Security Best Practices - PowerPoint PPT Presentation

About This Presentation
Title: Security Best Practices
Slides: 26
Provided by: patrick199
Transcript and Presenter's Notes

Title: Security Best Practices


1
Security Best Practices
  • Presented by
  • Patrick Hynds
  • President, CriticalSites
  • Microsoft Regional Director

2
What is at stake / What if
  • Your customer list were made public?
  • Sensitive data fell into the hands of a
    competitor?
  • You lost your financial records?
  • All your emails went away?
  • Your systems were used to attack another
    business?
  • Sarbanes-Oxley and HIPAA exposure?

3
Complicated Environments
  (Architecture diagram: rich clients and browsers reach the site over
  HTML and SOAP; an SMTP server and a load balancer, hardware or software,
  sit in front of several web servers; the front-end web servers connect
  to back-end databases, a lookup DB and SQL content DBs.)
  • Each system needs credentials to talk to the other

4
Storing Secrets
  • Do avoid secrets when you can
    • Consider using integrated authentication or the
      membership providers (now you know how)
  • Use layered protection when you need secrets
    • Access control settings
    • Data Protection API (DPAPI) or better
    • Use aspnet_setreg for ASP.NET secrets
      (<processModel>, <identity>, <sessionState>)
    • http://support.microsoft.com/default.aspx?scid=kb;EN-US;329290

5
Storing Secrets
  • Typical examples of secrets include
  • SQL connection strings
  • Credentials used for SQL application roles
  • Fixed identities in Web.config
  • Process identity in Machine.config
  • Keys used to store data securely
  • SQL Server session state
  • Passwords used for Forms authentication against a
    database
  • Credit cards for auto processing (dropship)

6
Connection String as an Example
  • Contains authentication information used by the
    applications to connect to the data source
  • Contains vital information about the application
    itself and details about the type of connection
    established
  • Is used to authenticate to a database, so it must
    be protected from unauthorized access

7
Secrets in Source
  • Advantages
    • Embedding secrets, especially connection strings,
      in source code offers high performance
    • The application does not have to reference an
      external source
  • Disadvantages
    • Changes in the connection string require
      the application to be recompiled
    • Source code can be decompiled or reverse
      engineered

8
Secrets in Registry
  • Windows registry is a central hierarchical
    database used to store configuration information
    and other settings unique to the system
  • Logical location to store items such as
    connection strings
  • Drawback is that other people / processes can
    access the registry
  • Performance inhibitor

9
SQL Injection
  • Exploits applications that use external input in
    database commands
    • Input from <form> fields
    • Input from query strings
  • The technique
    • Find a <form> field or query string parameter
      used to generate SQL commands
    • Submit input that modifies the commands
    • Compromise, corrupt, and destroy data

10
How SQL Injection Works
Model Query
  SELECT COUNT(*) FROM Users WHERE
  UserName='Jeff' AND Password='Ar@g0rnRul3z'
Malicious Query
  SELECT COUNT(*) FROM Users WHERE UserName='' or
  1=1--' AND Password=''
  • "' or 1=1" matches every record in the table
  • "--" comments out the remainder of the query

11
Validation Controls
  • Client-side validation
    • Provides instant feedback
    • Reduces postback cycles
    • No security-related checks
  • Server-side validation
    • Repeats all client-side validation
    • Validates against stored data, if required
    • Checks for what was expected
    • Checks for malicious input
    • Punishes detected hacking attempts
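As an added example (not from the slides), the model and malicious queries from the previous slide run against a constructed SQLite Users table, beside the parameterised query and the server-side allow-list check this slide calls for; the same pattern carries over to SqlCommand parameters in ASP.NET. The table contents and the username rule are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for the slide's Users table. The slide
# compares passwords in clear text, so this toy table does too; a real system
# would store a password hash instead.
SAMPLE_USERS = [("Jeff", "Ar@g0rnRul3z"), ("Alice", "correct-horse")]

# Assumed allow-list for UserName: the "checks for what was expected" step.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Build an in-memory SQLite database holding the sample Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def count_vulnerable(conn, username, password):
    """The slide's flawed pattern, kept on purpose as the 'before': user input
    is pasted into the SQL text, so the input can change the command."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='" + username
           + "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, username, password):
    """Parameterised query: SQL text and values travel separately, so the
    input is only ever compared against the column, never executed."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def validate_username(username):
    """Server-side check, repeated regardless of any client-side validation,
    because client-side checks can simply be bypassed."""
    return USERNAME_RE.fullmatch(username) is not None


def login_count(conn, username, password):
    """Layered handling of a login: reject unexpected input first, then run
    only the parameterised query. Returns the number of matching rows."""
    if not validate_username(username):
        return 0
    return count_safe(conn, username, password)
```

With the payload from the slide, count_vulnerable returns the whole table (2 rows) while count_safe and login_count return 0.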

12
Security through Obscurity
  • Hides secrets (like connection strings) on or
    outside of the web server file system
  • Offers a false sense of security
  • Common locations include compiled source code and
    the Windows registry
  • Tolerable as an additional line of defense
  • You never want to advertise your implementation
    details
  • M1 tanks don't require obscurity for defense, but
    we still keep their location a secret in battle!

13
Encryption Algorithms
  • Selecting an Algorithm
    • Some encryption algorithms perform better than
      others while some provide stronger encryption.
      Typically, larger encryption key sizes increase
      security.
  • A Common Mistake
    • Developing your own encryption algorithms

14
Security Trimming
  • Feature of site map providers
  • Varies navigation UI based on roles

  <?xml version="1.0" encoding="utf-8" ?>
  <siteMap>
    <!-- roles="*" makes the root visible to everyone; the roles attributes
         only trim the menu when securityTrimmingEnabled="true" is set on
         the site map provider in web.config -->
    <siteMapNode roles="*">
      <siteMapNode title="Home" url="/Default.aspx" />
      <siteMapNode title="Tickets" url="/Tickets.aspx" />
      <siteMapNode title="Concert Gear" url="/Gear.aspx" />
      <siteMapNode title="Backstage" roles="Members"
                   url="/MembersOnly/Backstage.aspx" />
      <siteMapNode title="Preferences" roles="Members"
                   url="/MembersOnly/Preferences.aspx" />
    </siteMapNode>
  </siteMap>

15
Security Trimming in Action
16
Accounts Best Practices
  • Implement Account Deception Planning
    • Rename Administrator (follow your naming
      convention)
    • Create a new account named Administrator
    • Assign the new account a strong password
    • Audit the dummy Administrator account
  • Establish password reuse policies with penalties
    for non-compliance
  • Limit password exposure using key utilities or
    faithfully followed procedures

17
Urgent Problem
  • Service Accounts on Windows
    • Typically have local Administrator access
    • Often are members of the Domain Admins group
    • Known to the network administrators
    • Often difficult to change, which means they are
      almost never changed
  • Risk
    • Many otherwise secure networks have ex-employees
      who may still know the username and password of
      one or more accounts that are members of the
      Administrators group

18
Service Account Controller
  • Features
    • Manages service account passwords across
      distributed systems
    • Changes service account passwords by generating
      them randomly, so that no one knows the passwords
    • Changes service account startup settings
    • Add servers you would like to manage
    • Add/hide services you would like to watch

19
Service Account Controller
  • Benefits
    • Create fully secure service accounts, satisfying
      compliance and security requirements for Windows
      services
    • Administer a distributed service account used by
      multiple servers and/or services from one
      location across an enterprise
    • Conceal the service account passwords, so they
      can't be used as backdoors by rogue administrators

20
Service Account Controller for Windows (SAC) Alpha
21
Challenges and Tradeoffs
  • Ease of use vs. security
  • Admin capabilities through the firewall?
  • You can buy as much security as you want; like
    insurance, there is no limit
  • Decide whether you should
    • Hire a CSO and associated staff
    • Train the entire staff to think security
    • Get external help as you need it

22
Knowing instead of Guessing
  • Secure applications are actually quite rare
  • Hackers often don't make their presence known
    until months after they take over
  • Proactive steps all organizations MUST take
    • Threat Modeling
    • External Audits
    • Disaster Recovery Planning
    • Spot Check Procedures
    • User Education
    • Technical Staff Education

23
Conclusion
  • None of these methods is 100% foolproof, but
    together they add up to better security
  • When implemented effectively, they reduce the risk
    of unauthorized access to sensitive information
  • The solution should be selected based on the
    application requirements and the established
    security policy

24
Special Offer!
  • First 100 Mini Code Camp attendees that provide
    contact information (business card or similar)
    will be added to our SAC Beta
  • Limited space
  • Feedback on the product is required, we want to
    make it better with the help of those who think
    about security

25
The stuff
  • Patrick Hynds
  • Duane LaFlotte
  • Thom Robbins (http