GP Admin Best Practices
Security, Maintenance & Disaster Recovery
IIS (Internet Information Services)
IIS Security and Best Practices
Securing your IIS installation
Install the appropriate IIS modules
Disable the OPTIONS method
Reduces the reconnaissance information available to an attacker (an OPTIONS response lists the HTTP methods the server accepts)
Enable Dynamic IP Restrictions
• Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses
• Minimize the possibility of brute-force password cracking against your web server
• Installing IP and Domain Restrictions in Windows Server 2012 R2
• Done in Server Manager, Roles and Features.
Setting Dynamic IP restrictions
Enable and configure Request Filtering Rules
Restricts types of HTTP requests
Enable logging
• Logs HTTP requests
• Aids in troubleshooting
• Can be used to monitor performance
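The request filtering, dynamic IP restriction and logging steps above applied to one site with the WebAdministration module, as an added example rather than code from the deck; the site name 'Default Web Site', the thresholds and the Web-IP-Security feature install are assumptions to adjust for your server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the deck). Assumptions: Windows Server 2012 R2 or later, the GP site is
# 'Default Web Site', and the numeric limits below are starting points to tune against real traffic.
Import-Module WebAdministration
$site    = 'Default Web Site'          # assumption: your GP web site name
$appHost = 'MACHINE/WEBROOT/APPHOST'   # write to a <location> in applicationHost.config so locked sections still apply

# 1. Request Filtering: deny the OPTIONS verb (and TRACE, which also echoes request details).
foreach ($verb in 'OPTIONS', 'TRACE') {
    $filter = "system.webServer/security/requestFiltering/verbs/add[@verb='$verb']"
    if (-not (Get-WebConfiguration -PSPath $appHost -Location $site -Filter $filter)) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $site `
            -Filter 'system.webServer/security/requestFiltering/verbs' -Name '.' `
            -Value @{ verb = $verb; allowed = $false }
    }
}
# Cap request sizes so oversized bodies, URLs and query strings are rejected before any application code runs.
$limits = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $limits -Name maxAllowedContentLength -Value 30000000
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $limits -Name maxUrl -Value 4096
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $limits -Name maxQueryString -Value 2048

# 2. Dynamic IP Restrictions (requires the IP and Domain Restrictions role service).
if (-not (Get-WindowsFeature Web-IP-Security).Installed) { Install-WindowsFeature Web-IP-Security }
$dyn = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name maxRequests -Value 100
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000

# 3. Logging: W3C format with the fields needed when investigating blocked or suspicious requests.
$sitePath = "IIS:\Sites\$site"
Set-ItemProperty -Path $sitePath -Name logFile.enabled   -Value $true
Set-ItemProperty -Path $sitePath -Name logFile.logFormat -Value 'W3C'
Set-ItemProperty -Path $sitePath -Name logFile.logExtFileFlags `
    -Value 'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,TimeTaken,UserAgent,Referer'

# Show the verb rules so the result can be checked against IIS Manager.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter 'system.webServer/security/requestFiltering/verbs/add' |
    Select-Object verb, allowed
```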
Security Configuration Wizard (SCW)
Security Compliance Manager (SCM)
• Microsoft tools for testing IIS security.
• Not in IIS Manager - downloadable.
Security and Best Practice Tips
• Use an AD user or machine account to control access to SQL databases rather than store a SQL login in the web.config.
• Ensure NTFS permissions are locked down.
• During IIS installation, by default, the InetPub folder is created on the system partition. It is recommended to move InetPub to another partition.
• Do not install unneeded services (FTP, SMTP).
• If possible, install IIS and SQL on separate servers for better security and performance.
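A check for the first tip, written here as an added example and not taken from the deck: it walks the web.config files under a root folder and reports connection strings that carry a SQL login and password instead of the application pool's Windows identity. The root C:\inetpub and the server and database names in the remediation comment are assumptions.

```powershell
# Added example (not from the deck). Assumption: sites live under C:\inetpub; change $root if
# InetPub was moved to another partition as recommended above.
$root = 'C:\inetpub'

function Get-ConnectionStringFinding {
    param([string]$Path)
    try { [xml]$cfg = Get-Content -Path $Path -Raw -ErrorAction Stop }
    catch { return [pscustomobject]@{ File = $Path; Name = '-'; Finding = "Unreadable or not XML: $($_.Exception.Message)" } }

    $section = $cfg.SelectSingleNode('//connectionStrings')
    if ($null -eq $section) { return }
    # A section encrypted with aspnet_regiis -pe carries configProtectionProvider; nothing is readable here.
    if ($section.GetAttribute('configProtectionProvider')) {
        return [pscustomobject]@{ File = $Path; Name = '-'; Finding = 'Section is encrypted (protected configuration)' }
    }
    foreach ($add in $section.SelectNodes('add')) {
        $cs = [string]$add.GetAttribute('connectionString')
        # Either the Integrated Security or the Trusted_Connection form means no SQL login is stored.
        $integrated = ($cs -match '(?i)Integrated\s*Security\s*=\s*(SSPI|true|yes)') -or ($cs -match '(?i)Trusted_Connection\s*=\s*(yes|true)')
        $hasSecret  = $cs -match '(?i)(Password|Pwd)\s*='
        if ($hasSecret -and -not $integrated) { $finding = 'SQL login and password stored in web.config' }
        elseif ($integrated)                  { $finding = 'OK: Windows authentication' }
        else                                  { $finding = 'No password present; confirm how this string authenticates' }
        [pscustomobject]@{ File = $Path; Name = $add.GetAttribute('name'); Finding = $finding }
    }
}

Get-ChildItem -Path $root -Recurse -Filter web.config -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ConnectionStringFinding -Path $_.FullName } |
    Where-Object { $_.Finding -notlike 'OK:*' } |
    Format-Table -AutoSize

# Remediation sketch (names are assumptions): change the string to
# "Server=GPSQL01;Database=DYNAMICS;Integrated Security=SSPI", run the app pool as a domain account
# (or IIS APPPOOL\<pool name> on a single box) and grant that identity db_datareader/db_datawriter in SQL.
```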
Security and Best Practice Tips
• Monitor systems with an application such as System Center Operations Manager (SCOM) or LabTech.
• Ensure antivirus is installed and up to date with the latest definitions.
• Updates - The majority of hacks affecting IIS occur on unpatched servers. This demonstrates how important it is to always keep your web server up to date. Ensure that your server is current with the latest updates and security patches. The simple act of performing updates is one of the easiest steps you can take to improve your server’s performance and security.
Please remember to fill out your evaluation form.
Contact CAL:
Call: (860) 485-0910 ext. 3
Email: [email protected]
Online: www.calszone.com
Follow-up forms are available at the back of the room.
Thank you for coming.
Q & A
Disaster Recovery
Protecting your data from the unpredictable
• What is Disaster Recovery?
• Why is Disaster Recovery important?
• What is the difference between backup and Disaster Recovery?
Disaster Recovery Plan
Why is Disaster Recovery important?
Backup versus Disaster Recovery
Disaster Recovery Technologies
Virtualization
Failover Cluster
Archiving
Data Deduplication
Monitoring
Cloud Computing and Technologies
What is “the Cloud”?
Public Cloud
• Pool of shared computing resources, applications and storage offered to the customer as a single service
• Allows the customer to grow/shrink resources as needed
• Delivered “publicly” – cannot be secured with a private firewall and accessed privately
• Often requires an on-staff development resource
Public Cloud network
Private Cloud
• Provides dedicated instance of services for exclusive use
• Can be secured and accessed privately
• Housed in private data center
• Support often outsourced to service provider for hosting
Private Cloud (Data Center)
Hybrid Cloud
• Allows for hardware selection and system design
• Allows organizations to leverage the capabilities of public cloud platform providers while maintaining security
• Better performance
• More expensive than public or private cloud solutions
• Typically used by the financial and healthcare industries
Disaster Recovery and the Cloud
Benefits of Cloud-based DR Solution
• Extends Disaster Recovery Options
• Extends backup options
• Significant cost savings
Back up to and restore from the cloud
• Applications and data remain on-premises
• Data backed up into the cloud
• Data restored onto on-premises hardware when a disaster occurs
• Backup in the cloud becomes a substitute for tape-based off-site backups
Replication to virtual machines in the cloud
• For applications that require aggressive recovery time objectives (RTOs) and recovery point objectives (RPOs)
• Replication to cloud virtual machines can be used to protect both cloud and on-premises production instances
GP Security for SSRS Reporting
GP Security for SSRS
• Reporting Roles
• DO
– Create Active Directory groups to mirror the reporting roles
• Group similar report roles together as necessary
• Only create the ones your company will need
• DON’T
– Directly assign users to roles (Management Nightmare!)
– Give users “Power User” roles who don’t need them
• Site/Folder Security
• DO
– Give administrators full permissions on the site
– Give standard users the “Browser” role for running reports
– Use AD groups
– Mirror site and folder security; differences can cause serious confusion
• DON’T
– Give standard users full permission
– Give permission directly to users (Management Nightmare!)
– Give different permissions at site and folder levels unless absolutely needed
eConnect and Web Services
• Service Security
– Create a service account in Active Directory to run the services under
– Don’t make the service account an administrator or assign it the sysadmin role
– Grant access to the GP system and company databases with the following roles:
• db_datareader
• db_datawriter
– Make sure all company and GP system databases are owned by the 'DYNSA' user (EXEC sp_changedbowner 'DYNSA')
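The service-account steps above carried out as a script, added here as an example and not code from the deck or from Microsoft: it creates the login without any server role, grants only db_datareader and db_datawriter in each GP database, and repairs DYNSA ownership. The SqlServer PowerShell module, the instance GPSQL01, the account CONTOSO\svc-econnect, and the database names DYNAMICS (the default GP system database) and TWO are assumptions.

```powershell
# Added example (not from the deck). Assumptions: SqlServer module installed; adjust the three values below.
Import-Module SqlServer
$instance = 'GPSQL01'               # assumption: GP SQL Server instance
$svc      = 'CONTOSO\svc-econnect'  # assumption: AD service account, deliberately not an admin
$gpDbs    = @('DYNAMICS', 'TWO')    # assumption: system database first, then every company database

# Server-level login from the Windows account. No sysadmin membership is granted, by design.
Invoke-Sqlcmd -ServerInstance $instance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$svc')
    CREATE LOGIN [$svc] FROM WINDOWS;
"@

foreach ($db in $gpDbs) {
    Invoke-Sqlcmd -ServerInstance $instance -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$svc')
    CREATE USER [$svc] FOR LOGIN [$svc];
ALTER ROLE db_datareader ADD MEMBER [$svc];   -- SQL Server 2012+; use sp_addrolemember on older versions
ALTER ROLE db_datawriter ADD MEMBER [$svc];
-- The slide requires DYNSA to own every GP database; repair ownership if it has drifted.
IF (SELECT SUSER_SNAME(owner_sid) FROM sys.databases WHERE name = DB_NAME()) <> N'DYNSA'
    EXEC sp_changedbowner 'DYNSA';
"@
}

# Verify: the account must not be sysadmin (0 expected) and each database must report DYNSA as owner.
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT N'$svc' AS login_name, IS_SRVROLEMEMBER('sysadmin', N'$svc') AS is_sysadmin;
SELECT name, SUSER_SNAME(owner_sid) AS owner_name FROM sys.databases WHERE name IN (N'DYNAMICS', N'TWO');
"@ | Format-Table -AutoSize
```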
• Web Services Internal Security
– Make sure all users that should have access to Web Services are granted access to the DCOM components
– Use one generic administrator account to ensure access in case of disabled AD accounts or AD account issues
– Make note of all ports used during the installation for future reference
SQL Server Services and Database Security
• SQL Server Service Accounts
– Remember that SQL has multiple services and may have more than one account
– Configure SQL services to use non-built-in accounts to have greater control over access to system resources
– Make sure to grant read/write access to all locations used by SQL Agent Jobs to the agent’s service account
• SQL Features to be Careful With
– xp_cmdshell
– SQL CLR and Extended Procedures
– Trustworthy Mode
– Ad-Hoc Queries
– OPENROWSET() without a linked server
– The SA password
Management Reporter Services and GP Share
MR Services and GP Share
• Management Reporter
– Avoid the use of SA for access to the database
– Use Integrated Security (SSPI) where possible
– Make sure the user has the following roles
• Server Roles
– securityadmin
– dbcreator
– Run services on a server other than SQL
– Plan for high volumes of data
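An audit covering both the "SQL Features to be Careful With" list and the Management Reporter server roles above, added here as an example that is not from the deck: it reads the surface-area options, TRUSTWORTHY databases, non-Microsoft extended procedures, high-privilege role membership and the state of the sa login. The SqlServer module and the instance name GPSQL01 are assumptions; run it as a login that can read the catalog views.

```powershell
# Added example (not from the deck). Assumptions: SqlServer module installed, instance GPSQL01.
Import-Module SqlServer
$instance = 'GPSQL01'

# Surface-area options from the slide; value_in_use = 1 means the feature is switched on.
$enabled = Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ad Hoc Distributed Queries');
"@ | Where-Object { $_.value_in_use -eq 1 }
$enabled | ForEach-Object { Write-Warning "Enabled on ${instance}: $($_.name)" }

# TRUSTWORTHY lets code inside a database act with its owner's server-level rights.
# msdb has it on by design; any other database is a finding worth explaining.
Invoke-Sqlcmd -ServerInstance $instance -Query "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name <> 'msdb';" |
    ForEach-Object { Write-Warning "TRUSTWORTHY is on for database $($_.name)" }

# Extended stored procedures that did not ship with SQL Server (DLLs loaded into the engine): review each one.
Invoke-Sqlcmd -ServerInstance $instance -Database master -Query "SELECT name FROM sys.objects WHERE type = 'X' AND is_ms_shipped = 0;" |
    ForEach-Object { Write-Warning "Non-Microsoft extended procedure: $($_.name)" }

# Server role membership: sysadmin should be a short, known list; the Management Reporter
# account needs only securityadmin and dbcreator per the slide.
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'dbcreator')
ORDER BY r.name, m.name;
"@ | Format-Table -AutoSize

# The sa login is always sid 0x01, even when renamed: confirm it is disabled, or at least policy-checked.
Invoke-Sqlcmd -ServerInstance $instance -Query "SELECT name, is_disabled, is_policy_checked FROM sys.sql_logins WHERE sid = 0x01;" |
    Format-Table -AutoSize
```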
• GP Share
– Make sure all GP users have Read/Write access to the GP share
– Consider using a group to avoid updating security when adding/removing users
– Only grant Read/Write access to folders containing check signatures to users that are allowed to print/administer them
– Make sure to take regular backups during off hours to avoid corrupting report dictionaries
– Regularly inspect the share to make sure old data is not filling up the disk
• Remove unnecessary old database backups
• Remove old log files
• Remove old versions of software
Fin