Document: Module 1: Introduction to Web Security (doc)


Module 1: Introduction to Web Security

Contents
- Overview
- Lesson: Why Build Secure Web Applications?
- Lesson: Using the STRIDE Model to Determine Threats
- Lesson: Implementing Security: An Overview
- Review

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 75 minutes
Lab: 00 minutes
This module provides students with an overview of the terms and concepts of, along with the justification for, Web security. This explanation includes an introduction to the STRIDE model, which can be used to categorize threats to Web applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. After completing this module, students will be able to define the basic principles of, and motivations for, Web security.

After completing this module, students will be able to:
- Describe why it is essential to consider security during Web application development
- Explain the STRIDE model
- Identify the technologies and best practices that can be used to build a secure environment for running Web applications

Required materials
To teach this module, you need Microsoft® PowerPoint® file 2300A_01.ppt.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module
- Complete the practices
- Read Module 11, “Configuring Internet Access for a Network,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure
- Read the TechNet article, “Secure Internet Information Services Checklist,” which is available at http://www.microsoft.com/technet/security/tools/iis5chk.asp
- Read the available information about current worms and viruses on the http://www.microsoft.com/technet/security/virus/default.asp Web site
- Read about the current security issues on the http://www.securityfocus.com Web site
- For information about the monetary loss incurred by companies from viruses, search the Internet for “cost virus.”
- Read Hacking Exposed Windows 2000: Network Security Secrets & Solutions by Joel Scambray and Stuart McClure (New York: Osborne/McGraw-Hill, 2001)

How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: Why Build Secure Web Applications?
This section describes the instructional methods for teaching each topic in this lesson.

Why Is Security So Important?
Begin the lesson with a story about a recent security scare or virus. You can learn about current worms and viruses at http://www.microsoft.com/technet/security/virus/default.asp. You can also receive recent virus information at http://www.ntbugtraq.com, which is a mailing list for the discussion of security exploits. To find information about the cost of not securing a Web application and being attacked, search the Internet for “cost virus.” According to many articles, billions of dollars were lost in 2001.

Here are some virus examples from 2002:
- DoubleTap virus. A Microsoft SQL Server™ virus was found on May 20, 2002. The virus, named DoubleTap or Spida.a.worm, targets SQL Server Web sites that have the system administrator account, sa, set to blank. The virus, written in JavaScript, adds the guest account to the administrator group and then changes the password of the administrator. Finally, this virus sends the server’s password list to an e-mail address on a central service.
- Benjamin virus. A virus known as Benjamin, found in May 2002, is initiating itself from the KaZaa music file swapping service. The virus masquerades as popular songs, videos, and games. Upon infecting a computer, Benjamin creates a new directory, opens that directory to the KaZaa network, and then tries to entice others to download it. The virus is interesting because its author apparently hoped to make money from its propagation. Infected computers are instructed to visit a Web page that is clearly designed to register advertising hits.
- Code Red Internet Information Services (IIS) worm. A malicious piece of code, operating as a computer worm, exploits unpatched IIS servers on the Internet. This worm, called Code Red, exploits a security vulnerability in the Microsoft Windows NT® version 4.0 and Microsoft Windows® 2000 Index Services, and may result in one of several outcomes, including Web site defacement and installation of Denial of Service (DoS) tools. The defaced Web page may contain the words “Hacked by Chinese!” and a link to http://www.worm.com, whereas the DDoS code appears to prepare the system to launch an attack against www.whitehouse.gov. Upon compromising the system, the worm attempts to propagate itself to other unpatched IIS systems on the Internet. A patch for this vulnerability was released on June 18th, 2001, and it is discussed in Microsoft Security Bulletin MS01-033.
- Nimda worm. The official name of the worm is W32/Nimda@MM, but it is generally referred to as the “Nimda” worm. This virus attempts to spread through three different means:
  - E-mail. Infected computers attempt to spread the infection to other users by sending copies of the worm through e-mail.
  - Web servers. Infected computers attempt to pass the infection to Web servers by either locating an already compromised server, or by exploiting a known security vulnerability in IIS. After it is infected, a Web server will attempt to infect the computers of any users that visit it.
  - File shares. Infected computers will search for computers that have been configured to allow anyone to add files to these computers and, upon finding such a computer, will insert infected files onto it.
- VBS/Loveletter virus. The VBS/Loveletter virus circulates through e-mail. If run, the virus attempts to overwrite jpg, mp3, and other file types, and to send a copy of itself to everyone in the recipient’s address book. The e-mail message that contains the virus typically carries a subject line of “ILOVEYOU.” Inside the e-mail message is a short text message that says “Kindly check the attached LOVELETTER coming from me” and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. The attachment is the virus payload. It is important to note that the virus payload cannot run by itself. For the payload to run, the recipient must open the e-mail message, launch the payload by double-clicking it, and click Yes in a dialog box that warns of the dangers of running untrusted programs.

Challenges Involved in Implementing Security
This topic discusses some of the challenges that businesses face when implementing security. One of the major issues is that security is often considered only after the Web application is complete, instead of during the initial design process. Relegating security to an afterthought often makes Web applications more costly to develop and less secure.

Threats to Web-Accessible Assets
Define the term threat and then discuss the different types of Web-accessible assets: tangible and intangible.

Who Are Attackers?
Note that attackers do not always come from outside the organization. Attackers are sometimes internal to the organization and can take the form of either ignorant or disgruntled employees. Discuss the different skill levels of novice, intermediate, and advanced attackers.

What Are Attacks?
Discuss attacker motivation, justification, and opportunity.

Common Types of Attacks
Ask students to think of examples of each type of attack. Students may have heard about attacks in the news or through a security bulletin, or they may have experienced attacks at their own organizations.

How Do Attacks Occur?
If you have an Internet connection in the classroom, you can go to the MSNBC Web site and run the interactive video that demonstrates how a “honey pot” was used to watch an attacker hacking into a system. Go to http://www.msnbc.com/news/437641.asp and click //HACK. You can learn more about the HoneyNet project at the http://project.honeynet.org Web site.

Common Types of Vulnerabilities
Note that students will learn how to address only a few of these vulnerabilities during class. Solutions for some vulnerabilities are discussed in the topic “Best Practices in Building Secure Web Applications,” which appears later in this module.

Lesson: Using the STRIDE Model to Determine Threats
This lesson provides an overview of the STRIDE model. Define each category of threat and provide examples of each category:
- Spoofing identity: If Basic authentication is used in IIS without requiring Secure Sockets Layer (SSL), the user name and password of an authenticated user are sent in clear text over the Internet. If an attacker obtains the user name and password, the attacker can pose as the authenticated user and access the system.
- Tampering with data: The “loveletter” virus changes all jpg files into copies of itself.
- Repudiability: Attackers often delete event logs after they attack a system so that there is no record of the attackers accessing the system.
- Information disclosure: IIS version 4.0 had a weakness that allowed Uniform Resource Locators (URLs) ending in special characters (a trailing "." or a trailing "::$DATA") to return the script source of Active Server Pages (ASP).
- Denial of Service: The Code Red virus attacked unpatched IIS Web servers and installed Denial of Service tools.
- Elevation of privilege: The DoubleTap SQL Server virus adds the guest account to the Administrator group and then changes the password of the administrator. By doing this, attackers can log on as a guest and have the access privileges of the Administrators group.

Practice: Identifying Threats Using STRIDE
This practice provides an opportunity for students to apply the STRIDE model to some common scenarios. The scenarios are actual vulnerabilities that were found in earlier versions of IIS. Students will learn more about the STRIDE model in the context of designing secure Web applications and will apply this model to the design of the lab solution in Module 2, “Planning for Web Application Security,” in Course 2300, Developing Secure Web Applications.

Lesson: Implementing Security: An Overview

Security Technology Overview
This topic introduces the technologies that support the various security technology fields: authentication, authorization, auditing, privacy, integrity, and nonrepudiation. Students will learn more about these technologies throughout Course 2300, Developing Secure Web Applications.

Best Practices in Building Secure Web Applications
In addition to the coding best practices that the students will learn about in class, there are also best practices that typically fall under the Information Technology (IT) Professional job category. The purpose of this topic is to identify a few IT Professional best practices that can be employed immediately to increase the security of existing Web applications.

Enabling Logging
Another best practice that the students should be aware of is event logging and auditing. These tools provide defense against nonrepudiation threats.

Practice: Securing the IIS Default Installation
In this practice, students will make their default installation of IIS more secure by disabling some unneeded subcomponents.

Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview
- Why Build Secure Web Applications?
- Using the STRIDE Model to Determine Threats
- Implementing Security: An Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction
This module provides an overview of the terms and concepts of, along with the justification for, Web security. This information forms the basis for the presentation of Web security, which will be expanded upon throughout the rest of Course 2300, Developing Secure Web Applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. This overview of technologies and best practices is the foundation for further discussions throughout the rest of Course 2300, Developing Secure Web Applications.

Objectives
After completing this module, you will be able to:
- Describe why it is essential to consider security during Web application development
- Explain the STRIDE model
- Identify the technologies and best practices that can be used to build a secure environment for Web applications

Lesson: Why Build Secure Web Applications?
- Why Is Security So Important?
- Challenges Involved in Implementing Security
- Threats to Web-Accessible Assets
- Who Are Attackers?
- What Are Attacks?
- Common Types of Attacks
- How Do Attacks Occur?
- Common Types of Vulnerabilities

Introduction
This lesson defines the term security as it applies to Web-accessible assets. Security can be separated into several categories, and each will be defined and explained in this lesson. This lesson also presents the concepts of vulnerabilities, threats, and attacks, and explains how these concepts interrelate. Finally, you will learn why security is so important by looking at some of the reasons that motivate attackers to attack a Web application, and the corresponding consequences of inadequate Web application security.

Lesson objectives
After completing this lesson, you will be able to:
- Describe the importance of securing a Web application
- Identify the challenges that are involved in implementing Web application security
- Describe some of the motivations for attacker intrusion and the consequences of inadequate Web security
- Define the terms threat, attack, and vulnerability, and explain the interrelationship among them

Lesson: Implementing Security: An Overview
- Security Technology Overview
- Best Practices in Building Secure Web Applications
- Enabling Logging
- Practice: Securing the IIS Default Installation

Introduction
To protect Web applications against the various threat categories, you must have security measures and controls in place. This lesson provides an overview of the technologies that can be used to build a secure solution for running a Web application. This lesson also covers some of the recommended best practices that help in minimizing vulnerabilities and in preventing attacks.

After completing this lesson, you will be able to:
- Identify the technologies that can be used to build a secure Web application
- Describe the best practices that help in minimizing vulnerabilities
- Enable event logging and auditing in Windows 2000, IIS, and SQL Server, and describe the purpose of custom logging

Security Technology Overview

[Slide: three application tiers (User Services, Business Services, Data Services) showing where Authentication and Authorization apply. Authentication: Password, Digital Certificate, Smart Card. Authorization: Windows 2000 ACLs, Windows 2000 User Account Privileges, Permissions, Role-based Security, Role Checking in COM+.]

Introduction
Security can be grouped into six main technology fields: authentication, authorization, auditing, privacy, integrity, and nonrepudiation.

Authentication
Authentication is the process by which an entity verifies that another entity (or principal) is indeed who or what it claims to be. A principal can be a user, some executable code, or a computer. Authentication requires evidence in the form of credentials; evidence can be in one or more of the following forms:
- Something known (such as a password or a secret)
- Something possessed (such as a smart card or a digital certificate)
- Something unique about the principal (for example, in the case of humans, a signature)

Authentication can occur in many places in a Web application. When a user connects to a Web application, the Web server can authenticate the user. If a Web page in the Web application accesses a COM+ component, the component can also authenticate the user. Also, if the Web page or COM+ component accesses a database, the database server can authenticate the user again. By placing authentication in as many locations in your Web application as possible, you minimize the risk of security threats.

Authorization
After a principal is authenticated, the principal will want to access resources, such as files, registry keys, Active Directory® directory service attributes, and databases. The authenticating entity determines access by performing an access check to see if the principal has access to the resource being requested. This process is called authorization. Access is determined by comparing information about the principal with access control information that is associated with the resource. Examples of authorization mechanisms include:
- Windows 2000 access control lists (ACLs). An ACL describes the capabilities (such as read, write, execute) of an entity on a specific resource.
- Windows 2000 user account access privileges, such as the ability to debug or log on across the network.
- Permissions, such as the ability to create, read, update, and delete records in the database.
- Role-based security. A role-based security model uses authenticated identity information about the user to make decisions about security authorization.
- Role checking in a COM+ component. Role checking is the ability to programmatically determine whether an entity can perform an action based on the entity’s membership in an administratively-defined role.

Security Technology Overview (continued)

[Slide: the same three tiers, now showing Auditing, Privacy, Integrity, and Nonrepudiation alongside Authorization. Auditing: Windows Log, IIS Log, SQL Server Log. Privacy: SSL/TLS, IPSec, Cryptography. Integrity: SSL/TLS, IPSec, Cryptography, Digital certificates. Authorization: Windows 2000 ACLs, Windows 2000 User Account Privileges, Permissions, Role-based Security, Role Checking in COM+.]

Auditing
The aim of auditing, also called logging, is to collect information about successful and failed attempts to access objects, the use of access privileges, and other important security actions. The auditing information is logged in a file for later analysis. Logging also aids in debugging Web applications, because without logging, you can only guess why someone was denied access to a resource. Examples of audit logs include:
- Windows 2000 Security Event log. The Windows 2000 Security Event log contains data about who logged on, which files were accessed, which COM+ objects were accessed, and so on.
- IIS 5.0 log. The IIS 5.0 log contains data about Web page hits, how long the access took, and from which Internet Protocol (IP) address the request came. IIS also writes to the Windows 2000 Security Event log files.
- SQL Server log. The SQL Server log contains information about who logged on and off SQL Server. SQL Server uses the Windows 2000 log files, in addition to its own custom text files, for auditing purposes.

You will learn more about audit logs later in this lesson.

Privacy
Privacy, sometimes referred to as confidentiality, is a means of hiding information from invalid users, and it is usually performed by using encryption. By using privacy technologies, a user can send a secret message to another user, and no other user can see that message, even by using a network protocol analyzer, such as Microsoft Network Monitor. Examples of privacy technology include:
- Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Both SSL and TLS use encryption algorithms to scramble data as it moves across nonsecure networks such as the Internet.
- Internet Protocol Security (IPSec). IPSec is an Internet Engineering Task Force (IETF) standard and a security feature in Windows 2000 that provides data encryption to low-level IP packets.
- Cryptography. By using cryptography, you can programmatically encrypt or hash data before sending it to a user, or before storing it on the Web server or in a database.

Integrity
Integrity refers to the ability to protect data from being deleted or changed, either maliciously or by accident. Integrity also ensures that the data has not been altered in transit, and it assures the recipient that the originator of the message is who he or she claims to be. Examples of integrity technology include:
- SSL and TLS. Both SSL and TLS use Message Authentication Code (MAC) algorithms to verify that data is not tampered with during transmission.
- IPSec. IPSec provides integrity checking of low-level IP packets.
- Cryptography (programmatically signing data). The originator of the data can programmatically create a hash of the data and then send the hash along with the original data. If the received data matches the hash, the receiver knows that the data has not changed.
- Digital certificates. Both the user and the Web server can use digital certificates to sign messages so that the receiver always knows that the data came from the specified source.

Nonrepudiation
Nonrepudiation is a technique that can be used for providing proof that an action occurred, to prevent a principal from fraudulently reneging on a transaction. For example, if Alice purchases an item, she might need to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that Alice received the package. A complete nonrepudiation plan requires providing authentication, authorization, auditing, and data integrity. Nonrepudiation also requires the vendor to inform the user that the action that he or she is about to take is legally binding. Nonrepudiation is extremely important for e-commerce.

Best Practices in Building Secure Web Applications
- Install the latest security patches
  - Stay current on patches, updates, and hotfixes
- Use strong passwords
  - Enforce password policy through group policies
  - Use passwords with seven or more characters that include letters, numbers, and symbols
  - Do not allow saving a password
- Run with least privileges
  - Give least amount of privileges to services

Introduction
There are some recommendations and best practices that can be followed to minimize the risk of security threats against Web applications.

Install the latest security patches
Software often has vulnerabilities and is in a continuous state of development. Feature improvements, design improvements, and bug fixes are generally released until the software is outdated. Because software is constantly changing, it is imperative for an organization’s IT employees to stay current on patches, updates, and hotfixes to the software that is running on their computers. Hotfixes and security patches are updates to software that resolve a known issue or provide a workaround for the known issue in the software. Hotfixes and security patches help in eliminating security vulnerabilities. Failure to update software puts the attacker at an advantage.

To stay current with hotfixes, go to http://www.microsoft.com/technet/security/Default.asp. To stay current with security bulletins, subscribe to security newsgroups, communities, and forums. For example, you can subscribe to the NTBugtraq mailing list at http://www.ntbugtraq.com, view the vulnerability database at http://www.securityfocus.com, and subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp. Microsoft Product Support Services also provides free telephone support for virus-related issues. You can call (866) PC-SAFETY (United States only).

Note: To obtain the Microsoft Security Toolkit and to obtain information about security bulletins and tools, go to http://www.microsoft.com/security.

Use strong passwords
Strong passwords provide a more secure system environment. Even the most secure system will fail if the weakest point in a system is an easy-to-guess administrator password. To enforce strong passwords within your organization or system, you can implement the following guidelines:
- Enforce password policy through group policy or local policy
- Use passwords with a minimum of seven characters made up of letters, numbers, and symbols
- Do not enable any functionality to save a password
- Enforce a reasonable lockout policy, for example, locking out an account for 15 minutes after five invalid password attempts
- Do not use a password that is easy to guess, such as your name, date of birth, or names of family members
- Do not share your password with anyone

Run with least privileges
Services need a certain level of access to perform their specific tasks within the context of the system. When installing or troubleshooting these services, it may be tempting to grant more access than necessary to achieve functionality quickly. Services must be granted the least amount of access privileges to maintain a secure system. System administrators who configure service privileges and Web application developers who create service dependencies must ensure that they grant the least privileges to the services.

Best Practices in Building Secure Web Applications (continued)
- Turn off unnecessary components of IIS
  - Default installation enables more services than required
- Use the IIS Lockdown Tool
  - Makes the IIS server less accessible to attackers by turning off the unnecessary features

Turn off unnecessary IIS components
The default installation of IIS often enables more services than are necessary for operation. For example, documentation and Simple Mail Transfer Protocol (SMTP) are installed by default. These additional services provide more opportunities for potential attacks, and therefore, they must be disabled. In addition, consider filtering all of the traffic to a Web server by placing the Web server behind a firewall or behind an intrusion detection system.

Use the IIS Lockdown Tool
The IIS Lockdown Tool provides protection against attacks to the IIS server by making it difficult for attackers to access the IIS server. The IIS Lockdown Tool works by turning off unnecessary features, thereby reducing attack opportunities that are available to attackers. The IIS Lockdown Tool is a wizard tool that provides you with an Advanced option, which allows you to choose the settings that you want to make. The wizard also provides the Rollback changes option to revert the changes. You can install the IIS Lockdown Tool from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961.

Note: For more information about the IIS Lockdown Tool, go to http://www.microsoft.com/technet/security/tools/locktool.asp.

Enabling Logging
Maintain a log of activities that are performed on the system by the users and Web applications " Windows logs " IIS logs " SQL Server logs " Custom logs *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction It is important to maintain a log of activities that are performed on the system by the users and by Web applications The Windows operating system, IIS, and SQL Server maintain their own logs for collecting security-related information about the operating system, Web server, and database, respectively You can also create custom logs to work with the needs of your Web applications Windows logs The Windows operating system maintains three types of logs: application, security, and system System and application logging start automatically when you start the computer Logging stops when an event log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough To define logging parameters for each kind of log: Click Start, point to Settings, and then click Control Panel Double-click Administrative Tools Double-click Event Viewer In the Event Viewer console tree, right-click the type of log Click Properties On the General tab, you can set the maximum size of the log and specify whether the events are overwritten or stored for a certain period of time The default logging policy is to overwrite logs as needed, provided events are at least seven days old You can customize this policy for different logs Module 1: Introduction to Web Security IIS logs 35 You can use IIS logs to collect information about the activities that users perform on the Web server You enable logging for all Web applications on a Web server by setting properties for the Default Web Site in IIS You can disable logging for individual Web applications by clearing the Log visits check box in the Properties dialog box for that Web application in IIS A log can be one of many 
formats The World Wide Web Consortium (W3C) Extended Log File Format permits fine-grained control of the log entries and is recommended You can use the Properties dialog box for the file format to select which attributes to log and to set where the log files appear By default, the log files appear in %WinDir%\System32\LogFiles SQL Server logs Microsoft SQL Server 2000 has a fully functional audit mechanism that allows you to track any permissions usage of any kind within SQL Server 2000 SQL Server logs events to the SQL Server error log and to the Windows application log To enable logon auditing for both successful and failed logon attempts to a SQL Server Web application, run SQL Server Enterprise Manager, open the SQL Server Properties dialog box for the SQL Server Web application, and then on the Security tab, click the appropriate option under Audit level Custom logs You can programmatically add entries to the Windows 2000 event logs or to a custom log in a Microsoft Visual Studio® NET application by using the EventLog object For example, on the logon page of a Web application, you should log all failed attempts and why they failed 36 Module 1: Introduction to Web Security Practice: Securing the IIS Default Installation ! Students will: " ! Turn off any unnecessary IIS subcomponents Time: " minutes *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction In this practice, students will look at the default IIS installation in Windows 2000 Server and turn off any unnecessary IIS subcomponents ! Turn off any unnecessary IIS subcomponents On the Start menu, open Control Panel Double-click Add/Remove Programs Click Add/Remove Windows Components In the Windows Components Wizard, click Internet Information Services, and then click Details What subcomponents of IIS are installed by default? 
Common Files, Documentation, FrontPage 2000 Server Extensions, Internet Information Services Snap-In, Internet Services Manager (HTML), SMTP Service, World Wide Web Server.

Which of these subcomponents are not needed by most Internet sites?

Documentation, FrontPage 2000 Server Extensions, Internet Services Manager (HTML), SMTP Service. Each of them adds code or a listening service that a site serving Web pages does not need.

5. Clear the check boxes for the IIS subcomponents that you do not need, and then click OK.
6. Continue with the Windows Components Wizard to finish uninstalling the subcomponents.
7. Close Control Panel.

Review

- Why Build Secure Web Applications?
- Using the STRIDE Model to Determine Threats
- Implementing Security: An Overview

What are the three types of attackers?
Novice, intermediate, advanced.

Why is it harder to secure against an attacker than for an attacker to get into a system?
An attacker needs to find only one weak point to enter the system; a defender needs to make sure that all possible entry points are defended.

What is the difference between a threat and a vulnerability?
A threat is a possibility that poses danger to business assets, such as privacy or data integrity. A vulnerability is a weakness in a Web application that an attacker can exploit to achieve a goal.

List the categories of threats in the STRIDE model.
Spoofing, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege.

What is the difference between authentication and authorization?
Authentication is the process of identifying a user. Authorization is the process of granting the authenticated user access to resources.

What is the difference between internal and external threats?
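The practice above, as an added example that is not part of the Microsoft courseware: a scripted version for a current Windows Server (2012 or later), where IIS is installed as Windows features rather than through the Windows 2000 Windows Components Wizard. It lists the installed Web-* features, compares them with an allow-list, and removes the rest, with a dry run first. The allow-list is hypothetical, the ServerManager module and an elevated prompt are assumed, and SMTP-Server is used as the present-day counterpart of the SMTP Service; the FrontPage extensions, the HTML manager and the documentation component of IIS 5 have no feature equivalent today.

```powershell
# Added example (not from the courseware): remove IIS features that a site
# does not need. Assumes Windows Server 2012 or later, the ServerManager
# module, and an elevated PowerShell prompt.

# Hypothetical allow-list: the only features this server is supposed to run.
$RequiredFeatures = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Static-Content',
    'Web-Default-Doc', 'Web-Http-Errors', 'Web-Http-Logging', 'Web-Filtering',
    'Web-Mgmt-Console'
)

function Get-UnneededWebFeatures {
    # Installed IIS (and SMTP) features that are not on the allow-list.
    param([string[]]$Required = $RequiredFeatures)
    Get-WindowsFeature -Name 'Web-*', 'SMTP-Server' |
        Where-Object { $_.Installed -and ($_.Name -notin $Required) }
}

$unneeded = Get-UnneededWebFeatures
$unneeded | Select-Object Name, DisplayName | Format-Table -AutoSize

# Dry run; remove -WhatIf once the list has been reviewed. Parent features
# (Web-Server, Web-WebServer) stay on the allow-list because removing a parent
# removes every child with it.
if ($unneeded) {
    Uninstall-WindowsFeature -Name $unneeded.Name -WhatIf
}
```

Run the report again after the real uninstall and after every patch cycle: features come back when an administrator clicks through the wizard, so the allow-list comparison is worth keeping as a scheduled check rather than a one-time task.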
Internal threats consist of possible attacks by employees or former employees. External threats come from outsiders who want to acquire information in order to harm the business.

Posted: 10/12/2013, 16:15
