AS-7-DISCUSSIONS,ASSIGNMENTS
Security Strategies in Windows Platforms and Applications
Lesson 12
Microsoft Application Security
© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image © Sharpshot/Dreamstime.com
Learning Objective(s)
Describe threats to Microsoft Windows and applications.
Describe techniques for protecting Windows application software.
Key Concepts
Principles of Microsoft application security
Procedures for securing Microsoft client applications
Procedures for securing Microsoft server applications
Principles of Microsoft Application Security
Application security
Covers all activities related to securing application software throughout its lifetime
Application software
Any computer software that allows users to perform specific tasks
Examples: sending and receiving email, browsing the web, creating a document or spreadsheet
Principles of Microsoft Application Security (Cont.)
Ensuring application software security includes ensuring security during:
Design
Development
Testing
Deployment
Maintenance
Retirement
Protects C-I-A of data
Client Application Software Attacks
Malformed input: inputs that the application doesn't expect; inputs that can cause unexpected results
Privilege escalation: adds more authority to the current session than the process should possess
Denial of service (DoS): slows or crashes the application
Identity spoofing: assuming another user's identity
Direct file or resource access: exploits holes in access controls
Extra-application data access: accesses the application's data outside the application
Application Hardening Process
Minimal install: Install the application using only the options and features you plan to use.
Unneeded accounts and files: After installing the application, remove any default user accounts and sample data, along with any unneeded files and features.
Least privilege: Configure the application according to the principle of least privilege.
Security patches: Ensure your application has all of the latest available security patches applied.
Monitoring: Monitor application performance to verify that your application adheres to security policy.
Securing Key Microsoft Client Applications
Web browser: Internet Explorer
Email client: Outlook
Productivity software: Microsoft Office
File transfer software: File Transfer Protocol (FTP) over Transmission Control Protocol/Internet Protocol (TCP/IP)
AppLocker, Software Restriction Policies (SRP), and Group Policy (restricting which applications may run)
Web Browser
Web browser attacks:
Infect with malware
Intercept communication
Harvest stored data
Web browser: This program allows users to access World Wide Web resources. Some application software has embedded web browser capability, but stand-alone web browsers are by far the most common. Popular web browsers are:
Microsoft Internet Explorer
Mozilla Firefox
Google Chrome
Apple Safari
Opera
Web Browser
Set Internet zone security level to High
Add specific, trusted sites to Trusted Sites list
Configure settings to prompt for first-party and third-party cookies
Disable third-party browser extensions
Enable the "show encoded addresses" setting
Disable playing of sounds in web pages
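The first three settings on this slide can be applied and verified for the current user from PowerShell. This is an added example, not from the slide deck; it assumes the per-user (HKCU) Internet Settings registry keys that Internet Explorer reads, and the trusted-site names are constructed samples.

```powershell
# Added example (not from the slide deck): apply and verify three of the IE
# hardening settings above through the HKCU keys Internet Explorer reads.
# Assumptions: per-user scope; the trusted-site list is a constructed sample.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones = "$inet\Zones"
$trustedSites = @('intranet.example.com', 'portal.example.com')   # constructed

# 1. Internet zone (zone 3) security level: CurrentLevel 0x12000 = High
Set-ItemProperty -Path "$zones\3" -Name 'CurrentLevel' -Value 0x12000 -Type DWord

# 2. Add specific sites to the Trusted Sites zone (zone 2), HTTPS only
foreach ($site in $trustedSites) {
    $key = "$inet\ZoneMap\Domains\$site"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# 3. Disable third-party browser extensions (Advanced tab setting)
Set-ItemProperty -Path "$inet\Main" -Name 'Enable Browser Extensions' -Value 'no' -Type String

# Verification: report what is actually configured, not what we intended
function Get-IEHardeningState {
    $level = (Get-ItemProperty -Path "$zones\3" -Name 'CurrentLevel').CurrentLevel
    $trusted = Get-ChildItem "$inet\ZoneMap\Domains" -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).https -eq 2 } |
        Select-Object -ExpandProperty PSChildName
    [pscustomobject]@{
        InternetZoneIsHigh      = ($level -eq 0x12000)
        TrustedSites            = $trusted
        ThirdPartyExtensionsOff = ((Get-ItemProperty "$inet\Main").'Enable Browser Extensions' -eq 'no')
    }
}
Get-IEHardeningState
```

Settings pushed by Group Policy live under the policy hives and take precedence over these per-user values, so on a domain-joined machine check the resulting configuration in the Internet Options dialog rather than trusting the HKCU values alone.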
Internet Options Dialog Box in Internet Explorer 11
Email Client
Limit malicious code that may be attached to email messages
Install anti-malware software on each computer
Will scan all incoming and outgoing messages for malware
Safeguard message privacy by requiring use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) when connecting to your mail server to ensure message exchanges are encrypted
Email client–This program allows clients to send and receive email. Depending on the type of mail server connection and protocol used, the email client may store email locally on the client. Microsoft Outlook is an example of an email client.
Productivity Software
Install anti-malware software that integrates with productivity software
Use EFS or BitLocker to encrypt folder or drive that contains productivity software documents and databases
Never open a file unless the source is trusted
Ensure productivity software has the latest security patches installed
Productivity software–Software that supports many office functions. Most workstations allow users to perform some administrative of creative functions and productivity software supports these efforts. Productivity software includes these functions:
Word processing-Microsoft Word
Spreadsheet-Microsoft Excel
Lightweight database-Microsoft Access
Presentation-Microsoft PowerPoint
Project scheduling/management-Microsoft Project
Publishing-Microsoft Publisher
File Transfer Software
File Transfer Protocol (FTP) is insecure
Use:
FTP over a Secure Shell (SSH)
Secure FTP (SFTP)
Virtual private network (VPN)
AppLocker
A feature in Windows that allows you to restrict program execution using Group Policy
Provides ability to whitelist applications
Define path rules, hash rules, and publisher rules using Group Policy to restrict which applications computers can run
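The publisher, hash and path rules described on this slide can be generated from a reference build and trialled in audit mode before enforcement. The script below is an added example, not from the slide deck; it assumes an elevated session on a clean reference machine, and the output path and test directory are constructed samples.

```powershell
# Added example (not from the slide deck): build an AppLocker executable policy
# from a reference machine, start it in AuditOnly, and dry-run it before enforcing.
# Assumptions: elevated session on a clean reference build; paths are samples.
$policyPath = 'C:\Temp\AppLocker-Exe.xml'   # constructed output path

# 1. Collect publisher/hash information for the executables you intend to allow
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Generate allow rules: publisher rules for signed files, hash rules for the rest
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User 'Everyone' -RuleNamePrefix 'Allow-Std' -Optimize -Xml

# 3. Set AuditOnly so the policy logs what it would block without breaking users
[xml]$policy = $xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($policyPath)

# 4. Dry-run: which executables in a user-writable location would be denied?
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates.FullName -User 'Everyone' |
        Where-Object { $_.PolicyDecision -ne 'Allowed' } |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply locally (merging with existing rules); AppLocker needs the AppID service
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. Review audit events: 8003 = would have been blocked (audit), 8004 = blocked (enforce)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

For domain-wide deployment the same XML is imported into a GPO with Set-AppLockerPolicy -Ldap, and EnforcementMode is switched to Enabled only after the 8003 audit events have been reviewed for legitimate software the rules missed.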
Securing Client Applications
Update software to the latest patch
Remove or disable unneeded features
Use principle of least privilege
Use encrypted communication
Common Server Applications
Web server: Internet Information Services (IIS)
Email server: Exchange
Database server: Structured Query Language (SQL) Server
Common Server Applications (Cont.)
Enterprise Resource Planning (ERP) software: enterprise project management
Line of Business (LoB) software: workflow control; service technician tracking and scheduling
Securing these applications: unique user accounts, strong authentication, restricted access, encrypted connections
Securing Server Applications
Use server roles in Windows Server
Update software to the latest patch
Remove or disable unneeded services
Filter network traffic
Encrypt communication
Add Roles Wizard, Windows Server
Add Roles Wizard for adding Web Server (IIS) role to Windows Server
Select Role Services, Windows Server
Select Role Services for adding Web Server (IIS) role to Windows Server
Cloud-Based Software
Microsoft cloud-based products: Microsoft Office 365, Microsoft Azure, and Microsoft OneDrive
Many issues related to securing applications are the same on-premises and in the cloud
To secure cloud applications:
Review options and settings, and configure software to run the way you need it to run
Harden software
Do not assume cloud-based software is secure by default
Best Practices for Securing Microsoft Windows Applications
Harden the operating system.
Install only necessary services.
Use server roles when possible.
Use SCT to adhere to Microsoft baseline guidelines.
Remove or disable unneeded services.
Remove or disable unused user accounts.
Remove extra application components.
Open only the minimum required ports at the firewall.
Define unique user accounts.
Use strong authentication.
Best Practices for Securing Microsoft Windows Applications (Cont.)
Use encrypted connections for all communication.
Encrypt files, folders, or volumes that contain private data.
Develop and maintain a BCP and DRP.
Disable any unneeded server features.
Ensure every computer has up-to-date anti-malware software and data.
Never open any content or files from untrusted sources.
Validate all input received at the server.
Audit failed logon and access attempts.
Conduct penetration tests to discover vulnerabilities.
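The server-role, unneeded-service, firewall and audit items from the "Securing Server Applications" slide and the two best-practice slides can be carried out and checked in one PowerShell session. This is an added example, not from the slide deck; it assumes an elevated session on Windows Server with the ServerManager and NetSecurity modules, and the feature list and rule names are constructed samples for a web server.

```powershell
# Added example (not from the slide deck): harden a Windows Server web role along
# the lines of the server-security and best-practice slides.
# Assumptions: elevated session on Windows Server; feature list is a sample.
Import-Module ServerManager

# 1. Use server roles: install only the Web Server role plus its management tools
Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null

# 2. Remove or disable unneeded services/features (sample list often left enabled)
$unneeded = @('Web-Ftp-Server', 'Web-ASP', 'Web-CGI', 'Web-Dir-Browsing', 'Telnet-Client') |
    Where-Object { (Get-WindowsFeature -Name $_).Installed }
if ($unneeded) { Uninstall-WindowsFeature -Name $unneeded | Out-Null }

# 3. Filter network traffic: block inbound by default, open only the required port
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Allow HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
Get-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)' `
    -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 4. Audit failed logon and access attempts with the built-in auditpol tool
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# 5. Verification report: evidence of the resulting state, not of the intent
function Get-WebServerHardeningState {
    $logonAudit = (auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv).'Inclusion Setting'
    [pscustomobject]@{
        WebRoleInstalled   = (Get-WindowsFeature -Name Web-Server).Installed
        DirBrowsingRemoved = -not (Get-WindowsFeature -Name Web-Dir-Browsing).Installed
        InboundDefaultDeny = ((Get-NetFirewallProfile).DefaultInboundAction -notcontains 'Allow')
        Https443Allowed    = [bool](Get-NetFirewallRule -DisplayName 'Allow HTTPS inbound' -ErrorAction SilentlyContinue)
        FailedLogonAudited = ($logonAudit -match 'Failure')
    }
}
Get-WebServerHardeningState
```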
Summary
Principles of Microsoft application security
Procedures for securing Microsoft client applications
Procedures for securing Microsoft server applications