QPR ProcessAnalyzer Security Hardening
The following list provides recommendations for improving (hardening) the security of QPR UI installation.
Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS
This step applies only when traffic is routed through IIS.
- In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
- Name: X-XSS-Protection
- Value: 1; mode=block
- Similarly, add the following HTTP Response Header:
- Name: X-Frame-Options
- Value: deny
More information:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Remove X-Powered-By HTTP Response Header in IIS
Disable TLS 1.0
Disable Weak Ciphers
Allow Incoming Requests only from Localhost
This step applies only when traffic is routed through IIS. In GlassFish allow incoming requests only from localhost.
Change Glassfish Administrator Password
Change GlassFish administrator password
Remove GlassFish Specific Default and Error Pages
Disable 8.3 File Name Creation
In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem andset its value to 1. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
Check That Latest Java is Installed
Check that the latest version of Java 8 is installed.
Other Instructions to Hardening GlassFish Security
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html