What can you expect from this document:
This document covers some basic security best practices that, if combined with other security best measures, increases the overall security of your system.
What is the threat?
The increased information sharing through social networking and the adoption of the Web as a means of doing business create new opportunities for hackers. Nowadays, websites are often attacked directly. Hackers either seek to compromise the server or the end-users accessing the website by subjecting them to drive-by downloading.
The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection which typically result from flawed coding, and failure to cleanse input to and output from the web application.
How to mitigate the threat?
The threats are application specific, so it is not possible to give any general advice. However, if you deploy a third party application:
- Address the application vendors website for secure deployment advise or ask the vendors for guidance.
- Search for known vulnerabilities of your application. They are a good indicator on how to proceed. E.g. a good point to start your search is this.
- Use a vulnerability scanning tool to identify known vulnerabilities.
- Perform a penetration test, to identify vulnerabilities that the scanner may have missed.
- As a result of rule 2, try only to deploy applications without known vulnerabilities.
- Deploy the application using best practices to limit the effect of a potential damage. E.g., you can use the principle of least privilege or isolation.
Additional considerations for your own applications:
Apply SDL methodologies to the application, for example Threat Modelling.
This will help you to identify and manage vulnerabilities in the design and development stage of your application. You can find more on SDL here.
To gain a solid understanding on this subject, it is highly recommended to read the articles listed in the section below.
- Application Security: https://en.wikipedia.org/wiki/Application_security
- Web Application Security: https://en.wikipedia.org/wiki/Web_application_security
- Securing Windows Server 2012R2: https://technet.microsoft.com/en-us/library/hh831360.aspx
- Hardening / Secure Application Resources:
- Web Applications: https://www.nsa.gov/ia/_files/factsheets/Hardening_Deployed_WebApplications11182013.pdf
- OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Secure Development Lifecycle: https://www.microsoft.com/en-us/sdl/
The contribution provided by Microsoft is intended to serve general information purposes and the content is AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness or reliability. The information is provided without any warranty of fitness for a particular purpose. The information is compiled with the necessary care, however no liability is assumed in this respect, in particular with regard to the absence of errors, topicality with regard to the specific state of knowledge or use as the basis for the responsible decisions of the user.