ASP.NET 2.0 Application Security Enhancement Overview

Source: Internet
Author: User
ASP.NET 2.0 is currently one of the core technologies for Web development. It helps enterprises quickly develop powerful Web applications and is favored by developers. However, when developers implement business logic, the security of applications always falls short for various reasons. The main purpose of this article is to help developers enhance the security of ASP.NET applications. Improving the security of ASP.NET applications involves many aspects, such as secure code, the operating system, communication protocols, and hardened configuration of Microsoft ASP.NET itself. This article therefore covers general guiding principles, the operating system, the database server, the Web server, and ASP.NET.

General Guiding Principles

The following lists some general guiding principles for security enhancement. Compliance with these rules usually makes the system and applications more secure, and vice versa.

(1) Give each server a single, clearly defined role. It is common to see one server filling multiple roles: it provides Web services, handles e-mail, acts as a DNS server, and so on. This approach is extremely insecure. First, if a server must support multiple roles, its configuration becomes more complex, and complexity is the natural enemy of security. Second, if a weakness is found in a component that allows system-level access, the security of all other services on the same computer is compromised. Third, if one server hosts many functions, losing that server for any reason means losing several network services at once.

(2) Minimize the software and services on the server. After determining the role of the server in the network, delete all software and services that do not belong to this role, especially services that open ports and process network packets. This makes the configuration of the entire system simpler. Because only the services actually in use need updating, patching is greatly simplified. It also reduces the amount of potentially vulnerable code and programs.

(3) Set minimum permissions. That is, each user or process in the system should have only the permissions necessary to complete its work. In addition, Web applications should always run in a security context with minimum permissions and access only the resources they need. This may involve the built-in Network Service account or a custom user account. Do not use a high-privilege account, such as an administrator or the SYSTEM account.

(4) Install patches in a timely and comprehensive manner. All components on the server (such as the operating system, the database, and the Microsoft .NET Framework) should receive the latest security patches promptly. The necessity and importance of this are obvious.

(5) Configure multiple layers of defense. Several defensive measures should always be in place at the same time. For example, install a firewall, anti-virus software, and packet filters. Even when maintenance personnel have configured such measures, they must not assume that everything is fine. While the maintenance staff are feeling pleased with themselves, those with bad intentions may be smirking too.

(6) Concentrate defenses on the weakest links. Identify the most vulnerable points in an application or system and put additional defensive measures around them, for example the login page in ASP.NET or the remote access gateway on the network. Because these areas are preferred attack targets and are difficult to defend, more monitoring and defensive measures must be added there.

(7) Provide strong authentication. If an application or system is accessed through authentication, that authentication should always be strong, for example by enforcing a mandatory password policy with high password complexity. You should also consider using MFA or alternative technologies, such as one-time passwords.

Enhance Operating System Security

According to the general guiding principles, the first thing to do when installing a new server is to list all the requirements it must meet and the services it must provide. In this regard, Windows Server 2003 is the first operating system to install basic system components and services based on the initial installation settings. I wonder if Windows Server 2008 adopts the same policy. With that done, pay attention to the following security measures.

(1) Enable the automatic update function. After installing all necessary components (for example, IIS and ASP.NET), confirm that the latest security patches are installed. The Windows operating system provides the Automatic Updates service, which regularly checks for new important patches. You can enable it through the automatic update option in Control Panel, so that all security patches are downloaded automatically. Remember that the operating system is at its most vulnerable between initial installation and the installation of all necessary patches. During that window, widespread worms and other viruses can rapidly infect the new system. During installation, do not connect the server directly to a public or untrusted network.

(2) Disable services and protocols. Once you know which services the server requires, you can stop the other services and protocols. The most difficult part is finding out which services are needed and which can be safely stopped. For a simple Web server role (only HTTP(S) is served, and Remote Desktop is used only for management), the services that can be stopped include: Computer Browser, DHCP Client, Distributed File System, Distributed Link Tracking Client, Distributed Transaction Coordinator, Error Reporting Service, Help and Support, Print Spooler, Remote Registry, Secondary Logon, Server, TCP/IP NetBIOS Helper, Wireless Configuration, Workstation, Application Management, File Replication, Portable Media Serial Number Service, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Desktop Help Session Manager, Resultant Set of Policy Provider, Smart Card, Special Administration Console Helper, Telephony, Upload Manager, Windows Installer, WinHTTP Web Proxy Auto-Discovery Service, File and print sharing, NetBIOS over TCP/IP, etc. By default, the operating system enables many services that a Web server does not need. Stopping them improves performance, free memory, and stability, and makes the server less vulnerable to attack. This is the principle of minimizing the software and services on the server put into practice.

(3) Configure and implement packet filtering. Disabling all unnecessary services closes most open ports, which greatly reduces the attack surface of the server. However, some ports cannot be closed, such as TCP/135, which is RPC, a protocol on which Windows operating systems depend heavily. In addition, some other ports should be reachable only from certain networks, for example those used for remote management and Terminal Services. Generally, remote management is allowed only from a LAN, a specific subnet, or a specific IP address, and is not open to the Internet. In this case, install a packet filter locally on the Web server to add a further layer of defense in depth. The Windows operating system has two built-in packet filters: Windows Firewall and Internet Protocol Security (IPSec). Windows Firewall provides a simple interface for closing ports, but it does not restrict outbound connections. IPSec can control both inbound and outbound traffic, but its settings are complex.

(4) Configure Windows file sharing. Few people know that data transferred over Windows file sharing has no protection: by default, it is not encrypted or integrity-protected. Administrators can enable the built-in signing mechanism for this traffic, which makes it more difficult for malicious users to modify network packets. However, if you use the Windows file sharing protocol to transmit sensitive data, the communication should additionally be encrypted. The administrator can enable signing in "Local Security Policy". If confidentiality is required, we recommend using IPSec to set up transport-level security between the computers that exchange protected data.

(5) Enable auditing. The Windows operating system provides an audit function that records successful or failed logins, policy changes, and resource access. Enabling auditing takes two steps: first enable system-level auditing, then specify the resources to be audited. The Security Configuration Wizard performs both steps automatically. The operating system also allows the administrator to adjust the configuration manually in the Local Security Policy window.
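A check for item (2) above, as an added PowerShell example that is not part of the original article: it compares the article's list of unneeded services with what is installed on the local machine and only reports, it changes nothing. It assumes PowerShell 3.0 or later (for Get-CimInstance) and that the display names match the Windows version in use; the function name Get-UnneededService is hypothetical.

```powershell
# Display names from item (2): services a simple Web server role does not need.
# "File and print sharing" and "NetBIOS over TCP/IP" are left out because they are
# network component settings rather than entries in the service list.
$notNeeded = @(
    'Computer Browser', 'DHCP Client', 'Distributed File System',
    'Distributed Link Tracking Client', 'Distributed Transaction Coordinator',
    'Error Reporting Service', 'Help and Support', 'Print Spooler',
    'Remote Registry', 'Secondary Logon', 'Server', 'TCP/IP NetBIOS Helper',
    'Wireless Configuration', 'Workstation', 'Application Management',
    'File Replication', 'Portable Media Serial Number Service',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Remote Desktop Help Session Manager', 'Resultant Set of Policy Provider',
    'Smart Card', 'Special Administration Console Helper', 'Telephony',
    'Upload Manager', 'Windows Installer',
    'WinHTTP Web Proxy Auto-Discovery Service'
)

# Hypothetical helper: report baseline services that are still enabled or running.
function Get-UnneededService {
    param(
        [string[]]$Baseline,
        # Objects with DisplayName, Name, State and StartMode; defaults to the local machine.
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($displayName in $Baseline) {
        $svc = $Services | Where-Object { $_.DisplayName -eq $displayName }
        if (-not $svc) {
            # Name not present on this Windows version: reconcile by hand.
            [pscustomobject]@{ DisplayName = $displayName; Name = $null
                               State = 'NotFound'; StartMode = $null
                               Action = 'Review name' }
        }
        elseif ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled') {
            [pscustomobject]@{ DisplayName = $displayName; Name = $svc.Name
                               State = $svc.State; StartMode = $svc.StartMode
                               Action = 'Candidate to stop and disable' }
        }
    }
}

Get-UnneededService -Baseline $notNeeded |
    Sort-Object Action, DisplayName |
    Format-Table -AutoSize
```

Services reported as NotFound usually carry a different display name on that Windows version, so confirm each one before treating the baseline as met.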

Strengthen Database Server Security

Most Web applications involve databases. Therefore, it is important to strengthen the security of database servers. In addition to the preceding security measures, consider the following:

(1) A database is usually composed of multiple services (such as the database engine, full-text search, and messaging), some of which are required while others are not. For example, the Attack Surface Wizard in Microsoft SQL Server 2005 can be used to select the services to be enabled.

(2) Most databases support the concept of schemas. Create a separate schema for the application and its data. The application account and its users should access only the application's schema. This makes access management easier and also prevents the application from accessing system data or data in other schemas.

(3) If possible, do not grant applications or users direct access to tables. Wrap all database functions of the application in stored procedures and grant the Execute permission on those stored procedures. You can then remove access to the base tables. This greatly simplifies permission management and reduces the attack surface of the database.

(4) If possible, restrict access to metadata. For example, SQL injection attacks rely on the application being allowed to query metadata, such as database, table, and column names.

(5) Use integrated authentication wherever possible. In this way, passwords are not stored in configuration files or code.

(6) Most databases transmit data in plain text. Administrators should check which transport security options the database system offers and enable them. For example, SQL Server supports Secure Sockets Layer (SSL). If the database system has no built-in transport security, you can use IPSec to protect database communication.

Improve Web server security

Improving Web server security involves a lot of content, but there is nothing to fear. The key for administrators is to determine which types of activity are permitted, the security context in which applications run, and the resources those applications should access. Specifically, you can improve security in the following ways.

(1) Configure the application pool. The application pool represents the worker process in IIS 6. Each application pool contains a w3wp.exe instance that hosts the CLR, ASP.NET, and the applications. Administrators can configure many aspects of this worker process, such as recycling settings and health monitoring, to improve security.

(2) Configure appropriate Web service extensions. "Web service extensions" is a strange name, but these settings define what kinds of activity are allowed on the server. In short, this is a global list of the ISAPI extensions and CGI gateways that can be called. Administrators should allow only the server technologies they really need, such as ASP.NET.

(3) Delete unnecessary Web content from the server, for example sample applications, product documentation files, or unused applications. The more executable code there is on the server, the more likely it is to be exploited in an attack. Sample applications in particular have long been a weak point. Similarly, move the Web application directory to a non-system partition. This prevents all types of directory traversal attacks.

(4) Consider whether to remove the HTTP headers configured in IIS. For example, remove X-Powered-By: ASP.NET. You can find this setting in the IIS MMC, in the Web site Properties dialog box under HTTP Headers.

(5) Configure logs for each site. By default, the Referer field is not recorded. To analyze where users were referred to the site from, you must enable this field manually. Note: place logs on a separate partition and back them up regularly. Once logs are being recorded, remember to analyze them with tools, for example LogParser.

(6) Check incoming requests. You can use URLScan for this task. URLScan is an ISAPI filter that defines rules by whitelist or blacklist, such as the extensions, verbs, URL sequences, and headers that are allowed or denied. In addition, you can specify the maximum length of the entity, query string, and headers, and remove the Server header from the HTTP response.

(7) Adjust the access control lists. The administrator must adjust the ACLs on three different directories, which can be done with the Aspnet_regiis tool. However, you are advised to adjust them manually to a minimum-permission configuration. The directories are the Web application files, the temporary assembly directory, and the Temp directory.

(8) Enable SSL. If an application processes sensitive data, always enable and use SSL. This has two advantages. First, SSL authenticates the server, so the user can be sure the session is with the correct server before entering any sensitive data (such as a password). Second, after server authentication, all transmitted data is encrypted and integrity-protected.

(9) Set an appropriate authentication method. The administrator must be very clear about the authentication method settings. The IIS diagnostic toolkit includes the AuthDiag tool, which can check authentication methods, ACLs, and process permissions.

Strengthen ASP.NET Configuration

After implementing the security measures described above, some configuration is needed to improve the security of ASP.NET itself. Here, administrators should pay attention to locking the ASP.NET configuration, to security-related configuration items, and to pre-compilation.

(1) Lock the configuration. ASP.NET uses a hierarchical configuration system in which lower-level settings automatically inherit the upper-level settings. Configuration can therefore be adjusted per server, per site, or per application. The relevant configuration files are Inetpub\wwwroot\web.config, the web.config files in the application root or its subdirectories, and Windows\Microsoft.NET\Framework\version\Config\web.config and machine.config. Administrators need to understand the roles of the relevant configuration items in these files and adjust them correctly and effectively for the actual situation, for example the security-related configuration attributes allowDefinition and requirePermission.

(2) Pay attention to security-related configuration items. The web.config file introduced in the previous section contains many security-related configuration items. Due to space limitations, I will only list these configuration items. For more information, see MSDN. Security-related configuration items are <deployment>,

(3) Pre-compile. By default, ASP.NET applications are compiled on demand; that is, pages and controls are compiled when they are first used. This implies that all the code that makes up the application must be available to ASP.NET at run time, including pages, code-behind, and App_Code classes. Obviously, this is not suitable for a real production environment. If you pre-compile the application before deployment, you need to deploy only the binaries and configuration files. We recommend the Web Deployment Project, a new add-in for Visual Studio, which provides some useful additional options. There are many pre-compilation methods to choose from, and this too is something developers and administrators need to consider seriously.
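An audit sketch for item (1) above, as an added PowerShell example that is not part of the original article: it reads the allowDefinition and requirePermission attributes of each section declaration and lists settings in <location> blocks that lower-level web.config files may still override. The embedded XML is a constructed sample (real declarations also carry a type attribute), the appSecrets section and both function names are hypothetical, and allowOverride is the standard <location> attribute rather than something the article names.

```powershell
# Constructed sample standing in for a machine-level config file (not a real machine.config).
$sample = [xml]@'
<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="trust" allowDefinition="MachineToApplication" />
      <section name="deployment" allowDefinition="MachineOnly" />
      <section name="customErrors" />
      <section name="appSecrets" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <location allowOverride="false">
    <system.web><trust level="Medium" /></system.web>
  </location>
  <location path="Default Web Site/app1">
    <system.web><customErrors mode="RemoteOnly" /></system.web>
  </location>
</configuration>
'@

# Report where each declared section may be set and whether reading it needs permission.
function Get-SectionPolicy {
    param([xml]$Config)
    foreach ($s in $Config.SelectNodes('/configuration/configSections//section')) {
        $scope = $s.GetAttribute('allowDefinition')
        if (-not $scope) { $scope = 'Everywhere' }   # default when the attribute is absent
        $perm = $s.GetAttribute('requirePermission')
        if (-not $perm) { $perm = 'true' }           # default when the attribute is absent
        [pscustomobject]@{
            Section           = $s.GetAttribute('name')
            AllowDefinition   = $scope
            RequirePermission = $perm                # 'false': readable by partially trusted code
            SettableInSubdirs = ($scope -eq 'Everywhere')
        }
    }
}

# List settings inside <location> blocks that are not locked with allowOverride="false".
function Get-OverridableLocation {
    param([xml]$Config)
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        if ($loc.GetAttribute('allowOverride') -ne 'false') {
            foreach ($child in $loc.SelectNodes('*/*')) {
                [pscustomobject]@{ Path = $loc.GetAttribute('path'); Setting = $child.LocalName }
            }
        }
    }
}

Get-SectionPolicy $sample | Format-Table -AutoSize
Get-OverridableLocation $sample | Format-Table -AutoSize
```

On the sample, customErrors and appSecrets show as settable in subdirectories, and the customErrors setting under "Default Web Site/app1" is listed as overridable, while the locked trust level is not.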

Summary

Most of the content in this article is equivalent to a checklist. Developers and managers can use it for comparative check during deployment and configuration. Of course, security cannot be generalized. It is usually determined according to the environment, but I believe that the guiding principles in this article can be a good foundation. Following these principles and implementing certain measures can eliminate many serious security problems.
