Security Content Overview
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
On This Page
As everyone in the IT industry is aware, recent months have seen a sharp increase in criminal attacks on the world’s computer systems. The nature of the risk is changing quickly and becoming more and more serious. Criminal hackers are becoming more sophisticated, and the proliferation of high-speed broadband connections—a very positive development in all other respects—creates an environment in which a virus or worm can spread incredibly fast, affecting businesses and consumers more quickly and significantly than ever before.
While no software is immune from these criminal attacks, computers can be set up and maintained in ways that minimize risk—but to date, it has been too difficult, complicated, or challenging to manage the existing security tools (both those from Microsoft and those from third parties), many of which are, when appropriately implemented, highly effective at preventing or mitigating the impact of computer attacks.
We recognize that Microsoft is in a unique position: we need to continue to invest and deliver against security at a higher level, and we need to simplify security and drive the intelligence of security protections deeper into our software to reduce the demands on users and IT administrators. Customers tell us that they expect us to do more, and we’re listening: we’re working in multiple ways to innovate and address the problem. One of these efforts is providing additional deep technical guidance around security.
With the increasing popularity of the Internet and the prevalence of borderless networks, understanding information system security and implementing effective countermeasures is becoming ever more important. Attackers and virus writers are constantly on the prowl for new system and organizational process weaknesses that can be exploited. Exploitation of these vulnerabilities can lead to substantial losses. Types of losses that can arise out of poor security include: the cost to rebuild, repair, or replace damaged systems; the loss of business assets, such as intellectual property or trade secrets; the productivity cost from unplanned downtime; liability and possible fines associated with the failure to comply with information protection laws and regulations; and the erosion of confidence and trust from customers, partners, and associates.
According to The National Strategy to Secure Cyberspace report, published in September 2002, “A digital disaster strikes some enterprise every day. Infrastructure disruptions have cascading impacts, multiplying their cyber and physical effects.” Every organization should regularly undergo a security assessment of their information system’s design and vulnerabilities. What is presumed secure today may not be secure enough tomorrow, and so information system security should be viewed not as a final destination, but as a continuing journey.
This paper provides an overview of the prescriptive security documentation that is currently available from Microsoft. To provide the most thorough summary, the paper is organized around a security model that represents our overall content strategy. A limited number of links will guide the reader to the most authoritative content that is currently available for each element of the model. You will notice that there are only a small number links to white papers, Knowledge Base articles, or product documentation.
During the past couple of years, we have heard our customers tell us that while documents that explain how a feature or technology works are great, we also need to publish guides that are actionable and can be put to use immediately. We have also heard that the prescriptive guides we have been publishing are extremely useful, but that they are often large and complex. For these reasons, as we move forward, Microsoft will publish three basic types of security documents:
Technology summary documents that focus on a product, product feature, or class of product. These summary documents direct you to additional information that includes more detail about how to most effectively use the technology.
Step-by-step guides on how to implement a security feature or technology. These documents explain how to set up or configure features or products.
Prescriptive guides that include detailed planning and deployment information. In addition to explaining how to implement security features and technologies, they include information regarding why each recommendation was made, what kinds of problems you might encounter when implementing the recommendations, and how you can troubleshoot them.
Currently, we do not have all of the security guidance that our customers are requesting, but we are working to fill the gaps that we have identified to date. Additional links will be added to relevant guidance in the future. These documents will be updated as changes occur and new challenges appear. Microsoft wants to create the tools and guidance that best suites your needs. Please feel free to send Microsoft an e-mail regarding your comments and suggestions: firstname.lastname@example.org.
Audience for this Document
This paper is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for the planning, deployment, or management of business services that rely on information technology. These roles include the following common job descriptions:
Architects and planners who are responsible for driving the architecture efforts for their organizations
IT security specialists who are focused purely on providing security across platforms within an organization
IT Technical Decision Makers (TDMs), whose focus is to determine what technology should be used to solve certain business problems
Business analysts and business decision makers (BDMs) who have critical business objectives and requirements that need IT support
Consultants, both Microsoft Services and partners, who need knowledge transfer tools for enterprise customers and partners
Other readers involved in infrastructure projects may find that this paper contains relevant and useful information.
Malicious computer programs that spread themselves automatically have become a frustrating fact of life for organizations doing business today. Belligerent yet talented programmers are creating and releasing software that exploits vulnerabilities in popular operating systems and applications. Sometimes these dangerous programs manifest themselves as viruses such as Sobig or ILoveYou, and sometimes they appear in the form of self-propagating worms such as Blaster and Slammer. There are other types of attackers who are more sophisticated and potentially much more dangerous to large organizations: those who want to remain undetected while they pilfer data or damage business applications. These stealthy attackers could be disgruntled employees, agents of hostile governments, or unethical competitors.
An organization can reduce the risks associated with all of these threats by assessing the vulnerabilities and threats present in their systems and implementing appropriate countermeasures. A defense-in-depth approach involves applying countermeasures at every layer of the computer network, from the perimeter routers and firewalls to users' personal computers running Microsoft Windows.
The defense-in-depth conceptual model is illustrated in Figure 1. Imagine your organization's information technology (IT) infrastructure as a series of interconnected layers. At the base of the model are security policies and procedures. Your formal security policies dictate the basic requirements and goals in a technology agnostic way. The procedures are more specific because they formally define how to properly perform specific tasks on specific devices such as how to install a new router or how to configure a new Web server. For these reasons, policies and procedures affect every other defense-in-depth layer. Physical security wraps around the remaining layers, which are similar to the 7-layer OSI reference model for networking. Information that traverses your information technology infrastructure moves up and down the 5 core layers.
Figure 1: Defense in Depth Security Model
The following example explains the practical application of the defense-in-depth model. An account executive, named Bob, is working remotely and needs to modify the record of one of your organization's clients. Bob starts up his laptop computer and logs into Windows XP. This action is an example of a client host. Bob uses a dial-up connection to connect to the Internet, and then uses a VPN to connect to the corporate network. In other words, the client host connects to the network through the perimeter. Bob then opens the enterprise resource planning (ERP) client software that your organization uses and connects to the ERP server. At this point, the client host has connected to the server host and then the server application. After the ERP client software connects to the server, Bob is able to select the client's record and make the desired modifications; that is, Bob is able to view and modify the data.
An effective security plan must address every layer, it must address every person, device, and application involved in the business transaction. Microsoft uses this defense-in-depth concept to help model IT security, and to help organize the security guidance available through the Security Best Practices Web site (http://www.microsoft.com/technet/security/default.mspx). Microsoft provides information on a wide range of security issues. Much of it was learned through the development of our products, in the process of securing our own corporate network, and while working with our partners and customers who were deploying and managing our technology. However, Microsoft realizes that there are other organizations that know more about specific pieces of the defense-in-depth model. Microsoft wants to provide broad and complete information to customers to help secure their computing infrastructure. When appropriate, Microsoft will direct you to third-party websites for solutions or additional information. This paper focuses purely on the technology-specific layers in the defense-in-depth model. It does not discuss policy or physical security, nor does it cover every option for securing your environment, but it does focus on specific actions that you can use to help prevent many of today's most common security exploits.
Your network perimeter is the point where your organization's managed network interfaces with untrusted networks. Many people assume that this only means the connection between their internal network and the Internet, but that definition is too narrow. From a defense-in-depth perspective, the network perimeter encompasses every point where the internal network is connected to networks and hosts that are not managed by the organization’s IT team. This includes connections to the Internet, business partners, virtual private networks (VPN), and dial-up connections. The types of devices found in the perimeter include VPN clients and VPN servers, remote access servers (RAS) and RAS clients, border routers, firewalls, network intrusion detection systems (NIDS), and proxy servers.
Properly configured firewalls and border routers are the cornerstone for perimeter security, but all of the devices listed earlier must be properly secured because the entire network is put at risk when any one of them is compromised. That means that organizations must invest time and resources into securing not only the VPN and RAS servers, but the mobile computers that are used to connect to those servers. To do business on and through the Internet, organizations have to make some of their business applications and data accessible through the Internet. Traditional packet-filtering firewalls are great at blocking network ports and computer addresses, but ports must be opened for the business applications; this means that your organization needs firewalls or proxy servers that are application-aware and capable of filtering network traffic at the application layer.
For additional prescriptive guidance, see Chapter 15, "Securing Your Network," a part of the Improving Web Application Security: Threats and Countermeasures guide that is available online at: http://msdn2.microsoft.com/en-us/library/Aa302431.
The next two subsections of this paper take a brief look at specific technologies that can be used to protect your network perimeter from several different threats.
Network Access Quarantine Control
A VPN is a logical network that combines several computer network technologies: tunneling, authentication, and encryption. VPNs can be used for many different purposes. The most common purpose is to provide mobile users access to internal network resources when they are not directly connected to the corporate network. VPNs make it possible to establish private and secure connections that transit untrusted networks. VPNs have exposed a destructive, pernicious entry point for malicious mobile code—such as viruses and worms—in many organizations. Even those organizations that have done a good job at securing their network and servers while implementing a broad and proactive antivirus strategy have not escaped the risks exposed by mobile computers that have become infected while away from the office.
Network Access Quarantine Control, a new feature in the Microsoft Windows Server™ 2003 family, helps reduce the risk of infection from mobile systems by delaying normal remote access to a private network until the configuration of the remote access client has been examined and validated by an administrator-provided script. When a remote access client initiates a connection to a remote access server, the user is authenticated and the remote access client is assigned an IP address. However, the connection is placed in quarantine mode, and network access is limited. The administrator-provided script is run on the remote access client. When the script completes successfully, it runs a component that notifies the remote access server that the remote access client complies with current network policies. The remote access server then removes quarantine mode and the remote access client is granted normal remote access.
More information about Network Access Quarantine Control information can be found in the following documents:
The Network Access Quarantine Control in Windows Server 2003 whitepaper is available at: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx.
The Virtual Private Networking with Windows Server 2003: Overview whitepaper is available at: http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnover.mspx.
Detailed prescriptive guidance in this area is forthcoming.
Personal Firewalls for Remote Laptops
An Internet firewall can help prevent attackers and network worms from compromising your mobile users through the Internet. The use of this technology is critical in preventing remote or traveling users from unknowingly transmitting malicious programs. Windows XP includes a built-in firewall called the Internet Connection Firewall (ICF) that provides this functionality. By default, it is disabled. Microsoft originally designed ICF for home users instead of businesses, but for many organizations ICF can provide an additional layer of protection against network-based attacks, such as worms and denial-of-service attacks.
Because it was designed for the home environment, there are some limitations to ICF that organizations must consider before enabling it throughout their enterprise. ICF does not have the rich feature set provided by many third-party products. This is because ICF is intended only as a basic intrusion prevention feature. ICF prevents people from gathering data about the personal computer and blocks unsolicited connection attempts. ICF does not provide filtering of outbound network traffic. Controlling outbound network traffic can stop spyware from transmitting sensitive information and slow down or stop the spread of worms.
When deployed in a business environment, the default settings in ICF may affect some enterprise management tools, such as Microsoft Systems Management Server (SMS) or the Microsoft Baseline Security Analyzer. ICF will also cause network browsing and viewing My Network Neighborhood to fail because the Master Browser computer is unable to connect back to the client computer to send the Browse list. Other problems with network applications are likely to appear when ICF is enabled. Organizations will have to calculate the benefit of increased security with reduced flexibility for end users.
Many of these difficulties are addressed by implementing a third-party distributed firewall (DFW), which is discussed in the "Distributed Firewall" section of this paper. While these limitations with ICF can be challenging, for organizations with no DFW, ICF can significantly reduce the risk of network-based attacks.
A well-designed and properly implemented network architecture provides highly available, secure, scalable, manageable, and reliable services. A network segment consists of two or more devices that communicate with each other on the same physical or logical section of the network. If the segments are logical, they are referred to as virtual local area networks (VLANs). LANs are created by connecting either multiple network hosts or multiple network segments using the appropriate network devices. Organizations can take a number of steps to protect their internal network by using a defense-in-depth approach. Techniques include securing wireless LANs, Internet Protocol Security (IPSec), and network segmentation.
Securing Wireless LANs
Many organizations have tested the use of wireless LANs (WLANs), but many have refrained from large deployments or banned the use of WLANs altogether. Despite the many productivity and technology benefits of wireless networking, its poor security record has kept a large number of organizations from deploying WLANs. The guide, Securing Wireless LANs with Certificate Services, is aimed at those organizations wanting to deploy wireless networks with a high degree of confidence in their security. It has been written as a prescriptive guide (covering design, deployment, and management) and is based on the secure WLAN deployment at Microsoft.
The solution is based on the Institute of Electrical and Electronic Engineers (IEEE) 802.1X standard and requires a RADIUS (Remote Authentication Dial–In User Service) infrastructure and a Public Key Infrastructure (PKI). It uses a flexible design and is suited for organizations of several hundred to many thousands of wireless network users. The RADIUS and PKI components were intentionally designed to be reusable in other network applications (for example, remote access VPN) and other security applications (for example, Encrypting File System). The solution was built and tested using Microsoft Windows XP clients and Microsoft Windows Server™ 2003 servers (including Microsoft Active Directory domain controllers), although it also assists in an environment based on Windows 2000 domain controllers and Windows 2000 and earlier clients.
For prescriptive guidance, see the Securing Wireless LANs with Certificate Services guide available online at: http://go.microsoft.com/fwlink/?LinkId=14843.
Internet Protocol Security (IPSec) protects networks from active and passive attacks by securing IP packets through the use of packet filtering, cryptography, and the enforcement of trusted communication. IPSec is useful in host-to-host, VPN, site-to-site (also known as gateway-to-gateway or router-to-router), and secure server scenarios. IPSec can be managed by using Group Policy or scripted by using command-line tools. There are two IPSec protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). Depending on which protocol is used, the entire original packet can be encrypted, encapsulated, or both.
AH uses digital signatures to accomplish two goals: it ensures that data is not altered while in transit and it ensures that systems only communicate with other authorized systems. The data is readable and it is protected from modification. AH usually has a minimal effect on overall system performance. ESP also uses digital signatures to ensure data integrity and authentication, and it also provides confidentiality by encrypting the data portion of each network packet. By itself, ESP does not ensure the integrity of the IP header. To protect the entire packet, you have to combine ESP with AH. ESP can have a noticeable impact on system performance, especially systems that use the network extensively. Organizations should select AH, ESP, or both based on their particular requirements.
More information about IPSec deployment is available in the following documents:
"Overview of IPSec Deployment," part of the Microsoft Windows Server 2003 Deployment Kit, is available online at: http://technet2.microsoft.com/WindowsServer/en/library/5d81ea85-ebf7-40e9-8acd-8bab1182dff81033.mspx.
The Using Microsoft Windows IPSec to Help Secure an Internal Corporate Network Server white paper is available online at: http://www.microsoft.com/downloads/details.aspx?FamilyID=a774012a-ac25-4a1d-8851-b7a09e3f1dc9&DisplayLang=en.
Detailed prescriptive guidance in this area is forthcoming.
Network segments are created to control the flow of traffic between hosts on different segments. A properly designed segmented network improves both performance and security by ensuring only appropriate traffic is forwarded between segments. For example, performance can be increased by reducing broadcast traffic. This can be done by creating smaller IP address subnets. Security can be increased by implementing basic port filtering on the routers and switches. Security can be further increased by installing application-aware firewalls between the network segments where the most sensitive hosts reside and the rest of the internal network and by preventing hosts from communicating other than with a few well-defined, mission critical, protocols.
For a more extensive discussion of network segmentation and the issues a solid network design can address, take a look at Switch and Router Design for the CDC Scenario, available online at: http://www.microsoft.com/technet/itsolutions/wssra/raguide/NetworkDevices/igndpg_2.mspx.
For prescriptive guidance on securing internal networks with firewalls, see the Microsoft Systems Architecture Internal Firewall Service Design for the CDC Scenario, available online at: http://www.microsoft.com/technet/itsolutions/wssra/raguide/FirewallServices/igfspg_4.mspx.
Hosts come in two varieties: clients and servers. Securing both effectively requires that you strike a balance between degree of security and the level of usability. Although there are exceptions to the following general rule, it is often true that as the security of a computer increases, its usability decreases. Host defenses can include items such as operating system hardening, patch management, antivirus, distributed firewall, and effective auditing.
Most current operating systems, such as Windows 2000, Windows XP, and Windows Server 2003, include security features at their core, including unique names and passwords for each user, access control lists, and auditing. The first step to take when increasing security on computers running these operating systems is to determine what security settings can be modified without negatively affecting your organization's capability to do business. Other steps to take include ensuring that patches are kept up-to-date, that antivirus software is installed and up-to-date, and that a distributed firewall is installed. These topics are covered in the subsections that follow.
Legacy Microsoft operating systems, such as Windows 95, Windows 98, and Windows ME, were designed for use on small networks and for home users; they were not designed for the type of continuous Internet connectivity that today's business users demand. As such, they do not include the basic features required in a securable operating system and, therefore, should not be present on your organization's network. If you have computers running one of those operating systems, the best action you can take to improve their security is to replace them with computers running Windows XP. Installing distributed firewall software and antivirus software will help protect them, but there are many types of attacks that can bypass the protection provided by these tools.
Microsoft strongly recommends the use of group policy as a way to distribute security settings to clients and servers. While security settings can be applied locally if necessary, the use of group policy provides a manageable infrastructure to maintain the client's security on an ongoing basis. Domain-based group policy settings are stored in Group Policy Objects (GPOs) on domain controllers. GPOs are linked to containers, sites, domains, and OUs within the Active Directory structure. Microsoft Windows XP Professional computers also have a local group policy (LGPO). Most group policy settings can also be applied locally through the LGPO.
Settings that can be managed through group policies include account lockout policies, password policies, security options, Internet Explorer security settings, and Office macro security settings.
The Windows XP Security Guide v2 (updated for Service Pack 2) includes security templates that can be imported into a group policy to apply many of the settings to clients and servers; others can be configured through the administrative templates portion of group policy.
Software restriction policies are a key security feature of Windows XP that can be used to lower the risk of users installing or running unauthorized software, including potentially dangerous viruses or other types of malicious software. Microsoft also recommends that organizations give their users the minimum privileges that they need to perform their job functions. Users with administrative rights may be able to bypass many of the security countermeasures you put in place.
The Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses is available online at: http://go.microsoft.com/fwlink/?linkid=19453.
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP is a reference for the major security settings and features included with Windows Server 2003 and Windows XP. It is intended to provide detailed background information for use with the Windows XP Security Guide v2 (updated for Service Pack 2). It is available online at: http://go.microsoft.com/fwlink/?LinkId=15159.
For prescriptive guidance on securing Windows XP, see the Windows XP Security Guide v2 (updated for Service Pack 2), available online at: http://go.microsoft.com/fwlink/?LinkId=14839.
The Windows Server 2003 Security Guide and the Windows 2000 Security Hardening Guide include security templates that can be imported into a group policy to apply many of the settings to servers; others can be configured through the administrative templates portion of group policy.
Server hardening guidance is provided for a group of distinct server roles. The countermeasures described and the tools provided assume that each server will have a single role. If you need to combine roles for some of the servers in your environment, you can customize the security templates included with this guide so that the appropriate combination of services and security options are configured for the servers with multiple roles. The roles covered by this guide include
Internet Information Services (IIS) servers
Internet Authentication Services (IAS) servers
Certificate Services servers
For prescriptive guidance on securing Windows Server 2003, see theWindows Server 2003 Security Guide, available online at: http://go.microsoft.com/fwlink/?LinkId=14845.
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP is a reference for the major security settings and features included with Windows Server 2003 and Windows XP. It is intended to provide detailed background information for use with the Windows Server 2003 Security Guide. It is available online at: http://go.microsoft.com/fwlink/?LinkId=15159.
For prescriptive guidance on securing Windows 2000 servers, see the Windows 2000 Security Hardening Guide, available online at: http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en.
Information about hardening application servers, such as Microsoft Exchange Server, IIS, and Microsoft SQL Server™, are available in the "Application Defense" section of this paper.
Security patch management is a necessary process on all platforms—every major software vendor that is committed to security will release security patches in response to newly identified vulnerabilities. There is no operating system or application that is immune from attackers who spend their time trying to locate vulnerabilities to exploit. Patch management consists of the tools, utilities, and processes for keeping computers current with new software updates that are developed after a software product is released.
Proactive security patch management is a requirement for keeping your technology environment secure and reliable. As part of maintaining a secure environment, organizations should have a process for identifying security vulnerabilities and responding quickly. This process involves applying software updates, configuration changes, and countermeasures to eliminate vulnerabilities from the environment and mitigate the risk of computers being attacked. The nature of many attacks requires only a single vulnerable computer on your network, so this process should be as comprehensive as possible. The Security Guidance for Patch Management explains how to plan for and effectively manage the installation of Microsoft security patches across an enterprise using established risk management processes, software deployment processes, and technologies that help to automate the processes, such as Microsoft Systems Management Server, Windows Software Update Services, and Microsoft Software Update Services.
For prescriptive guidance on patch management, see the Security Guidance for Patch Management, available online at: http://go.microsoft.com/fwlink/?LinkId=16284.
Antivirus software protects computer systems from hostile code such as computer viruses, Trojans, and worms. The primary method this type of software uses to detect malicious software is signature-based scanning. The software vendor maintains a database that contains a signature for each piece of known dangerous computer code. The vendor makes this database available for download on their Web site, and their software automatically downloads updates on a regular basis. Most enterprises will want to control the download and installation of these updates on their computers, so antivirus software vendors who cater to the enterprise market segment typically offer products that allow organizations to manage the software on their client and server systems from a central location. One of the features typically offered include the capability to host a signature update server internally. Another common feature for antivirus software is the capability to control the settings for the antivirus software on the clients and servers running it. Some well-known software vendors who offer enterprise ready antivirus solutions include:
Symantec, available online at: http://www.symantec.com/enterprise/index.jsp.
McAfee Security, available online at:http://www.mcafee.com/us.
Trend Micro, Inc., available online at: http://www.trendmicro.com/en/partners/alliances/profiles/profiles/microsoft.htm.
Computer Associates International, available online at: http://www3.ca.com/Solutions/Product.asp?ID=156.
A full list of Microsoft partners who offer antivirus software is available online at: http://www.windowsmarketplace.com/category.aspx?bcatid=326&tabid=2.
Distributed firewall software, often referred to as host-based firewalls or personal firewalls, can help prevent attackers and network worms from compromising your client and server systems. Distributed firewalls are software firewalls installed on each individual system, but they use a centralized access policy. Depending on the software you choose, a host-based firewall can offer features beyond those of network firewalls, such as protecting computers from spyware and Trojan horses. Internet Connection Firewall (ICF) is included with Windows XP. Microsoft originally designed ICF for home users instead of businesses, but for many organizations ICF can provide an additional layer of protection against network-based attacks, such as worms and denial-of-service attacks. ICF is designed to provide basic intrusion prevention, but it doesn’t include the rich features of a third-party firewall application. Windows XP Service Pack 2 does allow for managing ICF, now called the Windows Firewall, via Group policy. For more information, see http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/default.mspx. Most third-party firewalls protect computers from software that could violate your users' privacy or allow an attacker to misuse their computers—features not found in ICF. Popular distributed firewall products are available from many software vendors, including:
Symantec, available online at: http://www.symantec.com/enterprise/index.jsp.
McAfee Security, available online at: http://www.mcafee.com/us.
ZoneAlarm, available online at: http://www.zonelabs.com/store/content/home.jsp.
Tiny Personal Firewall, available online at: http://www.tinysoftware.com/home/tiny2?la=EN.
Internet Security Systems’ BlackICE PC Protection, available online at: http://blackice.iss.net/.
In the context of this paper, an application refers to both client and server network applications. Client applications typically run on end user computers while server applications are usually hosted on dedicated server computers. Examples of common server applications include Web servers, messaging servers, and database servers. Some common client applications are e-mail software such as Microsoft Outlook, the Microsoft Office suite, and instant messaging software. Server applications have the potential to be compromised by several different methods, including buffer overflow attacks, password guessing attacks, directory traversal attacks, and poorly configured network applications that expose data to unauthorized users. Most client applications do not listen to network ports, so they usually are not susceptible to remote network attacks. But with the rise of chat software, instant messaging tools, and peer-to-peer networking, many applications that are installed on end-user systems behave just like traditional server applications, and they are therefore exposed to the same kinds of attacks. Client applications also may be attacked by sending the client bad data, such as an e-mail message or Web page that includes hostile code that is executed when the user views the message or page. Sometimes, the user has to actually open an attachment or click a confirmation dialog box in order for the hostile code to execute, but occasionally attackers will exploit vulnerabilities that require little or no interaction from the user. The following subsections discuss methods for securing server applications.
Microsoft Internet Information Services (IIS) provides a highly reliable, manageable, and scalable Web application infrastructure. IIS helps organizations increase Web site and application availability while lowering system administration costs. To properly secure IIS servers, each Web site and the applications running on them must be properly configured to protect them from malicious users and hostile code. You should only install and enable the features of IIS that your Web sites and applications actually use; you should restrict access to each site so that only authorized users can browse them; and you should configure permissions on the files and folders where the content exists as restrictively as possible. Securing IIS properly does not end there though; the content developers and software engineers who build the websites and applications that run on your organization's Web servers must ensure that their content and applications are secure and reliable. All of the hard work that your IT team undertakes to protect your information systems at the perimeter, network, and host layers could be easily bypassed if your organization's internally developed applications are easily compromised by malicious users.
Chapter 9 of the Windows Server 2003 Security Guide includes prescriptive guidance on securing IIS 6.0. It is available online at: http://go.microsoft.com/fwlink/?LinkId=14845.
The Internet Information Services (IIS) 6.0 Resource Kit includes prescriptive, task-based, and scenario-based guidance to help you design an IIS 6.0 solution and then deploy that solution—be it a new installation, upgrade, or migration—within your organization.
The IIS Lockdown Tool is free from Microsoft and it can be used interactively or as part of an automated script to configure security options in IIS 4.0, IIS 5.0, and IIS 5.1. More information is available online, including a link to the download site at: http://www.microsoft.com/technet/Security/tools/locktool.mspx.
The solution guide, Improving Web Application Security: Threats and Countermeasures, provides you with a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient. It is available online at: http://msdn2.microsoft.com/en-us/library/ms994921.
The Building Secure ASP .NET Applications guide presents a practical, scenario-driven approach to designing and building secure ASP.NET applications for Windows 2000 and Version 1.0 of the .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications. It is available online at: http://msdn2.microsoft.com/en-us/library/Aa302415.
Microsoft Exchange servers provide electronic messaging services to individuals or organizations. They commonly provide both intra-company and Internet-based messaging capabilities and can provide quick transfer of messages, documents, and files worldwide. E-mail servers must be properly secured because their availability and integrity is often considered mission critical. E-mail servers often contain sensitive information and are a common point of attack for intruders.
The Exchange 2000 Security Guide provides prescriptive guidance on securing Microsoft Exchange Servers. It is available online at: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=d286e9a7-fe36-4a02-a0f8-75d4f9eb8d2d.
Database servers provide database storage, maintenance, and record search capabilities. They commonly house databases that contain thousands or even millions of records and allow near-instantaneous data retrieval. Database servers should be secured to ensure that any sensitive data stored on them remains confidential. The server should be resistant to malicious attacks and configuration alterations. A properly configured database server is resistant to unauthorized use and protects the integrity of its data. Effectively securing SQL server requires the developers who build the applications that run on your organization's database servers ensure that their applications are secure and reliable. All of the hard work that your IT team undertakes to protect your information systems at the perimeter, network, and host layers could be easily bypassed if your organization's internally developed applications are easily compromised by malicious users.
Chapter 18 of the Improving Web Application Security: Threats and Countermeasures solution guide includes prescriptive guidance on securing SQL Server. It is available online at: http://msdn2.microsoft.com/en-us/library/Aa302434.
Business data is one of the most valuable resources in many organizations. If data were to be irreparably damaged, lost, or exposed to competitors, many organizations would be adversely affected, and perhaps even driven out of business. For client hosts, protecting data can be particularly daunting because laptop computers can be stolen from mobile users, and backing up data for mobile users is very difficult. Protecting data stored on servers is a still a significant challenge, but for most organizations it is one that is achievable. For these reasons, many companies require their end users to store their critical data on servers managed by their IT organization. Data can be protected through the use of access control lists (ACLs) on files and folders, with encryption, and through an effective backup and restore strategy.
For prescriptive guidance on backing up data on Windows 2000 networks, refer to the Windows 2000 Server Backup and Restore Solution guide that is available online at: http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/backuprest/default.mspx.
For step-by-step instructions on how to implement EFS, refer to Data Protection: Implementing the Encrypting File System in Windows 2000, which is available online at: http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx.