slides - Nebraska Cold Fusion Users Group


Hardening and Optimizing Windows CF Servers
MARK KRUGER, CFG
WWW.COLDFUSIONMUSE.COM

Hardening: The Myth of Win Servers Instability
• Left over from NT and Windows 95
• There is no need to reboot your server constantly
• A Windows Server CAN be made Secure
• Not every patch is for you
• Take the simple steps and repeat them for every server.
• Defense in Depth covers a multitude of sins

Hardening: Checklist
• Change the Defaults (This goes for everything!)
  ◦ Administrator Account
  ◦ Administrative Shares
  ◦ Guest Account
• Disable Unneeded Services
  ◦ Print Spooler
  ◦ Fax, ICS, Intersite Messaging, Remote Registry, Telnet
• Add Auditing For Failed Attempts
• Segregate Data Carefully
  ◦ C drive for system
  ◦ D drive for Data
  ◦ Each drive should have different permissions
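
A report-first audit of the services named under "Disable Unneeded Services", as an added example that is not part of the original deck. It assumes PowerShell 3.0 or later in an elevated session; the short service names are the standard Windows names for the services listed, and the `-Apply` switch is this script's own.

```powershell
# Added example: audit the checklist services; nothing is changed unless
# the script is run with -Apply.
param([switch]$Apply)

# Short service name -> name as it appears on the checklist
$checklist = [ordered]@{
    'Spooler'        = 'Print Spooler'
    'Fax'            = 'Fax'
    'SharedAccess'   = 'Internet Connection Sharing (ICS)'
    'IsmServ'        = 'Intersite Messaging'
    'RemoteRegistry' = 'Remote Registry'
    'TlntSvr'        = 'Telnet'
}

function Get-ChecklistService([string]$Name) {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
}

$report = foreach ($name in $checklist.Keys) {
    $svc = Get-ChecklistService $name
    if (-not $svc) {
        # Not installed on this build: nothing to disable.
        [pscustomobject]@{ Service = $checklist[$name]; Name = $name
                           StartMode = 'Absent'; State = '-'; Finding = 'OK' }
        continue
    }
    $hardened = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
    if ($Apply -and -not $hardened) {
        Set-Service  -Name $name -StartupType Disabled
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        $svc = Get-ChecklistService $name          # re-read to confirm
        $hardened = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
    }
    $finding = 'REVIEW'
    if ($hardened) { $finding = 'OK' }
    [pscustomobject]@{ Service = $checklist[$name]; Name = $name
                       StartMode = $svc.StartMode; State = $svc.State
                       Finding = $finding }
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a build or scheduled check flag baseline drift.
if ($report.Finding -contains 'REVIEW') { exit 1 }
```

Remove from `$checklist` any service the server actually needs before using `-Apply`; the slide's point is to disable what is unneeded, not everything on the list.
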

Hardening: Checklist part 2
• Always use NTFS – it allows for extremely granular and layered permissions.
• Set Strong Password Policies
• Set ACLs on file shares
• Minimize “Everyone” group
• Anti-Virus and Updates
  ◦ Anti-virus is only as good as the frequency of update.
  ◦ Real time scan or not is a judgment call (my view)
• Remove unneeded programs
  ◦ Office

Hardening: Checklist Part 3
• Separate DB from Code – if at all possible
• No File based (embedded) DBs
• Always install the SPs
• Judiciously install the patches
• Use the Baseline Security Analyzer.
• Build up the server block by block – add CF last.
• BOTTOM LINE: A “hardened” server does only the things you specifically ask it to do.

Hardening: IIS Checklist
• Remove Unneeded File mappings
  ◦ Hdr
  ◦ Mdb
  ◦ Printer
• Support Technologies on a Site by Site basis
  ◦ Don’t Run CF on HTML sites. Don’t run PHP on CF sites etc.
• Don’t allow any old MIME type download.
• Use specific IP settings not catchall settings
• Secure Certificate – New standard is TLS/2048bit.
• Disable HTTPS 2.x and below.
  ◦ http://support.microsoft.com/kb/187498

Hardening Resources
• Microsoft Baseline Security Analyzer - http://technet.microsoft.com/en-us/security/cc184923.aspx
• URLScan - http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en
• SSL Digger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
• MS Win2000 Security checklist - http://technet.microsoft.com/en-us/library/cc751389.aspx
• ServePath Win2003 security checklist - http://www.servepath.com/support/win2003securitychecklist.php NOTE: Use the “TCP/IP Hardening” checklist with great care. It’s not a web server checklist.
• A list of security checklists - http://www.securityfocus.com/archive/105/508808/30/150/threaded
• Series by Mark Minasi

Troubleshooting (TBS)
• Scenario 1 – User complains that “JRUN is locking up”.
• Scenario 2 – Server periodically crawls, then speeds up again.
• Scenario 3 – a Web service refuses to work.
For each Scenario we are going to do triage. But first, what do we have to work with?

TBS Resources
• Log Files
  ◦ CF Logs – usually in %cf home%/logs
  ◦ JRun or JVM logs – usually in %cf home%/runtime/logs
  ◦ Hot Spot Logs – Sometimes found in the runtime/bin directory
  ◦ Web Logs – if sites are logging
  ◦ Windows Logs – System, Security, Application
• Performance Monitor
  ◦ Web service counters
  ◦ ColdFusion Counters (if you can get them running)
• CFStat
• JRun Metrics (http://kb2.adobe.com/cps/191/tn_19120.html)
• Server Monitor, SeeFusion or FusionReactor
• Hard knocks and experience
• Networking Logs (SMTP, Firewall, SNMP)
• Database Logs and error reporting

TBS Scenario 1: JRUN is Locked Up
• Only means a JRUN error on a web page.
  ◦ Could be a hot spot crash
  ◦ Could be queuing threads (most likely)
  ◦ Could be DoS or capacity issue
• Triage Steps
  ◦ Watch Counters in CFSTAT, PerfMon or a monitor
  ◦ Check for a hot spot log file
  ◦ Check JVM Heap Sizes and GC settings
  ◦ Watch “active” requests
  ◦ Monitor the DB for Blocks or Locks
  ◦ Enable “slow page logging” at a reasonable threshold
  ◦ Ask the “predictable timing” question and examine client vars.
  ◦ Check Network settings for other possibilities.

TBS Lockup: Most Likely Suspects (in order)
• DB or other external Service
• JVM Settings Issue (more in a moment)
• Client Vars in Registry
• Specific high traffic page(s) that are underperforming
• Server Resources (File I/O, Memory, Procs etc)
• Conflicting program (Virus scan in RT for example)
• 3rd party jar or CFX Tag
• One of the 3 or 4 hot spot compiler bugs.

TBS and the JVM
• There is one thing that everyone can do – adjust your JVM memory.
• The default is inadequate for anything but a test desktop.
• Use a max and min that are the same or nearly so
• Use as much as you can
  ◦ 1.3 gigs on a 32 bit
  ◦ 6, 8, 16 gigs on a 64 bit (maybe more)

TBS Scenario 2: Server Crawls Periodically
This is usually due to an external resource.
• Check Client Vars and purge routine
• Check routines for backup, scanning etc.
• Try to “trap” the moment the crawl begins
• Think about the traffic patterns – login at market open for example
• DB Indexing Tweaks
• GC issues
• Network Changes or re-negotiation

TBS Scenario 3: Web Service Issues
• Web services rely on domain resolution
  ◦ HOSTS file + DNS
  ◦ Internal/External Networking
  ◦ Some resources are local
• Firewalls have a say
• Certificates that work for you may not work for your JVM without some extra steps
• Web services use “stub generation” – they create a ‘wrapper’ class that encapsulates the class definition.

TBS Additional Resources
• www.coldfusionmuse.com – Rundowns of troubleshooting adventures
• www.houseoffusion.com – CF-Talk
• www.cfbloggers.org – the best blog aggregator of CF blogs
• http://www.carehart.org/cf411/ - Charlie Arehart puts a great deal of work into this page.

Q and A
[email protected]