Protecting Your Key Asset – Data Protection Best Practices V2.0 Final

Protecting your Key Asset – Data Protection Best Practices. Vinod Kumar M, Technology Evangelist, Microsoft Corporation, www.ExtremeExperts.com

description

The session I did for the Security Workshop on Data at a conference.

Transcript of Protecting Your Key Asset – Data Protection Best Practices V2.0 Final

Page 1: Protecting Your Key Asset – Data Protection Best Practices V2.0 Final

Protecting your Key Asset – Data Protection Best Practices

Vinod Kumar M, Technology Evangelist

Microsoft Corporation

www.ExtremeExperts.com

Page 2

Agenda

“Best Practices” is a broad area

This talk focuses on operational tasks

Look at various data aspects

Page 3

“Security… But isn’t that the Admin’s Job?”

Page 4

Understanding Basic Security

Restricting user access

Disabling services and restricting service configuration

Reducing the surface area of attack for new features

Page 5

Defense in Depth

Always design your countermeasures to have at least two levels of defense. This means that you put your defenses in serially rather than in parallel; attackers need to overcome A and B, not A or B.

Use all the available countermeasures: technology, process, people.

Countermeasures and vulnerabilities are really two sides of the same coin.

Layers (outermost to innermost): Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources

Assume prior layers fail

Page 6

Incidents Reported Industry Wide

CERT/CC incident statistics 1988 through 2006

Incident: single security issue grouping together all impacts of that issue

Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality

Source: http://www.cert.org/stats/cert_stats.html

[Chart: incidents reported per year, '88 to '02 on the x-axis, 0 to 180,000 on the y-axis]

Page 7

Know Your Enemy

Port Scanners

Black Hat Community Sharing

Brute Force pwd crackers

Dictionary Based pwd crackers

Network Sniffers

De-compilers

Debuggers

Cracker Tools

Page 8

Mobile Device – Security Aspect

Page 9

Mobile – Entry Points

Access to Device

Access to Stored Data

Access to wireless networks

Page 10

Mobile – Security Practices

Risk Analysis

Make Security policies

Password

Anti-Virus Software

Encryption

Need-to-know Data store

Page 11

Mobile – Security Practices

Authentication

Perimeter Security

Encryption

Data Encryption – Pocket PC (SQL CE – 128-bit encryption)

App Encryption – .NET CF & High Encryption Pack

Information Service Encryption

Network Encryption

Lock-Down Functionality

Page 12

Desktop Data Security

Page 13

Where is Customer’s Data Stored?

Q: Where is the biggest data exposure risk?

SQL

Page 14

Clients

Documents: Where do customers’ users keep their documents?

User Profile: Outlook, SharePoint, Desktop, Temp, IE…

Per-machine data: Search index, offline file cache, pagefile…

Non-standard locations… ISV & in-house apps

Page 15

What is EFS?

Page 16

Encrypting File System

Privacy of data that goes beyond access control

Protect confidential data on laptops

Configurable approach to data recovery

Integrated with core operating system components: Windows NT File System (NTFS), Crypto API key management, LSA security policy

Transparent and very high performance

Page 17

What EFS is not…

A way to protect local user credentials

A way to protect data in transit (think IPSec)

A way to protect business transaction documents (think Windows Rights Management)

Page 18

EFS File Encryption

RNG produces a randomly-generated file encryption key (FEK)

File encryption (e.g. AES) with the FEK: “A quick brown fox jumped...” becomes “*#$fjda^ju539!3t t389E *&”

Data decryption field generation (RSA) under the user’s public key produces the DDF

Data recovery field generation (RSA) under the recovery agent’s public key in the recovery policy produces the DRF

Page 19

EFS File Decryption

DDF contains the file encryption key encrypted under the user’s public key

DDF extraction (RSA): the DDF is decrypted using the user’s private key to get the file encryption key

File decryption (e.g. AES) with the file encryption key: “*#$fjda^ju539!3t t389E *&” becomes “A quick brown fox jumped...”

Page 20

EFS File Recovery

DRF contains the file encryption key encrypted under the DRA’s public key

DRF extraction (RSA): the DRF is decrypted using the DRA’s private key to get the file encryption key

File decryption (e.g. AES) with the file encryption key: “*#$fjda^ju539!3t t389E *&” becomes “A quick brown fox jumped...”
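The DDF/DRF structure from the three EFS diagrams above, as an added Python model that is not code from the deck or from Windows: one random FEK encrypts the file, and the same FEK is wrapped under the user’s public key (DDF) and the recovery agent’s public key (DRF), so either private key recovers the file and a missing DRF makes recovery impossible. Textbook RSA over small known primes and a SHA-256 keystream are assumed stand-ins for CryptoAPI RSA and AES, for illustration only.

```python
import hashlib
import secrets

# Constructed RSA keys for illustration only: textbook RSA (no padding) over two known
# Mersenne primes each, far too small for real use. Real EFS keys live in CryptoAPI.
def make_rsa_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

USER_KEY = make_rsa_key(2**61 - 1, 2**89 - 1)    # the user's key pair
DRA_KEY = make_rsa_key(2**107 - 1, 2**127 - 1)   # the Data Recovery Agent's key pair

def wrap_fek(fek, pub):
    """Encrypt the 128-bit FEK under a public key: this is what a DDF or DRF holds."""
    return pow(int.from_bytes(fek, "big"), pub["e"], pub["n"])

def unwrap_fek(field, priv):
    """Recover the FEK from a DDF/DRF with the matching private key."""
    return pow(field, priv["d"], priv["n"]).to_bytes(16, "big")

def stream_xor(fek, data):
    """Stand-in for AES: SHA-256 counter-mode keystream keyed by the FEK (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def efs_encrypt(plaintext, user_pub, dra_pub=None):
    """Page 18: random FEK, file encrypted with it, FEK wrapped into DDF (and DRF if a recovery policy exists)."""
    fek = secrets.token_bytes(16)                 # randomly-generated file encryption key
    blob = {"ciphertext": stream_xor(fek, plaintext),
            "DDF": wrap_fek(fek, user_pub)}       # FEK under the user's public key
    if dra_pub is not None:                       # recovery policy present: add the DRF
        blob["DRF"] = wrap_fek(fek, dra_pub)      # FEK under the recovery agent's public key
    return blob

def efs_decrypt(blob, user_priv):
    """Page 19: DDF extraction with the user's private key, then file decryption."""
    return stream_xor(unwrap_fek(blob["DDF"], user_priv), blob["ciphertext"])

def efs_recover(blob, dra_priv):
    """Page 20: DRF extraction with the DRA's private key, then file decryption."""
    if "DRF" not in blob:
        raise KeyError("no DRF: file was encrypted without a recovery agent")
    return stream_xor(unwrap_fek(blob["DRF"], dra_priv), blob["ciphertext"])
```

A file encrypted with no DRF (the “no local Recovery Agents” setting on the next slide) can only ever be opened by the user’s private key, which is exactly why the deck asks for recovery agents at the domain level.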

Page 21

EFS best practices: recovery

No local Recovery Agents: prevents data compromise in the “stolen laptop” scenario; prevents out-of-process data recovery… if encrypted data needs to be recovered, it should be an audited operation

Have at least 2 Recovery Agents per domain

Encrypt directories, not files: ensures that temp files created in process are also encrypted; prevents data recovery from free space on the file system

Encrypt CSC cache (Offline Files): protects temporary files that may be written during application execution

Page 22

Document Protection

Page 23

Windows Rights Management Services (RMS)

Information protection technology that augments security strategies

Users can easily safeguard sensitive information from unauthorized use

Organizations can centrally manage internal information usage policies

Uses RMS Server, RMS Client and RMS-enabled apps

RMS protects information both online and offline, inside and outside of the firewall.

Page 24

RMS Publishing Flow (“online”)

Participants: File Author, RMS Server (with Database Server and File Server), File Recipient

Author creates a file and defines a set of rights and rules.

Application encrypts file and sends unsigned “publishing license” to RMS; Server signs and returns publishing license.

Author distributes file.

Recipient clicks file to open; the application calls to RMS, which validates the user and the request and issues the “use license”.

Application renders file and enforces rights.
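The publishing flow on this slide as an added Python model, not code from the deck or from RMS: the author’s unsigned publishing license is signed by the server, a recipient gets a use license only if the license verifies and names them, and the application enforces the rights in that use license. The server’s signing key is modelled as an HMAC secret (real RMS uses certificate-based signatures), and the file name and users are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the RMS server's signing key: an HMAC secret held only by the
# server. Real RMS signs licenses with certificates; this is for illustration only.
SERVER_KEY = b"constructed-rms-server-signing-key"

def _sign(body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()

def _verify(lic):
    body = {k: v for k, v in lic.items() if k != "signature"}
    return hmac.compare_digest(_sign(body), lic.get("signature", ""))

def author_publish(file_id, rights):
    """Step 1: author defines rights and rules; the app sends this unsigned publishing license."""
    return {"file": file_id, "rights": rights}   # rights: {user: [actions]}

def rms_sign_publishing_license(unsigned):
    """Step 2: the RMS server signs and returns the publishing license (it travels with the file)."""
    return dict(unsigned, signature=_sign(unsigned))

def rms_issue_use_license(pl, user):
    """Step 4: recipient opens the file; RMS validates the user and the request, issues the use license."""
    if not _verify(pl):
        raise PermissionError("publishing license failed signature check")
    if user not in pl["rights"]:
        raise PermissionError(f"{user} holds no rights on {pl['file']}")
    use_license = {"file": pl["file"], "user": user, "rights": pl["rights"][user]}
    return dict(use_license, signature=_sign(use_license))

def app_enforce(ul, user, action):
    """Step 5: the RMS-enabled app renders the file only for actions the use license grants."""
    return _verify(ul) and ul["user"] == user and action in ul["rights"]
```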

Page 25

If I could choose one, which one would I choose when?

EFS – to encrypt all local data files automatically, under my domain account, to minimize risk of offline attack

RMS – to share encrypted files easily among a group of people, or send them encrypted over the wire to any storage medium

Page 26

Database Security

Page 27

What are Principals?

Model: Principals hold Permissions on Securables

Windows principals: Domain User Account, Local User Account, Windows Group

SQL Server principals: SQL Server Login, Server Role

Database principals: User, Database Role, Application Role, Group

Page 28

What are Securables?

Model: Principals hold Permissions on Securables

Windows securables: Files, Registry Keys

SQL Server securables: Server, Database, Schema

Page 29

What are Permissions?

Model: Principals hold Permissions on Securables

Permissions: CREATE, ALTER, DROP, CONTROL, CONNECT, SELECT, EXECUTE, UPDATE, DELETE, INSERT, TAKE OWNERSHIP, VIEW DEFINITION, BACKUP

Applied with GRANT / REVOKE / DENY

Windows securables are protected by an ACL

Page 30

Database Security

Surface Area Reduction

Authentication Mode

Password Policies enforcement

Administrative Privileges

Catalog Security

Encryption

Auditing

Page 31

Demo …

Page 32

Summary

Security is an integral part of all software

Maximize SQL Security to protect sensitive data

Encryption is cool: use it carefully though

Understand the password policies of the organization

Block standard/unused default ports

Lastly, understand all the entry points to your application

Page 33

Questions?

Page 34

Resources

Encrypting File System in Windows XP and Windows Server 2003

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Best practices for the Encrypting File System

http://support.microsoft.com/default.aspx?scid=kb;en-us;223316&sd=tech

What's New in Security for Windows XP Professional and Windows XP Home Edition

http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx

Page 35

Resources

SQL Server : Security Blog

http://blogs.msdn.com/lcris/

SQL Server Security and Protection

http://www.microsoft.com/technet/prodtechnol/sql/2005/library/security.mspx