Page 1 of 1 in the IIS category

General Considerations For Securing Windows Servers On The Internet (And Anywhere Else)

Posted in IIS | Networking | PowerShell | Security | SQL Server | Windows at Friday, February 08, 2008 5:04 PM W. Europe Standard Time

By now there are a couple of Windows Servers that I actively manage, or, in the case of projects, I touched while moving the project forward. Most of these servers have an Internet connection. Since I've been asked how to make servers more secure and manageable, here are a couple of management rules I applied. Consider it a checklist.

  • Use a firewall and configure it accordingly.
  • Enable automatic Windows Updates and upgrade to Microsoft Update to receive updates of other Microsoft products like SQL Server.

Okay, the two above should have been obvious.

  • Keep the machine clean.
    Don't install any unnecessary software and don't leave any temporary files on the server. I've seen certificate requests lingering on drive C: and "test" folder remnants. A clean system might reveal hacker activity early in case they leave unfamiliar files behind.
  • Leverage the principle of least privilege.
    All users and service accounts should only have the minimum rights they need. Configure the file system such that system services can only access the files and folders they are in charge of. Typical example: Use a dedicated service account for SQL Server. (Setting this up on SQL 2005 is even simpler.)
  • Rename the Administrator account.
    Rename the Administrator account and make it match your preferred user naming scheme (e.g. agross). You might apply this to your whole organization if you use Active Directory. This makes it harder to pick out the Administrator account from a list of user accounts and works well with account lockout enabled (see below).
  • Create a new "Administrator" account
    and give it a very strong throw-away password. I typically use two or three concatenated GUIDs that I immediately forget. Prevent this account from changing its password, remove all group memberships and disable the account.
  • Audit the hell out of the machine.
    Windows uses the Security event log to record security-related events. Configure auditing using secpol.msc and enable success and failure logging at least for
    • Account logon events,
    • Logon events and
    • Policy change.
    The last option is for tracking changes to the policy you just set.
  • Enable complexity criteria for passwords and account lockout.
    To be found in the same MMC snap-in as above. For account lockout I often go with the default values of 5 attempts and 30 minutes for both the reset counter and the lockout duration.
  • Deactivate file sharing/Microsoft Networking on the WAN connection.
    Because it's most likely unneeded.
  • Secure RDP sessions using a certificate.
    Torsten has a nice write-up on how to leverage SSL to secure the RDP handshaking/authentication phase to defeat man-in-the-middle and ARP spoofing attacks. His article is available in German only, so here's a two-sentence recap: On the server's RDP security tab, enable SSL and choose the same certificate you use for HTTPS encryption. On the client side, enable server authentication.
  • Extra: Allow RDP sessions only from white-listed workstations.
    For a server that was hacked a while ago using an ARP spoofing attack (see bullet above) I wrote a PowerShell script that forces RDP sessions to originate from a list of known workstations. Each RDP user can have multiple allowed workstations. If a logon attempt occurs from another machine, that RDP session is killed immediately.
    # Alert.ps1
    # Logon script for users with known RDP client names.
    # Hashtable of users with known workstations.
    $userWorkstations = @{
    	"user2" = @("VALIDCOMPUTERNAME3")
    }

    # Logoff executable.
    $logoffCommand = $Env:SystemRoot + "\system32\logoff.exe"

    # Trim the user name and the RDP client name ($Env:ClientName is
    # empty for console logons, so cast to [string] before trimming).
    $currentUser = $Env:UserName.Trim()
    $clientName = ([string]$Env:ClientName).Trim()

    # Cancel if a user that's not contained in $userWorkstations logs on.
    if ($userWorkstations.Keys -inotcontains $currentUser)
    {
    	exit
    }

    # Console logons carry no client name; only RDP sessions are checked.
    if ($clientName -eq "")
    {
    	exit
    }

    # Send alert e-mail and log off if the user logs on from an unknown workstation.
    if ($userWorkstations[$currentUser] -inotcontains $clientName)
    {
    	$subject = $("Unknown RDP client '{0}' for user '{1}'" -f $clientName, $currentUser)
    	$message = New-Object System.Net.Mail.MailMessage
    	$message.From = "rdp-alert@example.com"   # Placeholder sender; left blank in the original.
    	$message.To.Add("admin@example.com")      # Placeholder recipient; not given in the original.
    	$message.IsBodyHtml = $false
    	$message.Priority = [System.Net.Mail.MailPriority]::High
    	$message.Subject = $subject
    	$message.Body = $subject
    	$smtp = New-Object System.Net.Mail.SmtpClient
    	$smtp.Host = "localhost"
    	$smtp.Send($message)

    	# Force logoff.
    	& $logoffCommand
    }
    Set the script as a logon script for your users using the Alert.cmd helper script below.
    rem Alert.cmd - runs the Alert.ps1 Powershell script.
    @powershell.exe -noprofile -command .\Alert.ps1
  • Enable SQL Server integrated authentication.
    I don't see a need for SQL Server Authentication in most scenarios, especially if you're running/hosting .NET applications. However, in some projects I've worked on there seems to be a tendency towards SQL Server Authentication for no special reason.
  • Configure IIS log detail and directories.
    I tend to enable full IIS logs, that is, all information regarding a request should be logged. Also, I like my logs residing in "speaking" folders, so instead of %windir%\system32\LogFiles\W3SVC<Some number> they should be placed in %windir%\system32\LogFiles\IIS <Site name>\W3SVC<Some number>. This makes it easy to find the logs you're interested in.
  • Use SSH to connect remotely.
    There's a little free SSH server out there that should fit most users' needs. Besides a secure shell environment, freeSSHd offers SFTP and port tunneling capabilities to tunnel insecure protocols. Authentication works natively against Windows accounts.
  • Deploy a server monitoring tool.
    I like to use the free MRTG tool, but any other tool that lets you quickly spot uncommon activity will do.
  • Use a dedicated management network interface, if possible.
    You should configure strict firewall rules for that interface. Allow access only from a known management subnet.
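The auditing, password complexity and account lockout settings from the checklist above can be applied from a script instead of clicking through secpol.msc. This is an added example, not part of the original post: it writes a security template and applies it with secedit.exe. The template section and key names are the standard ones secedit reads; the file paths under %TEMP% are assumptions.

```powershell
# Added example: apply the audit, password complexity and account lockout
# settings from the checklist with secedit.exe instead of secpol.msc.
# Run from an elevated prompt. Paths are assumptions; adjust as needed.

# Security template in the INF format secedit understands. Single-quoted
# here-string so that $CHICAGO$ is not interpolated.
# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
# [System Access] lockout values are in minutes.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
'@

$templatePath = Join-Path $Env:TEMP "hardening.inf"
$dbPath       = Join-Path $Env:TEMP "hardening.sdb"
$logPath      = Join-Path $Env:TEMP "hardening.log"

# secedit expects a Unicode (UTF-16) template file.
$template | Out-File -FilePath $templatePath -Encoding Unicode

# Apply only the security policy area (audit, password and lockout
# policy); registry, file system and service ACLs stay untouched.
secedit.exe /configure /db $dbPath /cfg $templatePath /areas SECURITYPOLICY /log $logPath /quiet

# Review the log; secedit reports any setting it could not apply there.
Get-Content $logPath
```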

What rules do you apply to make your servers more secure and manageable?

Now Playing: Morcheeba - Dive Deep - Enjoy the ride (feat. Judy Tzuke)

Office 2007 File Icons for Windows SharePoint Services 2.0 and SharePoint Portal Server 2003

Posted in IIS | Office | SharePoint at Saturday, December 16, 2006 8:30 PM W. Europe Standard Time

As you probably know, some applications of the 2007 Office System introduce new file extensions. Word 2007, Excel 2007 and PowerPoint 2007 save their data in a new XML-based format by default. To distinguish between the old (binary) and new (XML) file formats, Microsoft has created four-letter file extensions like docx for Word documents. The XML files are stored in a zip container; if you rename such a file to have a zip extension, you can peek inside it with WinZip and other zip-aware tools.

If you upload documents created with the 2007 Office System to your WSS 2.0/SharePoint 2003 server you will see that the file icon in front of the file name is missing. This is because those versions of SharePoint essentially are not aware of the new file types. You'll have to register the new file types with SharePoint and provide icons for them.

    The archive contains 16x16 icons with 32-bit color depth for all new file types. You'll also find five subfolders with the icons saved in the GIF, JPEG and PNG formats (GIF and JPEG with light and dark backgrounds for transparency). The Photoshop Automation.jsx script can be used to create all five images on the fly using Photoshop's scripting functionality - be sure to install the Photoshop ICO plugin first.
    If you want to extract other icons, these are embedded resources of the executables inside the C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\ folder.
  2. Choose an image format appropriate to your SharePoint style – I went with the images from the gif-light folder as these suit the default SharePoint theme.
  3. Copy the images to the C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\TEMPLATE\IMAGES\ folder on your SharePoint server.
  4. Open the C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\TEMPLATE\XML\docicon.xml file with an editor. Add the following lines under the ByExtension element. Be sure to change the file extension (Value attribute) based on the image format you chose.
    <Mapping Key="docx" Value="docx.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="docm" Value="docm.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="dotx" Value="dotx.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="dotm" Value="dotm.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="xlsx" Value="xlsx.gif" EditText="Microsoft Office Excel" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="xlsm" Value="xlsm.gif" EditText="Microsoft Office Excel" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="xltx" Value="xltx.gif" EditText="Microsoft Office Excel" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="xltm" Value="xltm.gif" EditText="Microsoft Office Excel" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="xlsb" Value="xlsb.gif" EditText="Microsoft Office Excel" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="xlam" Value="xlam.gif" EditText="Microsoft Office Excel" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="pptx" Value="pptx.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="pptm" Value="pptm.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="potx" Value="potx.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="potm" Value="potm.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="ppam" Value="ppam.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="ppsx" Value="ppsx.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
    <Mapping Key="ppsm" Value="ppsm.gif" EditText="Microsoft Office PowerPoint" OpenControl="SharePoint.OpenDocuments"/>
  5. Reset IIS by running iisreset.exe.
  6. You can test whether the new icons work by downloading this zip with sample documents. Upload the files to a document library. If everything worked, you should see something like this:
    [Image: Office 2007 sample documents with icons in SharePoint]
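Steps 4 and 5 above can be scripted so that the docicon.xml edit is repeatable and does not add duplicate Mapping elements when re-run. This is an added example, not part of the original post; it assumes the images were already copied in step 3, uses the paths and extension-to-EditText pairs from the post, and takes the GIF format as the chosen one.

```powershell
# Added example (not from the original post): register the Office 2007
# extensions in docicon.xml from a script instead of hand-editing the file.
# Assumes the images are already in TEMPLATE\IMAGES and that you chose GIF.
$docIconPath = "C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\TEMPLATE\XML\docicon.xml"
$imageExtension = "gif"   # or "jpg"/"png", matching the folder you picked

# Extension -> EditText, as listed in the post.
$mappings = @{
    "docx" = "Microsoft Office Word";       "docm" = "Microsoft Office Word"
    "dotx" = "Microsoft Office Word";       "dotm" = "Microsoft Office Word"
    "xlsx" = "Microsoft Office Excel";      "xlsm" = "Microsoft Office Excel"
    "xltx" = "Microsoft Office Excel";      "xltm" = "Microsoft Office Excel"
    "xlsb" = "Microsoft Office Excel";      "xlam" = "Microsoft Office Excel"
    "pptx" = "Microsoft Office PowerPoint"; "pptm" = "Microsoft Office PowerPoint"
    "potx" = "Microsoft Office PowerPoint"; "potm" = "Microsoft Office PowerPoint"
    "ppam" = "Microsoft Office PowerPoint"; "ppsx" = "Microsoft Office PowerPoint"
    "ppsm" = "Microsoft Office PowerPoint"
}

# Keep a backup before touching a file SharePoint depends on.
Copy-Item $docIconPath "$docIconPath.bak" -Force

$xml = New-Object System.Xml.XmlDocument
$xml.Load($docIconPath)
$byExtension = $xml.SelectSingleNode("//ByExtension")

foreach ($key in ($mappings.Keys | Sort-Object)) {
    # Skip extensions that are already mapped so the script can be re-run.
    if ($byExtension.SelectSingleNode("Mapping[@Key='$key']")) { continue }
    $mapping = $xml.CreateElement("Mapping")
    $mapping.SetAttribute("Key", $key)
    $mapping.SetAttribute("Value", "$key.$imageExtension")
    $mapping.SetAttribute("EditText", $mappings[$key])
    $mapping.SetAttribute("OpenControl", "SharePoint.OpenDocuments")
    [void]$byExtension.AppendChild($mapping)
}

$xml.Save($docIconPath)

# Step 5: restart IIS so SharePoint picks up the new mappings.
iisreset.exe
```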

The next step would be to let SharePoint index the new file types, making them searchable. Unfortunately there are no publicly available IFilters yet. Even the new Windows Desktop Search 3.0 doesn't crawl docx and the like. Update: It appears there's a configuration issue with Windows Desktop Search on my machine, as WDS just does not crawl my documents folder.

Another Update: A reader asked why documents of the Office 2007 flavor are handled differently by SharePoint. Instead of opening a docx in Word when you left-click the document's name, the browser shows a download dialog. Old-style doc files will be opened instantly by Word (assuming you're using Internet Explorer and have the SharePoint collaboration components installed).

Currently I have no idea how to make the new file types be handled the same way as the old files. After all, I'm no SharePoint expert. A workaround for this issue is to click the triangle to the right of the document name and choose "Edit in Microsoft Word" from the drop-down list of actions.

Another thing that may help is adding the MIME types for Office 2007 documents in IIS. Without them, SharePoint serves 2007-style file types with the generic "application/octet-stream" content type. The easiest way to do this is to stop IIS and edit the metabase XML file (C:\WINDOWS\system32\inetsrv\MetaBase.xml) with a text editor. Search for the <IIsMimeMap Location="/LM/MimeMap" …> element and append these lines to the MimeMap attribute:


Be sure to add one MIME type per line. This will make the MIME types globally available on the server. After saving the metabase file, restart IIS.

Now Playing: Zoot Woman – It's automatic

IIS and Unknown MIME Types

Posted in IIS at Sunday, October 23, 2005 6:06 PM W. Europe Daylight Time

Having written my last blog entry, I noticed that IIS won't serve the attached kmz file that stores the Google Earth location data.

It appears that the outcome of Microsoft's Secure Development Lifecycle (SDL), especially Secure by Default, hit me: IIS won't serve files of unknown content type. It responds with an HTTP 404 Not Found error and blocks access to those files. You will have to add a content-type mapping using the IIS MMC snap-in to permit serving such files.

[Image: Configure MIME Types in IIS]

There's no way of disabling MIME type blocking in IIS 6.0. Instead of defining content types on a per-extension basis, you may add a new MIME type for the extension * with a type of application/octet-stream. This provides a default MIME type for all files that don't have one and thereby bypasses the blocking for every extension.

Now playing: Anathema - Judgement - Make it right (F.F.S.)
