Implementing Application and Data Security Brjann Brekkan Senior System Engineer Microsoft.

Slides:



Advertisements
Similar presentations
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Advertisements

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Paula Kiernan Senior Consultant Ward Solutions
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK.
System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 7 HARDENING SERVERS.
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,
Implementing Application and Data Security Presenter Name Job Title Company.
Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor
Secure SQL Server configuration Pat Larkin Ward Solutions
Installing and Configuring a Secure Web Server COEN 351 David Papay.
Implementing Exchange Server Security Ward Solutions.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Securing Exchange Server Session Goals: Introduce you to the concepts and mechanisms for securing Exchange Examine the techniques and tools.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Securing Windows Servers Using Group Policy Objects
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Securing Operating Systems Chapter 10. Security Maintenance Practices and Principles Basic proactive security can prevent many problems Maintenance involves.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Chapter 7: Using Windows Servers to Share Information.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Securing Microsoft® Exchange Server 2010
Module 6: Manage and Configure Messaging. Configuring Internet Mail Using Small Business Server (SBS) 2008 Console Configuring Protection Configuring.
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Module 14: Configuring Server Security Compliance
Windows Small Business Server 2003 Setting up and Connecting David Overton Partner Technical Specialist.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
Module 4 Planning and Deploying Client Access Services in Microsoft® Exchange Server 2010 Presentation: 120 minutes Lab: 90 minutes After completing.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.
1 Objectives Windows Firewalls with Advanced Security Bit-Lock Update and maintain your clients using Windows Server Update Service Microsoft Baseline.
Module 6: Integrating ISA Server 2004 and Microsoft Exchange Server.
Module 6: Designing Security for Network Hosts
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Implementing Server Security on Windows 2000 and Windows Server 2003
Implementing Application and Data Security Rafal Lukawiecki Strategic Consultant & Director Project Botticelli Ltd
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Module 7: Implementing Security Using Group Policy.
Security fundamentals Topic 9 Securing internet messaging.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
NetTech Solutions Protecting the Computer Lesson 10.
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
Module 8 Implementing Security Using Group Policy.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
Securing the Network Perimeter with ISA Server 2004 Ravi Sankar IT Professional Evangelist Microsoft.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Securing Access to Data Using IPsec Josh Jones Cosc352.
VIRTUAL SERVERS Chapter 7. 2 OVERVIEW Exchange Server 2003 virtual servers Virtual servers in a clustering environment Creating additional virtual servers.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
NETWORK SECURITY LAB 1170 REHAB ALFALLAJ CT1406. Introduction There are a number of technologies that exist for the sole purpose of ensuring that the.
.
Working at a Small-to-Medium Business or ISP – Chapter 8
Configuring Windows Firewall with Advanced Security
Securing the Network Perimeter with ISA 2004
Lesson 16-Windows NT Security Issues
Implementing Client Security on Windows 2000 and Windows XP Level 150
Designing IIS Security (IIS – Internet Information Service)
Using Software Restriction Policies
Presentation transcript:

Implementing Application and Data Security Brjann Brekkan Senior System Engineer Microsoft

Session Prerequisites  Understanding of network security essentials  Hands-on experience with Windows® 2000 Server or Windows Server™ 2003  Experience with Windows management tools  Hands-on experience with Exchange Server and SQL Server management tools Level 300

Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

Defense in Depth  Using a layered approach:  Increases an attacker’s risk of detection  Reduces an attacker’s chance of success Policies, Procedures, & Awareness OS hardening, update management, authentication, HIDS Firewalls, VPN quarantine Guards, locks, tracking devices Network segments, IPSec, NIDS Application hardening, antivirus ACL, encryption User education Physical Security Perimeter Internal Network Host Application Data

Why Application Security Matters  Perimeter defenses provide limited protection  Many host-based defenses are not application specific  Most modern attacks occur at the application layer

Why Data Security Matters  Secure your data as the last line of defense  Configure file permissions  Configure data encryption  Protects the confidentiality of information when physical security is compromised

Application Server Best Practices Configure security on the base operating system Apply operating system and application service packs and patches Install or enable only those services that are required Applications accounts should be assigned with the minimal permissions Apply defense-in-depth principles to increase protection Assign only those permissions needed to perform required tasks

Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

Exchange Security Dependencies  Exchange security is dependent on:  Operating system security  Network security  IIS security (if you use OWA)  Client security (Outlook)  Active Directory security Remember: Defense in Depth

Securing Exchange Servers  Exchange 2000 Back-End Servers  Apply baseline security template and the Exchange back-end incremental template  Exchange 2000 Front-End Servers  Apply baseline security template and the Exchange front-end incremental template  Dismount private and public stores  Exchange 2000 OWA Server  Apply IIS Lockdown, including URLScan  Exchange 2003 Back-End Server  Apply protocol security templates  Exchange 2003 Front-End and OWA Server  IIS Lockdown and URLScan integrated with IIS 6.0  Use application isolation mode

Aspects of Exchange Server Security  Securing Access to Exchange Server  Blocking unauthorized access  Securing Communications  Blocking and encrypting communications  Blocking Spam  Filtering incoming mail  Relay restrictions: Don’t aid spammers!  Blocking Insecure Messages  Virus scanning  Attachment blocking

Configuring Authentication, Part 1  Secure Outlook client authentication  Configure Exchange & Outlook 2003 to use RPC over HTTPS  Configure SPA to encrypt authentication for Internet protocol clients Remember: Secure authentication does not equal encryption of data

Configuring Authentication, Part 2 Authentication MethodConsiderations Basic authentication  Insecure, unless you require SLL Integrated authentication  Limited client support, issues across firewalls Digest authentication  Limited client support Forms-based authentication  Ability to customize authentication  Wide client support  Available with Exchange Server 2003  OWA supports several authentication methods:

Securing Communications  Configure RPC encryption  Client side setting  Enforcement with ISA Server FP1  Firewall blocking  Mail server publishing with ISA Server  Configure HTTPS for OWA  Use S/MIME for message encryption  Outlook 2003 Enhancements  Kerberos authentication  RPC over HTTPS

Encrypting a Message Active Directory Domain Controller Client 1 Client 2 SMTP VS1 SMTP VS 2 Locate Client 2’s public key Message sent using S/MIME Message encrypted with a shared key New message Message arrives encrypted 5 Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message 6

Blocking Spam – Exchange 2000  Close open relays!  Protect against address spoofing  Prevent Exchange from resolving recipient names to GAL accounts  Configure reverse DNS lookups

Blocking Spam – Exchange 2003  Use additional features in Exchange Server 2003  Support for real-time block lists  Global deny and accept lists  Sender and inbound recipient filtering  Improved anti-relaying protection  Integration with Outlook 2003 and third-party junk mail filtering

Blocking Insecure Messages  Implement antivirus gateways  Monitor incoming and outgoing messages  Update signatures often  Configure Outlook attachment security  Web browser security determines whether attachments can be opened in OWA  Implement ISA Server  Message Screener can block incoming messages

Using Permissions to Secure Exchange Administration models Centralized Decentralized  Delegating permissions  Creating administrative groups  Using administrative roles  Delegating administrative control

Enhancements in Exchange Server 2003  Many secure-by-default settings  More restrictive permissions  New mail transport features  New Internet Connection Wizard  Cross-forest authentication support

Top Ten Things to Secure Exchange Install the latest service pack Install all applicable security patches Run MBSA Check relay settings Disable or secure well-known accounts Use a layered antivirus approach Use a firewall Evaluate ISA Server Secure OWA Implement a backup strategy

Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

Basic Security Configuration  Apply service packs and patches  Use MBSA to detect missing SQL updates  Disable unused services  MSSQLSERVER (required)  SQLSERVERAGENT  MSSQLServerADHelper  Microsoft Search  Microsoft DTC

Common Database Server Threats and Countermeasures SQL Server Browser Web App Unauthorized External Access SQL Injection Password Cracking Network Eavesdropping Network Vulnerabilities Failure to block SQL ports Configuration Vulnerabilities Overprivileged service account Week permissions No certificate Web App Vulnerabilities Overprivileged accounts Week input validation Internal Firewall Perimeter Firewall

Database Server Security Categories Network Operating System SQL Server Patches and Updates Shares Services Accounts Auditing and Logging Files and Directories Registry ProtocolsPorts SQL Server Security Database Objects Logins, Users, and Roles

Network Security  Restrict SQL to TCP/IP  Harden the TCP/IP stack  Restrict ports

Operating System Security  Configure the SQL Server service account with the lowest possible permissions  Delete or disable unused accounts  Secure authentication traffic

Logins, Users, and Roles  Use a strong system administrator (sa) password  Remove the SQL guest user account  Remove the BUILTIN\Administrators server login  Do not grant permissions for the public role

Files, Directories, and Shares  Verify permissions on SQL Server installation directories  Verify that Everyone group does not have permissions to SQL Server files  Secure setup log files  Secure or remove tools, utilities, and SDKs  Remove unnecessary shares  Restrict access to required shares  Secure registry keys with ACLs

SQL Security  Set authentication to Windows only  If you must use SQL Server authentication, ensure that authentication traffic is encrypted

SQL Auditing  Log all failed Windows login attempts  Log successful and failed actions across the file system  Enable SQL Server login auditing  Enable SQL Server general auditing

Securing Database Objects  Remove the sample databases  Secure stored procedures  Secure extended stored procedures  Restrict cmdExec access to the sysadmin role

Using Views and Stored Procedures  SQL queries may contain confidential information  Use stored procedures whenever possible  Use views instead of direct table access  Implement security best practices for Web-based applications

Securing Web Applications  Validate all data input  Secure authentication and authorization  Secure sensitive data  Use least-privileged process and service accounts  Configure auditing and logging  Use structured exception handling

Top Ten Things to Protect SQL Server Install the most recent service pack Run MBSA Configure Windows authentication Isolate the server and back it up Check the sa password Limit privileges of SQL services Block ports at your firewall Use NTFS Remove setup files and sample databases Audit connections

Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

Recognizing Threats  Small Business Server plays many server roles  External threats  Small Business Server is often connected to the Internet  Internal threats  All components of Small Business Server must be secured  Many settings secured by default

Protecting Against External Threats  Configure password policies to require complex passwords  Configure secure remote access  Remote Web Workplace  Remote Access  Rename the Administrator account  Implement Exchange and IIS security best practices  Use a firewall

Using a Firewall  Included firewall features:  ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition  Basic firewall functionality in SBS 2003, Standard Edition  Consider a separate firewall  SBS 2003 can communicate with an external firewall by using UPnP  ISA Server can provide application-layer protection InternetFirewallLAN

Protecting Against Internal Threats  Implement an antivirus solution  Implement a backup plan  Run MBSA  Control access permissions  Educate users  Do not use the server as a workstation  Physically secure the server  Limit user disk space  Update the software

Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

Role and Limitations of File Permissions  Prevent unauthorized access  Limit administrators  Do not protect against intruders with physical access  Encryption provides additional security

Role and Limitations of EFS  Benefit of EFS encryption  Ensures privacy of information  Uses robust public key technology  Danger of encryption  All access to data is lost if the private key is lost  Private keys on client computers  Keys are encrypted with derivative of user’s password  Private keys are only as secure as the password  Private keys are lost when user profile is lost

EFS Architecture Win32 APIs NTFS I/O Manager EFS.sys Applications Encrypted on-disk data storage User mode Kernel mode Crypto API EFS Service

EFS Differences Between Windows Versions  Windows 2000 and newer Windows versions support EFS on NTFS partitions  Windows XP and Windows Server 2003 include new features:  Additional users can be authorized  Offline files can be encrypted  The triple-DES (3DES) encryption algorithm can replace DESX  A password reset disk can be used  EFS preserves encryption over WebDAV  Data recovery agents are recommended  Usability is enhanced

Implementing EFS: How to Do It Right  Use Group Policy to disable EFS until ready for central implementation  Plan and design policies  Designate recovery agents  Assign certificates  Implement via Group Policy

Session Summary  Protecting Applications and Data  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

Next Steps 1. Stay informed about security  Sign up for security bulletins:  Get the latest Microsoft security guidance: 2. Get additional security training  Find online and in-person training seminars:  Find a local CTEC for hands-on training:

For More Information  Microsoft Security Site (all audiences)   TechNet Security Site (IT professionals)   MSDN Security Site (developers) 

Questions and Answers