Professional Documents
Culture Documents
com/technet
Implementing Application
Security
Wayne Harris MCSE
Senior Consultant
Certified Security Solutions
Defense-in-Depth
Using a layered approach
Increases an attackers risk of detection
Reduces an attackers chance of success
Data
Application
Host
Internal Network
Perimeter
Physical Security
Policies, Procedures, & Awareness
TNTx-xx
http://www.microsoft.com/technet
Network
Shares
Services
Accounts
Registry
Protocols
Ports
Security Updates
Operating System
Application-Specific Security
TNTx-xx
http://www.microsoft.com/technet
Network
Active Directory
Security
Client Security
Shares
Services
Accounts
Registry
Protocols
Ports
Security Updates
Operating System
IIS Security
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
Considerations
Basic authentication
Integrated Windows
authentication
Digest authentication
Forms-based authentication
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
Locate
Client 2s
public key
4
SMTP
Server
As message
is sent it is
encapsulated
using S/MIME
SMTP
Server
Create a new
message
5
3
Client 1
Client 2s
private key is
used to decrypt
the shared key,
and the shared
key is used to
decrypt the
message
Message
arrives
encrypted
Client 2
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
Store threshold
User
mailbox
Recipient filtering
Spam
Yes
No
Sender filtering
Intelligent
Message Filter
(Gateway
Threshold)
Safe
Blocked
sender sender
Y
N Y
N
Inbox
Junk
Inbox
TNTx-xx
http://www.microsoft.com/technet
10
TNTx-xx
http://www.microsoft.com/technet
Password
Cracking
Network
Eavesdropping
SQL
Injection
Perimeter Firewall
Browser
Unauthorized
External Access
Internal Firewall
SQL Server
Web App
Network Vulnerabilities
Failure to block SQL ports
Configuration Vulnerabilities
Overprivileged service account
Weak permissions
No certificate
TNTx-xx
http://www.microsoft.com/technet
Network
Shares
Services
Accounts
Registry
Protocols
Ports
Operating System
SQL Server
Network Security
Restrict SQL to TCP/IP
Control who can connect to the server via IPSec policy
Enforce Kerberos authentication
Harden the TCP/IP stack
Restrict ports
Block all ports with the exception of the SQL Server port
and ports required for authentication
Configure IPSec to restrict access to ports 1433 and
1434
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
Use NTFS
10
Audit connections
Use SQL Server Best Practices Analyzer to examine the SQL Server
configuration based on Microsoft best practices
TNTx-xx
http://www.microsoft.com/technet
URLScan
URLScan helps prevent potentially harmful requests
from reaching the server
URLScan restricts the types of HTTP requests that IIS
will process:
Requests for long URLs
Requests using alternate character sets
Requests containing disallowed methods
Requests matching any pattern
IIS 6.0 implements most of the URLScan functions so
URL scan is only required to enable customized content
blocking
Harden the operating system and apply all relevant security updates
Configure URLScan
Do not enable both the Execute and Write permissions on the same Web
site
10
Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the
Web server
TNTx-xx
http://www.microsoft.com/technet
Description
Locked-down
server
Web service
extensions list
Default lowprivilege account
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
TNTx-xx
http://www.microsoft.com/technet
Session Summary
TNTx-xx