QPR ProcessAnalyzer Security Hardening
This article provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer Server installation. In addition to the server hardening, there are also hardening instructions for QPR ScriptLauncher installations.
Disable SSL, TLS 1.0 and TLS 1.1
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so it's recommended to only allow clients to connect with TLS 1.2 or TLS 1.3 (preferred). However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.
Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1
More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Disable Weak Ciphers
Use only cipher suites that are considered secure. The up-to-date information regarding security of specific ciphers can be checked here: https://ciphersuite.info/ (use only the ciphers that are classified as recommended or secure). The up-to-date list of the recommended ciphers (maintained by Mozilla) are also available as json format: https://ssl-config.mozilla.org/guidelines/5.6.json (use only the ciphers in the modern and intermediate sections).
PowerShell commands to manage ciphers:
- Get list of all allowed ciphers in computer: https://docs.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite
- Disable ciphers: https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsciphersuite
- Enable ciphers: https://docs.microsoft.com/en-us/powershell/module/tls/enable-tlsciphersuite
More information about how to configure ciphers on Windows systems: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
Database User Least Privileges
While it's easiest to run QPR ProcessAnalyzer with a database user assigned the db_owner permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions for QPR ProcessAnalyzer are the following:
- db_datareader fixed database role
- db_datawriter fixed database role
- user defined role with the following permissions:
- VIEW DATABASE STATE
- EXECUTE on TYPE::PA_TABLETYPE_BigInt
- EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax
- ALTER
- REFERENCES
Configure QPR ProcessAnalyzer to run with minimum permissions as follows:
- In the QPR ProcessAnalyzer database, click Security > Roles > Database Roles > Create Database Role....
- Give a name to the role (e.g. AdditionalPermissions) and click OK.
- To give permissions to the role, run the following commands:
GRANT VIEW DATABASE STATE to AdditionalPermissions GRANT EXECUTE on TYPE::PA_TABLETYPE_BigInt to AdditionalPermissions GRANT EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax to AdditionalPermissions GRANT ALTER to AdditionalPermissions GRANT REFERENCES to AdditionalPermissions
4. Assign needed roles to the database user by clicking Security > Users and double click the database user. Go to Membership tab and check that following roles are assigned:
- db_datareader
- db_datawrite
- user defined role created earlier
Disable 8.3 File Name Creation
In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.
Example Powershell script to disable 8.3 file name creation:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
White-list allowed source IP addresses
Security can be improved by restricting (white-listing) from which source IP addresses connections to the QPR ProcessAnalyzer UI and API can be established. This restriction is typically set in the firewall which can be part of the network infrastructure or it can be in the server machine. If taking this method into use, considered the effort to maintain the up-to-date list of allowed IP addresses versus the gained benefit of the restriction.
HTTP Response Headers
This section contains information about added or removed HTTP response headers that are related security.
Added HTTP Headers
Following security related HTTP headers are set:
- Content-Security-Policy
- Name: Content-Security-Policy
- Value: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self';frame-src 'self';
- Strict-Transport-Security (Note: HTTPS is required)
- Name: Strict-Transport-Security
- Value: max-age=31536000; includeSubDomains
- X-Content-Type-Options:
- Name: X-Content-Type-Options
- Value: nosniff
More information:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://content-security-policy.com/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Removed HTTP Headers
By default, IIS returns the X-Powered-By HTTP response header that has been removed in QPR ProcessAnalyzer. More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
By default, IIS 10.0 returns Server header in http response that has been removed in QPR ProcessAnalyzer. More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0