CHAPTER 12
Microsoft Application Security
Once your operating system is secure, you can focus on securing the
software that runs in the operating system. Operating system software
is different from application software. Regardless of how secure your
operating system is, one vulnerable application can put your organization’s data
at risk. This chapter will teach you about the most popular Microsoft applications.
You will also find out how to make each one more secure to protect your
organization’s data.
Chapter 12 Topics
This chapter covers the following topics and concepts:
• What the principles of Microsoft application security are
• How to secure key Microsoft client applications
• How to secure key Microsoft server applications
• What you can learn from case studies in Microsoft application security
• What best practices for securing Microsoft Windows applications are
Chapter 12 Goals
When you complete this chapter, you will be able to:
• Describe the principles of Microsoft application security
• Secure Microsoft client applications
• Secure Microsoft server applications
• Apply lessons learned from application security case studies
PART 3 | Microsoft Windows OS and Application Security Trends and Directions
Principles of Microsoft Application Security
Application security covers all activities related to securing application software
throughout its lifetime. Application software is any computer software that allows
users to perform specific tasks. Examples of these tasks are sending and receiving
e-mail, browsing the Web, creating a document or spreadsheet, or entering orders for
materials. Ensuring application software security includes ensuring security during
design, development, testing, deployment, maintenance, and retirement. All too often,
organizations view application security as a deployment issue. Security must begin
earlier in the design and development process. In this chapter, you’ll study how to
harden software after it has been completed or acquired by your organization.
A secure application is one that protects each of the three C-I-A properties of
data security at all times. The three C-I-A properties are confidentiality, integrity, and
availability. Check that your software, whether developed in-house or licensed, makes
the data it manages available to authorized users on demand while denying access to
unauthorized users. This chapter applies to any application software running on a server
or client computer. Your applications provide access to data. They must also make certain
that only authorized users can view or modify data based on your organization’s specific
security restrictions. In short, application security is all about ensuring that your applications add at least one more layer of controls between users and your data.
Common Application Software Attacks
Understanding the basic principles of securing applications starts with understanding
how attackers damage applications. Hackers have many ways to harm applications.
Several approaches are more common and deserve the most attention. The more
common types of attacks include:
• Malformed input—This is one of the most common types of attack. Computer
criminals provide input to an application that is designed to cause results the
developers did not intend. They use malformed input to crash programs, disclose
or modify data, or hijack connections.
• Privilege escalation—Privilege escalation adds more authority to the current
session than the process should possess. There are several methods to escalate
privileges, and all compromise the access control lists (ACLs) you have in place
to limit data and resource access.
• DoS—Denial of service attacks focus on either making the application or network
slow enough that it can’t respond to user requests in a timely manner or crashing
the application. Either way, users can’t get to the data they need.
• Identity spoofing—This means assuming the identity of another user. Spoofing
means masquerading as another person or process. In most cases, the other user
is one who possesses more privileges, and this greater access allows an attacker
to get into more data and resources. In some cases, hackers use identity spoofing
just to hide their own identities—not to escalate privileges.
• Direct file or resource access—This refers to exploiting holes in access controls
that allow a user to directly access files or other resources. If your application allows
direct object access, users may be able to bypass normal access controls.
• Extra-application data access—This means accessing your application’s data outside
the application. This could be from the operating system or from another program,
or by just taking or copying backup media.
Each of these attacks is preventable. Controls against some attacks, such as malformed
input, depend on the application’s design. Controls against others, such as extra-application
data access, are put in place outside your application. Just as operating systems need
to be hardened to be as secure as possible, follow steps to harden each application you
run on any computer.
Many options are available to harden applications. One resource is the Open Web Application
Security Project (OWASP). OWASP is a not-for-profit organization that focuses on improving
application security. OWASP offers many valuable resources related to application security.
You can find many informational videos and the latest Top 10 Web Application Security Risks
list. Although primarily focused on Web applications, information on this site applies to all
application security topics. The OWASP Web page is located at http://www.owasp.org.
Hardening Applications
Hardening applications generally follows several steps. The specific actions differ from
application to application, but the overall strategy remains the same. Here are the
general steps to hardening applications:
• Install the application using only the options and features you plan to use.
• After installing the application, remove any default user accounts and sample data,
along with any unneeded files and features.
• Configure the application according to the principle of least privilege.
• Ensure your application has all of the latest available security patches applied.
• Monitor application performance to verify that your application adheres
to security policy.
Keep general guidelines in mind and follow the recommendations for each type of
application software. You’ll end up with a far more secure environment than when
you started.
Securing Key Microsoft Client Applications
Many applications tend to run as either client or server components. Clients generally
initiate connections and request services from servers. Servers generally listen for
incoming connection and service requests. Your approach to securing each type of
application software will be different. Client applications are often targets because many
workstations, laptops, and mobile devices are not aggressively hardened. With so many
personal computers that are insecure and contain client applications, common applications are attractive to attackers who want to compromise an organization’s data. If an
attacker can compromise a client application that an organization uses to access a server
application, that hacker is one step closer to your data. In this section, you’ll learn about
how to secure, or harden, several of the most popular Microsoft client applications.
Web Browser
Arguably, the most popular and frequently used client application is the Web browser.
A Web browser allows a user to access content from Web servers across a network.
In most cases, users access resources and applications using the Internet. Web browsers
are attractive targets because they are the primary client of Web applications. A compromised Web browser can make it easy for an attacker to access stored server connections
by means of stored credentials. Hackers can even compromise your organization’s data
without attacking the Web browser directly, by intercepting the information your
Web browser sends to the Web server.
Web browsers are attractive targets for several types of attacks, including:
• Infect with malware—Several default Web browser settings allow Web browsers
to run helper programs, such as ActiveX controls or Java applets, to enhance the
user experience. Although many helper programs are useful, attackers can provide
substitute programs that are actually malware.
• Intercept communication—Authorized users can access sensitive organizational
data, often using a Web browser. Any device or computer that sits between the client
and the server sees all traffic passing back and forth between the two. An attacker
who places a proxy server between a Web browser and a Web server can see and
collect all of the traffic, including sensitive data that is intended only for the authorized user. This type of attack is often called a man-in-the-middle attack.
• Harvest stored data—Some versions of Web browsers have vulnerabilities that allow
Web pages to collect information stored on the client computer. This information
includes usernames, passwords, account numbers, and local copies of sensitive
data. This stored information can appear in cookies, application files, and settings.
Criminals can look for this type of information and tell your Web browser to send
it to any location.
These are just a few of the many types of Web browser attacks. You can, however,
harden each Web browser to resist attacks. Some of the hardening suggestions may
reduce the Web browser’s flexibility and functionality, but the browser will be more secure.
Change settings in any Web browser by opening the settings or options page. Most
of the following suggestions apply to all Web browsers, but the actions in the following
table are specifically oriented toward Internet Explorer. Table 12-1 lists steps to secure
a Web browser.
Figure 12-1 shows the Internet Options dialog box for Internet Explorer.
Table 12-1 Securing a Web browser.
Action: Set the security level of the Internet zone to High from the Security tab.
Description: Setting the security zone to High in Internet Explorer (IE) automatically
enables many features that block most known vulnerabilities. Setting the security zone
to High will also likely reduce the Web browser’s functionality.
Action: Add specific sites you trust as Trusted Sites from the Security tab.
Description: When you are visiting sites defined as trusted, Internet Explorer relaxes
the restrictions placed on general Internet sites. This setting allows ActiveX and Java
application components to run.
Action: Change the cookie settings from the Privacy tab. On the Advanced dialog box,
select to prompt for first-party and third-party cookies.
Description: This setting will alert you any time a Web site attempts to access any
cookies. This requires user interaction each time a Web site wants to access a cookie.
It gives you the chance to deny cookie access. You can also add any sites from which
you want to accept all cookies to the list of allowed sites. You won’t be prompted for
cookie access from the listed sites. You can also select the Delete Browsing History on
Exit check box on the General tab to have IE delete all cookies and other browsing
history each time you exit IE.
Action: Uncheck Enable Third-Party Browser Extensions from the Advanced tab.
Description: This setting limits the potential for browser helpers to disclose private data.
Action: Check Always Show Encoded Addresses from the Advanced tab.
Description: This setting makes it harder to spoof Internet addresses.
Action: Uncheck Play Sounds in Web Pages from the Advanced tab.
Description: This setting prevents an attacker from infecting your computer using
a sound file.
Access the Internet Options dialog box by using either of these procedures:
1. Inside Internet Explorer, select Tools > Internet Options.
2. From Windows, launch Control Panel, and then select Network and Internet >
Internet Options.
Figure 12-1 Internet Options dialog box in Internet Explorer 8.
Many more settings are available, but the settings in Table 12-1 will harden your
Web browser and will limit the damage an attacker can do using your Web browser.
E-mail Client
E-mail clients are another popular type of client software. Most of today’s e-mail clients
connect to a mail server and either display or download e-mail messages. One of the
most popular e-mail clients is Microsoft Office Outlook. As with Web browsers, there are
other popular e-mail clients.
Generally, the key to hardening e-mail clients is to limit any malicious code that
may be attached to e-mail messages. Next, take steps to ensure e-mail message privacy.
The first step requires additional software. You should already have anti-malware software
installed on each computer. Select anti-malware software that integrates with your e-mail
client. Many current anti-malware software packages work with e-mail clients to scan all
incoming and outgoing messages for malware. It is important to scan incoming messages
to detect any malware before it infects your computer. It is also important to scan
outgoing messages to ensure your computer is not sending malware to other destinations.
The enterprise solution from Microsoft is Microsoft Forefront. This product fully integrates
with existing Microsoft application software.
Some attacks on your computer are intended to turn your computer into a zombie.
A zombie may also be called a bot. It is a computer that follows the instructions sent from
another computer. Attackers often use zombies to send spam or malware to all the e-mail
addresses in a zombie’s address book. Outbound malware scanning will catch many of
these attacks.
The second step to securing an e-mail client is to safeguard message privacy. Require
the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) when connecting
to your mail server to make certain that all message exchanges are encrypted. This
option will work only if your mail server supports it and is properly configured to handle
encrypted connections. The main drawback is that once your message reaches your mail
server, the message is decrypted and sent on its way. Alternatively, you can encrypt each
message to guarantee your message stays encrypted all the way from your e-mail client
to the recipient’s e-mail client.
Unfortunately, there is no automatic method to encrypt e-mail messages for generic
recipients. Microsoft Office Outlook includes Secure/Multipurpose Internet Mail
Extensions (S/MIME) encryption as long as the recipient has your public key. Several
add-on products work with most e-mail clients to encrypt messages as well. For example,
OpenPGP, GPG, and S/MIME are all examples of e-mail message encryption methods.
Before using any of the methods or software, confirm that the recipient of your e-mail
message uses the same method. Additionally, his or her e-mail client must be capable
of receiving and decrypting the message. Since you have to take special steps for each
recipient to whom you send e-mail, encrypting e-mail messages is not used extensively
for sending messages to large groups of people. It does work very well in situations where
you know you’ll be sending several private messages to the same person or persons.
Most general hardening recommendations are appropriate for other e-mail clients.
The following specific recommendations apply directly to Microsoft Office Outlook 2007
and newer versions. Table 12-2 lists steps to make your e-mail client more secure.
Table 12-2 Securing an e-mail client.
Action: Install anti-malware software that integrates with your e-mail client.
Description: Integrated anti-malware software should scan each incoming and outgoing
message. Have a plan to keep all anti-malware software and data up to date.
Action: Enable the junk filter function.
Description: Configure your e-mail client to filter suspicious messages and put them
in a junk messages folder. Keep them separate from your regular messages.
Action: If your mail server supports secure connections, force your e-mail client to use
only secure connections when retrieving or sending e-mail.
Description: Although this setting will encrypt all e-mail messages between your e-mail
client and the mail server, messages that travel beyond your mail server will be
transmitted in the clear.
Action: Do not preview messages.
Description: Many attackers embed malicious code in images or other e-mail content.
Train users to never open an e-mail message from an unknown source. Since many types
of malware send e-mail messages using the sender’s address book, users shouldn’t open
any attachment they aren’t expecting.
Action: Change the default mail format to plaintext.
Description: Plaintext does not contain embedded commands that could result in malware
infections. HTML messages are much more visually appealing but more dangerous as well.
Action: Use an Encrypting File System (EFS) or BitLocker to encrypt the folder or drive
that contains your e-mail data files and attachments.
Description: Keeping your e-mail messages and attachment folders encrypted makes it
harder for attackers to access the contents of your e-mail messages without encountering
operating system access controls.
Action: If you need to exchange private e-mail messages with a number of recipients,
either use Microsoft’s e-mail encryption or acquire additional software to use another
solution.
Description: Ensure both sides of the e-mail exchange use the same encryption method.
Also, each recipient must have the sender’s public key. In most cases, this is accomplished
by first sending a digitally signed message to the recipient. The recipient receives the
message and adds the public key to the address book. The recipient can now receive and
decrypt encrypted messages from the sender.
Productivity Software
Most workstation computers and even mobile devices have some type of productivity
software installed. Productivity software is any software enabling users to accomplish
general work more efficiently. Productivity software may be installed as several separate
programs or as a collection, or suite, of software. Common productivity software
programs include the following, along with Microsoft’s product for each solution:
• Word processing—Microsoft Word
• Spreadsheet—Microsoft Excel
• Lightweight database—Microsoft Access
• Presentation—Microsoft PowerPoint
• Project scheduling/management—Microsoft Project
• Publishing—Microsoft Publisher
Productivity software packages are also targets for attackers, especially the more popular
programs. The main goals for compromising productivity software are malware infection
and private data disclosure. Many types of malware infect computers when users open
infected files. Infected documents, spreadsheets, presentations, and databases can exploit
vulnerabilities in your productivity software and launch malware that infects your
computer. Many successful attacks still introduce malware to computers using productivity
software document types that appear to be harmless.
The standard file extensions also identify potential content types to attackers.
If a criminal is looking for private data that is likely stored in an Access database, any
files with the extension .accdb are good candidates. Table 12-3 lists the general steps
to help secure your productivity software.
Table 12-3 Securing productivity software.
Action: Install anti-malware software that integrates with your productivity software.
Description: Integrated anti-malware software should scan each file before opening it.
Make sure you have a plan to keep all anti-malware software and data up to date.
Action: Use EFS or BitLocker to encrypt the folder or drive that contains your productivity
software documents and databases.
Description: Keeping your document folders encrypted makes it harder for attackers
to access the contents of your documents without encountering operating system
access controls.
Action: Never open a file unless you trust the source.
Description: Many malware infections depend on a user opening an infected file.
Action: Ensure your productivity software has the latest security patches installed.
Description: New vulnerabilities are discovered daily. Unpatched software is at risk.
File Transfer Software
One of the earliest uses of networks was to transfer files from one computer to another.
Users still transfer files routinely between computers, sometimes over large distances.
Every file download or upload is a file transfer. Unfortunately, the protocols most
commonly used to transfer files send the contents of each file in the clear, which means
unencrypted. The reason for sending data in the clear is that it is much faster than
encrypting the data first. However, security is a greater concern than efficiency for
private data. Do not use standard file transfer methods for any files that contain private
data. Use a secure transfer method.
The most common method of transferring files across a network is the File Transfer
Protocol (FTP). FTP uses the Transmission Control Protocol/Internet Protocol (TCP/IP)
suite to decompose a file into small messages and send the file to a recipient where the file
is reassembled. The process is solid but insecure. As security has become more and more
important, additional methods have been introduced, including FTP over a Secure Shell
(SSH) and Secure FTP (SFTP). Virtual private networks (VPNs) are also a good choice for
transferring files. Use unencrypted FTP within a secure VPN to achieve very good privacy.
Regardless of the specific choice you use, both ends of the network connection must
agree on the methods. The main point of securing file transfer software is to ensure all
files that contain private data are transferred using some type of encryption.
AppLocker
Microsoft introduced a new feature in Windows that allows you to restrict program
execution using Group Policy. This new feature, called AppLocker, is included with
Windows Server 2008 R2, Windows Server 2012, Windows 7 (Ultimate and Enterprise
editions), and Windows 8 (Professional and Enterprise editions). Before AppLocker,
Microsoft provided basic software restriction capabilities through Software Restriction
Policies (SRP). SRP is still available in newer Windows versions but is harder to use in
a large enterprise than AppLocker. Define rules using Group Policy to restrict which
applications workstation computers can run, using these types of rules:
• Path rules—SRP and AppLocker allow you to define specific paths from which
users can execute applications. Any application located in paths not approved
by these Windows features cannot run. Unless you carefully restrict users from
common installation folders, they can just copy new applications into a common
folder and essentially bypass the path rule restriction.
• Hash rules—SRP and AppLocker allow you to create a cryptographic hash
for each executable to distribute to workstation computers. Windows validates
that the executable program matches the approved hash value each time you
run a program. This type of rule is more secure than a path rule, but it requires
that you update the hash value each time you distribute a program update.
• Publisher rules—AppLocker makes application security easier than SRP by introducing
a new type of rule. Publisher rules use digital signatures provided by application
publishers. Use these signatures with additional criteria, such as a minimum version,
to define allowable applications. For example, you could allow Microsoft Word to run
on a workstation only if it has a valid publisher certificate and is at least version 12.0.
Although AppLocker publisher rules are slightly similar to SRP certificate rules,
AppLocker has added a lot of features and made defining rules much easier.
Besides the extra features that publisher rules provide, AppLocker makes it easy to
define rules for any number of users employing Group Policy.
Access AppLocker settings in the Group Policy Management Console (GPMC) on Windows
Server 2008 R2 by following these steps:
1. Choose Start > Administrative Tools > Group Policy Management.
2. Select a Group Policy Object (GPO) or create a new GPO.
3. Open the context menu for the selected GPO and select Edit.
4. Expand Computer Configuration\Policies\Windows Settings\Security Settings\
Application Control Policies\AppLocker.
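As an added example that is not part of the chapter, the following PowerShell uses Microsoft’s AppLocker module to build a publisher-and-hash allow-list from a reference workstation, save it in audit mode, and dry-run it against a program copied into a user-writable folder, which is the path-rule bypass described above. The directory and file paths are placeholders.

```powershell
# Added example (not from the chapter): build an AppLocker allow-list in
# PowerShell and check whether a program copied to a user-writable folder
# would slip past it. Assumptions: Windows 7 / Windows Server 2008 R2 or
# later with the AppLocker module, a reference workstation whose installed
# software is trusted, an elevated session, and placeholder file paths.
Import-Module AppLocker

# 1. Inventory executables on the reference machine. Each record carries the
#    Authenticode publisher (when signed), the file hash and the path, so any
#    of the three rule types can be generated from it.
$refFiles = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Generate publisher rules where a signature exists and hash rules for the
#    rest. No path rules: a path rule on a folder users can write to lets
#    them copy any program there and run it. -Optimize merges rules that
#    share a publisher; -Xml returns the policy as an XML string.
$policyXml = New-AppLockerPolicy -FileInformation $refFiles `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Switch every rule collection to audit-only so denials are written to the
#    AppLocker operational event log without blocking anyone yet.
$policyXml = $policyXml -replace 'EnforcementMode="(NotConfigured|Enabled)"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Policies\AppLocker-Audit.xml'     # placeholder
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml

# 4. Dry-run the policy against a binary copied into a user-writable folder.
#    With no path rule covering C:\Users\Public and no matching publisher or
#    hash, the decision is DeniedByDefault, which is the bypass a broad path
#    rule would have permitted.
$probe = 'C:\Users\Public\copied-tool.exe'          # placeholder
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Pilot locally (the Application Identity service must be running), or
#    import into a GPO with -Ldap for domain-wide enforcement later.
# Set-AppLockerPolicy -XmlPolicy $policyPath
```

Review the audit-mode event log for a few weeks before changing EnforcementMode to Enabled; every legitimate program that shows up as denied needs a publisher or hash rule of its own.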
Securing Key Microsoft Server Applications
Server applications are designed to listen for requests and provide some service. They
commonly run in the background on server computers, listen to one or more defined ports,
and process requests on behalf of clients. Server applications often interact with centralized
data and will likely have access to private data. All three properties in the C-I-A triad are of
concern in server applications. A secure application is available to respond to client requests,
and enforces the integrity and confidentiality of the data it manages. Several types of server
applications are common in organizations and each has its own specific security concerns.
One of the most useful features of both Windows Server 2008 R2 and Windows Server
2012 is the definition of server roles. When you select a server role, Windows installs only
the services you’ll likely need to fill that role. The first step in securing any server software
is to secure the server computer. One of the best ways to secure a server computer is to limit
the roles you install. Install only roles that are necessary for each server to fulfill its purpose.
Web Server
A Web server is a software program that monitors a specific port, normally port 80 or 443,
for Web requests and provides content for a Web client. Web servers support many types
of requests and apply various protocols to respond to requests. The two most common
protocols that Web servers use for normal Web traffic are the Hypertext Transfer Protocol
(HTTP) and Hypertext Transfer Protocol Secure (HTTPS). The Web server receives a message
from the inbound port in the form of a request that includes a uniform resource locator (URL).
The URL contains information for the Web server to know how to handle the request.
For example, suppose you are running a Web server at the address
www.MicrosoftApplicationSecurityChapter12.com. Your Web server may receive a URL that
looks like this:
http://www.MicrosoftApplicationSecurityChapter12.com/scripts/wsisa.dll/WService=catlookup?isbn=076372677X
Table 12-4 describes the individual parts of a URL.
Table 12-4 Individual parts of a URL.
Protocol: http—The protocol the Web server will use for this exchange
Separator: ://—Standard separator between the protocol and the host name or address
Host name or address: www.MicrosoftApplicationSecurityChapter12.com—The name or IP
address where the Web server is running
Web server command: scripts/wsisa.dll/WService=catlookup?isbn=076372677X—The rest of
the URL contains information the Web server uses to interpret the client’s request. In this
case, the Web server would attempt to execute wsisa.dll in the scripts folder.
The Web server receives the message and evaluates the Web server command.
The Web server command tells the Web server what to do. If your Web server executes
a command without taking any precautions, any anonymous user can tell it to do
many malicious things, such as return private data, delete files, or shut down the server.
Any of these actions would violate the server’s security.
Since you don’t want any Web server blindly executing commands, you need
to restrict what the Web server accepts and what it can do. Make a Web server more
secure by following a few simple strategies. Table 12-5 lists some of the main strategies
for securing any Web server.
The strategies in Table 12-5 represent a few of the tasks necessary to fully secure
a Web server. Since Web servers are often exposed to the Internet and provide an interface
into your network, they are attractive targets. Make sure you spend the time securing
each Web server you deploy.
Table 12-5 Strategies to secure a Web server.
Strategy: Disable unused protocols/services.
Description: Web servers can support many more protocols than HTTP and HTTPS. Each
protocol gives attackers additional methods to compromise a server. If you don’t need
a particular protocol, such as File Transfer Protocol (FTP), disable it in the Web server
configuration and ensure the corresponding service is disabled as well.
Strategy: Remove samples, help, and administration scripts.
Description: Some Web servers install additional components that you don’t need on
a production server and that may be vulnerable to attacks.
Strategy: Disable scripts for types you don’t need.
Description: Web servers recognize many different types of file extensions and will
attempt to interpret scripts and programs they receive. Hackers use this knowledge
to send attack scripts to exploit vulnerabilities.
Strategy: Deny directory traversal and listing.
Description: Stop Web clients from sending paths or commands that access resources
outside the Web server path. Also, don’t let anyone see a directory listing of directories
on your server. Criminals use this information to plan more attacks.
Strategy: Enable auditing of failed logon attempts and failed resource requests.
Description: Auditing can provide information to identify attacks or reconnaissance
on your Web server.
Strategy: Put all Web content on a disk drive that is separate from the operating system
or any private data.
Description: Separating Web server files from system files and private data reduces
the damage an attacker can do if your Web server is compromised.
Strategy: Require secure connections for any private data exchange.
Description: SSL/TLS connections encrypt traffic between the Web server and the Web
browser, keeping messages private.
Strategy: Use operating system access controls to limit access for Web users.
Description: Operating system access controls can limit the objects any user can access,
including Web users.
Strategy: Disable any Web server authentication methods your application does not need.
Description: Some Web server authentication methods, such as digest authentication,
are vulnerable and should not be used.
Strategy: Remove any unused encryption ciphers.
Description: Many Web servers install several encryption ciphers to support as many
types of encryption as possible. Remove any ciphers that are weaker than your minimum
requirements. This stops clients from negotiating a weaker encryption algorithm with
the Web server.
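As an added example that is not part of the chapter, the following PowerShell applies several Table 12-5 strategies (directory listing, traversal sequences, script types, verbs, secure connections, digest authentication) to one IIS 7.5 site through Microsoft’s WebAdministration module; the request-filtering checks inspect the “Web server command” part of the URL broken down in Table 12-4. The site name, allowed extensions and allowed verbs are assumptions for a static site.

```powershell
# Added example (not from the chapter): apply Table 12-5 strategies to one
# IIS 7.5 site with the WebAdministration module (Windows Server 2008 R2+).
# Assumptions: the Web Server (IIS) role is installed, the site is named
# "Default Web Site" and already has an HTTPS binding, and the script runs
# in an elevated PowerShell session on the server.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'
$rf   = 'system.webServer/security/requestFiltering'

function Add-FilterItem($Filter, $Key, $Item) {
    # Add a request-filtering collection element only if no element with the
    # same key exists, so the script can be re-run without duplicate errors.
    $xpath = "$Filter/add[@$Key='$($Item[$Key])']"
    if (-not (Get-WebConfiguration -PSPath $site -Filter $xpath)) {
        Add-WebConfigurationProperty -PSPath $site -Filter $Filter -Name '.' -Value $Item
    }
}

# Deny directory listing: a browsable tree hands a visitor a map of the site.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/directoryBrowse' `
    -Name enabled -Value $false

# Deny directory traversal: refuse URLs containing ".." or ":" and refuse
# double-encoded characters that could hide such sequences from the check.
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name allowDoubleEscaping -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name allowHighBitCharacters -Value $false
foreach ($seq in '..', ':') {
    Add-FilterItem "$rf/denyUrlSequences" 'sequence' @{ sequence = $seq }
}

# Disable scripts for types you don't need: with allowUnlisted off, only the
# extensions listed below are served. A request for a .dll such as the
# wsisa.dll in the Table 12-4 URL is refused unless .dll is added here.
# The list is an assumption for a static site; extend it for your application.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/fileExtensions" -Name allowUnlisted -Value $false
foreach ($ext in '.htm', '.html', '.css', '.js', '.png', '.jpg', '.gif', '.ico') {
    Add-FilterItem "$rf/fileExtensions" 'fileExtension' @{ fileExtension = $ext; allowed = $true }
}

# Limit HTTP verbs to the ones the application actually uses.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name allowUnlisted -Value $false
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-FilterItem "$rf/verbs" 'verb' @{ verb = $verb; allowed = $true }
}

# Require secure connections: every request to the site must arrive over SSL/TLS.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl'

# Disable authentication methods the application does not need (digest here).
Set-WebConfigurationProperty -PSPath $site `
    -Filter 'system.webServer/security/authentication/digestAuthentication' `
    -Name enabled -Value $false

# Show the resulting request-filtering settings for review.
Get-WebConfiguration -PSPath $site -Filter $rf | Format-List allowDoubleEscaping, allowHighBitCharacters
Get-WebConfiguration -PSPath $site -Filter "$rf/fileExtensions/add" | Select-Object fileExtension, allowed
```

With allowUnlisted set to false, test the site thoroughly: any content type your pages use that is missing from the list (fonts, XML, PDF) is refused with HTTP 404.7, and a denied verb or URL sequence shows up as 404.6 or 404.5 in the IIS log, which is the failed-request audit trail Table 12-5 asks for.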
Microsoft's Web server, Internet Information Services (IIS), has long been a familiar component in Windows environments. The version of IIS that ships with Windows Server 2008 R2 (IIS 7.5) or Windows Server 2012 (IIS 8.0) represents Microsoft's most secure Web server to date. Microsoft learned many lessons from previous versions of IIS and made the latest version secure from the beginning. If you take the time to install IIS with only the options you need, it doesn't require much additional work to create a secure Web server.
The starting point for installing IIS is a Windows Server 2008 R2 or Windows Server 2012 server. You can install IIS on a full Windows Server installation or on a Server Core installation. You'll learn about adding IIS to a standard server in this chapter. You install IIS by adding an additional role to the server.
You can add a role to a Windows Server 2008 R2 server from the Server Manager window. Follow these steps to add a new role to a server:
1. From the Windows desktop, choose Start > Administrative Tools > Server Manager.
2. Select Roles > Add Roles.
3. Select Next to see the roles you can add to the current server.
4. Check the Web Server (IIS) box and choose Next.
Figure 12-2 shows the Add Roles Wizard windows for adding the Web Server (IIS) role to Windows Server 2008 R2.
Figure 12-2
Add Roles Wizard for adding Web Server (IIS) role to Windows Server 2008 R2.
Notice in Figure 12-2 that Windows provides several resources to help you add IIS to your server. Read through the overview of the role services Microsoft introduced in IIS starting with version 7.5. These services allow you to pick and choose just the services your Web server needs to run your Web sites and applications. This saves you the time and effort of having to disable unneeded services after installation. Microsoft also provides detailed checklists to help you install IIS with the features and security you want. After reviewing the help and documentation, proceed to the role services selection window.
Figure 12-3 shows the Select Role Services window for adding the Web Server (IIS) role to Windows Server 2008 R2.
Figure 12-3
Select Role Services for adding Web Server (IIS) role to Windows Server 2008 R2.
Windows lets you select the services your Web server will need before it installs
anything. This is the step that can make your Web server lean and secure. Carefully
review each selection before checking any box. Once you have all of the desired
services selected, continue installing IIS. Although IIS installs in a fairly secure state,
you should still review the server and the Web server software to ensure the highest
level of security possible.
E-mail Server
Another common server you’ll find in many organizations is an e-mail server.
Microsoft’s e-mail server is Microsoft Exchange Server. An e-mail server provides
e-mail services to clients. Clients connect to the e-mail server and either receive e-mail
messages from the server or send e-mail messages to the server. One connection could
include both operations. Clients can either download messages to read locally or
read messages directly from the e-mail server. If you allow it, each client can choose
between remote or local message storage.
When considering e-mail server security, cover all three properties of the C-I-A
triad. Your e-mail server must be available. One of the most frustrating situations for
users to encounter is an e-mail server that is unavailable. E-mail is such an integral
part of daily tasks that access to it is expected. Your e-mail server must also keep private messages private and ensure that no message changes in transit. Encrypting the connections that carry messages costs little and should apply to all traffic. End-to-end encryption and signing of individual messages carry more overhead, and organizations generally apply them only to the messages that warrant it.
It is important to secure all e-mail that is stored on your e-mail server. Your e-mail
server may store messages for very short periods of time or for months, or even years.
Double-check that both your e-mail server software and the operating system protect
e-mail message data using file, folder, or drive encryption. Since many people rely
on the practice of storing e-mail messages on the e-mail server, have a solid disaster
recovery plan (DRP) and business continuity plan (BCP). These plans protect your
e-mail in case of data loss.
Unlike IIS, Exchange Server is a separate commercial product. Once you purchase
a license, you can acquire and install Exchange Server on your Windows Server
computer. During installation, you specify many of the characteristics to secure your
e-mail server. Exchange Server 2010 allows you to select from several roles that define
whether the server will store messages, provide client access to messages, transport
messages to other e-mail servers, or even perform a combination of roles. The specific
role your e-mail server plays tells the installation process how to configure the
software for the most functionality and highest security.
An e-mail server must deal with several vulnerabilities to support secure e-mail
exchange. When securing an e-mail server, address these issues:
• Limit operating system logons and administrator rights—Only a limited number of user accounts should have administrator access to the e-mail server computers.
• Enforce strong e-mail user authentication—Require strong authentication for all e-mail clients.
• Use encrypted connections for all communication between Exchange servers—This is the default behavior.
• Enable only the protocols your e-mail clients require—Post Office Protocol version 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) are older protocols and are disabled by default. Enable them if necessary; by default Exchange accepts these connections only when they are encrypted, and you should keep that setting.
• Patch all Exchange Server instances—Frequently check for security updates and install them on all your Exchange servers.
• Use anti-malware software on each server—Microsoft Forefront is one enterprise solution.
• Encrypt folders or drives that store e-mail messages—Use Encrypting File System (EFS) or BitLocker.
• Plan for high availability—Develop a solid BCP and DRP that ensure maximum uptime.
E-mail servers are frequent participants in spreading malware. Good anti-malware software, along with strong access controls, can reduce the potential for your e-mail server spreading malware. Requiring encryption of all connections will greatly increase the overall security of messages exchanged within your organization. Remember that messages that travel outside your organization are not encrypted by default; they are protected in transit only if the receiving server also negotiates an encrypted connection. End-to-end encryption of message contents is the responsibility of the e-mail clients, which must agree on a method before exchanging encrypted messages. Microsoft Exchange Server goes a long way toward ensuring your e-mail messages are as secure as possible.
Database Server
Nearly every application needs some type of stored data on which to operate. Some applications use their own internal data storage techniques. The majority of applications use separate database management products to store data. Application developers write application software that interfaces with one or more databases to maintain the data each application needs. Today's databases are getting larger. It is not uncommon to see database sizes in excess of many terabytes. As applications rely on database management systems more and more to provide access to data, organizations are isolating databases on separate servers. These specially configured database servers are efficient platforms for applications and attractive targets for attackers.
Database management systems routinely store application data for rapid and secure retrieval on demand. Databases can store private and public data. They handle each type of data differently. Separating all of an organization's data to a database server gives the organization greater control over how to secure that data. Securing a database, like securing any other server software, depends on a secure operating system first. After the basic security needs of the underlying platform have been addressed, databases can help ensure the confidentiality, integrity, and availability of stored data.
Current database management systems have several options and strategies to provide
maximum availability. Take frequent backups, archive transaction logs, or implement
data replication. Most current database products also provide configuration options
that are specific to high availability. One configuration option is using failover clustering
to protect from hardware failure. Regardless of the options you choose, research your
database management system’s capabilities and deploy the configuration that fits your
budget and provides the greatest availability.
The ability of a database management system to provide confidentiality and integrity depends on the quality of the authentication, access controls, and query preprocessing. First, use strong authentication for all database queries. In the database world, a query is any statement that accesses data. A query can read, write, create, or delete data. Each query requests access to data on behalf of a specific user or process. Enforce unique user accounts and strong authentication. Legacy database applications often allowed generic user accounts that multiple users shared. While this practice may be acceptable for public data, do not allow it for databases that contain sensitive data. Each user should have a unique account. Unique user accounts make it possible to grant access privileges to specific users and audit activity more precisely. Just as with hardening the operating system, require the strongest authentication method your clients support.
The next security property is confidentiality. Database management systems use encryption to support confidentiality. To make database access as secure as possible, enforce encrypted connections any time you transfer private data. You can enforce this using VPNs or individual connection encryption. Make sure no private data is transmitted in the clear.
! WARNING
If your organization deploys a distributed application, make sure all connections from the client to the database are encrypted. Many applications force secure connections just from the client to the Web server. While this strategy protects data transmitted across the Internet, data is decrypted and transmitted in the clear from the Web server to the application servers and database servers. Encrypt all connections.
Databases also use encryption to store data. Data at rest has several different
encryption options. This list of options includes:
• EFS or BitLocker—While encrypting a file, folder, or volume does store data
encrypted, most database administrators prefer more control over what gets
encrypted. Encrypting data at the operating system level may lead to far more
data being encrypted than what an organization needs.
• Transparent Data Encryption (TDE)—Current database management systems
generally offer an option to encrypt either selected database objects or even an
entire database. Transparent Data Encryption (TDE) encrypts all data without
requiring any user or application action.
• Application encryption—The most fine-grained control is for the application
to decide what data to store encrypted and carry out the encryption process
directly. This last option provides the most control over encrypted data but
at the cost of substantial software development effort.
The last major security property that database management systems protect is data integrity. Although database vendors go to great lengths to ensure internal data integrity, integrity in a security context has a slightly different meaning. To support both confidentiality and integrity, database management systems make certain that no unauthorized user can view or modify data. To enforce these two properties, the database management system must know the identity of the user who submitted the query. Positive identification and authentication provide a trusted user account. The next step is to authorize a user to carry out a data operation. Most of the commercial database management systems support the Structured Query Language (SQL) to access data in a database. SQL defines a security model that grants or revokes access privileges to specific pieces of data. The database management system evaluates each field, or column of data, based on the permissions defined for the current user.
SQL security is quite good. The problem is that it can be cumbersome to manage. SQL security is based on users, and granting data access to anonymous users can allow anyone to access your data. As long as you have unique user accounts, you can secure data in your database at a very detailed level. Doing so requires substantial effort in verifying that all permissions are current and accurate.
One common problem arises with storing secure data in a database. Most database products interpret SQL queries at run time. In other words, the query statement isn't evaluated until it is time to execute the statement. Many attackers have learned how to trick the database query processor into doing more than intended. If an application builds a query by pasting user input into the statement text, an attacker can add SQL statements to that input, and if he or she is crafty and careful, he or she can make a database server respond to nearly any command. Adding SQL statements to data for the purpose of sending commands to a database management system is called SQL injection.
The most reliable defense against SQL injection is to keep data separate from the statement text by using parameterized queries (prepared statements), so the query processor never interprets input as SQL. In addition, validate all input before sending it to the SQL query processor. Have your client application validate each input field to ensure it meets your input standards, but make your server validate input as well. Recall that man-in-the-middle attacks sometimes use proxy servers; attackers use the same intercepting proxies in injection attacks. If an attacker can intercept network traffic, he or she can also modify the traffic. That means a computer criminal can modify any data that already passed validation on the client. For that reason, never trust data from a client—always validate all input on the server. By validating all input, your database server can detect and reject illegal input such as injected SQL statements.
Let Microsoft Handle Your Database
Microsoft offers another option for organizations that use Microsoft SQL Server. Microsoft SQL Azure provides SQL Server database services as a subscription. Your database no longer resides in your environment but resides and is managed in Microsoft's cloud environment. The advantages to this approach are that Microsoft handles all of the patching, high availability, and basic security tasks for you. You can find more information on Microsoft SQL Azure at http://www.windowsazure.com/en-us/home/features/data-management/.
Keeping all these points in mind, here are the general steps to securing a database server:
• Secure the operating system—Always start with a secure operating platform.
• Install the latest patches—Check that you have the latest security patches and develop a plan to acquire and install all released patches.
• Require strong authentication—Require authentication of all users before processing a query and force the strongest authentication method your clients can support.
• Use separate user accounts for database administration—These are separate system administrators, database administrators, and database user accounts.
• Install only necessary components—Do not install database services or components you don't need. Review the installation process and remove unneeded components.
• Remove or disable default users—Most database management systems install default user accounts. Attackers know which default users exist in most databases. Remove or disable all of these default accounts.
• Use auditing—Enable auditing for failed logon attempts and possibly access to critical data. Be aware that auditing any data access can create a large number of log entries.
• Change default ports—Attackers know the default ports for every common database service. Using alternate ports keeps the service out of casual scans, but it is only a minor hurdle: a full port scan still finds the service, so treat this as an addition to firewall rules and strong authentication, not a replacement for them.
• Revoke any developer access to production environments—Developers should have access only to development and testing environments.
• Encrypt private data—Select an encryption method that secures private data.
• Develop and maintain plans for business continuity and disaster recovery—Plan for disruptions and know how to minimize your downtime.
• Validate all input—Never pass input to the query processor without validating it first, and use parameterized queries so that input can never change the structure of the statement.
• Monitor performance—Monitor how well the database is executing queries and be prepared to respond if performance degrades.
These steps will help you create a database environment that supports your data's security.
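The SQL injection discussion above is easier to see with the vulnerable statement next to its fix. The following is an added example, not code from the chapter: it runs against an in-memory SQLite database with a constructed users table, shows the bypass that string-built queries allow, and then the parameterized replacement with a server-side allow-list check layered on top. The schema, the sample accounts, and the username rule are this example's assumptions; the same two patterns apply to SQL Server through any driver that supports placeholders.

```python
"""SQL injection: the vulnerable query beside its parameterized replacement.

Added example (not from the chapter). The users table and its two rows are
constructed sample data; real systems store password hashes, not passwords.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an ordinary user and a database administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "hunter2", "dba")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The 'before' state: input is spliced into the statement text, so the
    query processor interprets whatever the user typed as SQL."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


# Assumed input standard for usernames: lowercase letters, digits, underscore,
# at most 32 characters. Quotes and comment markers can never pass this check.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name: str) -> bool:
    """Server-side allow-list validation (never trust the client's validation)."""
    return USERNAME_RE.fullmatch(name) is not None


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized statement: the values travel separately from the SQL text,
    so they cannot change the statement's structure. Validation remains a
    second layer, applied on the server, for inputs such as usernames that
    have a documented format."""
    if not validate_username(name):
        return False
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row is not None


# Closes the string literal, then comments out the password comparison.
INJECTED_NAME = "admin' --"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, INJECTED_NAME, "wrong"))  # True: authentication bypassed
    print(safe_login(db, INJECTED_NAME, "wrong"))        # False: rejected
    print(safe_login(db, "alice", "correct horse"))      # True: legitimate logon
```

With the injected name the first function executes `SELECT role FROM users WHERE name = 'admin' --' AND password = 'wrong'`, and everything after `--` is a comment, so the password check disappears. The parameterized version sends the same text as a value, and the allow-list check rejects it before the query is even issued.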
ERP Software
Enterprise Resource Planning (ERP) software is an integrated collection of software programs. It manages many aspects of a business, including finances, human resources, assets, and business processes. ERP software generally serves to unite different users and organizational units by sharing and combining data. ERP software provides centralized data storage and functional software capabilities that streamline business processes.
The security concern of ERP software is that a large portion of an organization's data is centralized. Most, if not all, of the users in the organization access the ERP software as part of their normal business function. That means many users have access to the application and the database. Each software vendor provides specific recommendations for its product, but many strategies to secure ERP software are common among vendors. Follow these guidelines to secure any ERP software application:
• Create unique user accounts—Securing shared data depends on uniquely identifying users. Don't allow users to share accounts.
• Enforce strong authentication—Since data security depends on user- or group-based authorization, choose the strongest authentication type your application allows.
• Restrict access to application components—Use application security options to restrict function access by user or group.
• Develop ERP acceptable use policy (AUP)—Develop acceptable use policies for the ERP software. Train all users on current AUPs.
• Secure workstations—Follow recommendations for securing any workstation that accesses your ERP application.
• Require encrypted connections—Require secure VPN or other encrypted connection to access the ERP application.
Line of Business Software
ERP applications address mostly generic business needs. Some organizations have specific business processes that are unique to their market or organization. Many organizations either develop or acquire specialized application software to help them conduct business. Software applications that are specific to a particular process in an organization are called line of business (LOB) software. For example, line of business software can include any of these applications:
• Enterprise project management
• Workflow control
• Service technician tracking and scheduling
LOB software isn't necessarily unique to an organization, but it isn't needed by all organizations. The security concerns are the same ones as with ERP applications. The workforce depends on the application's operation and the data's security. The application must be available, responsive, and dependable. Follow the same recommendations as in the ERP application section, and you'll have a secure LOB application.
Case Studies in Microsoft Application Security
When learning new concepts, it often helps to see examples. The best examples are
real-life examples. In this section, you’ll learn about three real-life organizations that
encountered IT security issues and solved them in a Microsoft Windows environment.
These examples show that few problems have quick fixes and are often related to
other issues. All security problems take time and effort to resolve. Here is how three
organizations resolved their challenges.
Sporton International
Sporton International is based in Taiwan. It certifies hardware devices that use electromagnetic current, including computers and mobile phones. Sporton provides certification
and testing services for IT leaders such as Apple, HP, and Nokia. The company has access
to its customers’ sensitive trade secrets and product prototypes and must ensure that these
remain secure. To safeguard customers’ data, Sporton worked toward more complete
documentation and control of its security infrastructure. It deployed Microsoft Forefront
security products, which work with the Microsoft products Sporton was already using,
to manage risk and empower people across the enterprise. Using a product that integrated
with Microsoft applications already in use lowered software licensing costs by at least
US$15,000 a year. The company now automatically enforces security compliance,
proactively blocks noncompliant e-mail messages before an attacker can compromise data,
and uses reporting and documentation features to more easily meet security regulations.
Sporton demonstrated that changing software isn’t always the best answer. In its
case, Sporton was able to add an additional layer of software, Microsoft Forefront, which
maintained the company’s existing integration and provided the documentation it
required. One of the features of Microsoft Forefront is advanced anti-malware protection
for an enterprise. This feature protects all application software from potential infection.
Monroe College
Monroe College is a private college with its main campus in New York City. It has
two additional campuses in New Rochelle, New York, and St. Lucia. The college offers
degrees in a variety of professional career-oriented areas of study. It has an IT staff of
30 full-time professionals who are responsible for maintaining and protecting more than
1,800 computers, 70 physical servers, and 100 virtual servers. They are also in charge
of providing secure college network access for students, who bring their own laptops
and mobile devices to the campuses.
The IT staff tried two previous solutions to manage the security of their computers.
The first attempt didn’t properly secure the desktop and laptop computers and left them
vulnerable to Internet viruses and spyware. These infections resulted in multiple outages
and much downtime. The second product reduced the number of outages but was difficult
to maintain. The Monroe IT group had to struggle to keep security updates current.
On the third attempt, Monroe College turned to Microsoft Forefront Client Security.
CHAPTER 12 | Microsoft Application Security
301
Since installing Microsoft Forefront Client Security, Monroe College has experienced
no disruptions resulting from a virus or malicious software. The IT staff also has Microsoft
Forefront at its disposal to simplify system administration to make software updates easy
to deploy.
Dow Corning
Dow Corning is a global chemical manufacturer that is jointly owned by the Dow Chemical Company and Corning. Dow Corning provides more than 7,000 silicone-based products and serves more than 25,000 customers worldwide. More than half of the company's annual sales are outside the United States.
Dow Corning's goals were to consolidate and extend identity management workflows. The company also needed to move toward a more secure, well-managed, and dynamic core IT infrastructure capable of protecting their sensitive data as it moved through e-mail and collaboration systems. Dow Corning planned to migrate its e-mail infrastructure to Microsoft Exchange Server 2007 but was unable due to restrictions in its existing provisioning scripts. Dow Corning decided to deploy Microsoft Forefront Identity Manager 2010 to replace custom user provisioning scripts that could not support the upcoming migration to Microsoft Exchange Server 2007 or additional Active Directory domains. With Forefront Identity Manager 2010, the company should increase efficiency through password synchronization and reduce work for the help desk staff. As of this writing, Dow Corning also plans to extend messaging and collaboration beyond the enterprise to business partners, who will also be supported by the Microsoft identity-based access solution.
Best Practices for Securing Microsoft Windows Applications
A little research on securing applications will yield many resources. You can find tutorials, how-to guides, and complete reference works with detailed instructions to follow. While there are many details necessary to make your applications as secure as possible, several general guidelines will address the most important security needs.
Although each application and each organization is different, they all share common strategies to establish good security controls and foil attackers. The following recommendations come from practical experience with many organizations and applications. They are the strategies that produce the best results. These best practices will help you establish a solid foundation for securing your applications:
• Harden the operating system first.
• Install only the services necessary.
• Use server roles when possible.
• Use the Security Configuration Wizard (SCW) to apply the least privilege principle to applications.
• Remove or disable unneeded services.
• Remove or disable unused user accounts.
• Remove extra application components.
• Open only the minimum required ports at the firewall.
• Define unique user accounts.
• Use strong authentication.
• Use encrypted connections for all communication.
• Encrypt files, folders, or volumes that contain private data.
• Develop and maintain a BCP and DRP.
• Disable any unneeded server features.
• Ensure every computer has up-to-date anti-malware software and data.
• Never open any content or files from untrusted sources.
• Validate all input received at the server.
• Audit failed logon and access attempts.
• Conduct penetration tests to discover vulnerabilities.
These best practices apply to most server applications and ensure you are protecting your data at the server level.
CHAPTER SUMMARY
Securing applications is an integral part of an overall security plan. The most secure
environment is not very secure if the servers aren’t hardened as well. Attackers know
that servers store an organization’s valuable data and the programs that manipulate
that data. Your servers will be targets. Your clients will be targets, too. In many cases,
attackers will attempt to compromise clients to get to your servers. Have a plan
for foiling assaults at both the client and server levels. That plan should start with
hardening your applications to make them as secure as possible.
In this chapter, you learned how to secure several types of application software.
You found out how to secure both client and server applications and why each one
is important. You also reviewed best practices that will provide a solid foundation
for a secure application environment.
Key Concepts and Terms
Application software
Enterprise Resource Planning (ERP)
File Transfer Protocol (FTP)
Hypertext Transfer Protocol Secure (HTTPS)
Man-in-the-middle attack
Privilege escalation
Query
Spoofing
SQL injection
Structured Query Language (SQL)
Transparent Data Encryption (TDE)
Uniform resource locator (URL)
Zombie
Chapter 12 Assessment
1. The main focus when securing application software is confidentiality.
A. True
B. False
2. Which type of application attack attempts to add more authority to the current process?
A. Privilege spoofing
B. Identity escalation
C. Privilege escalation
D. Identity spoofing
3. Which of the following is the best first step in securing application software?
A. Install all of the latest patches.
B. Harden the operating system.
C. Configure application software using least privilege.
D. Perform penetration tests to evaluate vulnerabilities.
4. A ________ is an attractive target because it is the primary client of Web applications.
5. Why are ActiveX controls potential security risks?
A. ActiveX controls can contain malware and run on the client.
B. ActiveX controls can contain malware and run on the server.
C. ActiveX controls require that you divulge sensitive authentication details.
D. ActiveX controls are outdated and generally used by older Web applications.
6. Enabling secure connections ensures e-mail
messages are encrypted between sender
and recipient.
A. True
B. False
7. Which of the following is a simple step to make
e-mail clients more secure?
A. Use EFS/BitLocker to store e-mail messages
on the server.
B. Install third-party message encryption.
C. Turn off message preview.
D. Remove e-mail clients and use server-based
e-mail access.
8. Which of the following steps can increase
the security of all application software?
A. Install anti-malware software.
B. Use whole disk encryption on client
workstations.
C. Run SCW on workstations.
D. Require SSL/TLS for connections
to a Web server.
9. You use Windows server roles to configure
each Windows server computer to perform
only one task.
A. True
B. False
10. A URL can contain commands the Web server
will execute.
A. True
B. False
11. How do you install IIS on a Windows Server 2008 R2 computer?
A. Purchase IIS and install it.
B. Download IIS for free and install it.
C. Add the Web Server (IIS) role to a server.
D. Install IIS from the Windows install DVD.
12. A ________ is any statement that accesses data
in a database.
13. ________ encrypts all data in a database
without requiring user or application action.
14. SQL injection attacks are possible only against
popular Microsoft SQL Server databases.
A. True
B. False
15. Is requiring secure connections between your
Web server and your application server worth
the overhead and administrative effort?
A. No, because both the Web server
and application server are inside your
secure network.
B. Yes, because your Web server is in the DMZ
and is Internet-facing.
C. No, because secure connections between
high-volume servers can dramatically
slow down both servers.
D. Yes, because your application server
is in the DMZ and is Internet-facing.