Any admin worth his/her salt has a common set of tools and applications they use on a regular basis for managing whatever environment for which they are responsible. Managing the security of the environment is no exception. While this meager blog post makes no claims to aid you in performing a full scale security analysis or penetration test, there are some basic tools you can use to ensure that the most glaring problems are found and mitigated.
- Nmap – This is one of the most popular port scanners found on the Internet, and the reason for this is because it’s, well, a great tool. With configuration options a mile long and a great development community behind it, it really does exactly what it says it will and not much more.
- Nessus – Nessus is a network vulnerability scanner that constantly updates a list of plugins and “checks” which it uses to evaluate a server for given vulnerabilities. While they did recently change their licensing model, replaced their free registered plugin feed with a feature-sparse “home” feed, and also changed from open to closed source, Nessus is still one of the premier vulnerability scanning tools available.
Read the full post »
Have you ever experienced resource contention on your server? If you have, a Windows feature called Windows System Resource Manager (WSRM) might help minimize the impact of those situations. WSRM allows you to control CPU and memory resource allocation to applications, terminal services users, and IIS Application pools when they are scarce.
CPU limits in WSRM kick in when CPU utilization exceeds 70%. Instead of limiting CPU usage, Windows ensures that processes receive at least the amount of processing power specified. You can think of it as a sort of QoS for processors. While being able to set process priority is a feature many people are aware of, it does not provide the level of granularity that many environments require. WSRM allows for different resource policies in different situations. For example, different policies might apply on the weekend than during the workday so that your server’s priorities match the priorities of the business.
In a Terminal Services environment, one user could potentially use all of the available processing power, causing other user sessions to become extremely slow. With WSRM, it is possible to guarantee a user a certain amount of processing power or divide it equally among users—all without wasting available resources. IIS application pools can be managed the same way, allowing administrators to prioritize websites similarly to applications.
Whether you have a misbehaving process you need to rein in, a power user slowing down a terminal server for other users, or just need a better way to manage your server’s resources, WSRM could be the tool that keeps your critical applications running smoothly.

What is URLScan? URLScan is a free tool provided by Microsoft that restricts certain kinds of HTTP requests that IIS will process. Though there are many different uses of URLScan, today I will only be covering SQL Injection blocking.
SQL Injection occurs when attackers enter crafted SQL fragments into data input fields that the application passes through to its database queries. The attacker can modify or retrieve data from your database and, in some cases, even access data stored in your filesystem outside of SQL Server. If you find that you’re a victim of SQL Injection attacks and you’re not equipped to make all of the necessary changes to your application (or if those changes will take a long time to implement), then URLScan may be a good fit for you until you can fix the root cause of the attack.
As of this writing, URLScan 3.1 is the latest edition and can be downloaded from Microsoft. A URLScan ISAPI filter is configured for all websites on your server after performing a default installation of URLScan. This ISAPI filter intercepts requests to IIS and processes the security rules defined in the URLScan.ini file against them.
The blocking of SQL injection attacks is handled by the DenyQueryStringSequences security rule. The rule matches the query string of each IIS request against a list of character sequences that you provide. If the request contains one of the character sequences specified in the security rule, then the request is dropped, logged in the URLScan logs, and a 404 status is returned. You can configure URLScan to only log requests that match your defined character sequences instead of blocking them. I would recommend starting off in logging-only mode so you can determine whether or not valid traffic would be blocked. If valid traffic is being matched, you’ll need to modify the character sequences you are choosing to block.
Below is a configured DenyQueryStringSequences security rule. I have added some of the most common SQL commands used in SQL Injection attacks:
Read the full post »
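The excerpt above ends before the author’s rule appears. As an added example (not the post’s own configuration and not Microsoft’s code), the following Python model shows how the DenyQueryStringSequences check behaves: each sequence is a case-insensitive substring test against the query string, a match is written to the log, and the request gets a 404 unless logging-only mode is on. The sequence list and sample requests are constructed for illustration, and the option names LoggingOnlyMode and UnescapeQueryString follow the URLScan 3.x ini as I recall them; treat both as assumptions rather than a copy of the real file.

```python
"""Model of URLScan's DenyQueryStringSequences rule (added example, not Microsoft's code).

Each sequence is tested as a case-insensitive substring of the query string. A hit
is logged and answered with 404 unless logging-only mode is enabled. Option names
follow the URLScan 3.x ini as I recall them and are assumptions.
"""
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed [Options] and [DenyQueryStringSequences] sections (assumed names).
OPTIONS = {
    "LoggingOnlyMode": 0,      # 1 = log matches but let the request through
    "UnescapeQueryString": 1,  # 1 = also test the URL-decoded query string
}
DENY_QUERY_STRING_SEQUENCES = [
    "--", ";", "xp_", "sp_", "select", "union", "insert", "drop", "exec", "declare",
]


def matching_sequence(query_string: str, sequences: List[str],
                      unescape: bool = True) -> Optional[str]:
    """Return the first deny sequence found in the query string, or None."""
    candidates = [query_string]
    if unescape:
        candidates.append(unquote(query_string))  # catch encoded forms such as %2D%2D
    for seq in sequences:
        for cand in candidates:
            if seq.lower() in cand.lower():
                return seq
    return None


def handle_request(url: str, query_string: str, options: dict,
                   sequences: List[str], log: List[str]) -> Optional[int]:
    """Return 404 when URLScan would reject the request, None when IIS should process it.

    A match is always appended to `log` (standing in for the URLScan log file);
    only the returned status depends on LoggingOnlyMode.
    """
    seq = matching_sequence(query_string, sequences,
                            unescape=bool(options.get("UnescapeQueryString")))
    if seq is None:
        return None
    log.append(f"{url}?{query_string} matched DenyQueryStringSequences entry {seq!r}")
    if options.get("LoggingOnlyMode"):
        return None
    return 404


def review_log_only(requests: List[Tuple[str, str]], sequences: List[str]) -> List[str]:
    """Run sample traffic through logging-only mode and return the resulting log.

    Every entry is a request that blocking mode would have turned into a 404, so
    this list is the false-positive review the post recommends before blocking.
    """
    opts = dict(OPTIONS, LoggingOnlyMode=1)
    log: List[str] = []
    for url, qs in requests:
        handle_request(url, qs, opts, sequences, log)
    return log


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate search that happens to contain
    # "exec", a benign item lookup, and a lookup carrying an encoded "--".
    sample = [
        ("/search.aspx", "q=executive+summary"),
        ("/item.aspx", "id=42"),
        ("/item.aspx", "id=42%2D%2D"),
    ]
    for line in review_log_only(sample, DENY_QUERY_STRING_SEQUENCES):
        print(line)
```

Running the sample in logging-only mode shows why the post advises starting there: the innocent search for "executive summary" is matched by the short sequence "exec", so the sequence list needs tightening before switching LoggingOnlyMode off, while the URL-decoded check is what catches the encoded comment marker.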
Do you know who your internet neighbors are?
Would you buy a lot, build a house, and move your family in if the next-door neighbor was a notorious drug kingpin? Of course not!
It’s important to consider that “where” your business “lives” online matters just as much. I’m not talking about your URL or domain name; I’m talking about the net block your IP addresses are assigned from, and who the company providing them is.
Spam, adult-oriented sites, and gambling sites generate lots of revenue. They can afford the same servers, support, and bandwidth your business can. They also attract a lot of negative attention in the form of Distributed Denial of Service (DDoS) attacks, hacking attempts, and probably the worst: blocking and filtering by legitimate networks and mail servers.
When network operators and email system administrators see lots of spam or non-legitimate traffic from a given network, they’ll often block it. Sure, some legitimate traffic is blocked along with the bad, but it’s typically impossible or too costly to differentiate the good from the bad. If the owner of a Net block has a reputation for continuing to do business with clients that generate “negative attention”, an administrator will often block/filter all of the net blocks owned or operated by that provider.
This all happens behind the scenes and is often completely unknown to you.
Read the full post »
SCVMM 2008 (or “System Center Virtual Machine Manager”) is Microsoft’s answer to a “unified, multi-vendor management solution for the virtual datacenter.” SCVMM R2 was released recently, and along with it came the ability to set up a Self-Service Portal. Using a Self-Service Portal, IT professionals can easily allow others to create, manage, and maintain virtual machines through a web-based interface.
Before setting up the Self-Service Portal, you’ll need a fully-configured SCVMM infrastructure. Luckily, that can be done with a single server or a whole server farm.
The primary constituents to setting up the Self Service Portal are:
Hosts and/or Host Groups
Hosts or Host Groups are servers that support running virtual machines within your infrastructure. Their primary requirement is that Hyper-V must be installed, and the Self-Service Portal requires Hyper-V R2.
Library Servers
The library servers are servers or file share locations that hold the required pieces for creating and managing virtual machines. Those pieces consist of installation media (such as CD/DVD images of operating systems), virtual hard drives (VHDs), and potentially templates.
Templates
Templates are generic, off-line virtual machines that you can configure and redeploy as fully functional virtual machines. One could have a series of templates residing on the Library servers with a different specialization for each (web server, database, etc.).
Self Service Users
Self Service Users are users who are allowed to log into and use the Self-Service Portal. The administrator can define the tasks users are allowed to perform, which can range anywhere from simply starting or stopping virtual machines to full control over creating and deleting them.
Read the full post »