20 February, 2013

General Procedure of Server Hardening


Below I have listed various resources for Server hardening:

Windows Server 2008 Security Baseline

The Windows Server 2008 Security Baseline is updated for Windows Server 2008 Service Pack 2 (SP2). This updated product baseline provides:
- Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security and compliance recommendations.
- Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security and compliance baselines easier than ever!
- New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with the GRC management solution within System Center.

The Windows Hardening guides have been replaced with the corresponding Security guides.
The security guides for various OS and products are included within the Microsoft Security Compliance Manager http://technet.microsoft.com/en-us/library/cc677002.aspx
You can find each security guide under the “Attachments \Guides” section for each product within the Compliance Manager console.

Other security documents
- Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP

- Microsoft Baseline Security Analyzer (MBSA)

- Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7

- Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows Vista

- Attack Surface Analyzer (beta)

- Microsoft Security Compliance Manager
 
- DoD recommendations on securing various OSs

SQL

Here is a SQL hardening guide for SharePoint environments:

Microsoft SQL Server 2008 R2 Best Practices Analyzer

IIS:

IIS 6.0 Webserver Hardening:

From what I understand IIS 7 does not have a hardening guide yet…
The following forum has really good information on IIS7 lockdown recommendations:

SMS IIS Hardening Checklist.

IIS7 Security PowerPoint released by our EMEA team:

3rd Party considerations:
Due in part to the patching diligence of most organizations, we've seen these attacks shift from exploiting unpatched Microsoft vulnerabilities to targeting outdated 3rd party products.

In particular, Java VM and Adobe products have been heavily targeted:

- Our Malware Protection Center (MPC) details this in the following write-up:
- Recommend upgrading any outdated Java JRE to the latest Sun Java version (Latest Version)
- You can go to the following site to verify the version of Java on your system
- Also recommend installing any Adobe updates from:
  - Adobe X reader (Latest)
  - Adobe Flash Player (Latest)
  - Other Adobe updates
- Also, Secunia has a patch management tool called Secunia Personal Software Inspector (PSI) that will scan and check for vulnerabilities in a variety of 3rd party software.

19 February, 2013

Connect to Outlook Ribbon button disabled /greyed

Connect to Outlook is disabled in SharePoint 2010. Why? Is there any mystery? If so, we need to find out: the root cause, the workarounds and the resolutions.

Problem Description:
- Connect to Outlook is disabled in SharePoint 2010
- The Ribbon button is disabled for the list
- The Connect to Outlook button is grayed out

Check List:
Is this problem list specific or library specific?
Is this problem site specific or farm specific?
Specifically, which list are we trying to connect? Is it a contact list, a custom list or a calendar list? (Very important to find out.)
Permissions?
Features: site features / site collection features?
Is the SharePoint Stssync Handler enabled in your IE?
Is IE 32-bit or 64-bit?
Is Client Integration disabled in the Web Application Settings?
Very important info: Connect to Outlook is available on the following list types only: Calendar, Tasks, Project Tasks, Contacts, Document Library and Discussion Boards.

Resolution:
Multiple resolutions are available, so please select the one that is feasible for your requirements.
Resolution 1: Try to open the same list (the one where the problem is) in SharePoint Designer 2010 and then check the results.
Resolution 2: Enable the client integration feature at the web application level (note: if the problem is farm wide).
Resolution 3: If the problem is occurring because of IE, then enable the sync handler.
How to enable this:
Internet Explorer > Tools > Manage Add-ons > Enable or Disable Add-ons
- In the Show drop-down, select "Add-Ons currently loaded in IE" and look for "SharePoint Stssync Handler".
- If it is not there, click on the Show drop-down, select "Add-Ons that have been used by IE" and look for "SharePoint Stssync Handler".
- Enable it.
- Restart the browser and then check whether the "Connect to Outlook" option is visible.

Product applies to:
1.    Windows 7 client Operating system
2.    Office 2010
3.    IE 7.0 or IE 8.0
4.    SharePoint 2010
5.    SharePoint Foundation 2010

References:

If you have any queries/questions regarding the above mentioned information then please let me know.

I would be more than happy to help you as well as resolve your issues…

Thank you…


Windows could not start the SharePoint Server Search 14 service on Local Computer

Problem Description:
Recently we faced a problem with search: while doing some deployment activities, we needed to pause the running crawl. As soon as I clicked on Pause, it switched into “Pausing” mode and we were waiting to see the idle status.

Farm details:
SQL SERVER2008-R2
WINDOWS 2008-R2
SHAREPOINT 2010- SP1 (Along with latest patches updated)

What was the status when we started facing issue?
In "Manage Services on Server" (Central Administration):
SharePoint Foundation Search was "Stopped"
SharePoint Server Search is "Stopped"

In "Manage Services Application" (Central Administration):
Search Administration Web Service for Search Service Application was "Started"
Search Service Application was "Started"

In Windows Services MMC
SharePoint Foundation Search V4 is "Disabled"
SharePoint Server Search 14 is "Disabled"
SharePoint Server Search 14 is "Automatic" but status is not "Started"

Attempting to start "SharePoint Server Search 14" via the Services MMC results in the error:
Windows could not start the SharePoint Server Search 14 service on Local Computer.
Error 6: The handle is invalid.

Troubleshooting Done:
1.    Restarted the search services – by means of services.msc console
2.    Checked the ‘manage services on server’—by means of Central Administration
3.    Net stop commands as follows:

stsadm -o osearch -action stop

then

stsadm -o osearch -action start

4.    Start-stop PowerShell commands
5.    Checked the windows application as well as SP logs
6.    Restarted the timer services

net stop SPTimerv4

net start SPTimerv4

Resolution:

I have resolved it by using the following command:

Stop-SPServiceInstance -Identity <ServiceGUID>
Note: Where <ServiceGUID> is the GUID of the service. If you do not know the service GUID, you can retrieve a list of all services in the farm together with their GUIDs by using the Get-SPServiceInstance cmdlet.

Product Applies To:
SharePoint Server 2010
SharePoint Foundation 2010

If you have any queries/questions regarding the above mentioned information then please let me know. I would be more than happy to help you as well as resolve your issue…

Thank you.

18 February, 2013

Your client does not support opening this list with windows explorer windows 2008

Error message:
"Your client does not support opening this list with Windows Explorer" when you try to "Open with Explorer" on a SharePoint document library
Troubleshooting:
- Tried to open in Windows XP. Works fine.
- Tried to open in Windows Server 2003, gives error message.
- Tried to open in Windows Server 2008, gives the above error message.
- Removed the ‘s’ from the http protocol.
- Supplied the correct user name and password.
- Started the ‘webclient’ service and installed desktop support experience as a feature in Windows Server 2008. Still doesn’t work.
Resolution:
Add https://*.sharepoint.com to Local intranet site
To configure the Web browser, open the “Internet Options” menu, navigate to the “Security” tab, and add https://*.sharepoint.com to Local intranet site.
Steps featuring article:
Applied to:
- Windows Server 2008
- SharePoint Server 2010

Disabled accounts in AD show up in SharePoint as active profiles

Problem Description:
If the proper filter is not applied in the import connections, it can lead to hundreds of unwanted / disabled profiles in the SSP database. Sometimes, due to IT audits, we want to get rid of those profiles from SharePoint.

Product Applies:
1.    MOSS 2007 (Microsoft Office SharePoint Server 2007)
2.    WSS 3.0 (Windows SharePoint Services 3.0)

Error Message: N/A

What exactly did I do? How exactly did I configure it and come to know about the issue?
1.    In AD, I created lots of users and disabled a few of them.

2.    Configured the SSP to import user profiles by using the default filter
(&(objectCategory=person)(objectClass=user)).

3.    That’s it. The problem started and I found lots of profiles in view user profile.

Resolution:
- First, apply the filter (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) in the import connection so that only active profiles are imported.

- Run a full profile import three times back to back.

- After that you will find the users in view user profile > Profile Missing from import.

- You can manually delete these unwanted profiles or wait until the clean-up job deletes them.
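
To show what the two import filters actually select, here is an added PowerShell example (not part of the original post) that emulates them over constructed sample entries. The function name Test-ProfileImportFilter, the sample accounts and the Naive514 comparison filter are hypothetical and exist only for illustration.

```powershell
# Added example: emulates the post's profile-import LDAP filters offline.
# The entries are constructed sample data, not real accounts.
# userAccountControl (UAC) is a bit field; bit 0x2 is ACCOUNTDISABLE.
$entries = @(
    @{ Name = 'alice';   Category = 'person'; Class = 'user'; UAC = 512   }  # enabled
    @{ Name = 'bob';     Category = 'person'; Class = 'user'; UAC = 514   }  # 512 + 2: disabled
    @{ Name = 'svc-app'; Category = 'person'; Class = 'user'; UAC = 66048 }  # enabled, password never expires
    @{ Name = 'carol';   Category = 'person'; Class = 'user'; UAC = 66050 }  # 66048 + 2: disabled
)

function Test-ProfileImportFilter {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Entry,
        [ValidateSet('Default', 'ActiveOnly', 'Naive514')] [string] $Filter = 'Default'
    )
    $ACCOUNTDISABLE = 0x2

    # Common part of every filter: (&(objectCategory=person)(objectClass=user) ...)
    if ($Entry.Category -ne 'person' -or $Entry.Class -ne 'user') { return $false }

    switch ($Filter) {
        'ActiveOnly' {
            # (!(userAccountControl:1.2.840.113556.1.4.803:=2))
            # The OID selects bitwise-AND matching: the inner clause is true when
            # (userAccountControl AND 2) = 2, whatever other flags are set.
            return (($Entry.UAC -band $ACCOUNTDISABLE) -ne $ACCOUNTDISABLE)
        }
        'Naive514' {
            # (!(userAccountControl=514)): plain equality, shown for contrast only
            return ($Entry.UAC -ne 514)
        }
        default { return $true }  # default filter: no check on the disabled bit
    }
}

# One row per entry: $true means the profile would be imported under that filter.
$entries | ForEach-Object {
    [pscustomobject]@{
        Account    = $_.Name
        UAC        = $_.UAC
        Default    = Test-ProfileImportFilter -Entry $_
        ActiveOnly = Test-ProfileImportFilter -Entry $_ -Filter ActiveOnly
        Naive514   = Test-ProfileImportFilter -Entry $_ -Filter Naive514
    }
} | Format-Table -AutoSize
```

The carol row (66050) is the case to look at: an equality test against 514 would still import that disabled account, while the bitwise rule excludes it.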

If you have any queries/questions regarding the above mentioned information then please let me know, Thank you.