Monday, May 11, 2015

SharePoint Resource Monitoring

Testing a SharePoint application? Worried that your tests could knock the server over? (Want to knock the server over? This applies to you too.)

One of the new features of SharePoint 2010+ is resource throttling when the system is busy handling requests. This can be tuned at Web Application level in Central Admin. The throttling uses the health score value: if the value reaches 10 or above, the server goes into throttling mode. At that point it gives GET requests a lower priority than other types like POST, so people can finish the form they are filling in, but new requests will be denied.

Enter the X-SharePointHealthScore HTTP Header.

It's a header that returns the system's health based on 3 performance counters:

Memory - Available MBytes
ASP.NET - Requests Queued
ASP.NET - Request Wait Time

Monitoring the headers of the SharePoint application can tell you if you're hammering the server too much or if it needs that little push more to go dark. http://yuriburger.net/2012/04/03/get-sharepoint-health-score-using-powershell/
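A small load-test monitor for the header, added here as an example (it is not the post's own code nor the linked PowerShell script); it assumes the threshold of 10 described above and that a HEAD request to the site URL is acceptable, and reads the score even from 401/403 responses, which still carry the header:

```python
import urllib.error
import urllib.request

HEADER = "X-SharePointHealthScore"
THROTTLE_THRESHOLD = 10  # SharePoint enters throttling mode at a score of 10 or above


def parse_health_score(raw_headers):
    """Health score from a raw response header block, or None if absent/non-numeric."""
    for line in raw_headers.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue  # status line or body text, not a header
        name, value = line.split(":", 1)
        if name.strip().lower() == HEADER.lower():  # header names are case-insensitive
            return int(value.strip()) if value.strip().isdigit() else None
    return None


def classify(score):
    """'unknown' (header absent), 'ok' (below 10) or 'throttled' (10 or above)."""
    if score is None:
        return "unknown"
    return "throttled" if score >= THROTTLE_THRESHOLD else "ok"


def probe(url, timeout=10.0):
    """Issue one HEAD request and return (status, score); 401/403 raise HTTPError
    in urllib but still carry the header, so it is read from the error object too."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    value = headers.get(HEADER)
    return status, (int(value.strip()) if value and value.strip().isdigit() else None)


# Constructed sample, modelled on the 401 response shown on this page.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-SharePointHealthScore: 4\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
)

if __name__ == "__main__":
    score = parse_health_score(SAMPLE_401)
    print(score, classify(score))  # 4 ok
```

Calling probe() in a loop during a load test and stopping when classify() returns "throttled" keeps the test from pushing the farm into throttling mode.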

Discuss:
Just seems like a really bad idea for an Internet-facing app.

Random Example:

HTTP/1.1 401 Unauthorized
Content-Length: 16
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
SPRequestGuid: 6dcb9a95-61a8-4817-bfd8-65ad55b5d1fa
X-SharePointHealthScore: 4
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.6120
X-MS-InvokeApp: 1; RequireReadOnly
Date: Sun, 19 Jan 2014 18:40:11 GMT

Example of SharePoint application used by the PCI Council:

HTTP/1.1 403 FORBIDDEN
Content-Length: 13
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
SPRequestGuid: 1569c27d-f2cd-4c58-a299-07116dff3154
X-SharePointHealthScore: 0
X-MSDAVEXT_Error: 917656; Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.6029

Shodan search:

Further details:

Secure the Headers: