Understanding Microsoft Web Application Security


Understanding Microsoft Web Application Security
Rajya Bhaiya, Gradient Vision
Info@GradientVision.com, (415) 599-0220, www.gradientvision.com
(ISC)2 San Francisco Chapter
Info@ISC2-SF-Chapter.org, (415) 602-3751, www.isc2-sf-chapter.org

Agenda
- Network Security: network topology
- Windows Security: operating system configuration
- Web Server Security: services configuration
- Code Security: best practices for data and custom code

Common practice: NAT ports
(Diagram: a traditional network firewall NATs ports 80/443 from the Internet into the DMZ and on to the corporate network; the web servers sit in front of Outlook Web Access, Exchange, Lync, DFS, SQL 2012 and the ERP system.)
- Allow external users in through NAT rules for ports 80/443
- No inspection on the ports; only source and destination IP are logged
- Exchange 2010 Client Access role does not support the DMZ
- Risk: this allows a frontal assault on the web servers

Substitute: Layer 7 firewalls
(Diagram: the same topology, with the firewall upgraded to a Layer 7 firewall in front of the DMZ web servers and the corporate network hosting Outlook Web Access, Exchange, Lync, DFS, SQL 2012 and the ERP system.)
- Upgraded the firewall to a Layer 7 firewall
- Checks for a valid HTTP request: if valid then allowed, else drop the packet
- HTTPS can be used to secure traffic between client and server
- Most application firewalls cannot inspect HTTPS

Microsoft TMG/UAG implementation
(Diagram: Microsoft Threat Management Gateway (TMG)/Unified Access Gateway (UAG) servers in the DMZ, carrying the same certificate as the web servers, in front of the corporate web servers and Outlook Web Access, Exchange, Lync, DFS, SQL 2012 and the ERP system.)
- Upgraded the firewall to a Layer 7 firewall
- TMG/UAG supports a server farm
- Install the same certificate as the web servers on the TMG servers
- TMG can open all traffic, including HTTPS traffic
- Smarter proxy system
- No need to install every security update on the web servers the day they are released: the TMG/UAG servers take care of dropping malicious traffic

UAG Internal Architecture
- Windows 2012 support
- Multi-domain support (complex)
- Multiple entry points with automatic failover
- Monitoring and troubleshooting of problematic DirectAccess
- Always-connected clients
- No VPN application

UAG Solution Architecture

UAG vs TMG
Feature comparison, TMG 2010 vs UAG 2010 (features the deck rates as only "basic" are marked):
- Wizards and predefined settings (basic)
- Information Leakage Prevention (session clean-up)
- Endpoint health-based authorization
- Web farm load balancing (WFLB)
- Advanced authentication schemes (e.g. AD FS)
- Rich client authentication
- Single sign-on
- Unified portal
- Application protection (web application firewall) (basic)
- Policy-based access (granular policies)
- Array support
- AAM support
- Customization and manipulation (UI, applications) (basic)

Forefront Threat Management Gateway (TMG) is an outbound Internet proxy for internal corporate users. It includes advanced anti-virus, anti-malware and intrusion detection features. TMG can impersonate the external site's SSL certificate and perform application-level inspection of the traffic.

Forefront Unified Access Gateway (UAG) is recommended for inbound access to internal corporate resources. This includes acting as a reverse proxy for applications such as OWA and MOSS, and robust support for DirectAccess. UAG also includes the TMG engine.

Windows Security: operating system configuration

First dilemma: Windows install
- Server Core: none of the GUI server features are enabled
- Minimal Shell (MinShell): Graphical Management Tools and Infrastructure
- Full Installation: both features are enabled, Graphical Management Tools and Infrastructure and Server Graphical Shell
- Full Installation with Desktop Experience: Windows Runtime, Windows Store, and the ability to buy, download and run apps from the Start screen

Easy to switch

Windows System
System
- Place the server in a physically secure location
- Do not share accounts among administrators
- Secure physical media (floppy drive, CD-ROM drive and so on)
- Do not connect an IIS server to the Internet until it is fully hardened
- Install service packs, patches and hotfixes
- Secure Extensible Firmware Interface (EFI)/Unified EFI (UEFI) settings
- Secure the SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash)
- Do not install the IIS server on a domain controller
- Do not install a printer
Accounts
- Remove unused accounts from the server
- Rename the Administrator account
- Require approval for account delegation
- Enforce strong password policies
- Do not create more than two accounts in the Administrators group
- Disable the Windows Guest account
- Disable the IUSR_MACHINE account if it is not used by the application
- Create a custom least-privileged anonymous account
- With multiple web apps, configure separate anonymous user accounts
- Do not give the anonymous account write/execute access

Windows System (Contd.)
Network
- Restrict Internet-facing interfaces to ports 80/443
- Use two network interfaces in the server: one for administration and one for the network
- Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445)
Content storage
- Put web site content on a non-system NTFS volume
- Put log files on a volume that is neither the system volume nor the web site content volume
- Reconfigure Recycle Bin and page file system data policies
Auditing and Logging
- Audit failed logon attempts
- Relocate and secure IIS log files, and analyze the log files
- Audit access to the Metabase.bin file
- Configure IIS for W3C Extended log file format auditing
- Use SQL Server to analyze web logs
Remote Administration / Other Services
- Restrict remote registry access
- Restrict remote log-ons
- Secure remote administration: configure for encryption and low session time-outs
- Disable Telnet, FTP, SMTP, MS Index Server and NNTP services if they are not required
Shares
- Remove all unnecessary shares
- Restrict access to required shares
- Remove administrative shares (C$ and Admin$)
Remove unwanted content
- Remove resource kit tools, utilities and SDKs
- Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples)
- Restrict the Everyone group (no access to \WINNT\system32 or web directories)
- Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin)
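The two Windows System checklists above can be audited rather than ticked off by hand. The following read-only script is an added example, not from the deck; it assumes Windows PowerShell 5.1 on Windows Server 2016 or later (for the LocalAccounts, SmbShare and NetTCPIP modules) and an elevated session, and reports PASS/FAIL per item without changing anything.

```powershell
# Added example (not from the deck): read-only audit of Windows-level checklist items.
# Assumes Windows PowerShell 5.1 on Server 2016+ and an elevated session.
$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([bool]$Ok, [string]$Text) {
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    $findings.Add("$tag  $Text")
}

# Secure SAM: NoLMHash=1 stops the weak LM hash being stored next to the NT hash.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Finding ($lsa.NoLMHash -eq 1) 'LSA NoLMHash is set to 1'

# Guest disabled and built-in Administrator renamed (well-known RIDs 501 and 500).
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
Add-Finding (-not $guest.Enabled) "Guest account '$($guest.Name)' is disabled"
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Add-Finding ($admin.Name -ne 'Administrator') "Built-in administrator renamed (now '$($admin.Name)')"

# No more than two accounts in the local Administrators group.
$adminMembers = @(Get-LocalGroupMember -Group 'Administrators')
Add-Finding ($adminMembers.Count -le 2) "Administrators group has $($adminMembers.Count) member(s)"

# NetBIOS/SMB: nothing should listen on 137-139 or 445 on an Internet-facing host.
$smbPorts = 137, 138, 139, 445
$listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $smbPorts -contains $_.LocalPort } |
    Select-Object -ExpandProperty LocalPort -Unique)
Add-Finding ($listening.Count -eq 0) "No TCP listeners on SMB/NetBIOS ports (found: $($listening -join ','))"

# Administrative shares C$ and ADMIN$ removed.
$adminShares = @(Get-SmbShare | Where-Object { $_.Name -in 'C$', 'ADMIN$' })
Add-Finding ($adminShares.Count -eq 0) "Administrative shares absent (found: $($adminShares.Name -join ','))"

# Remote Registry service disabled.
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
Add-Finding ($rr.StartType -eq 'Disabled') "RemoteRegistry start type is $($rr.StartType)"

# Failed logon auditing enabled (auditpol CSV output; English column names assumed).
$logon = auditpol.exe /get /subcategory:"Logon" /r | ConvertFrom-Csv
Add-Finding ($logon.'Inclusion Setting' -match 'Failure') "Logon auditing includes failures ($($logon.'Inclusion Setting'))"

# Telnet, FTP, SMTP, Index Server and NNTP services absent or disabled.
foreach ($svc in 'TlntSvr', 'ftpsvc', 'SMTPSVC', 'cisvc', 'NntpSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Finding ((-not $s) -or ($s.StartType -eq 'Disabled')) "Service $svc absent or disabled"
}

$findings
```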

Web Server Security: services configuration

IIS Architecture and Components
(Diagram of the IIS component stack.)
User-mode components: SMTP, FTP, the IIS Admin Service and the metabase (Inetinfo.exe process, with ISAPI filters and ISAPI extensions); the Windows Activation Service (WAS) and the WWW Service (Svchost.exe, reading applicationHost.config); application pools App Pool 1, App Pool 2 and App Pool 3 (web garden), each hosting ISAPI filters, ISAPI extensions and managed modules; user mode reaches the kernel through the WinSock API and the HTTP.sys API.
Kernel-mode components: the HTTP.sys kernel driver (HTTP listener, request queues, kernel output cache, SSL) on top of the TCP/IP protocol layer.

IIS System
- Run IISLockdown on the server
- Install and configure URLScan
- Configure the ASP.NET process account for least privilege
- Disable the ASP.NET state service if not used by your applications
- Disable WebDAV if not used by the application, or secure it if it is required (see "How To: Create a secure WebDAV Publishing Directory" at support.microsoft.com)
- Do not install the MS FrontPage Server Extensions unless required
Script Mappings
- Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer)
- Map unnecessary ASP.NET file type extensions to HttpForbiddenHandler in Machine.config
Sites and Virtual Directories
- Disable the Parent Paths setting
- Remove potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp and Scripts
- Remove or secure the MSADC virtual directory (RDS)
- Do not grant included directories Read web permission
- Ensure there is script source access only on folders that support content authoring
- Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required)
- Remove FrontPage Server Extensions (FPSE) if not used; if FPSE are used, update them and restrict access to them
- Remove the IIS Internet Printing virtual directory

Server Certificates
- Ensure certificate date ranges are valid
- Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail)
- Ensure the certificate's public key is valid, all the way to a trusted root authority
- Confirm that the certificate has not been revoked
Machine.config
- Map protected resources to HttpForbiddenHandler
- Remove unused HttpModules
- Disable tracing: <trace enabled="false" />
- Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb" />
ISAPI Filters
- Remove unnecessary or unused ISAPI filters from the server
IIS Metabase
- Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin)
- Restrict IIS banner information (disable the IP address in the Content-Location header)
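The IIS System, Server Certificates and Machine.config items above can likewise be checked from PowerShell. This is an added example, not the deck's own material; it assumes IIS 7 or later with the WebAdministration module, an elevated session, and that the caller supplies the config file path and site name (the ones at the bottom are hypothetical defaults).

```powershell
# Added example (not from the deck): read-only audit of ASP.NET config and IIS site settings.
# Assumes IIS 7+ with the WebAdministration module and an elevated session.
Import-Module WebAdministration

function Test-AspNetConfig([string]$ConfigPath) {
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath
    $trace = $cfg.SelectSingleNode('//system.web/trace')
    $comp  = $cfg.SelectSingleNode('//system.web/compilation')
    # An absent element keeps the ASP.NET default (tracing off, debug off).
    [pscustomobject]@{
        File         = $ConfigPath
        TraceEnabled = ($null -ne $trace -and $trace.GetAttribute('enabled') -eq 'true')
        DebugCompile = ($null -ne $comp -and $comp.GetAttribute('debug') -eq 'true')
        # Extensions already routed to HttpForbiddenHandler ("protected resources").
        Forbidden    = @($cfg.SelectNodes('//system.web/httpHandlers/add') |
            Where-Object { $_.GetAttribute('type') -like 'System.Web.HttpForbiddenHandler*' } |
            ForEach-Object { $_.GetAttribute('path') })
    }
}

function Test-IisSite([string]$SiteName) {
    $psPath = "IIS:\Sites\$SiteName"
    # Classic ASP parent paths let '..' escape the application directory.
    $asp = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/asp'
    # Legacy sample/admin virtual directories the checklist says to remove.
    $risky = 'IISSamples', 'IISAdmin', 'IISHelp', 'Scripts', 'MSADC', 'Printers'
    $found = @(Get-WebVirtualDirectory -Site $SiteName |
        Where-Object { $_.path.TrimStart('/') -in $risky } | ForEach-Object { $_.path })
    # HTTPS bindings: certificate inside its validity window and chaining to a trusted root.
    $now = Get-Date
    $certs = foreach ($b in @(Get-WebBinding -Name $SiteName -Protocol https)) {
        $c = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $b.certificateHash }
        [pscustomobject]@{
            Thumbprint = $b.certificateHash
            DateValid  = ($null -ne $c -and $now -ge $c.NotBefore -and $now -le $c.NotAfter)
            ChainValid = ($null -ne $c -and $c.Verify())   # Verify() also consults revocation
        }
    }
    # Server-wide ISAPI filters, to review against "remove unused filters".
    $filters = @(Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/isapiFilters/filter' |
        ForEach-Object { $_.name })
    [pscustomobject]@{
        Site = $SiteName; ParentPathsEnabled = [bool]$asp.enableParentPaths
        RiskyVirtualDirs = $found; HttpsCertificates = @($certs); IsapiFilters = $filters
    }
}

# Hypothetical defaults; adjust the config path and site name to the server being audited.
Test-AspNetConfig "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
Test-IisSite 'Default Web Site'
```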

Code Security: best practices for data and custom code

Recommended reading
- Buffer overruns
- Determining good access control
- Running with least privilege
- Cryptographic foibles
- Don't use the registry as a database
- Create and store temp files securely
- Allow long passwords
- Cross-site scripting
- SQL injection
- Stack overflow
- Custom error pages (yellow screen of death)
- Samples are typically templates. Beware!!!

QUESTIONS

Windows 2012 hidden feature

Thank you for your attention!
Our core focus:
- Microsoft Dynamics CRM
- Microsoft SharePoint
- Cloud computing: Azure, Amazon, Office 365
- Database and business intelligence: database, data integration (Integration Services), business intelligence (Reporting Services, Analysis Services)

References
http://www.technet.com
http://www.msdn.microsoft.com
http://video.ch9.ms/teched/2012/na/wsv326.pptx