Security checklist for Exact Synergy Enterprise
Issue
Security checklist for Exact Synergy Enterprise.
Solutions
The following topics can help to tighten the security of the Exact Synergy Enterprise implementation:
Configuration of the Network Environment
- Allow no physical access to the Internet Information Services (IIS) and SQL servers.
- Use a separate NT domain for the external users (resellers, customers, and public users), and place this domain in an external network that is separated from the internal network. Do not let the internal domain trust the external domain. Configure only a one-way trust in which the external domain trusts the internal domain: an internal user can then log in via a web server in the external domain, but accounts from the external domain cannot be used on the internal network. A one-way trust can only be configured between two separate Active Directory forests (separate directories); domains within a single Active Directory always have a two-way transitive trust.
- Use separate IIS servers for the external users, and place these IIS servers in the external network. External and internal users use different virtual directories. This is required because customers and public users need an anonymous connection, while all internal users are forced to use Integrated Windows Authentication or Basic Authentication (Basic only over a secure protocol such as HTTPS, because Basic sends the credentials base64-encoded rather than encrypted).
- Configure a firewall between the internal and external networks. Close all ports except port 80 and port 443, for the HTTP and HTTPS traffic between Exact Synergy Enterprise and the website. For the replication of financial data, open port 1433 (SQL Server) only for the network addresses where the local financial databases are stored.
- Employees and other authorized (internal) users who access Exact Synergy Enterprise from anywhere besides the office must use a secure protocol (HTTPS), so that the Exact Synergy Enterprise data traffic cannot be read in transit, or a Virtual Private Network (VPN). Place the VPN server in the external network.
- Disable the guest account on all the servers.
- Disable all local NT logins on your IIS and SQL servers that are not used, for example TsInternetUser, the account used by Terminal Services.
- Force users to change their password every month.
- Keep virus scanners up-to-date. Virus scanners frequently identify infected files by scanning for a signature that is a known component of a previously identified virus. The scanners keep these virus signatures in a signature file, which is usually stored on the local hard disk. Because new viruses are discovered frequently, this file should also be updated frequently for the virus scanner to easily identify all the current viruses.
Configuration of the Microsoft SQL Server
- Keep all the software patches up-to-date. Software patches provide solutions for the security issues. Check the software provider websites frequently to see if there are new patches available for the software used in your organization.
- The new process model in IIS 6.0 includes process recycling, which means an administrator can install most IIS patches, and new worker processes load the updated DLLs, without any service interruption.
- Automatic Updates version 1.0 provides three options: notify you when new patches are available; download the patches and notify you when the download is complete; or download the patches and schedule the installation. For more information, see Windows Automatic Updates in Windows Help.
- Disable all the unnecessary services. Refer to the list at the end of this document.
- Change the default empty password of the SQL Server system administrator login (sa). With a blank sa password, anyone who can reach port 1433 can log in with sysadmin rights.
- Check the SQL logins and remove the people or groups who do not need direct access to the SQL server via a SQL login.
- Remove the installed application software, and development tools from the servers.
- Use NTFS. The NTFS file system supports file and folder permissions (ACLs) and auditing; the FAT and FAT32 file systems do not.
Configuration of the IIS Server
- Keep all the software patches up-to-date. Software patches provide solutions for the security issues. Check the software provider websites frequently for new patches for the software used in your organization.
- The new process model in IIS 6.0 includes process recycling. This means an administrator can install most IIS patches, and new worker processes load the updated DLLs, without any service interruption.
- Automatic Updates version 1.0 provides three options: notify you when new patches are available; download the patches and notify you when the download is complete; or download the patches and schedule the installation. For more information, see Windows Automatic Updates in Windows Help.
- Disable all the unnecessary services. Refer to the list at the end of this document.
- Install Exact Synergy Enterprise on a NTFS partition.
- Properties of the virtual directory for the internal users on the internal IIS servers:
a. Disable anonymous authentication.
b. Enable basic authentication only if employees must be validated through a firewall via a proxy server, and then only over HTTPS.
c. Enable Integrated Windows Authentication to validate the employees.
d. Define read rights only (no write, no script source access, and no directory browsing).
e. Execute permissions: scripts only.
f. Application protection: medium (pooled) or high (isolated).
- Properties of the virtual directory for the external users on the external IIS servers:
a. Enable anonymous authentication for the public users.
b. Enable basic authentication only if resellers and customers must be validated through a firewall via a proxy server, and then only over HTTPS.
c. Enable Integrated Windows Authentication to validate resellers and customers.
d. Define read rights only (no write, no script source access, and no directory browsing).
e. Execute permissions: scripts only.
f. Application protection: medium (pooled) or high (isolated).
- Configure new validation and decryption keys instead of keeping the ones shipped with the installation. For more information, see Exact Synergy Enterprise: Installation manual.
- Give all users read-only access to the Exact Synergy Enterprise directory. Only system administrators have full control, and only they can perform an installation, an update, or a batch-to-batch conversion of Exact Synergy Enterprise.
- Disable or remove all sample applications. Samples should never be installed on a production server. If samples are installed, make sure they can only be accessed from http://localhost or 127.0.0.1, but remove them anyway. Some examples are:
Sample            | Virtual directory | Location
IIS Samples       | \IISSamples       | c:\inetpub\iissamples
IIS Documentation | \IISHELP          | c:\winnt\help\iishelp
Data Access       | \MSADC            | c:\program files\common files\system\msadc
- Install Exact Synergy Enterprise on a member server, not on a domain controller, so that there is no copy of the domain's directory database on the server and only local accounts are available there.
- Remove all the other installed application software, and development tools from the servers.
- Enable logging. Logs are important if you want to determine whether your server is being attacked. Use the W3C Extended log file format, configured with the following procedure:
- Load the Internet Information Services tool.
- Right-click Site in question, and select Properties from the context menu.
- Click the Web Site tab.
- Select the Enable Logging check box.
- Select W3C Extended Log File Format from the Active Log Format drop-down list.
- Click Properties.
- Click the Extended Properties tab, and set the following properties:
- Client IP Address
- User Name
- Method
- URI Stem
- HTTP Status
- Win32 Status
- User Agent
- Server IP Address
- Server Port
The last two properties are only useful if you host multiple web sites on a single computer. The Win32 Status property is useful for debugging and for spotting attacks: when you examine the log, look for Win32 status 5, which means access denied. You can find out what other Win32 status codes mean by typing net helpmsg err on the command line, where err is the status number.
- Set appropriate access control lists (ACLs) on the IIS log files. Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are:
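As an added example (it is not part of this checklist and not Exact's own code), the following Python script reads W3C Extended log records that contain exactly the properties listed above and flags what this section and the sample-applications item tell you to look for: clients piling up Win32 status 5 (access denied), any request for the \IISSamples, \IISHELP or \MSADC virtual directories, and successful anonymous requests on the internal virtual directory. The log lines, the /synergy virtual directory name, the account names and the client addresses are all constructed for illustration.

```python
"""Added example: scan IIS W3C Extended log records for the signals the
checklist describes. All log lines, names and addresses are constructed."""
from collections import Counter

# Virtual directories of the sample applications the checklist says to remove.
SAMPLE_VDIRS = ("/iissamples", "/iishelp", "/msadc")

# A few Win32 status codes that show up in IIS logs (text for any other code:
# `net helpmsg <code>` on the server).
WIN32_STATUS = {
    "0": "success",
    "2": "ERROR_FILE_NOT_FOUND",
    "3": "ERROR_PATH_NOT_FOUND",
    "5": "ERROR_ACCESS_DENIED",
    "64": "ERROR_NETNAME_DELETED",
    "1326": "ERROR_LOGON_FAILURE",
}

# Constructed sample log; /synergy is an assumed internal vdir name. The field
# order follows the properties the checklist tells you to enable.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-05-02 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2013-05-02 08:00:01 10.1.1.20 CORP\\jdoe 10.1.1.5 443 GET /synergy/default.aspx 200 0 Mozilla/5.0
2013-05-02 08:00:02 203.0.113.7 - 10.1.1.5 443 GET /synergy/default.aspx 401 5 Mozilla/5.0
2013-05-02 08:00:03 203.0.113.7 - 10.1.1.5 443 GET /synergy/default.aspx 401 5 Mozilla/5.0
2013-05-02 08:00:04 203.0.113.7 - 10.1.1.5 443 GET /synergy/default.aspx 401 5 Mozilla/5.0
2013-05-02 08:00:05 203.0.113.7 - 10.1.1.5 80 GET /msadc/msadcs.dll 404 2 scanner/1.0
2013-05-02 08:00:06 203.0.113.7 - 10.1.1.5 80 GET /iissamples/default.asp 200 0 scanner/1.0
2013-05-02 08:00:07 10.1.1.21 CORP\\asmith 10.1.1.5 443 POST /synergy/Save.aspx 200 0 Mozilla/5.0
2013-05-02 08:00:08 203.0.113.9 - 10.1.1.5 443 GET /synergy/default.aspx 200 0 Mozilla/5.0
"""


def parse_w3c(text):
    """Parse W3C Extended log text into dicts keyed by the #Fields names.

    IIS writes spaces inside a field as '+', so splitting on whitespace is safe.
    A later #Fields directive (written after an IIS restart) replaces the layout.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def find_access_denied(rows, threshold=3):
    """Clients with at least `threshold` records whose Win32 status is 5 (access denied)."""
    counts = Counter(r["c-ip"] for r in rows if r.get("sc-win32-status") == "5")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_sample_hits(rows):
    """Requests for the sample vdirs; a 2xx reply means the samples are still installed."""
    hits = []
    for r in rows:
        uri = r["cs-uri-stem"].lower()
        if any(uri == v or uri.startswith(v + "/") for v in SAMPLE_VDIRS):
            hits.append((r["c-ip"], r["cs-uri-stem"], int(r["sc-status"])))
    return hits


def find_anonymous_on_internal(rows, internal_prefix="/synergy/"):
    """Successful requests on the internal vdir with no user name.

    With anonymous authentication disabled, IIS logs the 401 challenge with '-'
    as the user and the retried, authenticated request with the account name, so
    a 2xx with '-' on the internal vdir means anonymous access is still enabled.
    """
    return [
        (r["c-ip"], r["cs-uri-stem"])
        for r in rows
        if r["cs-uri-stem"].lower().startswith(internal_prefix)
        and r["cs-username"] == "-"
        and r["sc-status"].startswith("2")
    ]


def describe_win32(code):
    """Name a Win32 status code; unknown codes point you at net helpmsg."""
    return WIN32_STATUS.get(code, f"unknown (run: net helpmsg {code})")


if __name__ == "__main__":
    records = parse_w3c(SAMPLE_LOG)
    for ip, n in find_access_denied(records).items():
        print(f"{ip}: {n} x {describe_win32('5')}")
    for ip, uri, status in find_sample_hits(records):
        print(f"sample vdir hit from {ip}: {uri} -> {status}")
    for ip, uri in find_anonymous_on_internal(records):
        print(f"anonymous success on internal vdir from {ip}: {uri}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of a file from %systemroot%\system32\LogFiles; the threshold in find_access_denied is deliberately low for the sample and should be tuned to the site's normal rate of 401 challenges, since every Integrated Windows Authentication logon produces one before the authenticated retry.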
Other configurations relating to Exact Synergy Enterprise
- Define all your IIS servers in the Server access application. The Exact Synergy Enterprise database can then only be accessed by the Exact Synergy Enterprise application running on these IIS servers; otherwise anyone with another Exact Synergy Enterprise environment can connect to your Exact Synergy Enterprise SQL Server database. To define the IIS servers, start Exact Synergy Enterprise as a user who has the administrator role at the corporate level, select System, Maintenance, Security, Server, and add all the IIS servers. When no IIS servers are defined in the Server access application, no check is done on which IIS server connects to the Exact Synergy Enterprise database.
- Check that the SQL login Baco has no additional server roles or database access rights. This SQL login is only used to connect to the SQL server; all necessary rights in the database are granted through the application role Baco, which is part of the database.
- Services needed to run IIS and MS SQL Server: Event Log, IIS Admin Service, License Logging Service, MSDTC, Protected Storage, Remote Procedure Call (RPC) Service, Server, Windows NT Server or Windows NT Workstation, Windows NTLM Security Support Provider, Workstation, World Wide Web Publishing Service, MSSQLServer, and/or SQL Server Agent.
- Services needed on the server only for specific roles: Certificate Authority (required to issue certificates), Content Index (required if using Index Server), FTP Publishing Service (required if using the FTP service; it is highly recommended that FTP and Web services run on different servers), NNTP Service (required if using NNTP), Plug and Play (recommended, but not required), Remote Access Services (required if you use dial-up access), RPC Locator (required for remote administration), Server Service (can be disabled, but required to run User Manager), SMTP Service (required if using SMTP), Telephony Service (required if access is by dial-up connection), Uninterruptible Power Supply (UPS) (optional, but a UPS is recommended), and/or Workstation (optional, but important if you have UNC virtual roots).
- Services not needed on the server: Alerter, ClipBook Server, Computer Browser, DHCP Client, Messenger, NetBIOS Interface, Net Logon, Network DDE and Network DDE DSDM, Network Monitor Agent, NWLink NetBIOS, NWLink IPX/SPX Compatible Transport (not required unless you have no TCP/IP or other transport), Simple TCP/IP Services, Spooler, TCP/IP NetBIOS Helper, and/or WINS Client (TCP/IP). Note that Net Logon is required on a domain member server that validates domain users with Integrated Windows Authentication, as recommended above.
Depending on your network environment you may need other services, for example WINS and DHCP.
For a complete list of required services, see http://msdn.microsoft.com.
For more information on Internet Information Services 5 checklist for Microsoft, see http://technet.microsoft.com/en-us/library/cc750569.aspx.
For more information on managing Internet Information Services 6 security solution, see http://technet.microsoft.com/en-us/library/cc787186(v=ws.10).aspx.
For more information on configuring Web Server Security for Internet Information Services 7, see http://technet.microsoft.com/en-us/library/cc731278(v=ws.10).aspx.
For more information on Windows 2003 server security guide, see http://www.microsoft.com/download/en/details.aspx?id=8222.
For more information on Windows 2008 server security guide, see http://technet.microsoft.com/en-us/library/cc264463.aspx.