AS-8-DISCUSSIONS Please Read the Instructions Carefully in the body of this post. Also Attached the required ppt slides for reference Discussion-1 4 -

AS-8-DISCUSSIONS
Please Read the Instructions Carefully in the body of this post.
Also Attached the required ppt slides for reference

Discussion-1 400 words minimum (topic :Security in SDLC Versus Agile):
APA Format, need References
You learned about the traditional SDLC (waterfall) and agile methods of software development. Where SDLC is known for distinct, rigid phases, the agile method has smaller, flexible development cycles (sprints).
Answer the following question(s):

Don't use plagiarized sources. Get Your Custom Assignment on

AS-8-DISCUSSIONS Please Read the Instructions Carefully in the body of this post. Also Attached the required ppt slides for reference Discussion-1 4

From as Little as $13/Page

In your opinion, does the SDLC or agile method ensure greater success in incorporating adequate security into an applications code? Why?

Discussion-2 400 words minimum (topic :Emerging Threats ):
APA Format, need References
You learned about the following emerging threats that are likely to shape the security landscape in the future:

Social engineering
Mobile devices used as bots
Scams by questionable security consulting or software firms that use fear tactics to get users to purchase their product to remove security problems
Data-focused attacks
Cloud computing
Expansion of malware

Answer the following question(s):
In your opinion, which threat poses the greatest risk to Microsoft Windows applications? Why?

Security Strategies in Windows Platforms and Applications

Lesson 14
Microsoft Windows and the
Security Life Cycle

2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image Sharpshot/Dreamstime.com

Page #
Security Strategies in Windows Platforms and Applications
2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Learning Objective(s)
Implement security controls to protect Microsoft Windows systems and networks.
Describe techniques for protecting Windows application software.

Page #
Security Strategies in Windows Platforms and Applications
2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Key Concepts
System life cycle phases
Agile software development
Microsoft Windows operating system and application software security management
Microsoft Windows operating system and application software secure development
Microsoft Windows operating system and application software revisions and change management

Page #
Security Strategies in Windows Platforms and Applications
2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Understanding Traditional System Life Cycle Phases

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Software Development Life Cycle (SDLC)
Formal model for the process of creating software.

Agile software development
Based on small project iterations, or sprints, instead of long project schedules.

Software Development Life Cycle (SDLC)

Agile software development

Software Development Life Cycle (SDLC)
Commonly implemented as a waterfall approach in the past
Breaks down software development process into a number of phases with the goal of standardizing and simplifying software development management
Specific start and end dates with deliverables

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

An SDLC with 10 Phases

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Agile Software Development
Based on small project iterations, or sprints, instead of long project schedules
Produces smaller deliverables more frequently

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Agile Development Cycle

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

10/17/2019
(c) ITT Educational Services, Inc.
8

Managing Microsoft Windows OS and Application Software Security

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Create one project to develop a complete software application.

Create a new project for each individual program.

Create a project for a group of related software programs.

Use the agile method for each project.

Microsoft Security Development Lifecycle (SDL)

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Developing Secure Microsoft Windows OS and Application Software
Building Security in Maturity Model (BSIMM)
Framework developed by a consortium of organizations to help you design a development process
Defines 116 unique activities, along with frequency
Software Security Framework (SSF)
Framework of the 116 activities, that groups 12 practices into four domains

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

The Software Security Framework (SSF)

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Process of Developing
Secure Software, Simplified
Provide training in secure development
Include security from the beginning
Use secure programming techniques
Test for vulnerabilities

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Common Pitfalls for Code

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Lack of input validation

Information leakage through poor error handling

Sloppy authentication or encryption

Remote system access or code execution

Dynamic code execution

Implementing, Evaluating, and Testing Windows OS and Application Software Security
Purpose of formal testing is to evaluate how well your application meets overall performance, functionality, and security goals
Every goal from original specification should have at least one corresponding testing scenario
Testing scenario evaluates whether the application satisfies the goal
Testing activities can be manual or automated

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Possible Problems of Faulty Code
Inconsistent code and schema changes
Inconsistent interfaces with other programs
Faulty installation procedure

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Maintaining the Security of Microsoft Windows OS and Application Software
Keep development environment and tools up to date
Ensure OSs on software development computers have the latest security patches
Address vulnerabilities discovered in your application software as quickly as possible

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Maintaining the Security of Microsoft Windows OS and Application Software
Document changes and have a plan to reconcile production changes with testing as soon as possible
Check that all maintenance procedures protect your datas security

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Microsoft Windows OS and Application Software Revision and Change Management

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Software Development Areas of Difficulty

Phase identification

Software Control

Change control

Phase transition

Activity coordination

Baseline identification

Communication

Repeatable processes

Software Configuration Management (SCM)

Configuration identification

Configuration control

Configuration auditing

Configuration status accounting

Best Practices
Incorporate security early and often.
Adopt a software development model to help define your organizations development activities and flow.
Define activities for each phase in your model.
Ensure all developers are trained to develop secure applications.
Validate your software product at the end of every phase.

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Best Practices (Cont.)
Create separate software projects for each related group of programs or program changes.
Do not begin a software development project by writing codeplan and design first.
Keep the three SDL core concepts in focuseducation, continuous improvement, and accountability.
Develop tests to ensure each component of your application meets security requirements.

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Best Practices (Cont.)
Study the most common application vulnerabilities and develop programming standards to ensure you dont include the vulnerabilities in your application.
Identify and store programs, files, and schema definitions in a centralized, secure repository.
Control and audit changes to programs, files, and schema definitions.
Organize versioned programs, files, and schema definitions into versioned components.

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Best Practices (Cont.)
Organize versioned components and subsystems into versioned subsystems.
Create baselines at project milestones.
Record and track requests for change.
Organize and integrate consistent sets of versions using activities.
Maintain stable and consistent workspaces.
Ensure reproducibility of software builds.

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Summary
System life cycle phases
Agile software development
Microsoft Windows operating system and application software security management
Microsoft Windows operating system and application software secure development
Microsoft Windows operating system and application software revisions and change management

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

24 Security Strategies in Windows Platforms and Applications

Lesson 15
Best Practices for Microsoft Windows and Application Security

2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Cover image Sharpshot/Dreamstime.com

Page #
Security Strategies in Windows Platforms and Applications
2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Learning Objective(s)
Describe Microsoft Windows and application security best practices.

Page #
Security Strategies in Windows Platforms and Applications
2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Key Concepts
Microsoft Windows security best practices
Microsoft Windows security management trends

Page #
Security Strategies in Windows Platforms and Applications
2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Administrative Best Practices

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Develop and maintain policies to implement each of the best practices in this section.
Educate users.
Establish incident response capabilities.
Ensure that you know which business functions are critical to your organization. Then, take whatever steps necessary to protect these functions in case of interruptions or disasters.
Develop a plan to continue all critical business functions in case of an interruption. This business continuity plan (BCP) should cover all aspects of your organization.
Define recovery time objectives (RTO) for each critical resource. Identify resources required for the recovery process. Youll need to identify which parts of your recovery plan are sequential and which ones you can work on simultaneously.
Develop a backup plan for each resource that minimizes the impact on performance while keeping secondary copies of data as up to date as possible. Explore various options, including alternate sites and virtualization.
Document all backup and recovery procedures. Train all primary and backup personnel on all procedures.
Test all recovery procedures rigorously. Conduct at least one full interruption recovery test each year.

Develop and maintain policies.

Educate users.

Establish incident response.

Identify/protect critical business functions.

Develop a BCP.

Define recovery time objectives (RTOs).

Develop a backup plan.

Document backup and recovery procedures.

Test all recovery procedures.

Administrative Best Practices (Cont.)

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Review your complete recovery plan quarterly (or more frequently), and adjust for any infrastructure changes.
Update old password policies. Consult current National Institute of Standards and Technology (NIST) guidelines (https://pages.nist.gov/800-63-3/) for recommendations.
Do not write down passwords. Use passwords you can remember. When you write down passwords, they are easier for an attacker to find and use.
Never encrypt individual filesalways encrypt folders. This keeps any sensitive data from ever being written to the disk in plaintext.
Designate two or more recovery agent accounts per organizational unit. Designate two or more computers for recovery, one for each designated recovery agent account.
Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder. This keeps sensitive information from being stored in plaintext on a print server.
Require strong passwords for all virtual private network (VPN) connections.
Trust only certificates from certificate authorities (CAs) or trusted sites. Train users to reject certificates from unknown or untrusted sites.
Require two-factor authentication (2FA) for access requests to sensitive information.

Review recovery plan regularly.

Update old password policies.

Do not write down passwords.

Encrypt folders, not files.

Designate recovery agent accounts.

Avoid using print spool files.

Require strong passwords.

Trust only certificates from (CAs) or trusted sites.

Require two-factor authentication (2FA).

Technical Best Practices

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Install anti-malware software on all computers.
Enable all real-time scanning (shield) options.
Update signature databases and software daily.
Perform a complete scan of all hard drives and Solid State Drives (SSDs) at least weekly.
Perform a quick scan after installing or updating any software.
Enable boot-time virus checking, including boot sector and memory scan at startup options.

Install anti-malware software.

Enable real-time scanning (shield) options.

Update signature databases and software daily.

Perform a complete scan at least weekly.

Perform a quick scan after installing or updating any software.

Enable boot-time virus checking.

Technical Best Practices (Cont.)

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Remove administrator rights from all normal users.
Apply software and OS security patches.
Block outbound network connections that are not required for your applications.
Automate as many backup operations as possible. Create logs and reports that make problems with backup operations easy to recognize.
Verify all backup operations. A secondary copy of data with errors may be no better than damaged primary copy data.
Export all encryption recovery keys to removable media and store the media in a safe place. Physically store your Encrypting File System (EFS) or BitLocker recovery information in a separate, safe location.
7

Remove administrator rights from all normal users.

Apply software and OS security patches.

Block outbound network connections.

Automate backup operations.

Verify all backup operations.

Export encryption recovery keys to removable media.

Technical Best Practices (Cont.)

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Encrypt the My Documents folder for all users. Since most people use My Documents for most document files, encrypting this folder will protect the most commonly used file folder.
Use multifactor authentication when using BitLocker on OS volumes to increase volume security.
Store recovery information for BitLocker in Active Directory Domain Services (AD DS) to provide a secure storage location.
Disable standby mode for portable computers that use BitLocker. BitLocker protection is in effect only when computers are turned off or in hibernation.
When BitLocker keys have been compromised, either format the volume or decrypt and encrypt the entire volume to remove the BitLocker metadata.
8

Encrypt the My Documents folder.

Use multifactor authentication.

Store recovery information for BitLocker in AD DS.

Disable standby mode for portable computers that use BitLocker.

When BitLocker keys have been compromised, remove BitLocker metadata.

Technical Best Practices (Cont.)

Page #
Security Strategies in Windows Platforms and Applications
2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Use the strongest level of encryption that your situation allows for VPNs.
Use Secure Socket Tunneling Protocol (SSTP) IKEv2 for VPNs when possible. IKEv2 is the newest VPN protocol from Microsoft.
Disable Service Set Identifier (SSID) broadcasting for wireless networks.
Never use Wired Equivalent Privacy (WEP) for wireless networksuse only Wi-Fi Protected Access (WPA/WPA2/WPA3).

Use strong encryption for VPNs.

Use SSTP IKEv2 for VPNs when possible.

Disable SSID broadcasting for wireless networks.

Never use WEP for wireless networks.

Audit and Remediation Cycles

PlanEstablish your objectives and processes to meet a stated goal. In the context of routine
auditing, the goal should be to assess specific security controls.

DoImplement the process you planned in the previous step.

CheckMeasure the effectiveness of the new process and compare the results against
the expected results from your plan. Youll compare the expected results of your auditing
information with a baseline.

ActAnalyze the differences between expected results and measured results. Determine
the cause of any differences. Then, proceed to the Plan process to develop a plan to
improve the performance.

Check

Act

Plan

Audit and Remediation Cycles
Maintain current backups of all audit information.
Do not enable Read or List auditing on any object unless you really need the information.
Do not enable Execute auditing on binary files.
Limit enabling all auditing actions to files, folders, programs, and certain other resources.

Maintain current backups of all audit information so, you can recover historical audit
information in the case of a disaster.
Do not enable Read or List auditing on any object unless you really need the information.
Read/List access auditing can create a tremendous amount of information.
Do not enable Execute auditing on binary files except for administrative utilities that
attackers commonly use. Do turn auditing on for these utilities to help monitor their use.
Limit enabling all auditing actions to files, folders, programs, and other resources that are
important to your business functions. Dont be afraid to enable auditing for any object
just ensure you need the information youll be saving.

Audit and Remediation Cycles (Cont.)
Enable auditing for all change actions for your Windows install folder and any folders you use in normal business operation.
Audit all printer actions.
Ignore Read and Write actions for temporary folders but audit Change Permissions, Write Attributes, and Write Extended Attributes actions.

Enable auditing for all change actions for your Windows install folder and any folders you
use in normal business operation. It is also a good idea to audit changes to the Program
Files folder.
Audit all printer actions. You may need to know who printed a document that found its
way into the wrong hands.
Ignore Read and Write actions for temporary folders but audit Change Permissions,
Write Attributes, and Write Extended Attributes actions. These actions can help identify
attacker activities.
12

Audit and Remediation Cycles (Cont.)
Develop Windows policies and Group Policy Objects (GPOs) that are as simple as possible and still satisfy your security policy.
Develop clear guidelines to evaluate each element of your security policy.
Know what you will be looking for before you search through lots of audit data.

Develop Windows policies and Group Policy Objects (GPOs) that are as simple as possible
and still satisfy your security policy. Complex policies are difficult to verify.
Develop clear guidelines to evaluate each element of your security policy. An audit should
be a structured process to verify your security policy, not an unorganized hunt for problems.
Know what you will be looking for before you search through lots of audit data.
13

Security Policy Conformance Checks

Define organizational units (OUs) that reflect your organizations functional structure.
Create OU GPOs for controls required in your security policy.
Use meaningful names for GPOs to make maintenance and administration easier.
Deploy GPOs in a test environment before deploying to your live environment.
Use security filtering and Windows Management Instrumentation (WMI) filters to restrict settings when necessary.
Back up your GPOs regularly.
Do not modify the default policiesinstead, create new GPOs.
Use the Group Policy Settings Reference spreadsheets for more information on available GPO settings. You can find these spreadsheets by visiting the website http://www.microsoft.com/downloads, and searching for Group Policy Settings Reference. Microsoft provides several versions to cover different Windows releases.
Acquire the Windows Server Security Compliance Management resource from Microsoft to help design, deploy, and monitor your server baselines.
Acquire the Windows 10 Security Compliance Management resource from Microsoft to help design, deploy, and monitor your workstation baselines.
Use the Local Policy Tool (LPT) to automatically deploy recommendations from the Security Compliance Management toolkits.
14

Group Policy

Develop comprehensive Group Policy; use it to apply settings and ensure settings are correct

Important component of secure Windows environments

Helps centralize settings that ensure conformance with security policy

Security Baseline Analysis

Valuable for showing known values

Valuable for showing compliance

Security Baseline Guidelines
Create initial baselines.
Use tools such as Security Configuration and Analysis (SCA) and Microsoft Baseline Security Analyzer (MBSA).
Schedule scans using batch files.

Create initial baselines that represent a secure starting point for each computer. Develop
security templates in Security Configuration and Analysis (SCA) that contain the security
settings for each type of workstation and server. Change the templates as needed and use
them when building new computers. You can apply up-to-date templates to new Windows
installations to quickly configure a new computer to your security standards.

Run SCA/Microsoft Baseline Security Analyzer (MBSA) using command-line interface
options to compare computer settings and configurations with your standards. Schedule
scans to run periodically (weekly or monthly), and review the resulting output files for
any identified problems.

Develop batch files to run scans and collect ongoing operational information. Collect information
using a set daily, weekly, or monthly schedule and archive collected data files.

OS and Application Checks and Upkeep

Deploy security controls

Harden operating systems

Harden applications

Network Management Tools and Policies
Identify and protect sensitive data.
Establish unique domain user accounts.
Enforce strong passwords.
Limit rights and permission for services.
Dont allow services to run as a domain admin user.
Use Kerberos.
Install firewalls to create a DMZ.
Use encryption.
Establish firewall rules.

Network Management Tools and Policies (Cont.)
Install anti-malware software.
Update software and signature databases daily.
Use WPA, WPA2, or WPA3.
Disable SSID broadcasts.
Disable Wi-Fi Protected Setup (WPS).
Do not enable wireless or mobile broadband cards while connected to your organizations internal network.
Dont allow visitors to roam facilities using wireless LAN.
Avoid connecting to Wi-Fi public networks.
Install a separate wireless access point for guests.
Disable or uninstall any services you dont need.

Software Testing, Staging, and Deployment

Do not begin a software development project by writing codeplan and design first.
Keep the three Security Development Lifecycle (SDL) core concepts in focuseducation, continuous improvement, and accountability.
Develop tests to ensure each component of your application meets security requirements.
Study the most common application vulnerabilities and develop programming standards to ensure you dont include the vulnerabilities in your application.
Identify and store programs, files, and schema definitions in a centralized, secure repository.
Control and audit changes to programs, files, and schema definitions.
Organize versioned programs, files, and schema definitions into versioned components.
Organize versioned components and subsystems into versioned collections.
Create baselines at project milestones.
Record and track requests for change.
Organize and integrate consistent sets of versions using activities.
Maintain stable and consistent workspaces.
Ensure reproducibility of software builds.

Adopt

Define

Ensure

Validate

Create

Adopt a software development model to help define your organizations development activities and flow.

Define activities for each phase in your model.

Ensure all developers are trained on developing secure applications.

Validate your software product at the end of every phase.

Create separate software projects for each related group of programs or program changes.

Compliance/Currency Tests on Network Entry
Accounts
Global groups
Universal groups
Local groups
Permissions

To maintain secure access for remote clients, check this list of best practices:
Map your proposed remote access architecture, including redundant and backup connections. Use one of the several available network mapping software products to make the process easier. Update the network map any time you make physical changes to your network.
Install at least one firewall between your VPN endpoint and your internal network.
Select a VPN provider that your clients can easily access. If you select a vendor-specific VPN solution, develop a method to distribute and maintain the VPN client software to your users.
Use global user accounts whenever possible: Use strong authentication for all user accounts.
Create a limited number of administrative accounts with permissions for remote administration.
Develop a backup and recovery plan for each component in the Remote Access Domain. Do not ignore backing up and recovering configuration settings for network devices.
Implement frequent update procedures for all OSs, applications, and network device software and firmware in the Remote Access Domain.
Monitor VPN traffic for performance and suspicious content.
Carefully control any configuration setting changes or physical changes to domain nodes. Update your network map after any changes.
Require encryption for all communication in the Remote Access Domain.
Enforce anti-malware minimum standards for all remote computers as well as server computers in the Remote Access Domain. Ensure all anti malware software and signature databases remain up to date.

Trends in Microsoft Windows OS and Application Security Management

Scams by questionable security consulting or software firms that use fear tactics to get users to purchase their product to remove security problems

Social engineering

Mobile devices used as bots

Scams

Related Questions:

Related questions