GP Admin Best Practices - CAL Business Solutions-Acumatica ... › ... › connect › 2016 ›...

GP Admin Best Practices: Security, Maintenance & Disaster Recovery

IIS (Internet Information Services)

IIS Security and Best Practices

Securing your IIS installation

Install the appropriate IIS modules

Disable the OPTIONS method

Can reduce the reconnaissance information available to attackers

Enable Dynamic IP Restrictions

• Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses

• Minimize the possibility of brute-force cracking of the passwords of your Web Server

• Installing IP and Domain Restrictions in Windows Server 2012 R2

• Done in Server Manager, Roles and Features.

Setting Dynamic IP restrictions

Enable and configure Request Filtering Rules

Restricts types of HTTP requests

Enable logging

• Logs HTTP requests

• Aids in troubleshooting

• Can be used to monitor performance

Security Configuration Wizard (SCW)

Security Compliance Manager (SCM)

• Microsoft tools for testing IIS security.

• Not in IIS Manager - downloadable.

Security and Best Practice Tips

• Use an AD user or machine account to control access to SQL databases rather than store a SQL login in the web.config.

• Ensure NTFS permissions are locked down.

• During IIS installation, by default, the InetPub folder is created on the system partition. It is recommended to move InetPub to another partition.

• Do not install unneeded services. (FTP, SMTP)

• If possible, install IIS and SQL on separate servers for better security and performance.

Security and Best Practice Tips

• Monitor systems with an application such as System Center Operations Manager (SCOM) or LabTech.

• Ensure antivirus is installed and up to date with latest definitions.

• Updates - The majority of hacks affecting IIS occur on unpatched servers. This demonstrates how important it is to always keep your web server up to date. Ensure that your server is current with the latest updates and security patches. The simple act of performing updates is one of the easiest steps you can take to improve your server’s performance and security.

Please remember to fill out your evaluation form.

Contact CAL:

Call: (860) 485-0910 ext. 3

Email: [email protected]

Online: www.calszone.com

Follow-up forms are available at the back of the room.

Thank you for coming.

Q & A

Disaster Recovery

Protecting your data from the unpredictable

• What is Disaster Recovery?

• Why is Disaster Recovery important?

• What is the difference between backup and Disaster Recovery?

Disaster Recovery Plan

Why is Disaster Recovery important?

Backup versus Disaster Recovery

Disaster Recovery Technologies

Virtualization

Failover Cluster

Archiving

Data Deduplication

Monitoring

Cloud Computing and Technologies

What is “the Cloud”?

Public Cloud

• Pool of shared computing resources, applications and storage offered to customer as a single service

• Allows customer to grow/shrink resources as needed

• Delivered “publicly” – cannot secure with private firewall and access privately

• Often requires on-staff development resource

Public Cloud network

Private Cloud

• Provides dedicated instance of services for exclusive use

• Can be secured and accessed privately

• Housed in private data center

• Support often outsourced to service provider for hosting

Private Cloud (Data Center)

Hybrid Cloud

• Allows for hardware selection and system design

• Allows organizations to leverage capabilities of public cloud platform providers while maintaining security

• Better performance

• More expensive than public or private cloud solutions

• Typically used by financial and healthcare industries

Disaster Recovery and the Cloud

Benefits of Cloud-based DR Solution

• Extends Disaster Recovery Options

• Extends backup options

• Significant cost savings

Back up to and restore from the cloud

• Applications and data remain on-premises

• Data backed up into the cloud

• Data restored onto on-premises hardware when a disaster occurs

• Backup in the cloud becomes a substitute for tape-based off-site backups

Replication to virtual machines in the cloud

• For applications that require aggressive recovery time and recovery point objectives (RPOs)

• Replication to cloud virtual machines can be used to protect both cloud and on-premises production instances

GP Security for SSRS Reporting

• Reporting Roles

• DO

– Create Active Directory groups to mirror the reporting roles

• Group similar report roles together as necessary

• Only create the ones your company will need

• DON’T

– Directly assign users to roles (Management Nightmare!)

– Give users “Power User” roles who don’t need them

• Site/Folder Security

• DO

– Give administrators full permissions on the site

– Give standard users the “Browser” role for running reports

– Use AD groups

– Mirror site and folder security; differences can cause serious confusion

• DON’T

– Give standard users full permission

– Give permission directly to users (Management Nightmare!)

– Give different permission at site and folder levels unless absolutely needed

eConnect and Web Services

• Service Security

– Create a service account in Active Directory to run the services under

– Don’t make service account an administrator or assign the sysadmin role

– Grant access to the GP system and company databases with the following roles:

• db_datareader

• db_datawriter

– Make sure all company and GP system databases are owned by the 'DYNSA' user (EXEC sp_changedbowner 'DYNSA')
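The service-security steps above as T-SQL. This is an added example, not part of the original slides. Assumptions: `CONTOSO\svc-gpws` is a placeholder AD service account, and `DYNAMICS` and `TWO` stand in for the GP system database and one company database.

```sql
-- Assumed names (not from the slides): CONTOSO\svc-gpws, DYNAMICS, TWO.
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-gpws')
    CREATE LOGIN [CONTOSO\svc-gpws] FROM WINDOWS;   -- Windows login, no stored password
GO

-- GP system database: data reader/writer only, owner set to DYNSA.
USE DYNAMICS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-gpws')
    CREATE USER [CONTOSO\svc-gpws] FOR LOGIN [CONTOSO\svc-gpws];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-gpws];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc-gpws];
-- sp_changedbowner raises an error if DYNSA already owns the database,
-- so only call it when the current owner is someone else.
IF ISNULL((SELECT SUSER_SNAME(owner_sid) FROM sys.databases
           WHERE name = DB_NAME()), N'') <> N'DYNSA'
    EXEC sp_changedbowner 'DYNSA';
GO

-- Company database: repeat this batch for every company database.
USE TWO;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-gpws')
    CREATE USER [CONTOSO\svc-gpws] FOR LOGIN [CONTOSO\svc-gpws];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-gpws];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc-gpws];
IF ISNULL((SELECT SUSER_SNAME(owner_sid) FROM sys.databases
           WHERE name = DB_NAME()), N'') <> N'DYNSA'
    EXEC sp_changedbowner 'DYNSA';
GO

-- Verify the rule that the service account is not a sysadmin,
-- and review who owns each database.
SELECT IS_SRVROLEMEMBER('sysadmin', N'CONTOSO\svc-gpws') AS service_account_is_sysadmin;
SELECT name, SUSER_SNAME(owner_sid) AS owner
FROM sys.databases
WHERE name IN (N'DYNAMICS', N'TWO');
```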

• Web Services Internal Security

– Make sure all users that should have access to Web Services are granted access to the DCOM components

– Use one generic administrator account to ensure access in case of disabled AD accounts or AD account issues

– Make note of all ports used during the installation for future reference

• SQL Server Service Accounts

– Remember that SQL has multiple services and may have more than one account

– Configure SQL services to use non-built-in accounts to have greater control over access to system resources

– Make sure to grant read/write access to all locations used by SQL Agent Jobs to the agent’s service account

• SQL Features to be Careful With

– xp_cmdshell

– SQL CLR and Extended Procedures

– Trustworthy Mode

– Ad-Hoc Queries

– OPENROWSET() without linked server

– The SA password
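A read-only audit of the features listed above, using standard SQL Server catalog views. This is an added example, not part of the original slides; it changes nothing on the instance and assumes only that the caller can view server state and logins.

```sql
-- Server-level options behind the slide's list (enabled = 1 means switched on).
-- 'Ad Hoc Distributed Queries' is the option that allows OPENROWSET() and
-- OPENDATASOURCE() against sources that are not defined as linked servers.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'clr enabled', N'Ad Hoc Distributed Queries')
ORDER BY name;

-- Databases with TRUSTWORTHY turned on, and who owns them.
-- msdb ships with TRUSTWORTHY on, so it is left out of the result.
SELECT name, SUSER_SNAME(owner_sid) AS owner
FROM sys.databases
WHERE is_trustworthy_on = 1
  AND name <> N'msdb';

-- The built-in sa login, matched by SID in case it has been renamed:
-- is it disabled, is password policy enforced, when was the password last set?
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE sid = 0x01;

-- Members of sysadmin: every login here can turn the options above back on.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```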

SQL Server Services and Database Security

Management Reporter Services and GP Share

• Management Reporter

– Avoid the use of SA for access to the database

– Use Integrated Security (SSPI) where possible

– Make sure user has the following roles

• Server Roles

– securityadmin

– dbcreator

– Run services on a server other than SQL

– Plan for high volumes of data

• GP Share

– Make sure all GP users have Read/Write access to the GP share

– Consider using a group to avoid updating security when adding/removing users

– Only grant Read/Write access to folders containing check signatures to users that are allowed to print/administer them

– Make sure to take regular backups on off hours to avoid corrupting reports dictionaries

– Regularly inspect the share to make sure old data is not filling up the disk

• Remove unnecessary old database backups

• Remove old log files

• Remove old versions of software

Fin