"Stay Safe" Cyber Security Blog

Protecting your family, identity & computers against cyberthreats & hackers

Secure Web Applications - The Microsoft Way


A question came up this week on how to Secure Web Applications the Microsoft way.

Microsoft has extensive prescriptive guidance that applies to securing online applications.

 

Defense in Depth

1.       Start by building on a Secure Platform:

·         Windows Server 2003 with latest Service Pack - http://www.microsoft.com/windowsserver2003/default.mspx

·         Windows SQL Server 2005 with Latest Service Pack http://www.microsoft.com/sql/default.mspx

·         Implement Microsoft Best Practice Security Guidance for Servers - http://www.microsoft.com/technet/security/guidance/serversecurity.mspx

2.       Build the application using best practice Secure Coding techniques

·         Secure Coding Guidelines - http://msdn2.microsoft.com/en-us/library/d55zzx87.aspx

·         Writing Secure Code - http://msdn2.microsoft.com/en-us/security/aa570401.aspx

3.       Be aware of common threats to Applications and avoid SQL Injection & Cross Site Scripting attacks:

·         “Stop SQL Injection Attacks Before They Stop You” - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection

·         “How To: Protect From SQL Injection in ASP.NET” - http://msdn2.microsoft.com/en-us/library/ms998271.aspx

·         “How to Prevent Cross Site Scripting” - http://support.microsoft.com/kb/252985

·         “Anti-Cross Site Scripting Library” - http://msdn2.microsoft.com/en-us/security/aa973814.aspx
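The two attacks named in item 3 come down to the same mistake: untrusted input is mixed into a structured text (a SQL statement, an HTML page) without being separated from the structure. The following is an added example, not code from the original post or from Microsoft, showing the ASP.NET-era fix for both: a parameterised SqlCommand in place of string concatenation, and HttpUtility.HtmlEncode on every value echoed back to the browser. It assumes a Users table with UserName (nvarchar(64)) and DisplayName columns and a placeholder connection string; both are assumptions, not part of the original page.

```csharp
// Added example for item 3 (not from the original post and not Microsoft's code).
// Assumes an ASP.NET 2.0-era project referencing System.Data and System.Web,
// a Users table with UserName (nvarchar(64)) and DisplayName columns, and a
// placeholder connection string supplied by the caller.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class UserLookup
{
    // BEFORE: the input is spliced into the SQL text. A value containing a quote
    // changes the structure of the statement, which is the SQL injection pattern
    // the linked MSDN articles describe.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
    }

    // AFTER: the SQL text is constant and the value travels as a typed parameter.
    // SQL Server receives it as data only, so quotes and comment markers in the
    // input cannot alter the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = @userName", conn);
        // Declared type and length match the column definition (assumed nvarchar(64)).
        SqlParameter p = cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64);
        p.Value = userName;
        return cmd;
    }

    // Runs the parameterised query. The connection string should belong to a
    // low-privilege SQL login that has only the SELECT rights the page needs
    // (the least-privilege practice from item 5).
    public static string LookupDisplayName(string connectionString, string userName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            SqlCommand cmd = BuildSafeCommand(conn, userName);
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // Output encoding against cross-site scripting: every value echoed into the
    // page is HTML-encoded, so markup in a stored DisplayName renders as text
    // instead of being interpreted by the browser.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }

    // Offline demonstration: shows both query shapes and the encoded output
    // without opening a database connection.
    public static void Main()
    {
        string hostile = "' OR 1=1 --";   // constructed sample input
        Console.WriteLine(BuildUnsafeQuery(hostile));

        // Placeholder connection string; SqlConnection does not connect until Open().
        using (SqlConnection conn = new SqlConnection("Server=PLACEHOLDER;Integrated Security=SSPI"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, hostile);
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@userName = " + cmd.Parameters["@userName"].Value);
        }

        Console.WriteLine(RenderGreeting("<script>alert(1)</script>"));  // constructed sample
    }
}
```

The point of the contrast is that the safe command's text is the same for every input; only the parameter value changes, and the database never parses it as SQL. Encoding on output (rather than stripping tags on input) is what the Anti-Cross Site Scripting Library linked above generalises to other contexts such as attributes and JavaScript.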

4.       Use a Network based Firewall at the perimeter - Forefront Edge: ISA 2006

·         Secure remote access - http://www.microsoft.com/forefront/edgesecurity/sra.mspx

·         Network protection against Floods & Attacks - http://www.microsoft.com/technet/isa/2006/flood_resiliency.mspx

5.       Access the Application securely by Publishing through the Firewall & using appropriate security

·         Publish Site using Forefront Edge Internet Application Gateway (IAG) with Application Layer Firewall - http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx

·         IAG Secure Remote Access White Papers - http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx

·         Use the practice of Least Privilege account access - http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

6.       Audit your Firewall, Application and Operating System Logs

·         Audit Active Directory - http://support.microsoft.com/kb/814595

·         Audit Policy - http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

·         Audit ISA - http://www.microsoft.com/technet/isa/2006/security_guide.mspx
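Auditing, as item 6 recommends, is only useful if something reads the logs. The following is an added example, not code from the original post or from Microsoft, that applies the step to a few constructed Security-log records in the Windows Server 2003 shape (event ID 529 is "Logon Failure: Unknown user name or bad password"; 528 is a successful logon): repeated failures from one workstation inside a short window are flagged for review. The record class, the sample data and the threshold are assumptions for the illustration.

```csharp
// Added example for item 6 (not from the original post and not Microsoft's code).
// Works over constructed records shaped like Windows Server 2003 Security-log
// entries; event ID 529 = logon failure, 528 = successful logon
// (Windows Vista and later use 4625 and 4624 respectively).
using System;
using System.Collections.Generic;

public class SecurityLogEntry
{
    public DateTime Time;
    public int EventId;
    public string UserName;
    public string Workstation;

    public SecurityLogEntry(DateTime time, int eventId, string userName, string workstation)
    {
        Time = time; EventId = eventId; UserName = userName; Workstation = workstation;
    }
}

public static class LogonAudit
{
    public const int LogonFailure = 529;   // Windows 2000/2003 Security log event ID

    // Counts failed logons per originating workstation inside a sliding time window
    // and returns the workstations whose count reaches the threshold. A burst of
    // failures from one source is the review trigger; a single stray failure is noise.
    public static List<string> FindFailureBursts(IList<SecurityLogEntry> entries,
                                                 TimeSpan window, int threshold)
    {
        // Process in time order so the window trimming below is correct.
        List<SecurityLogEntry> ordered = new List<SecurityLogEntry>(entries);
        ordered.Sort(delegate(SecurityLogEntry a, SecurityLogEntry b)
                     { return a.Time.CompareTo(b.Time); });

        // Per-workstation queue of recent failure timestamps.
        Dictionary<string, Queue<DateTime>> recent = new Dictionary<string, Queue<DateTime>>();
        List<string> flagged = new List<string>();

        foreach (SecurityLogEntry e in ordered)
        {
            if (e.EventId != LogonFailure) continue;

            Queue<DateTime> q;
            if (!recent.TryGetValue(e.Workstation, out q))
            {
                q = new Queue<DateTime>();
                recent[e.Workstation] = q;
            }
            q.Enqueue(e.Time);
            // Drop failures that fell out of the window.
            while (q.Count > 0 && e.Time - q.Peek() > window) q.Dequeue();

            if (q.Count >= threshold && !flagged.Contains(e.Workstation))
                flagged.Add(e.Workstation);
        }
        return flagged;
    }

    public static void Main()
    {
        DateTime t0 = new DateTime(2007, 6, 1, 9, 0, 0);
        // Constructed sample: WS-17 fails six times in under two minutes against the
        // administrator account; WS-04 fails once and then logs on successfully.
        List<SecurityLogEntry> sample = new List<SecurityLogEntry>();
        for (int i = 0; i < 6; i++)
            sample.Add(new SecurityLogEntry(t0.AddSeconds(20 * i), 529, "administrator", "WS-17"));
        sample.Add(new SecurityLogEntry(t0.AddMinutes(1), 529, "jsmith", "WS-04"));
        sample.Add(new SecurityLogEntry(t0.AddMinutes(2), 528, "jsmith", "WS-04"));

        foreach (string ws in FindFailureBursts(sample, TimeSpan.FromMinutes(5), 5))
            Console.WriteLine("Review logon failures from " + ws);
    }
}
```

The same loop can be fed from the live log with System.Diagnostics.EventLog on the audited server; the threshold and window are tuning knobs that depend on how noisy the environment is, and the ISA and Active Directory audit guidance linked above describes which categories must be enabled before these events are written at all.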

7.       Use Secure Authentication Mechanisms (IAG can use AD, Kerberos, RADIUS, LDAP etc…)

·         IIS Authentication - http://support.microsoft.com/kb/324274

·         Kerberos Authentication in Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

8.       Use Host based Antivirus & Antimalware protection on Clients and Servers

·         Forefront Client Security - http://www.microsoft.com/forefront/clientsecurity/default.mspx

9.       Keep all systems patched with latest Security Patches using Microsoft Update or WSUS

·         Microsoft Windows Server Update Services (WSUS) - http://technet.microsoft.com/en-us/wsus/default.aspx

·         How to keep your Windows up-to-date - http://support.microsoft.com/kb/311047

·         Patch third-party products that are not managed by Microsoft, for example:

o   Backup Software

o    Zip or Compression Utilities

o    Antivirus

o    IE Plug-ins

o   Management Software

o   etc.

Note: A system that is fully patched with Microsoft Updates can still be vulnerable through un-patched third-party software, particularly software that installs a driver or runs with administrator privileges.

 

10.   Remember the CIA Triad of security: Confidentiality, Integrity, and Availability

There are a number of other considerations as well, each focusing on one or more of these three:

·         Backups of Server 2003 & SQL 2005 Database

a.       http://www.microsoft.com/technet/prodtechnol/sql/2005/bkupssas.mspx

b.      http://technet.microsoft.com/en-us/library/aa998799.aspx

c.    http://technet.microsoft.com/en-us/library/ms175477.aspx

·         Load Balancing & Clustering

a.       http://technet2.microsoft.com/WindowsServer/en/Library/1611cae3-5865-4897-a186-7e6ebd8855cb1033.mspx?mfr=true

b.      http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2d5977cf-06b7-4d4b-8e8c-ce083ac8a6ee.mspx?mfr=true

·         High Availability & Disaster Recovery

a.       http://www.microsoft.com/technet/security/guidance/disasterrecovery.mspx

b.      http://www.microsoft.com/technet/windowsserver/sharepoint/V2/reskit/c2861881x.mspx

c.       http://technet.microsoft.com/en-us/sqlserver/bb331801.aspx

·         File Encryption (EFS & BitLocker)

a.       http://www.microsoft.com/technet/security/guidance/cryptographyetc/efs.mspx

b.      http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx

Note: BitLocker will be available in Windows Server 2008 - http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

·         Rights Management Services (RMS)

a.       http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

b.      http://www.microsoft.com/windowsserver2003/techinfo/overview/rm.mspx

Case Study

The Infrastructure of www.microsoft.com, Microsoft Update, and the Download Center - http://download.microsoft.com/download/6/2/b/62bae197-0d3d-4dbb-913a-acd21c57a2c7/DRJ_MSCom_Design_for_Resilience_FINAL.ppt

 

Conclusion

These are a few things to consider, but the key is thinking about Defense in Depth and end-to-end security of the Data, Systems, Network Infrastructure, and Application.

 

You need to know first how to secure the application, but then you need to know how to identify threats when security is being tested and/or compromised and how to respond to those threats.

 

Comments
  • PingBack from http://amdtalk.com/1969/secure-web-applications-the-microsoft-way/

  • Did you see the post at blogs.technet.com

  • The Staysafe blog has some great resources, including my fav: " Why Social Engineering Always Works".

  • According to a study done by the Computer Security Institute and the FBI, 97% of interviewed companies
