Presented By:

Bryan Miller
CCIE, CISSP
Introduction


    Threats


    Attack Vectors


    General Best Practices


    Web Server Security


    Database...
Biography




      25+ Years in Information Technology
    
     Positions at VCU, Circuit
      City, DiVX, Cabletron...
Web and database servers continue to grow in

    complexity.
    Applications are generally written with security as an
...
Common web server vulnerabilities




      SQL Injection
    
     Cross Site Scripting (XSS)
     Cookie tampering
 ...
Common database server vulnerabilities




        Incorrect permissions
    
        Account management
    
        D...
Start with the operating system




         Develop a hardening procedure with checklists
    
         When building ...
Start with the operating system




         Develop a hardening procedure with checklists
    
         Ensure that al...
Start with the operating system




         Develop a hardening procedure with checklists
    
         Configure logg...
Moving on to the Application




      After installing the web or database server
    
      application, ensure that a...
Moving On to the Application




        Modify the host-based IDS/IPS if necessary to
    
        accommodate the new ...
Moving On to the Application




      Enable logging of critical security events.
    
     Test the application from ...
Don’t forget about the network




        Control access to the servers using ACL’s where
    
        appropriate
    ...
Some general best practices




        Install the web application data (the web site) on a
    
        different driv...
Some general best practices




        Remove all demo programs and any unnecessary
    
        components of the web ...
IIS specific best practices




      Where possible, use the latest version of the web
    
      server software.
    ...
IIS specific best practices




        Remove Internet printing (IPP).
    
        Remove all sample/help directories....
Apache specific best practices




      Whenever possible, compile the application from
    
      known source code. A...
Apache specific best practices




        Change the “Server:” token in the HTTP response
    
        header to disgui...
Apache specific best practices



        Remove all unnecessary directories and set proper
    
        file permission...
MS SQL Best Practices




        Ensure the SA account has a non-blank password.
    
        This also applies to MSDE...
MySQL Best Practices




        Always set a password for the “root” account.
    
        Apply application patches as...
MySQL Best Practices




        If remote access is not needed, disable TCP/IP
    
        support.
        Chroot the...
Oracle Best Practices

        Always change the account passwords for the
    
        default Oracle accounts, especia...
Oracle Best Practices




      Set the proper permissions for low-privilege
    
      accounts such as dbsnmp
     Re...
Oracle Best Practices



      Configure a password in the Listener service.
    
     Configure appropriate logging on...
PHP Best Practices



      Run only the latest versions of PHP.
    
     Make sure you validate all user input.
    ...
PHP Best Practices



      Be very careful with global variables.
    
     Make sure “magic_quotes_gpc ” support is d...
Operating System




        Microsoft Baseline Security Analyzer
    
        Microsoft Windows Server Update Services
...
Web Servers




        URLScan 3.1 (IIS 5.1-7)
    


        IISLockdown 2.1 (IIS < 6.0)
    


        Nikto (Perl)
...
Web Servers



        Nessus
    


        Wget
    


        THCSSLCheck
    


        Proxies: Achilles, Paros, ...
Database Servers




        MS SQL
    


         Cain/Abel
         SQLDict
         SQLForce
         SQLPing3

...
Database Servers



        Oracle
    


         Cain/Abel
         TNSCMD (Perl)
         WinSID
         CheckPW...
Database Servers



        MySQL
    


         Cain/Abel




                      Copyright 2009 Syrinx Technologie...
Thank You Very Much for Your
      Time and Attention!




       Copyright 2009 Syrinx Technologies   35
Upcoming SlideShare
Loading in …5
×

Web Database Server Best Practices

1,632 views

Published on

Some best practices for building and securing web and database servers, including IIS, Apache, Oracle, MS SQL and MySQL.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,632
On SlideShare
0
From Embeds
0
Number of Embeds
14
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Web Database Server Best Practices

  1. 1. Presented By: Bryan Miller CCIE, CISSP
  2. 2. Introduction  Threats  Attack Vectors  General Best Practices  Web Server Security  Database Security  Free Tools  Questions  Copyright 2009 Syrinx Technologies 2
  3. 3. Biography  25+ Years in Information Technology   Positions at VCU, Circuit City, DiVX, Cabletron, Dataline, SyCom Technologies, Packet360  CCIE, CISSP, M.S. in Computer Science  President, Syrinx Technologies LLC Copyright 2009 Syrinx Technologies 3
  4. 4. Web and database servers continue to grow in  complexity. Applications are generally written with security as an  afterthought. New vulnerabilities are discovered every day in  operating systems, application servers and in the applications themselves. Exploits have become very easy to obtain and use.  Copyright 2009 Syrinx Technologies 4
  5. 5. Common web server vulnerabilities  SQL Injection   Cross Site Scripting (XSS)  Cookie tampering  Directory traversals  Privilege escalation  Session hijacking  Web defacements Copyright 2009 Syrinx Technologies 5
  6. 6. Common database server vulnerabilities  Incorrect permissions  Account management  Data theft (Confidentiality)  Data manipulation (Integrity)  Denial of service (Availability)  Copyright 2009 Syrinx Technologies 6
  7. 7. Start with the operating system  Develop a hardening procedure with checklists   When building the server, always apply the latest patches and update as needed.  Remove all unnecessary services, protocols, accounts, applications, etc.  Where possible, install some form of host-based intrusion detection/prevention (IDS/IPS) software. Copyright 2009 Syrinx Technologies 7
  8. 8. Start with the operating system  Develop a hardening procedure with checklists   Ensure that all system account passwords are not easily guessed, cannot be found in dictionaries and comply with all applicable password policies.  Always hardcode TCP/IP configuration information.  Ensure that proper file permissions are configured correctly on all critical directories/files. Copyright 2009 Syrinx Technologies 8
  9. 9. Start with the operating system  Develop a hardening procedure with checklists   Configure logging on critical system events, such as failed logon attempts.  Ensure that appropriate anti-virus software is installed and configured properly.  Whenever possible, install and configure the server in a lab environment without direct access to the corporate network or the Internet. Copyright 2009 Syrinx Technologies 9
  10. 10. Moving on to the Application  After installing the web or database server  application, ensure that any hotfixes, security patches or other necessary updates are installed.  Ensure that any application-layer account passwords are not left blank, at their defaults or set to anything that can be easily guessed using brute-force tools.  Ensure proper application-layer permissions are set at every layer of the application. Copyright 2009 Syrinx Technologies 10
  11. 11. Moving On to the Application  Modify the host-based IDS/IPS if necessary to  accommodate the new application. If any remote access or control components are  installed, ensure that they use some form of robust encryption (not Telnet!). Put procedures in place to ensure that any  application patches are installed along with operating system patches. Copyright 2009 Syrinx Technologies 11
  12. 12. Moving On to the Application  Enable logging of critical security events.   Test the application from a security perspective before loading any test or live data.  Encrypt data whenever possible – “at rest” and “in motion” Copyright 2009 Syrinx Technologies 12
  13. 13. Don’t forget about the network  Control access to the servers using ACL’s where  appropriate Only open the minimum ports and protocols  necessary Use both ingress and egress filters where  appropriate Copyright 2009 Syrinx Technologies 13
  14. 14. Some general best practices  Install the web application data (the web site) on a  different drive than the operating system. This eliminates a class of attacks called “directory traversals”. Make sure to change all default application-layer  passwords. Copyright 2009 Syrinx Technologies 14
  15. 15. Some general best practices  Remove all demo programs and any unnecessary  components of the web server application. Run as many security testing programs as possible  before releasing the server for daily use. Copyright 2009 Syrinx Technologies 15
  16. 16. IIS specific best practices  Where possible, use the latest version of the web  server software.  Unmap any application mappings not being used.  Where possible, limit the HTTP verbs that specific pages will accept.  For static pages, limit all access to HTTP GET only. Copyright 2009 Syrinx Technologies 16
  17. 17. IIS specific best practices  Remove Internet printing (IPP).  Remove all sample/help directories.  Rename O/S Administrator account.  Copyright 2009 Syrinx Technologies 17
  18. 18. Apache specific best practices  Whenever possible, compile the application from  known source code. Always check the MD5 or PGP checksums.  Chroot the server so directory traversal attacks are eliminated.  Run the web server process as a non-root user. Copyright 2009 Syrinx Technologies 18
  19. 19. Apache specific best practices  Change the “Server:” token in the HTTP response  header to disguise the web server type. Lock the password for this user and disable shell  access. Disable any unnecessary modules.  Copyright 2009 Syrinx Technologies 19
  20. 20. Apache specific best practices  Remove all unnecessary directories and set proper  file permissions. Create appropriate startup, reload and shutdown  scripts. Copyright 2009 Syrinx Technologies 20
  21. 21. MS SQL Best Practices  Ensure the SA account has a non-blank password.  This also applies to MSDE-based applications Never configure the SA password to be the same as  any other account, especially the O/S Administrator password. Remove all unnecessary stored  procedures, especially “xp..cmdshell”. Copyright 2009 Syrinx Technologies 21
  22. 22. MySQL Best Practices  Always set a password for the “root” account.  Apply application patches as appropriate.  Always run the database server process as a non-  root user whenever possible. Delete the “test” database and the default “user”  account. Copyright 2009 Syrinx Technologies 22
  23. 23. MySQL Best Practices  If remote access is not needed, disable TCP/IP  support. Chroot the database process if possible.  Copyright 2009 Syrinx Technologies 23
  24. 24. Oracle Best Practices  Always change the account passwords for the  default Oracle accounts, especially the following:  sys  system  dbsnmp  outln  ctxsys  ordsys  mtssys  mdsys  wksys Copyright 2009 Syrinx Technologies 24
  25. 25. Oracle Best Practices  Set the proper permissions for low-privilege  accounts such as dbsnmp  Remove the “scott/tiger” account.  Disable all unnecessary accounts. Copyright 2009 Syrinx Technologies 25
  26. 26. Oracle Best Practices  Configure a password in the Listener service.   Configure appropriate logging on security-related events.  Apply application patches as appropriate. Copyright 2009 Syrinx Technologies 26
  27. 27. PHP Best Practices  Run only the latest versions of PHP.   Make sure you validate all user input.  Use session info instead of cookies.  Avoid using variables in Include statements.  Turn off the display of error messages. You can still log them to a file. Copyright 2009 Syrinx Technologies 27
  28. 28. PHP Best Practices  Be very careful with global variables.   Make sure “magic_quotes_gpc ” support is disabled.  Set “safe mode on” – test before production.  Set file extension for all include files to “.PHP”.  Store include files outside of the document root directory. Copyright 2009 Syrinx Technologies 28
  29. 29. Operating System  Microsoft Baseline Security Analyzer  Microsoft Windows Server Update Services  Nessus  Nmap  Foundstone SuperScan 4  Metasploit  Copyright 2009 Syrinx Technologies 29
  30. 30. Web Servers  URLScan 3.1 (IIS 5.1-7)  IISLockdown 2.1 (IIS < 6.0)  Nikto (Perl)  N-Stalker (free and commercial)  Copyright 2009 Syrinx Technologies 30
  31. 31. Web Servers  Nessus  Wget  THCSSLCheck  Proxies: Achilles, Paros, WebScarab  Copyright 2009 Syrinx Technologies 31
  32. 32. Database Servers  MS SQL   Cain/Abel  SQLDict  SQLForce  SQLPing3 Copyright 2009 Syrinx Technologies 32
  33. 33. Database Servers  Oracle   Cain/Abel  TNSCMD (Perl)  WinSID  CheckPWD Copyright 2009 Syrinx Technologies 33
  34. 34. Database Servers  MySQL   Cain/Abel Copyright 2009 Syrinx Technologies 34
  35. 35. Thank You Very Much for Your Time and Attention! Copyright 2009 Syrinx Technologies 35

×