M0194 Web-based Programming Lanjut Session 13 2004 Tau Yenny, SI - Binus 2 Securing Your Server What is Security? Problems on the Internet with Security Security Policies Securing IIS SQL Server and ODBC Security 2004 Tau Yenny, SI - Binus 3 What is Security? Problems on the Internet with Security Ranging from intercepting base-level packet data all the way through to accessing systems using bad passwords that are easily guessed. Try and break into your ASP Web site while it’s still on the development server and hasn’t gone live yet. Keep up to date with those sites which detail the latest hacking tools and automated attacks. http://www.rootshell.com http://www.hackers.com http://www.dark-secrets.com 2004 Tau Yenny, SI - Binus 4 What is Security? Problems on the Internet with Security Malicious Attacks/Vandalism Attackers will steal passwords or find some other method to get into your system and then deface your Web sites. Vandals can also get into your system through FTP and telnet clients, so don’t enable either service unless it is a total must. Impersonation\IP Spoofing A ploy where attackers disguise themselves as someone else, usually with access to your system. This can be a fair problem for those servers using IP-based and/or user authentication. 2004 Tau Yenny, SI - Binus 5 What is Security? Layers Description Source Host The machine the packet (unit of data) came from Source Port The port the packet came from Destination Host The destination of the packet Destination Port The destination port of the packet The most important layer to look at is the source host, which defines where our pieces of information – packet – have came from. Attackers can fake the source host for your packet, make a machine believe that they came from somewhere that they did not. This technique known as IP spoofing. Use a firewall to check if packets could actually have come from where they state their source host to be. 2004 Tau Yenny, SI - Binus 6 What is Security? Security Policies Keep and maintain an up-to-date security policy. The most dangerous person on your network is one who knows what to do. Security policies must be set in place and enforced by the writers of the policy itself. Anatomy of a Security Policy User requirements Managerial responsibilities Administrator’s responsibilities 2004 Tau Yenny, SI - Binus 7 What is Security? User Requirements Which systems do users need access to? What type of access will each user need? Full read/write access or the least access possible? How about people on the Internet who use the system as the anonymous user? What time will users to access these system? Most security breaches take place out-of-hours so putting in restrictions based on the time of day would seem good sense. Do user require username and password authentication? If so, some rules on choosing passwords would be in order alongside the rules not to divulge them to anyone else or write them down in plain sight. Make plans for dial-up users accessing the system from home via modem or ISDN. 2004 Tau Yenny, SI - Binus 8 What is Security? User Requirements (cont..) Will user require IP-based authentication? Do these particular users fit into a logical grouping? For example, those users in accounts needing access to finance records, those in sales needing a certain level of product info, and those in supply logistics needing another type of product info. Will certain areas of the system that users visit require a certain level of encryption? It’s not necessary to secure book information on amazon.com, but it’s very necessary to offer an encrypted area where people can fill in their credit card information. 2004 Tau Yenny, SI - Binus 9 What is Security? Managerial Responsibilities Place some of the responsibility for the network on the managers, by explaining what security measures are to be put in place and the security risks that can arise if they are not followed. Administrator Responsibilities What action to take if a break in occurs. What action to take if users violate the policy. How to set up new user accounts, new user group policies, file and directory permissions, etc. Backup strategy. What kind of backup media to use. When and what kind (full or incremental) of backup to perform. Where to store the backups and an emergency recovery plan should all go wrong. 2004 Tau Yenny, SI - Binus 10 What is Security? Administrator Responsibilities (cont..) Hardware maintenance. How up-to-date should your servers be? When to upgrade them and what to upgrade? Bios? Network card? Other pieces of hardware? Software versions: if a new version, service pack, update or fix becomes available from the vendor, the administrator should be aware of it and make a reasoned decision whether or not to install it. A record should be kept of what has been installed on the servers. Operating System versions. As with software, any new version, upgrade or patch to the operating system needs to be rigorously tested on an isolated machine before it’s applied to the live servers. Log files should be checked on a daily basis to see that users are doing what they’re supposed to be doing. If not, action should then be taken 2004 Tau Yenny, SI - Binus 11 Securing IIS Install as few components as possible Create a logical securable directory structure Keep a wafer thin server The sample applications and IIS SDK located in C:\inetpub\iisamples\ are surplus baggage on a live server. Likewise, the Admin Scripts installed at C:\inetpub\adminScripts\ can be deleted. The Default Web Site in IIS is also a candidate for deletion as its physical root is usually on the server’s primary boot partition. If your online application do not make use of the scripting runtime library objects or the ASP server components, you can unregister them by choosing Run from the Start menu and typing : regsvr32 xxx.dll /u Shore up your RDS security 2004 Tau Yenny, SI - Binus 12 Securing IIS Don’t index your back-end code Set up your web logs and secure them Restrict access to the site by filtering IP addresses Configure your web application with care 2004 Tau Yenny, SI - Binus 13 SQL Server and ODBC Security Securing the sa Account 1. 2. 3. 4. 5. 6. 7. 8. Launch SQL Server Enterprise Manager Connect to the SQL Server that holds your database Open the Security folder Click on Logins. Right-mouse click on the sa account and select Properties. Replace password with a new password Click on OK. You will be prompted to re-enter the password for verification. 2004 Tau Yenny, SI - Binus 14 SQL Server and ODBC Security Creating SQL Database Role in Enterprise Manager Open the folder for the database your pages work with. Select Roles. Right-mouse click in the open area and select New Database Role. Give the role a name in the text box and select OK. Right-mouse click on the newly added role and select Properties Click on the Permission buttons. The resulting dialog will allow you to specify access permissions for each of the database’s related objects. 2004 Tau Yenny, SI - Binus 15 SQL Server and ODBC Security Creating an alternate account for database access 1. 2. 3. 4. 5. 6. 7. 8. 9. Open the Security folder. Select Logins. Right-mouse click in the open white area of the screen and select New Login. Type the user ID in the Name text box. Click SQL Server Authentication and enter the password in the Password text box. Change the default database to your database Click on the Database Access tab. Permit database access to your database. Permit database role access to the database role that was created for the Web site/Web application. 2004 Tau Yenny, SI - Binus