According to Microsoft, applications are one of the five biggest areas that you should concentrate on when securing your network. Applications often contain bugs and other vulnerabilities that attackers can exploit to gain unauthorised access to your network. Here are some steps that you can take to secure your network against such attacks. In-house vs. canned applications
There are two main types of applications: in-house and "canned." Your in-house programming team develops your in-house apps. Canned apps are purchased from a vendor. There are some big differences in how you treat these two types of applications. As I go along, I'll point out which techniques are appropriate for each type of application. Staying up to date
If your company uses applications that were developed in-house, the best recommendation that I can make is to keep your applications -- and your developers' skills -- up to date. To see why this is so important, consider this: One of my consulting clients uses several in-house applications. These apps are little more than front-end applications to Fox Pro databases. The problem is that the company is using an ancient version of Fox Pro. Further complicating the situation is the fact that everyone at the company has read and write access to the directory containing the database. Because of this, it would be easy for anyone with a little computer experience to hack the database and possibly extract sensitive data or modify critical information, such as salaries, within the database. So what can this company do to prevent its extreme vulnerability? For starters, it could migrate its database to something more current and secure, such as SQL 2000. The company should also look at recoding the front-end application in Visual Studio .Net, which allows developers to integrate operating system-level security into the applications they write. By staying up to date, they could avoid a lot of security problems. Service accounts
Service accounts are frequently used when an application needs a higher level of access to the system than is granted to the users who are running the application. Typically, the service account receives administrative or even Enterprise Admin privileges. Although some applications require it, assigning such a high level of access to a service account is generally a bad idea. Remember that service accounts seldom, if ever, require password changes. Furthermore, if the application does have a security hole and is running under the service account, then anyone who exploits that hole will have service account privileges. Therefore, you should check out exactly what privileges the service account needs and assign only those privileges. If the service account really does require administrative privileges, you can increase security by assigning the service account an explicit deny to all directories and resources that you know it will never need to access. Hot fixes for canned apps
The need to stay current isn't limited to in-house applications. Canned applications tend to be more vulnerable to attacks than in-house applications. This is because canned applications are so widespread that it's easy for hackers to get their hands on a copy and test it for weaknesses. There are some things that you can do to avoid a security breach due to a canned application. Again, the most important thing is to keep your applications up to date. This doesn't mean that you have to upgrade to the newest version the minute it hits the street. We all know that new products tend to have the most bugs. Instead, focus on trying not to fall more than one or two versions behind the latest releases.