QPR ProcessAnalyzer Security Hardening: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation.
The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation.


== Database Least Privilege ==
== Database User Least Privileges ==
While it's easiest to run QPR ProcessAnalyzer with a database user assigned the [https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15 db_owner] permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions are the following:
While it's easiest to run QPR ProcessAnalyzer with a database user assigned the [https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15 db_owner] permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions are the following:
* db_datareader role
* db_datareader fixed database role
* db_datawriter role
* db_datawriter fixed database role
* user defined role with the following permissions:
* user defined role with the following permissions:
** VIEW DATABASE STATE
** VIEW DATABASE STATE
Line 12: Line 12:
** REFERENCES
** REFERENCES


To create a user defined role:
Define the permissions as follows:
# Click the QPR ProcessAnalyzer database, '''Security''' > '''Roles''' > '''Database Roles''' > '''Create Database Role...'''.
# In the QPR ProcessAnalyzer database, click '''Security''' > '''Roles''' > '''Database Roles''' > '''Create Database Role...'''.
# Give a new to the role (e.g. ''AdditionalPermissions'') and click '''OK'''.
# Give a neme to the role (e.g. ''AdditionalPermissions'') and click '''OK'''.
# To give permissions to the new role, run the following commands:
# To give permissions to the role, run the following commands:
<pre>
<pre>
GRANT VIEW DATABASE STATE to AdditionalPermissions
GRANT VIEW DATABASE STATE to AdditionalPermissions
Line 23: Line 23:
GRANT REFERENCES to AdditionalPermissions
GRANT REFERENCES to AdditionalPermissions
</pre>
</pre>
# Assign the new role to the database user '''Security''' > '''Users''' and click the user. Go to '''Membership''', and check that following roles are assigned:
4. Assign needed roles to the database user by clicking '''Security''' > '''Users''' and double click the database user. Go to '''Membership''' tab and check that following roles are assigned:
#* db_datareader
* db_datareader
#* db_datawrite
* db_datawrite
#* the new role created earlier
* the new role created earlier


== Disable SSL, TLS 1.0 and TLS 1.1, and Enable TLS 1.2 ==
== Disable SSL, TLS 1.0 and TLS 1.1, and Enable TLS 1.2 ==

Revision as of 20:32, 24 March 2020

The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation.

Database User Least Privileges

While it's easiest to run QPR ProcessAnalyzer with a database user assigned the db_owner permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions are the following:

  • db_datareader fixed database role
  • db_datawriter fixed database role
  • user defined role with the following permissions:
    • VIEW DATABASE STATE
    • EXECUTE on TYPE::PA_TABLETYPE_BigInt
    • EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax
    • ALTER
    • REFERENCES

Define the permissions as follows:

  1. In the QPR ProcessAnalyzer database, click Security > Roles > Database Roles > Create Database Role....
  2. Give a neme to the role (e.g. AdditionalPermissions) and click OK.
  3. To give permissions to the role, run the following commands:
GRANT VIEW DATABASE STATE to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_BigInt to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax to AdditionalPermissions
GRANT ALTER to AdditionalPermissions
GRANT REFERENCES to AdditionalPermissions

4. Assign needed roles to the database user by clicking Security > Users and double click the database user. Go to Membership tab and check that following roles are assigned:

  • db_datareader
  • db_datawrite
  • the new role created earlier

Disable SSL, TLS 1.0 and TLS 1.1, and Enable TLS 1.2

Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.

Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:

#Disable TLS 1.0 and TLS 1.1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1

#Enable TLS 1.2
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1

More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

Disable Weak Ciphers

The Triple-DES cipher is no longer adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.

Here is a Powershell script to disable Triple-DES cipher:

New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force
Set-ItemProperty  -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0

More information: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Add Security Related HTTP Headers in IIS

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.

  1. In Internet Information Services (IIS) Console, click the top level in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
  2. Content-Security-Policy
    • Name: Content-Security-Policy
    • Value: default-src 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://devnet.onqpr.com/;
  3. Strict-Transport-Security
    • Name: Strict-Transport-Security
    • Value: max-age=31536000; includeSubDomains
  4. X-XSS-Protection
    • Name: X-XSS-Protection
    • Value: 1; mode=block
  5. X-Frame-Options:
    • Name: X-Frame-Options
    • Value: deny
  6. X-Content-Type-Options:
    • Name: X-Content-Type-Options
    • Value: nosniff

Here is a Powershell script to add the HTTP headers:

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='Content-Security-Policy';value='default-src 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://devnet.onqpr.com/;'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='Strict-Transport-Security';value='max-age=31536000; includeSubDomains'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-XSS-Protection';value='1; mode=block'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Frame-Options';value='deny'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Content-Type-Options';value='nosniff'}

More information:

Remove X-Powered-By HTTP Header in IIS

Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. This step applies only when IIS is used as a reverse proxy for QPR UI.

  1. In Internet Information Services (IIS) Console, click the top level in the left side hierarchy:
  2. Double-click HTTP Response Headers
  3. Click on the X-Powered-By header
  4. Click Remove on the right side pane to remove it from the response.

Here is a Powershell script to remove X-Powered-By HTTP Response Header:

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/' -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}

More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.

Example Powershell script to disable 8.3 file name creation:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1

More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions