...
Install SQL Management studio.
IIS options
Go to Server Manager → Manage → Add Roles and Features wizard → Check: Request Monitor & IIS 6 Metabase Compatibility
...
Legacy servers: Activate server role: Web Server (IIS).
...
Security settings for IIS
...
Same information from a Windows 2012 server, the feature installation confirmation window:
...
...
ASP.NET Core Applications
Follow the instructions below to host ASP.NET Core applications on Windows with IIS:
https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-7.0
Support for IIS6 metabase still needed
Installing applications to IIS requires components that are installed with IIS6 metabase. Enable and install the component.
...
...
Applications pool
Define the chosen application pool to run as "LocalSystem" to make it a privileged process with administrator access to databases and files. Alternatively, it may be defined using AppPoolIdentity.
...
Set the application pool to use 32-bit applications, since it references .NET Framework 4.5.x.
...
For version 4.2.3 and later
...
Disable 32-bit applications. Signifikant Server and the web application perform better when run in 64-bit application pools.
...
Activate the ASP.NET service and set it to start automatically. The service is needed to support user session data in a state server.
...
Start Server Manager.
Click Manage, and then click Add Roles and Features
On the Before You Begin page, click Next
On the Installation Type page, select Role-based or Feature-based Installation, and then click Next
On the Server Selection page, select the server or virtual hard disk on which to install Windows Search Service
On the Features page, select Windows Search Service, and then click Next
On the Confirmation page, verify that Windows Search Service is listed, and then click Install
...
Other Apps on Server
Info |
---|
Avoid installing apps on the server unless needed. When selecting apps, avoid apps which are not updated automatically. |
Non-updated apps may be security risks, and monthly patching schedules normally include only what is managed by Windows and selected other apps handled by infra teams.
Connectivity
Connectivity between the Manager Server and the Web Server(s) over HTTP(S), port 80/443, is required.
...
It is recommended to always organize folders according to the same structure. The proposal is to create a subfolder structure on the data disk. This is the proposed structure for the Manager server.
Code Block |
---|
D:/Signifikant
Backup
Data
<Site>
Imports
Export
ExportArchive
Import
Install |
This is the proposed structure for the Web server. Note the extra Remote folder under Data.
Code Block |
---|
D:/Signifikant
Backup
Data
Remote
<Site>
Imports
Export
ExportArchive
Import
Install |
...
Operational aspects not covered in guides. Procedures need to follow client’s standard operating procedures. Ensure the following is covered by client’s standard operating procedures.
Aspect | Content | Comments |
---|---|---|
Backup | Ensure to back up databases, file areas for content, and settings. | Ensure to set a time for backup which does not interfere with possible nightly imports or publish processes. |
Monitoring | Monitor SQL and IIS | Also consider using GetStatus. Technical documentation - Operational status of web viewer |
Antivirus | Ensure to configure antivirus | Possible exclusions only if a large number of files are changed at each publish, as this may hamper performance in some antivirus tools. |
Incident management | Ensure to prepare organisation for handling incidents and changes | |
Down time procedures | Ensure to prepare organisation for down time procedure | |
Clean up | Ensure to apply clean up scripts for automated imports and log files | |
Security
Tilde Short File/Folder Name Disclosure
If IIS accepts short filenames, a user may try to break security by testing different file names. Two actions are suggested for this issue.
...
Discard or filter all web requests that include a tilde "~" character. The most recommended prevention technique is to apply a filtering rule in the firewall for all ~ (tilde) characters and their Unicode-encoded equivalents sent in the URL path to the server. If such a rule cannot be applied, URL rewrite should be used instead.
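One way to check that the tilde filter is effective, as an added example that is not part of the original guide or of the product: a Python script that normalizes URL paths (plain, percent-encoded, double-encoded, `%uXXXX` and fullwidth forms) and counts, per client, the logged requests that still contain a tilde. The log lines, the `/viewer/SIGNIF~1` paths and the client addresses are constructed, and the script assumes the log records the URL as the client sent it.

```python
import re
import unicodedata
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in W3C extended log format (not real traffic).
# Assumption: the log records the URL exactly as the client sent it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 08:00:01 192.0.2.10 GET /viewer/default.aspx 200
2024-01-10 08:00:02 198.51.100.7 GET /viewer/SIGNIF~1/default.aspx 404
2024-01-10 08:00:03 198.51.100.7 GET /viewer/SIGNIF%7E1/default.aspx 404
2024-01-10 08:00:04 198.51.100.7 GET /viewer/SIGNIF%u007E1/default.aspx 400
2024-01-10 08:00:05 203.0.113.5 GET /viewer/SIGNIF%257E1/default.aspx 404
2024-01-10 08:00:06 203.0.113.5 GET /viewer/SIGNIF%EF%BD%9E1/default.aspx 404
"""

def normalize(url, max_rounds=3):
    """Undo %uXXXX and (possibly nested) percent-encoding, then fold
    compatibility characters such as the fullwidth tilde to ASCII."""
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), url)
        decoded = unquote(decoded)
        if decoded == url:
            break
        url = decoded
    return unicodedata.normalize("NFKC", url)

def has_tilde(url):
    """True if the URL contains a tilde in any of the handled encodings."""
    return "~" in normalize(url)

def tilde_requests(log_text):
    """Return {client_ip: count} for requests whose URL path has a tilde."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for data rows
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if has_tilde(row.get("cs-uri-stem", "")):
                hits[row.get("c-ip", "?")] += 1
    return dict(hits)

if __name__ == "__main__":
    print(tilde_requests(SAMPLE_LOG))
```

Any non-empty result from the web server's own log means such requests are still passing the firewall rule or the URL rewrite rule.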
...
Service account
Info |
---|
It is recommended to use a service account for IIS instead of LocalSystem. |