M0194 Advanced Web-based Programming, Session 13

© 2004 Tau Yenny, SI - Binus
Securing Your Server

- What is Security?
  - Problems on the Internet with Security
  - Security Policies
- Securing IIS
- SQL Server and ODBC Security
What is Security?

Problems on the Internet with Security
Security problems range from interception of low-level packet data all the way through to access to systems using weak, easily guessed passwords.
Try to break into your ASP Web site while it is still on the development server and has not gone live yet.
Keep up to date with the sites that detail the latest hacking tools and automated attacks:
- http://www.rootshell.com
- http://www.hackers.com
- http://www.dark-secrets.com

Malicious Attacks/Vandalism
Attackers steal passwords or find some other way into your system and then deface your Web sites. Vandals can also get into your system through FTP and telnet, so do not enable either service unless it is absolutely necessary.

Impersonation / IP Spoofing
A ploy in which attackers disguise themselves as someone else, usually someone who has access to your system. This is a real problem for servers that rely on IP-based and/or user authentication.
Layer             Description
Source Host       The machine the packet (unit of data) came from
Source Port       The port the packet came from
Destination Host  The destination machine of the packet
Destination Port  The destination port of the packet

The most important layer to look at is the source host, which records where our piece of information, the packet, came from. Attackers can fake the source host of a packet and make a machine believe it came from somewhere it did not; this technique is known as IP spoofing. Use a firewall to check whether packets could actually have come from where they claim their source host to be.

Security Policies
Keep and maintain an up-to-date security policy.
The most dangerous person on your network is one who knows what to do.
Security policies must be put in place and enforced by the people who wrote them.

Anatomy of a Security Policy
- User requirements
- Managerial responsibilities
- Administrator's responsibilities

User Requirements
- Which systems do users need access to?
- What type of access will each user need? Full read/write access or the least access possible? What about people on the Internet who use the system as the anonymous user?
- At what times will users access these systems? Most security breaches take place out of hours, so restrictions based on the time of day make good sense.
- Do users require username and password authentication? If so, rules on choosing passwords are in order, alongside rules not to divulge them to anyone else or write them down in plain sight. Make plans for dial-up users accessing the system from home via modem or ISDN.

User Requirements (cont.)
- Will users require IP-based authentication?
- Do these particular users fit into a logical grouping? For example, users in accounts need access to finance records, those in sales need a certain level of product information, and those in supply logistics need another type of product information.
- Will certain areas of the system that users visit require a certain level of encryption? It is not necessary to secure book information on amazon.com, but it is very necessary to offer an encrypted area where people can fill in their credit card information.

Managerial Responsibilities
Place some of the responsibility for the network on the managers by explaining what security measures are to be put in place and the security risks that arise if they are not followed.

Administrator Responsibilities
- What action to take if a break-in occurs.
- What action to take if users violate the policy.
- How to set up new user accounts, new user group policies, file and directory permissions, etc.
- Backup strategy: what kind of backup media to use, when and what kind (full or incremental) of backup to perform, where to store the backups, and an emergency recovery plan should everything go wrong.

Administrator Responsibilities (cont.)
- Hardware maintenance: how up to date should your servers be? When to upgrade them and what to upgrade? BIOS? Network card? Other pieces of hardware?
- Software versions: if a new version, service pack, update or fix becomes available from the vendor, the administrator should be aware of it and make a reasoned decision whether or not to install it. A record should be kept of what has been installed on the servers.
- Operating system versions: as with software, any new version, upgrade or patch to the operating system needs to be rigorously tested on an isolated machine before it is applied to the live servers.
- Log files should be checked on a daily basis to see that users are doing what they are supposed to be doing. If not, action should then be taken.
Securing IIS
- Install as few components as possible
- Create a logical, securable directory structure
- Keep a wafer-thin server
  - The sample applications and IIS SDK located in C:\inetpub\iissamples\ are surplus baggage on a live server.
  - Likewise, the Admin Scripts installed at C:\inetpub\adminScripts\ can be deleted.
  - The Default Web Site in IIS is also a candidate for deletion, as its physical root is usually on the server's primary boot partition.
  - If your online application does not make use of the Scripting Runtime library objects or the ASP server components, you can unregister them by choosing Run from the Start menu and typing:
    regsvr32 xxx.dll /u
- Shore up your RDS security
- Don't index your back-end code
- Set up your web logs and secure them
- Restrict access to the site by filtering IP addresses
- Configure your web application with care
SQL Server and ODBC Security

Securing the sa Account
1. Launch SQL Server Enterprise Manager.
2. Connect to the SQL Server that holds your database.
3. Open the Security folder.
4. Click on Logins.
5. Right-click on the sa account and select Properties.
6. Replace the password with a new password.
7. Click on OK.
8. You will be prompted to re-enter the password for verification.
Creating a SQL Database Role in Enterprise Manager
- Open the folder for the database your pages work with.
- Select Roles.
- Right-click in the open area and select New Database Role.
- Give the role a name in the text box and select OK.
- Right-click on the newly added role and select Properties.
- Click on the Permissions button.
- The resulting dialog allows you to specify access permissions for each of the database's related objects.
Creating an alternate account for database access
1. Open the Security folder.
2. Select Logins.
3. Right-click in the open white area of the screen and select New Login.
4. Type the user ID in the Name text box.
5. Click SQL Server Authentication and enter the password in the Password text box.
6. Change the default database to your database.
7. Click on the Database Access tab.
8. Permit database access to your database.
9. Permit database role access to the database role that was created for the Web site/Web application.
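The same three procedures (resetting sa, creating a least-privilege database role, and creating a separate login for the Web application) as a T-SQL script rather than Enterprise Manager clicks. This is an added example, not from the original slides; the database name WebShop, role WebAppRole, login webuser and the table and procedure names are assumptions, and the system procedures are the SQL Server 2000-era ones that match the Enterprise Manager dialogs.

```sql
-- Added example (not from the slides). Assumed names: database WebShop,
-- role WebAppRole, login webuser, tables Products/Orders, proc usp_PlaceOrder.

-- 1. Replace the sa password. Passing NULL as the old password means only a
--    member of sysadmin can run this, which is what the Properties dialog does.
EXEC sp_password NULL, 'Replace-With-A-Long-Random-Passphrase', 'sa'
GO

USE WebShop
GO

-- 2. Create a database role and grant it only what the ASP pages need.
--    No ALTER, DROP or rights on any other table are granted.
EXEC sp_addrole 'WebAppRole'
GO
GRANT SELECT         ON dbo.Products      TO WebAppRole
GRANT SELECT, INSERT ON dbo.Orders        TO WebAppRole
GRANT EXECUTE        ON dbo.usp_PlaceOrder TO WebAppRole
GO

-- 3. Create a SQL Server Authentication login with WebShop as its default
--    database, give it access to that database only, and put it in the role.
--    The ODBC DSN / ASP connection string should use this login, never sa.
EXEC sp_addlogin 'webuser', 'Another-Long-Random-Passphrase', 'WebShop'
GO
EXEC sp_grantdbaccess 'webuser'
EXEC sp_addrolemember 'WebAppRole', 'webuser'
GO

-- 4. Verify: webuser must not be a sysadmin (expect 0) and must appear in
--    the member list of WebAppRole.
SELECT IS_SRVROLEMEMBER('sysadmin', 'webuser') AS webuser_is_sysadmin
EXEC sp_helprolemember 'WebAppRole'
GO
```

On SQL Server 2005 and later the same steps are ALTER LOGIN sa WITH PASSWORD, CREATE ROLE, CREATE LOGIN and CREATE USER; sp_addrolemember still works there but ALTER ROLE ... ADD MEMBER replaces it from 2012 on.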