Series of Posts on Azure Security

My colleague Bruce Kyle has put together a view into how you can secure your application in Windows Azure. He’s pulled together information from hundreds of pages to provide you with a how-to guide on developing your application in a secure way on Windows Azure.

This six-part series describes the threats, how you can respond, what processes you can put into place for the lifecycle of your application, and prescribes a way for you to implement best practices around the requirements of your application. I’ll also show ways for you to incorporate user identity and some of the services Azure provides that will enable your users to access your cloud applications in new ways.

At first, the steps may seem lengthy. But as you will find, Windows Azure shares the responsibility to help secure your application. By using Windows Azure platform, you are able to take a deeper look into your application and take steps to make your application more secure.

Here are the links to each part in this series:

Part 1: The Challenges, Defense in Depth. This post describes the threat landscape and introduces the plan for your application to employ defense in depth in partnership with Windows Azure.

Part 2: What Azure Provides Out-of-the-Box. This post gives an overview: security with Windows Azure is a shared responsibility, and Windows Azure provides your application with important security features. But then again, it also exposes other vulnerabilities that you should consider. In addition, I’ll explore how Microsoft approaches compliance.

Part 3: Identifying Your Security Frame. This post explores how you can examine your application and identify attack surfaces. The idea of a Security Frame is a way for you to look at your application to determine threats and your responses, before you even begin coding. He points you to checklists that you can use when you are architecting your application.

Part 4: What Else You Need to Do. In addition to protecting your application from threats, there are additional steps you should take when you deploy your application. We provide a list of mitigations that you should employ in your application development and deployment.

Part 5: Claims-Based Identity, Single Sign On. User identification represents the keys to accessing data and business processes in your application. In this section, I describe how you can separate user identity and the roles of your user out of your application and make it easier to create single sign on applications.

Part 6: How Azure Services Extends Your App Security. Finally, he shows how other services in Windows Azure provide secure identity mapping, messaging, and connection to on-premises applications. This section suggests how you can use Windows Azure Active Directory, Windows Azure Connect, and Service Bus for your cloud applications, on-premises applications, and hybrid applications.

Part 7: Tips, Tools, Coding Best Practices. Here are a few more items you should consider in securing your Windows Azure application. Here are some tools, coding tips, and best practices: running on the operating system, error handling, and how to access Azure Storage.

The intent of this series is to provide a context for you to learn more and empower you to write great applications for the public cloud.

Learn more at Global Foundation Services Online Security. The Global Foundation Services team delivers trustworthy, available online services that create a competitive advantage for you and for Microsoft’s Windows Azure.

Attack Surface Analyzer BETA

Microsoft has released Attack Surface Analyzer. It is a Software Development Lifecycle verification tool for developers and IT professionals to identify whether newly developed or installed applications inadvertently change the attack surface of a Microsoft operating system.

Attack Surface Analyzer is developed by the Security Engineering group, building on the work of our Security Science team. It is the same tool used by Microsoft’s internal product groups to catalogue changes made to operating system attack surface by the installation of new software.
Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.
This allows:

  • Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  • IT Professionals to assess the aggregate Attack Surface change by the installation of an organization’s line of business applications
  • IT Security Auditors to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  • IT Security Incident Responders to gain a better understanding of the state of a system’s security during investigations (if a baseline scan was taken of the system during the deployment phase)

The free tool is downloadable from Attack Surface Analyzer – Beta Download.

Data Security On Windows Azure

The patterns & practices team is writing Azure Security Guidance as a series of application scenarios and solutions. The goal is to show the most common application scenarios on the Microsoft Azure platform.

Patterns described in the article include:

  • ASP.NET to Azure Storage
  • ASP.NET to SQL Azure
  • ASP.NET On-Site to SQL Azure Through WCF

Dealing with Security Issues

Guest Post  – by Heather Johnson

No sooner is one fixed than another turns up, and if you’re not careful, you could end up losing all the data on your computer and the money in your bank. Viruses, Trojan horses, worms and other malware that are floating around on the Internet are morphing into new forms each time someone comes up with an antidote for those that are discovered. Not everyone is savvy about protecting their systems from being breached by hackers who are some of the best in the business.

Security suites and anti-virus software offer some form of protection, as they are updated regularly as and when new virus signatures are discovered. But even if your security software is up to date and reliable, there are ways that hackers can get at your system if you are not careful.

  • Don’t log in to your computer as an administrator as this leaves your system vulnerable to attacks. When you surf the web and hit a strange or untrusted site, you could end up with a formatted hard disk. Hackers could also create their own user accounts with administrative privileges. When you need to perform tasks that require administrative privileges, you can log in temporarily as an administrator from a non administrative account.
  • Do not click on links in emails from strangers.
  • Do not open attachments without scanning them for malware.
  • Do not share your passwords with even friends and family.
  • Be up to date in applying security patches and system updates.
  • Log out of your accounts, email, bank and others, when done.
  • Do not use public computers to conduct sensitive transactions.
  • Use secure sites that offer encryption when using your credit card to order goods and services online.
  • Do not provide sensitive information online even if the request seems to come from trusted sources.
  • Do not enable file and print sharing.
  • Lock your computer or log out when leaving your desk.
  • Shut down your computer when done for the day.
  • Do not download software that is on offer from a source you cannot trust.
  • Remove programs and applications that you do not use.
  • Protect your home network from sniffers if you use a wireless router to connect.

By-line:

This article is contributed by Heather Johnson, who regularly writes on ATT Yahoo. She invites your questions and writing job opportunities at her personal email address: heatherjohnson2323 at gmail dot com.

How to prevent SQL injections

Many applications include code that looks like:

    string sqlStmt = "SELECT * FROM USERS WHERE UserName= '" + un + "' AND Password='" + pwd + "'";

Admit it…it’s ugly, but you constructed SQL statements like this one.

The variables un and pwd are provided by the user. The problem with this SQL string is that the attacker can piggyback SQL statements in one of them.

What if the attacker enters this:

un = maor, pwd = 123456' OR 1=1. The following malicious statement is built:

    string sqlStmt = "SELECT * FROM USERS WHERE UserName= 'maor' AND Password='123456' OR 1=1";

The statement will return all columns for all rows…Bad!

And what if the attacker enters this:

un = maor, pwd = 123456' DROP TABLE Users. The following malicious statement is built:

    string sqlStmt = "SELECT * FROM USERS WHERE UserName= 'maor' AND Password='123456' DROP TABLE Users";

This builds a SQL statement that queries for a user and then drops the users table.

What can you do to prevent these attacks?

1. Quoting the input

Quoting the input is not a remedy, but it’s often proposed to solve the problem.

If we use the statement:

    // pwd holds the user-supplied value
    pwd = pwd.Replace("'", "''");

The code replaces each single quote in the input with two single quotes. The single quote is escaped, and the injected input renders an invalid SQL statement. However, it’s not perfect. If the statement has an integer field, the attacker can use it to attack, because a numeric value is not enclosed in quotes and so the injected text needs no quote character.

2. Use stored procedures

Many of us probably believe that the application is immune to SQL injection if we use stored procedures. WRONG!

When we enter 123456' OR 1=1 as a parameter, the stored procedure will fail because we cannot perform a join across a stored procedure call. However, performing data manipulation is valid.

    exec sp_getUser 'maor','123456' INSERT INTO Users Values('123','123')

This command will fetch data about the user and then insert a new row into the users table! What can we do? Secure the stored procedure. How?

  1. Use the QUOTENAME function for object names. It’s a built-in T-SQL function that adds delimiters to object names to help nullify invalid characters.
  2. Use sp_executesql to execute SQL statements built dynamically, instead of just concatenating a string. This makes sure no malformed parameters are passed along to the database server.
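One way to combine both points in a single procedure, as an added example (not code from the original post). The procedure name dbo.usp_GetUserFromTable, its parameters, the column sizes and the dbo schema are assumptions; the USERS columns are the ones used in the statements above.

```sql
-- Added example: dynamic SQL inside a stored procedure, hardened with
-- QUOTENAME (object names) and sp_executesql (values).
-- dbo.usp_GetUserFromTable and its parameter names are hypothetical.
CREATE PROCEDURE dbo.usp_GetUserFromTable
    @TableName sysname,         -- object name chosen at run time
    @UserName  nvarchar(64),    -- user-supplied value
    @Password  nvarchar(128)    -- user-supplied value
AS
BEGIN
    SET NOCOUNT ON;

    -- Accept the name only if it matches an existing table in the dbo schema.
    IF NOT EXISTS (SELECT 1
                   FROM sys.tables
                   WHERE name = @TableName
                     AND schema_id = SCHEMA_ID(N'dbo'))
    BEGIN
        RAISERROR(N'Unknown table name.', 16, 1);
        RETURN;
    END;

    -- QUOTENAME wraps the name in [ ] and doubles any ] inside it,
    -- so the value can only ever be parsed as a single identifier.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.' + QUOTENAME(@TableName) +
        N' WHERE UserName = @un AND Password = @pwd;';

    -- The values travel as typed parameters, never as part of the
    -- statement text, so quotes or keywords in them stay plain data.
    EXEC sys.sp_executesql
        @sql,
        N'@un nvarchar(64), @pwd nvarchar(128)',
        @un  = @UserName,
        @pwd = @Password;
END;
```

Only the object name is concatenated into the statement text, and only after the catalog check and QUOTENAME; everything the user types is bound through the sp_executesql parameter list.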

3. Never connect as sysadmin

If you see that your web application connects to the database with a sysadmin account, it’s a BUG. Most web applications don’t need the capabilities of a sysadmin to run. If there is a bug in the SQL statements and the application connects with a sysadmin account, the attacker can: delete any database or table on the server; delete any table data; change data; alter tables; delete logs; and more… The potential damage is unlimited.
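A least-privilege setup with the checks that confirm it, as an added example (not code from the original post). The names webapp_login, webapp_user and AppDb, the dbo schema and the password placeholder are assumptions; sp_getUser and Users are the names used earlier in the post.

```sql
-- Added example: a dedicated low-privilege account for the web application.
-- webapp_login, webapp_user and AppDb are hypothetical names.
CREATE LOGIN webapp_login WITH PASSWORD = N'<replace-with-generated-secret>';
GO
USE AppDb;
GO
CREATE USER webapp_user FOR LOGIN webapp_login;

-- The only permission granted: run the one procedure the application calls.
-- No table permissions, no database roles, no server roles.
GRANT EXECUTE ON OBJECT::dbo.sp_getUser TO webapp_user;
GO

-- Check 1: is the login a member of sysadmin?
-- A result of 1 means the application connection is over-privileged.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'webapp_login') AS is_sysadmin;

-- Check 2: impersonate the account and list what it can actually do.
EXECUTE AS USER = N'webapp_user';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'DATABASE');
SELECT HAS_PERMS_BY_NAME(N'dbo.Users', N'OBJECT', N'DELETE') AS can_delete_users;
SELECT HAS_PERMS_BY_NAME(N'dbo.Users', N'OBJECT', N'ALTER')  AS can_alter_users;
REVERT;
```

If the procedure runs dynamic SQL through sp_executesql, ownership chaining does not apply to that statement, so the account also needs SELECT on the tables the dynamic statement reads.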

4. Build secure SQL statements

Instead of dynamically building a string, as shown in the bad examples above, use parameters. Anything placed into a parameter will be treated as field data, not part of the SQL statement, which makes your application much more secure.

Using parameterized queries is a three-step process:

  1. Construct the SqlCommand command string with parameters.
  2. Declare a SqlParameter object, assigning values as appropriate.
  3. Assign the SqlParameter object to the SqlCommand object’s Parameters property.

    // Requires: using System.Data.SqlClient; conn is an open SqlConnection.

    // 1. declare command object with parameters
    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM USERS WHERE UserName= @UN AND Password= @PWD", conn);

    // 2. define parameters used in command object
    SqlParameter param1 = new SqlParameter();
    param1.ParameterName = "@UN";
    param1.Value = userName;

    SqlParameter param2 = new SqlParameter();
    param2.ParameterName = "@PWD";
    param2.Value = password;

    // 3. add new parameters to command object
    cmd.Parameters.Add(param1);
    cmd.Parameters.Add(param2);

Summary

  • Don’t trust the user’s input.
  • Be strict about what represents valid input and reject everything else. RegEx are your friend!!!
  • Use parameterized queries, not string concatenation.
  • Connect to the database server by using a least-privilege account, not the sysadmin account.

Code secure!!!!


Secure your application

Worried about security? Microsoft has published patterns & practices Security Checklists Index for .NET framework 1.1 & 2.0.

You can find there:

  • Architecture and Design Review Checklists
  • Code Review Checklists
  • Deployment Review Checklists

Take care…
