MARK KRUGER, CFG WWW.COLDFUSIONMUSE.COM

  1. Hardening and Optimizing Windows CF Servers
  MARK KRUGER, CFG WWW.COLDFUSIONMUSE.COM

  2. Hardening: The Myth of Windows Server Instability
  • Left over from NT and Windows 95
  • There is no need to reboot your server constantly
  • A Windows server CAN be made secure
  • Not every patch is for you
  • Take the simple steps and repeat them for every server
  • Defense in depth covers a multitude of sins

  3. Hardening: Checklist
  • Change the defaults (this goes for everything!)
    • Administrator account (rename it)
    • Administrative shares (C$, ADMIN$)
    • Guest account (disable it)
  • Disable unneeded services
    • Print Spooler
    • Fax, ICS, Intersite Messaging, Remote Registry, Telnet
  • Add auditing for failed attempts
  • Segregate data carefully
    • C: drive for the system
    • D: drive for data
    • Each drive should have different permissions

  4. Hardening: Checklist part 2
  • Always use NTFS – it allows for extremely granular and layered permissions
  • Set strong password policies
  • Set ACLs on file shares
  • Minimize use of the "Everyone" group
  • Anti-virus and updates
    • Anti-virus is only as good as the frequency of its signature updates
    • Real-time scanning or not is a judgment call (my view)
  • Remove unneeded programs
    • Office

  5. Hardening: Checklist Part 3
  • Separate the DB from the code server – if at all possible
  • No file-based (embedded) DBs
  • Always install the service packs
  • Judiciously install the patches
  • Use the Microsoft Baseline Security Analyzer
  • Build up the server block by block – add CF last
  • BOTTOM LINE: A "hardened" server does only the things you specifically ask it to do
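The checklist on slides 3 to 5 is a procedure, so here it is as one script. This is an added example, not the presenter's code: it targets Windows Server 2016 or later (the LocalAccounts cmdlets are not on older builds), and the new administrator name, data path, application pool identity and service list are assumptions to be checked against the server's actual role before running.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the presentation: a repeatable first pass over the
# checklist on slides 3-5. Run elevated on Windows Server 2016 or later.
# The admin name, data path, app pool identity and service list are assumed.
$ErrorActionPreference = 'Stop'

# --- Change the defaults --------------------------------------------------
# The built-in Administrator keeps RID 500 whatever it is called, so renaming
# only blunts lazy brute force; still worth doing. Guest is simply disabled.
$newAdminName = 'svc-boxadmin'                                     # assumed
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -ne $newAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $newAdminName
}
Disable-LocalUser -Name 'Guest'

# Stop the Server service recreating C$, D$ and ADMIN$ at boot. Remote admin
# tools that rely on those shares stop working, so this is a deliberate choice.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord

# --- Disable unneeded services ------------------------------------------
# Service names (not display names) for the slide's list: Print Spooler, Fax,
# Internet Connection Sharing, Intersite Messaging, Remote Registry, Telnet.
$unneeded = 'Spooler', 'Fax', 'SharedAccess', 'IsmServ', 'RemoteRegistry', 'TlntSvr'
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }                  # not installed on this build
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
}

# --- Audit failed attempts ----------------------------------------------
# Failed logons then appear in the Security log as event ID 4625.
auditpol.exe /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Account Lockout" /failure:enable | Out-Null

# --- Strong password policy for local accounts -------------------------
net.exe accounts /minpwlen:14 /maxpwage:90 /lockoutthreshold:5 | Out-Null

# --- Segregate data: system on C:, sites on D:, each with its own ACL ----
# Break inheritance on the data root and grant explicitly: no "Everyone" or
# "Users" entry survives, and the application pool identity gets read-only.
$dataRoot = 'D:\Sites'                                             # assumed
$appPool  = 'IIS APPPOOL\DefaultAppPool'                           # assumed
New-Item -ItemType Directory -Path $dataRoot -Force | Out-Null
icacls.exe $dataRoot /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' "${appPool}:(OI)(CI)RX" | Out-Null

# --- Read back what was changed -----------------------------------------
Get-LocalUser | Select-Object Name, Enabled
Get-Service -Name $unneeded -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
icacls.exe $dataRoot
```

The read-back at the end is the point of "repeat them for every server": run it on a box you believe is done and the output tells you in thirty seconds whether it actually is.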

  6. Hardening: IIS Checklist
  • Remove unneeded file (ISAPI) mappings
    • .htr
    • .mdb (not an ISAPI mapping, but Access database files must never be served)
    • .printer
  • Support technologies on a site-by-site basis
    • Don't run CF on HTML sites. Don't run PHP on CF sites, etc.
  • Don't allow any old MIME type to be downloaded
  • Use specific IP settings, not catch-all settings
  • Secure certificate – the current standard is TLS with a 2048-bit key
  • Disable SSL 2.0 and below (PCT 1.0); on any server built today, SSL 3.0 should be disabled as well
  • http://support.microsoft.com/kb/187498
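The IIS checklist, as an added example that is not from the presentation. It assumes IIS 7 or later with the WebAdministration module for the per-site handler work; the protocol half writes the same SCHANNEL registry keys the KB article in the slide describes for IIS 4 to 6, so it applies to either. The site name and the extension list are assumptions, and the SCHANNEL change needs a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the presentation. Per-site handler removal needs
# IIS 7+ (WebAdministration); the SCHANNEL keys apply to any IIS version.
# The site name and denied extensions are assumptions.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# --- Remove unneeded file mappings, per site -------------------------------
# A site that serves only HTML gets no script handlers at all. Match on the
# handler names IIS and the CF connector install rather than on file extension.
$htmlSite = 'IIS:\Sites\static.example.com'                        # assumed
$unwanted = Get-WebHandler -PSPath $htmlSite |
    Where-Object { $_.Name -match 'ISAPI|CGI|ASP|PHP|ColdFusion|cfm|jsp|printer|htr' }
foreach ($h in $unwanted) {
    "Removing handler {0} ({1}) from {2}" -f $h.Name, $h.Path, $htmlSite
    Remove-WebHandler -Name $h.Name -PSPath $htmlSite
}

# Whatever is not mapped must not be downloadable either: deny the extensions
# that leak data or source through request filtering. Skip ones already there
# (ASP.NET seeds the list with .mdb and .config, and duplicates are an error).
$filter  = 'system.webServer/security/requestFiltering/fileExtensions'
$present = (Get-WebConfigurationProperty -PSPath $htmlSite -Filter $filter -Name Collection).fileExtension
foreach ($ext in '.mdb', '.bak', '.sql', '.log') {
    if ($present -contains $ext) { continue }
    Add-WebConfigurationProperty -PSPath $htmlSite -Filter $filter -Name '.' `
        -Value @{ fileExtension = $ext; allowed = $false }
}

# --- Certificate: 2048-bit is the floor ------------------------------------
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }

# --- Protocols: turn off PCT 1.0, SSL 2.0 and SSL 3.0 server-side ---------
# Both values matter: Enabled=0 switches the protocol off, DisabledByDefault=1
# stops a client from negotiating it back on. TLS is left untouched.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0'
foreach ($proto in $legacy) {
    $key = Join-Path $schannel "$proto\Server"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
}
# Read back: every legacy protocol should show Enabled=0 DisabledByDefault=1
foreach ($proto in $legacy) {
    $v = Get-ItemProperty -Path (Join-Path $schannel "$proto\Server")
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $proto, $v.Enabled, $v.DisabledByDefault
}
```

After the reboot, confirm from the outside with a scanner such as the SSLDigger tool listed on the next slide rather than trusting the registry read-back alone.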

  7. Hardening Resources
  • Microsoft Baseline Security Analyzer - http://technet.microsoft.com/en-us/security/cc184923.aspx
  • URLScan - http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en
  • SSLDigger (Foundstone) - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
  • MS Windows 2000 security checklist - http://technet.microsoft.com/en-us/library/cc751389.aspx
  • ServePath Windows 2003 security checklist - http://www.servepath.com/support/win2003-securitychecklist.php
    NOTE: Use the "TCP/IP Hardening" checklist with great care. It is not a web server checklist.
  • A security checklist thread - http://www.securityfocus.com/archive/105/508808/30/150/threaded
  • Series by Mark Minasi

  8. Troubleshooting (TBS)
  • Scenario 1 – User complains that "JRun is locking up".
  • Scenario 2 – Server periodically crawls, then speeds up again.
  • Scenario 3 – A web service refuses to work.
  For each scenario we are going to do triage. But first, what do we have to work with?

  9. TBS Resources
  • Log files
    • CF logs – usually in %cf home%/logs
    • JRun or JVM logs – usually in %cf home%/runtime/logs
    • HotSpot crash logs (hs_err_pid*.log) – sometimes found in the runtime/bin directory
    • Web logs – if sites are logging
    • Windows event logs – System, Security, Application
  • Performance Monitor
    • Web Service counters
    • ColdFusion counters (if you can get them running)
  • CFStat
  • JRun metrics (http://kb2.adobe.com/cps/191/tn_19120.html)
  • Server Monitor, SeeFusion or FusionReactor
  • Hard knocks and experience
  • Networking logs (SMTP, firewall, SNMP)
  • Database logs and error reporting

  10. TBS Scenario 1: JRun is Locked Up
  • "Locked up" only means a JRun error on a web page
    • Could be a HotSpot crash
    • Could be queuing threads (most likely)
    • Could be a DoS or capacity issue
  • Triage steps
    • Watch counters in CFSTAT, PerfMon or a monitor
    • Check for a HotSpot crash log file
    • Check JVM heap sizes and GC settings
    • Watch "active" requests
    • Monitor the DB for blocks or locks
    • Enable "slow page logging" at a reasonable threshold
    • Ask the "predictable timing" question and examine client vars
    • Check network settings for other possibilities
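The first two triage steps, as an added example that is not part of the presentation: look for a HotSpot crash log, then sample the Windows counters that separate the three causes the slide names. The CF path, process name and sample count are assumptions; the counter names are standard Windows ones, since the ColdFusion-specific counters are not always available (as the previous slide notes).

```powershell
# Added example, not from the presentation: first five minutes of triage for
# "JRun is locked up". CF path, process name and sample count are assumed.
param(
    [string]$CfHome      = 'C:\ColdFusion9',   # assumed
    [string]$ProcessName = 'jrun',             # jrun.exe on CF 8/9; coldfusion.exe from CF 10
    [int]$Samples        = 6                   # 6 x 10 s is enough to see a trend
)

# --- 1. HotSpot crash? -------------------------------------------------
# The JVM writes hs_err_pid<pid>.log into its working directory when it
# aborts, so look in runtime\bin and the CF root, newest first.
$crash = Get-ChildItem -Path (Join-Path $CfHome 'runtime\bin'), $CfHome `
        -Filter 'hs_err_pid*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($crash) {
    "HotSpot crash log: $($crash.FullName) ($($crash.LastWriteTime))"
    # "Problematic frame" names the native library or JIT-compiled method at
    # fault; "Current thread" tells you which request was running. The line
    # after each header carries the detail, hence the one line of context.
    Select-String -Path $crash.FullName -Pattern '^# (Problematic frame|Current thread)' -Context 0, 1
} else {
    "No hs_err_pid*.log found: not a HotSpot crash, so look at threads and the DB"
}

# --- 2. Sample the counters -------------------------------------------
$counters = @(
    "\Process($ProcessName)\% Processor Time",
    "\Process($ProcessName)\Thread Count",
    "\Process($ProcessName)\Private Bytes",
    "\Web Service(_Total)\Current Connections",
    "\PhysicalDisk(_Total)\Avg. Disk Queue Length",
    "\Memory\Available MBytes"
)
$sets = Get-Counter -Counter $counters -SampleInterval 10 -MaxSamples $Samples
foreach ($set in $sets) {
    $row = [ordered]@{ Time = $set.Timestamp.ToString('HH:mm:ss') }
    foreach ($cs in $set.CounterSamples) {
        # last path segment is the counter name, e.g. "Thread Count"
        $row[($cs.Path -split '\\')[-1]] = [math]::Round($cs.CookedValue, 1)
    }
    [pscustomobject]$row
}
# Reading the table:
#  - connections and thread count climbing while CPU stays flat: requests are
#    queued waiting on something outside the JVM (DB, web service, file share)
#  - CPU pinned with private bytes parked near -Xmx: heap exhaustion or a GC storm
#  - disk queue high with the rest flat: file I/O, such as registry client vars
#    or a real-time scanner; check what is scheduled at that time
```

The table is what makes the "predictable timing" question answerable: keep one run from a healthy hour next to the run taken during the complaint and the differing column usually points at the suspect list on the next slide.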

  11. TBS Lockup: Most Likely Suspects (in order)
  • DB or other external service
  • JVM settings issue (more in a moment)
  • Client vars in the registry
  • Specific high-traffic page(s) that underperform
  • Server resources (file I/O, memory, processors, etc.)
  • Conflicting program (real-time virus scan, for example)
  • Third-party JAR or CFX tag
  • One of the 3 or 4 HotSpot compiler bugs

  12. TBS and the JVM
  • There is one thing that everyone can do – adjust your JVM memory
  • The default is inadequate for anything but a test desktop
  • Use a max and min heap (-Xmx and -Xms) that are the same or nearly so
  • Use as much as you can
    • About 1.3 GB on a 32-bit JVM (the practical ceiling on Windows)
    • 6, 8, 16 GB on a 64-bit JVM (maybe more)
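The heap change is made in ColdFusion's jvm.config. The script below is an added example, not the presenter's: it backs the file up, rewrites -Xms and -Xmx to the same value on the java.args line, and refuses a heap that a 32-bit JVM on Windows cannot reserve. The jvm.config path and the heap size are assumptions, and ColdFusion has to be restarted for the change to take effect.

```powershell
# Added example, not from the presentation. Sets -Xms and -Xmx equal in
# jvm.config with a backup first; path and size are assumptions.
param(
    [string]$JvmConfig = 'C:\ColdFusion9\runtime\bin\jvm.config',   # assumed
    [int]$HeapMB       = 1024                                       # assumed
)
$ErrorActionPreference = 'Stop'
$lines = Get-Content $JvmConfig

# Contiguous address space limits a 32-bit Windows JVM to roughly 1.3 GB of
# heap, so check the JVM jvm.config points at before asking for more.
$javaHome = ($lines | Where-Object { $_ -match '^java\.home=' }) -replace '^java\.home=', ''
$is64 = [bool]((& (Join-Path $javaHome 'bin\java.exe') -version 2>&1) -match '64-Bit')
if (-not $is64 -and $HeapMB -gt 1300) {
    throw "32-bit JVM at $javaHome cannot reserve ${HeapMB}m; stay at or below 1300m or move to 64-bit"
}
if (-not ($lines -match '^java\.args=')) {
    throw "no java.args line in $JvmConfig; nothing to edit"
}

Copy-Item $JvmConfig "$JvmConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
$updated = $lines | ForEach-Object {
    if ($_ -match '^java\.args=') {
        $opts = $_ -replace '^java\.args=', ''
        # drop any existing heap flags, then put min == max at the front
        $opts = ($opts -replace '-Xm[sx]\d+[kKmMgG]?\s*', '').Trim()
        "java.args=-Xms${HeapMB}m -Xmx${HeapMB}m $opts"
    } else {
        $_
    }
}
Set-Content -Path $JvmConfig -Value $updated -Encoding Ascii

# Show what CF will start with next time
$updated | Where-Object { $_ -match '^java\.args=' }
```

Equal -Xms and -Xmx means the heap is committed at startup instead of grown under load, which is exactly the moment a server that is already struggling can least afford a resize.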

  13. TBS Scenario 2: Server Crawls Periodically
  • This is usually due to an external resource
  • Check client vars and the purge routine
  • Check scheduled routines for backup, scanning, etc.
  • Try to "trap" the moment the crawl begins
  • Think about the traffic patterns – logins at market open, for example
  • DB indexing tweaks
  • GC issues
  • Network changes or renegotiation

  14. TBS Scenario 3: Web Service Issues
  • Web services rely on name resolution
    • HOSTS file + DNS
  • Internal vs. external networking
    • Some resources are local
    • Firewalls have a say
  • Certificates that work for you (trusted in the Windows certificate store) may not work for your JVM (which has its own truststore) without some extra steps
  • Web services use "stub generation" – they create a "wrapper" class that encapsulates the class definition
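The "extra steps" for the certificate bullet, as an added example that is not from the presentation: fetch the certificate the endpoint presents, look at it, and import it into the cacerts truststore of the JRE ColdFusion runs on, which is separate from the Windows certificate store. The endpoint, the JRE path and the default store password are assumptions.

```powershell
# Added example, not from the presentation. Imports an endpoint's certificate
# into the CF JRE's cacerts. Host, JRE path and store password are assumed.
param(
    [string]$TargetHost = 'api.partner.example',          # assumed
    [int]$Port          = 443,
    [string]$JreHome    = 'C:\ColdFusion9\runtime\jre',   # assumed
    [string]$StorePass  = 'changeit'                      # JDK default, assumed unchanged
)
$ErrorActionPreference = 'Stop'
$keytool = Join-Path $JreHome 'bin\keytool.exe'
$cacerts = Join-Path $JreHome 'lib\security\cacerts'
$cerFile = Join-Path $env:TEMP "$TargetHost.cer"

# 1. Fetch the leaf certificate. The validation callback accepts any chain on
#    purpose: we are retrieving the certificate to inspect it, not trusting it.
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($TargetHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
[IO.File]::WriteAllBytes($cerFile, $cert.Export('Cert'))

# 2. Look before you trust: compare the thumbprint with what the partner
#    published through a channel other than this connection.
'Subject    : ' + $cert.Subject
'Issuer     : ' + $cert.Issuer
'Thumbprint : ' + $cert.Thumbprint
'Valid      : ' + $cert.NotBefore + ' to ' + $cert.NotAfter

# 3. Import only if the alias is not already present, with a backup first.
#    keytool -list exits non-zero when the alias does not exist.
$alias = $TargetHost.ToLower()
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $alias 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { "alias $alias already in $cacerts; nothing to do"; return }
Copy-Item $cacerts "$cacerts.bak"
& $keytool -importcert -noprompt -trustcacerts -alias $alias -file $cerFile -keystore $cacerts -storepass $StorePass

# 4. Confirm, then restart ColdFusion: the JVM reads cacerts only at startup.
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $alias
```

Importing the leaf certificate works until the partner renews it; importing the issuing CA from the same chain instead is the durable choice when that CA is not already in cacerts. Either way, a JRE upgrade ships a fresh cacerts, so keep a note of what was added.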

  15. TBS Additional Resources
  • www.coldfusionmuse.com – rundowns of troubleshooting adventures
  • www.houseoffusion.com – CF-Talk
  • www.cfbloggers.org – the best aggregator of CF blogs
  • http://www.carehart.org/cf411/ – Charlie Arehart puts a great deal of work into this page

  16. Q and A – mkruger@cfwebtools.com
