Qx FYxx Content - PowerPoint PPT Presentation

Slides: 57
Provided by: fredr150
Transcript and Presenter's Notes

2
Implementing Application and Data Security
  • Presenter Name
  • Job Title
  • Company

3
Session Prerequisites
  • Understanding of network security essentials
  • Hands-on experience with Windows 2000 Server or
    Windows Server 2003
  • Experience with Windows management tools
  • Hands-on experience with Exchange Server and SQL
    Server management tools

Level 300
4
Agenda
  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security

5
Defense in Depth
  • Using a layered approach
  • Increases an attacker's risk of detection
  • Reduces an attacker's chance of success

Layers and the controls at each layer:
  • Policies, Procedures, Awareness: user education
  • Physical Security: guards, locks, tracking devices
  • Perimeter: firewalls, VPN quarantine
  • Internal Network: network segments, IPSec, NIDS
  • Host: OS hardening, update management, authentication, HIDS
  • Application: application hardening, antivirus
  • Data: ACL, encryption
6
Why Application Security Matters
  • Perimeter defenses provide limited protection
  • Many host-based defenses are not application
    specific
  • Most modern attacks occur at the application
    layer

7
Why Data Security Matters
  • Secure your data as the last line of defense
  • Configure file permissions
  • Configure data encryption
  • Protects the confidentiality of information when
    physical security is compromised

8
Application Server Best Practices
  • Configure security on the base operating system
  • Apply operating system and application service packs and patches
  • Install or enable only those services that are required
  • Assign only those permissions needed to perform required tasks
  • Assign application accounts the minimal permissions
  • Apply defense-in-depth principles to increase protection
9
Agenda
  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security

10
Exchange Security Dependencies
  • Exchange security is dependent on
    • Operating system security
    • Network security
    • IIS security (if you use OWA)
    • Client security (Outlook)
    • Active Directory security

Remember: defense in depth
11
Securing Exchange Servers
  • Exchange 2000 Back-End Servers
    • Apply baseline security template and the Exchange back-end incremental template
  • Exchange 2000 Front-End Servers
    • Apply baseline security template and the Exchange front-end incremental template
    • Dismount private and public stores
  • Exchange 2000 OWA Server
    • Apply IIS Lockdown, including URLScan
  • Exchange 2003 Back-End Server
    • Apply protocol security templates
  • Exchange 2003 Front-End and OWA Server
    • IIS Lockdown and URLScan integrated with IIS 6.0
    • Use application isolation mode

12
Aspects of Exchange Server Security
  • Securing Access to Exchange Server
    • Blocking unauthorized access
  • Securing Communications
    • Blocking and encrypting communications
  • Blocking Spam
    • Filtering incoming mail
    • Relay restrictions: don't aid spammers!
  • Blocking Insecure E-Mail Messages
    • Virus scanning
    • Attachment blocking

13
Configuring Authentication, Part 1
  • Secure Outlook client authentication
  • Configure Exchange Outlook 2003 to use RPC over
    HTTPS
  • Configure SPA to encrypt authentication for
    Internet protocol clients

Remember: secure authentication does not equal encryption of data
14
Configuring Authentication, Part 2
  • OWA supports several authentication methods

Authentication Method         Considerations
Basic authentication          Insecure unless you require SSL
Integrated authentication     Limited client support; issues across firewalls
Digest authentication         Limited client support
Forms-based authentication    Ability to customize authentication; wide client support; available with Exchange Server 2003
15
Securing Communications
  • Configure RPC encryption
    • Client side setting
    • Enforcement with ISA Server FP1
  • Firewall blocking
    • Mail server publishing with ISA Server
  • Configure HTTPS for OWA
  • Use S/MIME for message encryption
  • Outlook 2003 Enhancements
    • Kerberos authentication
    • RPC over HTTPS

16
Encrypting a Message
S/MIME flow from Client 1 to Client 2 (Active Directory domain controller; SMTP virtual servers VS1 and VS2):
  1. New message (Client 1)
  2. Locate Client 2's public key (Active Directory domain controller)
  3. Message encrypted with a shared key
  4. Message sent using S/MIME (SMTP VS1 to SMTP VS2)
  5. Message arrives encrypted
  6. Client 2's private key is used to decrypt the shared key, and the shared key is used to decrypt the message
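The six steps on this slide, as an added example in Go that is not part of the presentation: the directory lookup of step 2 is modelled with a map, the shared key of step 3 with AES-GCM, and the public-key protection of that shared key with RSA-OAEP, so that the relaying SMTP servers in steps 4 and 5 only ever see ciphertext. The Directory and Envelope types, the sample clients and the message are constructed assumptions; real S/MIME wraps these pieces in CMS enveloped-data structures rather than this layout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory stands in for the Active Directory lookup in step 2:
// recipient name -> published public key (constructed, not a real directory).
type Directory map[string]*rsa.PublicKey

// Envelope is a simplified S/MIME enveloped message: the body is sealed with a
// fresh shared key, and only that key is wrapped under the recipient's RSA key.
type Envelope struct {
	To         string
	WrappedKey []byte // shared key encrypted with Client 2's public key
	Nonce      []byte
	Ciphertext []byte // message body encrypted with the shared key (step 3)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRecipient is the sender's side (steps 1 to 3).
func EncryptForRecipient(dir Directory, to string, message []byte) (*Envelope, error) {
	pub, ok := dir[to]
	if !ok {
		return nil, fmt.Errorf("no public key published for %q", to)
	}
	shared := make([]byte, 32) // random 256-bit shared (content) key
	if _, err := rand.Read(shared); err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The recipient address is bound to the ciphertext as associated data.
	ct := gcm.Seal(nil, nonce, message, []byte(to))
	// RSA-OAEP wrap: only the holder of the matching private key can unwrap.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, shared, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{To: to, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenEnvelope is the recipient's side (step 6): unwrap the shared key with
// the private key, then decrypt the body with the shared key.
func OpenEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	shared, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap shared key: not the intended recipient")
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.To))
}

// LeaksPlaintextInTransit reports whether the message body is visible to the
// SMTP virtual servers relaying it (steps 4 and 5); it never should be.
func LeaksPlaintextInTransit(env *Envelope, message []byte) bool {
	return bytes.Contains(env.Ciphertext, message)
}

func main() {
	client1, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample keys
	client2, _ := rsa.GenerateKey(rand.Reader, 2048)
	dir := Directory{"client1": &client1.PublicKey, "client2": &client2.PublicKey}
	msg := []byte("constructed sample message")
	env, err := EncryptForRecipient(dir, "client2", msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("body readable in transit:", LeaksPlaintextInTransit(env, msg))
	body, err := OpenEnvelope(client2, env)
	fmt.Printf("client 2 decrypted: %q (err=%v)\n", body, err)
	_, err = OpenEnvelope(client1, env)
	fmt.Println("client 1 (sender) decrypt attempt:", err)
}
```

The point the slide's "Remember" note makes also shows up here: the sender's own key cannot open the envelope, and the servers in between carry only ciphertext, which is independent of however the clients authenticated to them.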
17
Demonstration 1: Securing Exchange
  • Configuring Forms-Based Authentication
  • Configuring RPC Encryption
  • Using ISA Server to Publish Exchange
18
Blocking Spam: Exchange 2000
  • Close open relays!
  • Protect against address spoofing
  • Prevent Exchange from resolving recipient names
    to GAL accounts
  • Configure reverse DNS lookups

19
Blocking Spam: Exchange 2003
  • Use additional features in Exchange Server 2003
    • Support for real-time block lists
    • Global deny and accept lists
    • Sender and inbound recipient filtering
    • Improved anti-relaying protection
    • Integration with Outlook 2003 and third-party junk mail filtering
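The relay restriction behind "close open relays" on the two slides above, as an added Go example that is not from the presentation: a per-recipient decision an SMTP virtual server makes, with the open-relay misconfiguration beside the restricted policy (deliver for local domains, relay only for the internal network or authenticated clients, reject everything else), plus the self-check an open-relay scan such as MBSA performs. The RelayPolicy and Session types, the documentation addresses and the domains are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// RelayPolicy is a constructed model of an SMTP virtual server's relay
// restrictions: the domains it accepts mail for, and who may relay through it.
type RelayPolicy struct {
	LocalDomains    map[string]bool // domains this server delivers locally
	InternalNetwork netip.Prefix    // clients allowed to relay without authenticating
	AllowAuthRelay  bool            // authenticated clients may relay
	OpenRelay       bool            // the misconfiguration the slide warns about
}

// Session is what the SMTP server knows about the connecting client.
type Session struct {
	SourceIP      netip.Addr
	Authenticated bool
}

// Decide returns "deliver" for a local recipient, "relay" when outbound
// relaying is permitted for this session, and "reject" otherwise.
func (p RelayPolicy) Decide(s Session, rcpt string) string {
	at := strings.LastIndex(rcpt, "@")
	if at < 0 {
		return "reject"
	}
	if p.LocalDomains[strings.ToLower(rcpt[at+1:])] {
		return "deliver" // inbound mail for our own domain is always accepted
	}
	if p.OpenRelay || p.InternalNetwork.Contains(s.SourceIP) || (p.AllowAuthRelay && s.Authenticated) {
		return "relay"
	}
	return "reject"
}

// IsOpenRelay is the check an open-relay scanner performs: an anonymous
// Internet client asks the server to forward mail to a foreign domain.
func IsOpenRelay(p RelayPolicy) bool {
	anon := Session{SourceIP: netip.MustParseAddr("203.0.113.10")} // constructed external client
	return p.Decide(anon, "someone@example.net") == "relay"
}

func main() {
	hardened := RelayPolicy{
		LocalDomains:    map[string]bool{"example.com": true}, // constructed sample domain
		InternalNetwork: netip.MustParsePrefix("192.0.2.0/24"),
		AllowAuthRelay:  true,
	}
	open := hardened
	open.OpenRelay = true
	fmt.Println("hardened policy is an open relay:", IsOpenRelay(hardened))
	fmt.Println("open policy is an open relay:    ", IsOpenRelay(open))
}
```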

20
Demonstration 2: Configuring Exchange Spam Protection
  • Anti-Relay Protection
21
Blocking Insecure Messages
  • Implement antivirus gateways
    • Monitor incoming and outgoing messages
    • Update signatures often
  • Configure Outlook attachment security
    • Web browser security determines whether attachments can be opened in OWA
  • Implement ISA Server
    • Message Screener can block incoming messages

22
Using Permissions to Secure Exchange
  • Administration models
    • Centralized
    • Decentralized
  • Delegating permissions
    • Creating administrative groups
    • Using administrative roles
    • Delegating administrative control

23
Enhancements in Exchange Server 2003
  • Many secure-by-default settings
  • More restrictive permissions
  • New mail transport features
  • New Internet Connection Wizard
  • Cross-forest authentication support

24
Defense in Depth
25
Top Ten Things to Secure Exchange
  1. Install the latest service pack
  2. Install all applicable security patches
  3. Run MBSA
  4. Check relay settings
  5. Disable or secure well-known accounts
  6. Use a layered antivirus approach
  7. Use a firewall
  8. Evaluate ISA Server
  9. Secure OWA
  10. Implement a backup strategy
26
Agenda
  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security

27
Basic Security Configuration
  • Apply service packs and patches
  • Use MBSA to detect missing SQL updates
  • Disable unused services
    • MSSQLSERVER (required)
    • SQLSERVERAGENT
    • MSSQLServerADHelper
    • Microsoft Search
    • Microsoft DTC

28
Common Database Server Threats and
Countermeasures
29
Database Server Security Categories
30
Network Security
  • Restrict SQL to TCP/IP
  • Harden the TCP/IP stack
  • Restrict ports

31
Operating System Security
  • Configure the SQL Server service account with the
    lowest possible permissions
  • Delete or disable unused accounts
  • Secure authentication traffic

32
Logins, Users, and Roles
  • Use a strong system administrator (sa) password
  • Remove the SQL guest user account
  • Remove the BUILTIN\Administrators server login
  • Do not grant permissions for the public role

33
Files, Directories, and Shares
  • Verify permissions on SQL Server installation
    directories
  • Verify that Everyone group does not have
    permissions to SQL Server files
  • Secure setup log files
  • Secure or remove tools, utilities, and SDKs
  • Remove unnecessary shares
  • Restrict access to required shares
  • Secure registry keys with ACLs

34
SQL Security
  • Set authentication to Windows only
  • If you must use SQL Server authentication, ensure
    that authentication traffic is encrypted

35
SQL Auditing
  • Log all failed Windows login attempts
  • Log successful and failed actions across the file
    system
  • Enable SQL Server login auditing
  • Enable SQL Server general auditing

36
Securing Database Objects
  • Remove the sample databases
  • Secure stored procedures
  • Secure extended stored procedures
  • Restrict cmdExec access to the sysadmin role

37
Using Views and Stored Procedures
  • SQL queries may contain confidential information
  • Use stored procedures whenever possible
  • Use views instead of direct table access
  • Implement security best practices for Web-based
    applications

38
Securing Web Applications
  • Validate all data input
  • Secure authentication and authorization
  • Secure sensitive data
  • Use least-privileged process and service accounts
  • Configure auditing and logging
  • Use structured exception handling

39
Top Ten Things to Protect SQL Server
  1. Install the most recent service pack
  2. Run MBSA
  3. Configure Windows authentication
  4. Isolate the server and back it up
  5. Check the sa password
  6. Limit privileges of SQL services
  7. Block ports at your firewall
  8. Use NTFS
  9. Remove setup files and sample databases
  10. Audit connections
40
Agenda
  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security

41
Recognizing Threats
  • Small Business Server plays many server roles
  • External threats
    • Small Business Server is often connected to the Internet
  • Internal threats
    • All components of Small Business Server must be secured
  • Many settings secured by default

42
Protecting Against External Threats
  • Configure password policies to require complex passwords
  • Configure secure remote access
    • Remote Web Workplace
    • Remote Access
  • Rename the Administrator account
  • Implement Exchange and IIS security best practices
  • Use a firewall

43
Using a Firewall
(Diagram: Internet, firewall, LAN)
  • Included firewall features
    • ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition
    • Basic firewall functionality in SBS 2003, Standard Edition
  • Consider a separate firewall
    • SBS 2003 can communicate with an external firewall by using UPnP
    • ISA Server can provide application-layer protection

44
Protecting Against Internal Threats
  • Implement an antivirus solution
  • Implement a backup plan
  • Run MBSA
  • Control access permissions
  • Educate users
  • Do not use the server as a workstation
  • Physically secure the server
  • Limit user disk space
  • Update the software

45
Agenda
  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security

46
Role and Limitations of File Permissions
  • Prevent unauthorized access
  • Limit administrators
  • Do not protect against intruders with physical
    access
  • Encryption provides additional security

47
Role and Limitations of EFS
  • Benefit of EFS encryption
    • Ensures privacy of information
    • Uses robust public key technology
  • Danger of encryption
    • All access to data is lost if the private key is lost
  • Private keys on client computers
    • Keys are encrypted with a derivative of the user's password
    • Private keys are only as secure as the password
    • Private keys are lost when the user profile is lost

48
EFS Architecture
49
EFS Differences Between Windows Versions
  • Windows 2000 and newer Windows versions support EFS on NTFS partitions
  • Windows XP and Windows Server 2003 include new features
    • Additional users can be authorized
    • Offline files can be encrypted
    • The triple-DES (3DES) encryption algorithm can replace DESX
    • A password reset disk can be used
    • EFS preserves encryption over WebDAV
    • Data recovery agents are recommended
    • Usability is enhanced

50
Implementing EFS: How to Do It Right
  • Use Group Policy to disable EFS until ready for
    central implementation
  • Plan and design policies
  • Designate recovery agents
  • Assign certificates
  • Implement via Group Policy
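The "Role and Limitations of EFS" slide and the recovery-agent step above, together, as an added Go example that is not the presentation's own material: the file encryption key (FEK) is wrapped once per authorized user and once per designated recovery agent, and the user's private key is reachable only through a password-protected profile, so a forgotten password or a lost profile strands the data unless a recovery agent entry exists. The KeyEntry and KeyProfile types and the password derivation are simplified constructed stand-ins, not the real EFS or DPAPI formats, and the sample keys and contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyEntry stands in for one EFS DDF (user) or DRF (recovery agent) field: the FEK wrapped under a public key.
type KeyEntry struct {
	Holder     string
	WrappedFEK []byte
}

// EncryptedFile is the contents sealed with the FEK plus one entry per holder.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	Entries           []KeyEntry
}

// KeyProfile is the private key as kept in the user profile, sealed under a password-derived key (simplified).
type KeyProfile struct{ Salt, Nonce, SealedKey []byte }

// aead returns AES-GCM for a 32-byte key; every key in this example is 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand never returns an error (Go 1.24+)
	return b
}

// deriveKey is a deliberately simplified stand-in for a password KDF (not the real Windows derivation).
func deriveKey(password string, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return k[:]
}

// ProtectPrivateKey seals priv so that it is usable only with the password.
func ProtectPrivateKey(priv *rsa.PrivateKey, password string) *KeyProfile {
	salt, nonce := randomBytes(16), randomBytes(12)
	sealed := aead(deriveKey(password, salt)).Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)
	return &KeyProfile{Salt: salt, Nonce: nonce, SealedKey: sealed}
}

// UnlockPrivateKey fails on a wrong password or a lost profile (nil): no key, no data.
func UnlockPrivateKey(p *KeyProfile, password string) (*rsa.PrivateKey, error) {
	if p == nil {
		return nil, errors.New("user profile lost: private key is gone")
	}
	der, err := aead(deriveKey(password, p.Salt)).Open(nil, p.Nonce, p.SealedKey, nil)
	if err != nil {
		return nil, errors.New("wrong password: cannot unlock private key")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// EncryptFile seals plain under a fresh FEK and wraps the FEK for each holder (users and recovery agents alike).
func EncryptFile(plain []byte, holders map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := randomBytes(32)
	f := &EncryptedFile{Nonce: randomBytes(12)}
	f.Ciphertext = aead(fek).Seal(nil, f.Nonce, plain, nil)
	for holder, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.Entries = append(f.Entries, KeyEntry{Holder: holder, WrappedFEK: w})
	}
	return f, nil
}

// DecryptFile tries every entry with priv; any matching entry (the owner's or a recovery agent's) unwraps the FEK.
func DecryptFile(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, e := range f.Entries {
		if fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedFEK, nil); err == nil {
			return aead(fek).Open(nil, f.Nonce, f.Ciphertext, nil)
		}
	}
	return nil, errors.New("no key entry matches this private key: data unrecoverable")
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample keys
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := EncryptFile([]byte("constructed contents"), map[string]*rsa.PublicKey{"user": &user.PublicKey, "dra": &agent.PublicKey})
	_, err := UnlockPrivateKey(nil, "constructed-password") // owner's profile lost
	data, _ := DecryptFile(f, agent)                        // recovery agent still succeeds
	fmt.Printf("owner: %v; recovery agent read %q\n", err, data)
}
```

Designating the recovery agent before users start encrypting matters because the DRF entry is written when a file is encrypted; a file sealed with only the user's entry stays unrecoverable after that user's profile is gone, which is why the slide disables EFS until the policy is in place.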

51
Demonstration 3: Configuring EFS
  • Configuring Data Recovery Agents
  • Encrypting Files
  • Decrypting Files
  • Viewing EFS info
52
Session Summary
  • Protecting Applications and Data
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security

53
Next Steps
  • Stay informed about security
    • Sign up for security bulletins
      http://www.microsoft.com/security/security_bulletins/alerts2.asp
    • Get the latest Microsoft security guidance
      http://www.microsoft.com/security/guidance/
  • Get additional security training
    • Find online and in-person training seminars
      http://www.microsoft.com/seminar/events/security.mspx
    • Find a local CTEC for hands-on training
      http://www.microsoft.com/learning/

54
For More Information
  • Microsoft Security Site (all audiences)
    http://www.microsoft.com/security
  • TechNet Security Site (IT professionals)
    http://www.microsoft.com/technet/security
  • MSDN Security Site (developers)
    http://msdn.microsoft.com/security

55
Questions and Answers