About This Presentation
Title:

Event Name here

Description:

Confidentiality 'I do not want unauthorized users to gain access to confidential information' ... Microsoft Security Bulletin MS03-007 ... – PowerPoint PPT presentation

Slides: 41
Provided by: nate5
Transcript and Presenter's Notes

Title: Event Name here


1
Principles and Patterns of Security
Ron Jacobs Architect Evangelist Microsoft
TEAVNOST 200
2
ARCast.TV / ARCast Radio
http://channel9.msdn.com
3
Agenda
  • Threat Modeling
  • Basic Security Concepts
  • Security Code Review
  • Summary / Q&A

4
Threat Analysis
  • Secure software starts with understanding the
    threats
  • Threats are not vulnerabilities
  • Threats live forever
  • How will attackers attempt to compromise the
    system?

[Diagram: Asset, Threat, Vulnerability, Mitigation]
5
Threat Modeling
http://msdn2.microsoft.com/en-us/library/ms978527.aspx
6
Security Objectives
  • What do you not want to happen?
  • Confidentiality
  • I do not want unauthorized users to gain access
    to confidential information
  • Integrity
  • I do not want unauthorized users to tamper with
    data
  • Availability
  • I do not want the system to be unavailable
    because of an attack
  • Agree on security objectives up front
  • Helps to scope and focus your security efforts

7
Agenda
  • Threat Modeling
  • Basic Security Concepts
  • Security Code Review
  • Summary / Q&A

8
Basic Security Concepts
  • Reduce Attack Surface
  • Defense In Depth
  • Least Privilege
  • Fail to Secure Mode

9
Attack Surface
  • The Attack Surface is the sum of the ways in
    which an attacker can get at you
  • Smaller Attack Surface is better

Which one has the Smaller attack surface?
10
Understand Your Attack Surface
  • Networking protocols that are enabled by default
  • Network Endpoints
  • Code that auto-starts or will execute when
    accessed
  • Examples: Services, daemons, ISAPI filters and
    applications, SOAP services, and Web roots
  • Reusable components
  • ActiveX controls, COM objects, and .NET Framework
    assemblies (especially those marked with the
    AllowPartiallyTrustedCallersAttribute)
  • Process identities for all the code you run
  • User accounts installed

11
Reducing Attack Surface
Service Autostart SYSTEM
12
Reducing Attack Surface
Service Autostart SYSTEM
Turn off less-used ports
13
Reducing Attack Surface
Service Autostart SYSTEM
Turn off UDP connections
14
Reducing Attack Surface
Service Autostart SYSTEM
Restrict requests to subnet/IP range
15
Reducing Attack Surface
Service Autostart SYSTEM
Authenticate connections
16
Reducing Attack Surface
Service Manual NetService
Lower privilege Turn feature off
17
Reducing Attack Surface
Service Manual NetService
Harden ACLs on data store
  Before: Everyone (Full Control)
  After:  Admin (Full Control), Everyone (Read), Service (RW)
18
Basic Security Concepts
  • Reduce Attack Surface
  • Defense In Depth
  • Least Privilege
  • Fail to Secure Mode

19
Defense In Depth
  • Don't count on one line of defense for everything
  • What if the attacker penetrates that defense?
  • Contain the damage
  • An example: Nuclear Plants
  • Multiple redundant safety systems. Nuclear
    plants are designed according to a "defense in
    depth" philosophy that requires redundant,
    diverse, reliable safety systems. Two or more
    safety systems perform key functions
    independently, such that, if one fails, there is
    always another to back it up, providing
    continuous protection.
    (Source: Nuclear Energy Institute)

20
Defense in Depth (MS03-007): Windows Server 2003 Unaffected
  Microsoft Security Bulletin MS03-007
  Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
  Originally posted: March 17, 2003
  Impact of vulnerability: Run code of attacker's choice
  Maximum Severity Rating: Critical
  Affected Software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP
  Not Affected Software: Microsoft Windows Server 2003
21
Basic Security Concepts
  • Reduce Attack Surface
  • Defense In Depth
  • Least Privilege
  • Fail to Secure Mode

22
Least Privilege
  • A defense in depth measure
  • Code should run with only the permissions it
    requires
  • Attackers can only do whatever the code was
    already allowed to do
  • Recommendations
  • Use least privilege accounts
  • Use code access security
  • Write Apps that non-admins can actually use

23
Basic Security Concepts
  • Reduce Attack Surface
  • Defense In Depth
  • Least Privilege
  • Fail to Secure Mode

24
Fail To Secure Mode

    Imports System.Data.SqlClient

    Function Authenticate(UserID As String, Password As String) As Boolean
        Dim Authenticated As Boolean = True          ' Danger!! Assumes success
        Try
            Dim conn As New SqlConnection(connString)
            conn.Open()
            Dim cmd As New SqlCommand("SELECT Count(*) FROM Users", conn)
            Dim count As Integer = CInt(cmd.ExecuteScalar())
            Authenticated = (count = 1)
        Catch ex As Exception
            ' Exception swallowed: the flag is never reset
            MessageBox.Show("Error logging in " & ex.Message)
        End Try
        Return Authenticated                         ' Authenticated flag may still be True here
    End Function
25
Insecure Failure
  • Watch out for exceptions!

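The fail-open pattern on the slide and its fail-secure counterpart, side by side, as an added example that is not part of the original presentation. It is written in Python against an in-memory SQLite table (the presentation's code is VB.NET against SQL Server); the user store, the sample credentials and the way the database is made to fail (closing the connection) are all constructed for the example, and the unsalted SHA-256 is only to keep the sample short.

```python
import hashlib
import sqlite3


def make_user_db():
    """Constructed in-memory user store (sample data, not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT PRIMARY KEY, PasswordHash TEXT)")
    # Unsalted SHA-256 keeps the sample short; a real store would use a salted, slow hash.
    conn.execute("INSERT INTO Users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def _count_matching(conn, user_id, password):
    """Number of rows whose credentials match; raises if the database is unusable."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE UserID = ? AND PasswordHash = ?",
        (user_id, pw_hash),
    ).fetchone()
    return row[0]


def authenticate_fail_open(conn, user_id, password):
    """Mirrors the slide's VB.NET: the flag starts True and an exception leaves it True."""
    authenticated = True  # Danger!! Assumes success
    try:
        authenticated = _count_matching(conn, user_id, password) == 1
    except Exception as ex:
        print("Error logging in", ex)  # exception swallowed, flag untouched
    return authenticated  # may still be True here


def authenticate_fail_secure(conn, user_id, password):
    """Fail to secure mode: deny unless the check positively succeeds."""
    authenticated = False  # safe default
    try:
        authenticated = _count_matching(conn, user_id, password) == 1
    except Exception as ex:
        print("Error logging in", ex)
        return False  # explicit deny on any failure
    return authenticated


if __name__ == "__main__":
    db = make_user_db()
    print(authenticate_fail_open(db, "alice", "correct horse"))   # True
    db.close()  # simulate the database becoming unreachable
    print(authenticate_fail_open(db, "mallory", "anything"))      # True (!)
    print(authenticate_fail_secure(db, "mallory", "anything"))    # False
```

With a working database both versions agree; the difference only appears when the query throws, which is exactly the case the slide warns about.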
26
Agenda
  • Threat Modeling
  • Basic Security Concepts
  • Security Code Review
  • Summary / Q&A

27
Security Code Review
  • Never connect as SA
  • Don't embed secrets
        user id=sa; password=password        (unencrypted, weak password)
  • Don't concatenate arguments
        "... WHERE ID='" & ID & "'"
  • Don't reveal everything to an attacker
        For Each err As SqlError ...
28
How to get 0wn3d
  • How to lose control of your database server in 3
    easy steps

29
Why not connect as SA?
  • Violates the principle of least privilege
  • Threat: Code is subject to attacker elevating
    privilege
  • Mitigation / Recommendation
  • Defense in depth
  • Action: Run SQL as Network Service rather than
    Local System
  • Reduce surface area: eliminate privileges on
    everything except for the required stored
    procedures
  • Action: Create stored procedures
  • Least privilege: run as a lesser privileged user
    when connecting to the database
  • Action: Fix the connection string

30
Why not embed secrets?
  • Violates the principle of avoiding security by
    obscurity
  • Threat: Secrets are easily discovered
  • Mitigation / Recommendation
  • Don't store secrets
  • Tip: Use Windows Authentication
  • Encrypt secrets
  • For .NET 1.1 consider Enterprise Library
  • For .NET 2.0 use Enterprise Library or
    System.Security.Cryptography.ProtectedData
  • For SQL Server 2005 use EncryptByKey /
    DecryptByKey

31
Never create your own encryption
32
Why not use easy passwords?
  • Because they are easily broken by brute force
    attacks
  • Threat: Attacker guesses or brute forces the password
    to access secrets
  • Mitigation
  • Enforce a strong password policy
  • Enable password policy enforcement on SQL Server
  • Uses the Windows Server 2003 policy

33
Brute Force Dictionary Attacks
34
Password Policy
[Screenshot: SQL Server 2005 Management Studio password policy settings]
35
Why not concatenate arguments?
  • Violates the principle of All Input Is Evil
    (Until Proven Otherwise)
  • Threat: Code is subject to luring attacks via SQL
    Injection
  • Mitigation / Recommendation
  • Reduce Attack Surface
  • Use parameters with SQL
  • Create stored procedures and grant access only to
    the stored procedure
  • Disable unneeded SQL Server features

36
Security Fix: Validate Input
  • Constrain
  • Look for valid data and reject everything else
  • Set Max Length to 5
  • Use Regular Expressions to permit only what you
    want
  • Integer expression: [0-9]{0,5}
  • Reject
  • Reject things you know are bad
  • Sanitize
  • Use SQL Parameters
  • HTMLEncode output

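The two slides above (concatenated arguments, then constrain / reject / sanitize) worked through together, as an added example that is not part of the original presentation. It is Python against an in-memory SQLite table rather than the presentation's VB.NET and SQL Server; the product table and its rows are constructed sample data. The validator follows the slide's constraint (digits only, max length 5), except that it requires at least one digit where the slide's expression also allows zero.

```python
import html
import re
import sqlite3

# Slide's constraint: digits only, at most five characters (here at least one digit).
ID_PATTERN = re.compile(r"[0-9]{1,5}")
MAX_ID_LENGTH = 5


def make_products_db():
    """Constructed in-memory table (sample data, not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [(1, "Widget"), (2, "A&B Gadget"), (3, "Gizmo")])
    conn.commit()
    return conn


def lookup_concatenated(conn, product_id):
    """The slide's WHERE ID='" & ID & "'" pattern: user input becomes part of the SQL."""
    sql = "SELECT Name FROM Products WHERE ID='" + product_id + "'"
    return [row[0] for row in conn.execute(sql)]


def is_valid_id(product_id):
    """Constrain: look for valid data and reject everything else."""
    return (len(product_id) <= MAX_ID_LENGTH
            and ID_PATTERN.fullmatch(product_id) is not None)


def lookup_parameterized(conn, product_id):
    """Validate first, then bind the value as a parameter. Returns None if rejected."""
    if not is_valid_id(product_id):
        return None
    return [row[0] for row in
            conn.execute("SELECT Name FROM Products WHERE ID = ?", (int(product_id),))]


def render_name(name):
    """Sanitize: HTML-encode output before it reaches a page."""
    return html.escape(name)


if __name__ == "__main__":
    db = make_products_db()
    print(lookup_concatenated(db, "2"))               # ['A&B Gadget']
    print(lookup_concatenated(db, "2' OR '1'='1"))    # all three rows: the input rewrote the query
    print(lookup_parameterized(db, "2' OR '1'='1"))   # None: rejected before any SQL runs
    print(lookup_parameterized(db, "2"))              # ['A&B Gadget']
    print(render_name("A&B Gadget"))                  # A&amp;B Gadget
```

The parameterized query would treat the bad input as a literal even without the validator; validating first is the defense-in-depth step the slides ask for, and it also turns a malformed request into a clean rejection rather than an empty result.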
37
Why not reveal all exceptions?
  • Most users won't understand the details anyway
  • Threat: Code is subject to information disclosure
    threats
  • Mitigation / Recommendation
  • Map low-level error messages to meaningful
    messages for your users
  • Never disclose secrets in error messages

38
Meaningful Error Messages
[Screenshot of a cryptic error dialog]
What this error really means: No SmartCard inserted in card reader
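Mapping low-level errors to user-facing messages while keeping the detail server-side, as an added example that is not part of the original presentation. The exception-to-message table, the `CardReaderError` class standing in for a smart-card library error, the reference-id scheme and the sample failures are all constructed for this example (Python, not the presentation's .NET code).

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app")


class CardReaderError(Exception):
    """Constructed stand-in for a low-level smart-card library error."""


# Low-level exception type -> text a user can act on (constructed mapping).
USER_MESSAGES = [
    (CardReaderError, "No SmartCard inserted in card reader."),
    (sqlite3.OperationalError,
     "The service is temporarily unavailable. Please try again later."),
    (PermissionError, "You are not authorized to perform this action."),
]
GENERIC = "Something went wrong. Please contact support and quote reference {ref}."


def user_facing_error(exc):
    """Log the full detail server-side; return only a mapped message for the user."""
    ref = uuid.uuid4().hex[:8]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)  # detail stays in the log
    for exc_type, message in USER_MESSAGES:
        if isinstance(exc, exc_type):
            return message
    # Unknown failure: generic text plus a reference the support desk can look up
    return GENERIC.format(ref=ref)


def run_query(conn, sql):
    """Returns (rows, None) on success or (None, user_message) on failure."""
    try:
        return conn.execute(sql).fetchall(), None
    except Exception as exc:
        return None, user_facing_error(exc)


def demo_messages():
    """Exercise the mapping with a missing table, a card-reader error and an unknown error."""
    conn = sqlite3.connect(":memory:")
    _, db_msg = run_query(conn, "SELECT * FROM NoSuchTable")
    card_msg = user_facing_error(CardReaderError("reader returned status: no card present"))
    other_msg = user_facing_error(ValueError("internal detail: /srv/app/config.ini"))
    return {"db": db_msg, "card": card_msg, "other": other_msg}


if __name__ == "__main__":
    for kind, message in demo_messages().items():
        print(kind, "->", message)
```

The table name, the exception class and the internal path all reach the log and never the user; the reference id is what lets an operator join the two without exposing the detail.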
39
Threat Model Checklist
  • No design is complete without a threat model!
  • Capture your work in a threat model document
  • Investigate threats
  • Track and prioritize vulnerabilities through to
    mitigation and testing
  • Take advantage of security guidance:
    http://msdn.microsoft.com/securityguidance

[Diagram: asset, threat, vuln]
40
(No Transcript)