Web Security - PowerPoint PPT Presentation

About This Presentation
Title:

Web Security

Description:

SQL Injection. Denial Of Service. April 21, 2004. American ... SQL Server Transact SQL. April 21, 2004. American Management Systems, Inc. Architecture ... – PowerPoint PPT presentation

Slides: 22
Provided by: andy83
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

Title: Web Security


1
Web Security
  • Glen Dorton

2
Introduction
  • Authentication
  • Data protection
  • Attacks
  • Other Risks
  • Detailed example

3
Authentication
  • Anonymous
  • Basic Authentication
  • Windows Challenge Response
  • Client Certificates
  • Digest (Active Directory, RFC 2617)
  • Fortezza

4
Windows Integrated
  • Windows Challenge Response
  • Kerberos
    - Internet Explorer 5.0 and above
    - Active Directory
    - Internet Information Server 5.0 and above
  • Windows Challenge Response
    - IE 3.01 and above
    - IIS 4.0 and above

5
Certificates
  • Each client requires a certificate
  • Server requires its own certificate and copy of
    all client certificates
  • Maps certificate to local user account (one to
    one or many to one)

6
Digest Authentication
  • Checksum (default MD5) of username, password,
    nonce value, HTTP method and requested URI
  • More secure than Basic Authentication, but less
    secure than Kerberos
  • User's password stored with reversible encryption
    on the server

7
Fortezza
  • Cryptographic smart cards
  • Client certificates and private keys
  • Trademarked by NSA

8
Data Protection
  • S-HTTP: confidentiality, authentication,
    integrity
  • SSL: Secure Sockets Layer
  • TLS: Transport Layer Security
  • PCT: Private Communication Technology
  • SET: Secure Electronic Transaction

9
Other Risks
  • Mobile Code
    - Java
    - ActiveX
    - Scripting
  • Others
    - CGI: Common Gateway Interface
    - ISAPI: Internet Services API

10
Attacks
  • Buffer overflows
  • Cross site scripting
  • URL Attacks
  • Phishing
  • Parent Paths
  • SQL Injection
  • Denial Of Service

11
3-Tiered Web Application
  • Enterprise application used to manage corporate
    clients
  • All-Microsoft solution

12
Platform
  • Internet Explorer version 6
  • IIS version 5
  • Windows 2000 Advanced Server
  • SQL Server 2000

13
Application Development
  • Active Server Pages
  • VB Script
  • ActiveX controls
  • Visual Basic
  • SQL Server Transact SQL

14
Architecture
  • Presentation Layer
    - Internet Explorer
    - ActiveX controls
    - ActiveX Data Objects/Remote Data Services
    - VB Script

15
Architecture
  • Business Layer
    - Internet Information Server (IIS)
    - ActiveX Data Objects
    - Custom COM components in Visual Basic

16
Architecture
  • Data Layer
    - SQL Server 2000

17
Security Mechanisms
  • SSL
  • Windows Integrated Authentication
  • User Management
  • Server Hardening
  • COM security
  • SQL Server Security
  • IIS Security

18
IIS Security
  • The Good
    - Integrates tightly with operating system
    - Flexibility
    - Logging
  • The Bad
    - Integrates tightly with operating system
    - Flexibility
    - Installs in an open configuration
  • The Ugly
    - It's a Microsoft product

19
Weak Areas
  • PASSWORDS!
  • Remote Data Objects
  • SQL Injection

20
Questions?

21
References
  • http://technet.microsoft.com/
  • http://www.microsoft.com/security
  • http://msdn.microsoft.com/
  • http://www.w3.org/Security/Faq/www-security-faq.html