How to remove unnecessary handler mappings from a SharePoint 2010 web application for security purposes

This article explains how to restrict or remove unnecessary handler mappings for a Microsoft SharePoint Foundation web application in the integrated request pipeline of Internet Information Services (IIS).

As you know, SharePoint modifies the IIS request pipeline. For more information about why SharePoint modifies the pipeline, please read this topic:
http://msdn.microsoft.com/en-us/library/ee537834.aspx

For a web application in general, the pipeline can be modified at the following levels:

  • Pipeline Changes at the ASP.NET Framework Level: SharePoint does not change anything at this level, which means SharePoint makes no changes to the machine.config file or the global web.config file.
  • Pipeline Changes at the IIS Configuration Level: modifications to the applicationhost.config file. This file is located in the %WinDir%\System32\inetsrv\config\ directory and it contains registrations of the IIS Web sites and application pools on the server, as well as some settings that apply to all Web applications on the Web server. The settings in applicationhost.config are primarily oriented to the parts of the pipeline that are contributed by IIS, whereas the machine.config and the global web.config files contain settings that are primarily oriented to the parts of the integrated request pipeline that are contributed by ASP.NET.
  • Pipeline Changes at the SharePoint Web Application Level: modifications to web.config files.
  • Pipeline Changes at the Directory Level: modifications at the directory level, still using web.config files. Particular physical or virtual directories in an IIS Web site can also have their own web.config file to add new settings or override inherited settings. The new settings and overrides, of course, apply only to HTTP requests for resources located within the directory and its subdirectories.

Important! This article is scoped to “Pipeline Changes at the IIS Configuration Level”, so take a backup of your applicationhost.config file before doing anything in %WinDir%\System32\inetsrv\config\.

The configuration below is for a standard SharePoint web application, so if you have custom code that needs extra handlers, add the needed handlers to the list.

To remove handler mappings:

1) Open your IIS console.
2) Select your SharePoint web application.
3) Click Handler Mappings.

Then remove the unnecessary handler mappings by selecting them and clicking the Remove button in the IIS console.

The handlers in the picture below are the needed ones, so don’t delete them.

In other words, SharePoint does not use any .NET Framework 4.0 components, nor the other default IIS ISAPI extensions.
Always test that your site is working correctly afterwards. Use these starting points for testing:

  • Test Pages
  • Test System Pages
  • Test File Upload
  • Test Search
  • Test SharePoint Designer Connection
  • Add your custom test items.
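The same audit can be scripted with the WebAdministration module instead of clicking through the console. The script below is an added example, not code from the original post: it backs up applicationHost.config, lists every handler mapping effective for the site that is not on an allow-list, and only deletes them when run with -Remove. The IIS site name and the allow-list contents are assumptions; fill the allow-list from the Handler Mappings view of a working site (the screenshot in the article).

```powershell
# Added example (not from the original post): audit the handler mappings of a
# SharePoint web application and back up applicationHost.config first.
param([switch]$Remove)   # without -Remove the script only reports and deletes nothing

Import-Module WebAdministration

$siteName = "SharePoint - 80"            # assumption: IIS site name of the web application
$sitePath = "IIS:\Sites\$siteName"
$neededHandlers = @("StaticFile")        # placeholder allow-list: extend it with the handlers
                                         # shown as needed in the article's screenshot

# Back up applicationHost.config before touching anything, as the article advises
$configDir = Join-Path $env:WinDir "System32\inetsrv\config"
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
Copy-Item (Join-Path $configDir "applicationHost.config") `
          (Join-Path $configDir "applicationHost.config.$stamp.bak")

# Every handler effective for the site (inherited ones included) that is not on the allow-list
$surplus = @(Get-WebHandler -PSPath $sitePath | Where-Object { $neededHandlers -notcontains $_.Name })
$surplus | Select-Object Name, Path, Verb, Modules, ScriptProcessor | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $surplus) {
        # Writes a <remove> for this handler into the site's <location> element of
        # applicationHost.config, the same change the Remove button in the IIS console makes
        Remove-WebHandler -Name $h.Name -PSPath $sitePath
    }
    "Removed $($surplus.Count) handler mapping(s); run through the test list above before going live"
}
```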

See you in the next articles.


SharePoint 2010 – Delete all users’ personal sites via PowerShell

#PowerShell Script - Delete All Users' Personal Sites - SharePoint 2010
#The script is distributed "as-is." Use it at your own risk. The author gives no warranties, guarantees or conditions.

#Add SharePoint PowerShell SnapIn if not already added
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")

#My Site host URL: the site collection that owns the personal sites (adjust to your farm)
$mysiteHostUrl = "http://my"
$mysite = Get-SPSite $mysiteHostUrl
$context = [Microsoft.Office.Server.ServerContext]::GetContext($mysite)

$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

#Enumerate every user profile in the User Profile Service Application
$AllProfiles = $upm.GetEnumerator()

#$userProfile is used instead of $profile, which PowerShell reserves for the profile script path
foreach($userProfile in $AllProfiles)
{
   $DisplayName = $userProfile.DisplayName
   $AccountName = $userProfile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value

   #Only profiles that actually own a personal site have something to delete
   if($userProfile.PersonalSite -ne $Null)
   {
       $userProfile.PersonalSite.Delete()
       Write-Host "$AccountName personal site deleted successfully"
   }
}
$mysite.Dispose()

Move a SharePoint 2010 server to another domain

If you ever need to move your SharePoint server to another domain, you should know that this is not an easy process. In this article I describe a way of doing the migration using domain trusts.

  1. Upgrade the current farm to the latest SP (Service Pack 1) and the latest CU.
    SharePoint SP1 and June CU information
    http://blogs.msdn.com/b/joerg_sinemus/archive/2011/06/29/sharepoint-2010-sp1-and-post-sp1-june-2011-cu.aspx
    http://blog.bugrapostaci.com/2011/06/29/sharepoint-2010-service-pack-1-sp1-and-june-2011-cu-released/
  2. Establish a two-way domain trust between Domain A (old) and Domain B.
    http://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc816837(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc816590(WS.10).aspx
  3. Set up and install a new SharePoint server on Domain B and upgrade this server to the latest SP and latest CU.
    Prepare to deploy software updates (SharePoint Server 2010)
    http://technet.microsoft.com/hi-in/library/ff806331(en-us).aspx
  4. Join the new server to the farm using the configuration wizard.
  5. Migrate all roles and service applications to the new server and stop the services on the Domain A server.
    Server and Site Architecture
    http://msdn.microsoft.com/en-us/library/ms473633.aspx
    Service Applications and Topologies in SharePoint Server 2010
    http://technet.microsoft.com/en-us/sharepoint/ff686757
  6. Update all service accounts and the farm admin account with users from the new domain.
    Initial deployment administrative and service accounts
    http://technet.microsoft.com/en-us/library/ee662513.aspx
    http://blogs.msdn.com/b/russmax/archive/2010/01/08/changing-sharepoint-2010-service-accounts.aspx
  7. Migrate all other needed users and groups using stsadm.
    http://technet.microsoft.com/en-us/sharepoint/ee517214
    Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
    On the Start menu, click All Programs.
    Click Microsoft SharePoint 2010 Products.
    Click SharePoint 2010 Management Shell.
    From the Windows PowerShell command prompt, type the following:
    $w = Get-SPWebApplication "http://<server>/"
    $w.MigrateUsers($True)
  8. If needed, equalize all custom solutions and web.config files, and run a complete test of your custom solutions.
    http://technet.microsoft.com/en-us/library/cc262995.aspx
  9. Stop all services on the Domain A SharePoint servers and test all your applications for any problems (broken links, content redirections, possible errors).
  10. If everything is OK at step 9, disconnect the old servers (Domain A servers) from the farm.
  11. Stop all SharePoint servers on Domain B.
  12. Stop SQL Server and change the domain of the SQL Server.
  13. Start the SQL Server services.
  14. Start the SharePoint servers.
  15. Remove the domain trusts.

I hope this helps 🙂

How to enable the Query Latency Trend report for SharePoint 2010

SharePoint Server 2010 contains built-in search administration reports. You can find them via
Central Administration -> Administrative Report Library -> Search Administration reports.

One of the reports that is very useful is the Query Latency Trend chart. This does not work out of the box because verbose query monitoring is disabled.

To enable the Query Latency Trend report, you must run the following Windows PowerShell cmdlets:

$app = Get-SPEnterpriseSearchServiceApplication "<application name>"
Set-SPEnterpriseSearchServiceApplication -Identity $app -VerboseQueryMonitoring "True"
$app = Get-SPEnterpriseSearchServiceApplication "<application name>"
$app.Update()

Example:

$sar = Get-SPEnterpriseSearchServiceApplication
$sar.VerboseQueryMonitoring = $true
$sar.Update()
Resource:
http://technet.microsoft.com/en-us/library/ee808861.aspx

Access Violation error in SharePoint 2010 OOB components

If you are facing Access Violation errors on a newly upgraded SharePoint 2010 server in common components such as the calendar view, document lists, etc., occurring randomly and at non-deterministic times, you may be interested in this article.

Here is a sample error in ULS log:
System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.    at Microsoft.SharePoint.WebControls.SPCalendarTabs.CreateChildControls()     at System.Web.UI.Control.EnsureChildControls()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.Web.UI.Control.PreRenderRecursiveInternal()     at System.W…       a45ffc85-760b-4b92-8dc9-6d6a8d3e16f9

and Event log:
Event code :3005
Exception type: AccessViolationException
Exception message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Cause:
This problem occurs because the values of the GC pointers are incorrect.

Solution:
There is a hotfix published by Microsoft for the .NET Framework:
FIX: An access violation occurs when you pass structs as parameters through remoting or reflection in 64-bit applications in the .NET Framework 3.5 SP1 or the .NET Framework 2.0 SP2
http://support.microsoft.com/kb/974168/en-us

Before applying the hotfix, please check your installed .NET Framework versions.
You must have .NET Framework 3.5 SP1 or .NET Framework 2.0 SP2 installed to apply this hotfix.

Check this article to determine which versions and service pack levels of the Microsoft .NET Framework are installed:
http://msdn.microsoft.com/en-us/kb/kbarticle.aspx?id=318785
You don’t have to restart the computer after you apply the hotfix if no affected .NET Framework instance is in use.
Apply this hotfix to your SharePoint WFE and application servers one by one. After patching, you should run an iisreset.
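The version check from the linked article can be scripted so that it is run on every WFE and application server before the hotfix is applied. The following is an added example, not from the original post: it reads the registry keys that KB 318785 documents for .NET 2.0 and 3.5 and reports whether the prerequisite for the KB 974168 hotfix (2.0 SP2 or 3.5 SP1) is met.

```powershell
# Added example (not from the original post): check the .NET Framework 2.0/3.5
# install state and service pack level from the registry before patching.
$ndp = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP"

function Get-NetFxInfo {
    param([string]$Key)
    $path = Join-Path $ndp $Key
    if (-not (Test-Path $path)) { return $null }   # that framework version is not installed
    $p = Get-ItemProperty $path
    # Install = 1 means installed; SP holds the service pack level; Version the full build
    New-Object PSObject -Property @{
        Key       = $Key
        Installed = ($p.Install -eq 1)
        Version   = $p.Version
        SP        = $p.SP
    }
}

$fx20 = Get-NetFxInfo "v2.0.50727"
$fx35 = Get-NetFxInfo "v3.5"
$fx20, $fx35 | Where-Object { $_ } | Format-Table Key, Installed, Version, SP -AutoSize

# KB 974168 applies to .NET Framework 2.0 SP2 or 3.5 SP1 (3.5 SP1 also updates the 2.0 runtime)
$eligible = ($fx20 -and $fx20.Installed -and $fx20.SP -ge 2) -or
            ($fx35 -and $fx35.Installed -and $fx35.SP -ge 1)

if ($eligible) {
    "Prerequisite met on $env:COMPUTERNAME: .NET Framework 2.0 SP2 or 3.5 SP1 is installed"
} else {
    "Prerequisite NOT met on $env:COMPUTERNAME: install .NET Framework 3.5 SP1 before applying the hotfix"
}
```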

End of article.

Recursive Triggers on SQL Server and User Profile Service Problem

Recently Microsoft published a “FAST PUBLISH” article about the User Profile Service Application failing to start together with the FIM Synchronization Service. As defined in the KB, the problem is caused by the ‘Recursive Triggers Enabled’ property for the Model database being set to ‘True’ in the SQL instance. The error in your application log looks like this:

The server encountered an unexpected error and stopped.
ERR: MMS(6016): sql.cpp(5580): Query (update [mms_run_history] set [is_run_complete] = 1,[run_result] = N'stopped-server',[end_date] = <Date & Time> where ([is_run_complete] = 0)) performed with error
ERR: MMS(6016): sql.cpp(5633): Maximum stored procedure, function, trigger, or view nesting level exceeded (limit 32).
….

What is a recursive trigger?
A recursive trigger is a trigger that is fired again by other triggers, or by the objects it interacts with, so that the trigger executes recursively.

SQL Server also allows for recursive invocation of triggers when the RECURSIVE_TRIGGERS setting is enabled using ALTER DATABASE.

Recursive triggers enable the following types of recursion to occur:

  • Indirect recursion
    With indirect recursion, an application updates table T1. This fires trigger TR1, updating table T2. In this scenario, trigger T2 then fires and updates table T1.
  • Direct recursion
    With direct recursion, the application updates table T1. This fires trigger TR1, updating table T1. Because table T1 was updated, trigger TR1 fires again, and so on.

The following example uses both indirect and direct trigger recursion. Assume that two update triggers, TR1 and TR2, are defined on table T1. Trigger TR1 updates table T1 recursively. An UPDATE statement executes each of TR1 and TR2 one time. Additionally, the execution of TR1 triggers the execution of TR1 (recursively) and TR2. The inserted and deleted tables for a specific trigger contain rows that correspond only to the UPDATE statement that invoked the trigger.

Note: The previous behavior occurs only if the RECURSIVE_TRIGGERS setting is enabled by using ALTER DATABASE. There is no defined order in which multiple triggers defined for a specific event are executed. Each trigger should be self-contained.

Disabling the RECURSIVE_TRIGGERS setting only prevents direct recursions. To disable indirect recursion also, set the nested triggers server option to 0 by using sp_configure.

If any one of the triggers performs a ROLLBACK TRANSACTION, regardless of the nesting level, no more triggers are executed.

How to change the “Recursive Triggers Enabled” property to false?

From the SQL Server Management Studio, expand ‘System Databases’ > Right-click ‘Model’ | Properties | Options | under Miscellaneous section, set ‘Recursive Triggers Enabled’ property to ‘False’.

Or:

The recursive trigger setting works at the database level. To check the status of the recursive setting, use this command:

 EXEC sp_dboption '<name of db>', 'recursive triggers'

To enable recursive triggers:

 EXEC sp_dboption '<name of db>', 'recursive triggers', 'true' 

To disable recursive triggers:

 EXEC sp_dboption '<name of db>', 'recursive triggers', 'false' 

For our scenario, use it like this:

EXEC sp_dboption 'Model', 'recursive triggers', 'false' 
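To verify the setting on every database of the instance (the nesting-level error can come from any of them) and the server-wide option that governs indirect recursion, the check and the fix can be run from PowerShell. This is an added example, not from the KB or the post; it uses ALTER DATABASE, the documented replacement for sp_dboption, and the instance name is an assumption. Changing model requires sysadmin rights.

```powershell
# Added example (not from the original post): report the recursive-trigger state of
# all databases and the 'nested triggers' server option, then turn RECURSIVE_TRIGGERS
# off on model so that databases created afterwards inherit the setting.
$instance = "POSTSQL"                     # assumption: the SQL Server instance of the farm
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$instance;Database=master;Integrated Security=SSPI")
$conn.Open()

function Invoke-Query([string]$sql) {
    # Runs a query on the shared connection and returns the rows as a DataTable
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    $reader = $cmd.ExecuteReader()
    $table = New-Object System.Data.DataTable
    $table.Load($reader)
    $reader.Close()                       # the reader must be closed before the next command
    return ,$table
}

# Per-database flag: the same setting sp_dboption 'recursive triggers' reports
Invoke-Query "SELECT name, is_recursive_triggers_on FROM sys.databases ORDER BY name" |
    Format-Table name, is_recursive_triggers_on -AutoSize

# Server-wide option (sp_configure 'nested triggers'); 0 also blocks indirect recursion
Invoke-Query "SELECT name, value_in_use FROM sys.configurations WHERE name = 'nested triggers'" |
    Format-Table name, value_in_use -AutoSize

# Disable direct recursion on model, equivalent to the sp_dboption call in the article
$cmd = $conn.CreateCommand()
$cmd.CommandText = "ALTER DATABASE [model] SET RECURSIVE_TRIGGERS OFF"
[void]$cmd.ExecuteNonQuery()
$conn.Close()
```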

Resources:
http://msdn.microsoft.com/en-us/library/ms189799.aspx
http://support.microsoft.com/kb/2579951


How to rename the SharePoint database server

In some cases the User Profile Service stays in “starting” mode and, not having started after a while, goes to “stopped”. One cause of this situation is that the SharePoint server name uses an IP address instead of the NetBIOS name. You can check this from Central Administration -> Servers in Farm.

How can we change the IP address of the SQL server to the NetBIOS name? The answer is simple: use stsadm.
Run the following command to rename the server from the IP address to the NetBIOS name:

Stsadm -o renameserver -oldservername <ipaddress> -newservername <netbios name of the sql server>

Example: Stsadm -o renameserver -oldservername 192.168.10.2 -newservername POSTSQL

Now you can try starting the User Profile Synchronization Service. It should start successfully, unless there is some other User Profile Sync Service related issue.
