Rule Id: General.COMPUTERMANAGER.300
Result: Failed
Rule Title: Accounts are not shared among administrators (FAILED)
Remote Registry service is set to manual (FAILED)
Service "NDAPlus PDF Conversion Service" is not running with administrator privileges (FAILED)
Rule Description
It is a standards violation to have more than one local administrator account on a server. Domain user accounts or security groups should be used to manage administrators. With local accounts it is harder to ensure timely provisioning and deprovisioning.
Ensure that the Remote Registry service is not set to automatic.
Services should run with the least privileges required to run. If the service account is compromised, this limits the damage done.
34 NDA+-PPEProd Srvrs
Services should run with the least privileges required to run. If the service account is compromised, this limits the damage done.
38 NDA+-PPEProd Srvrs
42 NDA+-PPEProd Srvrs
Event viewer Application log has an appropriate maximum log size (FAILED)
The administrator account name is the most popular account to try to compromise. The account name should be changed in order to offer obfuscation against more common exploits and automated attacks.
Event viewer logs must have an appropriate size.
43 NDA+-PPEProd Srvrs
Event viewer Security log has an appropriate maximum log size (FAILED)
Event viewer logs must have an appropriate size.
44 NDA+-PPEProd Srvrs
Event viewer System log has an appropriate maximum log size (FAILED)
Event viewer logs must have an appropriate size.
47 NDA+-PPEProd Srvrs
54 NDA+-PPEProd Srvrs
56 NDA+-PPEProd Srvrs
Administrator and System accounts only have access to the applicationHost.config file (FAILED)
Audit Policy Setting "Account Lockout" does not meet Policy Requirements (FAILED)
Only the Administrator and System accounts should have privileges on metabase.xml (IIS6/7) or applicationHost.config (IIS7). Otherwise it might be possible for a malicious user to tamper with it to conceal their activities.
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Account Lockout events: Success and Failure
57 NDA+-PPEProd Srvrs
Audit Policy Setting "Special Logon" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Special Logon events: Success and Failure
58 NDA+-PPEProd Srvrs
Audit Policy Setting "Other Logon/Logoff Events" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Other Logon/Logoff Events: Success and Failure
59 NDA+-PPEProd Srvrs
Audit Policy Setting "User Account Management" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit User Account Management events: Success and Failure
60 NDA+-PPEProd Srvrs
Audit Policy Setting "Computer Account Management" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Computer Account Management events: Success and Failure
61 NDA+-PPEProd Srvrs
Audit Policy Setting "Security Group Management" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Security Group Management events: Success and Failure
62 NDA+-PPEProd Srvrs
Audit Policy Setting "Distribution Group Management" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Distribution Group Management events: Success and Failure
63 NDA+-PPEProd Srvrs
Audit Policy Setting "Application Group Management" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Application Group Management events: Success and Failure
64 NDA+-PPEProd Srvrs
Audit Policy Setting "Other Account Management Events" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Other Account Management Events: Success and Failure
65 NDA+-PPEProd Srvrs
Audit Policy Setting "Kerberos Service Ticket Operations" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Kerberos Service Ticket Operations events: Success and Failure
66 NDA+-PPEProd Srvrs
Audit Policy Setting "Other Account Logon Events" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Other Account Logon Events: Success and Failure
67 NDA+-PPEProd Srvrs
Audit Policy Setting "Kerberos Authentication Service" does not meet Policy Requirements (FAILED)
Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the settings must be set equal to or greater than those in the Windows Server 2003 Security Guide, which details the following settings for auditing: Audit Kerberos Authentication Service events: Success and Failure
80 NDA+-PPEProd Srvrs
In the configuration file, the setting <configuration><system.web><compilation debug="true"> causes extra information to be included in the binary which is not required for normal execution of the program.
84 NDA+-PPEProd Srvrs
85 NDA+-PPEProd Srvrs
89 NDA+-PPEProd Srvrs
In <forms> element requireSSL attribute is set to true (FAILED)
The requireSSL attribute value set in the configuration file for an ASP.NET application determines whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie. For more information on this attribute please check http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx.
In <forms> element requireSSL attribute is set to true (FAILED)
The requireSSL attribute value set in the configuration file for an ASP.NET application determines whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie. For more information on this attribute please check http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx.
In <machineKey> element validationKey attribute is set to AutoGenerate,IsolateApps (FAILED)
The decryption attribute of machineKey element specifies the key used to validate encrypted data. validationKey is used when enableViewStateMAC is true in order to create a message authentication code (MAC) to ensure that view state has not been tampered with. validationKey is also used to generate out-of-process, application-specific session IDs to ensure that session state variables are isolated between sessions. More information can be found at http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.
90 NDA+-PPEProd Srvrs
The decryption attribute of machineKey element specifies the key used to validate encrypted data. validationKey is used when enableViewStateMAC is true in order to create a message authentication code (MAC) to ensure that view state has not been tampered with. validationKey is also used to generate out-of-process, application-specific session IDs to ensure that session state variables are isolated between sessions. More information can be found at http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.
In <serviceMetadata> element httpGetEnabled attribute is set to false (FAILED)
In <serviceDebug> element includeExceptionDetailInFaults attribute is set to false (FAILED)
The httpGetEnabled attribute of serviceMetadata element allows the binding to be used in HTTPS GET scenarios to be specified by name. More information can be found at http://msdn.microsoft.com/en-us/library/ms731317.aspx.
The includeExceptionDetailInFaults attribute of serviceDebug element specifies whether to include managed exception information in the detail of SOAP faults returned to the client for debugging purposes. More information can be found at http://msdn.microsoft.com/en-us/library/ms788993.aspx.
Standard http ports are being used (FAILED)
Default web site has been removed (FAILED)
The recommendation is to remove the default Web Site on IIS servers. The site SHOULD be removed and a new site created instead.
IIS Log files are not located on the system drive for "Default Web Site" (FAILED)
Logging provides the ability to gain detailed information on the activity of your web server. If disabled or not properly configured, malicious activity may not be traceable / recognized.
Ensure logging is performed to:
1. Non-System Drive
2. Different Drive from the web files
3. NTFS formatted drive.
In addition, review the ACL's on the log file directories ensuring the following: Administrators Full Control, System Full Control, Domain Users RWC.
Logging provides the ability to get detailed information on the activity of your web server. If disabled or not properly configured, malicious activity may not be traceable / recognized.
Write permissions in handler mappings is disabled on "/ESignNotificationListener" for website "Default Web Site" (FAILED)
Failure to lock down IIS settings can result in a compromised web site. Details/Policy: Enabling Script Source Access allows users access to source files. When enabled, if Write is selected, then source can be written to. Script Source Access includes the source code for scripts. This option is not available if neither Read nor Write is selected. When you select Script Source Access, users might be able to view sensitive information, such as a user name and password. They might also be able to change source code that runs on your server, and thereby significantly affect your server's configuration and performance. Enabling Write gives users the ability to write / upload to the directories in this web site. For security reasons you should only enable execution of scripts and not applications directly. For more information on this as a policy requirement, see: http://technet2.microsoft.com/windowsserver/en/library/a08ebd6f-c2cb-468c-85e7-afa48b0943521033.mspx?mfr=true Note that some of these settings no longer directly apply in Win2008.
In IIS 7.5 extended protection for website "Default Web Site" is enabled (FAILED)
Extended Protection for Authentication (EP) is a new set of features in Windows that enhance security by binding your Windows login to the underlying protocols. It was announced and released concurrently with the release of Windows 7. See the following security advisory http://www.microsoft.com/technet/security/advisory/973811.mspx for in-depth technical and background information. Extended Protection is needed to protect against some attacks where a malicious man-in-the-middle relays Windows credentials to another system in order to gain unauthorized access. All these attacks can be initiated by simply luring a user to do any operation that would cause your system to connect to a compromised machine with Windows authentication. This could be as simple as clicking a link, opening a document, and in some cases reading an email in Outlook. This small act could allow a malicious user to relay the authentication credentials to get access to any other system that you have access to. Using Windows 7 and Internet Explorer will help. They are already patched and configured to use Extended Protection for client connections to Web sites and file shares. Unfortunately, servers and previous OS versions are NOT set up for Extended Protection by default. These systems will be required to install
Virtual path "/" for website "Default Web Site" is not on System Drive (FAILED)
Locating the web site on the system drive may lead to potential denial of service attacks in the event that a malicious user can gain control of the web site distribution.
Log files are not located on web application drive for virtual path "/" under website "Default Web Site" (FAILED)
Logging provides the ability to get detailed information on the activity of your web server. If disabled or not properly configured, malicious activity may not be traceable / recognized. Ensure logging is performed to a: 1. Non-System Drive, 2. a different drive from the web files, 3. NTFS formatted drive. In addition, review the ACL's on the log file directories and ensure the following: Administrators Full Control, System Full Control, Domain Users RWC.
Virtual directory "C:\inetpub\wwwroot" for website "Default Web Site" has deny write permission for anonymous internet account (FAILED)
Web site directories need to explicitly verify a deny write ACL for anonymous internet accounts.
Virtual directory "C:\inetpub\wwwroot\ESignNotificationListener" for website "Default Web Site" has deny write permission for anonymous internet account (FAILED)
Web site directories need to explicitly verify a deny write ACL for anonymous internet accounts.
Virtual directory "C:\inetpub\wwwroot" for website "Default Web Site" has deny write permission for IIS_USRS group (FAILED)
Web site directories need to explicitly verify a deny write ACL for anonymous internet accounts.
Virtual directory "C:\inetpub\wwwroot\ESignNotificationListener" for website "Default Web Site" has deny write permission for IIS_USRS group (FAILED)
Web site directories need to explicitly verify a deny write ACL for anonymous internet accounts.
IIS6 Metabase Compatibility feature is not installed (FAILED)
The Metabase Compatibility feature for IIS 7 is typically unnecessary and should be removed unless explicitly required. It allows for backward compatibility for features that have been enhanced, and the metabase.xml file is not directly used by IIS unless this feature is explicitly installed. More information can be found at http://learn.iis.net/page.aspx/125/metabase-compatibility-with-iis-7/
Rule Resolution
Remove all local accounts but the built-in system administrator account from the Administrators group. Use a Domain user account or security groups to manage administrators who must have access to the server.
1. Start | run | compmgmt.msc /s
2. Navigate to the Computer Management / Services and Applications / Services node in the tree.
3. Verify that the Remote Registry Service is set to manual.
Set services to run as a non-administrator Domain account, Local Service, or Network Service account. SQL Server does not need to be running as administrator. Nor should SQL Server be running as Network Service. Oftentimes running SQL Server under Network Service results in additional rights being added, which elevates privileges for other services inappropriately. Occasionally the SQLAgent service may need to run as administrator, but only if the following are true:
1. You create CmdExec or ActiveScript jobs that belong to someone other than a SQL Server administrator.
2. You use the AutoRestart feature.
3. SQL Server is in a clustered configuration.
Otherwise SQL Agent needs to run under a non-admin account. Members of Power Users can, in some conditions, elevate themselves to Administrator. This should not be used. See: http://support.microsoft.com/default.aspx?scid=kb;en-us;825069
Set services to run as a non-administrator Domain account, Local Service, or Network Service account. SQL Server does not need to be running as administrator. Nor should SQL Server be running as Network Service. Oftentimes running SQL Server under Network Service results in additional rights being added, which elevates privileges for other services inappropriately. Occasionally the SQLAgent service may need to run as administrator, but only if the following are true:
1. You create CmdExec or ActiveScript jobs that belong to someone other than a SQL Server administrator.
2. You use the AutoRestart feature.
3. SQL Server is in a clustered configuration.
Otherwise SQL Agent needs to run under a non-admin account. Members of Power Users can, in some conditions, elevate themselves to Administrator. This should not be used. See: http://support.microsoft.com/default.aspx?scid=kb;en-us;825069
Rename the administrator account to something other than 'administrator.'
1. Start | run | compmgmt.msc /s
2. Navigate to the Computer Management / System Tools / Event Viewer / Windows Logs node in the tree.
3. On the Application node, right click and select Properties.
4. Verify the max log size is according to the recommended sizes at http://support.microsoft.com/kb/957662.
5. Set the log to overwrite events as needed.
1. Start | run | compmgmt.msc /s
2. Navigate to the Computer Management / System Tools / Event Viewer / Windows Logs node in the tree.
3. On the Security node, right click and select Properties.
4. Verify the max log size is according to the recommended sizes at http://support.microsoft.com/kb/957662.
5. Set the log to overwrite events as needed.
1. Start | run | compmgmt.msc /s
2. Navigate to the Computer Management / System Tools / Event Viewer / Windows Logs node in the tree.
3. On the System node, right click and select Properties.
4. Verify the max log size is according to the recommended sizes at http://support.microsoft.com/kb/957662.
5. Set the log to overwrite events as needed.
In Windows Explorer, verify that none of the following exists. If any of them is found, delete it.
c:\config.msi
c:\inetpub\mailroot
c:\inetpub\wwwroot\*.*
c:\program files\online services
c:\windows\help\iishelp\iis
c:\windows\system32\inetsrv\iisadmpwd
c:\windows\system32\inetsrv\metaback\*.* - System Admins should do this regularly as a means to back up the important IIS Meta info. However, these backup files should not be kept on the Web Server.
IIS should not be using the system drive, so any inetpub directories are likely artifacts from the default configuration.
Invalid KB; even setting the log higher, it will change it back automatically.
Invalid KB; even setting the log higher, it will change it back automatically.
Invalid KB; even setting the log higher, it will change it back automatically.
IIS6: Lock down the permissions of metabase.xml. IIS7: Lock down the permissions of applicationHost.config. The default (correct) permissions are for System and Administrator. Verify the need for any other permissions defined.
1. Start | run | cmd
2. Run auditpol /get /subcategory:"Account Lockout" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Account Lockout                           Success and Failure
1. Start | run | cmd
2. Run auditpol /get /subcategory:"Special Logon" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Special Logon                             Success and Failure
1. Start | run | cmd
2. Run auditpol /get /subcategory:"Other Logon/Logoff Events" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Other Logon/Logoff Events                 Success and Failure
C:\Windows\system32>auditpol /get /subcategory:"Account Lockout"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Account Lockout                         Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Special Logon"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Special Logon                           Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Other Logon/Logoff Events"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Other Logon/Logoff Events               Success and Failure
1. Start | run | cmd
2. Run auditpol /get /subcategory:"User Account Management" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
User Account Management                   Success and Failure
C:\Windows\system32>auditpol /get /subcategory:"User Account Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  User Account Management                 Success and Failure

1. Start | run | cmd
2. Run auditpol /get /subcategory:"Computer Account Management" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Computer Account Management               Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Security Group Management               Success and Failure

1. Start | run | cmd
2. Run auditpol /get /subcategory:"Security Group Management" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Security Group Management                 Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Security Group Management               Success and Failure
1. Start | run | cmd
2. Run auditpol /get /subcategory:"Distribution Group Management" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Distribution Group Management             Success and Failure
1. Start | run | cmd
2. Run auditpol /get /subcategory:"Application Group Management" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Application Group Management              Success and Failure
C:\Windows\system32>auditpol /get /subcategory:"Distribution Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Distribution Group Management           Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Application Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Application Group Management            Success and Failure

1. Start | run | cmd
2. Run auditpol /get /subcategory:"Other Account Management Events" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Other Account Management Events           Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Other Account Management Events"
System audit policy
Category/Subcategory                      Setting
Account Management
  Other Account Management Events         Success and Failure

1. Start | run | cmd
2. Run auditpol /get /subcategory:"Kerberos Service Ticket Operations" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Kerberos Service Ticket Operations        Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Kerberos Service Ticket Operations"
System audit policy
Category/Subcategory                      Setting
Account Logon
  Kerberos Service Ticket Operations      Success and Failure

1. Start | run | cmd
2. Run auditpol /get /subcategory:"Other Account Logon Events" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Other Account Logon Events                Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Other Account Logon Events"
System audit policy
Category/Subcategory                      Setting
Account Logon
  Other Account Logon Events              Success and Failure

1. Start | run | cmd
2. Run auditpol /get /subcategory:"Kerberos Authentication Service" and verify the settings shown below. Otherwise file a bug.
Policy                                    Should be
Kerberos Authentication Service           Success and Failure

C:\Windows\system32>auditpol /get /subcategory:"Kerberos Authentication Service"
System audit policy
Category/Subcategory                      Setting
Account Logon
  Kerberos Authentication Service         Success and Failure
Set debug attribute to false in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.web><compilation debug="false" /></system.web></configuration>. If debugging is required then suppress this warning using SuppressMessageAttribute: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11002:CompilationDebugEnabledRule")]
Project team to address
Set requireSSL attribute to true in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>. If SSL cannot be used, suppress this warning using SuppressMessageAttribute by placing this in your code: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11003:FormsAuthenticationRequireSSLRule")]
Project team to address
Set requireSSL attribute to true in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.Release.config file. Ex: <configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>. If SSL cannot be used, suppress this warning using SuppressMessageAttribute by placing this in your code: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11003:FormsAuthenticationRequireSSLRule")]
Project team to address
Set validationKey attribute to AutoGenerate,IsolateApps in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>.
Project team to address
Set validationKey attribute to AutoGenerate,IsolateApps in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.Release.config file. Ex: <configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>.
Set httpGetEnabled attribute to false in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>.
Project team to address
Set includeExceptionDetailInFaults attribute to false in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceDebug includeExceptionDetailInFaults="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>.
Where possible, use standard port 80.
The default web site should be stopped/deleted and a new web site created.
Ensure logging is performed to:
1. Non-System Drive
2. Different Drive from the web files
3. NTFS formatted drive.
In addition, review the ACL's on the log file directories ensuring the following: Administrators Full Control, System Full Control, Domain Users RWC.
Ensure adequate information is included in the log. Specifically ensure the following W3C Logging Fields are selected:
o Client IP Address
o User Name
o Method
o URI Stem
o HTTP Status (if available as an option)
o Win32 Status
o User Agent
o Server IP Address
o Server Port
Lock down the settings for the web site / virtual directories on the server to conform with the following:
1. Start | run | %SystemRoot%\system32\inetsrv\iis.msc
2. Navigate to the (local computer) \ Web sites node.
o Script Source Access is unchecked
o Write is unchecked
o Directory Browsing is unchecked
o Log Visits is checked
Execute Permissions = Scripts only
Project team to address
Configuring Channel Binding from the IIS 7.5 Console:
To enable Channel Binding for a TLS/SSL site hosted in Windows 7 or Windows Server 2008 R2:
1. Open the IIS 7.0/7.5 management console.
2. Click on the node where you want to apply channel binding. This may be the entire server, the default web site or any other site you are hosting. The site should have TLS/SSL enabled.
3. Click on the Authentication icon.
4. If Windows Authentication is enabled, select the Windows Authentication entry in the list.
5. Click the Advanced Settings action.
6. In the Extended Protection dropdown, select Accept (partial hardening). If you need to enable strict hardening, select Require. Strict hardening should be used on high-security servers where it is known that all clients have been properly updated with the Extended Protection features enabled.
Configuring Channel Binding from the Command Line:
To perform the same steps from the command line, you can run the following:
Enable partial hardening:
%windir%\system32\inetsrv\appcmd.exe set config "your site name/your app name" /section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:Allow /commit:apphost
Enable full or strict hardening:
%windir%\system32\inetsrv\appcmd.exe set config "your site name/your app name" /section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:Require /commit:apphost
Configuring Channel Binding from the IIS 7.5 Console: To enable Channel Binding for a TLS/SSL site hosted in Windows 7 or Windows Server 2008 R2: 1. Open IIS 7.0/7.5 management console. 2. Click on the node where you want to apply channel binding. This may be the entire server, default web site or any other site you are hosting. The site should have TLS/SSL enabled. 3. Click on the Authentication Icon 4. If Windows Authentication is enabled, select the Windows Authentication entry on the list 5. Click the Advanced Settings action 6. In the Extended Protection dropdown, select Accept (partial hardening). If you need to enable strict hardening, select Require . Strict hardening should be used on high-security servers where it is known that all clients have been properly updated with the Extended Protection features enabled. Configuring Channel Binding from the Command Line: To perform the same steps from the command line, you can run the following: Enable partial hardening: %windir%\system32\inetsrv\appcmd.exe set config your site name/your app name section:system.webServer/security/authentication/windowsAuthentication extendedProtection.tokenChecking:Allow commitpath:apphost Enable full or strict hardening: %windir%\system32\inetsrv\appcmd.exe set config your site name/your app name section:system.webServer/security/authentication/windowsAuthentication extendedProtection.tokenChecking:Require Move Web site files / directories to a non system drive.
Ensure logging is performed to a:
1. Non-system drive,
2. Drive different from the one holding the web files,
3. NTFS-formatted drive.
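The log-field, log-location and Extended Protection rules above are all visible in applicationHost.config, so they can be audited without clicking through the console. The following PowerShell is an added example written for this page, not a script from the audit report or from Microsoft: it parses the live applicationHost.config when it exists (IIS 7.x+ layout assumed) and otherwise a constructed sample containing one compliant and one non-compliant site, then reports each site whose W3C fields are missing, whose logs sit on the system drive, or whose Windows Authentication lacks channel binding (tokenChecking not Allow/Require). The required-field list mirrors the rule text; the logExtFileFlags names (ClientIP, UriStem, Win32Status, ...) are the IIS enum names for those fields.

```powershell
# Added example (not from the audit report): audit applicationHost.config for the
# W3C log fields, log drive and Extended Protection settings named in the rules above.

# Required fields from the rule text, spelled as the logExtFileFlags enum values.
$requiredFields = 'ClientIP','UserName','Method','UriStem','HttpStatus',
                  'Win32Status','UserAgent','ServerIP','ServerPort'

# Constructed sample config: "Default Web Site" is compliant, "LegacyApp" is not.
$sampleXml = @'
<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <logFile logExtFileFlags="Date, Time, ClientIP, Method, UriStem" directory="%SystemDrive%\inetpub\logs\LogFiles" />
      </siteDefaults>
      <site name="Default Web Site" id="1">
        <logFile logExtFileFlags="Date, Time, ClientIP, UserName, Method, UriStem, HttpStatus, Win32Status, UserAgent, ServerIP, ServerPort" directory="D:\inetlogs" />
      </site>
      <site name="LegacyApp" id="2" />
    </sites>
  </system.applicationHost>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true"><extendedProtection tokenChecking="Require" /></windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="LegacyApp">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true"><extendedProtection tokenChecking="None" /></windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-IisAuditFindings {
    param([xml]$Config)
    $findings = @()
    $sitesNode = $Config.configuration.'system.applicationHost'.sites
    $defaultLog = $sitesNode.siteDefaults.logFile          # inherited when a site has no <logFile>
    # Assumption: the system drive is $env:SystemDrive, falling back to C: when unset.
    $sysDrive = if ($env:SystemDrive) { $env:SystemDrive } else { 'C:' }

    foreach ($site in $sitesNode.site) {
        $name = $site.name
        $logFile = if ($site.logFile) { $site.logFile } else { $defaultLog }

        # Rule: required W3C fields selected.
        $flags = @()
        if ($logFile -and $logFile.logExtFileFlags) { $flags = $logFile.logExtFileFlags -split '\s*,\s*' }
        $missing = @($requiredFields | Where-Object { $flags -notcontains $_ })
        if ($missing.Count -gt 0) {
            $findings += [pscustomobject]@{ Site = $name; Check = 'W3C log fields'
                                            Result = "Missing: $($missing -join ', ')" }
        }

        # Rule: logs on a non-system drive.
        $dir = if ($logFile) { $logFile.directory } else { $null }
        if ($dir -and ($dir -like '%SystemDrive%*' -or $dir -like "$sysDrive*")) {
            $findings += [pscustomobject]@{ Site = $name; Check = 'Log location'
                                            Result = "Logs on system drive: $dir" }
        }

        # Rule: channel binding (Extended Protection) for Windows Authentication.
        $loc = $Config.configuration.location | Where-Object { $_.path -eq $name }
        $winAuth = $loc.'system.webServer'.security.authentication.windowsAuthentication
        if ($winAuth -and $winAuth.enabled -eq 'true') {
            $tc = $winAuth.extendedProtection.tokenChecking
            if ($tc -notin @('Allow','Require')) {
                $findings += [pscustomobject]@{ Site = $name; Check = 'Extended Protection'
                                                Result = "tokenChecking is '$tc' (expected Allow or Require)" }
            }
        }
    }
    return $findings
}

$livePath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$config = if ($livePath -and (Test-Path $livePath)) { [xml](Get-Content $livePath -Raw) } else { [xml]$sampleXml }
Get-IisAuditFindings -Config $config | Format-Table -AutoSize
```

Against the constructed sample the script reports three findings, all for LegacyApp: missing log fields (it inherits the sparse siteDefaults), logs under %SystemDrive%, and tokenChecking set to None. A site without its own extendedProtection element reports tokenChecking as empty, which is treated as non-compliant rather than silently passed.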
If any of the following accounts / groups have permissions on the root directory (and corresponding sub-directories) of your website, ensure they carry an explicit Deny for the Write permission on that directory hierarchy:
o IIS_<machine name>
o IIS_IUSRS
o IIS_WPG
This component is not installed by default. IIS 7 uses a new configuration system with new interfaces. The legacy interfaces have limitations and are not ideal for working with distributed configuration files. It is recommended to port legacy scripts and applications over to the new system interfaces. Once ported, uninstall the Metabase compatibility feature. Project team to address
Fixed
Configuration is changed
We have used http because the Microsoft Enterprise eSign Platform recommends this via their eSign onboarding documentation examples.