To enable additional IIS logging options
1. On the Start menu, point to Programs, point to Administrator Tools, and then click Internet Information Services Manager.
2. Expand the local computer node.
3. Right-click Web Sites, and then click Properties.
4. On the Web Site tab, under the Active log format box, click Properties.
5. In Logging Properties go to the Advanced tab, and select the check boxes for the following logging options:
Server Name
Time taken
Host
Cookie
Referer
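As an added example (not part of the original guide), the following Python code checks an IIS W3C extended log for the five options selected in step 5, using the standard W3C field names for those options. SAMPLE_LOG and the function names are constructed for illustration.

```python
# Added example: SAMPLE_LOG is constructed, not taken from a real server.
# Maps each logging option named in the procedure to its W3C field name.
REQUIRED_FIELDS = {
    "Server Name": "s-computername",
    "Time taken": "time-taken",
    "Host": "cs-host",
    "Cookie": "cs(Cookie)",
    "Referer": "cs(Referer)",
}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2009-06-01 08:00:01 10.0.0.5 GET /selfupdate/wuident.cab 80 10.0.0.21 200
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-01 09:15:00
#Fields: date time s-computername s-ip cs-method cs-uri-stem s-port c-ip cs(Cookie) cs(Referer) cs-host sc-status time-taken
2009-06-01 09:15:00 WSUS01 10.0.0.5 POST /ClientWebService/client.asmx 80 10.0.0.21 - - wsus01 200 46
2009-06-01 09:15:02 WSUS01 10.0.0.5 GET /Content/AB/file.cab 80 10.0.0.22 - - wsus01 200
"""


def audit_w3c_log(text):
    """Return one summary dict per #Fields: directive found in the log text."""
    sections = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            missing = [opt for opt, name in REQUIRED_FIELDS.items() if name not in fields]
            sections.append({"line": line_no, "fields": fields, "missing": missing,
                             "records": 0, "malformed": 0})
        elif line.strip() and not line.startswith("#") and sections:
            current = sections[-1]
            current["records"] += 1
            # A record whose column count differs from its directive cannot be trusted.
            if len(line.split()) != len(current["fields"]):
                current["malformed"] += 1
    return sections


def current_gaps(text):
    """Options still missing under the most recent directive (the live config)."""
    sections = audit_w3c_log(text)
    return sections[-1]["missing"] if sections else list(REQUIRED_FIELDS)
```

IIS writes a new #Fields: directive when the logging configuration changes, so only the last section of a file reflects the current settings; earlier sections show what was recorded before the change.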
Remove header extensions
By default, IIS enables header extensions for HTTP requests. We recommend removing any header extensions for IIS.
To remove header extensions for HTTP requests
1. On the Start menu, point to Programs, point to Administrator Tools, and then click Internet Information Services Manager.
2. Expand the local computer node.
3. Right-click Web Sites, and then click Properties.
4. On the HTTP Headers tab, select the X-Powered-By: ASP.NET check box, and then click Remove.
SQL Server
The following are security recommendations for SQL Server with WSUS.
SQL registry permissions
Use access control permissions to secure the SQL Server registry keys.
HKLM\SOFTWARE\MICROSOFT\MSSQLSERVER
ISEC setting
Administrators: Full Control
SQL Service Account: Full Control
System: Full Control
Rationale
These settings help ensure limited access to the application’s registry key to authorized administrators or system accounts.
Stored procedures
Remove all stored procedures that are unnecessary and that have the ability to control the database server remotely.
Unnecessary SQL Server 2005 stored procedures
Description
Delete stored procedures by using the following command:
use master
exec sp_dropextendedproc '<stored procedure>'
where <stored procedure> is the name of the stored procedure to be deleted.
Stored procedures
Sp_OACreate
Sp_OADestroy
Sp_OAGetErrorInfo
Sp_OAGetProperty
Sp_OAMethod
Sp_OASetProperty
SP_OAStop
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumvalues
Xp_regread
Xp_regremovemultistring
Xp_regwrite
sp_sdidebug
xp_availablemedia
xp_cmdshell
xp_deletemail
xp_dirtree
xp_dropwebtask
xp_dsninfo
xp_enumdsn
xp_enumerrorlogs
xp_enumgroups
Rationale
Remove all stored procedures that are not necessary for WSUS and could possibly give unauthorized users the ability to perform command-line actions on the database.