Welcome to Portal Experts | Vishwak.com |Blogs

E Ravi

September 2007 - Posts

Webcasts on IIS 7.0 in October 2007

October is full of learning opportunities around IIS 7.0. Throughout the entire month we’ll be producing webcasts covering IIS 7.0 in its entirety, starting with what’s new and going through troubleshooting and diagnostics. This is a great way to get ramped up and ready to deploy IIS 7.0.

· What’s New in Microsoft Internet Information Services 7.0 for IT Professionals: Tuesday, October 02, 2007, 11:30 AM Pacific Time (US & Canada)
· Microsoft Internet Information Services 7.0 Diagnostics & Troubleshooting: Thursday, October 04, 2007, 9:30 AM Pacific Time (US & Canada)
· Securing and Tuning Microsoft Internet Information Services 7.0: Tuesday, October 09, 2007, 11:30 AM Pacific Time (US & Canada)
· Deploying and Managing Web Farms: Thursday, October 11, 2007, 9:30 AM Pacific Time (US & Canada)
· Secure, Simplified Web Publishing using Microsoft Internet Information Services 7.0: Tuesday, October 16, 2007, 11:30 AM Pacific Time (US & Canada)
· Securely Delegating Remote Web Site Administration With Internet Information Services 7.0: Thursday, October 18, 2007, 9:30 AM Pacific Time (US & Canada)
· Windows SharePoint Services and Windows Server 2008: Tuesday, October 23, 2007, 11:30 AM Pacific Time (US & Canada)
· Automating Microsoft Internet Information Services 7.0: Thursday, October 25, 2007, 9:30 AM Pacific Time (US & Canada)

Securing Your Web Server - IIS and Windows 2003

Secure your web server.

Patches and Updates, IISLockdown, Services, Protocols, Accounts, Files and Directories, Shares, Ports, Registry, Auditing and Logging, Sites and Virtual Directories, Script Mappings, ISAPI Filters, IIS Metabase, Server Certificates, Machine.config, Code Access Security, Other Check Points, Dos and Don'ts

Patches and Updates

  1. MBSA is run on a regular interval to check for latest operating system and components updates.
  2. The latest updates and patches are applied for Windows, IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.)

IISLockdown

  1. IISLockdown has been run on the server.
  2. URLScan is installed and configured.

Services

  1. Unnecessary Windows services are disabled.
  2. Services are running with least-privileged accounts.
  3. FTP, SMTP, and NNTP services are disabled if they are not required.
  4. Telnet service is disabled.
  5. ASP .NET state service is disabled and is not used by your applications.

Protocols

  1. WebDAV is disabled if not used by the application OR it is secured if it is required. For more information, see Microsoft Knowledge Base article 323470, "How To: Create a Secure WebDAV Publishing Directory."
  2. TCP/IP stack is hardened.
  3. NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).

Accounts

  1. Unused accounts are removed from the server.
  2. Windows Guest account is disabled.
  3. Administrator account is renamed and has a strong password.
  4. IUSR_MACHINE account is disabled if it is not used by the application.
  5. If your applications require anonymous access, a custom least-privileged anonymous account is created.
  6. The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
  7. ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.)
  8. Strong account and password policies are enforced for the server.
  9. Remote logons are restricted. (The "Access this computer from the network" user right is removed from the Everyone group.)
  10. Accounts are not shared among administrators.
  11. Null sessions (anonymous logons) are disabled.
  12. Approval is required for account delegation.
  13. Users and administrators do not share accounts.
  14. No more than two accounts exist in the Administrators group.
  15. Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

  1. Files and directories are contained on NTFS volumes.
  2. Web site content is located on a non-system NTFS volume.
  3. Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
  4. The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
  5. Web site root directory has deny write ACE for anonymous Internet accounts.
  6. Content directories have deny write ACE for anonymous Internet accounts.
  7. Remote IIS administration application is removed (\WINNT\System32\Inetsrv\IISAdmin).
  8. Resource kit tools, utilities, and SDKs are removed.
  9. Sample applications are removed (\WINNT\Help\IISHelp, \Inetpub\IISSamples).

Shares

  1. All unnecessary shares are removed (including default administration shares).
  2. Access to required shares is restricted (the Everyone group does not have access).
  3. Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

  1. Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
  2. Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.

Registry

  1. Remote registry access is restricted.
  2. SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.

Auditing and Logging

  1. Failed logon attempts are audited.
  2. IIS log files are relocated and secured.
  3. Log files are configured with an appropriate size depending on the application security requirement.
  4. Log files are regularly archived and analyzed.
  5. Access to the Metabase.bin file is audited.
  6. IIS is configured for W3C Extended log file format auditing.
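Items 4 and 6 above are where the checklist pays off operationally: an archived W3C Extended log is only useful if something actually reads it. The script below is an added example (not part of the original post) that parses the W3C Extended format from its #Fields directive, summarises responses by status, and flags requests for the virtual directories and 404.dll-mapped extensions that later sections of this checklist remove. On a hardened server those requests should never succeed, so any hit is a probe worth reviewing. The log lines are constructed, with RFC 5737 documentation addresses; the field layout is the one IIS writes when W3C Extended logging is selected, which is why the directive is parsed rather than assumed.

```python
"""Analyse IIS W3C Extended log lines for requests to components the checklist removes.

Added example, not from the original post. The log lines below are constructed;
the field layout is parsed from the #Fields directive rather than assumed.
"""
from collections import Counter

# Virtual directories the checklist removes and extensions it maps to 404.dll.
# On a hardened server any request for these is a probe worth reviewing.
REMOVED_DIRS = ("/scripts/", "/iisadmin/", "/iishelp/", "/iissamples/", "/msadc/")
DEAD_EXTENSIONS = (".idq", ".htw", ".ida", ".shtml", ".shtm", ".stm", ".idc", ".htr", ".printer")


def parse_w3c(text):
    """Turn W3C Extended log text into a list of {field: value} dicts."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # layout can change mid-file
            continue
        if line.startswith("#"):
            continue                                   # #Software, #Version, #Date
        if fields is None:
            raise ValueError("log data before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                                   # malformed row: skip, never misalign
        records.append(dict(zip(fields, values)))
    return records


def flag_probes(records):
    """Return requests that touch removed directories or 404.dll-mapped extensions."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if any(stem.startswith(d) for d in REMOVED_DIRS):
            reason = "removed virtual directory"
        elif any(stem.endswith(e) for e in DEAD_EXTENSIONS):
            reason = "extension mapped to 404.dll"
        else:
            continue
        hits.append({"c-ip": rec.get("c-ip"), "stem": stem,
                     "status": rec.get("sc-status"), "reason": reason})
    return hits


def status_summary(records):
    """Count responses by HTTP status, a cheap first pass over an archived log."""
    return Counter(rec.get("sc-status") for rec in records)


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-09-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-09-10 00:00:01 192.0.2.10 GET /default.aspx - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-09-10 00:00:02 192.0.2.10 GET /scripts/test.asp - 80 - 198.51.100.9 - 404 0 2
2007-09-10 00:00:03 192.0.2.10 GET /default.ida - 80 - 198.51.100.9 - 404 0 2
2007-09-10 00:00:04 192.0.2.10 GET /iisadmin/default.htm - 80 - 198.51.100.9 - 403 0 0
2007-09-10 00:00:05 192.0.2.10 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(dict(status_summary(recs)))
    for hit in flag_probes(recs):
        print(hit)
```

Rows whose field count does not match the current #Fields directive are skipped rather than guessed at, because a misaligned column silently turns a client IP into a status code and corrupts every count that follows.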

Sites and Virtual Directories

  1. Web sites are located on a non-system partition.
  2. "Parent paths" setting is disabled.
  3. Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed.
  4. MSADC virtual directory (RDS) is removed or secured.
  5. Include directories do not have Read Web permission.
  6. Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account.
  7. There is script source access only on folders that support content authoring.
  8. There is write access only on folders that support content authoring, and these folders are configured for authentication (and SSL encryption, if required).
  9. FrontPage Server Extensions (FPSE) are removed if not used. If they are used, they are updated and access to FPSE is restricted.

Script Mappings

  1. Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
  2. Unnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config.

ISAPI Filters

  1. Unnecessary or unused ISAPI filters are removed from the server.

IIS Metabase

  1. Access to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
  2. IIS banner information is restricted (IP address in content location disabled).

Server Certificates

  1. Certificate date ranges are valid.
  2. Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail).
  3. The certificate's public key is valid, all the way to a trusted root authority.
  4. The certificate has not been revoked.

Machine.config

  1. Protected resources are mapped to HttpForbiddenHandler.
  2. Unused HttpModules are removed.
  3. Tracing is disabled: <trace enabled="false" />
  4. Debug compiles are turned off: <compilation debug="false" explicit="true" defaultLanguage="vb">
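The Machine.config items above, together with the script-mapping item that sends unused ASP.NET extensions to HttpForbiddenHandler, are all checkable from the XML itself. The following is an added example (not code from the original post): it parses a configuration fragment with the standard-library XML parser and reports tracing that is enabled, debug compilation that is on, and any extension from an audit set that is not routed to System.Web.HttpForbiddenHandler, and it lists the loaded httpModules so unused ones can be reviewed. The two XML samples are constructed; the audit set FORBIDDEN_EXTENSIONS is an assumption you tailor to what the application actually serves.

```python
"""Audit an ASP.NET Machine.config / Web.config fragment against the checklist.

Added example, not from the original post. Constructed XML samples; the set of
extensions to check is an ASSUMPTION you tailor to the application.
"""
import xml.etree.ElementTree as ET

FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"

# ASSUMPTION: extensions this application never serves and therefore expects to
# see refused. Extend with .asmx, .vb, .cs, .resx and so on as appropriate.
FORBIDDEN_EXTENSIONS = {".config", ".rem", ".soap"}


def _system_web(xml_text):
    """Return the <system.web> element, or None if the fragment has none."""
    root = ET.fromstring(xml_text)
    if root.tag == "system.web":
        return root
    return next((child for child in root if child.tag == "system.web"), None)


def handler_map(xml_text):
    """Map each <httpHandlers><add path=...> pattern to its handler type."""
    section = _system_web(xml_text)
    handlers = {}
    if section is None:
        return handlers
    node = section.find("httpHandlers")
    if node is not None:
        for add in node.findall("add"):
            handlers[add.get("path", "")] = add.get("type", "")
    return handlers


def loaded_modules(xml_text):
    """List <httpModules> names so unused ones can be reviewed for removal."""
    section = _system_web(xml_text)
    if section is None:
        return []
    node = section.find("httpModules")
    return [] if node is None else [m.get("name", "") for m in node.findall("add")]


def audit_config(xml_text, forbidden=FORBIDDEN_EXTENSIONS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    section = _system_web(xml_text)
    if section is None:
        return ["no <system.web> section found"]

    # ASP.NET defaults both attributes to false when the element is absent.
    trace = section.find("trace")
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        findings.append('tracing is enabled (<trace enabled="true">)')

    compilation = section.find("compilation")
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append('debug compilation is on (<compilation debug="true">)')

    handlers = handler_map(xml_text)
    for ext in sorted(forbidden):
        handler = handlers.get("*" + ext, "")
        if not handler.startswith(FORBIDDEN_HANDLER):
            findings.append(f"*{ext} is not mapped to HttpForbiddenHandler (got {handler or 'nothing'})")
    return findings


# Constructed sample: fails the trace and debug checks and two handler checks.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" explicit="true" defaultLanguage="vb" />
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting" />
    </httpHandlers>
    <httpModules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    </httpModules>
  </system.web>
</configuration>"""

# Constructed sample: the same fragment after applying the checklist.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" />
    <compilation debug="false" explicit="true" defaultLanguage="vb" />
    <httpHandlers>
      <add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "OK", "modules:", loaded_modules(cfg))
```

Run it against the real %systemroot%\Microsoft.NET\Framework\<version>\CONFIG\machine.config after each patch cycle; a handler whose type begins with something other than System.Web.HttpForbiddenHandler is reported as a finding even if the mapping exists, which is the case that a simple "is the extension listed" check misses.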

Code Access Security

  1. Code access security is enabled on the server.
  2. All permissions have been removed from the local intranet zone.
  3. All permissions have been removed from the Internet zone.

Other Check Points

  1. IISLockdown tool has been run on the server.
  2. HTTP requests are filtered. URLScan is installed and configured.
  3. Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts.

Dos and Don'ts

  1. Do use a dedicated machine as a Web server.
  2. Do physically protect the Web server machine in a secure machine room.
  3. Do configure a separate anonymous user account for each application if you host multiple Web applications.
  4. Do not install the IIS server on a domain controller.
  5. Do not connect an IIS Server to the Internet until it is fully hardened.
  6. Do not allow anyone to locally log on to the machine except for the administrator.

E.Ravi

SQL Server tools from Microsoft

Microsoft provides additional information and downloads for SQL Server that you can take advantage of; the tools on this page are collected from those.

Below is a list of some tools that are really useful for SQL Server end to end. The list covers tools for SQL Server 2000 and SQL Server 2005.

Read80Trace: Read80Trace is a command line utility for processing trace files generated by SQL Server 2000. As output, it generates RML files and/or a database populated with normalized data that can be useful for analyzing the performance of the system. Read80Trace requires that the destination database also run SQL Server 2000 or later.

OSTRESS: OSTRESS is a multithreaded ODBC-based query tool. It reads its input from a command line parameter, RML file(s) produced by read80trace, or standard go-delimited .SQL scripts. In stress mode one thread is created for each connection and all threads run as fast as possible with no synchronization among the threads. This mode is quite useful for generating a specific type of stress load on the server. The replay mode provides a means to synchronize events by ensuring that they play back in the correct sequence that they originally happened, with the same relative duration between events, or both. Three key features provided by OSTRESS replay that are not in the Profiler replay tool are the ability to replay RPC events as remote procedure calls, replay attentions, and replay DTC transactions. It is also command line based so that it can be run as part of an automated process or test script.

PSSDiag: PSSDiag is a diagnostic data collector for Microsoft SQL Server. It can simultaneously collect Perfmon/Sysmon logs, Profiler traces, event logs, SQLDIAG reports, and detailed blocking information. It is commonly used by Microsoft Product Support Services engineers to collect diagnostic data from end-user installations and can also be used by end-users to troubleshoot and monitor their own SQL Server installations.

SQLIO: SQLIO is a tool provided by Microsoft which can also be used to determine the I/O capacity of a given configuration.

SQLH2: The Microsoft SQL Server Health and History Tool (SQLH2) allows you to collect information from instances of SQL Server, store this information, and run reports against the data in order to determine how SQL Server is being used.

SQLH2 Performance Collector: The SQLH2 Performance Collector is a stand-alone service of Microsoft Windows that collects and stores performance counter data from selected servers. You should install this optional component if you are interested in collecting performance counters along with system information. The SQLH2 Collector gathers the data that this service collects and stores this data in the repository when you run the SQLH2 Collector.

SQLH2 Reports: SQL Server Health and History Tool (SQLH2) Reports.

SQL 2000 Sample Databases: Northwind and pubs Sample Databases for SQL Server 2000.

SQL 2000 JDBC Driver: The Microsoft SQL Server 2000 Driver for JDBC is a Type 4 JDBC driver that provides highly scalable and reliable connectivity for the enterprise Java environment. This driver provides JDBC access to SQL Server 2000 through any Java-enabled applet, application, or application server.

SQL Server 2000 Best Practices Analyzer: Microsoft SQL Server Best Practices Analyzer is a database management tool that lets you verify the implementation of common Best Practices. These best practices typically relate to the usage and administration aspects of SQL Server databases and ensure that your SQL Servers are managed and operated well.

SQL 2000 Critical Update: SQL Critical Update scans the computer on which it is running for instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm, and updates the affected files.

SQL 2000 Scan: SQL Scan scans an individual computer, a Windows domain, or a range of IP addresses for instances of SQL Server 2000 and MSDE 2000, and identifies instances that may be vulnerable to the Slammer worm.

SQL 2000 Check: SQL Check scans the computer on which it is running for instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm. SQL Check also identifies vulnerable SQL Server 2000 clusters, but does not disable them.

SQL 2000 Management Pack: The Microsoft SQL Server 2000 Management Pack provides both proactive and reactive monitoring of SQL Server 2000 in an enterprise environment. Availability and configuration monitoring, performance data collection, and default thresholds are built for enterprise-level monitoring. Both local and remote connectivity checks help ensure database availability.

SQL 2005 JDBC Driver: The Microsoft SQL Server 2005 JDBC Driver is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in J2EE (Java2 Enterprise Edition).

SQL 2005 Express Edition Samples: SQL Server 2005 Express Edition Documentation and Samples.

SQL 2005 Sample Databases: SQL Server 2005 Samples and Sample Databases.

SQL 2005 Upgrade Advisor: Microsoft SQL Server 2005 Upgrade Advisor analyzes instances of SQL Server 7.0 and SQL Server 2000 in preparation for upgrading to SQL Server 2005. Upgrade Advisor identifies feature and configuration changes that might affect your upgrade, and it provides links to documentation that describes each identified issue and how to resolve it.

SQL 2005 Mobile SDK: Microsoft SQL Server 2005 Mobile Edition (SQL Server Mobile) is the compact database for rapidly developing applications in both native mode and the .NET Compact Framework that extend enterprise data management capabilities to mobile devices.

SQL 2005 Everywhere: Microsoft SQL Server 2005 Everywhere Edition CTP is the compact database for rapidly developing applications in both native and the managed environment that extend enterprise data management capabilities to desktop applications.

SQL 2005 Express Utility: SQL Server 2005 Express Utility allows you to perform various admin functions.

SQL 2005 Report Packs: SQL Server 2005 Reporting Services Report Packs are add-in reports for Reporting Services.

E.Ravi
