patterns & practices Security Deployment Review Index

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center


J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page provides an index of the resources that will help you to perform deployment reviews for security. You can use deployment reviews to discover security vulnerabilities in application configuration or the deployment environment. The resources use configuration categories to help make deployment reviews for security systematic and repeatable. You can use these categories to break down your application deployment for further analysis and to help identify vulnerabilities. By using categories, you can systematically go through the deployment review process from start to finish or pick a particular category for further analysis.

Contents

Security Deployment Review Approach
How Tos
Checklists

Security Deployment Review Approach

When you review your security deployment, you can organize the precautions you must take and the settings you must configure into categories. By using these configuration categories, you can systematically review the securing process or pick a particular category and complete specific steps. The categories are shown in Figure 1.


Figure 1. Server configuration categories

Table 1 explains the various categories.

Table 1. Server Configuration Categories

Category | Practices
Patches and Updates | Patching and updating your server software is a critical first step.
Accounts | Accounts allow authenticated users to access a computer. These accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Help to prevent brute force and dictionary attacks by using strong password policies, and then use auditing and alerts to detect logon failures.
Auditing and Logging | Auditing is one of your most important tools for identifying intruders, attacks in progress, and evidence of attacks that have occurred. Configure auditing for your server. Event and system logs also help you to troubleshoot security problems.
Files and Directories | Secure all files and directories with restricted permissions that only allow access to necessary services and accounts. Use auditing to allow you to detect when suspicious or unauthorized activity occurs.
Ports | Services that run on the server listen to specific ports so that they can respond to incoming requests. Audit the ports on your server regularly to ensure that a service that is not secured or that is unnecessary is not active on your server.
Protocols | Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication.
Registry | Many security-related settings are stored in the registry. As a result, you must secure the registry. You can do this by applying restricted Windows access control lists (ACLs) and by blocking remote registry administration.
Services | If the service is necessary, secure and maintain the service. Consider monitoring any service to ensure availability. If your service software is not secure, but you need the service, try to find a secure alternative.
Shares | Remove all unnecessary file shares. Secure any remaining shares with restricted permissions.

How Tos

Use the following How To modules to help you perform security deployment reviews:

Checklists

Use the following checklists to help ensure that your review is complete.

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Contributors and Reviewers

  • External Contributors and Reviewers: Jason Taylor, Security Innovation
  • Microsoft Contributors and Reviewers: Shawn Veney (ACE); Don Willits
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
  • Release Management: Sanjeev Garg, Microsoft Corporation
