Implementing Application and Data Security
Fred Baumhardt, Senior Consultant – Security and Architecture, Microsoft Consulting Services - UK

Why Application Security Matters
- Perimeter defences provide limited protection
- Many host-based defences are not application specific
- Most modern attacks occur at the application layer

Why Data Security Matters
- Secure your data as the last line of defence
- Configure file permissions
- Configure data encryption
- Protects the confidentiality of information when physical security is compromised

Application Server Best Practices
- Configure security on the base operating system
- Apply operating system and application service packs and patches
- Install or enable only those services that are required
- Application accounts should be assigned the minimal permissions
- Apply defence-in-depth principles to increase protection
- Assign only those permissions needed to perform required tasks

Agenda
- Introduction
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security

Exchange Security Dependencies
- Exchange security is dependent on:
  - Operating system security
  - Network security
  - IIS security (if you use OWA)
  - Client security (Outlook)
  - Active Directory security
- Remember: defence in depth

Exchange Comms Architecture.

Securing Communications
- Configure RPC encryption
  - Client side setting
  - Enforcement with ISA Server FP1, 2004
- Firewall blocking
  - Mail server publishing with ISA Server
- Configure HTTPS for OWA
- Use S/MIME for message encryption
- Outlook 2003 enhancements
  - Kerberos authentication
  - RPC over HTTPS

Connection Strategies

| Method | Experience | Complexity | Security |
|---|---|---|---|
| POP3/IMAP4 via SSL with SMTP | Basic | Medium/High | Medium |
| OWA via SSL with ISA | Moderate | Low | Full |
| VPN – PPTPv2 | Full | High | Full |
| Secure RPC with ISA | Full | Medium | Full |
| RPC over HTTP | Full | Medium/Low | Full in None Out |

Blocking Spam – Exchange 2000
- Close open relays!
- Protect against address spoofing
- Prevent Exchange from resolving recipient names to GAL accounts
- Configure reverse DNS lookups
- Implement third-party anti-spam; no native tools exist
- Check out ORDB.org to give you some examples, and sample filter

Blocking Spam – Exchange 2003
- Use additional features in Exchange Server 2003
  - Support for real-time block lists
  - Global deny and accept lists
  - Sender and inbound recipient filtering
  - Improved anti-relaying protection
  - Integration with Outlook 2003 and third-party junk mail filtering
- Intelligent Message Filter now available

Blocking Insecure Messages
- Implement antivirus gateways
  - Monitor incoming and outgoing messages
  - Update signatures often
- Configure Outlook attachment security
  - Web browser security determines whether attachments can be opened in OWA
- Implement ISA Server
  - Message Screener can block incoming messages
  - OWA, RPC/HTTP, RPC, SMTP can all be locked down with it

Enhancements in Exchange Server 2003
- Many secure-by-default settings
- More restrictive permissions
- New mail transport features
- New Internet Connection Wizard
- Cross-forest authentication support

Top Ten Things to Secure Exchange
- Install the latest service pack
- Install all applicable security patches
- Run MBSA
- Check relay settings
- Disable or secure well-known accounts
- Use a layered antivirus approach
- Use a firewall
- Evaluate ISA Server
- Secure OWA
- Implement a backup strategy

Agenda
- Introduction
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security

Basic Security Configuration
- Apply service packs and patches
- Use MBSA to detect missing SQL updates
- Enforce required services
  - MSSQLSERVER
  - SQLSERVERAGENT (replication, monitoring, scheduled jobs, auto restart, event firing)
- Disable unused services to fit role
  - MSSQLServerADHelper (if no AD integration)
  - Microsoft Search (if no FTSearch required)
  - Microsoft DTC (if not clustered)

Common Database Server Threats and Countermeasures
[Diagram: Browser, Web App and SQL Server, separated by a Perimeter Firewall and an Internal Firewall]
- Threats: Unauthorized External Access, SQL Injection, Password Cracking, Network Eavesdropping
- Network Vulnerabilities: Failure to block SQL ports
- Configuration Vulnerabilities: Overprivileged service account, Weak permissions, No certificate
- Web App Vulnerabilities: Overprivileged accounts, Weak input validation

Database Server Security Categories
[Diagram: security categories across the Network, Operating System and SQL Server layers]
- Patches and Updates
- Shares
- Services
- Accounts
- Auditing and Logging
- Files and Directories
- Registry
- Protocols
- Ports
- SQL Server Security
- Database Objects
- Logins, Users, and Roles

Network Security
- Restrict SQL to TCP/IP
- Harden the TCP/IP stack
- Restrict ports
- Remove SQL from harm's way – don't let clients talk to it
- Use IPsec to enforce in unsegmented nets
- Use firewalls or VLANs to enforce

Operating System Security
- Configure the SQL Server service account with the lowest possible permissions – it can run without local admin
- Delete or disable unused accounts
- Secure authentication traffic

Logins, Users, and Roles
- Use a strong system administrator (sa) password
- Remove the SQL guest user account
- Remove the BUILTIN\Administrators server login
- Do not grant permissions for the public role

Files, Directories, and Shares
- Verify permissions on SQL Server installation directories
- Verify that Everyone group does not have permissions to SQL Server files
- Secure setup log files
- Secure or remove tools, utilities, and SDKs, sample DBs (Pubs, Northwind)
- Remove unnecessary shares
- Restrict access to required shares
- Secure registry keys with ACLs
- EFS can be used – performance

SQL Security
- Set authentication to Windows only
- If you must use SQL Server authentication, ensure that authentication traffic is encrypted
- Remember – no lockout for SQL mixed mode – Windows auth only locks out if account policy set to

SQL Auditing
- Log all failed Windows login attempts
- Log successful and failed actions across the file system
- Enable SQL Server login auditing
- Enable SQL Server general auditing

Securing Database Objects
- Remove the sample databases
- Secure stored procedures
- Secure extended stored procedures
- Restrict cmdExec access to the sysadmin role
- Restrict XP_CMDShell – check if your application needs it
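The checks from the "Logins, Users, and Roles", "SQL Security" and "Securing Database Objects" slides, written as one read-only T-SQL audit query. This is an added example, not part of the original presentation; it assumes SQL Server 2005 or later (the catalog views it reads do not exist in SQL Server 2000) and a login allowed to view server and database metadata.

```sql
-- Added example: read-only audit, nothing is modified.
-- Server-level rows are instance-wide; guest/public rows cover the current
-- database only, so run the query once in each user database.
SELECT 'Authentication mode' AS check_name,
       CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'OK: Windows authentication only'
            ELSE 'REVIEW: mixed mode, SQL logins accepted' END AS finding
UNION ALL
SELECT 'BUILTIN\Administrators login',
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals
                         WHERE name = N'BUILTIN\Administrators')
            THEN 'REVIEW: login still present' ELSE 'OK: login removed' END
UNION ALL
SELECT 'sa login',  -- matched by SID so a renamed sa is still found
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals
                         WHERE sid = 0x01 AND is_disabled = 0)
            THEN 'REVIEW: enabled, confirm a strong password is set'
            ELSE 'OK: disabled' END
UNION ALL
SELECT 'xp_cmdshell',
       CASE WHEN EXISTS (SELECT 1 FROM sys.configurations
                         WHERE name = N'xp_cmdshell' AND value_in_use = 1)
            THEN 'REVIEW: enabled, confirm the application needs it'
            ELSE 'OK: disabled' END
UNION ALL
SELECT 'Sample database: ' + name COLLATE DATABASE_DEFAULT,
       'REVIEW: remove from production servers'
FROM sys.databases
WHERE name IN (N'pubs', N'Northwind')
UNION ALL
SELECT 'guest user in ' + DB_NAME() COLLATE DATABASE_DEFAULT,
       CASE WHEN EXISTS (SELECT 1 FROM sys.database_permissions
                         WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
                           AND permission_name = 'CONNECT'
                           AND state IN ('G', 'W'))
            THEN 'REVIEW: guest can connect' ELSE 'OK: guest has no CONNECT' END
UNION ALL
-- Explicit grants to public on user-created objects (system objects skipped).
SELECT 'public grant on ' + OBJECT_NAME(p.major_id) COLLATE DATABASE_DEFAULT,
       'REVIEW: ' + p.permission_name COLLATE DATABASE_DEFAULT + ' granted to public'
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND p.class = 1
  AND p.state IN ('G', 'W')
  AND OBJECTPROPERTY(p.major_id, 'IsMSShipped') = 0;
```

Every row marked REVIEW maps back to one bullet on the slides above; password strength itself cannot be read from metadata and still has to be verified out of band.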

Using Views and Stored Procedures
- SQL queries may contain confidential information
- Use stored procedures whenever possible
- Use views instead of direct table access
- Implement security best practices for Web-based applications
- Stored procs should validate input and be the only things that access tables; avoid views as they are "injectionable"
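An added example (not from the original presentation) of the stored-procedure pattern this slide recommends: the procedure validates its input, uses the parameter only as a typed value, and is the only object the application role is granted. The table, procedure and role names are hypothetical, and SQL Server 2005 or later is assumed for CREATE ROLE.

```sql
-- Added example; dbo.Customers, dbo.GetCustomerByEmail and app_reader are
-- hypothetical names. GO is the batch separator used by sqlcmd and SSMS.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Email      nvarchar(254) NOT NULL,
    CardLast4  char(4)       NOT NULL   -- sensitive column, never returned below
);
GO

CREATE PROCEDURE dbo.GetCustomerByEmail
    @Email nvarchar(254)
AS
BEGIN
    SET NOCOUNT ON;

    -- Validate before use: required, e-mail shaped, allow-listed characters only.
    IF @Email IS NULL
       OR @Email NOT LIKE N'_%@_%._%'
       OR @Email LIKE N'%[^a-zA-Z0-9@._+-]%'
    BEGIN
        RAISERROR(N'Invalid e-mail address.', 16, 1);
        RETURN 1;
    END

    -- The parameter is bound as a value. It is never concatenated into a
    -- string and executed, which is what would reopen the injection path.
    SELECT CustomerId, Email
    FROM dbo.Customers
    WHERE Email = @Email;
END
GO

-- The application role can execute the procedure and nothing else: no
-- SELECT/INSERT/UPDATE/DELETE is granted on the table itself. Ownership
-- chaining (same owner, dbo) lets the procedure read the table on its behalf.
CREATE ROLE app_reader;
GRANT EXECUTE ON dbo.GetCustomerByEmail TO app_reader;
GO
```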

Securing Web Applications
- Validate all data input
- Secure authentication and authorization
- Secure sensitive data
- Use least-privileged process and service accounts
- Configure auditing and logging
- Use structured exception handling

Top Ten Things to Protect SQL Server
- Install the most recent service pack
- Run MBSA
- Configure Windows authentication
- Isolate the server and back it up
- Check the sa password – remove it
- Limit privileges of SQL services
- Block ports at your firewall
- Use NTFS
- Remove setup files and sample databases
- Audit connections

Agenda
- Introduction
- Protecting Exchange Server
- Protecting SQL Server
- Securing Small Business Server
- Providing Data Security

Role and Limitations of File Permissions
- Prevent unauthorized access
- Limit administrators
- Do not protect against intruders with physical access
- Encryption provides additional security

Role and Limitations of EFS
- Benefit of EFS encryption
  - Ensures privacy of information
  - Uses robust public key technology
- Danger of encryption
  - All access to data is lost if the private key is lost
- Private keys on client computers
  - Keys are encrypted with derivative of user's password
  - Private keys are only as secure as the password
  - Private keys are lost when user profile is lost

EFS Differences Between Windows Versions
- Windows 2000 and newer Windows versions support EFS on NTFS partitions
- Windows XP and Windows Server 2003 include new features:
  - Additional users can be authorized
  - Offline files can be encrypted
  - The triple-DES (3DES) encryption algorithm can replace DESX
  - A password reset disk can be used
  - EFS preserves encryption over WebDAV
  - Data recovery agents are recommended
  - Usability is enhanced

Implementing EFS: Advice
- Use Group Policy to disable EFS until ready for central implementation
- Plan and design policies
- Designate recovery agents
- Assign certificates
- Implement via Group Policy