"Eight" propositions for application Security management (i)

In the BYOD, cloud computing, large data flooded era, the application is still an enterprise information security can not be ignored dangerous zone, office, business, process, data are inseparable from the application. As a result, all system administrators should take the management of your application and its security as their primary priority. Applications can provide multiple perspectives and systematic management by configuring application security, installing applications into non-standard directories and ports, locking applications, securing Peer-to-peer services, and ensuring code security for your application programmer.

1. Configure the application securely

The application should be configured according to the manufacturer's recommended security settings. The three most common Windows applications that exploit exploits are Microsoft's Outlook (Express language), Internet Explorer, and Microsoft Office suite. These applications may belong to end user workstations, and people need them to work, but they may not belong to your organization's servers. If your server requires high security, remove these applications. Because of the risk of a common vulnerability attack, you should not install e-mail clients such as Outlook or Microsoft Office on your server.

In the end user's PC environment, if you want to keep the application and minimize the risk at the same time. You can apply security patches through regular updates, and if you don't have a higher level of security, be sure to configure them according to the manufacturer's recommended settings. You should have your own security zone settings restrictions in Outlook and Outlook Express. Internet Explorer's Internet zone should be set to medium-high or high. Office provides administrative templates (named ADM files) that you can configure and deploy to use System policy or Group Policy. These can be downloaded from Microsoft's Web site or found in the Office Resource Kit.

Other applications typically use the default security settings, and you can access the vendor's technical support resources to learn more about your security options. Unfortunately, many software vendors do not attach importance to security issues. At this point, you need to use the concepts and practices you learned from this article, and you may need to do some research. If a vulnerability to your application is known, it usually appears on common security sites and mailing lists. One of the sites that contains the most vulnerability messages is sans (www.sans.org). Sans's weekly vulnerability list almost affects all operating system platforms, including Windows, Unix, Linux, Macintosh, FreeBSD, and so on.

2. Protect email

E-mail worms are still the number one threat to computer systems, especially windows that run Outlook or Outlook Express. Most worms are either file attachments or embedded scripts executed as end users. Obviously, you can significantly reduce the exposure risk of your network by protecting e-mail. This can be done by disabling HTML content and blocking potentially malicious file attachments.

All e-mail messages that exceed plain text can be used to maliciously attack the computer. For this reason, it is important to restrict e-mail messages only to plain text, or use pure HTML encoding only if you must use e-mail messages other than plain text. You should disable scripting languages and active content such as ActiveX controls, Java, and VBScript objects. Typically, it's simple to check the e-mail client's checkbox to force all incoming e-mail messages to be rendered in plain text format. Some customers deal with this problem more gracefully than others, and html-only messages can be badly mangled or appear blank during the conversion process. Outlook and Outlook Express allow the active content of an e-mail message to open in an area that is inaccessible to the Internet, which disables content that is beyond the pure HTML format encoding. This is the default setting for Microsoft's newest e-mail client. Earlier clients were more relaxed and could open e-mail messages in the Internet security zone.

If you can block active content execution, then you need to worry about the end user clicking on the malicious HTML link or opening the file attachment. If they have access to the Internet, it is difficult to prevent users from clicking on malicious HTML links. In a Windows environment, you can use Group Policy, the Internet Explorer Management Kit (IEAK), or some other type of Proxy Server filter to allow only end users access to pre-approved sites, but beyond that, you can only rely on end-user education.

3. Prevent dangerous file types

Blocking dangerous file attachments is the best way to prevent attacks and is the preferred method for current e-mail viruses and worms. The big question is "what constitutes a dangerous file type?" The fact is that almost all file types can be used maliciously, and the better question is "what is a commonly used malicious file type?" Table 1 shows the types of Windows files that are typically blocked by organizations that are worried about the various popular attacks that use these file types as vectors. These are popular email server block lists. The list is not small.

Table 1 Common blocked file extensions

As large as table 1, many readers may be able to add other files to the list based on their own experience. Only you can tell what file extensions have an acceptable cost/benefit ratio and are allowed to enter your network. However, there may be a security breach for each file to be extended to your network. For example, the Visual basic script (. vbs) file is one of the most common malicious file types for e-mail worms and viruses. While it is rare for people to send a. vbs file to each other for legitimate reasons, it makes sense to prevent the. vbs file from automatically entering your network when the worm and virus always do so.

A dangerous file name extension can be blocked on an Internet gateway device, an e-mail server, or an e-mail client. A large number of commercial and open source projects exist to prevent file attachments from being on gateways and e-mail servers. In addition, most antivirus vendors offer e-mail server antivirus solutions.