Issue:
Security checklist e-Synergy
Solution:
Configuration of the network environment:
1) No physical access to the Internet Information Servers (IIS) and the SQL server.
2) Use a separate NT domain for the external users (resellers, customers and public users) and configure this domain in an external network separated from the internal network. Do not let the domain for the internal users trust the domain for the external users. Configure only a one-way trust, so that the external domain trusts the internal domain. It is then possible to log in as an internal user via a web server of the external domain. A one-way trust can only be configured between two separate Active Directories; within one Active Directory, domains always have a two-way trust.
3) Use separate IIS servers for external users and configure these IIS servers in the external network. External users use a different virtual directory than internal users. This is needed because customers and public users need an anonymous connection, whereas all internal users are forced to use Integrated Windows Authentication or Basic authentication.
4) Configure a firewall between the internal and the external network. Close all ports except port 80 and port 443 for the HTTP and HTTPS traffic between e-Synergy and the website. For the replication of financial data, configure the firewall to allow access over port 1433 for all network addresses where the local financial databases are stored.
5) When employees and other authorized users (internal users) access e-Synergy from the outside world, use a secure protocol (HTTPS) to prevent network sniffing; this makes it impossible to read the e-Synergy data traffic. Alternatively, use Virtual Private Networking (VPN) and configure the VPN server in the external network.
6) Disable the guest account on all servers.
7) Disable all unused local NT logins on your IIS and SQL server, for instance TsInternetUser. This account is used by Terminal Server.
8) Force users to change password every month.
9) Keep virus scanners up to date. Virus scanners frequently identify infected files by scanning for a signature that is a known component of a previously identified virus. The scanners keep these virus signatures in a signature file, which is usually stored on the local hard disk. Because new viruses are discovered frequently, this file should also be updated frequently for the virus scanner to identify all current viruses.
Configuration of the SQL server:
1) Keep all software patches up to date. Software patches provide solutions to known security issues. Check software provider Web sites periodically to see if there are new patches available for software used in your organization.
2) Disable all unnecessary services. See the list at the end of this document.
3) Change the default empty password of the SQL Server system administrator login (SA).
4) Check the SQL logins for people or groups that do not need direct access to the SQL server via a SQL login.
5) Remove other application software and development tools from the servers if they are installed.
6) Use NTFS. The NTFS file system is more secure than the FAT or FAT32 file system.
Configuration of the IIS server:
1) Keep all software patches up to date. Software patches provide solutions to known security issues. Check software provider Web sites periodically to see if there are new patches available for software used in your organization.
2) Disable all unnecessary services. See the list at the end of this document.
3) Install e-Synergy on an NTFS partition.
4) Properties of the virtual directory for internal users on the internal IIS servers:
a. Disable anonymous authentication.
b. Enable Basic authentication if employees must be validated through a firewall via proxy server.
c. Enable Integrated Windows Authentication to validate employees.
d. Define read rights only (no write, script source access or directory browsing).
e. Execute permissions: Scripts Only
f. Application Protection: Medium (Pooled) or High (Isolated)
5) Properties of the virtual directory for external users on the external IIS servers:
a. Enable anonymous authentication for all public users.
b. Enable Basic authentication if resellers and customers must be validated through a firewall via proxy server.
c. Enable Integrated Windows Authentication to validate resellers and customers.
d. Define read rights only (no write, script source access or directory browsing).
e. Execute permissions: Scripts Only
f. Application Protection: Medium (Pooled) or High (Isolated)
6) Give all users only read access to the e-Synergy directory. Only system administrators have full control and can perform an installation, an update or a batch-to-batch conversion of e-Synergy.
7) Disable or remove all sample applications. Samples are just that, samples; they should never be installed on a production server. Note that some samples are installed so that they can be accessed only from http://localhost or 127.0.0.1; they should still be removed. Some examples:
Sample              Virtual directory   Location
IIS Samples         \IISSamples         c:\inetpub\iissamples
IIS Documentation   \IISHELP            c:\winnt\help\iishelp
Data Access         \MSADC              c:\program files\common files\system\msadc
8) Install e-Synergy on a member server, so that no copy of the domain's directory database is available on the server; only local accounts are available.
9) Remove other application software and development tools from the servers if they are installed.
10) Enable logging.
Logging is paramount when you want to determine whether your server is being attacked. Use the W3C Extended Log File Format by following this procedure:
- Load the Internet Information Services tool.
- Right-click site in question, and choose Properties from the context menu.
- Click the Web Site tab.
- Check the Enable Logging check box.
- Choose W3C Extended Log File Format from the Active Log Format drop-down list.
- Click Properties.
- Click the Extended Properties tab, and set the following properties:
- Client IP Address
- User Name
- Method
- URI Stem
- HTTP Status
- Win32 Status
- User Agent
- Server IP Address
- Server Port
The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in.
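As an added example (not part of the e-Synergy checklist), the following Python parses IIS W3C Extended log entries with exactly the fields enabled above, using the #Fields directive to name the columns, and reports per client IP the requests that ended with Win32 status 5 (access denied). The log lines are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample log, in the field order the checklist enables.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-01 08:00:00
#Fields: c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent) s-ip s-port
10.0.0.7 DOMAIN\\jdoe GET /synergy/default.asp 200 0 Mozilla/4.0 192.168.1.10 80
10.0.0.9 - GET /synergy/default.asp 401 5 Mozilla/4.0 192.168.1.10 80
10.0.0.9 - GET /synergy/default.asp 401 5 Mozilla/4.0 192.168.1.10 80
10.0.0.9 - GET /iissamples/default.asp 404 2 Mozilla/4.0 192.168.1.10 80
10.0.0.7 DOMAIN\\jdoe GET /synergy/docs/report.asp 403 5 Mozilla/4.0 192.168.1.10 80
"""

WIN32_ACCESS_DENIED = 5  # "net helpmsg 5" reports: Access is denied.


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields is needed to map the columns.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Skip malformed entries rather than mis-align columns.
            continue
        yield dict(zip(fields, values))


def access_denied_by_client(text):
    """Count entries with sc-win32-status 5 per client IP and collect the URIs hit."""
    counts = Counter()
    uris = defaultdict(set)
    for entry in parse_w3c(text):
        if int(entry["sc-win32-status"]) == WIN32_ACCESS_DENIED:
            counts[entry["c-ip"]] += 1
            uris[entry["c-ip"]].add(entry["cs-uri-stem"])
    return counts, {ip: sorted(u) for ip, u in uris.items()}


if __name__ == "__main__":
    denied, paths = access_denied_by_client(SAMPLE_LOG)
    for ip, n in denied.most_common():
        print(f"{ip}: {n} access-denied request(s) on {', '.join(paths[ip])}")
```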
11) Set Appropriate IIS Log File Access Control Lists (ACL)
Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
- Administrators (Full Control)
- System (Full Control)
- Everyone (RWC)
This helps prevent malicious users from deleting the files to cover their tracks.
Configuration of the e-Synergy application:
1) Define all your IIS servers in the Server access application. The e-Synergy database can then only be accessed by the e-Synergy application from these IIS servers; otherwise anyone could connect to the e-Synergy SQL Server database using another e-Synergy environment. To define your IIS servers, start e-Synergy as a user who has the role Administrator with level Corporate. Select System, Maintenance, Security, Server and add all IIS servers. When no IIS servers are defined in the Server access application, no check is done on which IIS server you connect to the e-Synergy database from.
2) Check that the SQL login Baco has no additional server roles or database access rights. This SQL login is created only to connect to SQL Server; all necessary rights in the database are supplied by the application role Baco, which is part of the database.
Services needed to run IIS and MS SQL Server:
- Event Log
- IIS Admin Service
- License Logging Service
- MSDTC
- Protected Storage
- Remote Procedure Call (RPC) Service
- Server
- Windows NT Server or Windows NT Workstation
- Windows NTLM Security Support Provider
- Workstation
- World Wide Web Publishing Service
- MSSQLServer
- SQL Server Agent
Services that may be needed on the server:
- Certificate Authority (required to issue certificates)
- Content Index (required if using Index Server)
- FTP Publishing Service (required if using the FTP service; it is highly recommended that FTP and Web services run on different servers)
- NNTP Service (required if using the NNTP Service)
- Plug and Play (recommended, but not required)
- Remote Access Services (required if you use dial-up access)
- RPC Locator (required if doing remote administration)
- Server Service (can be disabled, but required to run User Manager)
- SMTP Service (required if using the SMTP Service)
- Telephony Service (required if access is by dial-up connection)
- Uninterruptible Power Supply (UPS) (optional, but it is recommended that you use a UPS)
- Workstation (optional; important if you have UNC virtual roots)
Services mostly not needed on the server:
- Alerter
- ClipBook Server
- Computer Browser
- DHCP Client
- Messenger
- NetBIOS Interface
- Net Logon
- Network DDE and Network DDE DSDM
- Network Monitor Agent
- NWLink NetBIOS
- NWLink IPX/SPX Compatible Transport (not required unless you do not have TCP/IP or another transport)
- Simple TCP/IP Services
- Spooler
- TCP/IP NetBIOS Helper
- WINS Client (TCP/IP)
You may need other services, depending on your network environment, for instance WINS and DHCP.
For a complete list of needed services see HTTP://MSDN.MICROSOFT.COM.
See Microsoft's Secure Internet Information Services 5 Checklist for an IIS 5 checklist.