We understood that the problem was not with the mssql.domain_name link but the virus alert only happened after click on ASP .NET Enterprise Manager, Recomended this site. And the link was:

www.referralplanet.com/referral/windows/referralWindow.asp?id=17

Since the site was not hosted with us we had a sigh of relief that the problem is not with the server however we thought we still have a security problem if the link has been injected into ASP .NET Manager site in IIS, may be due to a security issue with Plesk control panel. And after checking several servers we came to know that the problem has happened to the site that is recommended on MSSQL Webadmin site and not the server.

If you want to remove this link from your server as well as from the MSSQL WebAdmin site then follow the steps below:

1. Login into the server through RDP with Administrator user.
2. Go to D:\inetpub\vhosts\sqladmin\mssql\app
3. Open the navbar.aspx page in notepad
4. Go to line number 119 and remove the code below:

<!-- Begin ReferralPlanet.com Referral Script -->
<a onclick="refWindow=window.open('http:// www.referralplanet.com/referral/windows/referralwindow.asp?id=18','referralWindow' ,'width=350,height=520,scrollbars=yes,menubar=no,resizable=yes'); refWindow.focus(); return false;" target=_blank href="http:// www.referralplanet.com/referral/windows/referralWindow.asp?id=17">
<IMG alt="Click Here To Tell A Friend" src="images/tellafriend.gif" border=0></A>
<!-- Begin ReferralPlanet.com Referral Script -->

5. Save the file and exit.

This problem must have infected millions of computer in the world. Let see when chinese hacker stop putting their shit on other’s website and get mature.

While I was searching for the solution I found the KB articel on Parallels sites below:

http://kb.parallels.com/en/1147

Where they (Plesk adminstrators) have clearly mentioned that custom permissions set on top level folder like httpdocs, statistics, cgi-bin etc will get reset by Plesk. So I decided to make a test, I manually gave write permissions to httpdocs folder and ran webservmng.exe on it and yes it was removed. Then after allot digging I would that there us a file .Security which is saved under the folder with the domain name (parallel to httpdocs folder), that stores all permissions for that domain.

Before we start please be informed that these steps are applicable to Parallel Plesk version 8.4 and above as .Security file was introduced in 8.4 only.

So here are steps to get around the problem permanently:

1. Backup the .Security file and delete it from [drive]:inetpub/vhosts/domain_name, this file saves all the permissions assigned to that user from Plesk on Windows. Deleting it will remove all the records.

2. After renaming or deleting the . Security file, run this command below:

"%plesk_bin%/websrvmng.exe" --reconfigure-vhost --vhost-name=domain_name

3. This command will create a new .Security file with all default permissions on that domain.

4. Now login into Plesk >> Click on Domains >> domain_name >> File Manager >> httpdocs >> golden padlock of folder_name to set perm on >> “Advance” Button >> Select users >> Assign permissions >> OK.

These steps will save new permissions in .Security file and even if you run websrvmng on that domain again, the new permissions that has been set from Plesk will not get removed. There is no need to add any special group or users like, ASPNET or NETWORK SERVICE to any folder as those permissions are handled by IUSR_ & IWAM_/IWPD_ users.

Any permissions that has been assigned directly to httpdocs folder will get reset by Plesk and if you inherit them to sub folder, permissions from sub folder will also get removed.

So the moral is, DO NOT give any permissions from RDP, use File Manager option if you want to keep the trouble of permissions away.

It would not be the case now as I have listed detailed steps along with the images on how to block IP using the IP security policy in Windows. This option is also available in XP as well as Windows 2003 Server edition.

How to BLock IP Using Windows:

You can either open MMC from START >> RUN >> MMC and add a new Snapin for IP Security policy with steps below:

Click ‘Start’ > ‘Run’ >type ‘MMC’ press ok.
In the console click > ‘File’ > ‘Add/Remove Snap in’
In the ‘Standalone Tab’ click The ‘add’ button
Seclect ‘IP Security Policy Managment’ > ‘ADD’ > ‘Local Computer’ > ‘finish’ > ‘close’ > ‘ok’
You should now be back to the Management console.

OR

Just goto START >> PROGRAMS >> ADMINISTRATIVE TOOLS >> LOCAL SECURITY POLICIES ON LOCAL COMPUTER to open the IP Security Management Console.

1. Select IP Security Policy and Right Click on the right pane to select new Policy. The screen will like an image below:

Figure 1

2. This will open the IP Security Policy Wizard, Just click on Next button.

Figure 2

3. On the Next screen you have to define the name of your IP Security policy and its description and then click Next Button.

Figure 3

4. Plesk uncheck the box for “Activate the default Response Rule” and then click Next Button..

Figure 4

5. On the Next screen remove the check for Edit Properties and Click Finish.

Figure 5

6. Once you click on the Finish Button you will see the screen below along with your rule being added to the list. Now we will create an IP filter list to block IPs.

Figure 6

7. Double click on the rule you have just create to open the properties window:

Figure 7

8. Since we have chosen to uncheck “Activate the default Response Rule” in Step 4 the Dynamic rule in not applied. Click on Add button to open Security Rule Wizard and Click again on Add button to open IP Filter List Wizard.

Figure 8

9. You will have a screen some what in Figure 9. Put in the name of your list and Click on the Add button.

Figure 9

10. This will open another window for you to add IP and ports in the IP Filter list. In the Description box just put in the IP address that you want to block and make sure that you keep the check on the box for “Mirrored. Match packets with the exact appropriate source and destination addresses” and click on the Next button.

Figure 10

11. Select My IP address in the Sources Address from the drop down list.

Figure 11

12. You have many more options to select from the list for both in Sources and Destination Address. You will need some advanced knowledge to work with those option. We will select My IP address for now and click on Next button.

Figure 12

13. In the IP Traffic Destination, select “A specific IP Address” and enter the IP address that you want to block on your machine. Here you can also select a sub net from the drop down and block the entire subnet. Once you finish entering an IP/Subnet, click on Next button.

Figure 13

14. Here in IP Protocol Type you can define the protocol that you want to block, it can be any one from the list for example TCP, UDP, ICMP etc. We will select ANY which mean all connect from a specific IP address. If you select a protocol from the list andclick Next it will ask you to enter the port address that you want to block, example 80 (See Figure 14.2). But since we want to block all ports we will select Any and click Next (Figure 14.1) and then Finish.

Figure 14.1

Figure 14.2

15.  After you click on Finish button you will see that the rule has been added in the IP filter list. If you want to add more IP and subnets then click on the Add button to add another rule or block 2nd IP. Once you finish with it you will have rules as in Figure 15.2.

Figure 15.1

Figure 15.2

16. Once your IP Filter List is complete click on the OK button to get back Security Rule Wizard. Select the IP filter list which you have created by clicking on the radio button and click Next.

Figure 16

17. In the Next screen of Security Rule Wizard you will not see any Filter Action as Block as by default it is not created. We will create a Filter action to block connect by click on Add button.

Figure 17

18. In the Name type “Block” and any discryption you like and click on Next.

Figure 18

19. In Filter Action General options select Block and click Next.

Figure 19

20. And then on Finish to get back to Security Rule Wizard.

Figure 20

21. This will add the Filter option as Block in the list, just click on radio button to select it and click Next.

Figure 21

22. Click Finish to complete the security Rule Wizard.

Figure 22

23. You will see the rule added in the list, you can add more rule with the same steps. Now just click OK to finish with the rules.

Figure 23

24. Now since we have already created the rules to block desired IP address just right click on the IP Security Policy and select Assign to apply the rule on the server.

Figure 24

There are allot many option to secure your entire server with IP security policy. You can create more rules to block every one on RDP port TCP 3389 and allow only select IPs. IP Security is IP and port based application and not Services based and you can create the rule as per your need.

EFS can be used to encrypt SQL Server 2005 data files and folders. EFS is supported on Windows 2000 and later operating systems with New Technology File Systems (NTFS) formatted drives. EFS uses a combination of symmetric and asymmetric methods to provide transparent SQL Server 2005 data encryption. On Windows 2003 Server and newer operating systems, EFS by default creates a random File Encryption Key, which is a 256-bit AES key to perform data encryption.The File Encryption Key is then itself encrypted with the user’s public key and stored within the encrypted file or folder.

To encrypt SQL Server 2005 data files and folders using EFS, follow these steps:

1. Stop the SQL Server service.
2. Log out and log in using the SQL Server service account credentials.
3. Right-click on the file or folder to be encrypted and select Properties | General Tab | Advanced.

4. Within the Advanced attributes window, select Encrypt contents to secure data.
5. Within the Advanced attributes window, press OK.
6. Within the Properties tab, press OK.
7. If you are encrypting a folder containing subfolders, you will be presented with another window asking if you would like to  encrypt them as well. Press OK.
8. EFS encrypted files and folder names should now appear in green within any Windows file explorer window.
9. Restart the SQL Server services.

If errors are generated, you may have encrypted the SQL Server data files using an account that is not linked to the SQL Server service account.You can decrypt the data folders by reversing the steps above and trying again. When encrypting individual database files, EFS first creates a plain text copy of the file to be encrypted, encrypts the target file, and then deletes the temporary file.This temporary file is not securely deleted and can be recovered using common data recovery tools. To prevent local file disclosure, you should use a secure data deletion tool to overwrite the areas of disk containing the temporary file. Alternatively, you can simply encrypt the parent folder that contains the database files to ensure any temporary files are also encrypted.

EFS encryption is beneficial if the database media is stolen or misplaced. When transferring EFS encrypted files over the network, Windows first decrypts the file and then transfers the plain text equivalent. Some administrators perform manual backups of database files prior to implementing changes on the database server. If this backup involves copying data files from one server to another, you will effectively be storing an unencrypted copy of your database on the destination server.

Encryption File System Contains Inherit Flaws

On Windows Server 2003, EFS uses a strong 256-bit AES key to encrypt data. Under most circumstances, this would be an effective method of encryption; however, this AES key is protected by the user’s public key, which is based on the user’s Windows login password. This ultimately reduces EFS protection to the strength of the user’s Windows password. There are publicly available tools that can successfully decrypt EFS encrypted data by exploiting this flaw. Because of this, EFS should not be used to encrypt sensitive database data.

Working with EFS Encrypted Data

EFS encryption is managed by the operating system, and seamlessly provides file and folder encryption to SQL Server 2005. All SQL Server functions and operations remain unchanged when using this encryption method. Because EFS is handled outside of SQL Server 2005, encryption keys must be backed up separately in addition to your database backups.