http://blogs.msdn.com/alikl/archive/tags/Deployment+Inspection/default.aspxTags: Deployment Inspectionen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/alikl/archive/2008/02/28/securing-iis7-windows-server-2008-security-guide.aspxThu, 28 Feb 2008 22:09:42 GMT91d46819-8472-40ad-a661-2c78acb4018c:7936911alikl1http://blogs.msdn.com/alikl/comments/7936911.aspxhttp://blogs.msdn.com/alikl/commentrss.aspx?PostID=7936911http://blogs.msdn.com/alikl/rsscomments.aspx?PostID=7936911<p><a href="http://technet.microsoft.com/en-us/library/cc264463.aspx" target="_blank">Windows Server 2008 Security Guide</a> is out.</p> <p>It covers many crucial aspects but my favorite of course is IIS7 chapter:</p> <blockquote> <h4><a name="_Toc191716753">Chapter 6: Hardening</a><a name="_Idx118"></a> Web Services</h4> <p>This chapter provides prescriptive guidance for hardening<a name="_Idx119"></a> the Web Server role. The chapter discusses how the Web server role installs Microsoft&#174; Internet Information Services<a name="_Idx120"></a> (IIS) 7.0, which has been redesigned into forty modular components that you can choose to install as needed.</p> </blockquote> <p>It points to the following resources:</p> <ul> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/dbaadb7c-433d-4c88-ab7f-1575258131dc1033.mspx" target="_blank">IIS 7.0: Configuring Authentication in IIS 7.0</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/2464e39e-2a21-4c7b-907c-ed8b4b4f3d031033.mspx" target="_blank">IIS 7.0: Configuring IPv4 Address and Domain Name Rules</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/ec81dd52-8ddc-41d3-984f-9f710c21add91033.mspx" target="_blank">IIS 7.0: Configuring URL Authorization Rules in IIS 7.0</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/bf4afb4c-4ce3-40e1-bd4b-d7df6daeb9b61033.mspx" target="_blank">IIS 7.0: Configuring Server Certificates in IIS 7.0</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/8ddc1f85-27fb-439d-a3da-ced11f7dcf031033.mspx" target="_blank">IIS 7.0: Configuring ISAPI and CGI Restrictions in IIS 7.0</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/70c33ea8-4192-4110-be70-a11e11984f1e1033.mspx" target="_blank">IIS 7.0: Configuring Secure Sockets Layer in IIS 7.0</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/7b4d4d2b-780f-47d5-bc6c-514c65754c521033.mspx" target="_blank">IIS 7.0: Configuring Request Filters</a></li> <li><a href="http://technet2.microsoft.com/WindowsServer2008/en/library/b0a91b50-1582-44b5-b61e-7207e6e1c2d11033.mspx" target="_blank">IIS 7.0: Configuring Shared Configuration</a></li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=103904" target="_blank">How to Setup SSL on IIS7</a>. </li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=94165" target="_blank">How to Use Request Filtering</a><a name="_Idx1510"></a>. </li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=86769" target="_blank">Improving Web Application Security: Threats and Countermeasures</a><a name="_Idx1511"></a>. </li> <li><a href="http://technet2.microsoft.com/windowsserver2008/en/library/939d621e-c023-48f8-9503-47f24a6be7211033.mspx?mfr=true" target="_blank">IIS 7.0: Configure Web Server Security</a>. </li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=99832" target="_blank">Server Core Installation Option of Windows Server 2008 Step-By-Step Guide</a>. </li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=3655" target="_blank">Windows Management Instrumentation</a>. </li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=89710" target="_blank">Windows Server 2008 Technical Library</a>. </li> <li><a href="http://go.microsoft.com/fwlink/?LinkId=100617" target="_blank">Understanding IIS7 URL Authorization</a>.</li> </ul><img src="http://blogs.msdn.com/aggbug.aspx?PostID=7936911" width="1" height="1">SecurityDeployment PhaseDeployment InspectionIIS 7Planning Phasehttp://blogs.msdn.com/alikl/archive/2007/03/22/security-code-deployment-review-using-office.aspxThu, 22 Mar 2007 10:30:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:1929247alikl1http://blogs.msdn.com/alikl/comments/1929247.aspxhttp://blogs.msdn.com/alikl/commentrss.aspx?PostID=1929247http://blogs.msdn.com/alikl/rsscomments.aspx?PostID=1929247<P>I am a big fun of small time savers to be more productive.</P> <P><A href="http://blogs.msdn.com/jmeier/default.aspx" mce_href="http://blogs.msdn.com/jmeier/default.aspx">JD</A> has the whole category for <A href="http://blogs.msdn.com/jmeier/archive/tags/Effectiveness/default.aspx" mce_href="http://blogs.msdn.com/jmeier/archive/tags/Effectiveness/default.aspx">Effectiveness</A>&nbsp;tag&nbsp;- worth checking on these gems.</P> <P>So I am looking always how to reuse my practices across disciplines</P> <P>I&nbsp;am trying to combine my security engineering practice with MS Office productivity tool<A href="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D%5B3%5D.png" atomicselection="true" mce_href="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D%5B3%5D.png">s</A></P> <P>This time I will show how I use Excel for <A href="http://msdn2.microsoft.com/en-us/library/ms998401.aspx" mce_href="http://msdn2.microsoft.com/en-us/library/ms998401.aspx">Deployment Inspection</A>.</P> <P><FONT color=#ff0000>NOTE: It is not ultimate holistic approach for deployment inspection rather some productivity trick. For me at least :)</FONT></P> <P>Imagine I have a strong desire to inspect deployment on some IIS server where <A href="http://msdn2.microsoft.com/en-us/library/aa479071.aspx" mce_href="http://msdn2.microsoft.com/en-us/library/aa479071.aspx">Pet Shop Web App</A> is deployed. One thing I'd check if there are only sane files deployed. I will use my friend DIR command</P> <P>/A:-D means no directories please</P> <P>/S means subfolder too please</P> <P>/B means no summaries please</P> <P>thank you</P> <P><IMG height=130 src="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D_thumb%5B1%5D.png" width=845 mce_src="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D_thumb%5B1%5D.png"> </P> <P mce_keep="true">&nbsp;</P> <P>&nbsp;Here is how result looks like, notice source files deployed to production - not the best practices, but we just spotted it - good job!</P> <P><A href="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D%5B13%5D.png" atomicselection="true" mce_href="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D%5B13%5D.png"><IMG height=395 src="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D_thumb%5B7%5D.png" width=507 mce_src="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D_thumb%5B7%5D.png"></A>&nbsp;</P> <P mce_keep="true">&nbsp;</P> <P>I've recently reviewed application with 650 dlls... well notepad is handy but not in this case. So let me open the txt file in Excel 2007 (other version are good too for this task) and define formula in B column like =RIGHT(A1, 3) - now I got extensions. "fig" would stand for .config files I presume. Now you have the power of excel spotting sane and insane files</P> <P mce_keep="true">&nbsp;</P> <P><A href="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D%5B21%5D.png" atomicselection="true" mce_href="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D%5B21%5D.png"><IMG height=444 src="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D_thumb%5B11%5D.png" width=758 mce_src="http://blogs.msdn.com/blogfiles/alikl/WindowsLiveWriter/SecurityCodeReviewUsingOutlook2007_7786/image%7B0%7D_thumb%5B11%5D.png"></A> </P> <P mce_keep="true">&nbsp;</P> <P>More on files that should be deployed to production are here <A class="" href="http://msdn2.microsoft.com/en-us/library/ms998367.aspx#paght000028_binandspecial" mce_href="http://msdn2.microsoft.com/en-us/library/ms998367.aspx#paght000028_binandspecial">Bin and Special Directories</A></P> <P>Enjoy</P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1929247" width="1" height="1">SecurityToolsDeployment PhaseDeployment Inspection