TNQ200-06. How To Implement Secure, Web-Based Business Solutions Based On Windows ® 2000 Server And...
-
Upload
penelope-wiggins -
Category
Documents
-
view
214 -
download
0
Transcript of TNQ200-06. How To Implement Secure, Web-Based Business Solutions Based On Windows ® 2000 Server And...
TNQ200-06TNQ200-06
How To Implement Secure, How To Implement Secure, Web-Based Business Solutions Web-Based Business Solutions Based On WindowsBased On Windows®® 2000 Server 2000 Server And Internet Information Server 5.0And Internet Information Server 5.0
NameNameTitleTitleMicrosoft CorporationMicrosoft Corporation
Session PrerequisitesSession Prerequisites
This session assumes that you This session assumes that you understand:understand: Basic knowledge of Internet Basic knowledge of Internet
Information ServerInformation Server Fundamentals of PKIFundamentals of PKI Fundamentals of Active DirectoryFundamentals of Active Directory
This is a level 300 sessionThis is a level 300 session
What You Will Learn TodayWhat You Will Learn Today
How to analyze a Web application How to analyze a Web application for security risksfor security risks
Correctly apply technology to Correctly apply technology to counter or mitigate these riskscounter or mitigate these risks
Secure Internet Information Server Secure Internet Information Server for the Internetfor the Internet
AgendaAgenda
What’s the problem?What’s the problem? Some ingredientsSome ingredients Baking a solutionBaking a solution
IP securityIP security CertificatesCertificates Smart cardsSmart cards KerberosKerberos Digest authenticationDigest authentication
What’s The Problem?What’s The Problem?
Building secure Web apps is Building secure Web apps is very difficultvery difficult Complex technologiesComplex technologies Difficult to implementDifficult to implement Difficult to hide complexity from usersDifficult to hide complexity from users Often “pasted” on after the factOften “pasted” on after the fact Lack of skills in the marketLack of skills in the market
What’s The Problem?What’s The Problem?
Building secure Web apps means:Building secure Web apps means: Analyzing your threatsAnalyzing your threats Designing a system to cope with the Designing a system to cope with the
threatsthreats Choosing the technologiesChoosing the technologies Finally, building the systemFinally, building the system
Weigh the risksWeigh the risks Especially the non-tangible like Especially the non-tangible like
“good faith” and your “name”“good faith” and your “name”
MasqueradingMasquerading Strong authenticationStrong authentication
CertificatesCertificatesSmartcardsSmartcards
SSL/TLSSSL/TLS(schannel)(schannel)
FirewallsFirewalls
Threats, Defenses, ToolsThreats, Defenses, Tools
EavesdroppingEavesdropping EncryptionEncryption
Data modificationData modification Message digestsMessage digests
Replay attacksReplay attacks Time stamps, sequence numbersTime stamps, sequence numbers
Denial of serviceDenial of service FilteringFiltering
RouterRouter RouterRouter
Internet
FIREWALLFIREWALL
Eth
ern
et
CorpNetwork
Intranet ServerIntranet Server
Internet ServerInternet Server
Eth
ern
et
How toauthenticate
Users?
How tosecure W eb
Access?
How toSecure theNetwork?
Eth
ernet
Typical Internet Information Typical Internet Information Server SettingServer Setting
Security And AuditingSecurity And Auditing Internet Information Server log Internet Information Server log
file formatsfile formats Internet Information Server log file formatInternet Information Server log file format NCSA common log file formatNCSA common log file format ODBC loggingODBC logging W3C extended log file formatW3C extended log file format
All logs configured per Web siteAll logs configured per Web site Windows NT event loggingWindows NT event logging Recommended log - W3C Recommended log - W3C
Tip: W3C logging is the defaultTip: W3C logging is the default
Security And AuditingSecurity And Auditing
Performance of loggingPerformance of logging Logging does not affect performanceLogging does not affect performance
Two benefits of logging and auditingTwo benefits of logging and auditing Intruder DetectionIntruder Detection Problem ResolutionProblem Resolution
Tip: When setting NT log file size, make it as big as Tip: When setting NT log file size, make it as big as possible.possible.
AuthenticationAuthentication
Anonymous accessAnonymous access Authenticated accessAuthenticated access
Basic authenticationBasic authentication Digest authenticationDigest authentication
Needs to run on a Domain ControllerNeeds to run on a Domain Controller Enable Encrypted Passwords CheckedEnable Encrypted Passwords Checked
Integrated Windows authenticationIntegrated Windows authentication
Tip: Digest authentication requires IE 5.0Tip: Digest authentication requires IE 5.0
AuthenticationAuthentication
TheThe packets arepackets arethe differencethe difference
IP HeaderIP Header
IP PayloadIP Payload
Clear TextClear Text
IP HeaderIP Header
IP PayloadIP Payload
Encrypted TextEncrypted Text
IP HeaderIP Header
IP PayloadIP Payload
RPCRPC
Encrypted TextEncrypted Text
TCP/IP PacketTCP/IP PacketClear TextClear Text
TCP/IP PacketTCP/IP PacketDigestDigest
TCP/IP PacketTCP/IP PacketNT RPCNT RPC
Needs to run on a DC and Needs to run on a DC and encrypted passwordsencrypted passwords
Recommended Log type?Recommended Log type? W3CW3C
Quiz: AuthenticationQuiz: Authentication
Name two requirements of Name two requirements of digest authentication?digest authentication?
Demo Demo Security and AuthenticationSecurity and Authentication
Demo of digest authenticationDemo of digest authentication Demo of setting logs in Demo of setting logs in
Internet Information ServerInternet Information Server
TCP/IP SecurityTCP/IP Security
Identify the protocols usedIdentify the protocols used Verify the ports required by protocolVerify the ports required by protocol Tools to help diagnose IP and Tools to help diagnose IP and
UDP portsUDP ports Port mapperPort mapper PingPing Internet services managerInternet services manager
Tip: TechNet CD contains a list of ports used by NTTip: TechNet CD contains a list of ports used by NT
TCP/IP SecurityTCP/IP Security
Well-known TCP/IP ports usedWell-known TCP/IP ports used FTP - TCP port 21FTP - TCP port 21 SMTP - IP port 25SMTP - IP port 25 HTTP - TCP port 80HTTP - TCP port 80 SSL - TCP port 443SSL - TCP port 443 LDAP - IP Port 389 or 636 (SSL)LDAP - IP Port 389 or 636 (SSL)
TCP/IP SecurityTCP/IP Security
TCP/IP security can applied via:TCP/IP security can applied via: IP address and domain name IP address and domain name
restrictions (dialog in Internet restrictions (dialog in Internet Information Server console)Information Server console)
TCP/IP filtering (advanced TCP/IP filtering (advanced TCP/IP settings)TCP/IP settings)
IP security policy snap inIP security policy snap in Security configuration tool setSecurity configuration tool set
Tip: Network hardware will need to support IPSECTip: Network hardware will need to support IPSEC
Port mapper, and Port mapper, and Internet Information Server snap inInternet Information Server snap in
Name two places where IP can Name two places where IP can be filteredbe filtered Network card and Network card and
Internet Information Server snap inInternet Information Server snap in
Quiz: TCP/IP SecurityQuiz: TCP/IP Security
Name two tools used to identify Name two tools used to identify open portsopen ports
ClientClientServerServer
Demo: Locking IP PortsDemo: Locking IP Ports
Demo TCP/IP portsDemo TCP/IP ports Discovering ports that are openDiscovering ports that are open Locking down TCP/IP ports using Locking down TCP/IP ports using
Internet Information Server consoleInternet Information Server console Locking down TCP/IP ports using Locking down TCP/IP ports using
TCP/IP filteringTCP/IP filtering
CertificatesCertificates
Four types of certificate authoritiesFour types of certificate authorities Enterprise certificate authorityEnterprise certificate authority Subordinate enterprise authoritySubordinate enterprise authority Stand-alone certificate authorityStand-alone certificate authority Subordinate certificate authoritySubordinate certificate authority
Certificate templates are found in Certificate templates are found in the CA snap Inthe CA snap In
Tip: Test certificates in a small group before Tip: Test certificates in a small group before deploying company widedeploying company wide
CertificatesCertificates Certificate mappingCertificate mapping
Performed via Internet Information Performed via Internet Information Server snap inServer snap in
Windows NT certificate Trust ListWindows NT certificate Trust List
Only one Certificate can be applied Only one Certificate can be applied to a siteto a site
Certificate UsageCertificate Usage AuthenticationAuthentication SchannelSchannel PermissionPermission
IPSECIPSEC AuthenticationAuthentication EFSEFS Basic EFSBasic EFS Domain ControllerDomain Controller Web ServerWeb Server ComputerComputer UserUser Subordinate CASubordinate CA
AdministrationAdministration User Signature OnlyUser Signature Only Smart CardSmart Card Smart Card LogonSmart Card Logon Code SigningCode Signing Trust List SigningTrust List Signing Enrollment AgentEnrollment Agent RouterRouter
CertificatesCertificates
Windows 2000 comes with Windows 2000 comes with templates for:templates for:
CertificatesCertificates
RecommendationsRecommendations Use a key length of 1024 or 2048Use a key length of 1024 or 2048 Remember the CN used to identify Remember the CN used to identify
the CA objectthe CA object Store CRL's in shared folder Store CRL's in shared folder
and directoryand directory Experiment before deployment!Experiment before deployment! Use CSP defaultsUse CSP defaults Use hash algorithm defaultsUse hash algorithm defaults
Enterprise and Stand-aloneEnterprise and Stand-alone
Name three uses of CertificatesName three uses of Certificates Authentication, Permissions, SchannelAuthentication, Permissions, Schannel
Quiz: CertificatesQuiz: Certificates
Name two types of CAsName two types of CAs
ClientClientServerServer
11
22
Demo: CertificatesDemo: Certificates
Certificate demoCertificate demo Demonstrate the Web enrollment wizard Demonstrate the Web enrollment wizard Apply security to a siteApply security to a site From client verifyFrom client verify
Securing The ChannelSecuring The Channel
Secured channel methodsSecured channel methods SSL - rides on top of the IP layerSSL - rides on top of the IP layer IPSEC - VPNIPSEC - VPN PPTP - VPNPPTP - VPN L2TP - VPNL2TP - VPN
Server (Request Only)Server (Request Only)
Server Request’s security Server Request’s security then negotiatesthen negotiates
ClientClientServerServer
Client (Respond Only)Client (Respond Only)
Client Request’s security Client Request’s security then negotiatesthen negotiates
ClientClientServerServer
Secure Server (Require Security)Secure Server (Require Security)
ClientClientServerServer
Require Security using Require Security using Kerberos Kerberos
Securing The ChannelSecuring The Channel
Securing The ChannelSecuring The Channel
IPSEC can be establishedIPSEC can be established Shared keyShared key KerberosKerberos CertificateCertificate
SSL SSL
IPSEC and PPTPIPSEC and PPTP
Name the schannel HTTP, SSL, TCP/IPName the schannel HTTP, SSL, TCP/IP SSLSSL
Quiz: SCHANNELQuiz: SCHANNEL
Name two VPN protocolsName two VPN protocols
ClientClientServerServer
11
22
Demo: Secure ChannelDemo: Secure Channel
Demo using SSLDemo using SSL
Scenario: SchannelScenario: Schannel
SSLSSL Secured communication with Secured communication with
diverse browsersdiverse browsers Dynamic connection environmentDynamic connection environment
PPTP, L2TPPPTP, L2TP VPN for corporate accessVPN for corporate access
IPSECIPSEC High level security requiredHigh level security required Communication is not using Internet Communication is not using Internet
protocolsprotocols
Scenario: AuthenticationScenario: Authentication
AnonymousAnonymous Public Web pagesPublic Web pages
DigestDigest Strong security in a lightweight fashionStrong security in a lightweight fashion
CertificatesCertificates Code signingCode signing E-commerceE-commerce
Tip: Business requirements will dictate the best Tip: Business requirements will dictate the best authentication technology for your companyauthentication technology for your company
Y2K Compliance Rating (all languages): Y2K Compliance Rating (all languages): will ship compliantwill ship compliant
Beta Product: testing ongoingBeta Product: testing ongoing Known Y2K Issues: noneKnown Y2K Issues: none
Y2K Readiness for Y2K Readiness for Windows 2000Windows 2000
Year 2000 Readiness Disclosure
Session ReviewSession Review
Name three threats, defenses and toolsName three threats, defenses and tools Name two ways to apply IP filteringName two ways to apply IP filtering Name two ways to create a schannelName two ways to create a schannel What are requirements for What are requirements for
digest authentication? digest authentication? Does logging adversely Does logging adversely
affect performance?affect performance?
For More InformationFor More Information
Refer to the TechNet Web site at Refer to the TechNet Web site at www.Microsoft.Com/TechNet/www.Microsoft.Com/TechNet/
Windows NT security (whitepapers, etc.)Windows NT security (whitepapers, etc.)http://www.Microsoft.com/windows/server/http://www.Microsoft.com/windows/server/Technical/security/default.aspTechnical/security/default.aspHttp://www.Microsoft.Com/windows/server/Http://www.Microsoft.Com/windows/server/technical/security/pki.Asptechnical/security/pki.AspHttp://www.Microsoft.Com/windows/server/Http://www.Microsoft.Com/windows/server/technical/security/pkiintro.Asptechnical/security/pkiintro.AspMicrosoft® Official CurriculumMicrosoft® Official Curriculum1443A-Windows2000Specialty-IIS5Upgrade1443A-Windows2000Specialty-IIS5Upgrade
DiscussionDiscussion
Session CreditsSession Credits
Author: Hank Voight Author: Hank Voight Program Manager: Andrew CushmanProgram Manager: Andrew Cushman Producer/editor: Jim StuartProducer/editor: Jim Stuart Thanks to our Microsoft technical field Thanks to our Microsoft technical field
personnel who reviewed this session:personnel who reviewed this session: Debra KennedyDebra Kennedy