Secure Web Applications – The Microsoft Way

A question came up this week on how to secure web applications the Microsoft way.

Microsoft has extensive prescriptive guidance on securing online applications.


Defense in Depth

1. Start by building on a Secure Platform:

· Windows Server 2003 with latest Service Pack
· SQL Server 2005 with latest Service Pack
· Implement Microsoft Best Practice Security Guidance for Servers

2. Build the application using best practice Secure Coding techniques

· Secure Coding Guidelines
· Writing Secure Code

3. Be aware of common threats to Applications and avoid SQL Injection & Cross Site Scripting attacks:

· “Stop SQL Injection Attacks Before They Stop You”
· “How To: Protect From SQL Injection in ASP.NET”
· “How to Prevent Cross Site Scripting”
· “Anti-Cross Site Scripting Library”
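The two mistakes item 3 points at, shown side by side in ASP.NET C# as an added example (not code from the original post): SQL built by string concatenation versus a parameterized SqlCommand, and output that is HTML-encoded before it reaches the page. The Products table, its Name and Description columns, and the connection string are assumptions for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example for item 3 (SQL injection and XSS in ASP.NET); not code from
// the original post. Assumes a hypothetical "Products" table with Name and
// Description columns and a connection string supplied by the caller.
public static class ProductSearch
{
    // Pattern to avoid: the search term is pasted into the SQL text, so a single
    // quote in the input changes the structure of the statement (SQL injection).
    public static string BuildQueryUnsafe(string term)
    {
        return "SELECT Name, Description FROM Products WHERE Name LIKE '%" + term + "%'";
    }

    // Hardened form: the SQL text is fixed and the term travels as a typed
    // parameter, so SQL Server never parses user input as part of the statement.
    // LIKE wildcards are escaped so the user cannot widen the match either.
    public static DataTable Search(string connectionString, string term)
    {
        string escaped = term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Name, Description FROM Products WHERE Name LIKE @pattern", conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
            DataTable results = new DataTable();
            conn.Open();
            results.Load(cmd.ExecuteReader());
            return results;
        }
    }

    // Output encoding: anything echoed into the page, including data read back
    // from the database, is HTML-encoded first, so script stored in a product
    // description is rendered as text rather than executed (cross-site scripting).
    // HttpUtility.HtmlEncode from System.Web is used here; the Anti-Cross Site
    // Scripting Library linked above is the stricter, allow-list based alternative.
    public static string RenderRow(DataRow row)
    {
        return "<tr><td>" + HttpUtility.HtmlEncode(Convert.ToString(row["Name"])) +
               "</td><td>" + HttpUtility.HtmlEncode(Convert.ToString(row["Description"])) +
               "</td></tr>";
    }
}
```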

4. Use a network-based firewall at the perimeter (Forefront Edge: ISA Server 2006)

· Secure remote access
· Network protection against Floods & Attacks

5. Access the application securely by publishing it through the firewall and applying appropriate security controls

· Publish Site using Forefront Edge Internet Application Gateway (IAG) with Application Layer Firewall
· IAG Secure Remote Access White Papers
· Use the practice of Least Privilege account access

6. Audit your Firewall, Application and Operating System Logs

· Audit Active Directory
· Audit Policy
· Audit ISA

7. Use Secure Authentication Mechanisms (IAG can use AD, Kerberos, RADIUS, LDAP, etc.)

· IIS Authentication
· Kerberos Authentication in Windows Server 2003

8. Use Host based Antivirus & Antimalware protection on Clients and Servers

· Forefront Client Security

9. Keep all systems patched with latest Security Patches using Microsoft Update or WSUS

· Microsoft Windows Server Update Services (WSUS)
· How to keep your Windows up-to-date
· Patch 3rd party products that are not managed by Microsoft Update:
  o Backup Software
  o Zip or Compression Utilities
  o Antivirus
  o IE Plug-ins
  o Management Software
  o etc.

Note: A system that is fully patched with Microsoft Updates can still be compromised through un-patched third-party software, particularly software that installs a driver or runs with administrator privileges.


10. Remember the CIA Triad of security: Confidentiality, Integrity, and Availability

A number of other considerations also follow from these three:

· Backups of Server 2003 & SQL 2005 Database
· Load Balancing & Clustering
· High Availability & Disaster Recovery
· File Encryption (EFS & BitLocker)

Note: BitLocker will be available in Windows Server 2008

· Rights Management Services (RMS)



Case Study

The Infrastructure of, Microsoft Update, and the Download Center

These are a few things to consider, but the key is to think about Defense in Depth and end-to-end security of the Data, Systems, Network Infrastructure, and Application.

You need to know first how to secure the application, but then you also need to know how to identify threats when security is being tested or compromised, and how to respond to those threats.


Comments (5)
  1. Anonymous says:

    The Staysafe blog has some great resources, including my fav: " Why Social Engineering Always Works".

  2. Anonymous says:

    According to a study done by the Computer Security Institute and the FBI, 97% of interviewed companies

  3. Anonymous says:

    Did you see the post at

  4. ipsol@ccie security training says:

    I think this is very useful information. Thanks for sharing.
