Advanced Web-based Programming (Web-based Programming Lanjut), Session 13. Course: M0492 / Web-based Programming Lanjut. Year: 2007
Posted: 21-Dec-2015

Page 1: Advanced Web-based Programming (Web-based Programming Lanjut), Session 13. Course: M0492 / Web-based Programming Lanjut. Year: 2007.


Page 2

Bina Nusantara

Securing Your Server

• What is Security?
  – Problems on the Internet with Security
  – Security Policies

• Securing IIS

• SQL Server and ODBC Security

Page 3

What is Security?

• Problems on the Internet with Security
Ranging from intercepting base-level packet data all the way through to accessing systems using bad passwords that are easily guessed.

Try and break into your ASP Web site while it’s still on the development server and hasn’t gone live yet.

Keep up to date with those sites which detail the latest hacking tools and automated attacks.
• http://www.rootshell.com
• http://www.hackers.com
• http://www.dark-secrets.com

Page 4

What is Security?

• Problems on the Internet with Security

– Malicious Attacks/Vandalism
Attackers will steal passwords or find some other method to get into your system and then deface your Web sites. Vandals can also get into your system through FTP and telnet clients, so don’t enable either service unless it is a total must.

– Impersonation / IP Spoofing
A ploy where attackers disguise themselves as someone else, usually someone with access to your system. This can be a fair problem for those servers using IP-based and/or user authentication.

Page 5

What is Security?

The most important layer to look at is the source host, which defines where our piece of information (the packet) came from.

Attackers can fake the source host of a packet, making a machine believe that it came from somewhere it did not. This technique is known as IP spoofing.

Use a firewall to check whether packets could actually have come from the source host they claim.

Layer: Description
Source Host: The machine the packet (unit of data) came from
Source Port: The port the packet came from
Destination Host: The destination of the packet
Destination Port: The destination port of the packet
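As an added, defender-side illustration (not part of the original slides) of the check the firewall is asked to perform: a small Python packet filter that drops packets whose source host is implausible for the interface they arrived on. The address blocks, the interface names and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: the address block behind our firewall, and blocks
# that can never be a legitimate source address arriving from the Internet.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

@dataclass
class Packet:
    iface: str        # "ext" = Internet side of the firewall, "int" = LAN side
    src_host: str     # the four header fields from the slide's table
    src_port: int
    dst_host: str
    dst_port: int

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def check_source(pkt):
    """Is the claimed source host plausible for the arrival interface? -> (verdict, reason)"""
    src = ipaddress.ip_address(pkt.src_host)
    if pkt.iface == "ext":
        # Our own addresses cannot legitimately arrive from the Internet: spoofed.
        if _in_any(src, INTERNAL_NETS):
            return "drop", "internal source address arriving from the Internet"
        if _in_any(src, BOGON_NETS):
            return "drop", "unroutable source address on the external interface"
    elif pkt.iface == "int":
        # Outbound traffic must carry one of our addresses (egress filtering).
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "outbound packet with a source address we do not own"
    return "allow", "source host plausible for this interface"

def filter_packets(packets):
    return [check_source(p)[0] for p in packets]

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("ext", "198.51.100.7", 40001, "203.0.113.10", 80),   # ordinary web visitor
    Packet("ext", "203.0.113.5", 40002, "203.0.113.10", 1433),  # claims to be our own host
    Packet("ext", "10.1.2.3", 40003, "203.0.113.10", 21),       # private address from outside
    Packet("int", "203.0.113.20", 40004, "198.51.100.7", 443),  # ordinary outbound request
    Packet("int", "192.0.2.99", 40005, "198.51.100.7", 25),     # LAN host forging its source
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.iface, pkt.src_host, "->", pkt.dst_host, check_source(pkt))
```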

Page 6

What is Security?

• Security Policies

Keep and maintain an up-to-date security policy. The most dangerous person on your network is one who knows what to do. Security policies must be set in place and enforced by the writers of the policy itself.

– Anatomy of a Security Policy
• User requirements
• Managerial responsibilities
• Administrator’s responsibilities

Page 7

What is Security?

– User Requirements
• Which systems do users need access to?
• What type of access will each user need? Full read/write access or the least access possible? How about people on the Internet who use the system as the anonymous user?

• At what times will users access these systems? Most security breaches take place out of hours, so putting in restrictions based on the time of day would seem good sense.

• Do users require username and password authentication? If so, some rules on choosing passwords would be in order, alongside rules not to divulge them to anyone else or write them down in plain sight. Make plans for dial-up users accessing the system from home via modem or ISDN.

Page 8

What is Security?

– User Requirements (cont.)
• Will users require IP-based authentication?
• Do these particular users fit into a logical grouping? For example, those users in accounts needing access to finance records, those in sales needing a certain level of product info, and those in supply logistics needing another type of product info.

• Will certain areas of the system that users visit require a certain level of encryption? It’s not necessary to secure book information on amazon.com, but it’s very necessary to offer an encrypted area where people can fill in their credit card information.

Page 9

What is Security?

– Managerial Responsibilities
Place some of the responsibility for the network on the managers, by explaining what security measures are to be put in place and the security risks that can arise if they are not followed.

– Administrator Responsibilities
• What action to take if a break-in occurs.
• What action to take if users violate the policy.
• How to set up new user accounts, new user group policies, file and directory permissions, etc.
• Backup strategy. What kind of backup media to use. When and what kind (full or incremental) of backup to perform. Where to store the backups, and an emergency recovery plan should all go wrong.

Page 10

What is Security?

– Administrator Responsibilities (cont.)
• Hardware maintenance. How up-to-date should your servers be? When to upgrade them and what to upgrade? BIOS? Network card? Other pieces of hardware?

• Software versions: if a new version, service pack, update or fix becomes available from the vendor, the administrator should be aware of it and make a reasoned decision whether or not to install it. A record should be kept of what has been installed on the servers.

• Operating System versions. As with software, any new version, upgrade or patch to the operating system needs to be rigorously tested on an isolated machine before it’s applied to the live servers.

• Log files should be checked on a daily basis to see that users are doing what they’re supposed to be doing. If not, action should then be taken.

Page 11

Securing IIS
• Install as few components as possible
• Create a logical securable directory structure
• Keep a wafer-thin server

– The sample applications and IIS SDK located in C:\inetpub\iisamples\ are surplus baggage on a live server.

– Likewise, the Admin Scripts installed at C:\inetpub\adminScripts\ can be deleted.

– The Default Web Site in IIS is also a candidate for deletion as its physical root is usually on the server’s primary boot partition.

– If your online application does not make use of the scripting runtime library objects or the ASP server components, you can unregister them by choosing Run from the Start menu and typing:

regsvr32 xxx.dll /u

(where xxx.dll is the DLL of the component to unregister)

• Shore up your RDS security

Page 12

Securing IIS

• Don’t index your back-end code
• Set up your web logs and secure them
• Restrict access to the site by filtering IP addresses
• Configure your web application with care

Page 13

SQL Server and ODBC Security

• Securing the sa Account

1. Launch SQL Server Enterprise Manager

2. Connect to the SQL Server that holds your database

3. Open the Security folder

4. Click on Logins.

5. Right-mouse click on the sa account and select Properties.

6. Replace the password with a new one.

7. Click on OK.

8. You will be prompted to re-enter the password for verification.

Page 14

SQL Server and ODBC Security

• Creating a SQL Database Role in Enterprise Manager

– Open the folder for the database your pages work with.
– Select Roles.
– Right-mouse click in the open area and select New Database Role.
– Give the role a name in the text box and select OK.
– Right-mouse click on the newly added role and select Properties.
– Click on the Permissions button.

The resulting dialog will allow you to specify access permissions for each of the database’s related objects.

Page 15

SQL Server and ODBC Security

• Creating an alternate account for database access

1. Open the Security folder.
2. Select Logins.
3. Right-mouse click in the open white area of the screen and select New Login.
4. Type the user ID in the Name text box.
5. Click SQL Server Authentication and enter the password in the Password text box.
6. Change the default database to your database.
7. Click on the Database Access tab.
8. Permit database access to your database.
9. Permit database role access to the database role that was created for the Web site/Web application.
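An added Python check (not from the original slides) that a practitioner would run after the three procedures above, to confirm the Web application no longer connects as sa: it scans ASP source lines for connection strings and flags sa logins, blank passwords and passwords equal to the login name. The sample lines, the DBSRV server name and the shop_web login are constructed assumptions.

```python
import re
# Constructed sample lines in the style of a legacy ASP include file (assumption).
SAMPLE_LINES = [
    'Conn.Open "Provider=SQLOLEDB;Data Source=DBSRV;Initial Catalog=Shop;User ID=sa;Password="',
    'Conn.Open "DSN=ShopDSN;UID=sa;PWD=sa"',
    'Conn.Open "Provider=SQLOLEDB;Data Source=DBSRV;Initial Catalog=Shop;User ID=shop_web;Password=EXAMPLE_ONLY"',
    'Conn.Open "DSN=ShopDSN;Trusted_Connection=yes"',
]

# Key names that ODBC/OLE DB connection strings use for the login and its password.
USER_KEYS = ("user id", "uid")
PASSWORD_KEYS = ("password", "pwd")

def parse_connection_string(text):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_connection_string(text):
    """Findings for one connection string; an empty list means nothing was flagged."""
    pairs = parse_connection_string(text)
    user = next((pairs[k] for k in USER_KEYS if k in pairs), None)
    password = next((pairs[k] for k in PASSWORD_KEYS if k in pairs), None)
    findings = []
    if user is not None and user.lower() == "sa":
        findings.append("web application logs in as sa; use a dedicated login in a limited role")
    if user is not None and password == "":
        findings.append("SQL Server login with a blank password")
    if user is not None and password and password.lower() == user.lower():
        findings.append("password is the same as the login name")
    return findings

def audit_source(lines):
    """Map 1-based line number -> findings, for every quoted connection string."""
    report = {}
    for number, line in enumerate(lines, start=1):
        for quoted in re.findall(r'"([^"]*)"', line):
            findings = audit_connection_string(quoted) if ";" in quoted else []
            if findings:
                report[number] = findings
    return report

if __name__ == "__main__":
    for number, findings in audit_source(SAMPLE_LINES).items():
        print(f"line {number}: " + "; ".join(findings))
```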