patterns & practices Security Deployment Review Index
Retired Content: This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
patterns & practices Developer Center
J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
Microsoft Corporation
August 2005
Summary
This page provides an index of the resources that will help you to perform deployment reviews for security. You can use deployment reviews to discover security vulnerabilities in application configuration or the deployment environment. The resources use configuration categories to help make deployment reviews for security systematic and repeatable. You can use these categories to break down your application deployment for further analysis and to help identify vulnerabilities. By using categories, you can systematically go through the deployment review process from start to finish or pick a particular category for further analysis.
Contents
Security Deployment Review Approach
How Tos
Checklists
Security Deployment Review Approach
When you review your security deployment, you can organize the precautions you must take and the settings you must configure into categories. By using these configuration categories, you can systematically review the securing process or pick a particular category and complete specific steps. The categories are shown in Figure 1.
Figure 1. Server configuration categories
Table 1 explains the various categories.
Table 1. Server Configuration Categories
Category | Practices |
---|---|
Patches and Updates | Patching and updating your server software is a critical first step. |
Accounts | Accounts allow authenticated users to access a computer. These accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Help to prevent brute force and dictionary attacks by using strong password policies, and then use auditing and alerts to detect logon failures. |
Auditing and Logging | Auditing is one of your most important tools for identifying intruders, attacks in progress, and evidence of attacks that have occurred. Configure auditing for your server. Event and system logs also help you to troubleshoot security problems. |
Files and Directories | Secure all files and directories with restricted permissions that allow access only to the services and accounts that need it. Use auditing so that you can detect suspicious or unauthorized activity when it occurs. |
Ports | Services that run on the server listen on specific ports so that they can respond to incoming requests. Audit the ports on your server regularly to ensure that no unsecured or unnecessary service is active on your server. |
Protocols | Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication. |
Registry | Many security-related settings are stored in the registry. As a result, you must secure the registry. You can do this by applying restricted Windows access control lists (ACLs) and by blocking remote registry administration. |
Services | If a service is necessary, secure and maintain it, and consider monitoring it to ensure availability. If the service software is not secure but you need the service, look for a secure alternative. |
Shares | Remove all unnecessary file shares. Secure any remaining shares with restricted permissions. |
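The categories in Table 1 are review checkpoints, not commands, so the following script is an added example (it is not part of the original patterns & practices guidance) that takes a read-only snapshot of several of them on a Windows server: listening ports and their owning processes, running auto-start services, the Remote Registry service, non-administrative file shares with their access lists, enabled local accounts, and the logon audit policy. It assumes a Windows Server 2012 or later host where the NetTCPIP, SmbShare and Microsoft.PowerShell.LocalAccounts modules and the auditpol tool are available, and it changes nothing; the reviewer compares the output against what the application is known to need.

```powershell
# Added example, not from the original page: read-only deployment review
# snapshot covering the Ports, Services, Registry, Shares, Accounts and
# Auditing and Logging categories of Table 1.
# Assumption: Windows Server 2012+ with the NetTCPIP, SmbShare and
# Microsoft.PowerShell.LocalAccounts modules; run in an elevated session.

# Ports: every TCP listener together with the process that owns it.
Write-Host "== Listening TCP ports =="
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            PID          = $_.OwningProcess
        }
    } | Format-Table -AutoSize

# Services: running services that start automatically. Review each one
# against the list of services the application actually requires.
Write-Host "== Running auto-start services =="
Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# Registry: Table 1 recommends blocking remote registry administration,
# so flag the Remote Registry service if it is running.
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($rr -and $rr.Status -eq 'Running') {
    Write-Warning "Remote Registry service is running; remote registry administration is not blocked."
}

# Shares: non-administrative shares and the accounts permitted to reach them.
Write-Host "== File shares (excluding administrative shares) =="
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            Account     = $_.AccountName
            AccessRight = $_.AccessRight
            Type        = $_.AccessControlType
        }
    }
} | Format-Table -AutoSize

# Accounts: enabled local accounts, with the Guest account called out.
# This is the starting point for the "least privilege, remove what you
# do not need" review.
Write-Host "== Enabled local accounts =="
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, LastLogon, PasswordRequired | Format-Table -AutoSize
if (Get-LocalUser -Name Guest -ErrorAction SilentlyContinue | Where-Object Enabled) {
    Write-Warning "Guest account is enabled."
}

# Auditing and Logging: confirm that logon auditing (success and failure)
# is configured, since logon failures are how brute force attempts surface.
Write-Host "== Logon audit policy =="
auditpol /get /subcategory:"Logon"
```

Each section prints a table rather than making a pass/fail decision on its own, because the correct answer for "is this port, service, share or account necessary?" depends on the application being deployed; the script makes the current state visible so the reviewer can work through Table 1 systematically.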
How Tos
Use the following How To modules to help you perform security deployment reviews:
- How To: Perform a Security Deployment Review for ASP.NET 2.0
- Security Deployment Review for ASP.NET 1.1
- Security Deployment Review for IIS 5.0
- Security Deployment Review for Web Services (.NET Framework 1.1)
- Security Deployment Review for the Network
- Security Deployment Review for SQL Server 2000
Checklists
Use the following checklists to help ensure that your review is complete.
- Security Checklist: Network Security
- Security Checklist: IIS 5.1
- Security Checklist: SQL Server 2000
Feedback
Provide feedback by using either a Wiki or e-mail:
- Wiki. Security guidance feedback page at https://channel9.msdn.com/wiki/securityguidancefeedback/
- E-mail. Send e-mail to secguide@microsoft.com.
We are particularly interested in feedback regarding the following:
- Technical issues specific to recommendations
- Usefulness and usability issues
Contributors and Reviewers
- External Contributors and Reviewers: Jason Taylor, Security Innovation
- Microsoft Contributors and Reviewers: Shawn Veney (ACE); Don Willits
- Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
- Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
- Release Management: Sanjeev Garg, Microsoft Corporation