QPR ProcessAnalyzer Security Hardening: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 15: Line 15:


== Remove X-Powered-By HTTP Response Header in IIS ==
== Remove X-Powered-By HTTP Response Header in IIS ==
https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/


== Disable TLS 1.0 ==
== Disable TLS 1.0 ==
https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.
 
In addition, we recommend that TLS 1.0 and TLS 1.1 are disabled on QPR UI server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to QPR UI support TLS 1.2. You may need to preserve support for TLS 1.1.
 
More information:
* https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat


== Disable Weak Ciphers ==
== Disable Weak Ciphers ==
https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for [https://nvd.nist.gov/vuln/detail/CVE-2016-2183 CVE-2016-2183].
 
More information:
* https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc


== Allow Incoming Requests only from Localhost ==
== Allow Incoming Requests only from Localhost ==
Line 27: Line 36:


== Change Glassfish Administrator Password==
== Change Glassfish Administrator Password==
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]]
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]].


== Remove GlassFish Specific Default and Error Pages ==
== Remove GlassFish Specific Default and Error Pages ==
Line 34: Line 43:
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' andset its value to '''1'''. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' andset its value to '''1'''. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.


More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
More information:
* https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions


== Check That Latest Java is Installed ==
== Check That Latest Java is Installed ==

Revision as of 07:09, 31 October 2018

The following list provides recommendations for improving (hardening) the security of QPR UI installation.

Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS

This step applies only when traffic is routed through IIS.

  1. In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
    • Name: X-XSS-Protection
    • Value: 1; mode=block
  2. Similarly, add the following HTTP Response Header:
    • Name: X-Frame-Options
    • Value: deny

More information:

Remove X-Powered-By HTTP Response Header in IIS

https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

Disable TLS 1.0

Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.

In addition, we recommend that TLS 1.0 and TLS 1.1 are disabled on QPR UI server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to QPR UI support TLS 1.2. You may need to preserve support for TLS 1.1.

More information:

Disable Weak Ciphers

The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.

More information:

Allow Incoming Requests only from Localhost

This step applies only when traffic is routed through IIS. In GlassFish allow incoming requests only from localhost.

Change Glassfish Administrator Password

Change GlassFish administrator password.

Remove GlassFish Specific Default and Error Pages

Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem andset its value to 1. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.

More information:

Check That Latest Java is Installed

Check that the latest version of Java 8 is installed.

Other Instructions to Hardening GlassFish Security

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html