Web Application Security Design Inspection Questions - Configuration Management

From Guidance Share

- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Configuration Management Vulnerabilities

Vulnerability                                          Implications
-----------------------------------------------------  ----------------------------------------------------------------------------------------------------------------------------------
Insecure administration interfaces                     Unauthorized users can reconfigure your application and access sensitive data.
Insecure configuration stores                          Unauthorized users can access configuration stores and obtain secrets, such as account names and passwords, and database connection details.
Clear text configuration data                          Anyone who can log in to the server can view sensitive configuration data.
Too many administrators                                This makes it difficult to audit and vet administrators.
Over-privileged process accounts and service accounts  This can allow privilege escalation attacks.


If your application provides an administration interface that allows it to be configured, examine how the administration interfaces are secured. Also examine how sensitive configuration data is secured.

Use the following questions to help validate your application design's approach to configuration management:

  • Do you support remote administration?
  • Do you secure configuration stores?
  • Do you separate administrator privileges?


Do you support remote administration?

If your design specifies remote administration, then you must secure the administration interfaces and configuration stores because of the sensitive nature of the operations and the data that is accessible over the administration interface. Review the following aspects of your remote administration design:

  • Do you use strong authentication?

All administration interface users should be required to authenticate. Use strong authentication, such as Windows or client-certificate authentication.

  • Do you encrypt the network traffic?

Use encrypted communication channels, such as those provided by IPSec or virtual private network (VPN) connections. Do not support remote administration over insecure channels. IPSec allows you to limit the identity and number of client machines that can be used to administer the server.

Do you secure configuration stores?

Identify the configuration stores of your application and then examine your approach to restricting access to the stores and securing the data inside the stores.

  • Is your configuration store in the Web space?

Configuration data that is held in files in the Web space is considered less secure than data that is held outside the Web space. Host configuration mistakes or undiscovered bugs could potentially allow an attacker to retrieve and download configuration files over HTTP.

  • Is the data in the configuration store secure?

Make sure that key items of configuration data, such as database connection strings, encryption keys, and service account credentials, are encrypted inside the store.

  • How is access to the configuration store restricted?

Check that the administration interface provides the necessary authorization to ensure that only authenticated administrators can access and manipulate the data.
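As an added example, not taken from the original page or from the patterns & practices authors, the following Python script inspects a web.config-style file for two of the points above: whether the store sits inside the Web space, and whether connection strings and sensitive appSettings values are held in clear text. The ENC( ... ) marker used to recognise protected values, and the sample configuration, are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumption for this example: values already protected by the store are wrapped as ENC(...).
PROTECTED = re.compile(r"^ENC\(.+\)$")
# appSettings keys whose value should never be in clear text.
SECRET_KEY = re.compile(r"(password|pwd|secret|key|credential|token)", re.I)
# A clear-text password inside a connection string.
CS_PASSWORD = re.compile(r"(?:password|pwd)\s*=\s*[^;]+", re.I)

# Constructed sample: one clear-text connection string, one clear-text key,
# one protected token and one harmless setting.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db1;Database=Orders;User Id=app;Password=hunter2" />
  </connectionStrings>
  <appSettings>
    <add key="encryptionKey" value="3f9a1c7e0b44d2a1" />
    <add key="apiToken" value="ENC(AQAAANCMnd8BFdERjHoAwE)" />
    <add key="pageSize" value="50" />
  </appSettings>
</configuration>
"""

def in_web_space(config_path: str, web_root: str) -> bool:
    """True if the configuration file lives under the Web root, where a host
    misconfiguration could expose it over HTTP. Accepts / or \\ separators."""
    path, root = PureWindowsPath(config_path), PureWindowsPath(web_root)
    return path == root or root in path.parents

def find_clear_text_secrets(config_xml: str) -> list:
    """Return (location, reason) pairs for each secret stored in clear text."""
    findings = []
    tree = ET.fromstring(config_xml)
    for add in tree.iterfind("./connectionStrings/add"):
        if CS_PASSWORD.search(add.get("connectionString", "")):
            findings.append((add.get("name"), "clear-text password in connection string"))
    for add in tree.iterfind("./appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        if SECRET_KEY.search(key) and not PROTECTED.match(value):
            findings.append((key, "sensitive setting not encrypted"))
    return findings

if __name__ == "__main__":
    print("in Web space:", in_web_space("/inetpub/wwwroot/app/web.config", "/inetpub/wwwroot"))
    for location, reason in find_clear_text_secrets(SAMPLE_CONFIG):
        print(f"{location}: {reason}")
```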


Do you separate administrator privileges?

If your administration interfaces support different functionalities — for example, site content updates, service account reconfiguration, and database connection details — verify that your administration interfaces support role-based authorization to differentiate between content developers and operators or system administrators. For example, the person who updates static Web site content should not necessarily be allowed to alter the credit limit of a customer or reconfigure a database connection string.
