Document: Module 1: Introduction to Web Security



Contents
Overview 1
Lesson: Why Build Secure Web Applications? 2
Lesson: Using the STRIDE Model to Determine Threats 17
Lesson: Implementing Security: An Overview 26
Review 38

Module 1: Introduction
to Web Security

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or

After completing this module, students will be able to:
• Describe why it is essential to consider security during Web application development.
• Explain the STRIDE model.
• Identify the technologies and best practices that can be used to build a secure environment for running Web applications.

To teach this module, you need Microsoft® PowerPoint® file 2300A_01.ppt.
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Read Module 11, “Configuring Internet Access for a Network,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
• Read the TechNet article, “Secure Internet Information Services 5 Checklist,” which is available at http://www.microsoft.com/technet/security/tools/iis5chk.asp.
• Read the available information about current worms and viruses, which is available on the http://www.microsoft.com/technet/security/virus/

You can also receive recent virus information at http://www.ntbugtraq.com,
which is a mailing list for the discussion of security exploits.
To find information about the cost of not securing a Web application and being
attacked, search the Internet for “cost virus.” According to many articles,
billions of dollars were lost in 2001.
Here are some virus examples from 2002:
• DoubleTap virus
A Microsoft SQL Server virus was found on May 20, 2002. The virus, named DoubleTap or Spida.a.worm, targets SQL Server Web sites that have the system administrator account, sa, set to blank. The virus, written in JavaScript, adds the guest account to the administrator group and then changes the password of the administrator. Finally, this virus sends the server’s password list to an e-mail address on a central service.
• Benjamin virus
A virus known as Benjamin, found in May 2002, is initiating itself from the KaZaa music file swapping service. The virus masquerades as popular songs, videos, and games. Upon infecting a computer, Benjamin creates a new directory, opens that directory to the KaZaa network, and then tries to entice others to download it. The virus is interesting because its author apparently hoped to make money from its propagation. Infected computers are instructed to visit a Web page that is clearly designed to register advertising hits.
• Code Red Internet Information Services (IIS) worm
A malicious piece of code, operating as a computer worm, exploits unpatched IIS servers on the Internet. This worm, called Code Red, exploits

• File shares. Infected computers will search for computers that have been configured to allow anyone to add files to these computers and, upon finding such a computer, will insert infected files onto it.
• VBS/Loveletter virus
The VBS/Loveletter virus circulates through e-mail. If run, the virus attempts to overwrite .jpg, .mp3, and other file types, and to send a copy of itself to everyone in the recipient’s address book. The e-mail message that contains the virus typically carries a subject line of “ILOVEYOU.” Inside the e-mail message is a short text message that says “Kindly check the attached LOVELETTER coming from me” and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. The attachment is the virus payload. It is important to note that the virus payload cannot run by itself. For the payload to run, the recipient must open the e-mail message, launch the payload by double-clicking it, and click Yes in a dialog box that warns of the dangers of running untrusted programs.

This topic discusses some of the challenges that businesses face when
implementing security. One of the major issues is that security is often
considered only after the Web application is complete, instead of during the
initial design process. Relegating security to an afterthought often makes Web
applications more costly to develop and less secure.
Define the term threat and then discuss the different types of Web-accessible
assets: tangible and intangible.
Note that attackers do not always come from outside the organization. Attackers
are sometimes internal to the organization and can take the form of either
ignorant or disgruntled employees. Discuss the different skill levels of novice,
intermediate, and advanced attackers.
Discuss attacker motivation, justification, and opportunity.
Ask students to think of examples of each type of attack. Students may have

authenticated user are sent in clear text over the Internet. If an attacker
obtains the user name and password, the attacker can pose as the
authenticated user and access the system.
• Tampering with data: The “loveletter” virus changes all .jpg files into copies of itself.
• Repudiability: Attackers often delete event logs after they attack a system so that there is no record of the attackers accessing the system.
• Information disclosure: IIS version 4.0 had a weakness that allowed Uniform Resource Locators (URLs) ending in special characters (a trailing "." or a trailing "::$DATA") to return the script source of Active Server Pages (ASP).
• Denial of Service: The Code Red virus attacked unpatched IIS Web servers and installed Denial of Service tools.
• Elevation of privilege: The DoubleTap SQL Server virus adds the guest account to the Administrator group and then changes the password of the administrator. By doing this, attackers can log on as a guest and have the access privileges of the Administrators group.
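The information-disclosure item above describes requests whose URL ends in a trailing "." or "::$DATA". The patch is the fix; the following added example (not part of the course material) shows how an administrator could audit IIS W3C-format logs for such requests after the fact and tag each hit with its STRIDE category. The log lines, IP addresses and field layout are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample of IIS W3C extended log lines (not from the course document).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-05-20 10:01:02 203.0.113.5 GET /default.asp 200
2002-05-20 10:01:09 203.0.113.5 GET /login.asp::$DATA 200
2002-05-20 10:01:15 203.0.113.5 GET /admin/db.asp. 200
2002-05-20 10:02:00 198.51.100.7 GET /images/logo.gif 200
2002-05-20 10:02:30 198.51.100.7 GET /orders.ASP%3A%3A%24DATA 200
"""

# Server-side script types whose source must never be returned verbatim.
SCRIPT_EXTENSIONS = (".asp", ".asa", ".inc")

# The two trailing-character forms named in the module: "." and "::$DATA".
# The URL may arrive percent-encoded in the log, so it is decoded before matching.
SUFFIX_RE = re.compile(r"^(?P<stem>.*?)(?P<suffix>\.|::\$DATA)$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_source_disclosure_attempt(uri_stem: str) -> bool:
    """True when a script path carries a trailing '.' or '::$DATA' suffix."""
    match = SUFFIX_RE.match(unquote(uri_stem))
    return bool(match) and match.group("stem").lower().endswith(SCRIPT_EXTENSIONS)


def find_disclosure_attempts(text: str) -> List[Dict[str, str]]:
    """Return every flagged request with its client IP and STRIDE category."""
    hits = []
    for row in parse_w3c(text):
        if is_source_disclosure_attempt(row.get("cs-uri-stem", "")):
            hits.append({"ip": row["c-ip"], "uri": row["cs-uri-stem"],
                         "stride": "Information disclosure"})
    return hits


if __name__ == "__main__":
    for hit in find_disclosure_attempts(SAMPLE_LOG):
        print(hit)
```

On a patched server such requests return an error rather than source, so a 200 status on a flagged line is the signal worth investigating.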

This practice provides an opportunity for students to apply the STRIDE model
to some common scenarios. The scenarios are actual vulnerabilities that were
found in earlier versions of IIS.
Students will learn more about the STRIDE model in the context of designing
secure Web applications and will apply this model to the design of the lab
solution in Module 2, “Planning for Web Application Security,” in Course
2300, Developing Secure Web Applications.

Overview
• Best Practices in Building Secure Web Applications
• Enabling Logging
• Practice: Securing the IIS Default Installation

Overview
• Why Build Secure Web Applications?
• Using the STRIDE Model to Determine Threats
• Implementing Security: An Overview

***************************** ILLEGAL FOR NON-TRAINER USE ******************************
This module provides an overview of the terms and concepts of, along with the
justification for, Web security. This information forms the basis for the
presentation of Web security, which will be expanded upon throughout the rest
of Course 2300, Developing Secure Web Applications.
This module also provides an overview of the technologies and best practices
that can be used to build a secure solution for Web applications. This overview

• How Do Attacks Occur?
• Common Types of Vulnerabilities

This lesson defines the term security as it applies to Web-accessible assets.
Security can be separated into several categories, and each will be defined and
explained in this lesson. This lesson also presents the concepts of
vulnerabilities, threats, and attacks, and explains how these concepts interrelate.
Finally, you will learn why security is so important by looking at some of the
reasons that motivate attackers to attack a Web application, and the
corresponding consequences of inadequate Web application security.
After completing this lesson, you will be able to:
• Describe the importance of securing a Web application.
• Identify the challenges that are involved in implementing Web application security.
• Describe some of the motivations for attacker intrusion and the consequences of inadequate Web security.
• Define the terms threat, attack, and vulnerability, and explain the interrelationship among them.


have become victims at some point to damaging security breaches, such as
e-mail viruses, financial fraud, network sabotage, and more.
Even as the amount of money that is spent on securing corporate networks
increases, so do the losses that are accrued by businesses in terms of stolen
intellectual property, system downtime, lost productivity, damage to reputation,
and lost consumer confidence.
If a business has an Internet presence, with either a business-to-business or
business-to-consumer e-commerce Web site, the business is twice as likely to
have its Web servers attacked as businesses that do not participate in
e-commerce.
It is possible, however, to defend your business’s Web application in this
hostile environment by adding the appropriate authentication and authorization
schemes, ensuring data integrity with encryption, and performing data
validation.
Introduction
Challenges Involved in Implementing Security
• Developers and management think that security does not add any business value
• Managers do not build time for security implementation into schedule
• Secure systems become harder to use
• Complex and strong passwords are difficult to remember
• Users prefer simple passwords
• Attacker needs to understand one vulnerability; defender needs to secure all entry points

2000, Internet Information Services (IIS), Microsoft SQL Server, and COM+ components. Implementing security into this system involves several challenges, such as the following:
• An attacker needs to find only one weak point to enter the system; correspondingly, a defender needs to make sure that all possible entry points are defended.
• The usability of a system is inversely proportional to its security.
• Security is often added to a Web application as an afterthought, after the Web application development is complete.

You can secure your system by employing several security mechanisms, such
as firewalls, proxies, secure channels, and authentication schemes. However, all
it takes for a security breach is for an attacker to find one weak point to access
your system. Securing all of the possible entry points to the system makes
security a complex proposition. Securing your system requires you to keep
abreast of the environment, risks, business drivers, and the state-of-the-art
security attacks that may affect your system. Failure to have this security-
related knowledge will render your Web applications vulnerable to attack.
Introduction
Attackers vs. defenders
As a system becomes more secure, it also becomes harder to use. The common

Identity, privacy, reputation, and name

A threat is a possibility that poses danger to business assets, such as privacy or
data integrity. An example of a threat is the possibility that an unauthorized
person might get access to confidential company data or maliciously adjust
account details. All threats are determined in relation to business risk. The
greater the risk—that is, the greater the impact on the business should the threat
be realized—the greater the threat. High-risk outcomes from threats that have
been realized include public embarrassment, loss of credibility or good will,
death or injury, and loss of money.
Every business has assets, such as money, business plans, source code, ideas, and reputation, which it wants to protect against attacks. Some assets are tangible and have a monetary value. Other assets are intangible, but are still valuable, such as an organization’s reputation. Business assets are more prone to attack when businesses partake in e-business. Securing a Web application involves protecting the tangible and intangible assets from attackers:
• Tangible assets
Tangible assets have a monetary value associated with them, and therefore, these assets should be protected from any type of attack. Tangible assets include money (actual or electronic), source code, data, business plans, and ideas.
• Intangible assets
It is easy to understand the need for protecting the tangible assets, because

Attacks on Web applications and networks can come from both nonemployees
and employees. Security threats posed by humans can be broadly divided into
the following two categories:
• Internal attackers
• External attackers

Internal threats consist of possible attacks by employees or former employees.
Employees are the people who are most familiar with an organization’s network
and applications, and they are also the people who are most likely to know what
actions might cause the most damage. Internal threats are posed by two kinds of
employees:
• Malicious employees
Malicious employees are those who are disgruntled with the organization and want to cause harm to it. Attacks by such employees are often the most dangerous because these employees know many of the codes and security measures that are in place to protect the assets. Such employees are likely to have specific goals and objectives for attack, and they also have legitimate access to the system. Some of the possible attacks caused by malicious employees can include:
• Planting viruses, Trojan horses, or worms.

user and the organization, and then copying these packets in order to obtain access to the organization in the same way.
• Exploiting known security weaknesses
As hackers and security consultants find bugs in operating system and application software, they publish the security hole. If an organization is not quick about applying patches, other hackers can discover the software running and exploit known bugs.

External attackers
In general, there are three types of attackers: novice attackers, intermediate attackers, and advanced attackers. Each of these attackers presents a unique challenge to Web application security:
• Novice attackers
Novice attackers, also frequently called script kiddies, do not possess significant programming skills. These attackers generally use the tools and exploits that are developed by more experienced and skilled attackers. Novice attackers present a significant danger to Web applications because they are large in number. Most of the attacks that are originated by novice attackers are not meant to cause harm to businesses, but for the attacker to merely have fun.
• Intermediate attackers
Intermediate attackers possess more programming skills than novice attackers, but to a certain extent, these attackers still depend on the tools and exploits that are developed by more experienced attackers. Intermediate

• Publicity
• Monetary gain
• Exposure of vulnerabilities
• Personal satisfaction

An attack is a threat that is brought to fruition through the exploitation of a
vulnerability (or vulnerabilities) in the system.
For an attack to take place, the following must occur:
• The attacker must have a motive.
For example, an attacker might attack your business’s Web application because he or she dislikes your stance on trade policy. Other attack motivations include revenge, espionage, publicity, monetary gain, exposure of vulnerabilities, and personal satisfaction.
• The attacker must be able to justify the attack.
For example, an attacker might believe that by attacking your Web application with antitrade policy graffiti, he or she will heighten awareness, among the public, of your policies. The justification might also be as simple as “because I can” in the case of script kiddies.
• An opportunity must arise.

[Slide diagram: types of attacks. Organizational Attacks; Social Engineering; Automated Attacks; Denial of Service (DoS): user connection fails, blocks access to data or services; Viruses, Trojan Horses, and Worms: harmful code, malicious programs, self replicating.]

Attacks can range from nontechnological attacks to technological attacks:
• Nontechnological attacks use deception to gain access to a network and include social engineering or attacks from another organization.
• Technological attacks include denial of service (DoS) attacks, automated computer attacks, viruses, worms, Trojan horses, and accidental breaches in security.

Organizational attacks include attacks by a competitor to acquire confidential information to gain a business or competitive advantage.
Social engineering is a common form of password cracking, and it can be used both by outsiders and by people within an organization. Social engineering is an attacker term for deceiving people into revealing their password or some form of security information. For example, an attacker can pose as a support engineer, call a company employee, and ask for the employee’s password. A trusting employee might disclose a password, thereby allowing an attacker to access an organization’s resources.
Automated attacks come from scripts that are launched at network computers
that have known vulnerabilities. The scripts can install viruses that


Copyright: Tài liệu đại học © DMCA.com Protection Status