Tuesday 17 January 2017

Monday 16 January 2017

 

=========================================================

cleanup_folderstructure.pl

=========================================================

#!/usr/bin/perl -w
# Cleanup_FolderStructure.pl
# This script takes a folder as input, recurses through the folder structure, and deletes any files it finds which are older than X days.
# It will also remove any empty folders which are left behind after the files are deleted.
# You can configure the script to either remove or ignore the first level of subfolders it finds using the $remove_top_level variable. (0=ignore, 1=remove)
# Version 1.2 - moves variables to input values

############ MODULES TO USE ###############
use File::Glob qw(bsd_glob);
use strict;

############ USER VARIABLES ###############


if (scalar @ARGV != 4)
{
    print "USAGE: $0 <Source Folder> <day limit> <Unique Name for Logs> <remove top level>\n";
    exit;
}

my $source_dir = $ARGV[0]; #"E:\\Shields"; # Set the source directory to start the listing from
my $log_path = "D:\\GIST\\LOGS";
my $max_days = $ARGV[1];
my $log_name = $ARGV[2];
my $remove_top_level = $ARGV[3];
my $info = "short";

############ GLOBAL VARS ##################
my $totalmoved = 0;
my $totaldups = 0;
my $totalskipped = 0;
my $totalnomatch = 0;
my ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings, $year);

sub GetTime
{
    ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings) = localtime(time);
    $year = 1900 + $yearOffset;
    $month = $month + 1;
    if ($month < 10) { $month = "0" . "$month"};
    if ($dayOfMonth < 10) { $dayOfMonth = "0" . "$dayOfMonth"};
    if ($minute < 10) { $minute = "0" . "$minute"};
    if ($hour < 10) { $hour = "0" . "$hour"};
}

sub removeEmptyFolders
{
    my $source = $_[0];
    chdir($source) or die("Cannot access folder $source");
    my @directories;
   

    # Update the current Date and time
    GetTime();

    # Construct the log filename
    my $logfile = $log_path . "\\cleanup-$log_name-" . $dayOfMonth . "-" . $month . "-" . $year . ".log";

    my $counter = 0;
    # Pass 1 - list the contents of the folder
    my @all_files = (bsd_glob("*"),bsd_glob(".*"));
    foreach (@all_files)
    {
        # check for the dodgy . and .. in the listed path (i.e. current dir and parent dir), as we don't want to recurse into these.
        # ... it's really not very fun when you start running this program outside of the given source path!
        open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing";
        if (($_ eq '.') || ($_ eq '..'))
        {
                #print "$_ matched . or .. and was discarded\n";
        }
        else   
        {
            # Check if the file is a directory or not. Directories don't get checked for mod time, but they get added to the directories array for
            # recursive processing to find files.
            if (-d $_)
            {
                #print "Adding new dir - $source\\$_\n";
                push @directories, "$source\\$_";
                $counter++;
            }
            else
            {
                # If it's not a dir then it's a file. Find the mod time of the file, and delete that file if it's old.
                my $days_old = -M $_;
                if ((-f $_) && ($days_old > $max_days)) # regular file older than the day limit given on the command line
                {
                    print LOGFILE "Cleanup: Deleting $_ ($days_old days old)\n";
                    #$counter++;
                    unlink ("$_") or print "Cannot delete $_: $!\n";
                }
                else
                {
                    # If it's a file but not older than our limit then add to the counter to say files were found
                    print LOGFILE "Cleanup: Ignoring $_ ($days_old days old)\n";
                    $counter++;
                }
            }
        }
        close LOGFILE;
    }
   
    if ($counter == 0)
    {
            # this means that no subfolders or files were found, so we should be able to delete the folder
            print "==> CLEANUP - Delete $source\n";   
            return 1;
    }
    else
    {
        foreach (@directories) # recursively call itself to process any directories which have been found
        {
            my $return_value = &removeEmptyFolders($_);
            chdir "$source" or die "cannot chdir to $source: $!";
            if ($return_value == 1)
            {
                    # If it returns 1 then delete the folder
                    print "==> CLEANUP - Deleting $_\n";
                    rmdir ("$_") or print "$!\n";
                    open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing";
                    print LOGFILE "==> CLEANUP - Deleting $_\n";
                    close LOGFILE;       
            }
        }
       
        my @second_pass = (bsd_glob("*"),bsd_glob(".*"));
        my $secondcounter = 0;
        foreach (@second_pass)
        {
            if (($_ eq '.') || ($_ eq '..'))
            {
                    #print "$_ matched . or .. and was discarded\n";
            }
            else
            {
                    $secondcounter++;
            }
        }
       
        if ($secondcounter == 0)
        {
                # this means that no subfolders or files were found, so we should be able to delete the folder
                print "==> CLEANUP (Pass 2) - Delete $source\n";
                return 1;
        }
        else
        {
                return 0;
        }
    }
}

############ DRIVER FUNCTION ##############
# Check that the log path exists
if (!-d $log_path)
{
    print "Log Path - $log_path does not exist - please create it to run this script.\n";
    exit;
}

if (!-d $source_dir)
{
    print "Source Dir - $source_dir does not exist - please create it to run this script.\n";
    exit;
}
else
{
    print "Analyzing $source_dir\n";
}
my $waiting = 0;

chdir($source_dir) or die("Cannot access folder $source_dir");
GetTime();

my $logfile = $log_path . "\\cleanup-$log_name-" . $dayOfMonth . "-" . $month . "-" . $year . ".log";
my @directories;
my @all_files = (bsd_glob("*"),bsd_glob(".*"));

foreach (@all_files)
{
    if (($_ eq '.') || ($_ eq '..'))
    {
            #print "$_ matched . or .. and was discarded\n";
    }
    elsif (-d $_)
    {
        # A top level subfolder: log it and queue it for removeEmptyFolders() below.
        # Directories are never checked against the day limit themselves.
        my $current_folder = "$source_dir\\$_";
        GetTime();

        open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing\n";
        print LOGFILE "[$dayOfMonth/$month/$year $hour:$minute] Found $current_folder \n";
        push @directories, $current_folder;
        close LOGFILE;
    }
    else
    {
        # If it's not a dir then it's a file. Find the mod time of the file, and delete that file if it's old.
        my $days_old = -M $_;
        if ((-f $_) && ($days_old > $max_days)) # regular file older than the day limit given on the command line
        {
            open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing\n";
            print LOGFILE "Cleanup: Deleting $_ ($days_old days old)\n";
            close LOGFILE;
            unlink ("$_") or print "Cannot delete $_: $!\n";
        }
        else
        {
            # It's a file but not older than our limit, so leave it alone and just record that it was seen
            open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing\n";
            print LOGFILE "Cleanup: Ignoring $_ ($days_old days old)\n";
            close LOGFILE;
        }
    }
}

chdir ($source_dir) or die("Cannot access folder $source_dir: $!");
if (scalar(@directories) > 0)
{    
    foreach (@directories)
    {
        GetTime();
        open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing";
        print "**** [$dayOfMonth/$month/$year $hour:$minute] Starting to process $_ ****\n";
        print LOGFILE "**** [$dayOfMonth/$month/$year $hour:$minute] Starting to process $_ ****\n";
        close LOGFILE;       
       
        # if the return value here is 1 from the function then usually we delete the folder, but we don't want to remove the top level folders in this case
        my $return_value = &removeEmptyFolders($_);
       
        if ($remove_top_level)
        {
            # Remove the top level folder if it has been requested!
            if ($return_value == 1)
            {
                chdir ($source_dir);
                # If it returns 1 then delete the folder
                print "==> CLEANUP - Deleting $_\n";
                rmdir ("$_") or print "$!\n";
                open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing";
                print LOGFILE "==> CLEANUP - Deleting $_\n";
                close LOGFILE;
            }
            else
            {
                open LOGFILE, ">>$logfile" or die "unable to open logfile $logfile for writing";
                print LOGFILE "==> CLEANUP - Ignoring Top Level Folder: $_\n";
                close LOGFILE;
            }
        }
        print "Completed deletion of files older than $max_days days from $_\n";
    }
}   

=========================================================

cleanup file structure.bat

=========================================================

@echo off
rem Work from the Shields share; each forfiles line walks one subtree (/s) and deletes files older than N days (/d -N)
Q:
cd Q:\ShieldsFiles\Shields

echo [%DATE%] [%TIME%] Start.

rem /m * rather than *.* so that files without an extension are matched as well (forfiles treats *.* as "has an extension")
forfiles.exe /p Q:\ShieldsFiles\Shields\Outgoing /s /m * /d -10 /c "cmd /c del @file"
forfiles.exe /p Q:\ShieldsFiles\Shields\BASH /s /m * /d -21 /c "cmd /c del @file"
forfiles.exe /p Q:\ShieldsFiles\Shields\BASHDupsZip /s /m * /d -21 /c "cmd /c del @file"
forfiles.exe /p Q:\ShieldsFiles\Shields\BASHDups /s /m * /d -21 /c "cmd /c del @file"
forfiles.exe /p Q:\ShieldsFiles\Shields\BASHRescan /s /m * /d -21 /c "cmd /c del @file"
 
echo [%DATE%] [%TIME%] Done.

 

=========================================================

deleteanythingunderthat folder.bat

=========================================================

@echo off
rem Empty the local temp folder: remove every subfolder, delete files older than a day, then sweep up the rest
c:
cd C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FOR /D %%p IN ("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*.*") DO rmdir "%%p" /s /q
forfiles.exe /p C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp /s /m * /d -1 /c "cmd /c del @file"
rem Anything still left is moved into a scratch folder, which is then removed together with it
mkdir c:\temp\new
move C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*.* c:\temp\new
rmdir /s /q c:\temp\new

 

=========================================================

deloldestfile..cmd

=========================================================

@echo off
setlocal
rem Delete the single oldest file matching FileMask in Folder
set Folder=E:\W\Screenshots
set FileMask=*.png
set OldestFile=
rem dir /o:d lists oldest first; the goto leaves the loop after the first name
for /f "delims=" %%a in ('dir /b /o:d "%Folder%\%FileMask%" 2^>NUL') do (
    set OldestFile=%%a
    goto Break
)
:Break
if "%OldestFile%"=="" (
    echo No files found in '%Folder%' matching '%FileMask%'!
) else (
    del "%Folder%\%OldestFile%"
)
endlocal

Friday 13 January 2017

 

Linux Boot Process

The process that happens behind the scenes from the time we press the power button until the Linux login prompt appears is known as the Linux boot process.

The Linux boot process can be divided into multiple stages.

Step 1: Power Supply & SMPS (the BIOS ROM holds two programs: POST and the runtime services)

One of the main components of a computer is the SMPS (Switching Mode Power Supply). The primary objective of this component is to provide exactly the required voltage level to the motherboard and the other computer components.

Computer internals work on DC, but the power supply we have at home and elsewhere is AC. The SMPS converts AC to DC and maintains the required voltage level so that the computer can work flawlessly.

The other main task of the SMPS is to signal that the power supply is good. If the voltage is too high or too low, the computer cannot work in either case. As soon as you supply power to the computer, the SMPS checks the voltage levels it is providing to the motherboard. If the power level is correct, the SMPS sends a POWER GOOD signal to the motherboard timer. On receiving this POWER GOOD signal from the SMPS, the motherboard timer stops sending the reset signal to the CPU, which means the power level is good and the computer can boot.

Step 2: Bootstrapping (the runtime services program is loaded into memory and the POST program is cleared from memory)

Something has to be programmed by default so that the CPU knows where to look for its first instruction. This is an address location in the ROM: FFFF:0000h, the last region of the ROM. It contains only one instruction, a jump to another memory address. This JUMP tells the CPU the location of the BIOS program in the ROM, and that is how the computer finds where the BIOS program is located.

Step 3: The role of the BIOS in the boot process

BIOS stands for Basic Input Output System. The most important job of the BIOS during the boot process is POST. POST stands for Power On Self-Test. It is a series of tests conducted by the BIOS which confirms the proper functioning of the different hardware components attached to the computer.

Once the POST check has completed successfully, the BIOS looks at the CMOS settings to find out what the boot order is.

The boot order is nothing but a user-defined order which tells the BIOS where to look for the operating system. It looks for the boot loader (MBR) on the first boot device as set in the BIOS. If no MBR is found on the first boot device, it keeps searching for an MBR on the subsequent boot devices. Once the boot loader program is detected on a bootable device (HDD), the BIOS loads it into memory and hands control to it.

Step 4: MBR and GRUB

The BIOS is programmed to look at a fixed location on the hard disk to complete its task. This location is called the boot sector. It is nothing but the first sector of your hard disk. This area is also called the MBR (Master Boot Record).

This location contains the program that helps the computer load the operating system. As soon as the BIOS finds a valid MBR, it loads the entire content of the MBR into RAM, and further execution is done by the content of the MBR.

It is located in the first sector of the bootable disk.

• The MBR fits in the 512-byte first sector and has three components:

a) primary boot loader code in the first 446 bytes,

b) partition table in the next 64 bytes,

c) MBR validation check (the boot signature) in the last 2 bytes.

• The MBR contains the information needed to start GRUB (or LILO on old systems).

• So, in simple terms, the MBR loads and executes GRUB (the Grand Unified Boot Loader).

• GRUB stands for Grand Unified Boot Loader.

• If you have multiple kernel images installed on your system, you can choose which one is executed.
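As an added example (not part of the original notes), the following Python reads a 512-byte MBR along the three components listed above: it checks the 2-byte validation signature, decodes the four 16-byte entries of the 64-byte partition table, and runs the sanity checks a defender would apply to a boot sector (more than one active partition, overlapping entries, an all-zero boot code area). The sample sector is constructed in the code; the 0x55AA signature and the 16-byte entry layout are the standard MBR format rather than values from the page.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # a) primary boot loader code
PART_TABLE_OFF = 446         # b) partition table: four 16-byte entries = 64 bytes
ENTRY_LEN = 16
SIGNATURE_OFF = 510          # c) validation check: 0x55 0xAA in the last 2 bytes
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries, boot_code=b"\xeb\xfe"):
    """Construct a test MBR: short boot code, the given partition entries, valid signature.
    entries: up to four (bootable, type_id, lba_start, sector_count) tuples (constructed sample data)."""
    if len(entries) > 4:
        raise ValueError("an MBR partition table holds at most four entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", type_id, b"\0\0\0", lba, count)
        for bootable, type_id, lba, count in entries
    )
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table.ljust(4 * ENTRY_LEN, b"\0") + SIGNATURE


def parse_mbr(sector):
    """Decode the three MBR components; raise ValueError when the signature check fails."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[SIGNATURE_OFF:] != SIGNATURE:
        raise ValueError("bad MBR signature %s (expected 55aa)" % sector[SIGNATURE_OFF:].hex())
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * ENTRY_LEN
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if type_id == 0 and count == 0:
            continue                      # unused slot
        partitions.append({
            "slot": slot, "status": status, "bootable": status == 0x80,
            "type": type_id, "lba_start": lba, "sectors": count,
            "lba_end": lba + count - 1,
        })
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def is_valid_mbr(sector):
    """True when the sector has the right size and signature."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def check_mbr(mbr):
    """Sanity checks on a parsed MBR; returns a list of findings that a healthy disk would not produce."""
    problems = []
    parts = mbr["partitions"]
    if sum(1 for p in parts if p["bootable"]) > 1:
        problems.append("more than one partition is marked active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append("slot %d has invalid status byte 0x%02x" % (p["slot"], p["status"]))
        if p["lba_start"] == 0:
            problems.append("slot %d starts at LBA 0 (overlaps the MBR itself)" % p["slot"])
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] <= a["lba_end"]:
            problems.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    if not any(mbr["boot_code"]):
        problems.append("boot code area is all zeros (no stage 1 loader installed)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a bootable Linux partition (0x83) followed by swap (0x82)
    sample = build_mbr([(True, 0x83, 2048, 1024000), (False, 0x82, 1026048, 4194304)])
    parsed = parse_mbr(sample)
    for p in parsed["partitions"]:
        print("slot %d type 0x%02x lba %d-%d%s" % (p["slot"], p["type"], p["lba_start"], p["lba_end"],
                                                   " (active)" if p["bootable"] else ""))
    print("findings:", check_mbr(parsed) or "none")
```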

There are three stages of GRUB in total.

1. GRUB Stage 1 : contains the boot loader information

2. GRUB Stage 1.5 : identifies the boot loader file system

3. GRUB Stage 2 : reads /boot/grub/grub.conf

• This is the point where you are presented with a TUI (terminal user interface) where you can select your operating system kernel and press Enter to boot it. If you don’t press anything, it loads the default kernel image as specified in the GRUB configuration file.

• GRUB has knowledge of the file system.

• The “/boot/grub/grub.conf” file names the kernel and initrd images.

• So, in simple terms, GRUB loads and executes the kernel and initrd images.

Step 5: Loading the kernel image

• The kernel mounts the root file system as specified in the “grub.conf” file.

• The kernel executes the “/sbin/init” program.

• Since init is the first program executed by the Linux kernel, it has process ID (PID) 1.

• initrd stands for Initial RAM Disk.

• initrd is used by the kernel as a temporary root file system until the kernel is booted and the real root file system is mounted. The initrd image also contains the necessary drivers compiled in, which are required for accessing the hard drive partitions and other hardware.

• So, in simple terms, the kernel mounts the root filesystem and executes the init program with the help of the initrd image.

Step 6. Init

• The “/etc/inittab” file decides the Linux default run level.

• The available run levels are:

0 – halt

1 – single user mode

2 – multiuser, without NFS

3 – full multiuser mode

4 – unused

5 – X11, GUI mode

6 – reboot

• So, in simple terms, init identifies the default run level from “/etc/inittab” and loads all the programs appropriate for that run level.

Step 7. Runlevel programs

• When the Linux system is booting up, you may see various services being started. Those are the run level programs, executed from the run level directory defined by your run level.

• Depending on your default init level setting, the system executes the programs from the particular run level directory.

# cd /etc/rc.d/
# ll
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 init.d
-rwxr-xr-x. 1 root root 2617 Jul 24 08:53 rc
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc0.d
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc1.d
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc2.d
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc3.d
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc4.d
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc5.d
drwxr-xr-x. 2 root root 4096 Oct 8 00:50 rc6.d
-rwxr-xr-x. 1 root root 499 Aug 13 10:55 rc.local
-rwxr-xr-x. 1 root root 19216 Jul 24 08:53 rc.sysinit

• Here you can see the rc.sysinit file. It runs first and sets up the hostname, date, time, ACLs, quotas, SELinux etc., after which the boot moves on to the step below. The folders rc0.d, rc1.d, rc2.d etc. contain run-level-specific programs that are executed depending on the default run level in your inittab configuration file.

• If you look at the files inside these run-level-specific folders, they begin with either S or K. The files are also numbered.

• Files starting with S are executed during the startup process, and files starting with K are killed (stopped) during the shutdown process.

• The number after the S or K is the sequence in which they are executed.

• Once all the programs in your desired run level directory have been started, the rc.local file is run, where a user can put any executable script or command. You then get a login screen to log in to your booted system.

BOOT LEVEL PROBLEMS

1. To change the default run level => # vi /etc/inittab

2. To configure the IP address => # setup, or edit the interface file:

# cd /etc/sysconfig/network-scripts/

# vi ifcfg-eth0

BOOTPROTO=static
IPADDR=192.168.249.2
NETMASK=255.255.255.0
ONBOOT=yes

# service network reload

# chkconfig network on

3. To change the hostname => # vi /etc/sysconfig/network

4. To reinstall GRUB => boot with ‘Linux Rescue’ and follow these commands:

# chroot /mnt/sysimage/

# grub-install /dev/sda

# grub

grub> root (hd0,0)

grub> setup (hd0)

grub> quit

5. To set a GRUB password in encrypted form =>

# grub-md5-crypt

{Then enter the encrypted password in grub.conf after the timeout line, as a line of the form password --md5 <hash>.}

6. To remove a forgotten GRUB password => boot with ‘Linux Rescue’ and follow these commands:

# chroot /mnt/sysimage/

{In /etc/grub.conf, comment out the password line.}

7. To reinstall initrd => boot with ‘Linux Rescue’ and follow these commands:

# mkinitrd /initrd-$(uname -r).img $(uname -r)

# cp initrd-2.6.18-164.el5.img /boot/

# exit

8. To boot into single user mode => edit the kernel line by pressing ‘e’ at boot.

Append a space followed by ‘s’ or ‘1’ to the end of the kernel line.

OR

Instead of ‘s’ or ‘1’, append init=/bin/bash

Then type # mount -o remount,rw /

This remounts the root filesystem read/write in single user mode. Because this gives a root shell to anyone with console access, it is exactly what the GRUB password from item 5 protects against: with a password set, editing the kernel line requires it.

YUM INSTALLATION

# mount /dev/cdrom /mnt

# cd /mnt

# mkdir /yum

# cp -rf /mnt/* /yum

# cd /etc/yum.repos.d/

# vi station.repo

[base]
name=rhel6
baseurl=file:///yum
enabled=1
gpgcheck=0

(gpgcheck=0 turns off package signature verification; since /yum is a copy of the install media, the release key shipped on it can be used instead with gpgcheck=1 and a gpgkey= line pointing at that key file.)

# yum clean all

# yum update

# rpm -qa | grep -i samba

# yum install samba [All these things will run in RHEL 6]

# cd /yum/Server

# ls | grep -i createrepo

# rpm -ivh createrepo-0.4.11-3.el5.noarch.rpm

# createrepo -v /yum [All these things will run in RHEL 5]

Q. Command for installing a package

# rpm -ivh <package name>

Q. Command for uninstalling a package

# rpm -e <package name>

Q. Command to check whether a package has been installed or not

# rpm -qa <package name>

TO CREATE PASSWORD LESS LOGIN

# ssh-keygen -t rsa

# cd /root/.ssh/

# cat id_rsa.pub

Copy the whole public key into the following file on the other server (only id_rsa.pub is copied; the private key id_rsa stays on this host):

/root/.ssh/authorized_keys

# ssh <login name>@<other server>

ISO FILE MOUNTING

Mount the ISO file /root/boot.iso on /disk. This mount should persist across system restarts.

# mkdir /disk

# mount -t iso9660 /root/boot.iso /disk

# vi /etc/fstab

/root/boot.iso /disk iso9660 defaults,loop 0 0

# mount -a

# df -Th

IMPLEMENTING NIC BONDING

Step #1: Create bond0 :

# vi /etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
IPADDR=192.168.0.25
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
NETMASK=255.255.255.0
BOOTPROTO=none
ONBOOT=yes

Step #2: Modify the eth0 config :

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Step #3: Modify the eth1 config :

# vi /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Step #4: # vi /etc/modprobe.conf

alias bond0 bonding
options bond0 mode=4 miimon=100

Step #5: # modprobe bonding

Step #6: # service network restart

Step #7: # cat /proc/net/bonding/bond0

Step #8: # ifconfig -a

Modes of bonding:

-----------------

These modes determine the way in which traffic sent out of the bonded interface is actually distributed over the real interfaces.

Mode 0 (balance-rr, round robin) This mode transmits packets in sequential order. The first frame is transmitted on the first slave and the second frame on the second slave. The third packet is sent on the first, and so on. This provides load balancing and fault tolerance.

Mode 1 (active-backup) This mode places one of the interfaces into a backup state and only makes it active if the link is lost by the active interface. Only one slave in the bond is active at any instant. A different slave becomes active only when the active slave fails. This mode provides fault tolerance.

Mode 2 (balance-xor: load balancing and fault tolerance) This selects the same slave for each destination MAC address and provides load balancing and fault tolerance.

Mode 3 (broadcast) This mode transmits everything on all slave interfaces. This mode is the least used (only for specific purposes) and provides only fault tolerance.

Mode 4 (802.3ad aggregation) This mode is known as Dynamic Link Aggregation mode. If the NICs are 1 Gbit/s each then the aggregate data transfer rate is 2 Gbit/s. It increases the speed of data transfer. This is the mode=4 used in the modprobe.conf above, and it requires a switch that supports 802.3ad (LACP).

Mode 5 (balance-tlb) This is called adaptive transmit load balancing. Outgoing traffic is distributed according to the current load and queue on each slave interface. Incoming traffic is received by the current slave.

Mode 6 (balance-alb) This is adaptive load balancing mode. It includes balance-tlb plus receive load balancing (rlb) for IPv4 traffic. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP replies sent by the server on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, so that different clients use different hardware addresses for the server.

S/W RAID CONFIGURATION IN A RUNNING M/C.

To check the partition list: # fdisk -cul

To create a partition: # fdisk /dev/sdb

Command (m for help): m                       {list the menu}
Command (m for help): n                       {add a new partition}
p                                             {partition type: primary}
Partition number (1-4): 1
Last cylinder, +cylinders or +size{K,M,G} (1-1958, default 1958): +3800M   {partition size}
Command (m for help): t                       {change a partition's system id}
Partition number (1-4): 1
Hex code (type L to list codes): l            {list known partition types}
Hex code (type L to list codes): fd           {Linux raid autodetect}
Command (m for help): p                       {print the partition table}
Command (m for help): w                       {write the table to disk and exit; repeat for /dev/sdb2, /dev/sdb3 and the spare /dev/sdb4}

# reboot

To create a RAID 5 meta disk: # mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/sdb1 /dev/sdb2 /dev/sdb3

To check the meta disk: # mdadm --detail /dev/md0

To format the meta disk: # mkfs.ext4 /dev/md0

Make a directory: # mkdir /raid

# mount /dev/md0 /raid

To fail a disk in the RAID 5: # mdadm /dev/md0 --fail /dev/sdb1

# mdadm --detail /dev/md0

To add a disk to the RAID 5: # mdadm /dev/md0 --add /dev/sdb4

# mdadm --detail /dev/md0

To remove the faulty disk: # mdadm /dev/md0 --remove /dev/sdb1

# mdadm --detail /dev/md0

# mdadm /dev/md0 --add /dev/sdb1

# mdadm --detail /dev/md0

{If there is a spare disk and in the meantime a working disk fails, the spare disk comes into use and takes the place of the failed disk.}

# mdadm /dev/md0 --fail /dev/sdb4

# mdadm --detail /dev/md0

H/W RAID CONFIGURATION IN A SERVER

• Before installing the OS, go to the BIOS of the server. There you can find the storage configuration in the main tab.

• In the Storage Configuration tab you have to set “Configure SATA as RAID”. Then save and exit.

• When the server reboots, press Ctrl + F9 or F8 to enter the RAID setup.

• Now we can see the disks which are in the server. There is an option “Create RAID Volume”.

• Using that option we set the RAID type in RAID Level. Then the hardware RAID is configured.

MONITORING COMMANDS

1. top -> The top program provides a dynamic real-time view of a running system, i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds.

2. vmstat -> The vmstat command reports information about processes, memory, paging, block IO, traps, and CPU activity.

3. w -> The w command displays information about the users currently on the machine, and their processes.

4. uptime -> The uptime command can be used to see how long the server has been running. It shows the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

5. free -> The free command displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.

6. iostat -> The iostat command reports Central Processing Unit (CPU) statistics and input/output statistics for devices, partitions and network filesystems (NFS).

7. ps -> Command to display all running processes:

# ps aux | less

Command to see every process on the system:

# ps -A or # ps -e

Command to see the processes run by user vivek:

# ps -u vivek

Command to display a tree of processes:

# pstree

8. mpstat -> The mpstat command displays activities for each available processor, processor 0 being the first one. Use mpstat -P ALL to display average CPU utilization per processor.

9. netstat -> The netstat command displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

MIGRATION AND DEPLOYMENT OF A SERVER

• To migrate a server from a physical server to a virtual server, first install the OS on the virtual server.

• Then arrange the storage from the storage side. After completing this work the application team installs the application.

• Then we ask for downtime to stop the application on the physical server and copy all the data from the physical server to the virtual server.

• After copying the data we have to change the IP of the virtual server to the one the physical server had. Only then can the users access the data from the server they are using.

• After all this the application team may face problems such as needing to change kernel parameters or to access some more files, so we have to give access to the files they ask for with the chown command.

SEMI KICKSTART INSTALLATION PROCEDURE:

We need to create the kickstart configuration file manually by logging into the server prdrhadm01.net.bms.com, copying any previous ushpwbmsclz???.cfg file (in /data/configs/cfg/) to our server’s name, e.g. ushpwbmsclz095.cfg, and editing it to change the IP ADDRESS= line to the IP address of our server; the kickstart configuration file is then ready.

Now you may begin with the installation:

I had already copied the RHEL4 ISO image to the server USAHZBMSQ001 (location --> E:\Software\boot8.iso) under the name boot8.iso. Just mount that image on the server before starting the installation by opening the “Virtual Media Applet” from the iLO, then browse for the ISO image and press the Connect button, as shown.

After this, restart the server and it will show the boot prompt, where we have to type:

boot: linux ks=http://165.89.184.69/cfg/ushpwbmsclz???.cfg

and press Enter to start the installation.

HP ILO CONFIGURATION:

1. Q. Accessing and configuring the server using HP iLO {Integrated Lights-Out 2} and the VM console.

Ans. If the remote server needs to be powered off or similar, iLO is used to solve that problem. I need to log in to the server with the iLO software and operate from the power management column. There are four switches to operate:

• Momentary press : should do a graceful shutdown.

• Press and hold : will force the server to power off.

• Cold boot : is like removing power and restarting.

• Reset : is like a warm boot.

2. The details of the server are in

ILO2/System Status/Summary/Status Summary/

3. The details of the logs are in

ILO2/System Status/ILO2 Log/

4. The system information is in

ILO2/System Status/System Information/

5. To go to the Remote Console

ILO2/Remote Console/Remote Console/

ISCSI DISK INITIATOR

On the server side, add a hard disk

# yum install scsi-target-utils* -y

# chkconfig tgtd on

# service tgtd start

# vi /etc/tgt/targets.conf

# TGTD example targets file
#
# Example iSCSI target with one LUN.
# This gets read when "service tgtd start" is run.
#
<target iqn.lun1.com.example:tgtd>
    # List of files to export as LUNs
    #backing-store /usr/storage/disk_1.img
    backing-store /dev/sdd
    # Authentication :
    # if no "incominguser" is specified, it is not used
    #incominguser backup secretpass12
    # Access control :
    # defaults to ALL if no "initiator-address" is specified
    initiator-address 192.168.100.
    initiator-address 192.168.100.224 223
</target>

{The initiator-address lines name the IPs that are allowed to attach this disk. With incominguser left commented out there is no CHAP authentication, so this address restriction is the only thing keeping other hosts on the network from mounting the LUN.}

# service tgtd start

# tgt-admin -s

On the client side

# yum install iscsi-initiator-utils* -y

# chkconfig iscsid on

# service iscsid restart

# iscsiadm -m discovery -t st -p 192.168.100.222

192.168.100.222:3260,1 iqn.lun1.com.example:tgtd

# iscsiadm -m node -T iqn.lun1.com.example:tgtd -p 192.168.100.222 -l

# fdisk -l

{If there is any problem finding the disks, restart both the server and the client.}

# fdisk /dev/sda  (create a partition table on the device as required)

# mkfs.ext4 /dev/sda1  (create a file system on the partition)

# mkdir /coldstorage  (create a mount point for the partition)

# vim /etc/fstab  (make the partition mount on every reboot; _netdev delays the mount until the network is up)

UUID=XXXX-XXXX-XXXX /coldstorage ext4 _netdev 0 0

# mount -a

# df -Th

SECURITY & ACCESS MANAGEMENT

1. How you can use the firewall as a security measure.

To flush all rules and stop the iptables service (for example while troubleshooting), and to check its state:

# iptables -F

# chkconfig iptables off

# service iptables save

# service iptables stop

# service iptables status

The built-in chains:

INPUT : used to filter incoming traffic to your server

OUTPUT : used to filter outgoing traffic from your server

FORWARD : inspects packets that are routed through this host from one interface to another. This is used for gateway/router type scenarios.

a. Now, I need to allow ssh login on port 22 from *.example.com (192.168.1.0/24, netmask 255.255.255.0) only.

# iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -d 192.168.0.250 -j ACCEPT

b. My server should not allow ssh login from anywhere else in the world (0.0.0.0/0, a.k.a. 0/0).

# iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d 192.168.0.250 -j REJECT

Rules are matched top to bottom and -A appends, so the ACCEPT for the trusted subnet must be added before the REJECT for everyone else.

To delete a rule from a chain:

# iptables -D INPUT 2 (deletes INPUT chain rule #2)

# iptables -A INPUT -p icmp -s 192.168.0.254 -d 192.168.0.250 -j DROP (to disable ping from that host)

# iptables -A INPUT -p tcp -s *.myl33tgroup.org -d 192.168.0.250 -j DROP

(Note: -s takes an IP address, a network in CIDR form or a resolvable hostname; iptables does not expand a wildcard such as *.myl33tgroup.org, so the last command fails. Block by address or network instead.)
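An added example (not from the original notes) that models how the INPUT chain built by the commands above is evaluated: the first matching rule wins, -A appends, and deleting rule #2 leaves only the chain policy in front of sshd. The rule list is the page's three commands; the packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One INPUT chain rule, limited to the match options used on this page."""
    target: str                   # -j ACCEPT | REJECT | DROP
    proto: Optional[str] = None   # -p tcp | icmp (None = any protocol)
    src: str = "0.0.0.0/0"        # -s address or network
    dst: str = "0.0.0.0/0"        # -d address or network
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, rule number), with None as the number when the chain policy applied."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, None


def delete_rule(chain: List[Rule], number: int) -> List[Rule]:
    """Equivalent of `iptables -D INPUT <number>` (1-based); later rules move up by one."""
    if not 1 <= number <= len(chain):
        raise IndexError("no rule %d in a chain of %d rules" % (number, len(chain)))
    return chain[:number - 1] + chain[number:]


SERVER = "192.168.0.250"
# The INPUT chain as the three commands above build it (-A appends, so order = order typed)
INPUT_CHAIN = [
    Rule("ACCEPT", "tcp", "192.168.1.0/24", SERVER, 22),   # 1: ssh from the example.com subnet
    Rule("REJECT", "tcp", "0.0.0.0/0", SERVER, 22),        # 2: ssh from everyone else
    Rule("DROP", "icmp", "192.168.0.254", SERVER),         # 3: no ping from .254
]

# Constructed sample packets
SSH_FROM_LAN = {"proto": "tcp", "src": "192.168.1.10", "dst": SERVER, "dport": 22}
SSH_FROM_OUTSIDE = {"proto": "tcp", "src": "10.0.0.5", "dst": SERVER, "dport": 22}
PING_FROM_254 = {"proto": "icmp", "src": "192.168.0.254", "dst": SERVER}
PING_FROM_253 = {"proto": "icmp", "src": "192.168.0.253", "dst": SERVER}


def demo() -> dict:
    return {
        "lan ssh": evaluate(INPUT_CHAIN, SSH_FROM_LAN),
        "outside ssh": evaluate(INPUT_CHAIN, SSH_FROM_OUTSIDE),
        "ping .254": evaluate(INPUT_CHAIN, PING_FROM_254),
        "ping .253": evaluate(INPUT_CHAIN, PING_FROM_253),
        # The same two ssh rules appended in the opposite order: the broad REJECT now shadows the ACCEPT
        "reversed lan ssh": evaluate([INPUT_CHAIN[1], INPUT_CHAIN[0]], SSH_FROM_LAN),
        # After `iptables -D INPUT 2` nothing but the chain policy stands between outside hosts and sshd
        "outside ssh after -D 2": evaluate(delete_rule(INPUT_CHAIN, 2), SSH_FROM_OUTSIDE),
    }


if __name__ == "__main__":
    for name, (verdict, number) in demo().items():
        print("%-24s -> %-6s via %s" % (name, verdict, "rule %d" % number if number else "chain policy"))
```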

SELINUX CONFIGURATION

1. To check the SELinux status # sestatus

2. For permissive mode # setenforce 0

3. For enforcing mode # setenforce 1

4. Config file editing # vim /etc/selinux/config (this is what persists across reboots; setenforce only lasts until the next boot)

5. To see the directory context

# ls -Zd

6. To change a file's SELinux security context

# chcon -R -t public_content_rw_t <dir-path>

[root@chittaranjan2 /]# getsebool -a | grep -i samba

[root@chittaranjan2 /]# getsebool -a | wc -l

[root@chittaranjan2 /]# getsebool -a | grep -i samba

[root@chittaranjan2 /]# setsebool -P samba_share_nfs on

[root@chittaranjan2 /]# getsebool -a | grep -i samba

SSH SERVER CONFIGURATION

Configure the SSH server so that only hosts in the example.com domain can log in to your machine, and clients within "remote.test" or "my133t.org" must NOT have SSH access to your system.

Solution: - # chkconfig sshd on

# service sshd restart

# vim /etc/hosts.allow

sshd: .example.com

# vim /etc/hosts.deny

sshd: .remote.test

or

sshd: .my133t.com

(Note: while using the hosts.deny and hosts.allow files, wildcards should not be used.)

CRON CONFIGURATION

Cron is a daemon that executes commands at specified intervals. These commands are called "cron jobs."

Cron is available on Unix, Linux and Mac servers. Windows servers use a Scheduled Task to execute commands.

Cron is the process used to set up or schedule a task to run at a particular time.

[root@chittaranjan-3 ~]# service crond restart

[root@chittaranjan-3 ~]# chkconfig crond on

[root@chittaranjan-3 ~]# crontab -e

5 * * * * echo "hi">/dev/pts/0

[The command or job you want to run.]

* (0-59) is for minutes.

* (0-23) is for hours.

* (0-31) is for the day of the month.

* (0-12) is for the month.

* (0-7) is for the day of the week.


[root@chittaranjan-3 ~]# crontab -l

5 * * * * echo "hi">/dev/pts/0

[root@chittaranjan-3 ~]#

hi

[root@chittaranjan-3 ~]# service crond stop

Q. As root, to list the cron jobs of another user

# crontab -u username -l

Q. To list your own crontab when logged in as that user

# crontab -l

Q. Deny the cron service to user sarsha and allow it for all other users.

# vim /etc/cron.deny

Add "sarsha"

# service crond restart

SENDMAIL CONFIGURATION

Just specify the relay server in the /etc/mail/sendmail.mc file, like below.

DSrelayserver.abc.com

# cat submit.cf | grep -i mailhost

Set DS as mailhost

DSmailhost.bms.com

Q. Linux: configure Sendmail as an SMTP mail client

Step 1: Disable the Sendmail daemon's listening mode

# vi /etc/sysconfig/sendmail

Modify the line:

DAEMON=no

Step 2: Configure mail submission

# vi /etc/mail/submit.cf

Find the line beginning with D{MTAHost} and update it to read as follows:

D{MTAHost}mail.nixcraft.net

POSTFIX CONFIGURATION

Q. Configure Postfix. Set up intranet e-mail for user john. John's mail should be spooled to /var/spool/mail/john.

Your server should accept mail from remote networks.

Solution: - # yum install postfix

Open the main.cf config file and edit the following lines

# vim /etc/postfix/main.cf

myhostname = serverX.example.com (Uncomment a line and edit)

mydomain = example.com (Uncomment a line and edit)

myorigin = $myhostname (Uncomment a line)

myorigin = $mydomain (Uncomment a line)

inet_interfaces = all (Uncomment a line)

#inet_interfaces = localhost (Comment a line)

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain (Uncomment a line)

mynetworks =127.0.0.1/8, 172.24.48.0/24 (Uncomment a line and edit)

relay_domains = $mydestination (Uncomment a line)

relayhost = $mydomain (Uncomment a line)

# chkconfig postfix on

# service postfix restart

Q. Configure a POP3 server. Allow only example.com network and deny all for POP3 server.

Solution: - # yum install dovecot

Open the dovecot.conf file and uncomment the line

# vim /etc/dovecot/dovecot.conf

protocols = imap pop3 lmtp

# chkconfig dovecot on

# service dovecot restart

# vim /etc/hosts.deny

dovecot: ALL EXCEPT .example.com

Q. Configure mail aliases so that user jerry receives the mail addressed to principal.

Solution: - # vim /etc/aliases

principal: jerry

[root@luci /]# yum install nmap -y

[root@luci /]# nmap 192.168.100.11 {This will show all the ports in use}

NTP SERVER

Q. Setup your machine as NTP Client

Ans: - Go to System -> Administration -> Date and Time.

Click on "Synchronize date and time over the network",

click on Add and type the server name or IP address,

click Apply and OK.

# chkconfig ntpd on

# service ntpd restart

DNS SERVER ADMINISTRATION

Q. Configure a caching-only DNS server that forwards requests to the physical host system

Solution: -

# yum install bind

Modify the named configuration file

# vim /etc/named.conf

listen-on port 53 { any; };

allow-query { localhost; 172.24.48.0/24; };

forwarders { 172.24.48.254; };

dnssec-enable no;

# chkconfig named on

# service named restart

Test from the desktopX system (where X is a machine number):

# host serverX.example.com 172.24.48.X

NFS SERVER CONFIGURATION

Q. Export your “/common” directory via NFS to the example.com domain only.

# mkdir /common

# vim /etc/exports

/common *.example.com(ro,sync)

# chcon -R --reference=/var/ftp/pub /common

# exportfs -ra

# chkconfig nfs on

# service nfs restart

# showmount -e x.x.x.x (where x.x.x.x is the IP of the NFS server)

Q. Export the "/share" directory, allow example.com and deny all others. The exported directory must be automatically mounted under "/net/misc/serverX".

Solution: -

# mkdir /share

# vim /etc/exports

/share *.example.com(ro,sync)

# exportfs -ra

# chkconfig nfs on

# service nfs restart

# showmount -e x.x.x.x (where x.x.x.x is the IP of the NFS server)

# vim /etc/auto.master

/net/misc/serverX /etc/auto.misc (where X is your machine number)

# vim /etc/auto.misc

share -ro,sync,intr serverX.example.com:/share

(where serverX is the NFS server)

# service autofs stop

# service autofs start

# chcon -R --reference=/var/ftp/pub /share

(setting the SELinux context)

# cd /net/misc/serverX

# cd share

Q. Name the NFS Daemons.

mountd, Automountd, nfsd, nfslogd, lockd, statd

Q. How do I fix a stale NFS partition?

Find a good base directory mount point and execute the following:

# mount -o remount <directory you selected>

This basically refreshes the NFS mount across all mounted points.

FTP CONFIGURATION

Q. Configure the FTP server. Allow access from example.com and deny all others.

Solution: - # vim /etc/hosts.deny

vsftpd: ALL EXCEPT .example.com
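The access-control logic behind the sshd, dovecot and vsftpd entries on this page (hosts.allow is consulted first, then hosts.deny, and no match in either file grants access), as an added shell simulator that is not part of these notes or of tcp_wrappers itself. The hosts.allow/hosts.deny contents are constructed from the entries above and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original notes: a simulator of the tcp_wrappers
# decision behind the sshd, dovecot and vsftpd entries in these notes.
# Order of evaluation: /etc/hosts.allow first (a match grants access), then
# /etc/hosts.deny (a match denies), and no match in either file grants access.
# Patterns handled here: ALL, a leading-dot domain suffix (.example.com), a
# trailing-dot network prefix (192.168.1.), an exact name, and "list EXCEPT list".

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# Does one pattern match the client?  $1 = pattern, $2 = client host name or IP
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac; return 1 ;;   # domain suffix
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # network prefix
        *)   [ "$1" = "$2" ] ;;                                  # exact match
    esac
}

# Does a comma/space separated list, possibly "A EXCEPT B", match the client?
match_list() {   # $1 = list, $2 = client
    local list="$1" client="$2" before after pat
    case "$list" in
        *" EXCEPT "*)
            before=${list%% EXCEPT *}
            after=${list#* EXCEPT }
            match_list "$before" "$client" && ! match_list "$after" "$client"
            return ;;
    esac
    for pat in $(printf '%s' "$list" | tr ',' ' '); do
        match_pattern "$pat" "$client" && return 0
    done
    return 1
}

# Does any "daemons: clients" line of an access file match?  $1 = file, $2 = service, $3 = client
file_matches() {
    local line daemons clients
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=$(trim "${line%%:*}")
        clients=$(trim "${line#*:}")
        match_list "$daemons" "$2" || continue
        match_list "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# Final decision: prints "allow" or "deny".  $1 = hosts.allow, $2 = hosts.deny, $3 = service, $4 = client
tcpwrap_decide() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

WORK=$(mktemp -d)
# Constructed access files built from the entries in these notes.
printf '%s\n' 'sshd: .example.com' > "$WORK/hosts.allow"
printf '%s\n' 'sshd: .remote.test, .my133t.com' \
              'dovecot: ALL EXCEPT .example.com' \
              'vsftpd: ALL EXCEPT .example.com' > "$WORK/hosts.deny"

for probe in "sshd desktop1.example.com" "sshd box.remote.test" "sshd host.other.org" \
             "dovecot mail.example.com" "dovecot 203.0.113.5"; do
    set -- $probe
    printf '%-8s %-24s %s\n' "$1" "$2" "$(tcpwrap_decide "$WORK/hosts.allow" "$WORK/hosts.deny" "$1" "$2")"
done
```

Note that "sshd host.other.org" is allowed: a hosts.deny line that only names specific domains leaves every other client permitted, which is why the dovecot and vsftpd lines use ALL EXCEPT.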

Q. Set up a drop-box for anonymous upload on "/var/ftp/upload": anonymous users should connect with write/execute (wx) access, and only your domain should be allowed.

Solution: - Open the configuration file and uncomment the lines

# vim /etc/vsftpd/vsftpd.conf

anon_upload_enable=YES

anon_mkdir_write_enable=YES

# mkdir /var/ftp/upload

# chgrp ftp /var/ftp/upload

# chmod 730 /var/ftp/upload

# yum install libsemanage*

# yum install libsemanage-python

# yum install policycoreutils*

# chkconfig vsftpd on

# service vsftpd restart

# semanage fcontext -a -t public_content_rw_t '/var/ftp/upload(/.*)?'

# restorecon -vvFR /var/ftp/upload

# getsebool -a | grep ftp

# setsebool -P allow_ftpd_anon_write=1

# setsebool -P allow_ftpd_full_access=1

# setsebool -P ftp_home_dir=1

LDAP USER CLIENT CONFIGURATION

Q. Set up LDAP on your machine so that all LDAP users can log in without their home directory.

# system-config-authentication

# authconfig-gtk

Set the User Account Database dropdown to LDAP. If it is not already set, set the LDAP Search Base DN to dc=example,dc=com. Set the LDAP Server to "ldap://server.example.com". Check the "Use TLS to encrypt connections" checkbox. Click Download CA Certificate and enter http://server.example.com/pub/EXAMPLE-CA-CERT. Set the Authentication Method dropdown to LDAP. Click Apply and OK.

# getent passwd ldapuser8

Q. Set up LDAP on your machine so that all LDAP users can log in with their home directory.

# yum install authconfig-gtk

# yum groupinstall directory-client

# vim /etc/auto.master

/rhome /etc/auto.misc

# vim /etc/auto.misc

(where X is your machine number)

ldapuserX -rw,fstype=nfs server.example.com:/rhome/server/ldapuserX

# service sssd restart

# chkconfig sssd on

# service autofs reload

# chkconfig autofs on

SAMBA SERVER CONFIGURATION

Install samba package

# yum install samba*

Open the smb.conf file and edit it

# vim /etc/samba/smb.conf

workgroup = RHCEGROUP (edit the line)

hosts allow = 127. 172.24.48. (remove the leading semicolon and edit the line)

[share]

comment = samba server

path = /share

writable = no

browseable = yes

valid users = jerry

# smbpasswd -a jerry

# chkconfig smb on

# service smb restart

# getsebool -a | grep samba

# setsebool -P samba_create_home_dirs=1

# setsebool -P samba_domain_controller=1

# setsebool -P samba_enable_home_dirs=1

# setsebool -P samba_export_all_ro=1

# setsebool -P samba_export_all_rw=1

# setsebool -P use_samba_home_dirs=1

# getsebool -a | grep smb

# setsebool -P allow_smbd_anon_write=1

# smbclient //server.example.com/share -U jerry

Password:

smb: \>

WEB SERVER CONFIGURATION

1. Install the packages required to configure the HTTP server

# yum install httpd wget

2. Configure the HTTP server with the default document root path

# vim /etc/httpd/conf/httpd.conf

<VirtualHost *:80>

ServerAdmin root@serverX.example.com

DocumentRoot /var/www/html

ServerName serverX.example.com

</VirtualHost>

(where X is your machine number)

3. Set up the HTML page from the given path

# cd /var/www/html

# wget http://server.example.com/pub/serverX.html

# mv serverX.html index.html

# chcon -R --reference=/var/www/html index.html

# chkconfig httpd on

# service httpd restart

4. Test the HTTP server

# elinks http://serverX.example.com

(Where X is a machine number)

VIRTUAL WEB SERVER CONFIGURATION

Open the configuration file and uncomment the line "NameVirtualHost *:80" to enable virtual hosting

# vim /etc/httpd/conf/httpd.conf

NameVirtualHost *:80

<VirtualHost *:80>

ServerAdmin root@serverX.example.com

DocumentRoot /var/www/virtual

ServerName wwwX.example.com

</VirtualHost>

(where "wwwX.example.com" is the virtual host name)

# mkdir /var/www/virtual

# cd /var/www/virtual

# wget http://server.example.com/pub/wwwX.html

# mv wwwX.html index.html

# chcon -R --reference=/var/www/html /var/www/virtual

# chkconfig httpd on

# service httpd restart

# elinks http://wwwX.example.com

(Where X is a machine number)

Enable ACLs on the file system to give john write access to "/var/www/virtual"

# vim /etc/fstab

/dev/mapper/GLSvg-GLSroot / ext4 defaults,acl 1 1

(Note: on RHEL 6 the acl mount option needs to be enabled in fstab by default)

# mount -o remount /

# mount

# setfacl -m u:john:rwx /var/www/virtual

SECURE WEB SERVER CONFIGURATION

Open the configuration file, copy and paste its last 7 lines, change lines 1, 2, 3, 4 and 7 and

uncomment the changed lines. (Lines 5 and 6 stay commented.)

# vim /etc/httpd/conf/httpd.conf

<VirtualHost *:80>

ServerAdmin root@serverX.example.com

(where X is your machine number)

DocumentRoot /var/www/localhost

ServerName localhost.localdomain

</VirtualHost>

# mkdir /var/www/localhost

# cd /var/www/localhost

# wget http://server.example.com/pub/local.html

# mv local.html index.html

# chcon -R --reference=/var/www/html /var/www/localhost

# chkconfig httpd on

# service httpd restart

# elinks http://localhost.localdomain

CREATING A CUSTOM SELF-SIGNED CERTIFICATE

1. Install following packages for generating certificate

# yum install crypto-utils mod_ssl

# genkey --days 365 serverX.example.com

Provide the appropriate input as required while generating certificate &

note down the path of newly generated certificate file & certificate key.

2. Open the /etc/httpd/conf.d/ssl.conf file and change the paths of "SSLCertificateFile" and "SSLCertificateKeyFile" as follows

# vim /etc/httpd/conf.d/ssl.conf

# SSLCertificateFile /etc/pki/tls/certs/localhost.crt (old path)

SSLCertificateFile /etc/pki/tls/certs/serverX.example.com.crt

# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key (old path)

SSLCertificateKeyFile /etc/pki/tls/private/serverX.example.com.key

3. Restart the httpd service

LINUX CLUSTER COMMANDS

1. Where are the cluster configuration files stored?

# /etc/cluster/cluster.conf

2. To check the Service information

# clustat -l

Cluster Status for chittucluster @ Tue Feb 4 11:25:12 2014

Member Status: Quorate

Member Name ID Status

------ ---- ---- ------

node1.cluster.com 1 Online, Local, rgmanager

node2.cluster.com 2 Online, rgmanager

Service Information

------- -----------

Service Name : service:nfs_service

Current State : started (112)

Flags : none (0)

Owner : node2.cluster.com

Last Owner : none

Last Transition : Tue Feb 4 10:04:15 2014

Service Name : service:nfsserv10

Current State : started (112)

Flags : none (0)

Owner : node2.cluster.com

Last Owner : none

Last Transition : Tue Feb 4 10:04:15 2014

3. To check the cluster status, refreshed every 3 seconds.

# clustat -i 3

Cluster Status for chittucluster @ Tue Feb 4 11:37:45 2014

Member Status: Quorate

Member Name ID Status

------ ---- ---- ------

node1.cluster.com 1 Online, Local, rgmanager

node2.cluster.com 2 Online, rgmanager

Service Name Owner (Last) State

------- ---- ----- ------ -----

service:nfs_service node2.cluster.com started

service:nfsserv10 node2.cluster.com started

4. To migrate (relocate) a service

# clusvcadm -r nfsserv10 -m node1.cluster.com

5. To enable a service

# clusvcadm -e nfsserv10

6. To disable a service

# clusvcadm -d nfsserv10

7. To update the cluster.conf file

# ccs_tool update /etc/cluster/cluster.conf

Proposed updated config file does not have greater version number.

Current config_version :: 12

Proposed config_version:: 12

Failed to update config file.

8. To update the version of the cluster.conf file

# cman_tool version -r 12

9. Which services are needed to start the cluster?

1. cman, 2. clvmd/gfs, 3. rgmanager

10. Which services are needed to stop the cluster?

1. rgmanager, 2. clvmd/gfs, 3. cman

KERNEL UPDATE

1. Check the kernel version # uname -r

2. Install the kernel update # rpm -ivh <path of the kernel package where it has been stored>

# rpm -ivh /root/Desktop/kernel/kernel-firmware-2.6.32.220…

3. There will be a conflict in the firmware package, so install the firmware forcefully and then install the kernel again.

# rpm -ivh /root/Desktop/kernel/kernel-firmware-2.6.32.220… --force

4. Install the kernel update # rpm -ivh /root/Desktop/kernel/kernel-firmware-2.6.32.220…

5. Now check whether the new kernel's modules are present. # ls /lib/modules/

6. Now check whether the vmlinuz image is present. # ls /boot/vmlinuz*

7. Now reboot the server. # reboot

TO EDIT KERNEL PARAMETERS

1. Configure the kernel's local port range to 35000-61000

# sysctl -a | grep -i range {net.ipv4.ip_local_port_range = 32768 61000}

# vi /etc/sysctl.conf {add this at the end: net.ipv4.ip_local_port_range = 35000 61000}

# sysctl -p {the change takes effect after running this command}

2. Configure the kernel so that the kernstack value is 1.

# vi /etc/grub.conf {at the end of the kernel line add "kernstack=1"}

# reboot

# cat /proc/cmdline

3. Configure or Enable IP forwarding

# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p

LINUX PATCHING PROCESS

1. To register the server # up2date --register or # rhn_register

2. To list channels # up2date --show-channels

# echo "repo list" | yum shell

# rhn-channel -l

3. To list updates # up2date --list or # up2date -l

# yum list updates

4. up2date configuration # up2date --configure

# /etc/sysconfig/rhn/up2date

{This is the file that up2date --configure actually updates}

5. To configure yum to save rollback information,

add the line tsflags=repackage to /etc/yum.conf.

6. To configure command-line rpm to do the same thing,

add the line %_repackage_all_erasures 1 to /etc/rpm/macros

7. Apply patches

Use a console session to do it, not an SSH connection

# up2date -u

OR

#yum update

This can even take hours to finish, let it finish.

8. Actual rollback of patches

If/when you want to roll back to a previous state, perform an rpm update with the --rollback option followed by a date/time specifier.

Some examples:

# rpm -Uhv --rollback '9:00 am'

# rpm -Uhv --rollback '4 hours ago'

# rpm -Uhv --rollback 'december 25'

TO SET ACL PARAMETERS

1. To check the ACLs of a mount point # getfacl <mount point>

2. To set an ACL on a mount point for a user # setfacl -m u:username:rwx <mount point>

3. To set an ACL on a mount point for others # setfacl -m o::rwx <mount point>

4. To remove all ACL entries # setfacl --remove-all <mount point>

5. If necessary, remount the mount point. # mount -o remount <mount point>

FINE TUNING A SERVER.

1. Increase swappiness (the kernel's tendency to swap) to 75. # cat /proc/sys/vm/swappiness

# echo 75 > /proc/sys/vm/swappiness

2. To release the cache memory (page Caches) # sync;echo 1 > /proc/sys/vm/drop_caches

To release the dentries and inode caches # sync;echo 2 > /proc/sys/vm/drop_caches

To release the both page caches and dentries,inode caches # sync;echo 3 > /proc/sys/vm/drop_caches

# /sbin/sysctl vm.drop_caches=3

3. To edit the local port range # sysctl -a | grep -i range

# sudo sysctl -w net.ipv4.ip_local_port_range="32800 61000"

# sysctl -a | grep -i range

# echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

4. Unique list of commands with open files on the root file system. # lsof / | awk '{print $1}' | uniq

5. To get current CPU usage # sar 2 10

To get the CPU usage for previous date, consider 14th # sar -P ALL -f /var/log/sa/sa14

To get the CPU usage for 10th of month, from 7 AM to 3 PM (i.e. with specifying the time)

# sar -P ALL -f /var/log/sa/sa10 -s 07:00:00 -e 15:00:00

6. How to know Database (Oracle) is running in the server? # ps -ef | grep pmon

or

# ps -ef | grep smon

# ps -ef | grep tnslsnr (listener service, lsnr)

7. Command to find the files using the most space in the storage. # du -sch * | grep K (will show the sizes in KB)

# du -sch * | grep M (will show the size in mb)

# du -sch * | grep G (will show the size in gb)

8. To bzip2 the sa* files whose names contain a 0, and those ending in 11 or 12. # bzip2 sa*0*

# bzip2 sa*1{1..2}

9. To remove all the files starting with 2013 # rm -rf 2013-*

List of some Ethernet tools commands

1. Command to detect the status of the Eth0 # ethtool eth0

2. Command to detect the status of the NIC # mii-tool bond0

3. To bring an Ethernet interface down # ifdown eth0

4. To bring an Ethernet interface up # ifup eth0

5. Command to check the driver version of eth0. # ethtool -i eth0

6. To ping an IP only once # ping 192.168.100.111 -c 1

SHELL SCRIPTING

1. Show the average CPU usage from the 12th to the 21st of the month

# for i in {12..21}; do sar -u -f sa$i | grep -i average; done

2. Show the average memory usage from the 12th to the 21st of the month

# for i in {12..21}; do sar -r -f sa$i | grep -i average; done

3. Show the average paging activity from the 12th to the 21st of the month

# for i in {12..21}; do sar -B -f sa$i | grep -i average; done

4. To ping all the IPs between 192.168.100.111 and 192.168.100.150

# for i in {111..150}; do ping 192.168.100.$i -c 2 | grep ttl; done

What system information should be recorded before restarting the server, so that it can be checked and restored after the reboot?

Before reboot

# mount>file1.txt; mount | wc -l >> file1.txt

# df -Th>>file1.txt; df -Th | wc -l >> file1.txt

# ip addr list>>file1.txt; ip addr list | wc -l >> file1.txt

# cat /etc/fstab>>file1.txt; cat /etc/fstab | wc -l >> file1.txt

# netstat -nr>>file1.txt; netstat -nr | wc -l >> file1.txt

# cat /etc/rc.local>>file1.txt; cat /etc/rc.local | wc -l >> file1.txt

After reboot

# mount> file2.txt; mount | wc -l >> file2.txt

# df -Th>> file2.txt; df -Th | wc -l >> file2.txt

# ip addr list>> file2.txt; ip addr list | wc -l >> file2.txt

# cat /etc/fstab>> file2.txt; cat /etc/fstab | wc -l >> file2.txt

# netstat -nr>> file2.txt; netstat -nr | wc -l >> file2.txt

# cat /etc/rc.local>> file2.txt; cat /etc/rc.local | wc -l >> file2.txt

Then compare both the files

# diff file1.txt file2.txt

LUN DETECTION

1. For the WWN number => # cat /sys/class/fc_host/host1/port_name

2. For the HBA status => # cat /sys/class/fc_host/host1/port_state

3. Command to list the manageable HBAs # hbacmd listhbas

4. Command to check the HBA port state # systool -c fc_host -v | grep -i port_state

5. Command to reset the HBA port state # hbacmd Reset <Port WWN>, e.g. # hbacmd Reset 10:00:00:90:fa:74:da:fa

6. Command to scan for a new hard disk without rebooting the system.

# rescan-scsi-bus.sh

7. First, take the output of multipath and device-mapper

# multipath -ll > /tmp/mpath.pri

# ls /dev/mapper > /tmp/devmapper.pri

8. For Adding LUN commands used are:

#echo 1 > /sys/class/fc_host/host0/issue_lip

#echo 1 > /sys/class/fc_host/host1/issue_lip

#echo 1 > /sys/class/fc_host/host2/issue_lip

#echo "- - -" > /sys/class/scsi_host/host0/scan

#echo "- - -" > /sys/class/scsi_host/host1/scan

#echo "- - -" > /sys/class/scsi_host/host2/scan

9. Take the output of multipath and device-mapper again

# multipath -ll > /tmp/mpath.post

# ls /dev/mapper > /tmp/devmapper.post

10. Now compare the pre and post files. Then we can find the new LUN which has been added recently.

# diff /tmp/mpath.pri /tmp/mpath.post

# diff /tmp/devmapper.pri /tmp/devmapper.post
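An added example (not from these notes) that compares the pre- and post-scan multipath captures from steps 7 and 9 by WWID rather than by raw diff, and also lists maps that have faulty paths (the state shown after removal in step 19). The sample captures are constructed in the output format shown in step 18, and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original notes: compare the "multipath -ll"
# captures from steps 7 and 9 by WWID rather than with a raw diff, so that a
# changed path state or a reordered listing is not mistaken for a new LUN.
# The sample captures are constructed in the output format shown in step 18.

# Print "wwid alias" for every multipath map in a capture, sorted by WWID.
mpath_maps() {       # $1 = capture file
    awk '/^[^ \\(]+ \([0-9a-fA-F]+\)/ { w = $2; gsub(/[()]/, "", w); print w, $1 }' "$1" | sort
}

# WWIDs present only in the post-scan capture: the newly added LUNs.
new_luns() {         # $1 = pre capture, $2 = post capture
    comm -13 <(mpath_maps "$1" | cut -d' ' -f1) <(mpath_maps "$2" | cut -d' ' -f1)
}

# WWIDs present only in the pre-scan capture: LUNs that disappeared.
gone_luns() {        # $1 = pre capture, $2 = post capture
    comm -23 <(mpath_maps "$1" | cut -d' ' -f1) <(mpath_maps "$2" | cut -d' ' -f1)
}

# Maps that have at least one path in [faulty] state, which is what a LUN
# unmapped on the array looks like until its stale paths are deleted (step 19).
faulty_maps() {      # $1 = capture file
    awk '/^[^ \\(]+ \(/ { map = $1 }
         /\[faulty\]/ && map != "" { seen[map] = 1 }
         END { for (m in seen) print m }' "$1" | sort
}

WORK=$(mktemp -d)
# Constructed pre-scan capture (mpath6's WWID is the one shown in step 18;
# mpath7's WWID is made up).
cat > "$WORK/mpath.pri" <<'EOF'
mpath6 (360060160ff4b1f009a8649299909e111)
[size=70 GB][features="1 queue_if_no_path"][hwhandler="1 emc"]
\_ round-robin 0 [prio=2][active]
 \_ 0:0:1:3 sdp 8:240 [active][ready]
 \_ 2:0:1:3 sdz 65:144 [active][ready]
mpath7 (360060160ff4b1f009a8649299909e222)
[size=33 GB][features="1 queue_if_no_path"][hwhandler="1 emc"]
\_ round-robin 0 [prio=2][active]
 \_ 0:0:1:4 sdq 65:0 [active][ready]
EOF
# Constructed post-scan capture: listing reordered, mpath8 (made-up WWID) is
# new, and mpath7 has lost its path.
cat > "$WORK/mpath.post" <<'EOF'
mpath7 (360060160ff4b1f009a8649299909e222)
[size=33 GB][features="1 queue_if_no_path"][hwhandler="1 emc"]
\_ round-robin 0 [prio=2][active]
 \_ #:#:#:# - 65:0 [active][faulty]
mpath6 (360060160ff4b1f009a8649299909e111)
[size=70 GB][features="1 queue_if_no_path"][hwhandler="1 emc"]
\_ round-robin 0 [prio=2][active]
 \_ 0:0:1:3 sdp 8:240 [active][ready]
 \_ 2:0:1:3 sdz 65:144 [active][ready]
mpath8 (36000000000000000000000000000c0de)
[size=20 GB][features="1 queue_if_no_path"][hwhandler="1 emc"]
\_ round-robin 0 [prio=2][active]
 \_ 0:0:1:5 sdr 65:16 [active][ready]
EOF

echo "new LUNs:";    new_luns "$WORK/mpath.pri" "$WORK/mpath.post"
echo "gone LUNs:";   gone_luns "$WORK/mpath.pri" "$WORK/mpath.post"
echo "faulty maps:"; faulty_maps "$WORK/mpath.post"
```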

11. If you forgot to take this output beforehand, use the following command. It will flush the scanned disk.

# multipath -f

12. To check which new LUNs have appeared now.

# multipath -v2

13. Detect LUNs with different HBA Card

# lsmod | grep scsi

# lsmod | grep fc

rfcomm 104937 0

l2cap 89409 8 hidp,rfcomm

bluetooth 118725 3 hidp,rfcomm,l2cap

scsi_transport_fc 83145 1 bfa

scsi_mod 199001 10

scsi_dh_emc,bfa,scsi_dh,sr_mod,sg,scsi_transport_fc,usb_storage,libata,cciss,sd_mod

bfa: this is the kernel module for this HBA card

# rmmod bfa

# modprobe bfa

14. Configuring Multipath on the server:

# yum install device-mapper-multipath* {To install the multipath software in the server}

# mpathconf --enable

# service multipathd start {if this does not work, then}

# /etc/init.d/multipathd start

# chkconfig multipathd on

# cd /etc/multipath/

# ls -ltr /dev/mapper (check whether any mpath* or pv* file is available)

# vi /etc/multipath.conf

Comment out the lines below (add #):

devnode_blacklist {

devnode "*"

}

Uncomment the lines below (remove #):

defaults {

user_friendly_names yes

}

# service multipathd restart (now the mpath* or pv* files must be visible)

15. Add the following at the end of the multipath.conf file, so that the new multipath device is seen under a user-friendly alias of our choosing instead of its long WWID name.

# Persistent binding start info

multipaths {

    multipath {

        wwid 360060e8016528a000001528a000011d5

        alias ARCH_EXP-d1

    }

    multipath {

        wwid 360060e8016528a000001528a000011ca

        alias RECO_EXP-d1

    }

}

# Persistent binding ends info

16. Display the current multipath configuration gathered from sysfs and the device mapper.

# multipath -l

17. Display the current multipath configuration gathered from sysfs, the device mapper, and all other available components on the system.

# multipath -ll

Only for multipath environment:

After detection run the below command

# multipath

And then check the files under /dev/mapper

/dev/mapper/pv2 or /dev/mapper/mpath2

18. To check which dm-* an mpath* device belongs to

[root@host0] # cd /dev/mpath/

[root@host0 mpath] # pwd

/dev/mpath

[root@host0 mpath] # ls -ltr

total 0

lrwxrwxrwx 1 root root 8 Nov 10 13:09 mpath6 -> ../dm-23

lrwxrwxrwx 1 root root 8 Nov 10 13:09 mpath7 -> ../dm-24

lrwxrwxrwx 1 root root 8 Nov 10 13:09 mpath8 -> ../dm-25

[root@dloradb10 mpath]# multipath -ll | grep -A6 mpath6

mpath6 (360060160ff4b1f009a8649299909e111)

[size=70 GB][features="1 queue_if_no_path"][hwhandler="1 emc"]

\_ round-robin 0 [prio=2][active]

\_ 0:0:1:3 sdp 8:240 [active][ready]

\_ 2:0:1:3 sdz 65:144 [active][ready]

\_ round-robin 0 [enabled]

\_ 0:0:2:3 sdu 65:64 [active][ready]

19. Remove the named multipath device

# multipath -f <device>

[root@dloradb10 mpath] # multipath -f mpath6

[root@host0 mpath] # echo 1 > /sys/block/sdp/device/delete

[root@host0 mpath] # echo 1 > /sys/block/sdz/device/delete

After removal it will look like:

[root@tlmnora07 mapper]# multipath -ll | grep -A5 mpath3 | more

mpath3 (360060e80058d1c0000008d1c000004bb)

[size=33 GB][features="1 queue_if_no_path"][hwhandler="0"]

\_ round-robin 0 [active]

\_ #:#:#:# - 65:192 [active][faulty]

\_ #:#:#:# - 8:48 [active][faulty]

COMMAND OF HPACUCLI TOOL

hpacucli = HP Array Configuration Utility CLI

1. Command to check the RAID status # hpacucli ctrl all show config

Smart Array P400 in Slot 1 (sn: PAFGK0R9SX80JW)

array A (SAS, Unused Space: 0 MB)

logicaldrive 1 (279.4 GB, RAID 1+0, Interim Recovery Mode)

physicaldrive 2I:1:1 (port 2I:box 1:bay 1, SAS, 300 GB, Failed)

physicaldrive 2I:1:2 (port 2I:box 1:bay 2, SAS, 300 GB, OK)

2. Command to check the RAID status in details # hpacucli ctrl all show config detail

3. Some other commands to check drive status:

# hpacucli ctrl slot=0 pd all show

# hpacucli ctrl slot=0 pd 1I:1:1 show

# hpacucli ctrl slot=0 pd 1I:1:2 show

4. To check the Server Health

Install the package # yum install hp-health.x86_64

# /etc/init.d/hp-health status

# /etc/init.d/hp-health start

Display general information of the server: hpasmcli> SHOW SERVER

Show current temperatures: hpasmcli> SHOW TEMP

Get the status of the server fans: hpasmcli> SHOW FAN

# hpasmcli -s "show fan; show temp"

Show device boot order configuration: hpasmcli> SHOW BOOT

Set USB key as first boot device: hpasmcli> SET BOOT FIRST USBKEY

Show memory modules status: hpasmcli> SHOW DIMM

# hpasmcli -s "show dimm" | egrep "Module|Status"

Generating ADUReport

caede0p004:~# hpacucli

HP Array Configuration Utility CLI 9.20.9.0

Detecting Controllers...Done.

Type "help" for a list of supported commands.

Type "exit" to close the console.

=> ctrl all diag file=/tmp/ADUReport.zip

Generating diagnostic report...done

CFG2HTML report

You can download a CFG2HTML report for more details about the hardware status.

• Download the file cfg2html-linux124HP (attached) into a directory /xxx

• Run cd /xxx

• Run chmod +x cfg2html-linux124HP

• Run the script ./cfg2html-linux124HP

• A file (hostname).tar will be generated under /xxx

• All output is stored together in the file {hostname}.tar (as stated during execution of the script).

LVM COMMANDS

1. To check the partition list: # fdisk -cul

2. To create partition # fdisk /dev/sdb

Command (m for help): m {List the menu}

Command (m for help): n {add a new partition }

p { partition type: primary }

Partition number (1-4): 1

Last cylinder, +cylinders or +size{K,M,G} (1-1958, default 1958): +3800M {partition size}

Command (m for help):t {change a partition's system id}

Partition number (1-4): 1

Hex code (type L to list codes): l {list known partition types}

Hex code (type L to list codes): fd {type of partition}

Command (m for help): p {print the partition table }

3. # reboot

4. To create PV: # pvcreate /dev/sdb2

# pvcreate /dev/sdc

5. To create VG : # vgcreate vghr /dev/sdb2 /dev/sdc

6. To create a VG with 8 MB PE size # vgcreate -s 8 vghr /dev/sdb2 /dev/sdc

7. To create an LV of 200 MB. # lvcreate -L 200M -n lvhcl01 vghr

8. LV of 10% of the total VG: # lvcreate -l 10%VG -n lvhcl02 vghr

9. LV of 10% of the free VG space: # lvcreate -l 10%FREE -n lvhcl03 vghr

10. To format the LV: # mkfs.ext3 /dev/vghr/lvhcl01

Process to mount the file system to a mount point

11. Create a mount point # mkdir /hr

# mount /dev/vghr/lvhcl01 /hr

# mount -t ext3 /dev/vghr/lvhcl01 /hr

# vi /etc/fstab

12. To extend the LV

# df -Th

# lvextend -L +200M /dev/vghr/lvhcl01

# resize2fs /dev/vghr/lvhcl01

Or

# lvextend -L +200M /dev/vghr/lvhcl01 -r

# df -Th

13. To extend the VG # pvcreate /dev/sdd

# vgextend hcl /dev/sdd

14. To reduce the VG & remove the LV # pvmove /dev/sdd

# vgreduce hcl /dev/sdd

15. To remove LV & VG # lvremove /dev/hcl/lvhcl01

# vgremove vgname

16. To remove a PV # pvmove /dev/sdd

# vgreduce hcl /dev/sdd

# pvremove /dev/sdd

17. To reduce and resize LV

# umount /hr

# e2fsck -f /dev/hcl/hr

# resize2fs /dev/hcl/hr 500M

# lvreduce -L 500M /dev/hcl/hr

# mount /hr

Or

# umount /hr

# lvreduce -L -50M /dev/hcl/hr -r

# mount /hr

18. To create SWAP LV # lvcreate -L 100M -n swapvol01 vghr

# mkswap -c /dev/vghr/swapvol01

# vi /etc/fstab

# swapon -s

# swapon -a

19. To remove a swap LV # swapon -s (to list the active swap areas)

# swapoff -a

# lvremove /dev/vghcl/lvswap01

# vi /etc/fstab

20. To check the swap partitions # cat /proc/swaps

21. To check which LVs are mounted on which disk # lvs -a -o +devices

22. To check a certain LV mounted on which disk # lvdisplay -m /dev/vg01/lv01

23. To move a VG from one machine to another

On the 1st machine

# vgchange -a n vgname (to deactivate the VG)

# vgexport vgname

On the 2nd machine

# vgs

# vgimport vgname

# vgchange -a y vgname (to activate the VG)

24. To recover a physical volume # lvs -a -o +devices

# vgchange -a n --partial

# pvcreate --uuid "FmGRh3-zhok-iVI8-7qTD-S5BI-MAEN-NYM5Sk" --restorefile

(UUID is "FmGRh3-zhok-iVI8-7qTD-S5BI-MAEN-NYM5Sk")

# vgcfgrestore -f VG

# lvs -a -o +devices

# lvchange -a y /dev/VG/LV

25. If a mount point shows busy when unmounting, then

# fuser -vm <mount point> {to see who is using it}

# fuser -km <mount point> {to kill the processes using it}

USER & GROUP PERMISSIONS

1. All user information is stored in # cat /etc/passwd

2. All group information is stored in # cat /etc/group

3. User passwords are stored in # cat /etc/shadow

4. To add a user # useradd <username>

5. To remove a user # userdel <username>

6. To change a username # usermod -l <new username> <old username>

7. To change a user's information # usermod -c "Sanjeev Kumar" jhulu

8. To lock a user # usermod -L <username> / # passwd -l <username>

9. To unlock a user # usermod -U <username> / # passwd -u <username>

10. How to add a user with a specific user id? # useradd <user name> -u <user id>

# useradd manalo -u 5433

11. To check a user's expiry date # chage -l username

12. Command to extend the user expiry time. # usermod -e yyyy-mm-dd username

# chage -E yyyy-mm-dd username

(if a user has been locked, in the /etc/shadow file there will be '!!' before the password.)

13. To add a group # groupadd <groupname>

14. To remove a group # groupdel <groupname>

15. To change the group name # groupmod -n <new-group-name> <old-group-name>

16. To view a user's information # id

17. Add a user with a primary and a secondary group and home directory under /opt/home

# useradd <username> -g <primary group> -G <Secondary group> -d </opt/home>

18. To set a password on a group # gpasswd <group name>

19. To remove the password from a group # gpasswd -r <group name>

20. To change the group owner of a directory # chgrp <group owner> <mount point>

21. To change the user and group owner of a mount point # chown user:group <mount point>

22. To change the user and group owner of a mount point with all its contents.

# chown -R user:group <mount point>

23. To change the permissions of the directory # chmod 775 dir1

24. To change the permissions of the directory as well as its contents

# chmod -R 775 dir1

25. To copy all the contents of a folder to a new folder. # cp -rf <path of the folder>/* <newfoldername>/

26. To give a user a passwordless login

In the /etc/passwd file remove the 'x' in the password field and change /bin/bash to /sbin/nologin.

Then it will not ask for the password at login time.

27. To make a user who does not have access to an interactive shell.

# usermod -s /sbin/nologin <username>

28. To check the permission properties that new folders and new files will get.

# umask or #umask -S

New folder permission will be as 755

New file permission will be as 644

29. To clear the history # history -c

30. To run a particular command from the history # !<line number of history>

31. Explain stickybit with an example.

If the sticky bit is enabled on a folder, its contents can be deleted only by the owner who created them and by the root user. No one else can delete other users' data in this folder.

For Ex. /tmp

32. To make a directory stickybit permitted. # chmod 1777 directory name

# chmod o+t directory name

# chmod +t directory name

33. Explain SUID with an example.

When a file with the SUID bit is executed, the process runs with the file owner's user ID (and so with that user's permissions) instead of the caller's. For example /usr/bin/passwd is SUID root so that an ordinary user can update their own entry in /etc/shadow, a file only root can write. Every SUID binary is therefore a privilege boundary and should be audited (# find / -perm -4000 -type f).

34. How to make a file SUID permitted # chmod 4755 <file>

# chmod u+s <file>

(# chmod +s <file> sets both SUID and SGID. There is no o+s: the special bits belong to the user and group classes only.)

35. Explain SGID with an example.

On a directory, the SGID bit makes every file or subdirectory created inside it inherit the directory's group owner instead of the creator's primary group, so a shared project folder stays accessible to the whole group. On an executable file, SGID makes the program run with the file's group ID, as SUID does for the user ID.

36. Command to make a file or directory SGID permitted # chmod 2755 <file or directory> or # chmod g+s <file or directory>

37. Command to give both SGID and sticky bit access to a directory

# chmod 3755 /directory

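Items 28 and 31 to 37 all come down to the same twelve permission bits. The functions below are an added illustration, not part of the original notes: they compute what a given umask leaves on new files and directories, render an octal mode the way ls -l shows it (s/S for SUID and SGID, t/T for the sticky bit, uppercase when the matching execute bit is absent), and list SUID/SGID executables on one filesystem. The function names are this example's own.

```shell
#!/bin/sh
# Added example: umask arithmetic, special-bit decoding and a SUID/SGID audit.

# perms_after_umask <umask> file|dir
# New files start from 666 and new directories from 777; the umask clears bits.
perms_after_umask() {
    mask=$(( 0$1 ))                 # leading 0: the shell parses it as octal
    case "$2" in
        file) base=$(( 0666 )) ;;
        dir)  base=$(( 0777 )) ;;
        *)    echo "usage: perms_after_umask <umask> file|dir" >&2; return 2 ;;
    esac
    printf '%03o\n' $(( base & ~mask ))
}

# rwx_triplet <3-bit value> <special bit 0|1> <letter s|t>
# Prints one owner/group/other triplet; when the special bit is set the
# execute slot shows s/t, or S/T if execute itself is not granted.
rwx_triplet() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else case $3 in s) x=S ;; t) x=T ;; esac; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_string <octal mode> [file|dir]  ->  ls -l style string
# Bit layout: 4000 = SUID (bit 11), 2000 = SGID (bit 10), 1000 = sticky (bit 9),
# then the three rwx groups.
mode_to_string() {
    m=$(( 0$1 ))
    if [ "${2:-file}" = dir ]; then t=d; else t=-; fi
    printf '%s%s%s%s\n' "$t" \
        "$(rwx_triplet $(( (m >> 6) & 7 )) $(( (m >> 11) & 1 )) s)" \
        "$(rwx_triplet $(( (m >> 3) & 7 )) $(( (m >> 10) & 1 )) s)" \
        "$(rwx_triplet $(( m & 7 ))        $(( (m >> 9) & 1 ))  t)"
}

# audit_special_bits <dir>: every SUID or SGID regular file under <dir>, staying
# on one filesystem. Each hit runs with a UID/GID other than the caller's, so
# the list should be short and every entry explainable.
audit_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

perms_after_umask 022 file      # 644
perms_after_umask 022 dir       # 755
mode_to_string 1777 dir         # drwxrwxrwt  (/tmp)
mode_to_string 4755             # -rwsr-xr-x  (/usr/bin/passwd)
mode_to_string 2755             # -rwxr-sr-x
mode_to_string 3755 dir         # drwxr-sr-t
```

Compare the output of audit_special_bits / against a package-manager baseline (rpm -V on RHEL) on a freshly hardened host; any SUID root file that the distribution did not ship is worth an explanation.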
OTHER COMMANDS

1. To check the Linux kernel version # uname -a or # uname -r

2. To check the version of the running Linux. # cat /etc/redhat-release

3. To see the physical configuration of servers. # dmidecode

4. To check the kernel architecture or platform # arch or # uname -m [shows whether the OS is running 64-bit or 32-bit]

5. Command to know the PCI slot details # lspci

6. To pack a folder into a TAR archive # tar cvf foldername.tar foldername/

7. To unpack a TAR archive # tar xvf foldername.tar

8. To pack a folder into a gzip-compressed archive # tar cvzf foldername.tar.gz foldername/

9. To unpack a tar.gz archive # tar xvzf foldername.tar.gz (append foldername/ to extract only that directory from the archive)

10. To compress a file # gzip <file name>

11. To uncompress a gzip file # gunzip <file name> or # gzip -d <file name> (unzip is for .zip archives)

12. To copy a file with the date appended, keeping its mode and timestamps # cp -p /etc/selinux/config /etc/selinux/config.`date +%F`

13. Command to set the date in Linux # date -s "2 OCT 2013 18:00:00"

This needs root, and on a server synchronised with NTP the clock will simply be corrected again; on production systems set the time through NTP rather than by hand.

14. To check the size of a directory # du -sh /directory

15. To see which services are started at boot for a run level (S* links start the service, K* links stop it)

# ls /etc/rc.d/rc3.d

16. To check the startup mode of a service # chkconfig --list <service name>

17. To add a persistent route => put it in /etc/sysconfig/network-scripts/route-<interface> (# ip route add <network> via <gateway> adds it to the running system only; /etc/rc.local is a last resort)

18. To check the routing table => # netstat -nr or # route -n or # ip route

19. File that tells the resolver which DNS servers to use # /etc/resolv.conf

DNS works with FQDNs (Fully Qualified Domain Names).

A forward lookup resolves a host name to an IP address (# dig hostname).

A reverse lookup resolves an IP address to a host name (# dig -x ip-address).

DNS uses port 53: UDP for ordinary queries, TCP for zone transfers and responses too large for UDP.

20. To set the default umask for all users # vi /etc/bashrc (or /etc/profile)

21. To set an alias permanently # vi ~/.bashrc, add the alias line, then # source ~/.bashrc

22. To set alias temporarily # alias lsss='ls -ltr'

23. To check when the server was rebooted # last reboot (or # last | grep boot)

24. To follow the log files # tail -f /var/log/messages

25. Logs of users login? # /var/log/secure

26. Daily CPU, memory and I/O activity data collected by sysstat (read with sar)? # /var/log/sa/

27. Where can we find the mail logs # /var/log/maillog

28. Configuration files of all the systems are stored? # /etc/

29. Runtime kernel and process information (a virtual filesystem, not stored configuration)? # /proc/

30. Command for CPU information Details # cat /proc/cpuinfo

31. Command for Memory Information Details # cat /proc/meminfo

32. Command for swap Information Details # cat /proc/swaps

33. To check whether a port is open # telnet <address> <port number> (or # nc -zv <address> <port number>)

# telnet localhost 53 [to check the DNS port]

34. Command to create a softlink # ln -s <target> <link path>

# ln -s /etc/sysconfig/network-scripts/ /ippath

35. To remove the softlink # unlink <link path> (or rm; never add a trailing slash, which would address the target directory instead of the link)

# unlink /ippath

36. Command to list zombie (defunct) process IDs # ps -eo pid,ppid,stat,comm | awk '$3 ~ /^Z/' (state Z; the D state is uninterruptible sleep, not a zombie)

37. Command to print the 3rd column of /etc/fstab # awk '{print $3}' /etc/fstab

38. To see the list of open file in root filesystem. # lsof /

39. How to find all files of a user and copy them to a particular directory?

# find / -type f -user <username> -exec cp {} /home/findfiles/ \;

40. How to find all directories of a user and copy them to a particular directory?

# find / -type d -user <username> -exec cp -r {} /home/findfiles/ \;

41. To check all the services status at a time # service --status-all

42. Where all the script are located? # /etc/init.d

43. Command to restart a script? # < Path of the script > restart

# /etc/init.d/sendmail restart (this is an example)

44. Command to get the ip of a name server or site # dig www.google.com

45. To create a file of 100 MB # dd if=/dev/zero of=/tmp/chitta bs=2M count=50

46. To truncate the above file to zero bytes # > /tmp/chitta

47. Convert an ext2 filesystem to ext3 (adds a journal) # tune2fs -j /dev/<device>

48. To set the number of mounts after which the filesystem will be checked by e2fsck # tune2fs -c <max-mount-count> /dev/<device>

49. To set the number of times the filesystem has been mounted # tune2fs -C <mount-count> /dev/<device>

50. To set the maximum time between two filesystem checks # tune2fs -i <interval>[d|w|m] /dev/<device>

51. To list the contents of the filesystem superblock # tune2fs -l /dev/<device>

53. Dealing with defunct (zombie) processes: a zombie cannot be killed, it has already exited and only waits for its parent to call wait(). Signal or restart the parent instead: # kill -s CHLD $(ps -o ppid= -p <zombie pid>) and, if the zombie is still there, # kill <parent pid>. (preap is a Solaris command and does not exist on Linux.)

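Items 36 and 53 both deal with zombies, and the usual mistakes are grepping for the wrong state or trying to kill the zombie itself. The script below is an added illustration, not part of the original notes: it parses ps output (a constructed sample is embedded so it runs offline), lists the zombies and their parents, and signals the parents only when explicitly asked to. The function names and the sample process list are this example's own.

```shell
#!/bin/sh
# Added example: find defunct (zombie) processes and deal with their parents.

# list_zombies: reads "PID PPID STAT COMMAND" lines (ps -eo pid,ppid,stat,comm)
# on stdin and prints "pid ppid command" for every process in state Z.
list_zombies() {
    awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# zombie_parents: the distinct parent PIDs of the zombies, one per line.
# These are the processes that still have to call wait().
zombie_parents() {
    list_zombies | awk '!seen[$2]++ { print $2 }'
}

# reap_zombies [dry|live]: for each parent, send SIGCHLD (a parent that
# handles it will reap its children). If that does not help, the remaining
# option is to terminate the parent itself so PID 1 adopts and reaps the zombie.
# The default "dry" mode only prints what would be signalled.
reap_zombies() {
    mode=${1:-dry}
    ps -eo pid,ppid,stat,comm | zombie_parents | while read -r ppid; do
        [ "$ppid" -eq 1 ] && continue    # PID 1 reaps on its own
        if [ "$mode" = live ]; then
            kill -s CHLD "$ppid"
        else
            echo "would send SIGCHLD to parent $ppid"
        fi
    done
}

# Constructed ps output (not from a real host): two zombies under PID 742,
# and a process in D state (uninterruptible sleep) that is NOT a zombie.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   systemd
  742     1 Ss   worker-master
 1203   742 Z    worker <defunct>
 1204   742 Z    worker <defunct>
 1300     1 D    kworker/u8:1
 1401  1203 S    bash'

printf '%s\n' "$SAMPLE_PS" | list_zombies      # 1203 742 worker / 1204 742 worker
printf '%s\n' "$SAMPLE_PS" | zombie_parents    # 742
```

A handful of zombies is harmless; a growing count under one parent means that parent has a bug in its child handling and will eventually exhaust the PID table, which is why the parent, not the zombie, is the thing to fix or restart.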
55. Changing KeyBoard Type # loadkeys us

# system-config-keyboard

{change to US international Keyboard}

56. Sending files to other system

# scp -rp /root/tmp/chitta/auto_home_mngr.sh.INT sh-local-adm-ai@fr0-vsiaas-1825:/tmp

57. Adding and giving access to a user

# visudo (add at the end: username ALL=(ALL) /bin/su, /bin/su - ; being allowed to run su is full root, so there is no point in restricting the command list further)

# vi /etc/security/access.conf (add the user at the end, before any final deny-all line, if pam_access is in use)

# vi /etc/hosts.allow (sshd: ALL, relevant only if sshd is built with TCP wrappers)

# usermod -aG wheel username (safer than editing /etc/group by hand)

58. passwd:Authentication information cannot be recovered

The file /etc/security/opasswd is used to store old passwords for users.

This file should exist if "remember = X" is used with pam_unix in password section of /etc/pam.d/system-auth

or /etc/pam.d/password-auth file.

Create or replace the opasswd file (removing it also discards the stored password history, so the "remember" check starts empty):

# rm -f /etc/security/opasswd

# touch /etc/security/opasswd

# chown root:root /etc/security/opasswd

# chmod 600 /etc/security/opasswd

59. Find the largest files in the filesystem (-xdev stays on one filesystem)

# find / -xdev -type f -size +1000000000c -exec ls -la {} \;

# find . -xdev -size +100M

Sunday 8 January 2017

Most administrators and security officers are well aware of the necessity of system hardening for corporate systems. Hardening is the process of securing a system by reducing its attack surface. By the nature of operation, the more functions a system performs, the larger the attack surface.
System hardening is a step-by-step process of securely configuring a system to protect it against unauthorized access, while taking steps to make the system more reliable. Generally anything that is done in the name of system hardening ensures that the system is both secure and reliable. Since most systems are dedicated to one or two functions, the possible vectors of attack are reduced by removing any software, user accounts or services that are not related to and required by the planned system functions. System hardening is a vendor-specific process, since different system vendors install different elements in the default install process.
System hardening is necessary since "out of the box" some operating systems tend to be designed and installed primarily to be easy to use rather than secure. Most but not all systems can have security measures enabled that will make them suitable for high security and high reliability environments.

Desktop Hardening Checklist –Windows 7
Windows 7 comes with a more tight security model than previous versions of Microsoft’s client operating systems, but there are a couple of things you can do to tighten down the security of your Windows computer even more.
1. First of all, you should make sure that the user account you use for day-to-day work is not a member of the local Administrators group. An administrative account is a risk in itself, because local administrators have permission to change any system setting, and so does any malware that runs as that user.
In Windows 7 the old RunAs command, which could be quite annoying to use in earlier versions of Windows as not all applications supported it, has been integrated more tightly.
Now, whenever you choose to do an administrative Windows task, Windows will prompt you for credentials for an account with administrative permissions, eliminating the need to right-click and choose RunAs. The fewer privileges you have as a user, the less damage you (or a program running as you) can do to the system by mistake, so running most tasks as a standard User improves the overall security of your system.
2. Change your network type to 'Public'.
When setting up a new network connection, for instance to your newly created wireless network, Windows 7 will prompt you to choose a network type for the network connection. You will have options to choose:
a. Home Network
b. Office Network
c. Public Network
Home network is more 'open' than Office network, as Windows treats all computers on the network as trusted and the network type allows sharing of personal folders and files with all other computers on the network. Windows will create a HomeGroup for all computers on the network and will enable Network Discovery and File and Printer Sharing on the computer. Office network is a little more strict, while the Public network type is the most strict: it disables Network Discovery, which hides your computer on the network, and File and Printer Sharing is disabled by default. If you want a more secure computer and do not need to share your files or join a HomeGroup, simply choose the Public network type. Go to Control Panel\Network and Internet\Network and Sharing Center and change the network type to 'Public'.
 3. Enable Windows Updates.
Windows Updates are enabled per default. Make sure the ‘Recommended settings’ are chosen or set it to download and notify for install.
Keeping up with the latest updates can significantly help protect you Windows installation.
4. Enable Windows Firewall and make sure all inbound connections are blocked.
The firewall is enabled by default. If you do not need to share anything with other people and computers, you can safely block all inbound connections to make sure no one can reach anything on your computer from the network. It is possible to filter outgoing traffic in the Windows firewall as well; if you are serious about protecting your personal files, filtering outgoing traffic and application access is a good idea too.
5. Data Execution Prevention (DEP)
Data Execution Prevention (DEP) is a security feature that helps prevent damage from viruses and other security threats. Harmful programs try to attack Windows by running (executing) code from memory regions that hold data rather than program code, for instance a buffer they have overflowed. DEP marks those regions non-executable so that such code cannot run; when DEP stops a program, it closes the program and notifies you. Go to System > Advanced system settings > Performance > Settings > Data Execution Prevention and select 'Turn on DEP for all programs and services except those I select'.
6. Disable Remote Assistance and Remote Desktop connections
If you do not want people to connect to your Windows 7 box remotely and play around with it, turn the option off. Go to Control Panel\System and Security\System\Advanced System Settings\Remote, uncheck 'Allow Remote Assistance connections to this computer' and select 'Don't allow connections to this computer'.
7. Change User Account Control Settings to highest level
You might get prompted a bit more, but the overall security is raised a bit as you will get prompts for more common administrative system tasks, enabling you to take a stand on whether you will actually allow the specific task to run. Go to Control Panel\User Accounts and Family Safety\User Accounts\ Change User Account Control Settings = Set to highest level
8. Disable sharing and the NetBios protocol
If you are pretty sure you will not need to share your files over the network, you can go further and completely remove the option to share files.
Disable Netbios over tcp/ip on the network adapters on the computer. Remove check mark on Network and sharing, so that the machine is not using the 'File And Printer Sharing For Microsoft Networks' protocol. Go to Control Panel\Network and Internet\Network Connections
Right click the adapter of your choice (if you have more than one) and choose Properties.
Double click the ‘Internet protocol version 4 (TCP/IPv4)’. Navigate to ‘Advanced’ and choose ‘Wins’.
Check ‘Disable NetBios over TCP/IP’. This will block connections to some of the most insecure ports on a Windows operating system – or some of the most exploited.
9. Disable unnecessary services
You can stop here, but if you know exactly what your computer will be used for, you can go further and disable some of the many services Windows 7 runs that you probably won't need.
Examples of those services are:
a. TCP/IP Netbios helper
b. Server Service
c. Computer Browser
d. Remote Registry
e. HomeGroup Listener (if you are not intending to use the HomeGroup features)
f. HomeGroup Provider (if you are not intending to use the HomeGroup features)
There might be many more, but I have chosen some of the services used for sharing files; if you do not want your Windows computer to be every man's property, you can safely disable these services to secure your box even more.

Desktop Hardening Checklist –Windows
Desktop computer security is very important to ITS. To better protect our systems and information, we are asking all ITS employees to run through a short checklist of items based on the Information Security Office Desktop and Laptop Computer Standard.
1. Computer Name
Please list all desktop or laptop machines for which you are the primary user, or for which you have assumed primary responsibility. (List the Computer Name of each machine. If you have more than one machine, please list them on an additional attached page.) To find the computer name for your computer:
For Windows XP:
- Click on the Start menu, choose Control Panel (or Start > Settings > Control Panel)
- Open the System control panel, click on the Computer Name tab
- The "Full Computer Name" is listed in the middle of the window
 2. Use Antivirus Software Most viruses will be caught by antivirus as long as the antivirus software is kept up to date. It is absolutely crucial that users run antivirus software on their computers. It is mandatory to have Antivirus installed on every system in the network.
3. Install and Run an Anti-Spyware Program
The ISO Desktop Standard requires that all desktop users run an anti-spyware program to search for and clean unwanted spyware programs from your system. Spyware is software that collects information about your system without your knowledge. Anti-spyware software is only recommended if the system is: a) used to browse the internet, and b) the potential exists for a user of the system to use the internet for other than business purposes, and c) the system will be used to access, store, or process protected information.
4. Make sure your operating system is patched
Many of the exploits circulating through the Internet take advantage of unpatched systems. Keeping your system fully patched is one of the most important security steps you can take, and is easy to do. The easiest way to keep your system patched is to set it to automatically download and install critical patches. To do this:
For Windows XP:
- Click on the Start menu, choose Control Panel (or Start > Settings > Control Panel)
- Open the Automatic Updates control panel
- Click the Automatic radio button
As an additional measure to ensure that all critical patches have been applied, you should also run a check of your operating system (see item 10, Microsoft Baseline Security Analyzer).
For all Windows systems: new security bugs are discovered almost every day. In order to keep your system secure it is critical that it be kept up to date with recent patches and software upgrades. Microsoft provides patches to fix these security bugs, but expects you to download and install them. By applying these patches regularly, you have a much lower chance of getting a virus, trojan, or worm, as most of these exploit commonly known security holes in unpatched systems. Microsoft releases patches on a regular schedule on the 2nd Tuesday of every month. Other critical patches may be released at any time during the month due to their severity and importance. It is important to be aware that Service Packs and Security Updates are not just applicable to operating systems. Individual applications have their own Service Pack and Security Update requirements. The total security of the system requires attention to both operating system and application levels. Use the Synechron Patch Management Procedure to push patches to the systems through the WSUS server on a regular basis.
5. Set Strong Passwords
Many systems are compromised as a result of weak or non-existent passwords on accounts. Setting strong passwords that are difficult to guess is important for the security of your system. A strong password is one that:
- Is at least 8 characters long,
- Contains upper and lower case letters,
- Contains at least one number,
- Is changed every 120 days,
- Does not contain your username
Most RIT users log onto their computer system with a username that matches their RIT computer account. To change the password on this account, please visit http://start.rit.edu and click on "Change your password". This password will be synchronized through your RIT computer account, the Exchange mail system, and your computer. In addition to the account that matches your RIT computer account, your computer system may have additional accounts. Most systems have a default "Administrator" account. These should have strong passwords as well. To check for additional local accounts and change passwords:
For Windows XP:
- Click on the Start menu, choose Control Panel (or Start > User Accounts)
- Check the accounts that are listed and change the passwords as necessary.
- Click on the account, and click the "Reset Password" button
Password Policy Settings: The following table shows password policy settings to enable and enforce through your server group policy settings (the 40-day maximum age in the table is stricter than the 120 days above; for domain accounts the group policy value applies).
Setting Domain controller default
Enforce password history 10 passwords
Maximum password age 40 days
Minimum password age 1 day
Minimum password length 8 characters
Password must meet complexity requirements Enabled
Store password using reversible encryption for all users in the domain Disabled
Account LockOut Policy Settings:
Setting Domain controller default
Account Lockout Duration 60 minutes (minimum)
Account Lockout Threshold 5 attempts
Reset Account Lockout After 30 minutes (minimum)
6. Make sure you are running an up-to-date anti-virus program
For Windows systems: right-click the VirusScan icon in your system tray in the bottom right-hand corner of your screen, and click on "VirusScan Console". Make sure the following options are set:
- Buffer Overflow Protection should be "enabled"
- On-Delivery Email Scanner should be "enabled"
- On-Access Scanner should be "enabled"
- AutoUpdate should occur daily, and the Last Result should indicate that "The Update Succeeded".
7. Run a Desktop Firewall
The desktop standard requires you to run a firewall on your desktop computer.
8. Remove or Delete Software
If existing software isn't needed by any user, uninstall it, delete it, or rename it. As discussed earlier in this book, even when software isn't used, it can make a computer vulnerable. If possible, uninstall or delete the software or service. Using the program's official uninstall program is preferred, as it should remove associated files, folders, and registry entries. Unfortunately, many uninstall routines still leave unneeded files and registry entries even when they claim to be removing them. If the software being removed is high-risk, be sure to manually inspect the related files, folders, and registry keys, and delete them if needed. Renaming the software executable or folder to something Windows or the end user doesn't expect can be useful when the software is difficult to remove. It's security-by-obscurity, but it can work in preventing easy execution. Be aware that Windows will sometimes track name changes and update the pointers, icons, and shortcuts to the new name. Unfortunately, this method doesn't prevent re-installation. For example, if a network administrator removes America Online's Instant Messaging (AIM) client, there is little to prevent an end user from re-installing it if they have the appropriate admin permissions. Also, you cannot remove, delete, or rename Windows File Protection (WFP)-protected files. If you do any of the preceding, Windows just replaces them in a few seconds. Still, if you can successfully remove unneeded software, it is one of the best ways to strengthen the security of any computer system.
9. All partitions use NTFS
Reason: NTFS supports security properties and auditing. FAT16/32 does not.
Use NTFS Permissions
You can use NTFS permissions to prevent the execution of existing installed software, and in some limited cases, prevent the installation of new software. NTFS permissions are the number one most secure way to prevent the unauthorized execution of existing software. If appropriately used, NTFS is hard to get around or trick. Determine what software most normal users should be able to execute, and if the software cannot be removed completely (e.g., needed for admin purposes or other users on a shared computer), then use appropriately set NTFS permissions to secure it. In most cases, an administrator wants to take away a normal user's Read & Execute permission. As Figure 9-1 shows, a common decision would be to set permissions at the application's folder level and let the resulting permissions be inherited downward. In this case, Figure 9-1 shows the Everyone group's permissions being set to none (as if it had previously had permissions set). Administrators, System, and Service have the expected default Read & Execute permissions.
Figure 9-1 Remove any other groups that should not have permissions. There is no need to add the Everyone group (or any other group) and then remove the permissions if the group does not already have permissions. When Windows realizes that a listed security principal has no permissions set on a protected resource, it will remove it from the access control list completely. Be careful. Do not set Read & Execute-Deny permissions for the Everyone or Authenticated Users group unless that is your true intent. Administrators and other privileged accounts belong to the larger groups as well and any permissions you set will also apply to the more privileged user accounts. Doing so could result in Read & Execute permissions unintentionally being taken away for the more specific groups. The key here is to remove Read & Execute permissions from groups that do not need access.
Preventing New Installs Using NTFS Permissions
The easiest way to prevent new installs using NTFS permissions is to not allow non-admin users to be logged in with admin credentials. Outside of that effort, another way to prevent new installs using NTFS permissions is to remove all permissions on the folders where the software is likely to be installed. Essentially, you want to take away the Read permissions from even the Administrators group, if end users are normally logged on with admin credentials. The true administrator can always take ownership and add back permissions if they are really needed.
10. Use Microsoft Baseline Security Analyzer
This is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found. It is mandatory to scan each server through MBSA and take appropriate action on all the reported issues before putting it into production.
11. Restrict physical and network access to critical or highly sensitive systems
Allow only trusted personnel to have access to critical systems. Establish security practices for users to ensure that only authorized personnel have access to systems that access protected information. If RDP is used, set the encryption level to High.
12. Enable Internet Connection Firewall (ICF) or any third-party firewall
Windows Firewall is a software-based, stateful filtering firewall for Windows PCs and it should be enabled on every system, or the system should run another third-party firewall program.
13. Windows Explorer
Configure Windows to always show file extensions. In Windows Explorer this is done via the Tools menu: Tools > Folder Options > View, then uncheck "Hide file extensions for known file types". This makes it harder for a harmful file (such as an EXE or VBS) to masquerade as a harmless file (such as TXT or JPG).
14. Configure the Device Boot Order
Configure the device boot order to prevent unauthorized booting from alternate media. It is recommended that the boot order of the system be set to boot from the hard disk first, followed by other media such as the CD drive. This will prevent an unauthorized user from inserting bootable media into the available drives or ports and taking control of the system. Pair this with a BIOS/firmware setup password, otherwise the boot order can simply be changed back.
15. Configure services on all the desktops as follows
Service                      Startup Type
Alerter                      Automatic
Automatic Update             Automatic
BITS                         Automatic
Messenger                    Automatic
Windows Firewall             Automatic
Windows Event Log            Automatic
Remote Registry              Disabled
SMTP                         Disabled
Server                       Disabled
Secondary Logon              Disabled
Windows Installer            Disabled
Computer Browser             Disabled
Routing and Remote Access    Disabled
Encrypting File System       Disabled
SNMP Service                 Disabled
Telnet (Server)              Disabled
(Alerter and Messenger exist only on Windows XP/2003 and earlier; the Messenger service was a well-known spam and abuse vector and should be Disabled there. Disabling Secondary Logon also disables runas.exe; UAC elevation on Windows 7 does not depend on it.)
16. Use Windows Software Restriction Policy through Group Policy
Use Group Policy to block all extensions related to scripts and to disallow execution of programs like cmd.exe and regedit.exe.
17. Create regular backups
There is the potential that files may be lost or corrupted due to hardware and/or software failures, and/or human errors (e.g., unintentionally deleting the file), and having another copy of critical data prior to such a catastrophe will alleviate the burden of recreating the lost or corrupted files in their original form. Perform regularly scheduled (e.g., daily and/or weekly) backups of servers according to the Synechron Data Backup Procedure. The backup frequency should be based on the importance of the data and the frequency of change to the data.
18. Sanitize your computer before donating and/or disposal
Before selling, donating, or discarding old computers, make sure that sensitive data is removed. Files that are simply deleted can be easily recovered. To sanitize your hard drives, use a program designed to overwrite the drive in a secure manner; formatting your drive does not remove the data effectively.
19. Attack surface must be reduced
Reason: In order to mitigate the risk of compromise, you should only install the components explicitly requested by the customer. Services that should not be used by default:
  • Help and Support
  • IPSEC Services
  • Print Spooler
  • Windows Firewall/Internet Connection Sharing (ICS)
  • Wireless Configuration
(Some of those services can be needed. If you need to print from or through this server, the Print Spooler must be running. Disabling the "Windows Firewall/Internet Connection Sharing (ICS)" service also turns off the host firewall required by item 12, so keep it running unless a third-party firewall is in place. Please note any other service that you choose to run or not to run.)
20. No extra components
Reason: Unless needed, no extra components should be installed by Add/Remove Programs. If you need to install e.g. IIS, then note it under "" hereunder. A complete list of components that should be installed on ALL baseline servers can be found in "Baseline for Windows 2003 Serverd.doc".
21. Don't Let End Users Be Logged In As Admin
One of the single best things you can do to prevent unauthorized software installation is to prevent non-admin users from being logged in as administrators. Non-admin users cannot install most software, modify the HKLM registry key, or add programs to most Windows auto-start areas. Non-admin users normally cannot install programs from the Internet or modify existing program configuration information. Unfortunately, this recommendation doesn't prevent normal users from running already installed software. Unless the user is restricted from running a program using permissions or some other method, Windows allows users to run most programs without administrative access.
22. Lock down the filesystem
Reason: Note: %SystemRoot% is the directory that holds the currently running installation of Windows. Normally it is C:\Windows. Remove "Everyone" and "All Users" from the root of the system disk. Change the permissions on %SystemRoot%\repair so that only Administrators and SYSTEM have access (Full Control). Create a new directory called %SystemRoot%\dump that only Administrators and SYSTEM have full access to. Enable auditing for Everyone on this folder and check all checkboxes under Failed and the "Change Permissions" checkbox under Successful. Then go to Control Panel > System > Advanced > Startup and Recovery settings and change the "Dump File" path to %SystemRoot%\dump\MEMORY.DMP (it must end with a filename). Then run drwtsn32.exe and change the "Crash Dump" path to %SystemRoot%\dump\user.dmp.
23. Lock down the registry
Reason: Disable AutoRun for CD-ROM drives.
Find this key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun
Change the value to 0 (REG_DWORD).
Secure the registry keys for the SNMP service. Only allow these accounts to access the keys:
Administrators - Full Control
System - Full Control
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Secure the registry keys below with this access: Administrators and System - Full Control; Authenticated Users - Read. Also set auditing for Everyone on these keys; check all checkboxes under Failed and the "Set Value" checkbox under Successful.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (leave the permissions for Terminal Server User, if it exists)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Select "winreg". Click Security and then click Permissions. Only System, Administrators and Backup Operators should have permissions. This is the default on Windows Server 2003, but it is worth checking anyway.
Navigate to Start > Control Panel > Administrative Tools > Local Security Policy. Expand "Security Settings" and "Local Policies". Choose "Security Options" and set "Network security: Do not store LAN Manager hash value on next password change" to Enabled.
24. Other settings that must be checked
Reason: Load "Event Viewer" into the MMC. Right-click on each log and choose "Properties". Set the following values:
Application Log: 16384 KB / Overwrite events as needed
Security Log: 16384 kb / Overwrite events as needed
System Log: 16384 KB / Overwrite events as needed
Navigate to Start > Control Panel > Administrative Tools > Local Security Policy. Expand "Security Settings" and "Local Policies", choose "Audit Policy" and set it up as follows:
Audit Account Logon Events: Success, Failure
Audit Account Management: Success, Failure
Audit Logon Events: Success, Failure
Audit Object Access: Failure
Audit Policy Change: Success, Failure
Audit Privilege Use: Failure
Audit System Events: Success, Failure
Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on your target use of the system, you should remove all software that is not to be used, like graphics and office packages on a web server.
Disable or remove unnecessary usernames and passwords - most systems come with a lot of predefined user accounts for all kinds of purposes, from remote support to dedicated user accounts for specific services. Remove all remote and support accounts, and all accounts related to services which are not to be used. For all used accounts, ALWAYS change the default passwords.
Disable or remove unnecessary services - just as in the two previous points, remove all services which are not to be used in production. You can always just disable them, but if you have the choice remove them altogether. This will prevent someone activating the disabled service further down the line.
Apply patches - after clearing the 'mess' of the default install, apply security and functionality patches for everything that is left in the system, especially the target services.
Run a Nessus scan - update your Nessus scanner and let her rip. Perform a full scan including dangerous scans. Do the scan without any firewalls on the path of the scan. Read through the results; there will always be some discoveries, so you need to analyse them.
If no vulnerabilities are discovered, use the system - after the analysis of the results, if there is nothing significant discovered, congratulations! You have a hardened system ready for use.
Professional Windows Desktop and Server Hardening
Hardening Recommendation | Description | Criticality
--- | --- | ---
Don't give non-admin users administrator privileges | Will prevent 70-90% of malware today | High
Keep patches updated | Will prevent many attacks | High
Use a host-based firewall | | High
Use antivirus software with an updated signature file | | High
Use anti-spam software | | Medium
Use anti-spyware software | | High
Enable boot-up passwords on portable computers | | Medium
Enable booting from the primary boot drive only | To prevent bypassing of Windows security, password cracking, and boot viruses | Medium on workstations, High on servers
Password protect the BIOS | To prevent resetting of the boot drive | Medium on workstations, High on servers
Harden the TCP/IP stack | To prevent DoS attacks | Low on most computers, High on Internet servers
Rename Administrator and other highly privileged accounts; create bogus accounts | | Medium/High
Highly privileged account names should not reflect their roles in the organization | For example, an Exchange Administrator account should not be called ExchAdmin. Better to call it something like PTravers, or some other less notable name | Medium
Run services on non-default TCP/IP ports | | High
Install high-risk software to non-default folders | May defeat scripted attacks | Low
Institute Logon and Account Logon auditing for highly-privileged accounts; consider Per-User Auditing as well | | Medium
All highly privileged accounts should have long (15 characters or longer), complex passwords | To defeat password cracking | High
Security must be automated | Or it won't be consistently applied | High
Disable delegation on highly-privileged users (and any computers) not needing delegation | Can prevent malicious programs from impersonating users to remote services and computers | Low
On Windows Server 2003 servers required to use delegation, enable constrained delegation | Minimizes a hacker's attack space on a server enabled with delegation | Medium
Make sure SID History filtering is enabled in your environment, which it is by default | Or else hackers might be able to elevate their privileges | Low
Use the AGULP method to assign security permissions | Not using it means you don't really understand what security is set in your environment | High
Always assign permissions to groups and never to individual users | Or else control becomes problematic and unmanageable | Medium/High
Use the Advanced Security Settings dialog box when setting NTFS permissions | It will display the "true" permissions. Sometimes Windows doesn't display correct permissions on the permissions summary screen | Medium
Set Share and NTFS permissions as tight as you can to meet the least-privilege principle | Don't make Share permissions Everyone Full Control as recommended by many documents | Medium
Use the Share Change permission instead of Full Control | That's all people need most of the time anyway | Medium
Use the NTFS Modify permission instead of Full Control unless the user really needs Full Control | Most non-admin users never need Full Control to a file or folder | High
Decrease Number of previous logons to cache to 0-3 versus the default of 10 | By default Windows stores 10 user profiles' worth of previous logon names and passwords that may be extracted with admin access and the right tools (e.g. Cachedump.exe) | Low/Medium
Do not save passwords with your RDP connection objects | They can easily be revealed using Cain & Abel and a locally logged-on admin | Medium
Disable the storage of LM password hashes and force users to change their passwords after LM hash storage is disabled | Most password cracking programs rely on the existence of LM password hashes | High
Minimum password size should be 15 characters | Disables LM hash storage and presents complexity to password crackers | High/Medium
Minimum password age should be set to any value above 0 | Prevents password re-use or circumventing Enforce Password History rules | Medium
Require long, complex passwords | Prevents password crackers from being successful | High
Enable Account Lockouts. Set the Account lockout threshold to a certain number of acceptable bad password attempts, say 3 to 5. Set Reset account lockout counter after to 1 minute (the smallest it can be). Set Account lockout duration to 1 minute | Stops password guessers | High
Force password changes every 90 days or less | Stops password guessers, crackers, and rainbow table programs | High/Medium
Periodically re-create Windows trusts and put in new trust passwords | Needed only in high-security environments | Low
Consider requiring smart cards or biometrics for highly-privileged accounts | To add extra security | Medium
Consider only using your most highly-privileged accounts on trusted computers | You want to ensure that a hardware keyboard logger or trojan isn't intercepting the password | Low
Separate domain admin and enterprise and schema admin roles (don't give both to the same user account) | To prevent island hopping | Medium
Use different passwords for your different administrative accounts | To prevent island hopping | High/Medium
Don't forget to change the password of the Directory Services Restore Mode admin account occasionally | To prevent local admin account cracking | Low
Do periodic password audits using password crackers | To audit the strength of user passwords and monitor compliance | High
Enable logon screen warning messages | To defeat many brute force tools | High/Medium
Consider randomly generating passwords | Would defeat many password cracking tools. This is a good idea, but users are highly resistant to it | Low (ranking offset by other non-technical issues)
Disable the Autorun.inf feature using a registry edit or SRP | To prevent autorun programs from removable media from running malicious commands or programs | Low
Prevent users from running high-risk files and programs | To prevent malicious use | Medium
Turn off file extension hiding in Windows Explorer | Malware can use double-naming tricks to confuse users into executing malware | High
Disable "Super Hidden" file extensions for high-risk file associations | Else malware can trick users into executing malware by accident | High
Uninstall, disable, remove, delete, and rename unneeded high-risk files and programs | To prevent malicious exploitation using those same files | High
Use NTFS permissions to prevent non-admin users from running high-risk files and folders | To prevent malicious use | High
Use GPOs when possible to push NTFS security on high-risk files, folders, and registry keys | Security permissions will re-apply even if the file gets replaced. Make sure to also enable Security policy processing and Process even if Group Policy objects have not changed for the GPO carrying the NTFS permission settings | High
Create a LeastPrivilegedUsers_Grp and highly restrict its members | To give them access to only the exact resources they need access to | High
Enable Object Access auditing for high-risk critical files | To monitor unauthorized requests | Medium
Use Software Restriction Policies to deny all software except that which is specifically allowed | To prevent unauthorized software execution. One of the single best things you can do for your system | High
Block non-admin access to high-risk registry keys | Block non-admin write access to registry "run" keys, and block all non-admin access to high-risk file associations | High
Block non-admin access to high-risk URI handlers | To prevent malware execution that depends on rarely used URI handlers. Examples include telnet://, rlogin://, news://, tn3270:// and aim:// if you don't allow AIM | Medium
Enable the Confirm open after download file type option for potentially dangerous file types | To prevent automatic malware execution | High
Make lesser-privileged custom service accounts for non-default services | Reduces the attack surface if the service account is compromised | High
Make custom service account passwords long and complex, and change them more frequently than normal accounts | Service account passwords can be extracted in plaintext by an admin user | High
Use lesser-privileged service accounts (LocalService, NetworkService, and custom) when possible instead of LocalSystem or admin-level accounts | To decrease the risk of a successful exploit from direct use or buffer overflows | Medium/High
Prevent unneeded services from executing | Use ACLs, SRP, etc. | High
Disable services in hardware profiles not needing them | Reduces attack surface area | Medium
Lock custom service accounts to the local PC | Prevents island hopping attacks | Medium
Consider configuring high-risk services to alert users/administrators when they have stopped (e.g. from a buffer overflow attack), instead of automatically restarting | Can be configured on the service's Recovery tab in the Services console | Medium
Environments with high-security requirements or expecting attacks against their IPSec infrastructure should enable Perfect Forward Secrecy | Prevents an attacker who cracks one IPSec secret key from easily brute forcing the others | Low
Use IPSec to create network security domains, VPNs, and to filter host connections | Prevents many types of attacks | Medium/High
Use the latest version of IE and keep it patched | Most resistant version of IE | High
Use the Killbit to stop risky ActiveX controls without easier alternate defenses | Stops malicious ActiveX use | Medium
Don't surf untrusted web sites | Avoids malicious code | Medium/High
Customize and tighten IE's Internet security zone | Minimizes malicious browser attacks | Medium/High
Use a 3rd party tool to protect IE | If additional protection is needed | Medium/High
Block high-risk file attachments | As recommended | High
Disable HTML content in e-mail clients | One of the single best things you can do to protect users | High
Use software that authenticates e-mail links | Hopefully your email or browser client does this | Medium
Run anti-virus software that scans e-mail | Run on the client and the email gateway | High
Block unmanaged e-mail connections (over SMTP, HTTP, etc.) | Unmanaged email provides high-risk opportunities for internal network compromises | High
Block spam | Implement at least one non-client-side solution (i.e. on the gateway or prior to the network perimeter) | High
Block e-mail clients from using port 25 | Outlook/Exchange clients on the internal LAN use RPC, not SMTP, to communicate. By only allowing email servers to use port 25, you will catch SMTP worms and bots with their own email engines | High
Implement authenticated e-mail protocols | Consider implementing a PKI hierarchy on the LAN, Sender ID (or another anti-spam protocol) to fight spam, and S/MIME or PGP to authenticate sensitive emails | Medium
Securely configure the email client | To minimize the chances of exploitation | High
Secure DNS services | To prevent DNS poisoning that can redirect users to bogus web sites | High
IIS: Only allow the bare minimum of TCP/IP ports to and from the web server | Usually the only ingress that should be allowed is 80, maybe 443, and whatever the remote management port requirement is. No egress should be allowed, unless external communication is an authorized component of the server. Do not allow ports 80 and 53 outbound all the time | High
IIS: Unless otherwise contraindicated, IIS should always be installed on a dedicated computer | To prevent exploitation from other services | High
IIS: Check for and install updated hardware drivers | To prevent hardware exploitation | Medium
IIS: IIS should be installed on a system with two separate, clean hard drives, each formatted with NTFS | To prevent directory traversal attacks | Medium/High
IIS: Install in stand-alone, workgroup mode unless domain authentication is needed | Less information to be protected if Active Directory is not needed | High
IIS: Specifically deny access to the IIS anonymous user and the anonymous null session | Add the accounts to \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon through Terminal Services | Medium
IIS: Enable high-level encryption on any Terminal Services connections | Set under \Computer Configuration\Administrative Templates\Terminal Services\Encryption and Security\Set client connection encryption level | Medium
IIS: If you use Remote Desktop to administer the web server, change the RDP port to something random and high | To prevent easy RDP port enumeration and remote password guessing attacks | High
IIS: Structure web site content directories to maximize security | | High
Disable EFS until an EFS recovery policy is defined | Otherwise encrypted files could be lost | High
Encrypt confidential and sensitive files | To prevent information theft | Medium
Encrypt sensitive information stored on laptops and other computer assets subject to a high risk of theft | To prevent information theft | Medium/High
Ensure that a data recovery agent (DRA) is defined on stand-alone XP Pro machines | To prevent EFS-encrypted data from becoming unrecoverable | Medium/High
Create a custom DRA account to replace the default DRA selection of Administrator | To give added protection to EFS-protected files. Disable the custom DRA account until needed | Medium/High
After using or creating a DRA account, export and remove the DRA's recovery certificate from the system | You can import it when needed. Gives added protection to the DRA account and EFS | Medium/High
Consider implementing Syskey protection (mode 2 or 3) on computers using EFS | To protect local credentials against password attacks trying to recover EFS keys | Low
Use GPO software publishing to install and update software | If no other automated software install tool is in use, especially for common Internet Explorer browser add-on programs, like Sun's Java VM, Adobe's Acrobat Reader, RealPlayer, etc. | High/Medium
Modify the Access this computer from the network right | Should be set to Authenticated Users and Administrators, not Everyone, in most environments. Must allow the Enterprise Domain Controllers group on Domain Controllers; and add Backup Operators, Everyone, and Pre-Win 2K Compatible groups if they are used. Early versions of OWA required remote users to have this right | Low/Medium
Modify the Add workstations to the domain right | By default all Authenticated Users have this right; consider only granting it to the Administrators group | Low/Medium
Enable the Require Domain Controller authentication to unlock workstation security option | Determines whether or not a domain controller is required to unlock a locked workstation, or whether cached credentials will work. Default is disabled. Should be enabled to prevent timing issues and other types of hacks involving locked screen savers | Medium
Use the Restricted Groups GPO feature to control the membership of highly-privileged groups | Prevents unauthorized users from remaining in highly-privileged groups for long | High
Use role-based security in designing your AD structure | Make role-based security templates, role-based OUs, role-based GPOs, etc. | High
Create and use Local Computer Policy | To prevent users from circumventing GPOs | Medium
Create and apply a one-time uber-security template to each new or existing PC that fully reflects (as best as possible) your company's security policy | To make sure all computers meet the defined security policy | High
If a cross-forest trust is used, enable selective authentication | To prevent remote forest users from automatically being added to the local forest's Authenticated Users group upon connection | High
Trust passwords should be long and complex | To prevent unauthorized recovery during initial setup. Overall risk is low because attackers haven't attacked trust passwords much, and after the initial setup Windows frequently changes the password and makes it long and complex | Low/Medium
Use Gpresult.exe /V to report effective GPO policy settings instead of RSoP | Gpresult.exe /v can report the effects of Local Computer Policy, while RSoP cannot | Medium if Local Computer Policy is used, otherwise Low
Ensure that GPOs get applied during the refresh interval even if the GPO settings did not change | Each GPO category can be disabled or enforced under \Computer Configuration\Administrative Templates\System\GroupPolicy | Medium/High
Other than domain-level policies, each GPO should be applied to a computer or user object, but not both at the same time. Disable the Computer Configuration or User Configuration option when not used | This will speed up GPO application significantly | Medium
Make sure administrators are not exempt from GPO settings | Some sources tell you to remove all GPOs from applying to Admin accounts, which is the wrong advice | Medium
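The audit policy and event log sizes from the "Other settings" list and the password, lockout, LM hash and cached logon rows of the table can all be checked from one exported policy. As an added example (not code from the original post or from the book it cites), the following Windows PowerShell script exports the effective local security policy with secedit, parses the resulting .inf, and reports every setting that falls short of those values. The .inf key names (AuditAccountLogon, MinimumPasswordLength, LockoutBadCount and so on) and the bit-mask encoding of audit values are secedit's own; the registry values NoLMHash and CachedLogonsCount are the storage locations behind the two corresponding rows. It only reads; run it from an elevated session, since secedit and the Security log need admin rights.

```powershell
# Added example (not from the original post or the book it cites): export the
# effective local security policy with secedit and compare it with the values
# given above: the audit policy from the "Other settings" list, the 16384 KB /
# overwrite-as-needed event logs, the password and lockout rows of the table
# (15-character minimum, minimum age above 0, change within 90 days, lockout
# threshold 3 to 5 with reset and duration of 1 minute), LM hash storage
# disabled (NoLMHash) and 0-3 cached logons. Read-only; run from an elevated
# Windows PowerShell session (secedit and the Security log need admin rights).

function Get-LocalSecurityPolicy {
    # Parse the .inf secedit writes into @{ section = @{ key = value } }.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
        $policy = @{}
        $section = ''
        foreach ($raw in (Get-Content -Path $inf)) {
            $line = $raw.Trim()
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
            if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# [Event Audit] values are bit masks: 1 = Success, 2 = Failure, 3 = both.
$RequiredAudit = [ordered]@{
    AuditAccountLogon  = 3   # Audit Account Logon events: Success, Failure
    AuditAccountManage = 3   # Audit Account Management: Success, Failure
    AuditLogonEvents   = 3   # Audit Logon Events: Success, Failure
    AuditObjectAccess  = 2   # Audit Object Access: Failure
    AuditPolicyChange  = 3   # Audit Policy Change: Success, Failure
    AuditPrivilegeUse  = 2   # Audit Privilege Use: Failure
    AuditSystemEvents  = 3   # Audit System Events: Success, Failure
}

# [System Access] values: -1 for MaximumPasswordAge means "never expires";
# ResetLockoutCount and LockoutDuration are only written when a threshold is set.
$PasswordRules = @(
    @{ Key = 'MinimumPasswordLength'; Want = '>= 15'; Test = { param($v) [int]$v -ge 15 } },
    @{ Key = 'MinimumPasswordAge';    Want = '> 0';   Test = { param($v) [int]$v -gt 0 } },
    @{ Key = 'MaximumPasswordAge';    Want = '1..90'; Test = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
    @{ Key = 'PasswordComplexity';    Want = '1';     Test = { param($v) [int]$v -eq 1 } },
    @{ Key = 'LockoutBadCount';       Want = '3..5';  Test = { param($v) [int]$v -ge 3 -and [int]$v -le 5 } },
    @{ Key = 'ResetLockoutCount';     Want = '1';     Test = { param($v) [int]$v -eq 1 } },
    @{ Key = 'LockoutDuration';       Want = '1';     Test = { param($v) [int]$v -eq 1 } }
)

function Test-HardeningPolicy {
    $findings = New-Object System.Collections.Generic.List[string]
    $policy = Get-LocalSecurityPolicy
    $audit  = $policy['Event Audit']
    $sys    = $policy['System Access']

    foreach ($name in $RequiredAudit.Keys) {
        $have = if ($audit -and $audit.Contains($name)) { [int]$audit[$name] } else { 0 }
        # Auditing more than required (both where only Failure is asked) is acceptable.
        if (($have -band $RequiredAudit[$name]) -ne $RequiredAudit[$name]) {
            $findings.Add("$name is $have, expected $($RequiredAudit[$name])")
        }
    }
    foreach ($rule in $PasswordRules) {
        $value = if ($sys -and $sys.Contains($rule.Key)) { $sys[$rule.Key] } else { $null }
        if ($null -eq $value -or -not (& $rule.Test $value)) {
            $findings.Add("$($rule.Key) is '$value', expected $($rule.Want)")
        }
    }

    foreach ($log in (Get-EventLog -List | Where-Object { 'Application', 'Security', 'System' -contains $_.Log })) {
        if ($log.MaximumKilobytes -lt 16384 -or $log.OverflowAction -ne 'OverwriteAsNeeded') {
            $findings.Add("$($log.Log) log is $($log.MaximumKilobytes) KB / $($log.OverflowAction), expected 16384 KB / OverwriteAsNeeded")
        }
    }

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.NoLMHash -ne 1) { $findings.Add('NoLMHash is not 1: LM hashes may still be stored') }

    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $cached = if ($winlogon -and $winlogon.PSObject.Properties['CachedLogonsCount']) { [int]$winlogon.CachedLogonsCount } else { 10 }  # 10 is the default
    if ($cached -gt 3) { $findings.Add("CachedLogonsCount is $cached, expected 0-3") }

    return $findings
}

$result = Test-HardeningPolicy
if ($result.Count -eq 0) { 'All checked settings match the recommendations.' } else { $result }
```

The check is deliberately one-directional: a setting that is stricter than the recommendation (auditing Success and Failure where only Failure is asked for, or a lockout duration already at the 1-minute minimum) does not produce a finding. On a domain-joined machine the exported values are the effective ones after Group Policy, so the script also serves to confirm that a domain password or audit policy actually reached the host.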

 
