Implementing Application and Data Security

Fred Baumhardt

Senior Consultant – Security and Architecture

Microsoft Consulting Services - UK

Why Application Security Matters
  • Perimeter Defences provide limited protection
  • Many host-based Defences are not application specific
  • Most modern attacks occur at the application layer
Why Data Security Matters
  • Secure your data as the last line of Defence
  • Configure file permissions
  • Configure data encryption
    • Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
  • Configure security on the base operating system
  • Apply operating system and application service packs and patches
  • Install or enable only those services that are required
  • Assign only those permissions needed to perform required tasks
  • Application accounts should be assigned minimal permissions
  • Apply Defence-in-depth principles to increase protection

  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Providing Data Security
Exchange Security Dependencies
  • Exchange security is dependent on:
    • Operating system security
    • Network security
    • IIS security (if you use OWA)
    • Client security (Outlook)
    • Active Directory security

Remember: Defence in Depth

Securing Communications
  • Configure RPC encryption
    • Client side setting
    • Enforcement with ISA Server FP1, 2004
  • Firewall blocking
    • Mail server publishing with ISA Server
  • Configure HTTPS for OWA
  • Use S/MIME for message encryption
  • Outlook 2003 Enhancements
    • Kerberos authentication
    • RPC over HTTPS
Blocking Spam – Exchange 2000
  • Close open relays!
  • Protect against address spoofing
  • Prevent Exchange from resolving recipient names to GAL accounts
  • Configure reverse DNS lookups
  • Implement third party Anti-Spam, no native tools exist
  • Check out to give you some examples, and sample filter
Blocking Spam – Exchange 2003
  • Use additional features in Exchange Server 2003
    • Support for real-time block lists
    • Global deny and accept lists
    • Sender and inbound recipient filtering
    • Improved anti-relaying protection
    • Integration with Outlook 2003 and third-party junk mail filtering
    • Intelligent Message Filter now available
Blocking Insecure Messages
  • Implement antivirus gateways
    • Monitor incoming and outgoing messages
    • Update signatures often
  • Configure Outlook attachment security
    • Web browser security determines whether attachments can be opened in OWA
  • Implement ISA Server
    • Message Screener can block incoming messages
    • OWA, RPC/HTTP, RPC, SMTP can all be locked down with it
Enhancements in Exchange Server 2003
  • Many secure-by-default settings
  • More restrictive permissions
  • New mail transport features
  • New Internet Connection Wizard
  • Cross-forest authentication support
Top Ten Things to Secure Exchange
  • Install the latest service pack
  • Install all applicable security patches
  • Check relay settings
  • Disable or secure well-known accounts
  • Use a layered antivirus approach
  • Use a firewall
  • Evaluate ISA Server
  • Secure OWA
  • Implement a backup strategy

  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server
  • Providing Data Security
Basic Security Configuration
  • Apply service packs and patches
    • Use MBSA to detect missing SQL updates
  • Enforce required services
    • SQLSERVERAGENT (replication, monitoring, scheduled jobs, auto restart, event firing)
  • Disable unused services to fit role
    • MSSQLServerADHelper (if no AD integration)
    • Microsoft Search (if no FTSearch required)
    • Microsoft DTC (if not clustered)
Common Database Server Threats and Countermeasures
  • [Diagram] Threats: Password Cracking, Network Eavesdropping, SQL Injection, Unauthorized External Access
  • [Diagram] Components: Perimeter Firewall, Internal Firewall, Web App, SQL Server
  • Web App Vulnerabilities: Overprivileged accounts, Weak input validation
  • Network Vulnerabilities: Failure to block SQL ports
  • Configuration Vulnerabilities: Overprivileged service account, Weak permissions, No certificate
Database Server Security Categories
  • [Diagram] Categories shown: SQL Server Security; Logins, Users, and Roles; Database Objects; Auditing and Logging; Patches and Updates; Files and Directories
  • [Diagram] Layers shown: SQL Server, Operating System
Network Security
  • Restrict SQL to TCP/IP
  • Harden the TCP/IP stack
  • Restrict ports
  • Remove SQL from harm's way – don't let clients talk to it
    • Use IPSEC to enforce this in unsegmented networks
    • Use firewalls or VLANs to enforce
Operating System Security
  • Configure the SQL Server service account with the lowest possible permissions; it can run without local admin rights
  • Delete or disable unused accounts
  • Secure authentication traffic
Logins, Users, and Roles
  • Use a strong system administrator (sa) password
  • Remove the SQL guest user account
  • Remove the BUILTIN\Administrators server login
  • Do not grant permissions for the public role
Files, Directories, and Shares
  • Verify permissions on SQL Server installation directories
  • Verify that Everyone group does not have permissions to SQL Server files
  • Secure setup log files
  • Secure or remove tools, utilities, and SDKs, sample DBs (Pubs, Northwind)
  • Remove unnecessary shares
  • Restrict access to required shares
  • Secure registry keys with ACLs
  • EFS can be used (consider performance)
SQL Security
  • Set authentication to Windows only
  • If you must use SQL Server authentication, ensure that authentication traffic is encrypted
  • Remember – there is no lockout for SQL mixed mode; Windows authentication only locks out if account policy set to
SQL Auditing
  • Log all failed Windows login attempts
  • Log successful and failed actions across the file system
  • Enable SQL Server login auditing
  • Enable SQL Server general auditing
Securing Database Objects
  • Remove the sample databases
  • Secure stored procedures
  • Secure extended stored procedures
  • Restrict cmdExec access to the sysadmin role
  • Restrict XP_CMDShell – check if your application needs it
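
One way to check the settings listed under "Logins, Users, and Roles", "SQL Security" and "Securing Database Objects", as an added example that is not part of the original presentation. It assumes SQL Server 2005 or later (catalog views) and the check names in the first column are made up for this example.

```sql
-- Added example, not from the presentation. Read-only checks; assumes SQL Server 2005+
-- catalog views and a sysadmin (or VIEW ANY DEFINITION) login so all logins are visible.
-- Run in each user database; system databases master and tempdb need guest enabled.
SELECT 'auth_mode' AS check_name,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'OK: Windows authentication only'
            ELSE 'REVIEW: mixed mode enabled' END AS result
UNION ALL
-- The sa login keeps SID 0x01 even when renamed.
SELECT 'sa_login',
       CASE WHEN is_disabled = 1 THEN 'OK: disabled'
            ELSE 'REVIEW: enabled as ' + name END
FROM sys.sql_logins
WHERE sid = 0x01
UNION ALL
SELECT 'builtin_administrators',
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals
                         WHERE name = N'BUILTIN\Administrators')
            THEN 'REVIEW: server login present' ELSE 'OK: not present' END
UNION ALL
SELECT 'xp_cmdshell',
       CASE WHEN CAST(value_in_use AS int) = 1
            THEN 'REVIEW: enabled' ELSE 'OK: disabled' END
FROM sys.configurations
WHERE name = 'xp_cmdshell'
UNION ALL
-- guest is active in a database only while it holds CONNECT.
SELECT 'guest_user',
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.database_permissions AS p
                         JOIN sys.database_principals AS u
                           ON u.principal_id = p.grantee_principal_id
                         WHERE u.name = 'guest' AND p.permission_name = 'CONNECT'
                           AND p.state IN ('G', 'W'))
            THEN 'REVIEW: guest can connect' ELSE 'OK: guest disabled' END;

-- Object permissions granted to public on user objects (ideally no rows).
SELECT SCHEMA_NAME(o.schema_id) AS schema_name, o.name AS object_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE p.class = 1
  AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND o.is_ms_shipped = 0;
```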
Using Views and Stored Procedures
  • SQL queries may contain confidential information
    • Use stored procedures whenever possible
    • Use views instead of direct table access
  • Implement security best practices for Web-based applications
  • Stored procedures should validate input and be the only things that access tables; avoid views, as they are “injectionable”
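
The pattern described above (a validating stored procedure as the only path to a table), as an added example that is not part of the original presentation. The table dbo.Orders, the role app_role and the procedure name are hypothetical, and the script assumes SQL Server 2005 or later run through a tool that understands the GO batch separator.

```sql
-- Constructed schema for illustration; all object names here are hypothetical.
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    CustomerId int NOT NULL,
    Status     varchar(20) NOT NULL
);
GO
CREATE ROLE app_role;
GO
-- Weak form, shown only for contrast: input concatenated into dynamic SQL.
-- EXEC() text is parsed as SQL and runs with the caller's own table permissions.
--   EXEC('SELECT * FROM dbo.Orders WHERE Status = ''' + @Status + '''');

CREATE PROCEDURE dbo.usp_GetOrdersByStatus
    @CustomerId int,
    @Status     varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    -- Validate input against an allow-list before touching the table.
    IF @CustomerId IS NULL OR @CustomerId <= 0
       OR @Status IS NULL
       OR @Status NOT IN ('open', 'shipped', 'cancelled')
    BEGIN
        RAISERROR('Invalid argument.', 16, 1);
        RETURN 1;
    END;
    -- Static statement: parameters are bound as data, never parsed as SQL.
    SELECT OrderId, CustomerId, Status
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId AND Status = @Status;
    RETURN 0;
END;
GO
-- The role may run the procedure but has no direct table access.
-- Ownership chaining (procedure and table are both owned by dbo) means the
-- table permissions are not checked for the SELECT inside the procedure.
GRANT EXECUTE ON dbo.usp_GetOrdersByStatus TO app_role;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_role;
GO
```

Ownership chaining does not extend to dynamic SQL, so a procedure that builds statements with EXEC() loses this separation and needs direct table grants again.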
Securing Web Applications
  • Validate all data input
  • Secure authentication and authorization
  • Secure sensitive data
  • Use least-privileged process and service accounts
  • Configure auditing and logging
  • Use structured exception handling
Top Ten Things to Protect SQL Server
  • Install the most recent service pack
  • Configure Windows authentication
  • Isolate the server and back it up
  • Check the sa password – remove it
  • Limit privileges of SQL services
  • Block ports at your firewall
  • Remove setup files and sample databases
  • Audit connections

  • Introduction
  • Protecting Exchange Server
  • Protecting SQL Server 
  • Securing Small Business Server
  • Providing Data Security
Role and Limitations of File Permissions
  • Prevent unauthorized access
  • Limit administrators
  • Do not protect against intruders with physical access
  • Encryption provides additional security
Role and Limitations of EFS
  • Benefit of EFS encryption
    • Ensures privacy of information
    • Uses robust public key technology
  • Danger of encryption
    • All access to data is lost if the private key is lost
  • Private keys on client computers
    • Keys are encrypted with derivative of user’s password
    • Private keys are only as secure as the password
    • Private keys are lost when user profile is lost
EFS Differences Between Windows Versions
  • Windows 2000 and newer Windows versions support EFS on NTFS partitions
  • Windows XP and Windows Server 2003 include new features:
    • Additional users can be authorized
    • Offline files can be encrypted
    • The triple-DES (3DES) encryption algorithm can replace DESX
    • A password reset disk can be used
    • EFS preserves encryption over WebDAV
    • Data recovery agents are recommended
    • Usability is enhanced
Implementing EFS: Advice
  • Use Group Policy to disable EFS until ready for central implementation
  • Plan and design policies
  • Designate recovery agents
  • Assign certificates
  • Implement via Group Policy