RAP - Evaluation
Wednesday, 20 March 2019
10:09
Status | Title | Description | Background information | Proposed action (Microsoft) | Team | | | |
---|---|---|---|---|---|---|---|---|
Critical | Add memory to SharePoint servers. | One or more SharePoint servers is running with less than the supported minimum amount of memory. This will cause performance issues. | If the affected server is virtualized, allocate more memory to the virtual machine. If the affected server is a physical server, install more physical memory. Review the articles in the Learn More section for the most up-to-date information on memory requirements for your version of SharePoint. | | Server | to 32 GB | | |
Critical | Change passwords that are the same as the login name. | One or more SQL Server logins have passwords that are the same as their login names. This creates a security vulnerability that could allow malicious users or software to access or compromise your data. | To reduce the risk of service interruption or logon failures, liaise with affected users or developers before you make any changes. You can use the following Transact-SQL query to identify the logins whose password equals the login name: `-- Detect SQL logins with weak passwords SELECT SERVERPROPERTY('machinename') AS 'Server Name', ISNULL(SERVERPROPERTY('instancename'), SERVERPROPERTY('machinename')) AS 'Instance Name', name AS 'Login With Password Equal to Login Name' FROM master.sys.sql_logins WHERE PWDCOMPARE(name, password_hash) = 1 ORDER BY name; GO` | Use Microsoft Baseline Security Analyzer or the PWDCOMPARE function to identify SQL Server logins with blank or weak passwords. Use complex passwords and enforce password policies. | Server SQL | | | |
Critical | Configure and enforce the setting "Windows Firewall: Domain: Firewall state" via GPO | If the firewall is turned off, all traffic can reach the system and an attacker may more easily exploit a weakness in a network service remotely. To improve security, it is recommended that the firewall be enabled and its state enforced so that local administrators cannot disable it. | Microsoft recommends that organizations select On (recommended) so that Windows Firewall with Advanced Security uses the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Turning this off exposes all ports to network communication; enforcing it ensures that the firewall stays enabled. Exceptions that are needed should be configured and enforced as well. | Create a policy to enforce the recommended setting: 1. Log on to a computer that can connect to a DC and has the Group Policy Management Console installed, with an account that has the administrative rights necessary to modify Group Policy. 2. Open the Group Policy Management Console: a. click the Start Menu; b. search for Group Policy Management; c. click Group Policy Management Console to open it. 3. Create an appropriate policy to test with, in accordance with line-of-business standards and methodology: a. if you are replacing a policy, copy the original policy that this will replace, otherwise create a new one; b. configure Security Filtering and/or WMI Filtering on the new policy so that it applies to the appropriate test group; c. if a policy already exists that conflicts with this setting, take the order of application into account in your implementation. 4. Within the Group Policy Management Editor window for the chosen policy: a. browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security; b. click Windows Firewall Properties; c. on the Domain Profile tab, locate Firewall State; d. choose On (recommended) from the drop-down menu next to it; e. click OK to close the window. 5. Close the Group Policy Management Editor window. 6. Close the Group Policy Management Console window. Link the policy: 1. Log on to a computer that can connect to a DC and has the Group Policy Management Console installed, with an account that has the rights necessary to link a Group Policy. 2. Open the Group Policy Management Console: a. click the Start Menu; b. search for Group Policy Management; c. click Group Policy Management Console to open it. 3. Link the new policy to an OU containing the test group, scoped to apply only to that test group. 4. Once testing is complete: a. ensure that the WMI Filtering and Security Filtering are duplicated from the original policy, if applicable; b. link the new policy to the appropriate production OU(s) and adjust the priority of the policy; c. remove the old policy links if necessary. 5. Close the Group Policy Management Console window. | Server | This will be clarified through the AD RAP | | |
Critical | Disable the SMB1 protocol | SMB1 is not safe and should be disabled in order to gain the key protections offered by later SMB versions. | When you use SMB1, you lose key protections offered by later SMB protocol versions: No matter how you secure all these things, if your clients use SMB1, a man-in-the-middle can tell your client to ignore all of the above and share all its secrets, unless you required encryption on that share to prevent SMB1 in the first place. | Disable SMBv1. Follow the steps in Microsoft Knowledge Base article 2696547 at https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 to disable SMBv1. An alternative method for customers running Windows Server 2012 R2 and later: How to undo: retrace the above steps and select the SMB1.0/CIFS File Sharing Support check box to restore the SMB1.0/CIFS File Sharing Support feature to an active state. | Server | Under clarification. | | |
Critical | Enable and enforce the setting "Turn off Autoplay" via GPO | An attacker could use this feature to launch a program that damages a client computer or the data on it. This setting does not prevent the code from being run manually. | Microsoft recommends that organizations configure the Turn off Autoplay setting to Enabled in order to prevent malicious code from executing automatically when media is inserted. Autoplay starts reading from a drive as soon as you insert media into it, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program that damages the computer or the data on it. You can enable the Turn off Autoplay setting to disable the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. You cannot use this policy setting to enable Autoplay on drives where it is disabled by default, such as floppy disk and network drives. | Create a policy to enforce the recommended setting: 1. Log on to a computer that can connect to a DC and has the Group Policy Management Console installed, with an account that has the administrative rights necessary to modify Group Policy. 2. Open the Group Policy Management Console: a. click the Start Menu; b. search for Group Policy Management; c. click Group Policy Management Console to open it. 3. Create an appropriate policy to test with, in accordance with line-of-business standards and methodology: a. if you are replacing a policy, copy the original policy that this will replace, otherwise create a new one; b. configure Security Filtering and/or WMI Filtering on the new policy so that it applies to the appropriate test group; c. if a policy already exists that conflicts with this setting, take the order of application into account in your implementation. 4. Within the Group Policy Management Editor window for the chosen policy: a. browse to Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies; b. locate Turn off Autoplay and double-click it; c. choose Enabled; d. in the Turn off Autoplay on field, select All Drives; e. click OK to close the window. 5. Close the Group Policy Management Editor window. 6. Close the Group Policy Management Console window. Link the policy: 1. Log on to a computer that can connect to a DC and has the Group Policy Management Console installed, with an account that has the rights necessary to link a Group Policy. 2. Open the Group Policy Management Console: a. click the Start Menu; b. search for Group Policy Management; c. click Group Policy Management Console to open it. 3. Link the new policy to an OU containing the test group, scoped to apply only to that test group. 4. Once testing is complete: a. ensure that the WMI Filtering and Security Filtering are duplicated from the original policy, if applicable; b. link the new policy to the appropriate production OU(s) and adjust the priority of the policy; c. remove the old policy links if necessary. 5. Close the Group Policy Management Console window. | Server | Under clarification | | |
Critical | Schedule a full database backup and ensure that it has a frequency of seven days or less. | To restore a backup you must restore the latest full backup, the latest differential backup, and all log backups since the latest differential backup (or since the full backup if there is no differential backup, or if the latest full backup is more recent than the latest differential backup). Infrequent full backups can result in large numbers of log files being restored, which slows down the restore process. Differential backups also grow with the number of changes since the latest full backup; large differential backups slow down the restore process and increase storage costs. | When you need to recover a database to a specific point in time, you must restore the most recent full database backup, then the most recent differential database backup, and then all transaction log backups that are more recent than the last full or differential database backup. If your last full backup is older than one week, the time required to fully recover a database will be far longer than in a scenario where you have taken full backups daily. You should use the Full or Bulk-logged recovery model for your production database environments rather than the Simple recovery model. The Simple recovery model carries a risk of data loss, as you can only restore transactions committed up to the point of the last backup. For this reason, most databases in production environments should use the Full or Bulk-logged recovery model. To determine which recovery model is right for you, refer to the links in the Learn More field. | Complete a full backup of any databases that have not had a full backup in the last seven days. Ideally you should run full backups daily. If this is not feasible, schedule full backups to run on these databases at least weekly. You can use the Maintenance Plan Wizard to create a workflow of the tasks required to keep your database well managed, including one to ensure that it is regularly backed up. You can find detailed steps for creating a maintenance plan for scheduling backups in Use the Maintenance Plan Wizard at http://technet.microsoft.com/en-us/library/ms191002.aspx#SSMSProcedure. To monitor database backup scheduling, you can use Policy-Based Management. This allows you to monitor best practices for the SQL Server Database Engine and provides the Outdated Backup best practice rule to identify databases that have not been backed up within a defined period. | SharePoint | Create a backup and create a concept | | |
Critical | Schedule transaction log backups. | One or more user databases are running in the Full or Bulk-logged recovery model, but no transaction log backups were detected in the backup history catalog in the last two days. Without transaction log backups, you will only be able to recover data up to the time of your last backup, and the transaction log may rapidly run out of disk space. | The Full recovery model logs all transactions. This allows you to restore the database to a specific point in time, which can dramatically reduce the amount of data loss. However, when you use the Full recovery model, the transaction log is only truncated when you back up the log. As a result, failure to schedule frequent log backups will cause the transaction log to grow until it reaches its maximum size or the disk volume containing the log runs out of space. The Bulk-logged recovery model minimizes log space requirements by reducing the amount of transaction logging to a minimum. This model supports recovery up to the time of the last transaction log backup, but does not support point-in-time recovery. | Determine which recovery model is appropriate for the affected databases. For guidance on selecting an appropriate recovery model, see Recovery Models (SQL Server) at http://msdn.microsoft.com/library/ms189275.aspx. If you configure a database to use the Full or Bulk-logged recovery model, you must schedule regular log backups. Choose a backup frequency that reduces the potential data loss to an acceptable level. | SharePoint | | | |
High | Close network ports that are not required by SharePoint | Allowing only the ports needed by SharePoint increases the security of the SharePoint server. | Windows Firewall with Advanced Security combines a host firewall and Internet Protocol security (IPsec). Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications. Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all packets for IP version 4 (IPv4) and IP version 6 (IPv6) traffic. In this context, filter means to allow or block network traffic by processing it through administrator-defined rules. By default, incoming traffic is blocked unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can configure Windows Firewall with Advanced Security to explicitly allow traffic by specifying a port number, application name, service name, or other criteria. Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating, and to require the use of data integrity or data encryption when communicating. | | SharePoint | Link in OneNote | | |
High | Configure and enforce the setting "Windows Firewall: Public: Firewall state" via GPO | If the firewall is turned off, all traffic can reach the system and an attacker may more easily exploit a weakness in a network service remotely. To improve security, it is recommended that the firewall be enabled and its state enforced so that local administrators cannot disable it. | Microsoft recommends that organizations select On (recommended) so that Windows Firewall with Advanced Security uses the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Turning this off exposes all ports to network communication; enforcing it ensures that the firewall stays enabled. Exceptions that are needed should be configured and enforced as well. | Create a policy to enforce the recommended setting. Link the policy. | | | | |
High | Configure the setting "Network security: LAN Manager authentication level" and enforce via GPO | The LM and NTLM authentication protocols are relatively weak in the modern computing environment; where the Kerberos authentication protocol cannot be used, it is recommended that NTLMv2 be used. | Microsoft, as well as independent organizations, strongly recommends that organizations configure the Network security: LAN Manager authentication level setting to Send NTLMv2 responses only in environments in which all clients support NTLMv2, because LM offers relatively weak encryption that is a common target for attack. If the recommended setting is implemented, clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources using LM and NTLM. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The possible values for the Network security: LAN Manager authentication level setting are: These settings correspond to the levels discussed in other Microsoft documents as follows: LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants. In Windows Server 2008, this setting is undefined and defaults to level 3. The default setting on servers allows all clients to authenticate with servers and use their resources. However, this means that LM responses, the weakest form of authentication response, are sent over the network, and it is possible for attackers to sniff that traffic to more easily reproduce the user's password. Some legacy operating systems do not support the Kerberos authentication protocol. For this reason, in a Windows domain, these computers authenticate by default with both the LM and NTLM or NTLMv2 protocols for network authentication. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server domain controllers. | Create a policy to enforce the recommended setting. Link the policy. | Server | Under clarification, AD RAP | | |
High | Consider disabling the xp_cmdshell extended stored procedure. | The xp_cmdshell extended stored procedure has been enabled on one or more SQL Server instances. This stored procedure allows callers to pass commands to the Windows operating system. These commands are executed with the privileges of the SQL Server service account. Enabling this feature increases the vulnerability of your environment to attack. In particular, malicious users sometimes attempt to elevate their privileges by using xp_cmdshell. | If you must leave xp_cmdshell enabled, restrict its use to members of the sysadmin role wherever possible. If you must extend access to users outside the sysadmin role, use the sp_xp_cmdshell_proxy_account stored procedure to assign a proxy account with limited privileges. When a non-sysadmin member calls xp_cmdshell, the Windows process spawned by xp_cmdshell runs under this proxy account. Use the GRANT Transact-SQL statement to assign execute permission only to those users who must be able to invoke xp_cmdshell. | Disable the xp_cmdshell stored procedure unless there is a compelling business case for leaving it enabled. You can use the sp_configure stored procedure to enable or disable xp_cmdshell. For example, the following Transact-SQL commands disable xp_cmdshell: `USE master; GO EXEC sp_configure 'xp_cmdshell', 0; GO RECONFIGURE; GO` | SharePoint | | | |
High | Deploy a dedicated database server for SharePoint farms. | The SQL Server instances that support your SharePoint farm are also hosting non-SharePoint databases. This can compromise the performance of your SharePoint environment. | To ensure optimal performance of your SharePoint environment, install SQL Server on a dedicated server that is not running any other farm roles and is not hosting databases for any other application. The only exception is if you are deploying SharePoint on a standalone server, which is not recommended for production environments. | | Server SQL | | | |
High | Disable the Guest user. | When the Guest user is enabled, logins that have not been mapped to a database user can access the database with the permissions of the Guest user. This could reduce security levels. | The guest user account allows users with a SQL Server login, but without a specific database user account, to access a database. If the SQL Server login is not mapped to a user account in the database, and the guest account is enabled in the database, the login assumes the identity of the guest user together with any permissions assigned to the guest user. You can grant permissions to the guest user in the same way that you grant permissions to any other database user. However, enabling and assigning permissions to the guest user account is not a recommended way of managing access to user databases. All databases in SQL Server include a Guest user. When the Guest user is enabled in a database, logins that have not been mapped to that database can access it and inherit the permissions granted to the Guest user. This may be a security risk, so you should revoke the CONNECT permission from the Guest user. You should not revoke CONNECT in the master, model, msdb, or tempdb databases, as this will cause issues. | Review the user databases that have the guest user enabled. Unless there is a specific requirement to use the guest user, disable it. You can use the following Transact-SQL command to disable the guest user in a specific database, where <database name> is the name of your database: `USE [<database name>]; GO REVOKE CONNECT FROM guest; GO` Important: only disable the guest user in user databases. In particular, do not disable the guest user in the master, model, msdb, or tempdb databases; disabling it there will cause several features to malfunction. | Server SQL | | | |
High | Do not use a Domain Administrator account as a SharePoint Farm Administrator | Microsoft recommends least-privileged administration to configure and maintain a SharePoint farm and to enhance overall system and domain security. | A SharePoint Farm Administrator is responsible for the operation of the production environment and of the lower development and testing environments for SharePoint. They are responsible for the SharePoint application and help execute approved change requests. Farm Administrators have full Central Administration rights and full SharePoint services rights, and they provision security for the site collections. They assign permissions to the Site Collection Managers. If a domain group is used to grant SharePoint farm administrator access, the group membership should be managed carefully. Microsoft recommends using least-privilege administration whenever possible. The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete their daily non-administrative tasks and nothing more. Doing so provides protection against malicious code, among other attacks. If a task requires elevated (admin) rights, start the application with an account that has the necessary rights using the Run As feature. | You will need to be a SharePoint farm administrator to perform these steps. Before removing a domain group, make sure that the farm administrators hold Farm Admin rights outside of that group. | SharePoint | Needs to be assessed. | | |
High | Do not use one service account for multiple Application Pools | By default, SharePoint uses the same account for the Application Pool of 'SharePoint Central Administration' and for the 'SecurityTokenServiceApplicationPool'. All other application pools should use a distinct account for additional security and process isolation. | An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Application pools set boundaries for the applications they contain, which means that applications running outside a given application pool cannot affect the applications in that pool. Application pools offer the following benefits: In IIS 7, application pools run in one of two modes: integrated mode and classic mode. The application pool mode affects how the server processes requests for managed code. If a managed application runs in an application pool with integrated mode, the server uses the integrated request-processing pipeline of IIS and ASP.NET to process the request. If a managed application runs in an application pool with classic mode, the server continues to route requests for managed code through Aspnet_isapi.dll, processing requests as if the application were running in IIS 6.0. Using a different service account for each application pool provides additional security: if one service account is compromised, the other application pools are not affected. Using different service accounts also simplifies troubleshooting of application pool issues. | Before performing the steps below, you will need the new service account name and password. Document the current service account name and password in case you need to roll back your changes. | | Needs to be assessed. | | |
High | Do not use the Local Server Administrators group for SharePoint Farm Administrators | The local Administrators group should be used for administration of the server OS and other server administration tasks. Using the local Administrators group as the SharePoint Farm Administrator account could allow unattended or unauthorized admin access to the SharePoint farm. | Microsoft's best-practice recommendation is to create accounts as low-privileged Windows local user accounts or domain user accounts, and to give each service account the lowest possible permissions. If low-privileged processes are compromised, they can do far less damage to a system than high-privileged processes can. Consequently, using a non-administrator account instead of an administrator account for daily tasks offers the user added protection against malware infection, external or internal attacks, accidental or intentional modification of system setup and configuration, and accidental or intentional access to confidential programs or documents. | You will need to be a SharePoint farm administrator to perform these steps. Before removing the local Administrators group, make sure that the farm administrators hold Farm Admin rights outside of it. | SharePoint | Needs to be assessed. | | |
High | Enable User Account Control on all computers | One or more of your computers has User Account Control (UAC) disabled, which means that users without Administrator privileges may intentionally or unwittingly run programs with administrative permissions. This represents a significant security risk to your environment. | User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users), and as administrators without having to switch users, log off, or use Run As. When an administrator logs on to a computer running Windows Vista, Windows 7 or Windows 8, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control which resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe check to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying them. It is strongly recommended not to disable User Account Control (UAC) on any client version of Windows. If UAC is disabled to avoid the elevation prompt, all UAC functionality is disabled. Instead, consider configuring UAC to elevate without prompting. In that case, applications that have been marked as administrator applications, as well as setup applications, automatically run with the full administrator access token; all other applications automatically run with the standard user token. | Enable User Account Control on all affected systems. To do this, set the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 1. | | Needs to be checked. Installation required. Must be enabled. | | |
High | Enable local server firewall | To provide increased security, it is recommended that all servers be protected by a local server firewall. | Windows Firewall with Advanced Security combines a host firewall and Internet Protocol security (IPsec). Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications. Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all packets for IP version 4 (IPv4) and IP version 6 (IPv6) traffic. In this context, filter means to allow or block network traffic by processing it through administrator-defined rules. By default, incoming traffic is blocked unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can configure Windows Firewall with Advanced Security to explicitly allow traffic by specifying a port number, application name, service name, or other criteria. Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating, and to require the use of data integrity or data encryption when communicating. | | Server | | | |
High | Event ID 10010: Report the Windows Component Object Model (COM) error to the application developer | This event ID indicates that an exception occurred in a COM application. Malfunctioning COM applications may negatively affect SharePoint performance and functionality. | COM+ applications use Microsoft COM technology in Windows operating systems to communicate and take advantage of Windows services. COM technologies include COM+, DCOM, and ActiveX controls. This event indicates that a COM server component did not register with DCOM within the required timeout period. | Review all custom applications installed on your SharePoint servers. Custom and third-party applications can negatively affect the reliability and performance of SharePoint, and you should consider running them on other servers whenever possible. Report the event to the application developer so that the developer can debug the code. One possible cause for this event is that your server security policy is configured to disallow COM component connections. To verify your COM security policy: | SharePoint | This is resolved by the last Windows Patch Tuesday. | | |
High | Investigate and remove orphaned features. |
One or more features are referenced in content databases but are not installed in the farm. This can cause problems when you attempt to upgrade content databases. |
Review the affected features. This issue typically occurs when an administrator retracts a solution without first deactivating a component feature at the site level. If this is the case, you can use the Disable-SPFeature PowerShell cmdlet to remove the feature reference from the content database. For example: Disable-SPFeature -Identity <Feature ID> -Url <Site URL> -Force -Confirm:$false, where <Feature ID> is the GUID-based feature ID and <Site URL> is the URL of the site or web to which the feature is scoped. |
SharePoint/MS | Must be checked. |
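Added example, not part of the RAP report: it walks every site collection and web, reports features whose definition is no longer installed in the farm (SPFeature.Definition is $null), and wraps the Disable-SPFeature -Force removal the report suggests in a function that supports -WhatIf so the list can be reviewed before anything is removed. It assumes the SharePoint Management Shell and farm administrator rights.

```powershell
# Added example, not part of the RAP report: find orphaned feature references
# (no installed definition) and optionally remove them with Disable-SPFeature.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-OrphanedSPFeature {
    [CmdletBinding()]
    param(
        # Restrict to one web application URL; empty scans the whole farm
        [string]$WebApplication
    )
    $sites = if ($WebApplication) { Get-SPSite -WebApplication $WebApplication -Limit All }
             else { Get-SPSite -Limit All }
    foreach ($site in $sites) {
        try {
            foreach ($f in $site.Features) {          # site-scoped features
                if ($null -eq $f.Definition) {
                    [pscustomobject]@{ Url = $site.Url; Scope = 'Site'; FeatureId = $f.DefinitionId }
                }
            }
            foreach ($web in $site.AllWebs) {         # web-scoped features
                foreach ($f in $web.Features) {
                    if ($null -eq $f.Definition) {
                        [pscustomobject]@{ Url = $web.Url; Scope = 'Web'; FeatureId = $f.DefinitionId }
                    }
                }
                $web.Dispose()
            }
        }
        finally { $site.Dispose() }
    }
}

function Remove-OrphanedSPFeature {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)]$Orphan)
    process {
        if ($PSCmdlet.ShouldProcess($Orphan.Url, "Disable-SPFeature $($Orphan.FeatureId)")) {
            # -Force is required because the feature definition no longer exists
            Disable-SPFeature -Identity $Orphan.FeatureId -Url $Orphan.Url -Force -Confirm:$false
        }
    }
}

Get-OrphanedSPFeature | Format-Table -AutoSize
# Get-OrphanedSPFeature | Remove-OrphanedSPFeature -WhatIf
```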
High | Investigate the failure of a backup device. |
SQL Server has reported that a backup device has failed. This may leave you unable to recover data in the event of a disaster or a primary hardware failure. |
SQL Server error 18204 is often associated with the more general error 3041, Severity: 16, State: 1: "BACKUP failed to complete the command BACKUP DATABASE database_name. Check the backup application log for detailed messages." |
An error 18204 indicates that SQL Server has been unable to open or close a backup device, whether a disk, tape, or pipe. You should restart the backup to an alternative target, which will ensure that the problem is isolated to this particular server, path, or file, and then investigate the issue. You can take the following steps to identify the cause of the problem:
Error 18204 returns a message in the following format: %1: Backup device '%2' failed to %3. Operating system error = %4. If the operating system error variable (%4) returns a number, you can open a command prompt and execute NET HELPMSG with the operating system error number as the parameter. |
Server SQL | |
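Added example, not part of the RAP report: it searches the SQL Server error log for error 18204, parses the device name and operating system error number out of the message format quoted above, and translates the number with NET HELPMSG. It assumes Invoke-Sqlcmd (SqlServer or SQLPS module) and uses a placeholder instance name.

```powershell
# Added example, not part of the RAP report: triage error 18204 entries in the
# SQL Server error log and explain the embedded operating system error code.
function Get-BackupDeviceFailure {
    [CmdletBinding()]
    param(
        [string]$Instance = 'SQLSERVER01\SHAREPOINT',   # placeholder instance name
        [int]$LogNumber = 0                           # 0 = current error log
    )
    # xp_readerrorlog arguments: log number, log type (1 = SQL Server), search string
    $rows = Invoke-Sqlcmd -ServerInstance $Instance -Query "EXEC master.dbo.xp_readerrorlog $LogNumber, 1, N'18204'"
    foreach ($row in $rows) {
        $text = [string]$row.Text
        # Format: "%1: Backup device '%2' failed to %3. Operating system error = %4."
        $device  = if ($text -match "Backup device '([^']+)'") { $Matches[1] } else { $null }
        $osError = if ($text -match 'Operating system error = (\d+)') { [int]$Matches[1] } else { $null }
        $meaning = if ($null -ne $osError) { (& net helpmsg $osError 2>$null) -join ' ' } else { '' }
        [pscustomobject]@{
            LogDate = $row.LogDate
            Device  = $device
            OSError = $osError
            Meaning = $meaning.Trim()
            Message = $text
        }
    }
}

Get-BackupDeviceFailure | Format-Table LogDate, Device, OSError, Meaning -AutoSize
```

Error 5 (access denied) or 53 (network path not found) on the device path points at the backup target and the service account's rights to it rather than at the database itself.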
High | Mitigations missing for speculative execution side-channel vulnerabilities |
Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. |
These vulnerabilities are information disclosure vulnerabilities. An attacker who successfully exploited these vulnerabilities could use them to leak sensitive information that could be used for further exploitation of the system. In shared resource environments (such as exist in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run untrusted code on the system to leverage these vulnerabilities. In browsing scenarios, an attacker could convince a user to visit a malicious site to leverage these vulnerabilities. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. | Refer to the Learn More links for patching and mitigation guidance. |
MS | ? |
High | Modify auto-growth settings to use a fixed size growth increment of less than 1 GB on data and log files of user databases and the TempDB system database. |
If auto-growth is expanding the transaction log of a database, transactions that are trying to write to that log will have to wait until file growth is complete. With a percentage increase, the auto-grow size will increase as the database becomes larger. If the growth increment is large, it takes longer to expand a database file. This results in longer transaction delays and possible transaction timeouts. |
In a production environment, you can use auto-grow as a contingency for unexpected growth, rather than as a method of day-to-day management of file or log growth. If you configure the file to grow as a percentage value of the data or log file, the growth increment may be very large. It is generally recommended to use a value below 1 GB. For very large databases, a percentage value may be far greater than 1 GB. This may result in transaction failures because of a timeout error, due to the time required to grow the file. The auto-grow settings are configured on a per-file basis; you configure the setting for the primary data file and the primary log file. If you have multiple data or log files, you must configure the setting on each file. |
You can use the following procedure in SQL Server Management Studio to set fixed growth increments on database files and log files:
The optimum value for the file growth increment will depend on the size and volatility of the filegroup. |
Server SQL | |
High | Resolve duplicate Service Principal Names (SPNs). |
The domain that hosts SharePoint servers contains duplicate SPNs. This can cause various authentication issues, such as service logon failures or fallback to NTLM authentication. |
An SPN uses up to four pieces of information to uniquely identify a service, in the format ServiceClass/Host:Port/ServiceName, where:
The ServiceClass and Host fields are both required. The Port field is used only when a service operates on a non-standard port or to distinguish between multiple service instances, and the ServiceName field is used when required to distinguish between multiple service instances. |
Establish which of the duplicate SPNs are invalid and remove them from the affected computer object. To remove an SPN, run the following command from an elevated command prompt: setspn -D <spn> <account name>, where <spn> is the duplicate SPN and <account name> is the affected computer object. |
Server/SharePoint | |
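Added example, not part of the RAP report: it queries Active Directory for every object that carries an SPN and lists each SPN registered on more than one account, which is exactly the condition this finding reports; the setspn -D removal from the report is shown only as a comment with placeholder values, because the report requires deciding first which registration is the invalid one. It assumes the ActiveDirectory module.

```powershell
# Added example, not part of the RAP report: find SPNs registered on more than
# one account in the domain. Removal is left to setspn -D after review.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Optional pattern, e.g. 'HTTP/*' for the web-server SPNs SharePoint uses
        [string]$Like = '*'
    )
    # Every user, computer or service account carrying at least one SPN
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, objectClass |
        ForEach-Object {
            $owner = $_
            foreach ($spn in $owner.servicePrincipalName) {
                if ($spn -like $Like) {
                    [pscustomobject]@{ Spn = $spn; Account = $owner.Name; Class = $owner.objectClass; DN = $owner.DistinguishedName }
                }
            }
        } |
        # Group case-insensitively so differences in letter case are not mistaken for distinct SPNs
        Group-Object -Property { $_.Spn.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn      = $_.Name
                Accounts = ($_.Group | ForEach-Object { "$($_.Account) [$($_.Class)]" }) -join ', '
            }
        }
}

Get-DuplicateSpn -Like 'HTTP/*' | Format-Table -AutoSize

# After deciding which registration is invalid, remove it from that object (as in the report);
# the SPN and account below are placeholders:
#   setspn -D HTTP/portal.example.invalid SP-APPPOOL-ACCOUNT
```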
High | Review disabled timer jobs. |
One or more timer jobs are currently disabled. SharePoint relies heavily on timer jobs to perform many background and administrative tasks, and disabling these timer jobs may have unintended consequences on farm functionality. |
Timer jobs run within the SharePoint Timer Service (SPTimerV4) Windows service. SharePoint uses timer jobs to perform various administrative and background tasks on a scheduled basis. Timer jobs also perform infrastructure tasks for the SharePoint Timer Service, such as clearing the timer job history and recycling the timer service, and tasks for web applications, such as sending e-mail alerts. A timer job contains a definition of a piece of work and a schedule that specifies how frequently the piece of work should be undertaken. Many SharePoint features rely on timer jobs in order to function correctly. |
Review the disabled timer jobs. Enable each timer job, unless there is a compelling reason for keeping it disabled. You can use the following procedure to enable a timer job:
Comments |
SharePoint | Deliberately switched off. |
High | Review the Indexer Performance setting for your search service. |
The Indexer Performance setting for one or more search service applications is currently set to Partially Reduced. While this setting is appropriate for some SharePoint environments, it can lead to delays in indexing content for environments that contain large amounts of content to crawl. |
SharePoint allows administrators to adjust the amount of resources consumed by indexing operations by setting the Indexer Performance option to one of the following values:
When you set this option to a higher value, the indexing server allocates more threads to the crawl processes. This allows crawls to complete faster, but increases the load on the index server, the database server(s), and the web front-end server that handles crawl requests. |
Choose an appropriate Indexer Performance setting based on how your farm is used. In large environments that rely heavily on search, your environment should include a dedicated index server together with a dedicated web front-end server for search crawls, and a high-performance database server or servers. In this case, you can set the Indexer Performance setting to Maximum without adversely affecting normal user traffic. In smaller environments, the server that hosts the Index Server role may also host other application server roles or serve user requests. In these scenarios, you may want to set the Indexer Performance setting to Reduced or Partially Reduced to prevent the indexer from consuming too much network bandwidth or server resources. However, this configuration is not recommended for SharePoint deployments that need to index a large amount of content. You can use the Set-SPEnterpriseSearchService PowerShell cmdlet to change the Indexer Performance setting as follows: Set-SPEnterpriseSearchService -PerformanceLevel <performance level>, where <performance level> is either Reduced, PartlyReduced, or Maximum. |
SharePoint/MS | |
High | Review the PAGE_VERIFY setting for the databases on the SQL Server instance. |
When the PAGE_VERIFY database option is set to CHECKSUM, SQL Server identifies database pages that have been damaged as a result of power failure or failure in the storage subsystem at the time the page was being written to disk. Consider using CHECKSUM if you want to avoid data corruption and to have an early opportunity to detect storage issues. |
When CHECKSUM is enabled for the PAGE_VERIFY database option, SQL Server calculates a checksum over the contents of the entire page. When the page is written to disk, the checksum is stored in the page header. When the page is next read from disk, SQL Server again calculates the checksum and compares it to the stored value. This ensures greater data integrity than the TORN_PAGE_DETECTION option (available in versions prior to SQL Server 2005), which uses only the first two bits of each 512-byte sector as a comparison. TORN_PAGE_DETECTION is still available in SQL Server 2005 and later. |
To configure the PAGE_VERIFY setting to CHECKSUM, use the ALTER DATABASE SET Transact-SQL command: ALTER DATABASE <database_name> SET PAGE_VERIFY CHECKSUM |
Server SQL | |
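Added example, not part of the RAP report: it lists every database on the instance whose PAGE_VERIFY option is not CHECKSUM and generates the ALTER DATABASE statement from the report for each one, leaving execution as a separate reviewed step. It assumes Invoke-Sqlcmd and uses a placeholder instance name.

```powershell
# Added example, not part of the RAP report: audit PAGE_VERIFY across all
# databases and emit the corrective ALTER DATABASE statements.
function Get-PageVerifyFinding {
    [CmdletBinding()]
    param([string]$Instance = 'SQLSERVER01\SHAREPOINT')   # placeholder instance name
    $query = @"
SELECT name, page_verify_option_desc, state_desc
FROM sys.databases
WHERE page_verify_option_desc <> 'CHECKSUM'
ORDER BY name;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $query | ForEach-Object {
        # Escape ] inside the bracketed identifier, as QUOTENAME would
        $quoted = '[' + ($_.name -replace '\]', ']]') + ']'
        [pscustomobject]@{
            Database   = $_.name
            Current    = $_.page_verify_option_desc
            State      = $_.state_desc
            FixCommand = "ALTER DATABASE $quoted SET PAGE_VERIFY CHECKSUM;"
        }
    }
}

$findings = Get-PageVerifyFinding
$findings | Format-Table Database, Current, State -AutoSize
# Apply after review; a page only receives a checksum the next time it is written,
# so existing pages are covered progressively (or by an index rebuild):
# $findings | ForEach-Object { Invoke-Sqlcmd -ServerInstance 'SQLSERVER01\SHAREPOINT' -Query $_.FixCommand }
```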
High | Review the authentication method in use. |
Web sites exist that are not using Kerberos authentication. There are security and performance benefits to using Kerberos authentication. |
Typically, there are three main reasons to use the Kerberos protocol:
Kerberos authentication also requires less traffic between client and server than NTLM. Clients can authenticate with web servers in two request/responses, versus the typical three-leg handshake with NTLM. However, this improvement is typically not noticed on low-latency networks on a per-transaction basis, but can typically be noticed in overall system throughput. Remember that many environmental factors can affect authentication performance. Therefore, Kerberos authentication and NTLM should be performance-tested in your own environment before you determine whether one method performs better than the other. |
Conduct a careful review of the information presented in the Overview of Kerberos authentication for Microsoft SharePoint 2010 Products link in Learn More. |
SharePoint/MS | |
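Added example, not part of the RAP report: it measures which authentication package network logons (logon type 3) on a web front end actually use, from Security event 4624, so that a site believed to use Kerberos can be checked against what clients really negotiate; a high NTLM share is the fallback symptom the SPN finding above mentions. It assumes audit logon events are enabled and reads the event fields by name rather than position.

```powershell
# Added example, not part of the RAP report: break down network logons on this
# server by authentication package (Kerberos vs NTLM) from Security event 4624.
function Get-AuthPackageBreakdown {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name; positional indexes differ between OS versions
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['LogonType'] -eq '3') {
                [pscustomobject]@{
                    Package     = $data['AuthenticationPackageName']
                    LmPackage   = $data['LmPackageName']     # "-" for Kerberos, "NTLM V2" etc. for NTLM
                    User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Workstation = $data['WorkstationName']
                }
            }
        } |
        Group-Object Package, LmPackage |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Package'; e = { $_.Name } }, Count,
                      @{ n = 'SampleUsers'; e = { ($_.Group.User | Select-Object -Unique -First 5) -join ', ' } }
}

Get-AuthPackageBreakdown | Format-Table -AutoSize
```

Run it on each WFE behind the load balancer; NTLM logons from browsers that should be using Kerberos usually trace back to a missing HTTP SPN for the load-balanced host name or to a provider order in IIS that lists NTLM before Negotiate.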
High | Review the auto grow increment and instant file initialization setting for the databases on the SQL Server instance. |
In SQL Server, data files can be initialized instantaneously. This allows for fast execution of the data file operations. Instant file initialization reclaims used disk space without filling that space with zeros. Instead, disk content is overwritten as new data is written to the files. Log files cannot be initialized instantaneously. |
In a production environment, you can use autogrow as a contingency for unexpected growth, rather than as a method of day-to-day management of file or log growth. If you configure the autogrow setting to a large value, such as 1 GB, queries in which you open the transaction might fail because of a timeout error, due to the time required to grow the file. The same issue can result from an autogrow of the data portion of your database. The autogrow settings are configured on a per-file basis; you configure the setting for the primary data file and the primary log file. If you have multiple data or log files, you must configure the setting on each file. The Instant File Initialization (IFI) function was introduced with SQL Server 2005 and can only run on Windows Server 2003 or later, and the service account must be granted SE_MANAGE_VOLUME_NAME. IFI removes the need to overwrite existing data left on the disk from previously deleted files with zeroes when you create a new data file. This improves database performance for actions such as CREATE DATABASE, ALTER DATABASE, RESTORE, and AUTOGROW. You should be aware that “deleted” data is not overwritten with zeroes if you enable IFI, which may represent a small security risk. |
To configure the autogrowth increment to be less than 1 GB, use the following procedure in SQL Server Management Studio (SSMS):
To enable Instant File Initialization, use the following procedure: |
Server SQL | |
High | Review the auto grow increment for the transaction log files of databases on the SQL Server instance, as the next auto grow might be excessively large. |
When auto-growth is expanding the transaction log of a database, transactions that are trying to write to the log have to wait until the file growth is complete. If the growth increment is large, it takes longer to expand the file, resulting in longer transaction delays and possible transaction timeouts. | In a production environment, you can use auto-grow as a contingency for unexpected growth, rather than as a method of day-to-day management of file or log growth. If you configure the autogrowth increment to a large value, such as 1 GB, writes to the transaction log may fail because of a timeout error, due to the time required to grow the file. The auto-grow settings are configured on a per-file basis; you configure the setting for the primary data file and the primary log file. If you have multiple data or log files, you must configure the setting on each file. |
To change the autogrowth increments on transaction log files, use the following procedure in SQL Server Management Studio (SSMS):
The optimum value for the file growth increment will depend on the size and volatility of the filegroup. |
Server SQL | |
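Added example, not part of the RAP report, serving the three auto-growth findings above (fixed increment below 1 GB on data and log files, instant file initialization, and the next log auto-grow being excessively large): it lists files that grow by a percentage or by 1 GB or more, computes what the next growth would be, checks whether instant file initialization is enabled, and generates ALTER DATABASE ... MODIFY FILE statements with a fixed increment. It assumes Invoke-Sqlcmd, a placeholder instance name, a 256 MB target increment, and SQL Server 2016 SP1 or later for the instant_file_initialization_enabled column of sys.dm_server_services.

```powershell
# Added example, not part of the RAP report: audit auto-growth settings and
# instant file initialization, and emit fixes with a fixed increment.
function Get-AutogrowFinding {
    [CmdletBinding()]
    param(
        [string]$Instance = 'SQLSERVER01\SHAREPOINT',   # placeholder instance name
        [int]$TargetIncrementMB = 256                    # fixed increment below the 1 GB ceiling
    )
    # growth is a count of 8 KB pages unless is_percent_growth = 1, in which case it is a percentage
    $query = @"
SELECT DB_NAME(mf.database_id) AS database_name, mf.name AS logical_name, mf.type_desc,
       mf.size * 8 / 1024 AS size_mb, mf.is_percent_growth,
       CASE WHEN mf.is_percent_growth = 1 THEN mf.growth ELSE mf.growth * 8 / 1024 END AS growth_value
FROM sys.master_files AS mf
WHERE mf.growth <> 0
  AND (mf.is_percent_growth = 1 OR mf.growth * 8 / 1024 >= 1024)
ORDER BY database_name, mf.type_desc;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $query | ForEach-Object {
        $nextMB = if ($_.is_percent_growth) { [int]($_.size_mb * $_.growth_value / 100) } else { $_.growth_value }
        $reason = if ($_.is_percent_growth) { "$($_.growth_value)% growth" } else { "fixed growth of $($_.growth_value) MB" }
        [pscustomobject]@{
            Database     = $_.database_name
            File         = $_.logical_name
            Type         = $_.type_desc
            SizeMB       = $_.size_mb
            NextGrowthMB = $nextMB
            Reason       = $reason
            FixCommand   = "ALTER DATABASE [$($_.database_name)] MODIFY FILE (NAME = N'$($_.logical_name)', FILEGROWTH = ${TargetIncrementMB}MB);"
        }
    }
}

function Test-InstantFileInitialization {
    # Column exists on SQL Server 2016 SP1 and later (assumption); 'N' means the service account lacks SE_MANAGE_VOLUME_NAME
    param([string]$Instance = 'SQLSERVER01\SHAREPOINT')
    $q = "SELECT servicename, service_account, instant_file_initialization_enabled FROM sys.dm_server_services WHERE servicename LIKE 'SQL Server (%'"
    Invoke-Sqlcmd -ServerInstance $Instance -Query $q
}

$findings = Get-AutogrowFinding
$findings | Format-Table Database, File, Type, SizeMB, NextGrowthMB, Reason -AutoSize
Test-InstantFileInitialization | Format-Table -AutoSize
# Apply after review:
# $findings | ForEach-Object { Invoke-Sqlcmd -ServerInstance 'SQLSERVER01\SHAREPOINT' -Query $_.FixCommand }
```

NextGrowthMB is the figure the third finding is about: a 10% increment on a 50 GB log means the next growth is 5 GB, which cannot use instant file initialization and must be zeroed before the waiting transaction can continue.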
High | Review your Alternate Access Mapping configuration. |
If you use a load balancer to distribute requests between multiple web front end (WFE) servers, you must configure alternate access mappings with an appropriate load-balanced domain URL. Without this, the rendered content may include references to specific server names or IP addresses. This circumvents the load balancing and may cause unpredictable behavior for end users. |
Review your AAM configuration. Ensure that each zone includes an AAM with a load-balanced, domain-based public URL. |
SharePoint | |
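Added example, not part of the RAP report: it lists the alternate access mappings of every web application and zone and flags public URLs that point at an IP address, at one of the farm's own server names, or at a single-label host name, none of which is the load-balanced, domain-based URL the report asks for. It assumes the SharePoint Management Shell; the server-name list defaults to Get-SPServer but can be passed in.

```powershell
# Added example, not part of the RAP report: flag AAM public URLs that bypass
# the load balancer (IP address, farm server name, single-label host).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AamFinding {
    [CmdletBinding()]
    param(
        # Host names of the farm's own servers; a public URL naming one bypasses the load balancer
        [string[]]$ServerNames = (Get-SPServer | Select-Object -ExpandProperty Address)
    )
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($aam in Get-SPAlternateURL -WebApplication $wa) {
            $uri      = [uri]$aam.PublicUrl
            $hostName = $uri.Host
            $finding  = if ($uri.HostNameType -in 'IPv4', 'IPv6') { 'Public URL is an IP address' }
                        elseif ($ServerNames -contains $hostName) { 'Public URL is a farm server name' }
                        elseif ($hostName -notmatch '\.') { 'Public URL is a single-label host name' }
                        else { 'OK' }
            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Zone           = $aam.Zone
                IncomingUrl    = $aam.IncomingUrl
                PublicUrl      = $aam.PublicUrl
                Finding        = $finding
            }
        }
    }
}

Get-AamFinding | Sort-Object WebApplication, Zone | Format-Table -AutoSize
```

Central Administration is included deliberately: its AAM is usually the one still pointing at a single server name, which is acceptable only if it is never load balanced.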
High | Set IIS Web Site to require SSL |
SSL (Secure Socket Layer) is used to keep information sent across private networks and the Internet encrypted so that only the intended recipient can view it. This protects the information being sent from being viewed or modified by anyone except the server you are sending information to or receiving it from. |
SSL and TLS can be used to authenticate and secure data transfers by using certificate-based authentication and symmetric encryption keys. Both protocols provide authentication through the use of certificates and secure communication through a variety of possible cipher suites. The generic term cipher suite refers to a combination of protocols such as key exchange, bulk encryption, and message integrity. Because authentication relies on digital certificates, certification authorities (CAs) like Verisign are an important part of Secure Channel (Schannel). A CA is a mutually trusted third party that confirms the identity of a certificate requestor (usually a user or computer), and then issues the requestor a certificate. The certificate binds the requestor's identity to a public key. CAs also renew and revoke certificates as necessary. For example, if a client is presented with a server's certificate, the client computer might try to match the server's CA against the client's list of trusted CAs. If the issuing CA is trusted, the client will verify that the certificate is authentic and has not been tampered with. Microsoft Internet Explorer and Internet Information Services (IIS) make use of these protocols, and preferably TLS, for Secure Hypertext Transfer Protocol (HTTPS). The Schannel authentication protocol suite is based on public key cryptography. The Schannel suite includes Transport Layer Security (TLS), Secure Sockets Layer (SSL) version 3.0, SSL version 2.0, and Private Communications Transport (PCT). All Schannel protocols are based on a client/server model. An Schannel client sends a message to a server, and the server responds with the information needed to authenticate itself. The client and server perform an additional exchange of session keys, and the authentication dialogue ends. When authentication is completed, secure communication can begin between the server and the client using the secret keys established during the authentication process.
Schannel does not require server keys to be stored on domain controllers or in a database, such as Active Directory. Clients, however, must be able to confirm the validity of credentials with a trusted authority. Schannel validates the credentials with the root CAs' certificates, which are loaded when you install Windows Server. Therefore, users do not need to establish accounts before authenticating and creating a secure connection with a server. The TLS/SSL security protocol is layered between the application protocol layer and the TCP/IP layer, where it can secure and send application data to the transport layer. Because it works between the application layer and the transport layer, TLS/SSL can support multiple application layer protocols. TLS/SSL assumes that a connection-oriented transport, typically TCP, is in use. The protocol allows client/server applications to detect the following security risks:
In many cases SSL is synonymous with TLS and digital certificates. Microsoft recommends using TLS certificates instead of SSL certificates, as TLS is the successor to SSL. Also, SSL certificates are vulnerable to several different attacks. |
To perform the steps below, an SSL certificate must already be installed on the server. |
SharePoint | Must be checked. |
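Added example, not part of the RAP report: for each IIS site it reports whether an https binding exists and whether "Require SSL" (the sslFlags access setting) is set, and provides a -WhatIf-capable function that enables it with Set-WebConfigurationProperty. It assumes the WebAdministration module and, as the report notes, a certificate already bound to the site; the site name at the end is a placeholder.

```powershell
# Added example, not part of the RAP report: audit and enable "Require SSL"
# (sslFlags) on IIS sites, checking for an https binding first.
Import-Module WebAdministration

function Get-SiteSslFinding {
    [CmdletBinding()]
    param()
    foreach ($site in Get-Website) {
        $bindings = Get-WebBinding -Name $site.Name
        $hasHttps = [bool]($bindings | Where-Object { $_.protocol -eq 'https' })
        $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                     -Filter 'system.webServer/security/access' -Name sslFlags
        # The cmdlet may return the flags as a string or as an attribute object with .Value
        $flagText = if ($null -ne $flags.Value) { [string]$flags.Value } else { [string]$flags }
        $requiresSsl = $flagText -match '\bSsl\b'
        [pscustomobject]@{
            Site         = $site.Name
            HttpsBinding = $hasHttps
            SslFlags     = $flagText
            Finding      = if (-not $hasHttps) { 'No https binding: bind a certificate first' }
                           elseif (-not $requiresSsl) { 'SSL not required' }
                           else { 'OK' }
        }
    }
}

function Set-SiteRequireSsl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$SiteName)
    if ($PSCmdlet.ShouldProcess($SiteName, 'Require SSL')) {
        # 'Ssl' = require SSL; 'Ssl,SslNegotiateCert' would additionally accept client certificates
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
}

Get-SiteSslFinding | Format-Table -AutoSize
# Set-SiteRequireSsl -SiteName 'SharePoint - 443' -WhatIf   # placeholder site name
```

Requiring SSL on a SharePoint site also needs the https public URL present in the AAM for that zone, otherwise links rendered by SharePoint keep sending users to the now-rejected http URL.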
High | Set the SQL Server Max Degree of Parallelism (MaxDOP) setting to 1. |
One or more SQL Server instances that host SharePoint databases have the Maximum Degree of Parallelism (MaxDOP) option set to a value other than 1. As a result, you will be unable to create any new SharePoint databases on the instance. |
The “Max Degree of Parallelism” setting controls the number of processors used to execute a single statement. SharePoint 2013 requires the “Max Degree of Parallelism” setting to be set to 1. Note that, for non-SharePoint databases, it is common to set the Max Degree of Parallelism (MaxDOP) configuration option to the number of logical processors on the machine running SQL Server. In virtualized environments, the MaxDOP value should not exceed the number of virtual processors allocated to the virtual machine. |
Disclaimer: This solution is intended to correct only the problem that is described in this issue. Apply this solution only to databases that are experiencing this specific problem. We recommend that you test this in a lab environment before applying it in production environments. Backup: Note the existing value of the Max Degree of Parallelism setting and save it for roll-back, in case a problem occurs. Explanation of Changes: To modify the Max Degree of Parallelism setting to 1 for SharePoint, the best practice using SQL Server Management Studio is as follows.
Verify Steps: To view the current settings:
You will see the current Max Degree of Parallelism configuration within the Advanced Properties section. Confirm that it now states a value of 1. |
Server SQL |
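Added example, not part of the RAP report: it performs the report's backup, change and verify steps from PowerShell instead of SSMS, writing the value currently in use to a roll-back script before setting max degree of parallelism to 1 and reading the running value back. It assumes Invoke-Sqlcmd and sysadmin rights; the instance name and roll-back path are placeholders.

```powershell
# Added example, not part of the RAP report: save the current MaxDOP for
# roll-back, set it to 1 for a SharePoint instance and verify the running value.
function Set-SharePointMaxDop {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Instance = 'SQLSERVER01\SHAREPOINT',           # placeholder instance name
        [string]$RollbackFile = "$env:TEMP\maxdop-rollback.sql"   # placeholder path
    )
    $current = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT CAST(value AS int) AS configured, CAST(value_in_use AS int) AS running
FROM sys.configurations WHERE name = N'max degree of parallelism';
"@
    # Backup step from the report: a script that restores the value that was in use
    @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', $($current.running); RECONFIGURE;
"@ | Set-Content -Path $RollbackFile
    if ($current.running -eq 1) {
        return [pscustomobject]@{ Instance = $Instance; Before = 1; After = 1; Changed = $false; Rollback = $RollbackFile }
    }
    if ($PSCmdlet.ShouldProcess($Instance, "Set max degree of parallelism from $($current.running) to 1")) {
        Invoke-Sqlcmd -ServerInstance $Instance -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 1; RECONFIGURE;
"@
        # Verify step: value_in_use is what the engine is running with right now
        $after = Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT CAST(value_in_use AS int) AS running FROM sys.configurations WHERE name = N'max degree of parallelism';"
        [pscustomobject]@{ Instance = $Instance; Before = $current.running; After = $after.running; Changed = $true; Rollback = $RollbackFile }
    }
}

Set-SharePointMaxDop -WhatIf
```

MaxDOP is an instance-wide setting, so the roll-back matters when the same instance also hosts non-SharePoint databases that were tuned for parallel plans.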