Presentation is loading. Please wait.

Presentation is loading. Please wait.

Common Security Mistakes

Published byVerity Dickerson Modified over 6 years ago

Similar presentations

Presentation on theme: "Common Security Mistakes"— Presentation transcript:

1

2 Common Security Mistakes
Security Awareness Incident Response Poor Password Management Bad administrative practices Over-privileged Users Unused Services Unsecured Servers Mis-configured Edge Devices Poor Auditing/Logging Practices Poor Data Access Control

3 Internal Users External Users SharePoint Server Anonymous

4 Windows Authentication
Anonymous Access Access to users without server accounts Enabled in IIS Disabled in SharePoint 2007 Windows Authentication Pluggable authentication Independent identity Custom code ASP .NET Authentication Pluggable authentication Independent identity Custom code

5 Administrator: Full Control over logs Ability to restore from backup Administrator: Full Control over data Full Control over logs Ability to restore from backup Busy Content Owner: Full Control over data Responsible for data Ability to restore from Recycle Bin Content Owner: Responsible for data

6 Second-level Recycle Bin
Site Collection Administrators Central Administrators Default full access Fix lockouts Second-level Recycle Bin Grant self-access Logged-on Event Log Unremoveable permissions

7 Owners Visitors Members
Full control access Visitors Read-only access Members Lists and libraries

8 Permission Levels Full Control Design Contribute Read Fine Grained
Owners Full Control Design Contribute Read Fine Grained Visitors Members

9 Author defines permissions to file.
Recipient Author defines permissions to file. Document is encrypted with symmetric key. RMS server encrypts the file with a public key and adds it to publishing license. Author distributes the file. Recipient opens a protected file RMS server validates permission and issues license to decrypt the file. File is opened. Recipient is limited to tasks defined by permissions Windows Server 2003 with RMS Database Server Active Directory Server

10 User Downloads Document
Role Matched to Library License to Decrypt Issued Permissions Granted

11

12 SQL Server 2005 Security Windows Server SQL Server Database Monitoring
Domain Policies SQL Server Connections Logins Database Schema Catalog Monitoring Triggers Notification SQL Server 2005 Security

13 Schema Object Permissions

14 ALTER ANY LINKED SERVER
Object SELECT Database CREATE TABLE Schema ALTER

15 Secure by default Surface Area Configuration Encryption HTTP Endpoints

16 Services and features off by default Local connections only
SAC to enable services / features Windows Server 2003 SQL Server 2005 Upgrade preserves settings Other services / features disabled SAC to enable services / features Windows Server 2003 SQL Server 2000 SQL Server 2005

17 “An Endpoint is a point of entry into SQL Server”
Shared Memory Named Pipes TCP Virtual Interface Adapter HTTP (Windows 2003 Only) HTTP Transport is not created by default HTTP Endpoints support 4 authentication types for web methods Anonymous access is not allowed Communications can be secured with SSL

18 Single shared key Very fast Not for module signing Symmetric Individual keys Slower than symmetric Used for module signing Asymmetric Includes Certificate Authority Validates encryption keys Used for module signing Certificate

19 Login and DDL Triggers Eventdata Function
Login triggers fire after login DDL triggers fire on alteration Server or database level Logging and auditing Login and DDL Triggers What fired a trigger Type, SPID, User, Time, Code Returns XML data Eventdata Function

20 Re-think content ownership and permissions
Understand changes in SharePoint data access Inventory applications using a database Secure connectivity to servers Virtual machines need the same attention

21 Daily Bi-Weekly Monthly
1. IT Pro Blogs Bi-Weekly 2. TechNet Flash Newsletter microsoft.ca/technet/tnflash/default.aspx Monthly 3. TechNet Security Newsletter microsoft.ca/technet/securitynewsletter

22 Q & A

23

Download ppt "Common Security Mistakes"

Similar presentations

Server 2012 R2 Essentials - What’s new ? Bart #techninebe Technine Group.

Server 2012 R2 Essentials - What’s new ? Bart #techninebe Technine Group.
Login dan Permission dfd, 2012. Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.

Login dan Permission dfd, Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)

Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Securing Microsoft® Exchange Server 2010

Securing Microsoft® Exchange Server 2010
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.
Module 7: Fundamentals of Administering Windows Server 2008.

Module 7: Fundamentals of Administering Windows Server 2008.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Similar presentations

Ads by Google