Borderwave Software
-Securing and Configuring Advanced Defect Tracking Web Edition-


Introduction


Advanced Defect Tracking has two layers of security that you should be concerned with: the database engine (MSDE or SQL Server), and the configuration of Internet Information Services (IIS). This document recommends practices to make your deployment as secure as possible.

MSDE

If you installed MSDE with Advanced Defect Tracking rather than using an existing SQL Server, you were prompted to enter a password for the “sa” (System Administrator) account. It is very important that this is a “strong” password: we recommend mixing upper and lower case letters, digits and symbols. A good example of such a password is the following: R8ov^TnQ.

You can change your password for the “sa” account at any time by opening the Database Manager for Advanced Defect Tracking. Follow the steps below:

1) Choose Start, Programs, Advanced Defect Tracking, Database Manager.
2) From the menu select Database, Modify MSDE/SQL Password.
3) Enter the User ID and the old password of the account whose password you wish to modify.
4) Enter the new password, and the confirmation password in the box below it.
5) Click OK.
6) You will be asked whether you wish to modify the connection information for all databases. Choose Yes.

SQL Server

If you are using your own copy of SQL Server, the most secure configuration is Windows Authentication. (If you have a heterogeneous environment that prevents this, then follow the steps above for securing MSDE using SQL Authentication.) Windows Authentication lets you use your existing domain accounts to limit access to the SQL databases. It is also more secure because the password itself is never sent to SQL Server; the user is authenticated by the Windows domain.

To add a database that uses Windows Authentication:

1) Choose Start, Programs, Advanced Defect Tracking, Database Manager.
2) From the menu select Database, New.
3) In the connection dialog box, click OK. (The connection dialog defaults to Windows Authentication.)
4) Choose a name for your database, and the path for the .mdf and .ldf files.
5) Click OK.
6) The database will be created and will use Windows Authentication by default.
7) At this point you may wish to configure security for the database you have just added using Enterprise Manager.

To modify a database so it uses Windows Authentication:

1) Choose Start, Programs, Advanced Defect Tracking, Database Manager.
2) Select the database whose connection information you wish to modify.
3) Select Database, Properties.
4) Uncheck the option to use SQL Authentication.
5) Click OK.
6) The database will now use Windows Authentication.
7) At this point you may wish to configure security for the database you have just modified using Enterprise Manager.

For more information on how to secure your SQL server using Windows Authentication see SQL Server Books Online.
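The two connection styles described above, as an added example that is not part of Borderwave's documentation or product. The instance name SERVER\ADT, the database name ADTWeb and the domain group DOMAIN\ADTWebUsers are assumptions, and `<sa-password>` is a placeholder. The second function performs the "configure security in Enterprise Manager" step as T-SQL, using the SQL Server 2000-era stored procedures that Books Online documents (CREATE LOGIN / CREATE USER are the modern equivalents):

```powershell
# Added example, not Borderwave's code. Instance, database and group names are
# assumptions; <sa-password> is a placeholder, never a real value.

# SQL Authentication: the sa password is part of the connection string and is
# stored wherever that string is kept, so it must be strong and guarded.
$sqlAuthConnection = 'Server=SERVER\ADT;Database=ADTWeb;User ID=sa;Password=<sa-password>;'

# Windows Authentication: no password in the string. Integrated Security=SSPI
# is the connection-string equivalent of unchecking "use SQL Authentication".
$winAuthConnection = 'Server=SERVER\ADT;Database=ADTWeb;Integrated Security=SSPI;'

function Test-SqlConnection {
    # Opens the connection and reports which login SQL Server actually
    # authenticated, so a Windows login shows as DOMAIN\user rather than sa.
    param([Parameter(Mandatory)][string]$ConnectionString)
    $connection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = 'SELECT SUSER_SNAME()'
        [pscustomobject]@{ Connected = $true; Login = $command.ExecuteScalar(); Error = $null }
    } catch {
        [pscustomobject]@{ Connected = $false; Login = $null; Error = $_.Exception.Message }
    } finally {
        $connection.Dispose()
    }
}

function Grant-AdtDatabaseAccess {
    # Gives a domain group a server login, a user in the ADTWeb database and
    # only the data roles, so the application never has to run as sa.
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [string]$WindowsGroup = 'DOMAIN\ADTWebUsers'   # assumed group name
    )
    $group = $WindowsGroup.Replace("'", "''")            # escape for the T-SQL literal
    $connection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = @"
EXEC sp_grantlogin N'$group';
EXEC sp_grantdbaccess N'$group';
EXEC sp_addrolemember N'db_datareader', N'$group';
EXEC sp_addrolemember N'db_datawriter', N'$group';
"@
        [void]$command.ExecuteNonQuery()
    } finally {
        $connection.Dispose()
    }
}

# Confirm the Windows Authentication path works before changing the database properties.
Test-SqlConnection -ConnectionString $winAuthConnection
```

Run the test against the Windows Authentication string first; if `Login` comes back as a domain account the switch is safe, and the SQL Authentication string (and the sa password it carries) can then be retired from the configuration.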

Internet Information Server (IIS)

How you configure IIS depends on your company’s needs. We do have a few recommended steps that you can follow to make your application as secure as possible.

  • See the following link for a brief security FAQ regarding IIS:
    http://www.microsoft.com/windows.netserver/community/centers/iis/iis_security_faq.asp.
  • Apply the latest service pack for Windows, and install any hotfixes released since that service pack.
  • Your IUSR_MACHINENAME account is the account IIS uses for anonymous users. If your computer name is SERVER, for example, your IUSR account will be IUSR_SERVER. If you allow anonymous access to your web server, ensure that the IUSR account does not have privileged access (such as Full Control) to wwwroot and all folders below it. (Caution: carefully document all permission changes, as changing these permissions could break other applications. Also keep in mind that the IUSR account still needs permissions on other directories, such as the operating system directory and the directories where IIS has installed the .dlls it may need to execute.)
  • If you do not need anonymous access to your web server, disable anonymous authentication for your entire web site. (You can also disable anonymous authentication for ADTWeb alone.) If all of your web clients will be Internet Explorer clients, you can go one step further by enabling only Windows Authentication; this is better than Basic Authentication, which sends the password across the network in a form that is trivially decoded, whereas Windows Authentication never transmits the password itself.
  • Remove all virtual directories and scripts that you do not need.
  • Check your ADTWeb virtual directory in IIS to confirm that only Read, Log Visits and Index this resource are checked. Execute Permissions should be set to Scripts Only.
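An audit of the two settings above (IUSR privileges under wwwroot, and the ADTWeb virtual directory's authentication and execute permissions), as an added example that is not part of Borderwave's documentation. The wwwroot path and the IIS:\Sites\Default Web Site\ADTWeb path are assumptions. The ACL check works on any Windows version; the virtual-directory check assumes IIS 7 or later with the WebAdministration module, where the MMC settings the document describes are stored as configuration attributes:

```powershell
# Added example, not Borderwave's code. Paths are assumptions; the IIS part
# assumes the WebAdministration module (IIS 7 or later).

$webRoot = 'C:\Inetpub\wwwroot'
# Matches IUSR_<MACHINENAME> on IIS 5/6 and the built-in IUSR account on IIS 7+.
$iusrPattern = 'IUSR'

function Find-IusrOverPrivilege {
    # Lists every folder under wwwroot where the anonymous account is allowed
    # anything beyond reading. Read access is expected and is not reported.
    param([string]$Path = $webRoot)
    $rights = [System.Security.AccessControl.FileSystemRights]
    $risky  = [int]$rights::Write -bor [int]$rights::Modify -bor [int]$rights::FullControl
    $folders = @(Get-Item $Path) + @(Get-ChildItem $Path -Directory -Recurse)
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl $folder.FullName).Access) {
            if ($ace.IdentityReference.Value -match $iusrPattern -and
                $ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.FileSystemRights -band $risky) -ne 0)) {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

function Get-AdtWebAccessSettings {
    # Reads the ADTWeb virtual directory's authentication and access settings.
    param([string]$VirtualDirectory = 'IIS:\Sites\Default Web Site\ADTWeb')
    Import-Module WebAdministration
    $anon     = Get-WebConfiguration -PSPath $VirtualDirectory -Filter 'system.webServer/security/authentication/anonymousAuthentication'
    $windows  = Get-WebConfiguration -PSPath $VirtualDirectory -Filter 'system.webServer/security/authentication/windowsAuthentication'
    $handlers = Get-WebConfiguration -PSPath $VirtualDirectory -Filter 'system.webServer/handlers'
    # "Execute Permissions: Scripts Only" in the IIS 5/6 MMC corresponds to an
    # accessPolicy of "Read, Script" here; Execute or Write is more than ADTWeb needs.
    [pscustomobject]@{
        AnonymousEnabled   = $anon.enabled
        WindowsAuthEnabled = $windows.enabled
        AccessPolicy       = $handlers.accessPolicy
        ScriptsOnly        = ($handlers.accessPolicy -notmatch 'Execute|Write')
    }
}

Find-IusrOverPrivilege | Format-Table -AutoSize
Get-AdtWebAccessSettings
```

An empty result from `Find-IusrOverPrivilege` means the anonymous account can only read under wwwroot; any row it prints is a folder to review before deciding whether the extra right is needed. `ScriptsOnly` should be `True`, and `AnonymousEnabled` should be `False` on sites that follow the "disable anonymous authentication" recommendation.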
