
Page 1: Implementing Application and Data Security
Rafal Lukawiecki
Strategic Consultant & Director
Project Botticelli Ltd
rafal@projectbotticelli.co.uk

Page 2: Agenda
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Page 3: Defense in Depth
Using a layered approach:
  Increases an attacker's risk of detection
  Reduces an attacker's chance of success
Layers and the controls that belong to each (from the slide's diagram):
  Policies, Procedures, & Awareness: user education
  Physical Security: guards, locks, tracking devices
  Perimeter: firewalls, VPN quarantine
  Internal Network: network segments, IPSec, NIDS
  Host: OS hardening, update management, authentication, HIDS
  Application: application hardening, antivirus
  Data: ACL, encryption

Page 4: Why Application Security Matters
Perimeter defenses provide limited protection
Many host-based defenses are not application specific
Most modern attacks occur at the application layer

Page 5: Why Data Security Matters
Secure your data as the last line of defense
  Configure file permissions
  Configure data encryption
Protects the confidentiality of information when physical security is compromised

Page 6: Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Application accounts should be assigned the minimal permissions
Apply defense-in-depth principles to increase protection
Assign only those permissions needed to perform required tasks

Page 7: Agenda
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Page 8: Exchange Security Dependencies
Exchange security is dependent on:
  Operating system security
  Network security
  IIS security (if you use OWA)
  Client security (Outlook)
  Active Directory security
Remember: Defense in Depth

Page 9: Securing Exchange Servers
Exchange 2000 Back-End Servers
  Apply baseline security template and the Exchange back-end incremental template
Exchange 2000 Front-End Servers
  Apply baseline security template and the Exchange front-end incremental template
  Dismount private and public stores
Exchange 2000 OWA Server
  Apply IIS Lockdown, including URLScan
Exchange 2003 Back-End Server
  Apply protocol security templates
Exchange 2003 Front-End and OWA Server
  IIS Lockdown and URLScan integrated with IIS 6.0
  Use application isolation mode

Page 10: Aspects of Exchange Server Security
Securing Access to Exchange Server
  Blocking unauthorized access
Securing Communications
  Blocking and encrypting communications
Blocking Spam
  Filtering incoming mail
  Relay restrictions: Don't aid spammers!
Blocking Insecure E-Mail Messages
  Virus scanning
  Attachment blocking

Page 11: Configuring Authentication, Part 1
Secure Outlook client authentication
  Configure Exchange & Outlook 2003 to use RPC over HTTPS
  Configure SPA to encrypt authentication for Internet protocol clients
Remember: Secure authentication does not equal encryption of data

Page 12: Configuring Authentication, Part 2
OWA supports several authentication methods:

Authentication method         Considerations
Basic authentication          Insecure, unless you require SSL
Integrated authentication     Limited client support; issues across firewalls
Digest authentication         Limited client support
Forms-based authentication    Ability to customize authentication; wide client support; available with Exchange Server 2003

Page 13: Securing Communications
Configure RPC encryption
  Client side setting
  Enforcement with ISA Server FP1
Firewall blocking
  Mail server publishing with ISA Server
Configure HTTPS for OWA
Use S/MIME for message encryption
Outlook 2003 Enhancements
  Kerberos authentication
  RPC over HTTPS

Page 14: Encrypting a Message
Diagram: Client 1 and Client 2, each behind its own SMTP virtual server (SMTP VS1, SMTP VS2), with an Active Directory domain controller holding the public keys. The numbered steps of the diagram:
1. New message
2. Locate Client 2's public key
3. Message encrypted with a shared key
4. Message sent using S/MIME
5. Message arrives encrypted
6. Client 2's private key is used to decrypt the shared key, and the shared key is used to decrypt the message

Page 15: Blocking Spam – Exchange 2000
Close open relays!
Protect against address spoofing
Prevent Exchange from resolving recipient names to GAL accounts
Configure reverse DNS lookups

Page 16: Blocking Spam – Exchange 2003
Use additional features in Exchange Server 2003:
  Support for real-time block lists
  Global deny and accept lists
  Sender and inbound recipient filtering
  Improved anti-relaying protection
  Integration with Outlook 2003 and third-party junk mail filtering

Page 17: Blocking Insecure Messages
Implement antivirus gateways
  Monitor incoming and outgoing messages
  Update signatures often
Configure Outlook attachment security
  Web browser security determines whether attachments can be opened in OWA
Implement ISA Server
  Message Screener can block incoming messages

Page 18: Using Permissions to Secure Exchange
Administration models
  Centralized
  Decentralized
Delegating permissions
  Creating administrative groups
  Using administrative roles
  Delegating administrative control

Page 19: Enhancements in Exchange Server 2003
Many secure-by-default settings
More restrictive permissions
New mail transport features
New Internet Connection Wizard
Cross-forest authentication support

Page 20: Top Ten Things to Secure Exchange
1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy

Page 21: Agenda
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Page 22: Basic Security Configuration
Apply service packs and patches
  Use MBSA to detect missing SQL updates
Disable unused services
  MSSQLSERVER (required)
  SQLSERVERAGENT
  MSSQLServerADHelper
  Microsoft Search
  Microsoft DTC

Page 23: Common Database Server Threats and Countermeasures
Diagram: Browser, Perimeter Firewall, Web App, Internal Firewall, SQL Server, in that order along the request path.
Threats: Unauthorized External Access; SQL Injection; Password Cracking; Network Eavesdropping
Network Vulnerabilities: Failure to block SQL ports
Configuration Vulnerabilities: Overprivileged service account; Weak permissions; No certificate
Web App Vulnerabilities: Overprivileged accounts; Weak input validation

Page 24: Database Server Security Categories
Network: Protocols; Ports
Operating System: Patches and Updates; Shares; Services; Accounts; Auditing and Logging; Files and Directories; Registry
SQL Server: SQL Server Security; Logins, Users, and Roles; Database Objects

Page 25: Network Security
Restrict SQL to TCP/IP
Harden the TCP/IP stack
Restrict ports

Page 26: Operating System Security
Configure the SQL Server service account with the lowest possible permissions
Delete or disable unused accounts
Secure authentication traffic

Page 27: Logins, Users, and Roles
Use a strong system administrator (sa) password
Remove the SQL guest user account
Remove the BUILTIN\Administrators server login
Do not grant permissions for the public role

Page 28: Files, Directories, and Shares
Verify permissions on SQL Server installation directories
Verify that the Everyone group does not have permissions to SQL Server files
Secure setup log files
Secure or remove tools, utilities, and SDKs
Remove unnecessary shares
Restrict access to required shares
Secure registry keys with ACLs

Page 29: SQL Security
Set authentication to Windows only
If you must use SQL Server authentication, ensure that authentication traffic is encrypted

Page 30: SQL Auditing
Log all failed Windows login attempts
  Preferably, also log successful ones
Log successful and failed actions across the file system
Enable SQL Server login auditing
Enable SQL Server general auditing
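Login auditing is only useful if someone reads the log. The following is an added example (not code from the presentation) of the kind of detection you would run over SQL Server login-audit lines once auditing from this slide is enabled: it flags bursts of failed logins from one client against one login, and notes when a success followed the burst. The log lines are constructed and only approximate the ERRORLOG format; the threshold and window are assumptions.

```python
"""Detect password-guessing bursts in SQL Server login-audit lines.

Added example; the sample log lines below are constructed and only
approximate what SQL Server writes when login auditing is enabled.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real ERRORLOG excerpt).
SAMPLE_LOG = """\
2004-03-01 09:00:01.10 logon     Login succeeded for user 'CORP\\alice'. Connection: trusted. [CLIENT: 10.1.2.3]
2004-03-01 09:00:05.30 logon     Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2004-03-01 09:00:06.10 logon     Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2004-03-01 09:00:06.90 logon     Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2004-03-01 09:00:07.50 logon     Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2004-03-01 09:00:08.20 logon     Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2004-03-01 09:00:09.00 logon     Login succeeded for user 'sa'. Connection: non-trusted. [CLIENT: 192.0.2.44]
2004-03-01 09:30:00.00 logon     Login failed for user 'CORP\\bob'. [CLIENT: 10.1.2.9]
"""

# Timestamp, "logon" source, result, login name and client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse(log_text):
    """Return (timestamp, result, user, client) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["client"]))
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, client) pairs with at least `threshold` failures inside a
    sliding `window`; record whether a success from the same pair followed.
    Threshold and window are assumed values, tune them to your environment."""
    recent_failures = defaultdict(list)
    alerts = {}
    for ts, result, user, client in events:
        key = (user, client)
        if result == "failed":
            # keep only failures that are still inside the window
            kept = [t for t in recent_failures[key] if ts - t <= window]
            kept.append(ts)
            recent_failures[key] = kept
            if len(kept) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(kept), "success_after": False}
        elif key in alerts:
            # a success right after a burst of failures deserves the most attention
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (user, client), info in find_password_guessing(parse(SAMPLE_LOG)).items():
        print(f"{user} from {client}: {info}")
```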

Page 31: Securing Database Objects
Remove the sample databases
Secure stored procedures
Secure extended stored procedures
Restrict cmdExec access to the sysadmin role

Page 32: Using Views and Stored Procedures
SQL queries may contain confidential information
Use stored procedures whenever possible
Use views instead of direct table access
Implement security best practices for Web-based applications

Page 33: Securing Web Applications
Validate all data input
Secure authentication and authorization
Secure sensitive data
Use least-privileged process and service accounts
Configure auditing and logging
Use structured exception handling
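Slide 23 lists SQL injection and weak input validation as the web-application threats, and slides 32 and 33 give the countermeasures (views instead of direct table access, validate all input). The following added example (not code from the presentation) puts the weak lookup beside the hardened one: the hardened version applies two independent layers, an allow-list on the user name and parameter binding, so that either alone already stops the malformed input. It uses an in-memory sqlite3 database as a stand-in for SQL Server; table, view and sample rows are constructed.

```python
"""Weak vs. hardened user lookup: input validation plus parameter binding.

Added example using sqlite3 as a stand-in for SQL Server; the users table,
the view and the sample rows are constructed.
"""
import re
import sqlite3

# Constructed sample rows standing in for a users table.
SAMPLE_USERS = [
    ("alice", "hash-a", "alice@example.com"),
    ("bob", "hash-b", "bob@example.com"),
]

# Allow-list: the only characters a login name may contain (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def make_db():
    """In-memory database with a users table and a view that hides pwhash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    # Application code reads the view, never the table, so even a successful
    # injection cannot reach the password hashes (slide 32).
    conn.execute("CREATE VIEW user_directory AS SELECT name, email FROM users")
    return conn


def lookup_weak(conn, name):
    """Vulnerable pattern: query text assembled from raw user input."""
    sql = "SELECT name, email FROM user_directory WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Layer 2 only: the input is bound as a parameter, never spliced into SQL."""
    sql = "SELECT name, email FROM user_directory WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_hardened(conn, name):
    """Layer 1 (allow-list validation) in front of layer 2 (parameter binding)."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("user name rejected by input validation")
    return lookup_bound(conn, name)


def demo():
    """Run the three lookups against a constructed malformed input."""
    conn = make_db()
    bad = "x' OR '1'='1"  # constructed input carrying a quote and a tautology
    weak = lookup_weak(conn, bad)        # WHERE clause is now always true
    bound = lookup_bound(conn, bad)      # compared literally: no such user
    try:
        lookup_hardened(conn, bad)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return {"weak_rows": len(weak), "bound_rows": len(bound), "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```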

Page 34: Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections

Page 35: Agenda
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Page 36: Recognizing Threats
Small Business Server plays many server roles
External threats
  Small Business Server is often connected to the Internet
Internal threats
  All components of Small Business Server must be secured
Many settings secured by default

Page 37: Protecting Against External Threats
Configure password policies to require complex passwords
Configure secure remote access
  Remote Web Workplace
  Remote Access
Rename the Administrator account
Implement Exchange and IIS security best practices
Use a firewall

Page 38: Using a Firewall
Included firewall features:
  ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
  Basic firewall functionality in SBS 2003, Standard Edition
Consider a separate firewall
  SBS 2003 can communicate with an external firewall by using UPnP
  ISA Server can provide application-layer protection
Diagram: Internet, firewall, LAN (the firewall sits between the Internet and the LAN)

Page 39: Protecting Against Internal Threats
Implement an antivirus solution
Implement a backup plan
Run MBSA
Control access permissions
Educate users
Do not use the server as a workstation
Physically secure the server
Limit user disk space
Update the software

Page 40: Agenda
Introduction
Protecting Exchange Server
Protecting SQL Server
Securing Small Business Server
Providing Data Security

Page 41: Role and Limitations of File Permissions
Prevent unauthorized access
Limit administrators
Do not protect against intruders with physical access
Encryption provides additional security

Page 42: Role and Limitations of EFS
Benefit of EFS encryption
  Ensures privacy of information
  Uses robust public key technology
Danger of encryption
  All access to data is lost if the private key is lost
Private keys on client computers
  Keys are encrypted with a derivative of the user's password
  Private keys are only as secure as the password
  Private keys are lost when the user profile is lost

Page 43: EFS Architecture
Diagram of the components, by mode:
  User mode: Applications, Win32 APIs, Crypto API, EFS Service
  Kernel mode: I/O Manager, NTFS, EFS.sys
  Encrypted on-disk data storage below the kernel-mode stack

Page 44: EFS Differences Between Windows Versions
Windows 2000 and newer Windows versions support EFS on NTFS partitions
Windows XP and Windows Server 2003 include new features:
  Additional users can be authorized
  Offline files can be encrypted
  The triple-DES (3DES) encryption algorithm can replace DESX
  Use AES for encryption by default
  A password reset disk can be used
  EFS preserves encryption over WebDAV
  Data recovery agents are recommended
  Usability is enhanced

Page 45: Implementing EFS: How to Do It Right
Use Group Policy to disable EFS until ready for central implementation
Plan and design policies
Designate recovery agents
Assign certificates
Implement via Group Policy

Page 46: Next Steps
1. Stay informed about security
  Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
  Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
  Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
  Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

Page 47: Summary
Securing Exchange, SQL and SBS is now a key responsibility of the IT Pro
Additional protection is provided through EFS – especially important for laptops etc.
In-depth security is a combination of security across network, host and application
Use Microsoft Security Operational Guidelines

Page 48: Thank You!
Microsoft Security Site: http://www.microsoft.com/security
MSDN Security Site (Developers): http://msdn.microsoft.com/security
TechNet Security Site (IT Professionals): http://www.microsoft.com/technet/security

Copyright 2004 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.