QPR ProcessAnalyzer Security Hardening: Difference between revisions
No edit summary |
|||
Line 58: | Line 58: | ||
== Other Instructions to Hardening GlassFish Security == | == Other Instructions to Hardening GlassFish Security == | ||
The response headers contain some information which should not be disclosed to the public to prevent targeted attacks. | * The response headers contain some information which should not be disclosed to the public to prevent targeted attacks. | ||
<blockquote> | <blockquote> | ||
Line 67: | Line 67: | ||
You can disable this by turning off the '''XPowered By:''' header with your http-listener and by adding a JVM-Option '''-Dproduct.name=""'''. | You can disable this by turning off the '''XPowered By:''' header with your http-listener and by adding a JVM-Option '''-Dproduct.name=""'''. | ||
* The application may leak sensitive data via application errors. | |||
Configure the '''Logger Settings''' in Glassfish from the [[GlassFish_Configuration_in_QPR_UI#Opening GlassFish Administration Console | GlassFish Administration Console ]]: | |||
# In the navigation tree, expand the '''Configurations''' node. | |||
# Under the '''Configurations''' node, click the server instance or cluster configuration for which you want to configure '''Logger Settings'''. | |||
# The '''Configuration''' page opens. | |||
# On the '''Configuration''' page, click '''Logger Settings'''. | |||
# The '''Logger Settings''' page for the selected configuration target opens. | |||
# Select the desired log level | |||
More information: | More information: | ||
* http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html | * http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html |
Revision as of 07:45, 1 November 2018
The following list provides recommendations for improving (hardening) the security of QPR UI installation.
Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS
This step applies only when traffic is routed through IIS.
- In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
- Name: X-XSS-Protection
- Value: 1; mode=block
- Similarly, add the following HTTP Response Header:
- Name: X-Frame-Options
- Value: deny
More information:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Remove X-Powered-By HTTP Response Header in IIS
This step applies only when traffic is routed through IIS.
- In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy
- Double-click HTTP Response Headers
- Click on the X-Powered-By header
- Click Remove on the right side pane to remove it from the response.
More information:
Disable TLS 1.0
Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.
In addition, we recommend that TLS 1.0 and TLS 1.1 are disabled on QPR UI server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to QPR UI support TLS 1.2. You may need to preserve support for TLS 1.1.
More information:
Disable Weak Ciphers
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.
More information:
Allow Incoming Requests only from Localhost
This step applies only when traffic is routed through IIS. In GlassFish allow incoming requests only from localhost.
Change Glassfish Administrator Password
Change GlassFish administrator password.
Remove GlassFish Specific Default and Error Pages
Disable 8.3 File Name Creation
In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.
More information:
Check That Latest Java is Installed
Check that the latest version of Java 8 is installed.
Other Instructions to Hardening GlassFish Security
- The response headers contain some information which should not be disclosed to the public to prevent targeted attacks.
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.8)
You can disable this by turning off the XPowered By: header with your http-listener and by adding a JVM-Option -Dproduct.name="".
- The application may leak sensitive data via application errors.
Configure the Logger Settings in Glassfish from the GlassFish Administration Console :
- In the navigation tree, expand the Configurations node.
- Under the Configurations node, click the server instance or cluster configuration for which you want to configure Logger Settings.
- The Configuration page opens.
- On the Configuration page, click Logger Settings.
- The Logger Settings page for the selected configuration target opens.
- Select the desired log level
More information: