Gaining Configuration Control of Your essential Business Applications


Dec 4, 2013 (3 years and 8 months ago)


Solution Brief
Tracking down and repairing the improp-
erly or poorly configured settings that
cause these issues can be next to impossi-
ble when you consider how many settings
could be misconfigured in a single appli-
cation, much less multiple applications.
Fortunately, application vendors and
industry experts provide guidance based
on real world experience for configuring
applications to achieve a reliable, high-
performing, and secure state. By applying
these recommendations, and monitoring
for any change that deviates from them,
businesses can achieve and maintain con-
figuration control and fully benefit from
these important applications.
Tripwire helps IT gain control of their
business-critical applications with out-
of-the-box security, compliance, and
operational policies based on industry
expert recommendations. When IT runs a
configuration assessment against a known
internal or external standard, Tripwire
proactively identifies poorly configured
application settings and provides detailed
instructions to help fix any issues and
help IT operations get the application
configured into a known, trusted state.
When combined with Tripwire’s continuous
configuration auditing that detects any
change—desirable or not—IT can stay on
top of configurations to ensure that ser-
vice-affecting and unauthorized changes
Businesses rely on applications like Microsoft internet information Server (iiS)
and Microsoft exchange Server 2003 to support critical business functions such
as internal and external communication, e-commerce transactions, web site
and web services hosting, and many additional business services. When these
essential applications experience outages or perform poorly, business can
come to a standstill—web-based services become unavailable or slow, email
communication may be severed, revenue-generating e-commerce sites can be
disrupted, and customers become upset. these issues also impact the perception
of it’s value to the business as a whole.
“ensuring the consistent
availability of our website
and email is of the highest
priority because they are
our primary communication
channels to schools, students
and employees. that is why
we are employing tripwire to
help monitor these sys-
tems for unauthorized and
unintended changes, further
hardening our services, and
operationalizing our ability to
meet business demands.”
Chad Plemons
VP information technology
edfinancial Services
Gaining Configuration Control of
Your essential Business Applications
Solution Brief
are immediately detected, investigated,
and remediated.
MAnAGinG MiCroSoft
APPliCAtionS: A SinGle Point of
A workday without email is almost
unimaginable. Businesses rely so heavily on
applications such as Microsoft Exchange
that a disruption in service can put an
abrupt halt to business-critical transac-
tions and greatly reduce productivity.
And Microsoft Exchange is not just used
for email; employees use it every day to
schedule meetings and appointments,
maintain contact information, and collab-
orate with colleagues and customers. Any
IT organization focused on servicing its
business customers implicitly understands
the importance of ensuring 100 percent
availability and security of its email appli-
cation. Yet despite large investments in
replication, mirroring, and tape back up
systems, businesses have a 75 percent
chance of experiencing an email outage at
least once a year.
Many businesses also rely on Microsoft
Internet Information Services (IIS) Web
server to support vital services such as
e-commerce, customer support, and sup-
ply chain applications. In fact IIS is the
Web server of choice for Fortune 1000
But the benefits that make
using Web services so attractive—their
accessibility using standard protocols—also
creates security vulnerabilities if poorly
configured. Security issues, along with sub-
optimal performance and downtime are not
an option with these critical servers.
Unfortunately, both Exchange and IIS
are plagued by the same issues as other IT
systems—improper or sub-optimal configu-
rations, improper and unauthorized change,
and attacks. Administrators need powerful
configuration assessment and change
auditing to gain control of these business-
critical applications and have confidence
they can deliver the important business
services these applications support.
ControllinG ConfiGurAtionS for
SeCuritY And CoMPliAnCe
Tripwire ensures Microsoft Exchange and
IIS are configured to provide solid security
and comply with mandatory standards
such as those required by the Payment
Card Industry Data Security Standard
(PCI DSS) or developed by the Center for
Internet Security (CIS). Tripwire’s security
and compliance policies test application
configurations against these industry best
practices, alerting IT to improper configu-
ration settings, and providing detailed
information that allows IT to adjust set-
tings to achieve a secure, compliant state.
For example, the Microsoft IIS “HTTP
connection timeout” setting specifies
how many seconds the IIS server will wait
before closing a dormant connection.
The higher the number, the more vulner-
able the web server becomes to Denial of
Service attacks. To mitigate this risk, CIS
recommends a timeout threshold of 120
seconds. Tripwire tests to make sure this
setting is 120 seconds or less and quickly
detects if this configuration setting is
A second example is with the “Recipient
Limit” setting of Exchange. This setting
is used to control the maximum number
of recipients that can be specified in a
single email from the server. For security
purposes CIS recommends that the setting
for Recipient Limit not exceed 5000—a
number sufficiently large to accommodate
most organizations’ email needs, but not
so large as to encourage internal spam-
mers from sending messages to a large
“Tripwire deTecTs change
across your enTire ecosysTem,
including windows,microsofT
applicaTions (such as
exchange and iis), acTive
direcToryand sQl. iT
seamlessly inTegraTes inTo
any environmenT, bringing
immediaTe value To your
Solution Brief
number of recipients. This maximum num-
ber also represents a number of recipients
that Exchange can easily handle. Tripwire
tests to ensure the maximum number
of recipients per message is less than or
equal to 5000 and maintains this critical
IT configuration setting by detecting all
changes to it and alerting users of any
unauthorized changes to this setting.
And while conducting configuration
assessment and auditing for unauthorized
change, Tripwire generates proof of com-
pliance for audits—a huge timesaver and
convenience for compliance professionals.
oPtiMizinG ConfiGurAtionS for
HiGH PerforMAnCe And reliABilitY
Many organizations spend large sums of
money hiring consultants to help optimize
application configurations to get the
greatest performance and highest avail-
ability. Out of the box, Tripwire provides
operational policies for IIS and Exchange
servers with tests for settings recom-
mended by industry experts and validated
in demanding enterprise environments. By
combining these tests into a single opera-
tional policy, Tripwire offers businesses
a performance-tuning baseline that can
be customized according to the informa-
tion security policies of the individual
Consider, for example, the design of
the IIS platform. To help organizations
configure their Web services to meet their
specific security and performance require-
ments, IIS provides dozens of options and
settings. And although most well-designed
Web applications are built for scalability,
these applications often compete with
each other for IIS Web server resources
during periods of heavy usage. These
Web servers must be able to maintain
desired response times and throughput
even under periods of heavy load. Yet
they must also optimally use bandwidth
by massaging the connection limitations,
caching, and data compression settings.
Similarly, Microsoft Exchange offers
businesses numerous settings so they can
configure their email server to accommo-
date any security, performance, and
availability requirements the business
may have. Determining just the right set-
tings on either IIS or Exchange—or even
knowing where to start—can be a time-
consuming challenge.
In comparison to the CIS benchmarks
that assess for security, Tripwire’s opera-
tional policies assess configurations
through the lens of performance and
reliability. For example, Tripwire ensures
that CPU monitoring settings are enabled
ensuring Security And Performance in
Microsoft exchange And iiS
tripwire delivers a comprehensive set of configuration assessment
and auditing capabilities to ensure that Microsoft exchange and iiS
applications operate at peak performance and with the highest security.
• ASSeSSeS Microsoft iiS and exchange configurations against industry
best practices, internal “golden” standards and expert recommended
settings to increase security, performance and reliability.
• deliVerS an assessment scorecard, along with detailed information
to help get the application configuration into an optimal state—from a
security, compliance, and operations perspective.
• deteCtS unauthorized change through continuous auditing, and lets
it know who made the change so they can enforce a zero-tolerance
policy for circumventing established change and configuration
management processes.
• ProduCeS comprehensive, actionable reports and dashboards that
provide just the right level of detail—overview level for CiSos and
how-to-repair level for technicians.
• GenerAteS historical evidence of configurations for use in audits,
including any changes made and remediation activity.
Solution Brief
ABout triPWire
Tripwire helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase
operational efficiency throughout their virtual and physical environments. Using Tripwire’s industry-
leading configuration assessment and change auditing solutions, organizations successfully achieve and
maintain IT configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide.
© 2008 tripwire, inc. | tripwire is a registered trademark of tripwire, inc. All other product and company names are property of their respective owners. All rights reserved. | SBAMS3
correctly to prevent a single
application pool from monopolizing IIS
server resources and decreasing perfor-
mance. Tripwire then maintains that
setting with continuous change auditing.
In fact Tripwire’s operational policy for IIS
helps businesses achieve faster page loads,
reduce hardware costs and operating
expenses, and provide a consistent and
reliable online experience. And Tripwire’s
operational policy for Exchange likewise
lets organizations count on highly avail-
able, secure email, so employees can
produce results by communicating when
and as needed.
wiTh Tripwire enTerprise,
iT can ensure The
configuraTions of criTical
business applicaTions
achieve and mainTain
configuraTion conTrol.
features & Benefits for Business-Critical Applications
inCreASed PerforMAnCe
And reliABilitY
tripwire enterprise assesses and validates Microsoft iiS and exchange configura-
tions to ensure they are configured to optimize performance and reduce system
SeCure And CoMPliAnt
tripwire tests iiS and exchange configurations against industry recognized security
standards like those issued by the CiS (Center for internet Security) and the PCi dSS
(Payment Card industry data Security Standard). tripwire enterprise also provides
valuable compliance evidence for audits.
iMMediAte ViSiBilitY into
unAutHorized CHAnGe
Continuous change auditing, alerting, and notification, along with flexible, multi-
level reporting inform it of issues that impact performance, availability, security, and
compliance so they can quickly take corrective measures.
reduCed riSK, effort,
And CoSt
tripwire’s proactive assessment of iiS and exchange system settings eliminates
time-consuming and error-prone manual assessments and monitoring.
1 Why emails fail: Survey of Microsoft exchange
outages, Messageone, http://www.messageone.
2 Port80 Surveys the Top 1000 Corporations' Web
Servers. (
top1000webservers/) Port80 Software, July 2007.