MARK KRUGER, CFG
WWW.COLDFUSIONMUSE.COM
Hardening and Optimizing Windows CF Servers
Hardening: The Myth of Win Servers Instability
Left over from NT and Windows 95
There is no need to reboot your server constantly
A Windows Server CAN be made Secure
Not every patch is for you
Take the simple steps and repeat them for every server.
Defense in Depth covers a multitude of sins
Hardening: Checklist
Change the Defaults (This goes for everything!)
  Administrator Account
  Administrative Shares
  Guest Account
Disable Unneeded Services
  Print Spooler
  Fax, ICS, Intersite Message, Remote Registry, Telnet
Add Auditing For Failed Attempts
Segregate Data Carefully
  C drive for system
  D drive for Data
  Each drive should have different permissions
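One way to check the "Disable Unneeded Services" item on each server, as an added example that is not part of the original slides. The function names Get-UnneededServiceReport and Disable-UnneededService are hypothetical; the script assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not from the original slides): audit the services that the
# checklist names as unneeded on a web server. Short names are the standard
# Windows service names; one that is absent on a build shows as NotInstalled.
$UnneededServices = [ordered]@{
    Spooler        = 'Print Spooler'
    Fax            = 'Fax'
    SharedAccess   = 'Internet Connection Sharing (ICS)'
    IsmServ        = 'Intersite Messaging'
    RemoteRegistry = 'Remote Registry'
    TlntSvr        = 'Telnet'
}

function Get-UnneededServiceReport {
    param([System.Collections.IDictionary]$Services = $UnneededServices)
    foreach ($name in $Services.Keys) {
        # Win32_Service exposes both the run state and the configured start mode.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Name = $name; Label = $Services[$name]
                               State = 'NotInstalled'; StartMode = 'n/a'; Finding = 'OK' }
            continue
        }
        # Hardened means it cannot start: stopped now AND disabled for next boot.
        $ok = ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
        [pscustomobject]@{ Name = $name; Label = $Services[$name]
                           State = $svc.State; StartMode = $svc.StartMode
                           Finding = $(if ($ok) { 'OK' } else { 'REVIEW' }) }
    }
}

function Disable-UnneededService {
    # -WhatIf previews the change; nothing is altered unless run without it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name)
    process {
        if ($PSCmdlet.ShouldProcess($Name, 'Stop and disable service')) {
            Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $Name -StartupType Disabled
        }
    }
}

$report = Get-UnneededServiceReport
$report | Format-Table -AutoSize
# Preview remediation for everything flagged; drop -WhatIf after review.
$report | Where-Object Finding -eq 'REVIEW' | Disable-UnneededService -WhatIf
```

A service that is stopped but still set to Manual or Auto is flagged REVIEW, because it can be started again on demand or at the next boot.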
Hardening: Checklist part 2
Always use NTFS – it allows for extremely granular and layered permissions.
Set Strong Password Policies
Set ACLs on file shares
Minimize “Everyone” group
Anti-Virus and Updates
  Anti-virus is only as good as the frequency of update.
  Real time scan or not is a judgment call (my view)
Remove unneeded programs
  Office
Hardening: Checklist Part 3
Separate DB from Code – if at all possible
No File based (embedded) DBs
Always install the SPs
Judiciously install the patches
Use the Baseline Security Analyzer.
Build up the server block by block – add CF last.
BOTTOM LINE: A “hardened” server does only the things you specifically ask it to do.
Hardening: IIS Checklist
Remove Unneeded File mappings
  Hdr
  Mdb
  Printer
Support Technologies on a Site by Site basis
  Don’t Run CF on HTML sites. Don’t run PHP on CF sites etc.
  Don’t allow any old MIME type download.
  Use specific IP settings not catchall settings
Secure Certificate – New standard is TLS/2048bit. Disable HTTPS 2.x and below.
  http://support.microsoft.com/kb/187498
Hardening Resources
Microsoft Baseline Security Analyzer - http://technet.microsoft.com/en-us/security/cc184923.aspx
URLScan http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en
SSL Digger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
MS Win2000 Security checklist - http://technet.microsoft.com/en-us/library/cc751389.aspx
Spath Win2003 sec checklist: http://www.servepath.com/support/win2003-securitychecklist.php
  NOTE: Use the “TCP/IP Hardening” check list with great care. It’s not a web server check list.
A security check list list: http://www.securityfocus.com/archive/105/508808/30/150/threaded
Series by Mark Minasi
Troubleshooting (TBS)
Scenario 1 – User complains that “JRUN is locking up”.
Scenario 2 – Server periodically crawls, then speeds up again.
Scenario 3 – a Web service refuses to work.
For each Scenario we are going to do triage. But first, what do we have to work with?
TBS Resources
Log Files
  CF Logs – usually in %cf home%/logs
  Jrun or JVM logs – usually in %cf home%/runtime/logs
  Hot Spot Logs – Sometimes found in the runtime/bin directory
  Web Logs – if sites are logging
  Windows Logs – System, Security, application
Performance Monitor
  Web service counters
  Coldfusion Counters (if you can get them running)
CFStat
Jrun Metrics (http://kb2.adobe.com/cps/191/tn_19120.html)
Server Monitor, Seefusion or Fusion Reactor
Hard knocks and experience
Networking Logs (SMTP, Firewall, SNMP)
Database Logs and error reporting
TBS Scenario 1
JRUN is Locked Up
Only means a JRUN error on a web page.
  Could be a hot spot crash
  Could be queuing threads (most likely)
  Could be DoS or capacity issue
Triage Steps
  Watch Counters in CFSTAT, PerfMon or a monitor
  Check for a hot spot log file
  Check JVM Heap Sizes and GC settings
  Watch “active” requests
  Monitor the DB for Blocks or Locks
  Enable “slow page logging” at a reasonable threshold
  Ask the “predictable timing” question and examine client vars.
  Check Network settings for other possibilities.
TBS Lockup
Most Likely Suspects (in order)
DB or other external Service
JVM Settings Issue (more in a moment)
Client Vars in Registry
Specific high traffic page(s) that is underperforming
Server Resources (File I/O, Memory, Procs etc)
Conflicting program (Virus scan in RT for example)
3rd party jar or CFX Tag
One of the 3 or 4 hot spot compiler bugs.
TBS and the JVM
There is one thing that everyone can do – adjust your JVM memory.
The default is inadequate for anything but a test desktop.
Use a max and min that are the same or nearly so
Use as much as you can
  1.3 gigs on a 32 bit
  6, 8, 16 gigs on a 64 bit (maybe more)
TBS Scenario 2
Server Crawls Periodically
This is usually due to an external resource.
Check Client Vars and purge routine
Check routines for backup, scanning etc.
Try to “trap” the moment the crawl begins
Think about the traffic patterns – login at market open for example
DB Indexing Tweaks
GC issues
Network Changes or re-negotiation
TBS Scenario 3
Web Service Issues
Web services rely on domain resolution
  HOSTS file + DNS
  Internal
  External
Networking
  Some resources are local
  Firewalls have a say
Certificates that work for you may not work for your JVM without some extra steps
Web services use “stub generation” – they create a ‘wrapper’ class that encapsulates the class definition.
TBS Additional Resources
www.coldfusionmuse.com – Rundowns of troubleshooting adventures
www.houseoffusion.com – CF-Talk
www.cfbloggers.org – the best blog aggregator of CF blogs
http://www.carehart.org/cf411/ - Charlie Arehart puts a great deal of work into this page.
Q and A