QPR ProcessAnalyzer Security Hardening

From QPR ProcessAnalyzer Wiki
Latest revision as of 15:02, 28 September 2025

This article provides recommendations for improving (hardening) the security of a QPR ProcessAnalyzer Server installation. In addition to the server hardening, there are also hardening instructions for QPR ScriptLauncher installations.

Disable SSL, TLS 1.0 and TLS 1.1

Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so it's recommended to allow clients to connect only with TLS 1.2 or TLS 1.3 (preferred). However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.

Here is a PowerShell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2 (run it in an elevated PowerShell session):

# Disable TLS 1.0 and TLS 1.1
# For each protocol and side, Enabled=0 turns the protocol off and DisabledByDefault=1
# stops it from being offered by default. Both values are set for both protocols so that
# neither client-side nor server-side code can still negotiate them.
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name Enabled -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name Enabled -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1

# Enable TLS 1.2
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1

# SCHANNEL reads these values at startup; restart the server for the change to take effect.

More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
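As an added check (example code, not part of the original article), the following PowerShell reads back the SCHANNEL protocol keys written by the script above and reports, per protocol and side, whether the protocol is explicitly disabled. The registry paths are the ones used on this page; a key or value that is absent is reported as "default" because the built-in default depends on the Windows version and should not be guessed.

```powershell
# Added example: audit SCHANNEL protocol state from the registry.
# A missing key or value means the OS default applies (version dependent),
# so it is reported as "default" rather than interpreted.
$base = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $base "$p\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = $null
            $byDefault = $null
            if ($null -ne $props) {
                if ($null -ne $props.Enabled)           { $enabled   = [int]$props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $byDefault = [int]$props.DisabledByDefault }
            }
            $state = if ($enabled -eq 0) { 'disabled' }
                     elseif ($enabled -eq 1) { 'enabled' }
                     elseif ($null -eq $enabled -and $null -eq $byDefault) { 'default' }
                     elseif ($byDefault -eq 1) { 'disabled by default only (Enabled not set)' }
                     else { 'check values' }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $byDefault
                State             = $state
            }
        }
    }
}

$states = Get-SchannelProtocolState
$states | Format-Table -AutoSize

# Flag anything older than TLS 1.2 that is not explicitly disabled.
$weak = $states | Where-Object { $_.Protocol -notin @('TLS 1.2', 'TLS 1.3') -and $_.State -ne 'disabled' }
if ($weak) {
    $list = ($weak | ForEach-Object { "$($_.Protocol)/$($_.Side)" }) -join ', '
    Write-Warning "Legacy protocols not explicitly disabled: $list"
}
```

Run it after the reboot that follows the hardening script; any SSL 2.0/3.0, TLS 1.0 or TLS 1.1 row whose State is not "disabled" is a candidate for the same Enabled=0 / DisabledByDefault=1 treatment, unless a known legacy client still needs it.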

Disable Weak Ciphers

Use only cipher suites that are considered secure. Up-to-date information on the security of specific ciphers can be checked at https://ciphersuite.info/ (use only the ciphers that are classified as recommended or secure). The up-to-date list of recommended ciphers (maintained by Mozilla) is also available in JSON format: https://ssl-config.mozilla.org/guidelines/5.7.json (use only the ciphers in the modern and intermediate sections).

PowerShell commands to manage ciphers:

  • Get a list of all allowed ciphers on the computer: https://docs.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite
  • Disable ciphers: https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsciphersuite
  • Enable ciphers: https://docs.microsoft.com/en-us/powershell/module/tls/enable-tlsciphersuite

More information about how to configure ciphers on Windows systems: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
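As an added example (not from the article), here is a PowerShell audit built on the Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets referenced above. It lists the cipher suites Windows currently offers and flags those that are not on an allow-list; suites are only disabled when the script is run with -Apply. The allow-list is a constructed subset of the Mozilla profiles limited to AES-GCM suites that Schannel knows by these names; regenerate it from the Mozilla JSON linked above rather than relying on this copy.

```powershell
# Added example: audit (and optionally prune) Windows cipher suites against an allow-list.
param([switch]$Apply)

# Constructed allow-list: AES-GCM suites from the Mozilla "modern"/"intermediate" profiles
# under their Schannel names. Regenerate from https://ssl-config.mozilla.org/guidelines/5.7.json.
$allowed = @(
    'TLS_AES_256_GCM_SHA384',                    # TLS 1.3
    'TLS_AES_128_GCM_SHA256',                    # TLS 1.3
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-DisallowedCipherSuites {
    param([string[]]$AllowList)
    # Get-TlsCipherSuite returns the suites in the system's current priority order.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -notin $AllowList } |
        Select-Object -ExpandProperty Name
}

$disallowed = @(Get-DisallowedCipherSuites -AllowList $allowed)
if ($disallowed.Count -eq 0) {
    Write-Host 'All offered cipher suites are on the allow-list.'
    return
}

Write-Host 'Cipher suites offered but not on the allow-list:'
$disallowed | ForEach-Object { Write-Host "  $_" }

if ($Apply) {
    foreach ($name in $disallowed) {
        # Disable-TlsCipherSuite removes the suite from the system cipher suite list.
        Disable-TlsCipherSuite -Name $name
        Write-Host "Disabled $name"
    }
    Write-Host 'Re-run without -Apply to confirm the remaining list.'
}
```

Review the flagged list before using -Apply: a suite that a required legacy client depends on should be added to the allow-list deliberately rather than left by accident, and the change should be tested against the clients that connect to QPR ProcessAnalyzer.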

Database User Least Privileges

While it's easiest to run QPR ProcessAnalyzer with a database user assigned the db_owner permissions, it's more secure to restrict the database permissions to only those needed. The minimum permissions for QPR ProcessAnalyzer are the following:

  • db_datareader fixed database role
  • db_datawriter fixed database role
  • user defined role with the following permissions:
    • VIEW DATABASE STATE
    • ALTER
    • REFERENCES

Configure QPR ProcessAnalyzer to run with minimum permissions as follows:

  1. In the QPR ProcessAnalyzer database, click Security > Roles > Database Roles > Create Database Role....
  2. Give a name to the role (e.g. AdditionalPermissions) and click OK.
  3. To give permissions to the role, run the following commands:
GRANT VIEW DATABASE STATE to AdditionalPermissions
GRANT ALTER to AdditionalPermissions
GRANT REFERENCES to AdditionalPermissions

4. Assign the needed roles to the database user by clicking Security > Users and double-clicking the database user. Go to the Membership tab and check that the following roles are assigned:

  • db_datareader
  • db_datawriter
  • user defined role created earlier
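As an added example (not from the article), this PowerShell script uses Invoke-Sqlcmd from the SqlServer module to verify that the database user has exactly the roles listed above, that the user-defined role carries the three permissions, and that the user is not still a member of db_owner. The instance, database and user names are placeholders; AdditionalPermissions is the example role name used in the steps above.

```powershell
# Added example: verify least-privilege role membership for the application's database user.
# Placeholders: replace with your instance, database and user names.
$ServerInstance = 'DBSERVER\INSTANCE'
$Database       = 'QPRProcessAnalyzer'
$DbUser         = 'qpr_app_user'
$CustomRole     = 'AdditionalPermissions'   # name chosen in step 2 above

# Single-quoted here-strings so that $(User)/$(Role) stay as sqlcmd variables.
$roleQuery = @'
SELECT r.name AS RoleName
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
WHERE u.name = '$(User)';
'@

$permQuery = @'
SELECT dp.permission_name AS PermissionName
FROM sys.database_permissions dp
JOIN sys.database_principals r ON r.principal_id = dp.grantee_principal_id
WHERE r.name = '$(Role)' AND dp.state = 'G' AND dp.class = 0;  -- database-level grants
'@

# On SqlServer module 22+, add -TrustServerCertificate if the instance uses a self-signed certificate.
$common = @{ ServerInstance = $ServerInstance; Database = $Database }
$roles = @(Invoke-Sqlcmd @common -Query $roleQuery -Variable "User=$DbUser" |
           Select-Object -ExpandProperty RoleName)
$perms = @(Invoke-Sqlcmd @common -Query $permQuery -Variable "Role=$CustomRole" |
           Select-Object -ExpandProperty PermissionName)

$expectedRoles = 'db_datareader', 'db_datawriter', $CustomRole
$expectedPerms = 'VIEW DATABASE STATE', 'ALTER', 'REFERENCES'

$problems = @()
foreach ($r in $expectedRoles) { if ($r -notin $roles) { $problems += "missing role: $r" } }
if ('db_owner' -in $roles)     { $problems += 'user is still a member of db_owner' }
foreach ($p in $expectedPerms) { if ($p -notin $perms) { $problems += "role $CustomRole lacks: $p" } }
$extraRoles = $roles | Where-Object { $_ -notin $expectedRoles }
if ($extraRoles) { $problems += "unexpected roles: $($extraRoles -join ', ')" }

if ($problems.Count -eq 0) {
    Write-Host "$DbUser in $Database matches the least-privilege configuration."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The check is read-only, so it can be run after every deployment or permission change; an unexpected db_owner membership is the finding most worth alerting on, because it silently undoes the rest of this section.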

SAML 2.0 Authentication

It's recommended to use the SAML 2.0 authentication because the password authentication provided by QPR ProcessAnalyzer does not fulfill most security standards. When configuring the SAML 2.0 authentication, it's recommended to set a custom certificate for signing authentication requests (SAMLSigningCertificate setting). It's also possible to configure the SAML assertion encryption, but that might not be needed because all messages are already encrypted using TLS.

Disable 8.3 File Name Creation

To disable short name creation, add a registry value named NtfsDisable8dot3NameCreation under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set it to 1. Note that other applications on the computer may require 8.3 file names and may stop working.

Example PowerShell script to disable 8.3 file name creation:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1

More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions

White-list allowed source IP addresses

Security can be improved by restricting (white-listing) the source IP addresses from which connections to the QPR ProcessAnalyzer UI and API can be established. This restriction is typically set in the firewall, which can be part of the network infrastructure or can be on the server machine itself. If taking this method into use, consider the effort of maintaining an up-to-date list of allowed IP addresses versus the benefit gained from the restriction.
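As an added example (not from the article), here is how the source-address restriction can be applied on the server itself with the Windows Defender Firewall NetSecurity cmdlets. The port and the allowed address ranges are constructed placeholders, and the display group name of the IIS rules is an assumption that should be confirmed with Get-NetFirewallRule before it is disabled. A network firewall in front of the server, if present, should carry the same restriction.

```powershell
# Added example: allow HTTPS to QPR ProcessAnalyzer only from listed source addresses.
# Placeholders: adjust the port and the address list for your environment.
$Port = 443
$AllowedSources = @('10.20.0.0/16', '192.0.2.10')   # constructed example ranges

# IIS installs broad allow rules for 80/443; if they stay enabled the scoped rule below
# adds nothing. Assumed group name, verify with:
#   Get-NetFirewallRule | Where-Object DisplayGroup -like 'World Wide Web*'
Get-NetFirewallRule -DisplayGroup 'World Wide Web Services (HTTP)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

$ruleName = 'QPR ProcessAnalyzer HTTPS (allowed sources only)'
# Remove a previous copy so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# The allow rule only restricts anything if the profile's default inbound action is Block.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } | ForEach-Object {
    Write-Warning "Profile $($_.Name): default inbound action is $($_.DefaultInboundAction); setting Block."
    Set-NetFirewallProfile -Name $_.Name -DefaultInboundAction Block
}

# Show the resulting remote-address scope for review.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Keep $AllowedSources in version control or a change ticket, since the maintenance cost the section warns about is mostly the cost of knowing why each entry is there.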

HTTP Response Headers

This section contains information about the security-related HTTP response headers that are added or removed.

Added HTTP Headers

The following security-related HTTP headers are set:

  1. Content-Security-Policy
    • Name: Content-Security-Policy
    • Value: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self';frame-src 'self';object-src 'none';frame-ancestors 'self'; form-action 'none';base-uri 'none';worker-src blob:;
  2. Strict-Transport-Security (Note: HTTPS is required)
    • Name: Strict-Transport-Security
    • Value: max-age=31536000; includeSubDomains
  3. X-Content-Type-Options
    • Name: X-Content-Type-Options
    • Value: nosniff

Notes about the used Content-Security-Policy header:

  • sandbox directive is not required because by default everything is disabled.
  • plugin-types directive is not needed because it's only used when allowing plugins with object-src directive.
  • report-uri directive is deprecated and should not be used.
  • font-src data: directive is used by Syncfusion and Bpmn.io components.
  • img-src blob: directive is used when downloading files with the URL.createObjectURL() call.
  • worker-src blob: directive is needed by the Monaco editor (expression language and SQL script code editor).

More information:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  • https://content-security-policy.com/
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Removed HTTP Headers

By default, IIS returns the X-Powered-By HTTP response header; QPR ProcessAnalyzer removes it. More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

By default, IIS 10.0 returns a Server header in HTTP responses; QPR ProcessAnalyzer removes it. More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0
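As an added check covering both the added and the removed headers above (example code, not from the article), this PowerShell script requests the QPR ProcessAnalyzer URL and reports which of the expected security headers are present with the values listed on this page, and which technology-revealing headers are still returned. The URL is a placeholder and should point at a page that answers without authentication, since Invoke-WebRequest throws on 401/403 responses.

```powershell
# Added example: verify security response headers on the running server.
$Url = 'https://qpr.example.invalid/'   # placeholder

# Expected headers and the values listed on this page; $null means "presence only",
# because the CSP value is site specific.
$expected = [ordered]@{
    'Content-Security-Policy'   = $null
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    'X-Content-Type-Options'    = 'nosniff'
}
# Headers that reveal the underlying technology and should be absent.
$unwanted = 'X-Powered-By', 'Server'

function Test-SecurityHeaders {
    param([string]$Uri)
    # HEAD is enough to inspect headers; -UseBasicParsing avoids the IE engine on Windows PowerShell 5.1.
    $resp = Invoke-WebRequest -Uri $Uri -Method Head -UseBasicParsing
    $h = $resp.Headers   # indexing a missing key yields $null in PowerShell

    $rows = foreach ($name in $expected.Keys) {
        $value = "$($h[$name])"
        $present = $value -ne ''
        $ok = $present -and ($null -eq $expected[$name] -or $value -eq $expected[$name])
        [pscustomobject]@{
            Header = $name
            Status = if ($ok) { 'OK' } elseif ($present) { 'UNEXPECTED VALUE' } else { 'MISSING' }
            Value  = $value
        }
    }
    $rows += foreach ($name in $unwanted) {
        $value = "$($h[$name])"
        [pscustomobject]@{
            Header = $name
            Status = if ($value -ne '') { 'SHOULD BE REMOVED' } else { 'OK' }
            Value  = $value
        }
    }
    $rows
}

Test-SecurityHeaders -Uri $Url | Format-Table -AutoSize
```

Run it through the same path clients use (reverse proxy or load balancer included), because an intermediate device can add a Server header back or strip Strict-Transport-Security even when IIS is configured correctly.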

Customize Content-Security-Policy Header

In certain scenarios, the default Content-Security-Policy (CSP) HTTP header settings may be too restrictive and need modification to better suit specific requirements. If a too restrictive CSP blocks an operation, an error message can be seen in the browser console. Keep in mind that the CSP is designed to enhance information security, and configuring it too permissively can pose a security risk.

To modify the Content-Security-Policy, follow these steps:

  • Navigate to the QPR ProcessAnalyzer Server.
  • Open the appsettings.json file. Locate the Content-Security-Policy setting within the ResponseHeaders section and adjust the value as needed.
  • Access the web.config file in the same directory. Find the Content-Security-Policy setting within the customHeaders section and modify the value to match the one in the appsettings.json file.
  • Restart the QPR ProcessAnalyzer Server by stopping and starting the IIS application pool.
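As an added example (not from the article), this PowerShell script automates the consistency check in the steps above: it reads the Content-Security-Policy value from appsettings.json, compares it with the customHeaders entry in web.config, copies the JSON value into web.config when run with -Apply, and then recycles the application pool. The installation directory, the application pool name and the exact JSON layout (a ResponseHeaders object holding a Content-Security-Policy key) are assumptions to adjust for your installation.

```powershell
# Added example: keep the CSP in web.config in sync with appsettings.json.
param([switch]$Apply)

$InstallDir  = 'C:\inetpub\QPRProcessAnalyzer'   # placeholder
$AppPoolName = 'QPRProcessAnalyzer'              # placeholder
$HeaderName  = 'Content-Security-Policy'

$jsonPath = Join-Path $InstallDir 'appsettings.json'
$xmlPath  = Join-Path $InstallDir 'web.config'

# Assumed JSON shape: { "ResponseHeaders": { "Content-Security-Policy": "..." } }
$settings = Get-Content -Path $jsonPath -Raw | ConvertFrom-Json
$jsonCsp  = $settings.ResponseHeaders.$HeaderName
if (-not $jsonCsp) { throw "No $HeaderName found under ResponseHeaders in $jsonPath" }

# Standard IIS location: system.webServer/httpProtocol/customHeaders/add[@name=...]
[xml]$webConfig = Get-Content -Path $xmlPath -Raw
$node = $webConfig.SelectSingleNode("/configuration/system.webServer/httpProtocol/customHeaders/add[@name='$HeaderName']")
if ($null -eq $node) { throw "No $HeaderName customHeaders entry found in $xmlPath" }
$xmlCsp = $node.GetAttribute('value')

if ($jsonCsp -eq $xmlCsp) {
    Write-Host 'web.config already matches appsettings.json.'
    return
}

Write-Host "Mismatch:`n  appsettings.json: $jsonCsp`n  web.config:       $xmlCsp"
if (-not $Apply) {
    Write-Host 'Re-run with -Apply to copy the appsettings.json value into web.config.'
    return
}

# Keep a timestamped backup, then write the new value.
Copy-Item -Path $xmlPath -Destination "$xmlPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
$node.SetAttribute('value', $jsonCsp)
$webConfig.Save($xmlPath)

# Recycle the application pool so the server picks up both files.
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPoolName
```

Edit the policy in appsettings.json first and let the script propagate it; when loosening a directive to unblock something seen in the browser console, add only the specific source that was reported rather than a wildcard.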