QPR ProcessAnalyzer Security Hardening: Difference between revisions
No edit summary |
|||
Line 1: | Line 1: | ||
The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation. | The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation. | ||
== Disable SSL, TLS 1.0 and TLS 1.1, | == Disable SSL, TLS 1.0 and TLS 1.1, and Enable TLS 1.2 == | ||
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled. | Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled. | ||
Revision as of 12:33, 23 December 2019
The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation.
Disable SSL, TLS 1.0 and TLS 1.1, and Enable TLS 1.2
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.
Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:
#Disable TLS 1.0 and TLS 1.1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1 #Enable TLS 1.2 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1
More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Disable Weak Ciphers
The Triple-DES cipher is no longer adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.
Here is a Powershell script to disable Triple-DES cipher:
#Disable Triple-DES New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force Set-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0
More information: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
Disable 8.3 File Name Creation
In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.
Here is an example of Powershell script to disable 8.3 file name creation:
#Disable 8.3 File Name Creation Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
Add Security Related HTTP Headers in IIS
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.
- In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
- Content-Security-Policy
- Name: Content-Security-Policy
- Value: default-src 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://devnet.onqpr.com/;
- Strict-Transport-Security
- Name: Strict-Transport-Security
- Value: max-age=31536000; includeSubDomains
- X-XSS-Protection
- Name: X-XSS-Protection
- Value: 1; mode=block
- X-Frame-Options:
- Name: X-Frame-Options
- Value: deny
- X-Content-Type-Options:
- Name: X-Content-Type-Options
- Value: nosniff
Here is a Powershell script to add X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options HTTP Response Headers:
#Add X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options HTTP Response Headers to IIS Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-XSS-Protection';value='1; mode=block'} Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Frame-Options';value='deny'} Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Content-Type-Options';value='nosniff'}
More information:
- https://content-security-policy.com/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Remove X-Powered-By HTTP Header in IIS
Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. This step applies only when IIS is used as a reverse proxy for QPR UI.
- In Internet Information Services (IIS) Console, click the top level in the left side hierarchy:
- Double-click HTTP Response Headers
- Click on the X-Powered-By header
- Click Remove on the right side pane to remove it from the response.
Here is a Powershell script to remove X-Powered-By HTTP Response Header:
#Remove X-Powered-By HTTP Response Header in IIS Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}
More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/