
- Number of slides: 16
Hardening and Optimizing Windows CF Servers
Mark Kruger, CFG
www.coldfusionmuse.com
Hardening: The Myth of Win Servers Instability
- Left over from NT and Windows 95
- There is no need to reboot your server constantly
- A Windows Server CAN be made Secure
- Not every patch is for you
- Take the simple steps and repeat them for every server.
- Defense in Depth covers a multitude of sins
Hardening: Checklist
- Change the Defaults (This goes for everything!)
  - Administrator Account
  - Administrative Shares
  - Guest Account
- Disable Unneeded Services
  - Print Spooler
  - Fax, ICS, Intersite Messaging, Remote Registry, Telnet
- Add Auditing For Failed Attempts
- Segregate Data Carefully
  - C drive for system
  - D drive for Data
  - Each drive should have different permissions
Hardening: Checklist Part 2
- Always use NTFS – it allows for extremely granular and layered permissions.
- Set Strong Password Policies
- Set ACLs on file shares
- Minimize the "Everyone" group
- Anti-Virus and Updates
  - Anti-virus is only as good as the frequency of update.
  - Real-time scan or not is a judgment call (my view)
- Remove unneeded programs
  - Office
Hardening: Checklist Part 3
- Separate DB from Code – if at all possible
- No file-based (embedded) DBs
- Always install the SPs
- Judiciously install the patches
- Use the Baseline Security Analyzer.
- Build up the server block by block – add CF last.
- BOTTOM LINE: A "hardened" server does only the things you specifically ask it to do.
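Added example (not part of the deck): a read-only PowerShell audit of the checklist items above, so the same checks can be repeated on every server. It reports and changes nothing. The service names for the slide's list are an assumption (Spooler = Print Spooler, SharedAccess = ICS, IsmServ = Intersite Messaging, TlntSvr = Telnet), and the cmdlets Get-LocalUser, Get-Volume and Get-SmbShare require Windows Server 2012 or later, which is newer than the Windows 2000/2003 era the deck was written for.

```powershell
# Run in an elevated PowerShell on the server. Read-only: nothing is modified.
# Service-name mapping is an assumption, see the lead-in.
$ServicesToDisable = 'Spooler', 'Fax', 'IsmServ', 'SharedAccess', 'RemoteRegistry', 'TlntSvr'

function Test-DefaultAccounts {
    # The built-in Administrator and Guest keep RIDs 500 and 501 whatever they are
    # renamed to, so find them by SID rather than by name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    [pscustomobject]@{
        AdminAccountName = $admin.Name
        AdminRenamed     = ($admin.Name -ne 'Administrator')
        GuestDisabled    = (-not $guest.Enabled)
    }
}

function Test-UnneededServices {
    foreach ($name in $ServicesToDisable) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }            # not installed: nothing to disable
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status
            StartType = $svc.StartType
            Ok        = ($svc.StartType -eq 'Disabled')
        }
    }
}

function Test-FailedLogonAuditing {
    # auditpol prints a table; pick the Logon subcategory row and look for 'Failure'.
    $row = @(auditpol /get /subcategory:Logon) -match '^\s*Logon\s' | Select-Object -First 1
    [pscustomobject]@{
        Setting = ($row -replace '\s{2,}', ' ').Trim()
        Ok      = [bool]($row -match 'Failure')
    }
}

function Test-NtfsVolumes {
    # Every lettered volume should be NTFS so per-drive ACLs can differ.
    Get-Volume | Where-Object DriveLetter | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.DriveLetter
            FileSystem = $_.FileSystem
            Ok         = ($_.FileSystem -eq 'NTFS')
        }
    }
}

function Get-AdministrativeShares {
    # The default C$, ADMIN$ and IPC$ shares carry the Special flag; decide per
    # share whether this server actually needs it.
    Get-SmbShare | Where-Object Special | Select-Object Name, Path
}

Test-DefaultAccounts
Test-UnneededServices    | Format-Table -AutoSize
Test-FailedLogonAuditing
Test-NtfsVolumes         | Format-Table -AutoSize
Get-AdministrativeShares | Format-Table -AutoSize
```

Each function returns objects rather than printing, so the output can be piped to Export-Csv and compared across servers or across time.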
Hardening: IIS Checklist
- Remove Unneeded File Mappings
  - Hdr, Mdb, Printer
- Support Technologies on a Site-by-Site basis
  - Don't run CF on HTML sites. Don't run PHP on CF sites, etc.
- Don't allow any old MIME type download.
- Use specific IP settings, not catch-all settings
- Secure Certificate – New standard is TLS/2048 bit.
  - Disable HTTPS 2.x and below: http://support.microsoft.com/kb/187498
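Added example (not from the deck): the registry change that KB 187498 describes for turning off the old SSL 2.0 server-side protocol in SChannel, plus a report of what is actually set so the change can be verified before the reboot it needs. The SCHANNEL key path is the documented one; running this elevated and rebooting afterwards is assumed.

```powershell
# Disable a server-side SChannel protocol via the registry (KB 187498 method).
# Takes effect after a reboot. Run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol {
    param([Parameter(Mandatory)][string]$Protocol)    # e.g. 'SSL 2.0'
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off for
    # callers that do not name a protocol explicitly.
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SchannelServerProtocolState {
    # Report the explicit setting for each protocol; 'default' means no override exists.
    foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$p\Server"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
        }
        $state = if ($null -eq $enabled) { 'default' } else { $enabled }
        [pscustomobject]@{ Protocol = $p; ServerEnabled = $state }
    }
}

Disable-SchannelServerProtocol -Protocol 'SSL 2.0'
Get-SchannelServerProtocolState | Format-Table -AutoSize
```

The state report is the useful half: it is what you re-run after the reboot, and on every other server, to confirm the setting is really in place.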
Hardening Resources
- Microsoft Baseline Security Analyzer: http://technet.microsoft.com/en-us/security/cc184923.aspx
- URLScan: http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en
- SSLDigger: http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
- MS Win 2000 Security checklist: http://technet.microsoft.com/en-us/library/cc751389.aspx
- ServePath Win 2003 security checklist: http://www.servepath.com/support/win2003securitychecklist.php
  - NOTE: Use the "TCP/IP Hardening" checklist with great care. It's not a web server checklist.
- A security checklist: http://www.securityfocus.com/archive/105/508808/30/150/threaded (series by Mark Minasi)
Troubleshooting (TBS)
- Scenario 1 – User complains that "JRUN is locking up".
- Scenario 2 – Server periodically crawls, then speeds up again.
- Scenario 3 – A web service refuses to work.
- For each scenario we are going to do triage. But first, what do we have to work with?
TBS Resources
- Log Files
  - CF logs – usually in %cf home%/logs
  - JRun or JVM logs – usually in %cf home%/runtime/logs
  - HotSpot logs – sometimes found in the runtime/bin directory
  - Web logs – if sites are logging
  - Windows logs – System, Security, Application
- Performance Monitor
  - Web Service counters
  - ColdFusion counters (if you can get them running)
- CFStat
- JRun Metrics (http://kb2.adobe.com/cps/191/tn_19120.html)
- Server Monitor, SeeFusion or FusionReactor
- Hard knocks and experience
- Networking logs (SMTP, Firewall, SNMP)
- Database logs and error reporting
TBS Scenario 1: JRUN is Locked Up
- "Locked up" only means a JRun error on a web page.
  - Could be a HotSpot crash
  - Could be queuing threads (most likely)
  - Could be a DoS or capacity issue
- Triage Steps
  - Watch counters in CFSTAT, PerfMon or a monitor
  - Check for a HotSpot log file
  - Check JVM heap sizes and GC settings
  - Watch "active" requests
  - Monitor the DB for blocks or locks
  - Enable "slow page logging" at a reasonable threshold
  - Ask the "predictable timing" question and examine client vars.
  - Check network settings for other possibilities.
TBS Lockup: Most Likely Suspects (in order)
- DB or other external service
- JVM settings issue (more in a moment)
- Client vars in the Registry
- Specific high-traffic page(s) that are underperforming
- Server resources (file I/O, memory, procs, etc.)
- Conflicting program (real-time virus scan, for example)
- 3rd-party jar or CFX tag
- One of the 3 or 4 HotSpot compiler bugs
TBS and the JVM
- There is one thing that everyone can do – adjust your JVM memory.
- The default is inadequate for anything but a test desktop.
- Use a max and min that are the same or nearly so
- Use as much as you can
  - 1.3 gigs on a 32-bit
  - 6, 8, 16 gigs on a 64-bit (maybe more)
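Added example (not from the deck): a PowerShell check that reads the java.args line of a ColdFusion jvm.config, pulls out -Xms and -Xmx, and reports whether min and max match as the slide recommends. The jvm.config path and the sample file contents below are constructed for an offline run; on a real server, pass Get-Content of the actual file.

```powershell
function ConvertTo-Megabytes {
    # JVM heap sizes carry an optional k/m/g suffix; no suffix means bytes.
    param([long]$Value, [string]$Unit)
    switch ($Unit.ToLower()) {
        'k'     { [math]::Round($Value / 1024) }
        'm'     { $Value }
        'g'     { $Value * 1024 }
        default { [math]::Round($Value / 1MB) }
    }
}

function Get-JvmHeapSettings {
    param([string[]]$ConfigLines)
    $argsLine = $ConfigLines | Where-Object { $_ -match '^\s*java\.args\s*=' } | Select-Object -First 1
    if (-not $argsLine) { throw 'no java.args line found in jvm.config' }

    $xms = $null
    $xmx = $null
    if ($argsLine -match '-Xms(\d+)([kKmMgG]?)') { $xms = ConvertTo-Megabytes $Matches[1] $Matches[2] }
    if ($argsLine -match '-Xmx(\d+)([kKmMgG]?)') { $xmx = ConvertTo-Megabytes $Matches[1] $Matches[2] }

    $note = 'ok'
    if ($null -eq $xmx)     { $note = '-Xmx not set: the JVM default is in effect' }
    elseif ($xms -ne $xmx)  { $note = 'set -Xms equal (or close) to -Xmx' }

    [pscustomobject]@{
        XmsMB        = $xms
        XmxMB        = $xmx
        MinEqualsMax = ($null -ne $xms -and $xms -eq $xmx)
        Note         = $note
    }
}

# Constructed sample, not a real jvm.config: min and max deliberately differ.
$sample = @(
    '# constructed sample',
    'java.home=C:/ColdFusion9/runtime/jre',
    'java.args=-server -Xms256m -Xmx512m -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m'
)
Get-JvmHeapSettings -ConfigLines $sample

# On a live server (path is an assumption for a default install):
# Get-JvmHeapSettings -ConfigLines (Get-Content 'C:\ColdFusion9\runtime\bin\jvm.config')
```

The constructed sample reports XmsMB 256, XmxMB 512 and MinEqualsMax False, which is the mismatch the slide tells you to remove.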
TBS Scenario 2: Server Crawls Periodically
- This is usually due to an external resource.
- Check client vars and the purge routine
- Check routines for backup, scanning, etc.
- Try to "trap" the moment the crawl begins
- Think about the traffic patterns – login at market open, for example
- DB indexing tweaks
- GC issues
- Network changes or re-negotiation
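Added example (not from the deck) for the "watch counters" step of Scenario 1 and the "trap the moment the crawl begins" step of Scenario 2: a PowerShell loop that samples a few standard Windows and IIS performance counters and writes a timestamped line whenever one crosses a threshold, so the crawl can be lined up against backup schedules, client-var purges and traffic patterns. The counter paths are standard; the thresholds and the log path are assumptions to tune per server.

```powershell
# Standard counter paths (Processor, System, Memory and the IIS Web Service object).
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Web Service(_Total)\Current Connections',
    '\Memory\Available MBytes'
)

# Thresholds are assumptions; adjust to the server's normal baseline.
# Hashtable keys are case-insensitive, which matters because Get-Counter
# lower-cases the paths it returns.
$Thresholds = @{
    '% Processor Time'       = { param($v) $v -gt 85 }
    'Processor Queue Length' = { param($v) $v -gt 4 }
    'Current Connections'    = { param($v) $v -gt 500 }
    'Available MBytes'       = { param($v) $v -lt 256 }
}

function Test-Sample {
    # Return one object per counter in the sample set that breaches its threshold.
    param($SampleSet)
    foreach ($s in $SampleSet.CounterSamples) {
        $name  = ($s.Path -split '\\')[-1]
        $check = $Thresholds[$name]
        if ($check -and (& $check $s.CookedValue)) {
            [pscustomobject]@{
                Time    = $SampleSet.Timestamp
                Counter = $name
                Value   = [math]::Round($s.CookedValue, 1)
            }
        }
    }
}

function Watch-Server {
    param([int]$IntervalSeconds = 5, [string]$LogPath = "$env:TEMP\crawl-trap.log")
    Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -Continuous | ForEach-Object {
        Test-Sample $_ | ForEach-Object {
            $line = '{0:s} {1}={2}' -f $_.Time, $_.Counter, $_.Value
            Write-Host $line
            Add-Content -Path $LogPath -Value $line
        }
    }
}

Watch-Server
```

Leave it running across the period when the crawl usually hits; the first timestamp in the log is what you compare against scheduled jobs and the CF logs.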
TBS Scenario 3: Web Service Issues
- Web services rely on domain resolution
  - HOSTS file + DNS
  - Internal
  - External
- Networking
  - Some resources are local
  - Firewalls have a say
- Certificates that work for you may not work for your JVM without some extra steps
- Web services use "stub generation" – they create a "wrapper" class that encapsulates the class definition.
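Added example (not from the deck): PowerShell checks for the three things the slide lists, run from the CF server itself: a HOSTS-file override, DNS resolution and firewall reachability of the service endpoint, and a helper that imports the service's certificate into the JVM's own trust store with keytool, which is the "extra step" a certificate that works in your browser may still need. The ColdFusion JRE path, the default cacerts password "changeit", and Resolve-DnsName/Test-NetConnection being available (Windows 8/2012 or later) are assumptions.

```powershell
function Get-HostsOverride {
    # Any non-comment HOSTS line naming the host wins over DNS, on this box only.
    param([string]$HostName)
    $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match ('\s' + [regex]::Escape($HostName) + '(\s|$)') }
}

function Test-WebServiceEndpoint {
    # Resolution as the server sees it, then a TCP reach test through any firewall.
    param([string]$HostName, [int]$Port = 443)
    $dns = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -in 'A', 'AAAA' } |
        Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Host         = $HostName
        HostsEntry   = ((Get-HostsOverride $HostName) -join '; ')
        DnsAddresses = ($dns -join ', ')
        TcpReachable = (Test-NetConnection -ComputerName $HostName -Port $Port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue)
    }
}

function Import-CertIntoJvmTrustStore {
    # The JVM trusts only what is in its own cacerts, not the Windows store.
    # Use the keytool from the JRE ColdFusion actually runs, then restart CF.
    param(
        [Parameter(Mandatory)][string]$CerPath,          # exported .cer of the service (or its CA)
        [Parameter(Mandatory)][string]$Alias,
        [string]$JreHome   = 'C:\ColdFusion9\runtime\jre',  # assumption: default install path
        [string]$StorePass = 'changeit'                     # assumption: Java default password
    )
    $keytool = Join-Path $JreHome 'bin\keytool.exe'
    $cacerts = Join-Path $JreHome 'lib\security\cacerts'
    & $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CerPath `
        -keystore $cacerts -storepass $StorePass
    & $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias
}

# Usage (host name is a placeholder):
Test-WebServiceEndpoint -HostName 'ws.example.com' -Port 443
# Import-CertIntoJvmTrustStore -CerPath 'C:\temp\ws-example-com.cer' -Alias 'ws-example'
```

If HostsEntry is non-empty, the server is not using the DNS answer at all; if DnsAddresses is empty or TcpReachable is False, the problem is resolution or a firewall, not the web service stub.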
TBS Additional Resources
- www.coldfusionmuse.com – Rundowns of troubleshooting adventures
- www.houseoffusion.com – CF-Talk
- www.cfbloggers.org – the best blog aggregator of CF blogs
- http://www.carehart.org/cf411/ – Charlie Arehart puts a great deal of work into this page.
Q and A
mkruger@cfwebtools.com