Web-based Programming Lanjut
Session 13
Course: M0492 / Web-based Programming Lanjut
Year: 2007
Securing Your Server
• What is Security?
– Problems on the Internet with Security
– Security Policies
• Securing IIS
• SQL Server and ODBC Security
Bina Nusantara
What is Security?
• Problems on the Internet with Security
Problems range from the interception of base-level packet data all the way
through to access to systems through bad passwords that are easily guessed.
Try and break into your ASP Web site while it’s still on the development server
and hasn’t gone live yet.
Keep up to date with those sites which detail the latest hacking tools and
automated attacks.
• http://www.rootshell.com
• http://www.hackers.com
• http://www.dark-secrets.com
What is Security?
• Problems on the Internet with Security
– Malicious Attacks/Vandalism
Attackers will steal passwords or find some other method to get into your
system and then deface your Web sites.
Vandals can also get into your system through FTP and telnet clients, so don’t
enable either service unless it is a total must.
– Impersonation/IP Spoofing
A ploy where attackers disguise themselves as someone else, usually with
access to your system. This can be a fair problem for those servers using
IP-based and/or user authentication.
What is Security?
Layers | Description
Source Host | The machine the packet (unit of data) came from
Source Port | The port the packet came from
Destination Host | The destination of the packet
Destination Port | The destination port of the packet
The most important layer to look at is the source host, which defines where our
pieces of information – packets – have come from.
Attackers can fake the source host of a packet, making a machine believe that
it came from somewhere that it did not. This technique is known as IP
spoofing.
Use a firewall to check if packets could actually have come from where they
state their source host to be.
What is Security?
• Security Policies
Keep and maintain an up-to-date security policy.
The most dangerous person on your network is one who knows what to do.
Security policies must be set in place and enforced by the writers of the policy
itself.
– Anatomy of a Security Policy
• User requirements
• Managerial responsibilities
• Administrator’s responsibilities
What is Security?
– User Requirements
• Which systems do users need access to?
• What type of access will each user need? Full read/write access or the
least access possible? How about people on the Internet who use the
system as the anonymous user?
• At what times will users need to access these systems? Most security
breaches take place out-of-hours, so putting in restrictions based on the
time of day would seem good sense.
• Do users require username and password authentication? If so, some rules
on choosing passwords would be in order alongside the rules not to divulge
them to anyone else or write them down in plain sight. Make plans for
dial-up users accessing the system from home via modem or ISDN.
What is Security?
– User Requirements (cont..)
• Will users require IP-based authentication?
• Do these particular users fit into a logical grouping? For example, those
users in accounts needing access to finance records, those in sales
needing a certain level of product info, and those in supply logistics
needing another type of product info.
• Will certain areas of the system that users visit require a certain level of
encryption? It’s not necessary to secure book information on amazon.com,
but it’s very necessary to offer an encrypted area where people can fill in
their credit card information.
What is Security?
– Managerial Responsibilities
Place some of the responsibility for the network on the managers, by
explaining what security measures are to be put in place and the security risks
that can arise if they are not followed.
– Administrator Responsibilities
• What action to take if a break-in occurs.
• What action to take if users violate the policy.
• How to set up new user accounts, new user group policies, file and
directory permissions, etc.
• Backup strategy. What kind of backup media to use. When and what kind
(full or incremental) of backup to perform. Where to store the backups and
an emergency recovery plan should all go wrong.
What is Security?
– Administrator Responsibilities (cont..)
• Hardware maintenance. How up-to-date should your servers be? When to
upgrade them and what to upgrade? Bios? Network card? Other pieces of
hardware?
• Software versions: if a new version, service pack, update or fix becomes
available from the vendor, the administrator should be aware of it and
make a reasoned decision whether or not to install it. A record should be
kept of what has been installed on the servers.
• Operating System versions. As with software, any new version, upgrade or
patch to the operating system needs to be rigorously tested on an isolated
machine before it’s applied to the live servers.
• Log files should be checked on a daily basis to see that users are doing
what they’re supposed to be doing. If not, action should then be taken.
Securing IIS
• Install as few components as possible
• Create a logical securable directory structure
• Keep a wafer thin server
– The sample applications and IIS SDK located in
C:\inetpub\iisamples\ are surplus baggage on a live server.
– Likewise, the Admin Scripts installed at
C:\inetpub\adminScripts\ can be deleted.
– The Default Web Site in IIS is also a candidate for deletion as its physical root
is usually on the server’s primary boot partition.
– If your online applications do not make use of the scripting runtime library
objects or the ASP server components, you can unregister them by choosing
Run from the Start menu and typing:
regsvr32 xxx.dll /u
• Shore up your RDS security
Securing IIS
• Don’t index your back-end code
• Set up your web logs and secure them
• Restrict access to the site by filtering IP addresses
• Configure your web application with care
SQL Server and ODBC Security
• Securing the sa Account
1. Launch SQL Server Enterprise Manager
2. Connect to the SQL Server that holds your database
3. Open the Security folder
4. Click on Logins.
5. Right-mouse click on the sa account and select Properties.
6. Replace password with a new password
7. Click on OK.
8. You will be prompted to re-enter the password for verification.
SQL Server and ODBC Security
• Creating SQL Database Role in Enterprise Manager
– Open the folder for the database your pages work with.
– Select Roles.
– Right-mouse click in the open area and select New Database Role.
– Give the role a name in the text box and select OK.
– Right-mouse click on the newly added role and select Properties.
– Click on the Permission buttons.
The resulting dialog will allow you to specify access permissions for each of the
database’s related objects.
SQL Server and ODBC Security
• Creating an alternate account for database access
1. Open the Security folder.
2. Select Logins.
3. Right-mouse click in the open white area of the screen and select New Login.
4. Type the user ID in the Name text box.
5. Click SQL Server Authentication and enter the password in the Password text
box.
6. Change the default database to your database.
7. Click on the Database Access tab.
8. Permit database access to your database.
9. Permit database role access to the database role that was created for the
Web site/Web application.
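The three Enterprise Manager procedures above (sa password, database role, alternate login) can also be scripted so that they are repeatable and reviewable. The T-SQL below is an added example, not part of the original slides; it assumes SQL Server 2012 or later, and the names WebAppDb, webapp_role, webapp_login and the dbo.* objects are hypothetical.

```sql
-- Added example. Hypothetical names: WebAppDb, webapp_role, webapp_login,
-- dbo.Products, dbo.Orders, dbo.usp_PlaceOrder. Replace every <...> placeholder.
-- GO is the batch separator used by sqlcmd / Management Studio.

-- 1. Securing the sa account: replace its password.
USE [master];
ALTER LOGIN [sa] WITH PASSWORD = N'<new-strong-sa-password>';
GO

-- 2. Create the database role and grant only what the web site needs.
USE [WebAppDb];
CREATE ROLE [webapp_role];
GRANT SELECT         ON OBJECT::dbo.Products       TO [webapp_role];
GRANT SELECT, INSERT ON OBJECT::dbo.Orders         TO [webapp_role];
GRANT EXECUTE        ON OBJECT::dbo.usp_PlaceOrder TO [webapp_role];
GO

-- 3. Create the alternate login (SQL Server Authentication) whose default
--    database is the application's database.
USE [master];
CREATE LOGIN [webapp_login]
    WITH PASSWORD = N'<webapp-password>',
         DEFAULT_DATABASE = [WebAppDb],
         CHECK_POLICY = ON;   -- enforce the Windows password policy
GO

-- 4. Permit database access and add the account to the role.
USE [WebAppDb];
CREATE USER [webapp_login] FOR LOGIN [webapp_login];
ALTER ROLE [webapp_role] ADD MEMBER [webapp_login];
GO

-- 5. Verify: list what the role may do and who is a member of it.
SELECT pr.name AS principal, pe.state_desc, pe.permission_name,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'webapp_role';

SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'webapp_role';
```

The web application's connection string should then use webapp_login rather than sa, so that a compromised page can reach only the objects granted to the role.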