Restarting a Server correctly

If you need to restart a server, use the command prompt rather than the Start menu.
At the command prompt, type:
shutdown /f /r
/f -> forces a shutdown: if anything hangs, it is killed and the shutdown proceeds anyway (the Start menu route doesn't enforce this, so you get logged out, but if something hangs you can't log back in again).
/r -> specifies a restart.
With this there is a 30 second timeout before the server shuts down.


mRemote, handy RDP tool for windows server

mRemote is a full-featured, multi-tab remote connections manager.

It allows you to store all your remote connections in a simple yet powerful interface.

Currently these protocols are supported:

RDP (Remote Desktop)
VNC (Virtual Network Computing)
ICA (Independent Computing Architecture)
SSH (Secure Shell)
Telnet (TELecommunication NETwork)
HTTP/S (Hypertext Transfer Protocol)
Rlogin (Rlogin)
RAW

Binary, as well as source packages are freely available from the downloads page.

Security configurations for MVC application & IIS 7

After Sony was hacked earlier this year, they started taking security really seriously.

Recently I have been involved in a few Sony promotion projects, which taught me a lot about how to make a website more secure, both through the web server configuration and the application itself.

Going through a 50-page configuration benchmark book is a pain, but there are some really simple steps people easily forget. Here are some highlights:

  1. Make sure web content is on non-system partition.
  2. Remove or rename well-known urls.
    %systemdrive%\inetpub\AdminScripts
    %systemdrive%\inetpub\scripts\IISSamples
    http://localhost/iissamples
    http://localhost/iishelp
    http://localhost/printers
    http://localhost/iisadmpwd
  3. Require host headers on all sites. Don't bind http://*:80 to any site.
  4. Disable directory browsing
  5. Set default application pool identity to least privilege principal.
  6. Ensure application pools run under unique identities, and unique application pools for different sites.
  7. Configure the anonymous user identity to use the application pool identity; this greatly reduces the number of accounts needed for websites.
    Open applicationHost.config and make sure the userName attribute of the anonymousAuthentication element is set to a blank string.

    <system.webServer><security><authentication><anonymousAuthentication userName="" /></authentication></security></system.webServer>
  8. Configure authentication.

    a. Ensure sensitive site features are restricted to authenticated principals only.

    <system.webServer><security><authorization><remove users="*" roles="" verbs="" /><add accessType="Allow" roles="administrators" /></authorization></security></system.webServer>

    b. Require SSL for forms authentication and configure forms authentication to use cookies.

    <system.web><authentication><forms cookieless="UseCookies" requireSSL="true" /></authentication></system.web>

    c. Configure cookie protection mode for forms authentication.

    <system.web><authentication><forms cookieless="UseCookies" protection="All" /></authentication></system.web>

    d. Never store passwords in clear text!

  9. ASP.NET configuration.

    a. Set the deployment method to retail by modifying machine.config.

    <system.web><deployment retail="true" /></system.web>

    b. Turn debug off.

    <system.web><compilation debug="false" /></system.web>

    c. Ensure custom error messages are not off.

    <customErrors mode="RemoteOnly" /> or <customErrors mode="On" />

    d. Ensure failed request tracing is not enabled.

    – Open IIS.

    – Go to Connections pane, select server connection, site, application or directory.

    – In actions pane, click failed request tracing… make sure the checkbox is not checked.

    e. Configure session state to use cookies in web.config.

    <system.web><sessionState cookieless="UseCookies" /></system.web>

    f. Ensure cookies are set with HttpOnly attribute in web.config. This will stop client side script access to cookies.

    <configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web></configuration>

    g. Set global .NET trust level. Open IIS, in the features view, double click .NET Trust Levels.

  10. Request filtering & restrictions in web.config: set maxAllowedContentLength, maxUrl, maxQueryString, allowHighBitCharacters (set to false to disallow non-ASCII characters) & allowDoubleEscaping.
    <system.webServer><security><requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false"><requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="1024" /></requestFiltering></security></system.webServer>
  11. Disallow unlisted file extensions in web.config.
    <system.webServer><security><requestFiltering><fileExtensions allowUnlisted="false"><add fileExtension=".asp" allowed="true" /><add fileExtension=".aspx" allowed="true" /><add fileExtension=".html" allowed="true" /></fileExtensions></requestFiltering></security></system.webServer>
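As an added example (not part of the original post, and not code from Sony, Microsoft or the benchmark book), the Python script below audits a web.config for the settings covered in items 8 to 11 above. It parses the XML with the standard library and reports every setting that is missing or weaker than the checklist value. The two embedded web.config samples are constructed for the demo, the requestLimits ceilings are the values from item 10, and the treatment of a missing element as the framework default (for example customErrors defaulting to RemoteOnly) is an assumption stated in the comments.

```python
"""Audit an ASP.NET web.config against the IIS 7 hardening checklist (items 8-11)."""
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carrying the weak settings the checklist warns about.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <forms cookieless="AutoDetect" requireSSL="false" protection="None" />
    </authentication>
    <sessionState cookieless="AutoDetect" />
    <httpCookies httpOnlyCookies="false" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering allowHighBitCharacters="true" allowDoubleEscaping="true">
        <requestLimits maxAllowedContentLength="3000000000" maxUrl="8192" maxQueryString="8192" />
        <fileExtensions allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: the same file with every checklist value applied.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" />
    <authentication mode="Forms">
      <forms cookieless="UseCookies" requireSSL="true" protection="All" />
    </authentication>
    <sessionState cookieless="UseCookies" />
    <httpCookies httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="1024" />
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".aspx" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Ceilings taken from item 10 of the checklist; anything larger (or absent) is reported.
REQUEST_LIMITS = {"maxAllowedContentLength": 30000000, "maxUrl": 4096, "maxQueryString": 1024}


def _find(root, tag):
    """First element with this tag anywhere in the tree, or None."""
    return next(root.iter(tag), None)


def _attr(root, tag, name, default=None):
    """Attribute value of the first <tag> element, or the default when absent."""
    el = _find(root, tag)
    return default if el is None else el.get(name, default)


def _is_true(value):
    return str(value).strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings, one per weak setting; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 9b: debug builds put stack traces and source lines in error pages (assumed default: false).
    if _is_true(_attr(root, "compilation", "debug", "false")):
        findings.append("9b: <compilation debug> is true")
    # 9c: mode="Off" sends the detailed ASP.NET error page to remote clients (assumed default: RemoteOnly).
    if _attr(root, "customErrors", "mode", "RemoteOnly").lower() == "off":
        findings.append("9c: <customErrors mode> is Off")
    # 8b/8c: forms authentication should use cookies, require SSL and fully protect the ticket.
    forms = _find(root, "forms")
    if forms is not None:
        if not _is_true(forms.get("requireSSL", "false")):
            findings.append("8b: <forms requireSSL> is not true")
        if forms.get("cookieless", "") != "UseCookies":
            findings.append("8b: <forms cookieless> is not UseCookies")
        if forms.get("protection", "All") != "All":
            findings.append("8c: <forms protection> is not All")
    # 9e: session IDs in the URL leak through referrers and logs; insist on cookies.
    if _attr(root, "sessionState", "cookieless", "") != "UseCookies":
        findings.append("9e: <sessionState cookieless> is not UseCookies")
    # 9f: HttpOnly keeps client-side script away from cookies (assumed default: false).
    if not _is_true(_attr(root, "httpCookies", "httpOnlyCookies", "false")):
        findings.append("9f: <httpCookies httpOnlyCookies> is not true")
    # 10: request filtering flags (assumed defaults: allowHighBitCharacters true, allowDoubleEscaping false).
    if _is_true(_attr(root, "requestFiltering", "allowHighBitCharacters", "true")):
        findings.append("10: <requestFiltering allowHighBitCharacters> is not false")
    if _is_true(_attr(root, "requestFiltering", "allowDoubleEscaping", "false")):
        findings.append("10: <requestFiltering allowDoubleEscaping> is true")
    for name, ceiling in REQUEST_LIMITS.items():
        value = _attr(root, "requestLimits", name)
        if value is None or int(value) > ceiling:
            findings.append(f"10: <requestLimits {name}> missing or above {ceiling}")
    # 11: unlisted extensions must be denied (assumed default: allowUnlisted true).
    if _attr(root, "fileExtensions", "allowUnlisted", "true").lower() != "false":
        findings.append("11: <fileExtensions allowUnlisted> is not false")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{label}: {len(audit_web_config(text))} finding(s)")
        for f in audit_web_config(text):
            print("  -", f)
```

Run against a real file with `audit_web_config(open("web.config").read())`; the script only reads web.config-level settings, so the applicationHost.config items (anonymous identity, application pool identities, failed request tracing) still need to be checked in IIS Manager.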