MARK KRUGER, CFG WWW.COLDFUSIONMUSE.COM Hardening and Optimizing Windows CF Servers


Post on 06-Feb-2016


Page 1: MARK KRUGER, CFG

MARK KRUGER, CFG
WWW.COLDFUSIONMUSE.COM

Hardening and Optimizing Windows CF Servers

Page 2: MARK KRUGER, CFG

Hardening: The Myth of Win Servers Instability

- Left over from NT and Windows 95
- There is no need to reboot your server constantly
- A Windows Server CAN be made Secure
- Not every patch is for you
- Take the simple steps and repeat them for every server.
- Defense in Depth covers a multitude of sins

Page 3: MARK KRUGER, CFG

Hardening: Checklist

- Change the Defaults (This goes for everything!)
  - Administrator Account
  - Administrative Shares
  - Guest Account
- Disable Unneeded Services
  - Print Spooler
  - Fax, ICS, Intersite Message, Remote Registry, Telnet
- Add Auditing For Failed Attempts
- Segregate Data Carefully
  - C drive for system
  - D drive for Data
  - Each drive should have different permissions
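
A read-only audit of the slide 3 items, as an added example that is not part of the original slides. It assumes Windows PowerShell 5.1 on Server 2012 or later, an elevated prompt, English-language auditpol output, and the short service names shown as the mapping for the display names on the slide; the function name is hypothetical.

```powershell
# Added example, not from the slides: read-only audit of the slide 3 checklist.
# Assumes Windows PowerShell 5.1, an elevated prompt, and English auditpol output.

# Short service names assumed for the display names on the slide.
$unneeded = [ordered]@{
    Spooler        = 'Print Spooler'
    Fax            = 'Fax'
    SharedAccess   = 'Internet Connection Sharing (ICS)'
    IsmServ        = 'Intersite Messaging'
    RemoteRegistry = 'Remote Registry'
    TlntSvr        = 'Telnet'
}

function Get-ChecklistFinding {
    $findings = @()
    foreach ($name in $unneeded.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }          # not installed: nothing to disable
        if ($svc.StartType -ne 'Disabled' -or $svc.Status -eq 'Running') {
            $findings += "Service '$($unneeded[$name])' is $($svc.Status), start type $($svc.StartType)"
        }
    }

    # Built-in accounts are matched by well-known RID, so a rename is visible.
    foreach ($user in Get-LocalUser) {
        $rid = $user.SID.Value.Split('-')[-1]
        if ($rid -eq '501' -and $user.Enabled) { $findings += "Guest account '$($user.Name)' is enabled" }
        if ($rid -eq '500' -and $user.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator account still has its default name'
        }
    }

    # Default administrative shares (C$, D$, ADMIN$); IPC$ is left out.
    foreach ($share in Get-SmbShare -Special $true) {
        if ($share.Name -match '^([A-Z]|ADMIN)\$$') { $findings += "Administrative share $($share.Name) is present" }
    }

    # Failed-attempt auditing: the Logon subcategory should include Failure.
    $logon = auditpol /get /subcategory:"Logon" | Select-String -Pattern '^\s*Logon\s'
    if ($logon -and $logon.Line -notmatch 'Failure') {
        $findings += 'Failed logon attempts are not audited'
    }
    $findings
}

Get-ChecklistFinding
```

An empty result means none of the checked defaults remain; each returned string names one checklist item still to be addressed.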

Page 4: MARK KRUGER, CFG

Hardening: Checklist part 2

- Always use NTFS – it allows for extremely granular and layered permissions.
- Set Strong Password Policies
- Set ACLs on file shares
- Minimize “Everyone” group
- Anti-Virus and Updates
  - Anti-virus is only as good as the frequency of update.
  - Real time scan or not is a judgment call (my view)
- Remove unneeded programs
  - Office

Page 5: MARK KRUGER, CFG

Hardening: Checklist Part 3

- Separate DB from Code – if at all possible
- No File based (embedded) DBs
- Always install the SPs
- Judiciously install the patches
- Use the Baseline Security Analyzer.
- Build up the server block by block – add CF last.

BOTTOM LINE: A “hardened” server does only the things you specifically ask it to do.

Page 6: MARK KRUGER, CFG

Hardening: IIS Checklist

- Remove Unneeded File mappings
  - Hdr
  - Mdb
  - Printer
- Support Technologies on a Site by Site basis
  - Don’t Run CF on HTML sites. Don’t run PHP on CF sites etc.
- Don’t allow any old MIME type download.
- Use specific IP settings not catchall settings
- Secure Certificate – New standard is TLS/2048bit.
- Disable HTTPS 2.x and below. http://support.microsoft.com/kb/187498
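
A read-only check of the certificate and protocol items above, added here and not taken from the slides. It assumes “2.x and below” refers to the SSL 2.0 and PCT 1.0 protocols covered by the linked KB article and reads the SCHANNEL registry values that article describes; the function names are hypothetical.

```powershell
# Added example, not from the slides: reports state only, changes nothing.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = 'PCT 1.0', 'SSL 2.0'   # assumption: what the slide means by "2.x and below"

function Get-LegacyProtocolState {
    foreach ($p in $legacy) {
        $key = Join-Path $base "$p\Server"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
        }
        # A missing key or value means the operating system default is in effect.
        if ($null -eq $enabled) { $state = 'Not configured (OS default applies)' }
        elseif ($enabled -eq 0) { $state = 'Disabled' }
        else                    { $state = 'Enabled' }
        [pscustomobject]@{ Protocol = $p; State = $state }
    }
}

function Get-WeakServerCertificate {
    param([int]$MinimumBits = 2048)   # the slide's stated standard
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        try   { $bits = $cert.PublicKey.Key.KeySize }
        catch { continue }            # key type not exposed by this property; skip it
        if ($bits -lt $MinimumBits) {
            [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; KeyBits = $bits }
        }
    }
}

Get-LegacyProtocolState | Format-Table -AutoSize
Get-WeakServerCertificate | Format-Table -AutoSize
```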

Page 7: MARK KRUGER, CFG

Hardening Resources

Microsoft Baseline Security Analyzer - http://technet.microsoft.com/en-us/security/cc184923.aspx

URLScan http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en

SQL Digger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip

MS Win2000 Security checklist - http://technet.microsoft.com/en-us/library/cc751389.aspx

Spath Win2003 sec checklist: http://www.servepath.com/support/win2003-securitychecklist.php
NOTE: Use the “TCP/IP Hardening” check list with great care. It’s not a web server check list.

A security check list list: http://www.securityfocus.com/archive/105/508808/30/150/threaded

Series by Mark Minasi

Page 8: MARK KRUGER, CFG

Troubleshooting (TBS)

Scenario 1 – User complains that “JRUN is locking up”.

Scenario 2 – Server periodically crawls, then speeds up again.

Scenario 3 – a Web service refuses to work.

For each Scenario we are going to do triage. But first, what do we have to work with?

Page 9: MARK KRUGER, CFG

TBS Resources

- Log Files
  - CF Logs – usually in %cf home%/logs
  - Jrun or JVM logs – usually in %cf home%/runtime/logs
  - Hot Spot Logs – Sometimes found in the runtime/bin directory
  - Web Logs – if sites are logging
  - Windows Logs – System, Security, application
- Performance Monitor
  - Web service counters
  - Coldfusion Counters (if you can get them running)
- CFStat
- Jrun Metrics (http://kb2.adobe.com/cps/191/tn_19120.html)
- Server Monitor, Seefusion or Fusion Reactor
- Hard knocks and experience
- Networking Logs (SMTP, Firewall, SNMP)
- Database Logs and error reporting

Page 10: MARK KRUGER, CFG

TBS Scenario 1: JRUN is Locked Up

- Only means a JRUN error on a web page.
  - Could be a hot spot crash
  - Could be queuing threads (most likely)
  - Could be DoS or capacity issue
- Triage Steps
  - Watch Counters in CFSTAT, PerfMon or a monitor
  - Check for a hot spot log file
  - Check JVM Heap Sizes and GC settings
  - Watch “active” requests
  - Monitor the DB for Blocks or Locks
  - Enable “slow page logging” at a reasonable threshold
  - Ask the “predictable timing” question and examine client vars.
  - Check Network settings for other possibilities.

Page 11: MARK KRUGER, CFG

TBS Lockup: Most Likely Suspects (in order)

- DB or other external Service
- JVM Settings Issue (more in a moment)
- Client Vars in Registry
- Specific high traffic page(s) that is underperforming
- Server Resources (File I/O, Memory, Procs etc)
- Conflicting program (Virus scan in RT for example)
- 3rd party jar or CFX Tag
- One of the 3 or 4 hot spot compiler bugs.

Page 12: MARK KRUGER, CFG

TBS and the JVM

- There is one thing that everyone can do – adjust your JVM memory.
- The default is inadequate for anything but a test desktop.
- Use a max and min that are the same or nearly so
- Use as much as you can
  - 1.3 gigs on a 32 bit
  - 6, 8, 16 gigs on a 64 bit (maybe more)

Page 13: MARK KRUGER, CFG

TBS Scenario 2: Server Crawls Periodically

This is usually due to an external resource.

- Check Client Vars and purge routine
- Check routines for backup, scanning etc.
- Try to “trap” the moment the crawl begins
- Think about the traffic patterns – login at market open for example
- DB Indexing Tweaks
- GC issues
- Network Changes or re-negotiation

Page 14: MARK KRUGER, CFG

TBS Scenario 3: Web Service Issues

- Web services rely on domain resolution
  - HOSTS file + DNS
  - Internal External Networking
  - Some resources are local
  - Firewalls have a say
  - Certificates that work for you may not work for your JVM without some extra steps
- Web services use “stub generation” – they create a ‘wrapper’ class that encapsulates the class definition.

Page 15: MARK KRUGER, CFG

TBS Additional Resources

- www.coldfusionmuse.com – Rundowns of troubleshooting adventures
- www.houseoffusion.com – CF-Talk
- www.cfbloggers.org – the best blog aggregator of CF blogs
- http://www.carehart.org/cf411/ - Charlie Arehart puts a great deal of work into this page.

Page 16: MARK KRUGER, CFG

Q and A

[email protected]