- Understanding of networking security essentials
- Hands-on experience with Windows 2000 Server or Windows Server 2003
- Experience with Windows management tools
- Hands-on experience with Exchange Server and SQL Server management tools
Level 300
Introduction
- Introduction
- Protecting Exchange Server
- Protecting SQL Server
- Securing Small Business Server
- Providing Data Security
Defense in Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers, outermost to innermost:
- Policies, Procedures, & Awareness: user education
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, VPN quarantine
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, update management, authentication, HIDS
- Application: application hardening, antivirus
- Data: ACL, encryption
Configure data encryption
- Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
- Configure security on the base operating system
- Apply operating system and application service packs and patches
- Install or enable only those services that are required
- Assign only those permissions needed to perform required tasks
- Application accounts should be assigned only the minimal permissions they need
- Apply defense-in-depth principles to increase protection
Protecting Exchange Server
Exchange 2003 Front-End and OWA Server
- IIS Lockdown and URLScan integrated with IIS 6.0
- Use application isolation mode
Aspects of Exchange Server Security
- Securing access to Exchange Server: blocking unauthorized access
- Securing communications: blocking and encrypting communications
- Blocking spam: filtering incoming mail
- Relay restrictions: don't aid spammers!

- Ability to customize authentication
- Wide client support
- Available with Exchange Server 2003
Securing Communications
- Configure RPC encryption: client-side setting; enforcement with ISA Server FP1
- Firewall blocking: mail server publishing with ISA Server
- Configure HTTPS for OWA
- Use S/MIME for message encryption
- Outlook 2003 enhancements: Kerberos authentication; RPC over HTTPS
Encrypting a Message
Diagram components: Active Directory domain controller, Client 1, Client 2, SMTP VS1, SMTP VS2
1. New message
2. Locate Client 2's public key
3. Message encrypted with a shared key
4. Message sent using S/MIME
5. Message arrives encrypted
Client 2's private key is used to decrypt the shared key, and the shared key is used to decrypt the message
Common Database Server Threats and Countermeasures
Diagram path: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server
Threats:
- Unauthorized external access
- SQL injection
- Network eavesdropping
- Password cracking
Vulnerabilities:
- Network vulnerabilities: failure to block SQL ports
- Configuration vulnerabilities: overprivileged service account, weak permissions, no certificate
- Web app vulnerabilities: overprivileged accounts, weak input validation
Database Server Security Categories
- Patches and Updates
- Operating System: Shares, Services, Accounts, Auditing and Logging, Files and Directories, Registry
- Network: Protocols, Ports
- SQL Server: SQL Server Security, Database Objects, Logins, Users, and Roles
Network Security
- Restrict SQL to TCP/IP
- Harden the TCP/IP stack
- Restrict ports

Operating System Security
- Configure the SQL Server service account with the lowest possible permissions
- Delete or disable unused accounts
- Restrict access to required shares
- Secure registry keys with ACLs

SQL Security
- Set authentication to Windows only
- If you must use SQL Server authentication, ensure that authentication traffic is encrypted

SQL Auditing
- Log all failed Windows login attempts
- Log successful and failed actions across the file system
- Enable SQL Server login auditing
- Enable SQL Server general auditing
- Restrict cmdExec access to the sysadmin role
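As an added example (not part of the deck), here is the kind of check a defender runs over the login-audit trail the bullets above ask for: it parses constructed sample lines written in the style of a SQL Server errorlog and flags any client address with a burst of failed logins, the trace that password cracking leaves behind. The log format, threshold and window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of a SQL Server errorlog; not from any real server.
SAMPLE_LOG = """\
2004-03-12 10:15:22.45 Logon  Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-03-12 10:15:23.01 Logon  Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-03-12 10:15:23.60 Logon  Login failed for user 'admin'. [CLIENT: 192.0.2.10]
2004-03-12 10:15:24.12 Logon  Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-03-12 10:15:25.02 Logon  Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-03-12 10:16:02.77 Logon  Login succeeded for user 'CORP\\alice'. Connection: trusted. [CLIENT: 192.0.2.25]
2004-03-12 10:20:40.33 Logon  Login failed for user 'CORP\\bob'. [CLIENT: 192.0.2.25]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return one dict per logon line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

def find_bruteforce_sources(events, threshold=4, window_seconds=60):
    """Map each client with >= threshold failures in one sliding window to (max count, users tried)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[e["client"]].append(e)
    flagged = {}
    for client, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(client, (0, []))[0]:
                users = sorted({x["user"] for x in evs[start:end + 1]})
                flagged[client] = (count, users)
    return flagged
```

Running it on the sample flags only 192.0.2.10, which tried two account names five times in three seconds; the single failure from 192.0.2.25 stays below the threshold.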
Using Views and Stored Procedures
- SQL queries may contain confidential information
- Use stored procedures whenever possible
- Use views instead of direct table access
- Implement security best practices for Web-based applications

Securing Web Applications
- Validate all data input
- Secure authentication and authorization
- Secure sensitive data
- Use least-privileged process and service accounts
- Configure auditing and logging
- Use structured exception handling
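An added example (not from the deck) tying together "weak input validation", "validate all data input" and "use views instead of direct table access", using Python's built-in sqlite3 with constructed sample rows: the concatenated query is the vulnerable form, the parameterized query bound against a restricted view is the hardened form. SQLite has no stored procedures, so the view alone stands in for that layer here; table, view and column names are assumptions for the illustration.

```python
import sqlite3

def build_db():
    """In-memory database holding constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT, salary INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'h1', 70000), (2, 'bob', 'h2', 65000);
        -- The web tier is granted this view, never the base table, so password hashes
        -- and salaries are not reachable even if a query is manipulated.
        CREATE VIEW user_directory AS SELECT id, name FROM users;
    """)
    return conn

def lookup_vulnerable(conn, name):
    """Vulnerable form: the WHERE clause is built by string concatenation, so the
    input is parsed as SQL. A value such as x' OR '1'='1 returns every row."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter and the query runs against
    the restricted view, so the same input simply matches no row."""
    return conn.execute(
        "SELECT id, name FROM user_directory WHERE name = ?", (name,)
    ).fetchall()

def is_valid_username(name):
    """Input validation to apply before any query: allow only a known-safe character set."""
    return 1 <= len(name) <= 32 and all(c.isalnum() or c in "._-" for c in name)

def columns_of(conn, relation):
    """Column names a table or view exposes (relation is a code constant, never user input)."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({relation})")]
```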
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
Securing Small Business Server
Recognizing Threats
- Small Business Server plays many server roles
- External threats: Small Business Server is often connected to the Internet
- Internal threats: all components of Small Business Server must be secured
- Many settings secured by default

Protecting Against External Threats
- Configure password policies to require complex passwords
- Configure secure remote access: Remote Web Workplace, Remote Access
- Rename the Administrator account
- Implement Exchange and IIS security best practices
- Use a firewall

Using a Firewall
- Included firewall features: ISA Server 2000 in SBS 2000 and SBS 2003, Premium Edition; basic firewall functionality in SBS 2003, Standard Edition
- Consider a separate firewall: SBS 2003 can communicate with an external firewall by using UPnP; ISA Server can provide application-layer protection
Diagram: Internet -> Firewall -> LAN

Protecting Against Internal Threats
- Implement an antivirus solution
- Implement a backup plan
- Run MBSA
- Control access permissions
- Educate users
- Do not use the server as a workstation
- Physically secure the server
- Limit user disk space
- Update the software
Providing Data Security
Role and Limitations of File Permissions

Role and Limitations of EFS
- Benefit of EFS encryption: ensures privacy of information; uses robust public key technology
- Danger of encryption: all access to data is lost if the private key is lost
- Private keys on client computers: keys are encrypted with a derivative of the user's password; private keys are only as secure as the password; private keys are lost when the user profile is lost

EFS Architecture
Encrypted on-disk data storage
- User mode: Applications, Win32 APIs, Crypto API, EFS Service
- Kernel mode: I/O Manager, NTFS, EFS.sys

EFS Differences Between Windows Versions
- Windows 2000 and newer Windows versions support EFS on NTFS partitions
- Windows XP and Windows Server 2003 include new features:
  - Additional users can be authorized
  - Offline files can be encrypted
  - The triple-DES (3DES) encryption algorithm can replace DESX
  - A password reset disk can be used
  - EFS preserves encryption over WebDAV
  - Data recovery agents are recommended
  - Usability is enhanced

Implementing EFS: How to Do It Right
- Use Group Policy to disable EFS until ready for central implementation
- Implement via Group Policy

Configuring EFS
Session Summary
Protecting Applications and Data
- Protecting Exchange Server
- Protecting SQL Server
- Securing Small Business Server
- Providing Data Security
Next StepsNext Steps
1.1. Stay informed about securityStay informed about securitySign up for security bulletins:Sign up for security bulletins:http://www.microsoft.com/security/http://www.microsoft.com/security/security_bulletins/security_bulletins/alerts2.aspalerts2.aspGet the latest Microsoft security guidance:Get the latest Microsoft security guidance:http://www.microsoft.com/security/guidance/http://www.microsoft.com/security/guidance/
2.2. Get additional security trainingGet additional security trainingFind online and in-person training seminars:Find online and in-person training seminars:http://www.microsoft.com/seminar/events/http://www.microsoft.com/seminar/events/security.mspxsecurity.mspxFind a local CTEC for hands-on training:Find a local CTEC for hands-on training:http://www.microsoft.com/learninghttp://www.microsoft.com/learning//
For More Information
- Microsoft Security Site (all audiences): http://www.microsoft.com/security
- TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security
- MSDN Security Site (developers): http://msdn.microsoft.com/security