Download presentation
Presentation is loading. Please wait.
1
TNQ200-06
2
How To Implement Secure, Web-Based Business Solutions Based On Windows ® 2000 Server And Internet Information Server 5.0 Name Title Microsoft Corporation
3
Session Prerequisites This session assumes that you understand: Basic knowledge of Internet Information Server Fundamentals of PKI Fundamentals of Active Directory This is a level 300 session
4
What You Will Learn Today How to analyze a Web application for security risks Correctly apply technology to counter or mitigate these risks Secure Internet Information Server for the Internet
5
Agenda What’s the problem? Some ingredients Baking a solution IP security Certificates Smart cards Kerberos Digest authentication
6
What’s The Problem? Building secure Web apps is very difficult Complex technologies Difficult to implement Difficult to hide complexity from users Often “pasted” on after the fact Lack of skills in the market
7
What’s The Problem? Building secure Web apps means: Analyzing your threats Designing a system to cope with the threats Choosing the technologies Finally, building the system Weigh the risks Especially the non-tangible like “good faith” and your “name”
8
Masquerading Strong authentication CertificatesSmartcards SSL/TLS(schannel) Firewalls Threats, Defenses, Tools Eavesdropping Encryption Data modification Message digests Replay attacks Time stamps, sequence numbers Denial of service Filtering
9
RouterRouter Internet FIREWALL Ethernet Corp Network Intranet Server Internet Server Ethernet Typical Internet Information Server Setting
10
Security And Auditing Internet Information Server log file formats Internet Information Server log file format NCSA common log file format ODBC logging W3C extended log file format All logs configured per Web site Windows NT event logging Recommended log - W3C Tip: W3C logging is the default
11
Security And Auditing Performance of logging Logging does not affect performance Two benefits of logging and auditing Intruder Detection Problem Resolution Tip: When setting NT log file size, make it as big as possible.
12
Authentication Anonymous access Authenticated access Basic authentication Digest authentication Needs to run on a Domain Controller Enable Encrypted Passwords Checked Integrated Windows authentication Tip: Digest authentication requires IE 5.0
13
Authentication The packets are the difference IP Header IP Payload Clear Text IP Header IP Payload Encrypted Text IP Header IP Payload RPC Encrypted Text TCP/IP Packet Clear Text TCP/IP Packet Digest NT RPC
14
Needs to run on a DC and encrypted passwords Recommended Log type? W3C Quiz: Authentication Name two requirements of digest authentication?
15
Demo Security and Authentication Demo of digest authentication Demo of setting logs in Internet Information Server
16
TCP/IP Security Identify the protocols used Verify the ports required by protocol Tools to help diagnose IP and UDP ports Port mapper Ping Internet services manager Tip: TechNet CD contains a list of ports used by NT
17
TCP/IP Security Well-known TCP/IP ports used FTP - TCP port 21 SMTP - IP port 25 HTTP - TCP port 80 SSL - TCP port 443 LDAP - IP Port 389 or 636 (SSL)
18
TCP/IP Security TCP/IP security can applied via: IP address and domain name restrictions (dialog in Internet Information Server console) TCP/IP filtering (advanced TCP/IP settings) IP security policy snap in Security configuration tool set Tip: Network hardware will need to support IPSEC
19
Port mapper, and Internet Information Server snap in Name two places where IP can be filtered Network card and Internet Information Server snap in Quiz: TCP/IP Security Name two tools used to identify open ports
20
Client Server Demo: Locking IP Ports Demo TCP/IP ports Discovering ports that are open Locking down TCP/IP ports using Internet Information Server console Locking down TCP/IP ports using TCP/IP filtering
21
Certificates Four types of certificate authorities Enterprise certificate authority Subordinate enterprise authority Stand-alone certificate authority Subordinate certificate authority Certificate templates are found in the CA snap In Tip: Test certificates in a small group before deploying company wide
22
Certificates Certificate mapping Performed via Internet Information Server snap in Windows NT certificate Trust List Only one Certificate can be applied to a site Certificate Usage Authentication Schannel Permission
23
IPSEC Authentication EFS Basic EFS Domain Controller Web Server Computer User Subordinate CA Administration User Signature Only Smart Card Smart Card Logon Code Signing Trust List Signing Enrollment Agent Router Certificates Windows 2000 comes with templates for:
24
Certificates Recommendations Use a key length of 1024 or 2048 Remember the CN used to identify the CA object Store CRL's in shared folder and directory Experiment before deployment! Use CSP defaults Use hash algorithm defaults
25
Enterprise and Stand-alone Name three uses of Certificates Authentication, Permissions, Schannel Quiz: Certificates Name two types of CAs
26
Client Server 1 2 Demo: Certificates Certificate demo Demonstrate the Web enrollment wizard Apply security to a site From client verify
27
Securing The Channel Secured channel methods SSL - rides on top of the IP layer IPSEC - VPN PPTP - VPN L2TP - VPN
28
Server (Request Only) Server Request’s security then negotiates Client Server Client (Respond Only) Client Request’s security then negotiates Client Server Secure Server (Require Security) ClientServer Require Security using Kerberos Securing The Channel
29
IPSEC can be established Shared key Kerberos Certificate SSL
30
IPSEC and PPTP Name the schannel HTTP, SSL, TCP/IP SSL Quiz: SCHANNEL Name two VPN protocols
31
Client Server 1 2 Demo: Secure Channel Demo using SSL
32
Scenario: Schannel SSL Secured communication with diverse browsers Dynamic connection environment PPTP, L2TP VPN for corporate access IPSEC High level security required Communication is not using Internet protocols
33
Scenario: Authentication Anonymous Public Web pages Digest Strong security in a lightweight fashion Certificates Code signing E-commerce Tip: Business requirements will dictate the best authentication technology for your company
34
Y2K Compliance Rating (all languages): will ship compliant Beta Product: testing ongoing Known Y2K Issues: none Y2K Readiness for Windows 2000 Year 2000 Readiness Disclosure
35
Session Review Name three threats, defenses and tools Name two ways to apply IP filtering Name two ways to create a schannel What are requirements for digest authentication? Does logging adversely affect performance?
36
For More Information Refer to the TechNet Web site at www.Microsoft.Com/TechNet/ Windows NT security (whitepapers, etc.) http://www.Microsoft.com/windows/server/ Technical/security/default.asp Http://www.Microsoft.Com/windows/server/ technical/security/pki.Asp Http://www.Microsoft.Com/windows/server/ technical/security/pkiintro.Asp Microsoft® Official Curriculum 1443A-Windows2000Specialty-IIS5Upgrade
37
Discussion
38
Session Credits Author: Hank Voight Program Manager: Andrew Cushman Producer/editor: Jim Stuart Thanks to our Microsoft technical field personnel who reviewed this session: Debra Kennedy
40
Definitions PKI Schannel Ssl TLS Web DAV Web folders NCSA W3c LDAP Ca EFS CN CRL CSP IPSEC PPTP L2tp Public key infrastructure Secured channel Secure sockets layer See SSL Web digital audio video protocol Office 2000 National center for supercomputing applications World wide web consortium Light weight directory access protocol Certificate authority Encrypted file system Common name Certificate revocation list Cryptographic service provider Internet protocol security Point to point tunneling protocol Layer 2 tunneling protocol
Similar presentations
