


Question

Project Part 1 Task 1: Outline Security Policy

Scenario

To stay competitive in the financial institution market, the First World Bank Savings and Loan wishes to provide all banking services online to its customers. These services also include the online use of credit cards for loan applications. The organization estimates over $100,000,000 a year in online credit card transactions for loan applications and other banking services.

A task team has been formed to study the cost, performance, and security of maintaining a Linux and open source infrastructure. According to rough estimates, annual cost savings in licensing fees alone can be up to $4,000,000. At the same time, the confidentiality, integrity, and availability (CIA) triad perspective needs to be taken into account for infrastructure maintenance.

The task team has engaged a network engineer with the network and routing design. The team has determined the following server services that would be needed to support the online transaction infrastructure:

- A database server
- A Web server
- A file server
- A Simple Mail Transfer Protocol (SMTP) server
- A Lightweight Directory Access Protocol (LDAP) server

All servers would be physically located in a third-party data center.

Explanation / Answer

PLEASE RATE ME AND AWARD ME KARMA POINTS IF IT IS HELPFUL FOR YOU

Web server and application server roles

This section identifies hardening characteristics for Web servers and application servers. Some of the guidance applies to specific service applications; in these cases, the corresponding characteristics need to be applied only on the servers that are running the services associated with the specified service applications.

Category: Services listed in the Services MMC snap-in

Enable the following services:
- ASP.NET State service (if you are using InfoPath Forms Services or Project Server 2013)
- View State service (if you are using InfoPath Forms Services)
- World Wide Web Publishing Service

Ensure that these services are not disabled:
- AppFabric Caching Service
- Claims to Windows Token Service
- SharePoint Administration
- SharePoint Timer Service
- SharePoint Tracing Service
- SharePoint VSS Writer

Ensure that these services are not disabled on the servers that host the corresponding roles:
- SharePoint User Code Host
- SharePoint Search Host Controller
- SharePoint Server Search 15

The following services are required by the User Profile service application on the server that imports profiles from the directory store:
- Forefront Identity Manager service
- Forefront Identity Manager Synchronization service

Category: Ports and protocols

- TCP 80, TCP 443 (SSL)
- Custom ports for search crawling, if configured (such as for crawling a file share or a website on a non-default port)
- Ports used by the search index component: TCP 16500-16519 (intra-farm only)
- Ports required for the AppFabric Caching Service: TCP 22233-22236
- Ports required for Windows Communication Foundation communication: TCP 808
- Ports required for communication between Web servers and service applications (the default is HTTP):
  - HTTP binding: TCP 32843
  - HTTPS binding: TCP 32844
  - net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application)
- Ports required for synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent:
  - TCP 5725
  - TCP&UDP 389 (LDAP service)
  - TCP&UDP 88 (Kerberos)
  - TCP&UDP 53 (DNS)
  - UDP 464 (Kerberos Change Password)
  For information about how to synchronize profiles with other directory stores, see User Profile service hardening requirements, later in this article.
- Default ports for SQL Server communication: TCP 1433, UDP 1434. If these ports are blocked on the SQL Server computer (recommended) and databases are installed on a named instance, configure a SQL Server client alias for connecting to the named instance.
- Microsoft SharePoint Foundation User Code Service (for sandbox solutions): TCP 32846. This port must be open for outbound connections on all Web servers. This port must be open for inbound connections on Web servers or application servers where this service is turned on.
- Ensure that ports remain open for Web applications that are accessible to users.
- Block external access to the port that is used for the Central Administration site.
- SMTP for e-mail integration: TCP 25

Category: Registry

No additional guidance.

Category: Auditing and logging

If log files are relocated, ensure that the log file locations are updated to match. Update directory access control lists (ACLs) also.

Category: Web.config

Follow these recommendations for each Web.config file that is created after you run Setup:
- Do not allow compilation or scripting of database pages via the PageParserPaths elements.
- Ensure CallStack="false" and AllowPageLevelTrace="false".
- Ensure that the Web Part limits around maximum controls per zone are set low.
- Ensure that the SafeControls list is set to the minimum set of controls needed for your sites.
- Ensure that your Workflow SafeTypes list is set to the minimum level of SafeTypes needed.
- Ensure that customErrors is turned on ().
- Consider your Web proxy settings as needed (/).
- Set the Upload.aspx limit to the highest size you reasonably expect users to upload (the maximum is 2 GB). Performance can be affected by uploads that exceed 100 MB.

Database server role

The primary recommendation for SharePoint 2013 is to secure inter-farm communication by blocking the default ports used for SQL Server communication and establishing custom ports for this communication instead. For more information about how to configure ports for SQL Server communication, see Blocking the standard SQL Server ports, later in this article.

Category: Ports

Block UDP 1434. Consider blocking TCP 1433.

This article does not describe how to secure SQL Server. For more information about how to secure SQL Server, see Securing SQL Server (http://go.microsoft.com/fwlink/p/?LinkId=186828).

Specific port, protocol, and service guidance

The rest of this article describes in greater detail the specific hardening requirements for SharePoint 2013. In this section:
- Blocking the standard SQL Server ports
- Service application communication
- User Profile service hardening requirements
- Connections to external servers
- Service requirements for e-mail integration
- Service requirements for session state
- SharePoint 2013 Products services
- Web.config file

Blocking the standard SQL Server ports

The specific ports used to connect to SQL Server are affected by whether databases are installed on a default instance of SQL Server or a named instance of SQL Server. The default instance of SQL Server listens for client requests on TCP 1433. A named instance of SQL Server listens on a randomly assigned port number. Additionally, the port number for a named instance can be reassigned if the instance is restarted (depending on whether the previously assigned port number is available). By default, client computers that connect to SQL Server first connect by using TCP 1433. If this communication is unsuccessful, the client computers query the SQL Server Resolution Service that is listening on UDP 1434 to determine the port on which the database instance is listening.

The default port-communication behavior of SQL Server introduces several issues that affect server hardening. First, the ports used by SQL Server are well-publicized ports and the SQL Server Resolution Service has been the target of buffer overrun attacks and denial-of-service attacks, including the "Slammer" worm virus. Even if SQL Server is updated to mitigate security issues in the SQL Server Resolution Service, the well-publicized ports remain a target. Second, if databases are installed on a named instance of SQL Server, the corresponding communication port is randomly assigned and can change. This behavior can potentially prevent server-to-server communication in a hardened environment. The ability to control which TCP ports are open or blocked is essential to securing your environment.

Consequently, the recommendation for a server farm is to assign static port numbers to named instances of SQL Server and to block UDP 1434 to prevent potential attackers from accessing the SQL Server Resolution Service. Additionally, consider reassigning the port used by the default instance and blocking TCP 1433.

There are several methods you can use to block ports. You can block these ports by using a firewall. However, unless you can be sure that there are no other routes into the network segment and that there are no malicious users that have access to the network segment, the recommendation is to block these ports directly on the server that hosts SQL Server. This can be accomplished by using Windows Firewall in Control Panel.

Configuring SQL Server database instances to listen on a nonstandard port

SQL Server provides the ability to reassign the ports that are used by the default instance and any named instances. In SQL Server, you reassign ports by using SQL Server Configuration Manager.

Configuring SQL Server client aliases

In a server farm, all front-end Web servers and application servers are SQL Server client computers. If you block UDP 1434 on the SQL Server computer, or you change the default port for the default instance, you must configure a SQL Server client alias on all servers that connect to the SQL Server computer. In this scenario, the SQL Server client alias specifies the TCP port that the named instance is listening on.

To connect to an instance of SQL Server, you install SQL Server client components on the target computer and then configure the SQL Server client alias by using SQL Server Configuration Manager. To install SQL Server client components, run Setup and select only the following client components to install:
- Connectivity Components
- Management Tools (includes SQL Server Configuration Manager)

For specific hardening steps for blocking the standard SQL Server ports, see Configure SQL Server security for SharePoint 2013 environments.

Service application communication

By default, communication between Web servers and service applications within a farm takes place by using HTTP with a binding to TCP 32843. When you publish a service application, you can select either HTTP or HTTPS with the following bindings:
- HTTP binding: TCP 32843
- HTTPS binding: TCP 32844

Additionally, third parties that develop service applications can im
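An added example (not part of the answer above and not Microsoft's own script) of applying the database-server hardening the answer describes: block UDP 1434 and TCP 1433 on the SQL Server host with Windows Firewall, allow only the static port of the named instance from the farm's own servers, and verify the result. The static port 14330, the farm subnet 10.10.20.0/24 and the host name sqlhost are assumed values; the instance's static port and the client aliases on the Web servers are still set in SQL Server Configuration Manager, as the answer says.

```powershell
# Added example, not from the original answer. Assumptions: the named
# instance was already given static port 14330 in SQL Server Configuration
# Manager, and the SharePoint Web/application servers live in 10.10.20.0/24.
# Run in an elevated PowerShell session on the server that hosts SQL Server.

$StaticSqlPort = 14330            # assumed static port of the named instance
$FarmSubnet    = '10.10.20.0/24'  # assumed subnet of the farm's SQL clients

# 1. Block the SQL Server Resolution Service (UDP 1434) so clients cannot
#    discover instance ports and the service is not reachable from the network.
New-NetFirewallRule -DisplayName 'Block SQL Server Resolution Service (UDP 1434)' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Block

# 2. Block the well-publicized default instance port (TCP 1433).
New-NetFirewallRule -DisplayName 'Block SQL Server default port (TCP 1433)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Block

# 3. Allow the static port only from the farm subnet. Windows Firewall gives
#    block rules precedence over allow rules, so steps 1 and 2 stay in effect.
New-NetFirewallRule -DisplayName "Allow SQL Server static port (TCP $StaticSqlPort) from farm" `
    -Direction Inbound -Protocol TCP -LocalPort $StaticSqlPort `
    -RemoteAddress $FarmSubnet -Action Allow

# 4. Confirm the three rules exist, are enabled, and have the intended action.
Get-NetFirewallRule -DisplayName '*SQL Server*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# 5. Run from a Web server in the farm: the static port should report
#    TcpTestSucceeded as True and the blocked default port as False.
Test-NetConnection -ComputerName 'sqlhost' -Port $StaticSqlPort
Test-NetConnection -ComputerName 'sqlhost' -Port 1433
```

Because the block is applied on the SQL Server host itself, it holds even if another route into the data-center segment exists, which is the reason the answer prefers host firewall rules over a network firewall alone.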