SP24_Eli-Robillard-Secure-SharePoint-Development


#SP24S045
Secure SharePoint Development
Eli Robillard
SharePoint Server MVP
Canada, EDT (GMT -5:00)
April 16th /17th, 2014
Join the conversation! #SP24S045 @erobillard
Eli is a ten-time Microsoft MVP (2x ASP.NET, 8x SharePoint Server)
and Senior Manager of MNP’s SharePoint Consulting Practice.
E-mail
[email protected]
Twitter
@erobillard
Blog
weblogs.asp.net/erobillard
As a thought leader and community builder, Eli co-founded the ASPInsiders, launched the Toronto SharePoint User Group in 2005, launched the first free Saturday event in 2007, co-authored Professional SharePoint 2007 Development and served as technical editor of Professional SharePoint 2010 Development (Wrox Press).
For over 65 years, MNP LLP has forged strong relationships with
businesses across Canada through its consulting, advisory, and
accounting practices.
Forrester Research – “…those practicing SDL specifically
reported visibly better ROI results than the overall population.”
Aberdeen Group – “…realized a very strong 4.0-times return on
their annual investments” “…higher than that of both the find
and fix and defend and defer approaches.”
Ponemon Institute – “…a decrease in revenue that results from
both the loss of customer trust and loyalty and the inability to
deliver services and products.”
Roadmap to Secure Energy Delivery Systems – “…Vendors should
employ best product development practices, such as the security
development lifecycle (SDL) created by Microsoft in 2002.”
http://nvd.nist.gov/
[Chart: vulnerabilities disclosed per quarter, 4Q11 to 1Q13, for MySQL 5, Oracle 11, SQL Server 2005, SQL Server 2008 and SQL Server 2012 (source: NVD)]
Simplified Implementation of SDL Guidance: clear, concise, actionable
• 17 pages of process guidance and Application Security Controls
ISO/IEC 27034-1
• 45 pages of process and framework guidance
• 16 page case study in Annex A aligning Simplified SDL and ISO/IEC 27034
The 17 Simplified SDL practices, by phase:
Training
1. Core Security Training
Requirements
2. Establish Security and Privacy Requirements
3. Create Quality Gates/Bug Bars
4. Perform Security and Privacy Risk Assessments
Design
5. Establish Design Requirements
6. Perform Attack Surface Analysis/Reduction
7. Use Threat Modeling
Implementation
8. Use Approved Tools
9. Deprecate Unsafe Functions
10. Perform Static Analysis
Verification
11. Perform Dynamic Analysis
12. Perform Fuzz Testing
13. Conduct Attack Surface Review
Release
14. Create an Incident Response Plan
15. Conduct Final Security Review
16. Certify Release and Archive
Response
17. Execute Incident Response Plan
Organization Normative Framework (ONF) components, each with its SharePoint instance:
Business Context
• Application Security Policies
• Standards
• Best Practices
• Applied to a SharePoint application: context of the application in the business
Regulatory Context
• Professional Standards
• Laws
• Regulations
• Applied to a SharePoint application: applicable standards, laws, and regulations
Technical Context
• Platforms, Technologies
• Methodologies
• Applied to a SharePoint application: SharePoint, ASP.NET and IIS, Windows Server, integration points, network services
Specifications
• Functional Requirements
• Service Catalogue
• Applied to a SharePoint application: context of the application in the Service Catalogue, security requirements, security roles
Roles
• Responsibilities
• Qualifications
• Applied to a SharePoint application: governance model
Processes
• Processes related to application security
• Applied to a SharePoint application: ONF processes relevant to the application, peer review, automated testing, penetration testing
Application Security Controls
• Catalogue of Threats and Countermeasures
• Applied to a SharePoint application: Training, Requirements, Design, Implementation, Verification, Release, Checklists and Review Documents
Where should you start?
• Reactive and Ad Hoc
• Apply some Simplified SDL practices
• Systematic application of SDL process
• Continuously Improving
• Standardize with policy and tools
• Validate with 27034-1
Simplified Guidance (ONF components): Business Context, Regulatory Context, Technical Context, Specifications, Roles, Processes, ASC Library
Context-Specific Guidance
Business Context
• SDL Chronicles
• Secure Software Trends in Healthcare
Regulatory Context
• SDL and PCI DSS/PA-DSS
• SDL and HIPAA
• BITS Framework
A conforming 27034 process = Organization Normative Framework (ONF), at the organization level
Application Security Lifecycle Reference Model
Simplified SDL Guidance
• Process Guidance
• Roles
• Technical Context
• 17 Practices (ASCs)
• Lifecycle Aligned to 27034
Application Security Management Process
Application Normative Framework (ANF), at the application level
Application Security Management Process + Implementation
Informed by context
• Regulatory/Business/Tech
Instantiated through
• Approved policies
• Internal communications
Results in
• Centralized ASC store
• Compliance workflow + tools
• Compliance Tracking Process
Requirements
• Practices that map to ASMP
Threats and countermeasures
Threat: Cross-site scripting (XSS), SQL injection
Countermeasure: Secure app configuration, IFRAME awareness, input validation for custom web endpoints
Threat: Cookie replay attacks, network eavesdropping
Countermeasure: Authentication: configure secure channels, require SSL, disable deprecated SSL versions, encrypt cookies
Threat: Elevation of privilege, data tampering, luring attacks
Countermeasure: Authorization: check permissions at the gate, check the request against valid execution contexts, educate users
Threat: Over-privileged accounts, access to admin interfaces
Countermeasure: Configuration management, least-privilege accounts for services and operations
Threat: Access to data at rest, data tampering
Countermeasure: Protect sensitive data, SQL encryption (TDE), least-privilege accounts
Threat: Session hijacking, session replay, man-in-the-middle attacks
Countermeasure: Session management: validate the form digest, configure time-out for claims, explicitly log users out
Threat: Poor key management
Countermeasure: Encrypt secrets, manage credentials in the Secure Store
Threat: Form field, cookie, and query string manipulation
Countermeasure: Validate all parameters and input
Threat: Errors reveal implementation, denial-of-service attacks
Countermeasure: Manage exceptions, emit Correlation IDs, monitor requests at the border
Threat: User denies accountability, attackers cover their tracks
Countermeasure: Manage auditing and logging, protect ULS logs, protect SQL logs
Compartmentalize
• Attacks should be contained to the scope of the attack
Use least privilege
• A breach should not lead to a greater breach
Apply defense in depth
• Use multiple gatekeepers, do not allow a single point of failure
Do not trust user input
• Assume all input is malicious until proven safe
Check at the gate
• Authenticate and authorize as early in the process as possible
Fail securely
• Do not provide details to help an attacker understand the mechanism
Secure the weakest link
• Is the network, host or application the weakest link?
Create secure defaults
• Standards, open libraries, and automation all help
Reduce the attack surface
• If you don't use it, remove or disable it
It is easy to identify SharePoint sites
• Promiscuous headers
• Identifiable UI elements
SharePoint is susceptible to known ASP.NET exploits
• Be aware, some need faster action than others
• JavaScript injection is most common
• IFRAME click-jacking is possible by default
SharePoint is susceptible to known SharePoint exploits
• Files, pages, cookies and history may be cached on the user's system
• Static assets in the SharePoint hive do not require authorization
• Any code – i.e. any web part – in the GAC can be used on any site
• Any application page in the hive is accessible from every application and site
• Web and WCF services are visible for all sites
http://technet.microsoft.com/en-us/security/bulletin
http://technet.microsoft.com/en-us/security/bulletin/ms13-024
Walkthrough: MS10-070
http://technet.microsoft.com/en-us/security/advisory/2416728
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?PageType=4&ListId={72C1C85B-1D2D-4A4A-90DE-CA74A7808184}&pID=941
http://weblogs.asp.net/erobillard/archive/2010/09/21/how-to-protect-sharepoint-servers-from-the-asp-net-vulnerability.aspx
Console / PowerShell
• Member of Farm Administrators group
• SharePoint Installer account
Timer Jobs
• Farm account
SP Services
• User impersonation
• Application Pool Identity of the Service Application
• Managed Account
Client-side code
• User impersonation
Full Trust Code
• User impersonation
• Application Pool Identity
Custom CAS Policies
• User impersonation
• Application Pool Identity
Sandbox (Deprecated)
• Application Pool Identity
Apps
• User-only Policy
• User + App Policy
• App-only Policy
Keeping SharePoint Secure
// Leaks: the SPWeb is never disposed
SPWeb web = site.OpenWeb();
// do stuff with web

// Better: dispose explicitly when finished
SPWeb web = site.OpenWeb();
// do stuff with web
web.Dispose();

// Best: a using block disposes even when an exception is thrown
using (SPWeb web = site.OpenWeb())
{
    // do stuff with web
}
if (HttpContext.Current == null)
{
    // This isn't being called in a web application
}
if (web.DoesUserHavePermissions(SPBasePermissions.ManageLists))
{
    // Backup list(s) to OneDrive
}
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
AntiXss.HtmlEncode(myString) // encode before writing a value into page markup
AntiXss.UrlEncode(myString)  // encode before placing a value in a URL
// Is the ItemId parameter an Int32?
int ItemId;
if (!Int32.TryParse(Request.QueryString["ItemId"], out ItemId))
{
    // Exit with an invalid parameter error
}
// Is the ListId parameter a GUID? (RegexStringValidator is in System.Configuration)
RegexStringValidator val = new RegexStringValidator(@"^\{?[\dA-Fa-f]{8}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{12}\}?$");
// If invalid, this will throw a System.ArgumentException
val.Validate(Request.QueryString["ListId"]);
Guid ListId = new Guid(Request.QueryString["ListId"]);
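The two checks above carried through as an added example (not the slides' code): a fail-closed parser for ItemId and ListId that uses Guid.TryParse in place of the regular expression and HTML-encodes the rejected value before it can reach an error label. WebUtility.HtmlEncode stands in for AntiXss.HtmlEncode so the block compiles against the base class library alone.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;

// Validates the ItemId and ListId query-string parameters from the slide and reports
// a failure without reflecting the raw value into the page.
public static class PageParameters
{
    public static bool TryParse(NameValueCollection query, out int itemId, out Guid listId,
                                out string encodedError)
    {
        itemId = 0; listId = Guid.Empty; encodedError = null;
        // ItemId must be a positive Int32. TryParse never throws on malformed input.
        if (!int.TryParse(query["ItemId"], out itemId) || itemId <= 0)
        {
            encodedError = Encode("ItemId", query["ItemId"]);
            return false;
        }

        // ListId must be a GUID. Guid.TryParse accepts the braced and unbraced forms the
        // slide's regular expression accepts and fails closed on everything else.
        if (!Guid.TryParse(query["ListId"], out listId) || listId == Guid.Empty)
        {
            encodedError = Encode("ListId", query["ListId"]);
            return false;
        }
        return true;
    }

    // HTML-encode the offending value before it reaches a Label or exception message;
    // otherwise the error path is a reflected cross-site scripting sink.
    // (In SharePoint code AntiXss.HtmlEncode is the drop-in for this call.)
    static string Encode(string name, string value)
    {
        return WebUtility.HtmlEncode(name + " is not valid: \"" + (value ?? "") + "\"");
    }

    public static void Main()
    {
        // Constructed request: a valid ItemId and a script tag where a GUID should be.
        var query = new NameValueCollection();
        query["ItemId"] = "42";
        query["ListId"] = "<script>alert(1)</script>";

        int id; Guid list; string error;
        bool ok = TryParse(query, out id, out list, out error);
        Console.WriteLine(ok ? "valid" : error);
    }
}
```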
• LayoutsPageBase
• SPUtility.ValidateFormDigest()
• AllowUnsafeUpdates
// Outside a web request there is no form digest to validate, so updates must be
// allowed explicitly; inside a request, validate the digest instead.
if (HttpContext.Current == null)
{
    // parmAbsoluteUrl is an absolute URL in the format "http://server/sites/mySite/"
    using (SPSite site = new SPSite(parmAbsoluteUrl))
    {
        // OpenWeb() with no argument opens the web addressed by the URL the SPSite was created with
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            try
            {
                // Update SharePoint objects here
            }
            finally
            {
                web.AllowUnsafeUpdates = false;
            }
        }
    }
}
else // HttpContext.Current has a value: this is a web request
{
    SPUtility.ValidateFormDigest();
    // Update SharePoint objects here
}
// Requires System.Runtime.InteropServices (DllImport) and System.Web.UI.WebControls (Label)
[DllImport("advapi32.dll")]
public static extern uint EventActivityIdControl(uint controlCode, ref Guid activityId);
public const uint EVENT_ACTIVITY_CTRL_GET_ID = 1;
// …
// And then use it in code like this:
try
{
    // code block goes here
}
catch
{
    // Read the current ETW activity id: this is the SharePoint Correlation ID for the request
    Guid g = Guid.Empty;
    EventActivityIdControl(EVENT_ACTIVITY_CTRL_GET_ID, ref g);
    // Show the user only the ID, never the exception details
    this.Controls.Add(new Label
    {
        Text = string.Format("An error occurred with Correlation ID {0}", g)
    });
}
private string _numberArray;
public string NumberArray
{
    // Require format: 1,2,3,4
    get { return _numberArray; }
    set
    {
        string[] arr = value.Split(',');
        foreach (string item in arr)
        {
            int i;
            // The message echoes the bad value; encode it wherever it is rendered as HTML
            if (!int.TryParse(item, out i))
                throw new WebPartPageUserException("\"" + item + "\" is not a valid number");
        }
        _numberArray = value;
    }
}
SPWeb web = SPContext.Current.Web;
try
{
    // Verify this is a postback from a valid Application Page
    SPUtility.ValidateFormDigest();
    // Verify that the user has a valid permission before elevating
    if (web.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Read data using the SharePoint Object Model here.
            // Only objects created inside this delegate (e.g. a new SPSite) run elevated;
            // 'web' from SPContext still carries the caller's identity.
        });
    }
}
catch (SPException)
{
    // The form digest was missing or invalid: report the failure and do not proceed
}

// Update a SharePoint property
using (SPSite elevatedSite = LitwareSecurity.SharePoint.Security.GetElevatedSite(web.Site))
{
    // Update data using SharePoint object model here.
}
The secret sauce: GetElevatedSite first tries site.SystemAccount.UserToken. If that doesn't work it falls back to RWEP() to GetSystemToken(). It then returns an elevated SPSite using this token.
Get the source: http://www.danlarson.com/elevated-privilege-with-spsite/
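The same gate-then-elevate sequence as an added example, which is neither the slides' code nor Dan Larson's GetElevatedSite: it assumes a reference to Microsoft.SharePoint and a farm to run in (console or application page), and the try-the-token-directly-then-fall-back-to-RWEP lookup follows the description above.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Elevation in the order the slides prescribe: validate the form digest, check the caller's
// own permission at the gate, then open a *new* SPSite with the system account's token so the
// elevated identity is actually used. 'userWeb' itself is never elevated.
public static class ElevatedUpdate
{
    public static void RunAsSystem(SPWeb userWeb, Action<SPWeb> work)
    {
        if (userWeb == null || work == null) throw new ArgumentNullException();
        // Inside a web request: prove this is a postback from a SharePoint page.
        if (HttpContext.Current != null)
            SPUtility.ValidateFormDigest();

        // Gate check on the caller's own permissions. Never elevate first and check later.
        if (!userWeb.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
            throw new UnauthorizedAccessException("ManageWeb is required.");
        string webUrl = userWeb.Url;
        SPUserToken systemToken = null;

        // Preferred route: read the site collection's system account token directly.
        try { systemToken = userWeb.Site.SystemAccount.UserToken; }
        catch (Exception) { /* the caller may not read it; fall back below */ }

        if (systemToken == null)
        {
            // Fallback: obtain the token under RWEP. Only the token leaves the delegate.
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                using (SPSite s = new SPSite(webUrl))
                    systemToken = s.SystemAccount.UserToken;
            });
        }

        // An SPSite opened with the system token runs as the system account.
        using (SPSite elevatedSite = new SPSite(webUrl, systemToken))
        using (SPWeb elevatedWeb = elevatedSite.OpenWeb())
        {
            // Outside a request there is no digest to validate, so allow updates explicitly.
            elevatedWeb.AllowUnsafeUpdates = HttpContext.Current == null;
            try { work(elevatedWeb); }
            finally { elevatedWeb.AllowUnsafeUpdates = false; }
        }
    }
}
```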
// Call a non-SharePoint resource (HostingEnvironment is in System.Web.Hosting)
using (HostingEnvironment.Impersonate())
{
    // Call an external resource using the credentials of
    // the Application Pool ID here
}
App hosting: App Web or Remote Web
Permissions: all or nothing
<?xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     ProductID="{4a07f3bd-803d-45f2-a710-b9e944c3396e}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0"
     Name="MySampleApp">
  <Properties>
    <Title>My Sample App</Title>
    <StartPage>http://ContosoApps/default.aspx?SPHostUrl={HostUrl}</StartPage>
    <SupportedLocales>
      <SupportedLocale CultureName="en-US" />
    </SupportedLocales>
  </Properties>
  <AppPermissionRequests>
    <!-- Read on the host web; Write only on lists of base template 101 (document libraries) -->
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
      <Property Name="BaseTemplateId" Value="101"/>
    </AppPermissionRequest>
  </AppPermissionRequests>
  <AppPrincipal>
    <RemoteWebApplication ClientId="1ee82b34-7c1b-471b-b27e-ff272accd564" />
  </AppPrincipal>
</App>
Scope / Pertains to
• Site Collection *: A SharePoint site collection
• Web *: A SharePoint web site
• List *: A SharePoint list
• Search: The SharePoint Search Service
• Workflow: The Windows Azure Workflow Service
• Taxonomy: The SharePoint Taxonomy Service
• BCS: Read access to BCS service data sources
App permission name = SharePoint permission name: permissions granted
• Read = Reader: View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages
• Write = Contributor: Read permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts
• Manage = Designer: Write permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets
• FullControl = Full Control: All permissions.
Policy / Conditions
• User-only Policy: Content database authorization checks succeed if the user has sufficient permissions to perform the action.
• App-only Policy: Content database authorization checks succeed if the app has sufficient permissions, whether or not the current user (if there is a current user) has the same permissions.
• User and App Policy: Content database authorization checks succeed only if both the current user and the app have sufficient permissions to perform the actions that the app is designed to perform. This is required to act on behalf of the user when the app is hosted in a Remote Web and not an App Web.
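An added review helper, not part of the slides or of any SharePoint tooling, that reads the AppPermissionRequests from a manifest like the one above and flags requests that exceed least privilege using the scope and right mappings in the tables; the embedded manifest fragment is constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Least-privilege review of the AppPermissionRequests in an AppManifest.xml, using the
// scope and right names from the tables above.
public static class AppManifestReview
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/sharepoint/2012/app/manifest";
    // Rights in ascending order of power (Read = Reader ... FullControl = Full Control).
    static readonly string[] Rights = { "Read", "Write", "Manage", "FullControl" };
    public static List<string> Review(string manifestXml)
    {
        var findings = new List<string>();
        foreach (XElement req in XDocument.Parse(manifestXml).Descendants(Ns + "AppPermissionRequest"))
        {
            string scope = (string)req.Attribute("Scope") ?? "";
            string right = (string)req.Attribute("Right") ?? "";
            int rank = Array.IndexOf(Rights, right);
            bool listScoped = scope.EndsWith("/list", StringComparison.OrdinalIgnoreCase);
            bool filtered = req.Elements(Ns + "Property")
                               .Any(p => (string)p.Attribute("Name") == "BaseTemplateId");
            string prefix = right + " on " + scope + ": ";
            if (rank < 0)
                findings.Add(prefix + "unrecognised Right; reject the package");
            else if (rank >= 2)
                findings.Add(prefix + "maps to Designer or Full Control; justify or reduce");
            else if (rank == 1 && !listScoped)
                findings.Add(prefix + "Contributor on the whole web or site collection, not one list");
            else if (rank == 1 && !filtered)
                findings.Add(prefix + "no BaseTemplateId filter, so any list type can be chosen at install");
        }
        return findings;
    }

    // Constructed manifest fragment: the two requests from the slide plus one over-broad request.
    public const string Sample =
        "<App xmlns='http://schemas.microsoft.com/sharepoint/2012/app/manifest'><AppPermissionRequests>" +
        "<AppPermissionRequest Scope='http://sharepoint/content/sitecollection/web' Right='Read'/>" +
        "<AppPermissionRequest Scope='http://sharepoint/content/sitecollection/web/list' Right='Write'>" +
        "<Property Name='BaseTemplateId' Value='101'/></AppPermissionRequest>" +
        "<AppPermissionRequest Scope='http://sharepoint/content/sitecollection' Right='FullControl'/>" +
        "</AppPermissionRequests></App>";
    public static void Main()
    {
        foreach (string f in Review(Sample)) Console.WriteLine(f);
    }
}
```

Only the FullControl request produces a finding for the sample; the slide's own two requests pass.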