QPR ProcessAnalyzer Security Hardening
The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation.
Database User Least Privileges
While it's easiest to run QPR ProcessAnalyzer with a database user assigned the db_owner permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions for QPR ProcessAnalyzer are the following:
- db_datareader fixed database role
- db_datawriter fixed database role
- user defined role with the following permissions:
- VIEW DATABASE STATE
- EXECUTE on TYPE::PA_TABLETYPE_BigInt
- EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax
- ALTER
- REFERENCES
Configure QPR ProcessAnalyzer to run with minimum permissions as follows:
- In the QPR ProcessAnalyzer database, click Security > Roles > Database Roles > Create Database Role....
- Give a name to the role (e.g. AdditionalPermissions) and click OK.
- To give permissions to the role, run the following commands:
GRANT VIEW DATABASE STATE to AdditionalPermissions GRANT EXECUTE on TYPE::PA_TABLETYPE_BigInt to AdditionalPermissions GRANT EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax to AdditionalPermissions GRANT ALTER to AdditionalPermissions GRANT REFERENCES to AdditionalPermissions
4. Assign needed roles to the database user by clicking Security > Users and double click the database user. Go to Membership tab and check that following roles are assigned:
- db_datareader
- db_datawrite
- user defined role created earlier
Disable SSL, TLS 1.0 and TLS 1.1, and Enable TLS 1.2
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.
Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:
#Disable TLS 1.0 and TLS 1.1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1 #Enable TLS 1.2 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1
More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Disable Weak Ciphers
The Triple-DES cipher is no longer adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.
Here is a Powershell script to disable Triple-DES cipher:
New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force Set-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0
More information: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
Add Security Related HTTP Headers in IIS
- In Internet Information Services (IIS) Console, click the top level in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following headers:
- Content-Security-Policy
- Name: Content-Security-Policy
- Value: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://devnet.onqpr.com/;
- Strict-Transport-Security (Note: HTTPS is required)
- Name: Strict-Transport-Security
- Value: max-age=31536000; includeSubDomains
- X-Frame-Options:
- Name: X-Frame-Options
- Value: deny
- X-Content-Type-Options:
- Name: X-Content-Type-Options
- Value: nosniff
Alternatively you can use the following Powershell script:
Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="Content-Security-Policy";value="default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://devnet.onqpr.com/;"} Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="Strict-Transport-Security";value="max-age=31536000; includeSubDomains"} Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="X-Frame-Options";value="deny"} Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="X-Content-Type-Options";value="nosniff"}
More information:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP / https://content-security-policy.com/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Remove X-Powered-By HTTP Header in IIS
Removing the X-Powered-By HTTP response header improves security, as the underlying technology is not revealed. Follow these steps:
- In Internet Information Services (IIS) Console, click the top level in the left side hierarchy:
- Double-click HTTP Response Headers
- Click on the X-Powered-By header
- Click Remove on the right side pane to remove it from the response.
Here is a Powershell script to remove X-Powered-By HTTP Response Header:
Remove-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name="X-Powered-By"}
More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
Remove Server HTTP Header in IIS
IIS 10.0 returns Server header in http response. It can be removed with the following PowerShell command:
Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"
Note that this setting is not applicable to earlier versions than IIS 10.0.
More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0
Remove X-Aspnet-Version HTTP Header in IIS (already set)
The web.config file provided with QPR ProcessAnalyzer sets enableVersionHeader="false" of the httpRuntime element, removing the X-Aspnet-Version HTTP response header in failed requests. Example:
<httpRuntime maxRequestLength="2147483647" executionTimeout="3600" requestValidationMode="2.0" requestPathInvalidCharacters="" enableVersionHeader="false" />
Disable 8.3 File Name Creation
In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.
Example Powershell script to disable 8.3 file name creation:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions