designing security for web servers


Chapter 12
DESIGNING SECURITY FOR WEB SERVERS

Chapter 12: Designing Security for Web Servers

HARDENING IIS
- Upgrade to Windows Server 2003
- Select minimal application server role components
- Use IP address restrictions
- Use SSL encryption
- Restrict Web-site permissions
- Use firewalls

APPLICATION SERVER COMPONENTS
- Active Server Pages
- Application Server Console
- ASP.NET
- Background Intelligent Transfer Service (BITS) Server Extension
- Common Files

APPLICATION SERVER COMPONENTS (CONT.)
- Enable Network COM+ Access
- Enable Network Distributed Transaction Coordinator (DTC) Access
- File Transfer Protocol (FTP) Service
- Microsoft FrontPage 2002 Server Extensions
- Internet Data Connector

APPLICATION SERVER COMPONENTS (CONT.)
- Internet Information Services Manager
- Internet Printing
- Message Queuing
- Network News Transfer Protocol (NNTP) Service
- Remote Administration (Hypertext Markup Language, or HTML)

APPLICATION SERVER COMPONENTS (CONT.)
- Remote Desktop Web Connection
- Server Side Includes
- Simple Mail Transport Protocol (SMTP) Service
- WebDAV Publishing
- World Wide Web Service

IIS AUTHENTICATION
- Anonymous access
- Basic authentication
- Digest authentication
- Integrated Windows authentication
- Client-certificate authentication
- Passport authentication

CLIENT CERTIFICATE SCENARIOS
- Internal users with your internal CA
- External users with your internal CA
- External users with their internal CA

ONE-TO-ONE CERTIFICATE MAPPING
- Maps each certificate to an Active Directory account
- A user who authenticates with the certificate receives the permissions assigned to that account
- Enables restricting resources to specific users
- Enables security auditing

MANY-TO-ONE CERTIFICATE MAPPING
- Maps types of certificates to an Active Directory account:
  - Issued by a specific CA
  - With a specific organizational unit
  - With a specific first and last name

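The two mapping slides above describe the decision IIS makes when a client certificate arrives: look the exact certificate up in a one-to-one table, or match its issuer and subject fields against many-to-one rules that resolve to a shared account. The following Python is an added illustration of that decision, not code from the chapter or from IIS. The certificates, CA names, thumbprints and account names are constructed; distinguished names are handled as simple comma-separated strings rather than parsed X.509; and the choice to consult the one-to-one table before the many-to-one rules is an ordering assumed here for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple distinguished name such as
    'CN=Alice Smith, OU=Sales, O=Contoso' into {'CN': ..., 'OU': ..., 'O': ...}.
    Real DNs allow escaping and multi-valued RDNs; this is enough for the illustration."""
    fields: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().upper()] = value.strip()
    return fields


@dataclass
class Certificate:
    """Constructed stand-in for a client certificate (no real X.509 parsing)."""
    subject: str
    issuer: str
    thumbprint: str  # hex string standing in for the certificate hash


@dataclass
class ManyToOneRule:
    """One many-to-one rule: every listed issuer and subject field must match."""
    account: str
    issuer_match: Dict[str, str] = field(default_factory=dict)
    subject_match: Dict[str, str] = field(default_factory=dict)
    enabled: bool = True


def map_one_to_one(cert: Certificate, table: Dict[str, str]) -> Optional[str]:
    """One-to-one mapping: exactly this certificate (by thumbprint) -> one account."""
    return table.get(cert.thumbprint.lower())


def map_many_to_one(cert: Certificate, rules: List[ManyToOneRule]) -> Optional[str]:
    """Many-to-one mapping: the first enabled rule whose criteria all match wins,
    so rule order matters (a specific rule must be listed before a broad one)."""
    issuer = parse_dn(cert.issuer)
    subject = parse_dn(cert.subject)
    for rule in rules:
        if not rule.enabled:
            continue
        issuer_ok = all(issuer.get(k) == v for k, v in rule.issuer_match.items())
        subject_ok = all(subject.get(k) == v for k, v in rule.subject_match.items())
        if issuer_ok and subject_ok:
            return rule.account
    return None


def map_certificate(cert: Certificate, table: Dict[str, str],
                    rules: List[ManyToOneRule]) -> Optional[str]:
    """Resolve a certificate to an account. This example consults the one-to-one
    table before the many-to-one rules (an ordering assumed for the example)."""
    account = map_one_to_one(cert, table)
    return account if account is not None else map_many_to_one(cert, rules)


# --- constructed sample data (hypothetical CAs, users and accounts) ---
INTERNAL_CA = "CN=Contoso Issuing CA, O=Contoso"
PARTNER_CA = "CN=Fabrikam Issuing CA, O=Fabrikam"

ALICE = Certificate("CN=Alice Smith, OU=Sales, O=Contoso", INTERNAL_CA, "11AA22BB")
BOB = Certificate("CN=Bob Jones, OU=Sales, O=Contoso", INTERNAL_CA, "33CC44DD")
CAROL = Certificate("CN=Carol White, OU=Sales, O=Contoso", INTERNAL_CA, "99AA00BB")
PARTNER = Certificate("CN=Pat Lee, OU=Engineering, O=Fabrikam", PARTNER_CA, "55EE66FF")
STRANGER = Certificate("CN=Self Signed, O=Nowhere", "CN=Self Signed, O=Nowhere", "77AA88BB")

# One-to-one: Alice's own certificate maps to her own account.
ONE_TO_ONE_TABLE = {"11aa22bb": r"CONTOSO\asmith"}

MANY_TO_ONE_RULES = [
    # specific person (first and last name) from the internal CA, listed first
    ManyToOneRule(r"CONTOSO\bjones", {"CN": "Contoso Issuing CA"}, {"CN": "Bob Jones"}),
    # internal CA + Sales OU -> shared, least-privileged Sales account
    ManyToOneRule(r"CONTOSO\SalesWeb", {"CN": "Contoso Issuing CA"}, {"OU": "Sales"}),
    # anything issued by the partner's CA -> restricted extranet guest account
    ManyToOneRule(r"CONTOSO\PartnerGuest", {"CN": "Fabrikam Issuing CA"}),
]


def resolve(cert: Certificate) -> Optional[str]:
    """Resolve one constructed certificate against the sample table and rules."""
    return map_certificate(cert, ONE_TO_ONE_TABLE, MANY_TO_ONE_RULES)


if __name__ == "__main__":
    for c in (ALICE, BOB, CAROL, PARTNER, STRANGER):
        print(f"{c.subject:45} -> {resolve(c)}")
```

A certificate that matches nothing resolves to no account at all, which is the outcome to expect for a self-signed or unknown-CA certificate; the rules only ever map to accounts you created, so the privilege those accounts carry is what bounds the access a matching certificate can obtain.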
MANY-TO-ONE CERTIFICATE MAPPING SCREENSHOT

ASP.NET
- Popular IIS Web application framework
- Based on the .NET Framework
- Supports code access security (CAS)

ASP.NET AUTHENTICATION TYPES
- Anonymous access
- Windows authentication
- Forms authentication
- Passport authentication

WEB.CONFIG FILES
- Contain per-application and per-directory security settings
- Hierarchical:
  - Computer: Machine.config file
  - Application: Web.config file
  - Per-folder Web.config files

WEB.CONFIG HIERARCHY

WEB.CONFIG SAMPLE
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" denotes anonymous users, so this rule requires authentication -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

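The hierarchy slide and the sample above together describe how ASP.NET decides whether a request is authorized: settings in a folder's Web.config sit on top of the application's Web.config, which sits on top of Machine.config, and the authorization rules are checked from the most specific file outward with the first matching allow or deny deciding. The Python below is an added example of that evaluation, not the chapter's code or ASP.NET's implementation. The three configuration documents, the /admin/ folder, the user names and the role names are constructed for the illustration; the semantics implemented are that "?" means anonymous, "*" means everyone, rules within a file apply in document order, and a request that matches no rule is allowed.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Sequence, Tuple

# Constructed configuration documents for the three hierarchy levels
# (not the chapter's files). Machine.config allows everyone by default.
MACHINE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Application Web.config: the slide's sample, denying anonymous users.
APP_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# Per-folder Web.config for a hypothetical /admin/ folder: administrators only.
ADMIN_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

Rule = Tuple[str, List[str], List[str]]  # (action, users, roles)


def _split(attr: Optional[str]) -> List[str]:
    """Turn a comma-separated attribute value into a list of names."""
    return [x.strip() for x in (attr or "").split(",") if x.strip()]


def authorization_rules(config_xml: str) -> List[Rule]:
    """Read the <allow>/<deny> rules of one config document in document order."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    if section is None:
        return []
    return [(e.tag, _split(e.get("users")), _split(e.get("roles")))
            for e in section if e.tag in ("allow", "deny")]


def authentication_mode(chain: Sequence[str]) -> Optional[str]:
    """Nearest <authentication mode> wins; a folder config without one inherits."""
    for config_xml in chain:
        elem = ET.fromstring(config_xml).find("./system.web/authentication")
        if elem is not None and elem.get("mode"):
            return elem.get("mode")
    return None


def _matches(rule: Rule, user: Optional[str], roles: Sequence[str]) -> bool:
    """Does this rule apply to the user (None = anonymous) with these roles?"""
    _, users, rule_roles = rule
    anonymous = user is None
    for u in users:
        if u == "*" or (u == "?" and anonymous):
            return True
        if not anonymous and u.lower() == user.lower():
            return True
    if not anonymous:
        mine = {r.lower() for r in roles}
        if any(r.lower() in mine for r in rule_roles):
            return True
    return False


def is_authorized(chain: Sequence[str], user: Optional[str],
                  roles: Sequence[str] = ()) -> bool:
    """chain is ordered from the requested folder's Web.config up to Machine.config.
    The first matching rule decides; when nothing matches the request is allowed."""
    for config_xml in chain:
        for rule in authorization_rules(config_xml):
            if _matches(rule, user, roles):
                return rule[0] == "allow"
    return True


def config_chain(path: str) -> List[str]:
    """Select the constructed configs that apply to a request path, most specific first."""
    chain = [APP_WEB_CONFIG, MACHINE_CONFIG]
    if path.startswith("/admin/"):
        chain.insert(0, ADMIN_WEB_CONFIG)
    return chain


if __name__ == "__main__":
    print("mode for /admin/:", authentication_mode(config_chain("/admin/")))
    print("anonymous at /:", is_authorized(config_chain("/"), None))
    print("alice at /admin/:", is_authorized(config_chain("/admin/"), r"CONTOSO\alice", ["Users"]))
```

Two points worth checking against your own files with logic like this: the application-level deny of "?" only protects folders that inherit it, so a folder config that adds an early <allow users="*" /> reopens anonymous access, and a folder that omits <authentication> silently inherits the parent's mode rather than falling back to anonymous.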
PUBLISHING WEB CONTENT
- Test environment
- Staging environment
- Production environment

CONTENT MANAGEMENT ARCHITECTURE

MONITORING IIS
- Performance monitoring
- Fault monitoring
- Security auditing

MICROSOFT OPERATIONS MANAGER (MOM)
- IIS Management Pack supports:
  - Availability, health, and configuration monitoring
  - Automatic IP address blocking
  - Triggering any alert based on repeated events, such as a DoS attack

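The monitoring slides say that repeated events from one source, such as a DoS attack, should raise an alert and can drive automatic IP address blocking. The Python below is an added example of the detection half of that idea over IIS W3C extended log lines; it is not the MOM IIS Management Pack or any code from the chapter. The log excerpt is constructed (the IP addresses are documentation ranges), the threshold and window values are chosen for the illustration, and the function only reports which client addresses crossed the threshold; what to do with that list (alert, block at the firewall, or IIS IP restriction) is the operator's policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterator

# Constructed W3C extended log excerpt (not from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-01 10:00:01 10.0.0.5 GET /default.htm 200
2004-03-01 10:00:02 10.0.0.5 GET /images/logo.gif 200
2004-03-01 10:00:03 10.0.0.5 GET /secure/report.aspx 401
2004-03-01 10:00:04 10.0.0.5 GET /secure/report.aspx 200
2004-03-01 10:00:05 203.0.113.7 GET /page1.htm 404
2004-03-01 10:00:07 203.0.113.7 GET /page2.htm 404
2004-03-01 10:00:09 203.0.113.7 GET /page3.htm 404
2004-03-01 10:00:11 203.0.113.7 GET /secure/ 401
2004-03-01 10:00:13 203.0.113.7 GET /printers/ 403
2004-03-01 10:00:15 203.0.113.7 GET /page4.htm 404
2004-03-01 10:00:20 198.51.100.9 GET /old/a.htm 404
2004-03-01 10:02:30 198.51.100.9 GET /old/b.htm 404
2004-03-01 10:04:40 198.51.100.9 GET /old/c.htm 404
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields directive.
    Directive lines (starting with '#') and malformed records are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def flag_repeated_errors(text: str, threshold: int = 5,
                         window_seconds: int = 60) -> Dict[str, str]:
    """Return {client_ip: timestamp} for every client that produced at least
    `threshold` error responses (status >= 400) within any `window_seconds`
    span. The timestamp is the record at which the threshold was first reached.
    A per-client sliding window of error timestamps keeps memory bounded."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    horizon = timedelta(seconds=window_seconds)
    for rec in parse_w3c(text):
        if int(rec["sc-status"]) < 400:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        window = windows[ip]
        window.append(ts)
        # drop errors that fell out of the window
        while window and ts - window[0] > horizon:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return flagged


if __name__ == "__main__":
    for ip, when in flag_repeated_errors(SAMPLE_LOG).items():
        print(f"{ip} crossed the error threshold at {when}")
```

Tuning matters more than the code: the same three 404s spread over several minutes are noise under a short window and a signal under a long one, and a single client with a few 401s before a successful login (as 10.0.0.5 shows) should never reach the threshold, or the block list starts catching legitimate users.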
SUMMARY
- Web servers are common targets, and warrant extra security effort
- Client certificates provide ideal intranet and extranet authentication
- ASP.NET applications provide an additional layer of security
- Configure ASP.NET security by using Web.config files
- Protect confidential information with a content management strategy
- Monitor IIS to detect failures and compromises