quarantine
      - Internal Network: Network segments, IPSec, NIDS
      - Host: OS hardening, update management, authentication, HIDS
      - Application: Application hardening, antivirus
      - Data: ACL, encryption

    *

    Why Application Security Matters
      - Perimeter defenses provide limited protection
      - Many host-based defenses are not application specific
      - Most modern attacks occur at the application layer

    *

    Why Data Security Matters
      - Secure your data as the last line of defense
      - Configure file permissions
      - Configure data encryption
          - Protects the confidentiality of information when physical security is compromised

    *

    Application Server Best Practices
      - Configure security on the base operating system
      - Apply operating system and application service packs and patches
      - Install or enable only those services that are required
      - Application accounts should be assigned the minimal permissions
      - Apply defense-in-depth principles to increase protection
      - Assign only those permissions needed to perform required tasks

    *

    Agenda
      - Introduction
      - Protecting Exchange Server
      - Protecting SQL Server
      - Securing Small Business Server
      - Providing Data Security

    *

    Exchange Security Dependencies
    Exchange security is dependent on:
      - Operating system security
      - Network security
      - IIS security (if you use OWA)
      - Client security (Outlook)
      - Active Directory security
    Remember: Defense in Depth

    *

    Securing Exchange Servers
      - Exchange 2000 Back-End Servers
          - Apply baseline security template and the Exchange back-end incremental template
      - Exchange 2000 Front-End Servers
          - Apply baseline security template and the Exchange front-end incremental template
          - Dismount private and public stores
      - Exchange 2000 OWA Server
          - Apply IIS Lockdown, including URLScan
      - Exchange 2003 Back-End Server
          - Apply protocol security templates
      - Exchange 2003 Front-End and OWA Server
          - IIS Lockdown and URLScan integrated with IIS 6.0
          - Use application isolation mode

    *

    Aspects of Exchange Server Security
      - Securing Access to Exchange Server
          - Blocking unauthorized access
      - Securing Communications
          - Blocking and encrypting communications
      - Blocking Spam
          - Filtering incoming mail
          - Relay restrictions: Don't aid spammers!
      - Blocking Insecure E-Mail Messages
          - Virus scanning
          - Attachment blocking

    *

    Configuring Authentication, Part 1
      - Secure Outlook client authentication
      - Configure Exchange & Outlook 2003 to use RPC over HTTPS
      - Configure SPA to encrypt authentication for Internet protocol clients
    Remember: Secure authentication does not equal encryption of data

    *

    Configuring Authentication, Part 2
    OWA supports several authentication methods:

    *

    Securing Communications
      - Configure RPC encryption
          - Client side setting
          - Enforcement with ISA Server FP1
      - Firewall blocking
          - Mail server publishing with ISA Server
      - Configure HTTPS for OWA
      - Use S/MIME for message encryption
      - Outlook 2003 Enhancements
          - Kerberos authentication
          - RPC over HTTPS

    *

    Encrypting a Message
    Diagram components: Active Directory Domain Controller, Client 1, Client 2, SMTP VS 1, SMTP VS 2
      1. New message
      2. Locate Client 2's public key
      3. Message encrypted with a shared key
      4. Message sent using S/MIME
      5. Message arrives encrypted
      6. Client 2's private key is used to decrypt the shared key, and the shared key is used to decrypt the message

    *

    Blocking Spam: Exchange 2000
      - Close open relays!
      - Protect against address spoofing
      - Prevent Exchange from resolving recipient names to GAL accounts
      - Configure reverse DNS lookups

    *

    Blocking Spam: Exchange 2003
    Use additional features in Exchange Server 2003:
      - Support for real-time block lists
      - Global deny and accept lists
      - Sender and inbound recipient filtering
      - Improved anti-relaying protection
      - Integration with Outlook 2003 and third-party junk mail filtering

    *

    Blocking Insecure Messages
      - Implement antivirus gateways
          - Monitor incoming and outgoing messages
          - Update signatures often
      - Configure Outlook attachment security
          - Web browser security determines whether attachments can be opened in OWA
      - Implement ISA Server
          - Message Screener can block incoming messages

    *

    Using Permissions to Secure Exchange
      - Administration models
          - Centralized
          - Decentralized
      - Delegating permissions
          - Creating administrative groups
          - Using administrative roles
          - Delegating administrative control

    *

    Enhancements in Exchange Server 2003

      - Many secure-by-default settings
      - More restrictive permissions
      - New mail transport features
      - New Internet Connection Wizard
      - Cross-forest authentication support

    *

    Top Ten Things to Secure Exchange
      1. Install the latest service pack
      2. Install all applicable security patches
      3. Run MBSA
      4. Check relay settings
      5. Disable or secure well-known accounts
      6. Use a layered antivirus approach
      7. Use a firewall
      8. Evaluate ISA Server
      9. Secure OWA
      10. Implement a backup strategy

    *

    Agenda
      - Introduction
      - Protecting Exchange Server
      - Protecting SQL Server
      - Securing Small Business Server
      - Providing Data Security

    *

    Basic Security Configuration
      - Apply service packs and patches
      - Use MBSA to detect missing SQL updates
      - Disable unused services
          - MSSQLSERVER (required)
          - SQLSERVERAGENT
          - MSSQLServerADHelper
          - Microsoft Search
          - Microsoft DTC

    *

    Common Database Server Threats and Countermeasures

    *

    Database Server Security Categories

    *

    Network Security
      - Restrict SQL to TCP/IP
      - Harden the TCP/IP stack
      - Restrict ports

    *

    Operating System Security
      - Configure the SQL Server service account with the lowest possible permissions
      - Delete or disable unused accounts
      - Secure authentication traffic

    *

    Logins, Users, and Roles
      - Use a strong system administrator (sa) password
      - Remove the SQL guest user account
      - Remove the BUILTIN\Administrators server login
      - Do not grant permissions for the public role

    *

    Files, Directories, and Shares
      - Verify permissions on SQL Server installation directories
      - Verify that Everyone group does not have permissions to SQL Server files
      - Secure setup log files
      - Secure or remove tools, utilities, and SDKs
      - Remove unnecessary shares
      - Restrict access to required shares
      - Secure registry keys with ACLs

    *

    SQL Security

      - Set authentication to Windows only
      - If you must use SQL Server authentication, ensure that authentication traffic is encrypted

    *

    SQL Auditing
      - Log all failed Windows login attempts
          - Preferably, also log successful ones
      - Log successful and failed actions across the file system
      - Enable SQL Server login auditing
      - Enable SQL Server general auditing

    *

    Securing Database Objects
      - Remove the sample databases
      - Secure stored procedures
      - Secure extended stored procedures
      - Restrict cmdExec access to the sysadmin role
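
The SQL Server checklist items from the preceding slides (authentication mode, login auditing, sa and BUILTIN\Administrators, guest, public, sample databases, extended stored procedures, CmdExec) expressed as read-only T-SQL queries. This is an added example, not part of the original deck; it assumes SQL Server 2005 or later for the sys.* catalog views, and xp_cmdshell is picked here as the extended stored procedure to check, which the slides do not name.

```sql
-- Added example: read-only audit queries. Assumes SQL Server 2005 or later
-- (sys.* catalog views) and a sysadmin connection.

-- Authentication mode: 1 = Windows only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Login auditing level (none / success / failure / all).
EXEC xp_loginconfig 'audit level';

-- sa (matched by SID, so a renamed sa is still found) and BUILTIN\Administrators.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE sid = 0x01 OR name = N'BUILTIN\Administrators';

-- SQL logins that skip the Windows password policy.
SELECT name, is_policy_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0;

-- guest can enter the current database only if it holds CONNECT.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'guest' AND pe.permission_name = N'CONNECT';

-- Object permissions granted to public on non-system objects.
SELECT s.name AS schema_name, o.name AS object_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = pe.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE pr.name = N'public' AND pe.class = 1 AND o.is_ms_shipped = 0;

-- Sample databases still present (names used by Microsoft's samples).
SELECT name FROM sys.databases
WHERE name IN (N'Northwind', N'pubs') OR name LIKE N'AdventureWorks%';

-- xp_cmdshell state (assumed here as the extended procedure to check first).
SELECT name, value_in_use FROM sys.configurations WHERE name = N'xp_cmdshell';

-- SQL Agent job steps that run operating-system commands (CmdExec), with owners.
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS owner, st.step_name
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS st ON st.job_id = j.job_id
WHERE st.subsystem = N'CmdExec';
```

The guest and public queries report on the current database only, so run them once per user database.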

    *

    Using Views and Stored Procedures
      - SQL queries may contain confidential information
      - Use stored procedures whenever possible
      - Use views instead of direct table access
      - Implement security best practices for Web-based applications

    *

    Securing Web Applications
      - Validate all data input
      - Secure authentication and authorization
      - Secure sensitive data
      - Use least-privileged process and service accounts
      - Configure auditing and logging
      - Use structured exception handling

    *

    Top Ten Things to Protect SQL Server
      1. Install the most recent service pack
      2. Run MBSA
      3. Configure Windows authentication
      4. Isolate the server and back it up
      5. Check the sa password
      6. Limit privileges of SQL services
      7. Block ports at your firewall
      8. Use NTFS
      9. Remove setup files and sample databases
      10. Audit connections

    *

    Agenda
      - Introduction
      - Protecting Exchange Server
      - Protecting SQL Server
      - Securing Small Business Server
      - Providing Data Security

    *

    Recognizing Threats
      - Small Business Server plays many server roles
      - External threats
          - Small Business Server is often connected to the Internet
      - Internal threats
          - All components of Small Business Server must be secured
      - Many settings secured by default

    *

    Protecting Against External Threats
      - Configure password policies to require complex passwords
      - Configure secure remote access
          - Remote Web Workplace
          - Remote Access
      - Rename the Administrator account
      - Implement Exchange and IIS security best practices
      - Use a firewall

    *

    Using a Firewall
      - Included firewall features:
          - ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
          - Basic firewall functionality in SBS 2003, Standard Edition
      - Consider a separate firewall
          - SBS 2003 can communicate with an external firewall by using UPnP
          - ISA Server can provide application-layer protection
    Diagram: Internet, Firewall, LAN

    *

    Protecting Against Internal Threats
      - Implement an antivirus solution
      - Implement a backup plan
      - Run MBSA
      - Control access permissions
      - Educate users
      - Do not use the server as a workstation
      - Physically secure the server
      - Limit user disk space
      - Update the software

    *

    Agenda
      - Introduction
      - Protecting Exchange Server
      - Protecting SQL Server
      - Securing Small Business Server
      - Providing Data Security

    *

    Role and Limitations of File Permissions
      - Prevent unauthorized access
      - Limit administrators
      - Do not protect against intruders with physical access
      - Encryption provides additional security

    *

    Role and Limitations of EFS
      - Benefit of EFS encryption
          - Ensures privacy of information
          - Uses robust public key technology
      - Danger of encryption
          - All access to data is lost if the private key is lost
      - Private keys on client computers
          - Keys are encrypted with derivative of user's password
          - Private keys are only as secure as the password
          - Private keys are lost when user profile is lost

    *

    EFS Architecture

    *

    EFS Differences Between Windows Versions
      - Windows 2000 and newer Windows versions support EFS on NTFS partitions
      - Windows XP and Windows Server
