patterns & practices Security Deployment Review Index

 

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page provides an index of the resources that will help you to perform deployment reviews for security. You can use deployment reviews to discover security vulnerabilities in application configuration or the deployment environment. The resources use configuration categories to help make deployment reviews for security systematic and repeatable. You can use these categories to break down your application deployment for further analysis and to help identify vulnerabilities. By using categories, you can systematically go through the deployment review process from start to finish or pick a particular category for further analysis.

Contents

Security Deployment Review Approach
How Tos
Checklists

Security Deployment Review Approach

When you review your security deployment, you can organize the precautions you must take and the settings you must configure into categories. By using these configuration categories, you can systematically review the securing process or pick a particular category and complete specific steps. The categories are shown in Figure 1.

Figure 1. Server configuration categories

Table 1 explains the various categories.

Table 1. Server Configuration Categories

Category	Practices
Patches and Updates	Patching and updating your server software is a critical first step.
Accounts	Accounts allow authenticated users to access a computer. These accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Help to prevent brute force and dictionary attacks by using strong password policies, and then use auditing and alerts to detect logon failures.
Auditing and Logging	Auditing is one of your most important tools for identifying intruders, attacks in progress, and evidence of attacks that have occurred. Configure auditing for your server. Event and system logs also help you to troubleshoot security problems.
Files and Directories	Secure all files and directories with restricted permissions that only allow access to necessary services and accounts. Use auditing to allow you to detect when suspicious or unauthorized activity occurs.
Ports	Services that run on the server listen to specific ports so that they can respond to incoming requests. Audit the ports on your server regularly to ensure that a service that is not secured or that is unnecessary is not active on your server.
Protocols	Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication.
Registry	Many security-related settings are stored in the registry. As a result, you must secure the registry. You can do this by applying restricted Windows access control lists (ACLs) and by blocking remote registry administration.
Services	If the service is necessary, secure and maintain the service. Consider monitoring any service to ensure availability. If your service software is not secure, but you need the service, try to find a secure alternative.
Shares	Remove all unnecessary file shares. Secure any remaining shares with restricted permissions.

How Tos

Use the following How To modules to help you perform security deployment reviews:

• How To: Perform a Security Deployment Review for ASP.NET 2.0
• Security Deployment Review for ASP.NET 1.1
• Security Deployment Review for IIS 5.0
• Security Deployment Review for Web Services (.NET Framework 1.1)
• Security Deployment Review for the Network
• Security Deployment Review for SQL Server 2000

Checklists

Use the following checklists to help ensure that your review is complete.

• Security Checklist: Network Security
• Security Checklist: IIS 5.1
• Security Checklist: SQL Server 2000

Feedback

Provide feedback by using either a Wiki or e-mail:

• Wiki. Security guidance feedback page at
  http://channel9.msdn.com/wiki/securityguidancefeedback/
• E-mail. Send e-mail to secguide@microsoft.com.

We are particularly interested in feedback regarding the following:

• Technical issues specific to recommendations
• Usefulness and usability issues

Contributors and Reviewers

• External Contributors and Reviewers: Jason Taylor, Security Innovation
• Microsoft Contributors and Reviewers: Shawn Veney (ACE); Don Willits
• Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
• Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
• Release Management: Sanjeev Garg, Microsoft Corporation