QPR ProcessAnalyzer Security Hardening: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
 
(100 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The following list provides recommendations for improving (hardening) the security of QPR UI installation.
This article provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer Server installation. In addition to the server hardening, there are also hardening instructions for [[QPR_ProcessAnalyzer_ScriptLauncher#Hardening_ScriptLauncher_Security|QPR ScriptLauncher]] installations.


== Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS ==
== Disable SSL, TLS 1.0 and TLS 1.1 ==
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so it's recommended to only allow clients to connect with TLS 1.2 or TLS 1.3 (preferred). However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following:
#* Name: '''X-XSS-Protection'''
#* Value: '''1; mode=block'''
# Similarly, add the following HTTP Response Header:
#* Name: '''X-Frame-Options'''
#* Value: '''deny'''
 
More information:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options


== Remove X-Powered-By HTTP Response Header in IIS ==
Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy
# Double-click '''HTTP Response Headers'''
# Click on the '''X-Powered-By''' header
# Click '''Remove''' on the right side pane to remove it from the response.


More information:
<pre>
* https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force


== Disable TLS 1.0 ==
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1
Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1


In addition, we recommend that TLS 1.0 and TLS 1.1 are disabled on QPR UI server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to QPR UI support TLS 1.2. You may need to preserve support for TLS 1.1.
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1
</pre>


More information:
More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
* https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat


== Disable Weak Ciphers ==
== Disable Weak Ciphers ==
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for [https://nvd.nist.gov/vuln/detail/CVE-2016-2183 CVE-2016-2183].
Use only cipher suites that are considered secure. The up-to-date information regarding security of specific ciphers can be checked here: https://ciphersuite.info/ (use only the ciphers that are classified as ''recommended'' or ''secure''). The up-to-date list of the recommended ciphers (maintained by Mozilla) are also available as json format: https://ssl-config.mozilla.org/guidelines/5.6.json (use only the ciphers in the ''modern'' and ''intermediate'' sections).


More information:
PowerShell commands to manage ciphers:
* https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
* Get list of all allowed ciphers in computer: https://docs.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite
* Disable ciphers: https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsciphersuite
* Enable ciphers: https://docs.microsoft.com/en-us/powershell/module/tls/enable-tlsciphersuite


== Allow Incoming Requests only from Localhost ==
More information about how to configure ciphers on Windows systems: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
In GlassFish allow incoming requests only from localhost.


== Change Glassfish Administrator Password==
== Database User Least Privileges ==
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]].
While it's easiest to run QPR ProcessAnalyzer with a database user assigned the [https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15 db_owner] permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions for QPR ProcessAnalyzer are the following:
* db_datareader fixed database role
* db_datawriter fixed database role
* user defined role with the following permissions:
** VIEW DATABASE STATE
** EXECUTE on TYPE::PA_TABLETYPE_BigInt
** EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax
** ALTER
** REFERENCES


== Remove GlassFish Specific Default and Error Pages ==
Configure QPR ProcessAnalyzer to run with minimum permissions as follows:
# In the QPR ProcessAnalyzer database, click '''Security''' > '''Roles''' > '''Database Roles''' > '''Create Database Role...'''.
# Give a name to the role (e.g. ''AdditionalPermissions'') and click '''OK'''.
# To give permissions to the role, run the following commands:
<pre>
GRANT VIEW DATABASE STATE to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_BigInt to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax to AdditionalPermissions
GRANT ALTER to AdditionalPermissions
GRANT REFERENCES to AdditionalPermissions
</pre>
4. Assign needed roles to the database user by clicking '''Security''' > '''Users''' and double click the database user. Go to '''Membership''' tab and check that following roles are assigned:
* db_datareader
* db_datawrite
* user defined role created earlier


== Disable 8.3 File Name Creation==
==Disable 8.3 File Name Creation==
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' and set its value to '''1'''. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' and set its value to '''1'''. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.


More information:
Example Powershell script to disable 8.3 file name creation:
* https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
<pre>
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
</pre>


== Check That Latest Java is Installed ==
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
Check that the [[QPR_UI_System_Requirements#Other Needed Server Components|latest version of Java 8]] is installed.


== Other Instructions to Hardening GlassFish Security ==
==White-list allowed source IP addresses==
Security can be improved by restricting (white-listing) from which source IP addresses connections to the QPR ProcessAnalyzer UI and API can be established. This restriction is typically set in the firewall which can be part of the network infrastructure or it can be in the server machine. If taking this method into use, considered the effort to maintain the up-to-date list of allowed IP addresses versus the gained benefit of the restriction.


* The response headers contain some information which should not be disclosed to the public to prevent targeted attacks.
==HTTP Response Headers==
This chapter contains information about security related HTTP response headers that are added or removed in QPR ProcessAnalyzer. Thus, no actions are required regarding these HTTP response headers.


<blockquote>
=== Added HTTP Headers ===
<code>Server: GlassFish Server Open Source Edition  4.1
Following security related HTTP headers are set:
# Content-Security-Policy
#* Name: '''Content-Security-Policy'''
#* Value: '''default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self';frame-src *;'''
# Strict-Transport-Security (Note: HTTPS is required)
#* Name: '''Strict-Transport-Security'''
#* Value: '''max-age=31536000; includeSubDomains'''
# X-Frame-Options:
#* Name: '''X-Frame-Options'''
#* Value: '''sameorigin'''
# X-Content-Type-Options:
#* Name: '''X-Content-Type-Options'''
#* Value: '''nosniff'''


X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition  4.1  Java/Oracle Corporation/1.8)</code>
More information:
</blockquote>
* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 
* https://content-security-policy.com/
You can disable this by turning off the '''XPowered By:''' header with your http-listener and by adding a JVM-Option '''-Dproduct.name=""'''.
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
* The application may leak sensitive data via application errors.
 
Configure the '''Logger Settings''' in Glassfish from the [[GlassFish_Configuration_in_QPR_UI#Opening GlassFish Administration Console | GlassFish Administration Console ]]:


# In the navigation tree, expand the '''Configurations''' node.
=== Removed HTTP Headers ===
# Under the '''Configurations''' node, click the server instance or cluster configuration for which you want to configure '''Logger Settings'''.
By default, IIS returns the '''X-Powered-By''' HTTP response header that has been removed in QPR ProcessAnalyzer. More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
# The '''Configuration''' page opens.
# On the '''Configuration''' page, click '''Logger Settings'''.
# The '''Logger Settings''' page for the selected configuration target opens.
# Select the desired log level


By default, IIS 10.0 returns '''Server''' header in http response that has been removed in QPR ProcessAnalyzer. More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0


More information:  
[[Category: QPR ProcessAnalyzer]]
* http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html

Latest revision as of 23:08, 27 December 2023

This article provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer Server installation. In addition to the server hardening, there are also hardening instructions for QPR ScriptLauncher installations.

Disable SSL, TLS 1.0 and TLS 1.1

Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so it's recommended to only allow clients to connect with TLS 1.2 or TLS 1.3 (preferred). However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.

Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:

New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1

New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1

More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

Disable Weak Ciphers

Use only cipher suites that are considered secure. The up-to-date information regarding security of specific ciphers can be checked here: https://ciphersuite.info/ (use only the ciphers that are classified as recommended or secure). The up-to-date list of the recommended ciphers (maintained by Mozilla) are also available as json format: https://ssl-config.mozilla.org/guidelines/5.6.json (use only the ciphers in the modern and intermediate sections).

PowerShell commands to manage ciphers:

More information about how to configure ciphers on Windows systems: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Database User Least Privileges

While it's easiest to run QPR ProcessAnalyzer with a database user assigned the db_owner permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions for QPR ProcessAnalyzer are the following:

  • db_datareader fixed database role
  • db_datawriter fixed database role
  • user defined role with the following permissions:
    • VIEW DATABASE STATE
    • EXECUTE on TYPE::PA_TABLETYPE_BigInt
    • EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax
    • ALTER
    • REFERENCES

Configure QPR ProcessAnalyzer to run with minimum permissions as follows:

  1. In the QPR ProcessAnalyzer database, click Security > Roles > Database Roles > Create Database Role....
  2. Give a name to the role (e.g. AdditionalPermissions) and click OK.
  3. To give permissions to the role, run the following commands:
GRANT VIEW DATABASE STATE to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_BigInt to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax to AdditionalPermissions
GRANT ALTER to AdditionalPermissions
GRANT REFERENCES to AdditionalPermissions

4. Assign needed roles to the database user by clicking Security > Users and double click the database user. Go to Membership tab and check that following roles are assigned:

  • db_datareader
  • db_datawrite
  • user defined role created earlier

Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.

Example Powershell script to disable 8.3 file name creation:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1

More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions

White-list allowed source IP addresses

Security can be improved by restricting (white-listing) from which source IP addresses connections to the QPR ProcessAnalyzer UI and API can be established. This restriction is typically set in the firewall which can be part of the network infrastructure or it can be in the server machine. If taking this method into use, considered the effort to maintain the up-to-date list of allowed IP addresses versus the gained benefit of the restriction.

HTTP Response Headers

This chapter contains information about security related HTTP response headers that are added or removed in QPR ProcessAnalyzer. Thus, no actions are required regarding these HTTP response headers.

Added HTTP Headers

Following security related HTTP headers are set:

  1. Content-Security-Policy
    • Name: Content-Security-Policy
    • Value: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self';frame-src *;
  2. Strict-Transport-Security (Note: HTTPS is required)
    • Name: Strict-Transport-Security
    • Value: max-age=31536000; includeSubDomains
  3. X-Frame-Options:
    • Name: X-Frame-Options
    • Value: sameorigin
  4. X-Content-Type-Options:
    • Name: X-Content-Type-Options
    • Value: nosniff

More information:

Removed HTTP Headers

By default, IIS returns the X-Powered-By HTTP response header that has been removed in QPR ProcessAnalyzer. More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

By default, IIS 10.0 returns Server header in http response that has been removed in QPR ProcessAnalyzer. More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0