Best Practices for Securability
The following best practices, which are presented in no particular order, are recommended for creating securable applications.
Develop applications using the .NET Framework
The .NET Framework provides the best platform for building, deploying, maintaining, and running applications while addressing the critical concerns of security and privacy. When attempting to access a protected resource, the permissions of all code in the call chain are checked to ensure they are authorized access. Essentially, the behavior of code is constrained by the least trustworthy component in the call chain. For more information, see Securing Applications and Assembly Security Considerations.
Exercise constant vigilance
It is often said that the price of security is constant vigilance. Part of being vigilant is performing timely audits of the security log to identify patterns of abuse and potential security breaches. Constant vigilance is the only line of defense against unforeseen or unmitigated risks. For more information, see Staying Secure.
Establish and follow security policies
To ensure secure operation of your application, security policies should be established, such as:
- Password length and expiration period
- Logon policies and auditing
- Intruder prevention processes
- Ownership/responsibility for user accounts
- Methods for key encryption
Design your application security policies to achieve realistic goals at a reasonable cost. Although applications will differ from each other, they will share some fundamental goals relating to strength of security, its cost, and the means of achieving a secure application.
By using Internet Information Services (IIS) 5.0 and Microsoft SQL Server, you leverage the security model of Microsoft Windows 2000 Server. By using Microsoft Component Services, you automatically gain the data protection and operational integrity provided by a distributed transaction coordinator.
Select technologies that use encryption to protect user privacy and data integrity across the network. Set a protocol standard for your site that is supported across the Internet community, such as:
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Internet Protocol Security (IPSec)
If you must create your own cryptography and protocols, get all such code inspected by a cryptography expert.
Use access control mechanisms
These mechanisms limit access to resources based on users' identities and their membership in various predefined groups. Access control is used typically to control user access to network resources such as servers, directories, and files. For more information, see Access Control.
Use the least-access approach
Likewise, a least-access approach to security means that you should lock down, turn off, or remove online assets that do not require online access. Furthermore, you should limit resource access to those who truly require it.
This approach tends to greatly reduce such calamities as loss of data and denial of service that are due to the unwitting actions of users who wandered into areas in which they did not belong. It also minimizes the number of potential easy entry points for unauthorized users. For example, you might want to open only Transmission Control Protocol (TCP) ports 80 (HTTP) and 443 (HTTPS) for access to your Web services and turn off the others. Other examples include disabling guest user accounts as well as restricting anonymous users to read-only access in well-defined areas of the site.
Most of your effort should be spent securing assets that are potentially under threat and to which Information Technology staff or users need access. This requires that you prioritize threats by assigning the highest security needs to those assets whose loss could most damage the organization.
Enable strong authentication
Use authentication schemes that are integrated with your network operating systems and that use Internet standard protocols. Examples:
- Network authentication protocols — such as the Kerberos v5 authentication protocol, a feature of Microsoft Windows 2000 Server security — distribute tickets that limit the exposure of passwords and that authenticate users for network-wide access to resources. The Kerberos v5 protocol is a widely used Internet standard for network-wide authentication.
- Public-key client certificate authentication allows users to communicate across the Internet with your site without exposing passwords or data that would be vulnerable to easy interception. While certificates alone do not provide encryption, they are instrumental in establishing a secure channel of communication.
You might also need to support special functions, such as smart-card authentication or server certificates with public keys that allow users to authenticate your servers as trusted sources.
Strong authentication can be used to mitigate DoS attacks by ignoring anonymous packets. However, since authentication utilizes system resources, excessive, unsuccessful authentication requests can also result in an effective DoS attack.
Microsoft Internet Security and Acceleration (ISA) Server features an integrated intrusion detection mechanism. This identifies when an attack is attempted against your network. For more information, see Internet Security and Acceleration Server (http://www.microsoft.com/ISAServer/).
Encourage the use of strong passwords
If you develop your own password mechanism, discourage users from using weak passwords. Strong passwords contain seven or more characters, are case sensitive, include numbers and punctuation marks, and are not found in a dictionary. Provide support for long passwords.
Use system-integrated authorization
To control access to resources, use system-integrated authorization (access control) standards. Do not rely on application-level access to resources. Instead, use network-wide authorization services such as discretionary access control lists (DACLs) in Windows 2000 Server.
Network-wide authorization makes it easy for authenticated employees and customers to use the resources they need and for you to efficiently control access to valuable resources.
Avoid buffer overflows
Buffer overruns present an enormous threat to security. Applications that listen on a socket or I/O port are targets for attack. When writing data to buffers, it is imperative that developers not write more to the buffer than it can possibly hold. If the amount of data being written exceeds the buffer space that has been allocated, a buffer overflow occurs. When a buffer overflow occurs, data is written into parts of memory that may be allocated for other purposes. A worst-case scenario is when the buffer overflow contains malicious code that is then executed. Buffer overflows account for a large percentage of security vulnerabilities.
Require minimal privileges
Applications that are designed to run in the user space should not require administrator privileges to execute. An exploited buffer overflow in an application running with administrator privileges can allow an attacker to wreak havoc on the entire system.
Layer your application
Dividing an application into discrete layers improves the securability of your application. At the core of your application should be the part you wish to secure the most, typically the application's data store. Communication from one layer to the next should only occur through specific channels. Each layer adds an additional barrier to entry by an attacker.
Validate user input
Always hold user input suspect until it has been validated. Any input provided by a user has the potential to harm a system. Always inspect and verify that such input is correct and correctly formed before acting upon it. When validating data, remember that it is sometimes easier to identify bad information than it is to verify good information, such as searching for illegal characters.
Develop contingency plans (Design for failure)
When defending against attack it is wise to have a contingency plan to fall back on when that defense fails. The steps that should be taken in the event an intruder is able to break down your application's defense should be clearly outlined for operations personnel. Such plans should seek to minimize damage and determine the extent your application has been compromised.
Conduct scheduled backups
Attacks that cause denial of service to users — such as crashing a server system — are difficult to prevent or even to predict. Develop security policies that mandate clustering and solid backup practices to provide the most availability to your users at the lowest possible cost. A routine backup is one of the most important mechanisms of a disaster recovery plan.
Monitor not-found errors
The Web Service performance object includes a counter that displays not-found errors. Not-found errors are client requests that could not be satisfied because they included a reference to a Web page or a file that did not exist. (These errors are sometimes described by their HTTP status code number, which is 404.)
Read Designing Secure Web-Based Applications for Microsoft Windows 2000
Howard, Michael, et al. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000.
This book provides an authoritative, end-to-end view of the major Windows 2000 security services. It gives you a solid foundation in Microsoft Windows 2000, Internet Explorer, Internet Information Services, SQL Server™, and COM+ security concepts. It explains the key software design considerations for various categories and levels of security and shows how isolated security "islands" interact. This book also explains core security issues such as risk analysis, threats, authentication, authorization, and privacy, and it shows how you can mitigate risks by applying the appropriate security to your environment and applications.
Use a perimeter network to protect your internal network
A perimeter network (also known as DMZ, demilitarized zone, and screened subnet) consists of front-end servers, back-end servers, and firewalls. The firewalls protect the front-end servers from the public network and filter traffic between the corporate network and back-end servers. A perimeter network provides a multi-layer protection system between the Internet and the internal network of an organization.
To provide protection, the perimeter network comprises:
- A firewall that protects the front-end servers from Internet traffic.
- A set of "security hardened" servers that support the services provided by the application. These servers are set up so that dangerous Internet services, such as file sharing and telnet, are disabled.
- A firewall that separates the back-end servers from the corporate networks and that enables communication between the back-end servers and a few servers within the corporate network.
A perimeter network is an important element for securing a site. You need to take additional security measures to protect data stored by the back-end servers. You can also store extremely sensitive data or data that is needed elsewhere in your enterprise outside the perimeter network, although doing so has negative performance implications and runs the risk, however small, of opening your corporate network to hacking.
Review the Ten Immutable Laws of Security
Over the years, Microsoft has developed a list of issues based on real security problems, that it calls the Ten Immutable Laws of Security. For more information, see (http://www.microsoft.com/technet/security/10imlaws.asp).
Follow the Secure Internet Information Services 5 Checklist
This document lists some recommendations and best practices to secure a server on the Web running Microsoft Windows 2000 and Internet Information Services (IIS) 5. The settings err on the side of security over functionality, and hence it is important that you carefully review the suggestions and use them to derive your own corporate settings.
For more information, see (http://www.microsoft.com/technet/security/iis5chk.asp).
Review the Best Practices for Enterprise Security found on the Microsoft TechNet site
Subscribe to the Microsoft Security Notification Service
You can stay abreast of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Services (http://www.microsoft.com/technet/security/notify.asp). By subscribing, you will receive automatic notification of security issues by e-mail.