Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK."— Presentation transcript:

1 Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK

2 Why Application Security Matters  Perimeter Defences provide limited protection  Many host-based Defences are not application specific  Most modern attacks occur at the application layer

3 Why Data Security Matters  Secure your data as the last line of Defence  Configure file permissions  Configure data encryption  Protects the confidentiality of information when physical security is compromised

4 Application Server Best Practices Configure security on the base operating system Apply operating system and application service packs and patches Install or enable only those services that are required Applications accounts should be assigned with the minimal permissions Apply Defence-in-depth principles to increase protection Assign only those permissions needed to perform required tasks

5 Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Providing Data Security

6 Exchange Security Dependencies  Exchange security is dependent on:  Operating system security  Network security  IIS security (if you use OWA)  Client security (Outlook)  Active Directory security Remember: Defence in Depth

7 Exchange Comms Architecture.

8 Securing Communications  Configure RPC encryption  Client side setting  Enforcement with ISA Server FP1, 2004  Firewall blocking  Mail server publishing with ISA Server  Configure HTTPS for OWA  Use S/MIME for message encryption  Outlook 2003 Enhancements  Kerberos authentication  RPC over HTTPS

9 Connection Strategies MethodExperienceComplexitySecurity POP3/IMAP4 via SSL with SMTP Basic Medium/ High Medium OWA via SSL with ISA ModerateLowFull VPN – PPTPv2 FullHighFull Secure RPC with ISA FullMediumFull RPC over HTTP Full Medium/Lo w Full in None Out

10 Blocking Spam – Exchange 2000  Close open relays!  Protect against address spoofing  Prevent Exchange from resolving recipient names to GAL accounts  Configure reverse DNS lookups  Implement third party Anti-Spam, no native tools exist  Check out ORDB.org to give you some examples, and sample filter

11 Blocking Spam – Exchange 2003  Use additional features in Exchange Server 2003  Support for real-time block lists  Global deny and accept lists  Sender and inbound recipient filtering  Improved anti-relaying protection  Integration with Outlook 2003 and third-party junk mail filtering  Intelligent Message Filter now available

12 Blocking Insecure Messages  Implement antivirus gateways  Monitor incoming and outgoing messages  Update signatures often  Configure Outlook attachment security  Web browser security determines whether attachments can be opened in OWA  Implement ISA Server  Message Screener can block incoming messages  OWA, RPC/HTTP, RPC, SMTP can all be locked down with it

13 Enhancements in Exchange Server 2003  Many secure-by-default settings  More restrictive permissions  New mail transport features  New Internet Connection Wizard  Cross-forest authentication support

14 Top Ten Things to Secure Exchange Install the latest service pack Install all applicable security patches Run MBSA Check relay settings Disable or secure well-known accounts Use a layered antivirus approach Use a firewall Evaluate ISA Server Secure OWA Implement a backup strategy 1 2 3 4 5 6 7 8 9 10

15 Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Providing Data Security

16 Basic Security Configuration  Apply service packs and patches  Use MBSA to detect missing SQL updates  Enforce required services  MSSQLSERVER  SQLSERVERAGENT (replication, monitoring, scheduled jobs, auto restart, event firing)  Disable unused services to fit role  MSSQLServerADHelper (if no AD integration)  Microsoft Search (if no FTSearch required)  Microsoft DTC (if not clustered)

17 Common Database Server Threats and Countermeasures SQL Server Browser Web App Unauthorized External Access SQL Injection Password Cracking Network Eavesdropping Network Vulnerabilities Failure to block SQL ports Configuration Vulnerabilities Overprivileged service account Week permissions No certificate Web App Vulnerabilities Overprivileged accounts Week input validation Internal Firewall Perimeter Firewall

18 Database Server Security Categories Network Operating System SQL Server Patches and Updates Shares Services Accounts Auditing and Logging Files and Directories Registry ProtocolsPorts SQL Server Security Database Objects Logins, Users, and Roles

19 Network Security  Restrict SQL to TCP/IP  Harden the TCP/IP stack  Restrict ports  Remove SQL from harms way – don’t let clients talk to it  Use IPSEC to enforce in unsegmented nets  Use firewalls or VLANs to enforce

20 Operating System Security  Configure the SQL Server service account with the lowest possible permissions- it can run without local admin  Delete or disable unused accounts  Secure authentication traffic

21 Logins, Users, and Roles  Use a strong system administrator (sa) password  Remove the SQL guest user account  Remove the BUILTIN\Administrators server login  Do not grant permissions for the public role

22 Files, Directories, and Shares  Verify permissions on SQL Server installation directories  Verify that Everyone group does not have permissions to SQL Server files  Secure setup log files  Secure or remove tools, utilities, and SDKs, sample DBs (Pubs, Northwind)  Remove unnecessary shares  Restrict access to required shares  Secure registry keys with ACLs  EFS can be used – performance

23 SQL Security  Set authentication to Windows only  If you must use SQL Server authentication, ensure that authentication traffic is encrypted  Remember – no lockout for SQL mixed mode- windows auth only locks out if account policy set to

24 SQL Auditing  Log all failed Windows login attempts  Log successful and failed actions across the file system  Enable SQL Server login auditing  Enable SQL Server general auditing

25 Securing Database Objects  Remove the sample databases  Secure stored procedures  Secure extended stored procedures  Restrict cmdExec access to the sysadmin role  Restrict XP_CMDShell – check if your application needs it

26 Using Views and Stored Procedures  SQL queries may contain confidential information  Use stored procedures whenever possible  Use views instead of direct table access  Implement security best practices for Web-based applications  Stored Procs should validate input and be the only things that access tables, avoid views as they are “injectionable”

27 Securing Web Applications  Validate all data input  Secure authentication and authorization  Secure sensitive data  Use least-privileged process and service accounts  Configure auditing and logging  Use structured exception handling

28 Top Ten Things to Protect SQL Server Install the most recent service pack Run MBSA Configure Windows authentication Isolate the server and back it up Check the sa password – remove it Limit privileges of SQL services Block ports at your firewall Use NTFS Remove setup files and sample databases Audit connections 1 2 3 4 5 6 7 8 9 10

29 Agenda  Introduction  Protecting Exchange Server  Protecting SQL Server  Protecting SQL Server  Securing Small Business Server  Providing Data Security

30 Role and Limitations of File Permissions  Prevent unauthorized access  Limit administrators  Do not protect against intruders with physical access  Encryption provides additional security

31 Role and Limitations of EFS  Benefit of EFS encryption  Ensures privacy of information  Uses robust public key technology  Danger of encryption  All access to data is lost if the private key is lost  Private keys on client computers  Keys are encrypted with derivative of user’s password  Private keys are only as secure as the password  Private keys are lost when user profile is lost

32 EFS Differences Between Windows Versions  Windows 2000 and newer Windows versions support EFS on NTFS partitions  Windows XP and Windows Server 2003 include new features:  Additional users can be authorized  Offline files can be encrypted  The triple-DES (3DES) encryption algorithm can replace DESX  A password reset disk can be used  EFS preserves encryption over WebDAV  Data recovery agents are recommended  Usability is enhanced

33 Implementing EFS: Advice  Use Group Policy to disable EFS until ready for central implementation  Plan and design policies  Designate recovery agents  Assign certificates  Implement via Group Policy

Download ppt "Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK."

Similar presentations

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
Paula Kiernan Senior Consultant Ward Solutions

Paula Kiernan Senior Consultant Ward Solutions
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Securing Exchange, IIS, and SQL Infrastructures

Securing Exchange, IIS, and SQL Infrastructures
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,

© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,
Implementing Application and Data Security Presenter Name Job Title Company.

Implementing Application and Data Security Presenter Name Job Title Company.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Secure SQL Server configuration Pat Larkin Ward Solutions

Secure SQL Server configuration Pat Larkin Ward Solutions
1 Integrating ISA Server and Exchange Server. 2 How email works.

1 Integrating ISA Server and Exchange Server. 2 How works.
Implementing Exchange Server Security Ward Solutions.

Implementing Exchange Server Security Ward Solutions.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Securing Exchange Server 2003. Session Goals: Introduce you to the concepts and mechanisms for securing Exchange 2003. Examine the techniques and tools.

Securing Exchange Server Session Goals: Introduce you to the concepts and mechanisms for securing Exchange Examine the techniques and tools.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

Similar presentations

Ads by Google