QPR ProcessAnalyzer Security Hardening: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
The following list provides recommendations for improving (hardening) the security of QPR UI installation.
The following list provides recommendations for improving (hardening) the security of QPR UI installation.


== IIS Response Headers: X-XSS-Protection and X-Frame-Options ==
== Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS ==
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following:
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following:
Line 13: Line 13:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
== Remove X-Powered-By HTTP Response Header in IIS ==
== Disable TLS 1.0 ==
https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
== Disable Weak Ciphers ==
https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc


== Allow Incoming Requests only from Localhost ==
== Allow Incoming Requests only from Localhost ==
Line 21: Line 29:
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]]
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]]


== Latest Java is Installed ==
== Remove GlassFish Specific Default and Error Pages ==
Check that the [[QPR_UI_System_Requirements#Other Needed Server Components|latest version of Java 8]] is installed.


== Disable 8.3 File Name Creation==
== Disable 8.3 File Name Creation==
Line 29: Line 36:
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions


== Disable All SSL Versions and TLS 1.0 ==
== Check That Latest Java is Installed ==
https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Check that the [[QPR_UI_System_Requirements#Other Needed Server Components|latest version of Java 8]] is installed.
 
== Disable Weak Ciphers ==
https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
 
== Remove X-Powered-By HTTP Response Header in IIS ==
 
== Remove GlassFish Specific Default and Error Pages ==


== Hardening GlassFish Security ==
== Other Instructions to Hardening GlassFish Security ==
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html

Revision as of 09:02, 29 October 2018

The following list provides recommendations for improving (hardening) the security of QPR UI installation.

Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS

This step applies only when traffic is routed through IIS.

  1. In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
    • Name: X-XSS-Protection
    • Value: 1; mode=block
  2. Similarly, add the following HTTP Response Header:
    • Name: X-Frame-Options
    • Value: deny

More information:

Remove X-Powered-By HTTP Response Header in IIS

Disable TLS 1.0

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

Disable Weak Ciphers

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Allow Incoming Requests only from Localhost

This step applies only when traffic is routed through IIS. In GlassFish allow incoming requests only from localhost.

Change Glassfish Administrator Password

Change GlassFish administrator password

Remove GlassFish Specific Default and Error Pages

Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem andset its value to 1. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.

More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions

Check That Latest Java is Installed

Check that the latest version of Java 8 is installed.

Other Instructions to Hardening GlassFish Security

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html