Implementing Application and Data Security

1
Implementing Application and Data Security

• Fred Baumhardt
• Senior Consultant Security and Architecture
• Microsoft Consulting Services - UK

2
Why Application Security Matters

• Perimeter Defences provide limited protection
• Many host-based Defences are not application
  specific
• Most modern attacks occur at the application
  layer

3
Why Data Security Matters

• Secure your data as the last line of Defence
• Configure file permissions
• Configure data encryption
• Protects the confidentiality of information when
  physical security is compromised

4
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service
packs and patches
Install or enable only those services that are
required
Assign only those permissions needed to perform
required tasks
Applications accounts should be assigned with the
minimal permissions
Apply Defence-in-depth principles to increase
protection
5
Agenda

• Introduction
• Protecting Exchange Server
• Protecting SQL Server 
• Providing Data Security

6
Exchange Security Dependencies

• Exchange security is dependent on
• Operating system security
• Network security
• IIS security (if you use OWA)
• Client security (Outlook)
• Active Directory security

Remember Defence in Depth
7
Exchange Comms Architecture
.
8
Securing Communications

• Configure RPC encryption
• Client side setting
• Enforcement with ISA Server FP1, 2004
• Firewall blocking
• Mail server publishing with ISA Server
• Configure HTTPS for OWA
• Use S/MIME for message encryption
• Outlook 2003 Enhancements
• Kerberos authentication
• RPC over HTTPS

9
Connection Strategies
10
Blocking Spam Exchange 2000

• Close open relays!
• Protect against address spoofing
• Prevent Exchange from resolving recipient names
  to GAL accounts
• Configure reverse DNS lookups
• Implement third party Anti-Spam, no native tools
  exist
• Check out ORDB.org to give you some examples, and
  sample filter

11
Blocking Spam Exchange 2003

• Use additional features in Exchange Server 2003
• Support for real-time block lists
• Global deny and accept lists
• Sender and inbound recipient filtering
• Improved anti-relaying protection
• Integration with Outlook 2003 and third-party
  junk mail filtering
• Intelligent Message Filter now available

12
Blocking Insecure Messages

• Implement antivirus gateways
• Monitor incoming and outgoing messages
• Update signatures often
• Configure Outlook attachment security
• Web browser security determines whether
  attachments can be opened in OWA
• Implement ISA Server
• Message Screener can block incoming messages
• OWA, RPC/HTTP, RPC, SMTP can all be locked down
  with it

13
Enhancements in Exchange Server 2003

• Many secure-by-default settings
• More restrictive permissions
• New mail transport features
• New Internet Connection Wizard
• Cross-forest authentication support

14
Top Ten Things to Secure Exchange
1
Install the latest service pack
2
Install all applicable security patches
3
Run MBSA
4
Check relay settings
5
Disable or secure well-known accounts
6
Use a layered antivirus approach
7
Use a firewall
8
Evaluate ISA Server
9
Secure OWA
10
Implement a backup strategy
15
Agenda

• Introduction
• Protecting Exchange Server
• Protecting SQL Server 
• Providing Data Security

16
Basic Security Configuration

• Apply service packs and patches
• Use MBSA to detect missing SQL updates
• Enforce required services
• MSSQLSERVER
• SQLSERVERAGENT (replication, monitoring,
  scheduled jobs, auto restart, event firing)
• Disable unused services to fit role
• MSSQLServerADHelper (if no AD integration)
• Microsoft Search (if no FTSearch required)
• Microsoft DTC (if not clustered)

17
Common Database Server Threats and
Countermeasures
18
Database Server Security Categories
19
Network Security

• Restrict SQL to TCP/IP
• Harden the TCP/IP stack
• Restrict ports
• Remove SQL from harms way dont let clients
  talk to it
• Use IPSEC to enforce in unsegmented nets
• Use firewalls or VLANs to enforce

20
Operating System Security

• Configure the SQL Server service account with the
  lowest possible permissions- it can run without
  local admin
• Delete or disable unused accounts
• Secure authentication traffic

21
Logins, Users, and Roles

• Use a strong system administrator (sa) password
• Remove the SQL guest user account
• Remove the BUILTIN\Administrators server login
• Do not grant permissions for the public role

22
Files, Directories, and Shares

• Verify permissions on SQL Server installation
  directories
• Verify that Everyone group does not have
  permissions to SQL Server files
• Secure setup log files
• Secure or remove tools, utilities, and SDKs,
  sample DBs (Pubs, Northwind)
• Remove unnecessary shares
• Restrict access to required shares
• Secure registry keys with ACLs
• EFS can be used performance

23
SQL Security

• Set authentication to Windows only
• If you must use SQL Server authentication, ensure
  that authentication traffic is encrypted
• Remember no lockout for SQL mixed mode- windows
  auth only locks out if account policy set to

24
SQL Auditing

• Log all failed Windows login attempts
• Log successful and failed actions across the file
  system
• Enable SQL Server login auditing
• Enable SQL Server general auditing

25
Securing Database Objects

• Remove the sample databases
• Secure stored procedures
• Secure extended stored procedures
• Restrict cmdExec access to the sysadmin role
• Restrict XP_CMDShell check if your application
  needs it

26
Using Views and Stored Procedures

• SQL queries may contain confidential information
• Use stored procedures whenever possible
• Use views instead of direct table access
• Implement security best practices for Web-based
  applications
• Stored Procs should validate input and be the
  only things that access tables, avoid views as
  they are injectionable

27
Securing Web Applications

• Validate all data input
• Secure authentication and authorization
• Secure sensitive data
• Use least-privileged process and service accounts
• Configure auditing and logging
• Use structured exception handling

28
Top Ten Things to Protect SQL Server
1
Install the most recent service pack
2
Run MBSA
3
Configure Windows authentication
4
Isolate the server and back it up
5
Check the sa password remove it ?
6
Limit privileges of SQL services
7
Block ports at your firewall
8
Use NTFS
9
Remove setup files and sample databases
10
Audit connections
29
Agenda

• Introduction
• Protecting Exchange Server
• Protecting SQL Server 
• Securing Small Business Server
• Providing Data Security

30
Role and Limitations of File Permissions

• Prevent unauthorized access
• Limit administrators
• Do not protect against intruders with physical
  access
• Encryption provides additional security

31
Role and Limitations of EFS

• Benefit of EFS encryption
• Ensures privacy of information
• Uses robust public key technology
• Danger of encryption
• All access to data is lost if the private key is
  lost
• Private keys on client computers
• Keys are encrypted with derivative of users
  password
• Private keys are only as secure as the password
• Private keys are lost when user profile is lost

32
EFS Differences Between Windows Versions

• Windows 2000 and newer Windows versions support
  EFS on NTFS partitions
• Windows XP and Windows Server 2003 include new
  features
• Additional users can be authorized
• Offline files can be encrypted
• The triple-DES (3DES) encryption algorithm can
  replace DESX
• A password reset disk can be used
• EFS preserves encryption over WebDAV
• Data recovery agents are recommended
• Usability is enhanced

33
Implementing EFS Advice

• Use Group Policy to disable EFS until ready for
  central implementation
• Plan and design policies
• Designate recovery agents
• Assign certificates
• Implement via Group Policy