QPR ProcessAnalyzer Security Hardening: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
Line 74: Line 74:
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions


== Add Security Related HTTP Headers in IIS ==
==HTTP Response Headers==
This chapter contains information about security related HTTP response headers that are already set by default in QPR ProcessAnalyzer. Thus, no actions are required regarding the HTTP response headers.


# In '''Internet Information Services (IIS) Console''', click the top level in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following headers:
=== Additional Security Related HTTP Headers in IIS ===
Following security related HTTP headers are set:
# Content-Security-Policy
# Content-Security-Policy
#* Name: '''Content-Security-Policy'''
#* Name: '''Content-Security-Policy'''
Line 89: Line 91:
#* Name: '''X-Content-Type-Options'''
#* Name: '''X-Content-Type-Options'''
#* Value: '''nosniff'''
#* Value: '''nosniff'''
Alternatively you can use the following Powershell script:
<pre>
Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="Content-Security-Policy";value="default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self';frame-src *;"}
Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="Strict-Transport-Security";value="max-age=31536000; includeSubDomains"}
Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="X-Frame-Options";value="sameorigin"}
Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name="X-Content-Type-Options";value="nosniff"}
</pre>


More information:
More information:
Line 104: Line 98:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options


== Remove X-Powered-By HTTP Header in IIS ==
=== Remove X-Powered-By HTTP Header in IIS ===
Removing the X-Powered-By HTTP response header improves security, as the underlying technology is not revealed. Follow these steps:
By default, IIS returns the X-Powered-By HTTP response header that has been removed. More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
# In '''Internet Information Services (IIS) Console''', click the top level in the left side hierarchy:
# Double-click '''HTTP Response Headers'''
# Click on the '''X-Powered-By''' header
# Click '''Remove''' on the right side pane to remove it from the response.
 
Powershell script to remove the X-Powered-By header:
<pre>
Remove-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/" -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name="X-Powered-By"}
</pre>
 
More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
 
== Remove Server HTTP Header in IIS ==
 
IIS 10.0 returns ''Server'' header in http response. It can be removed with the following PowerShell command:
<pre>
Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"
</pre>
 
Note that this setting is not applicable to earlier versions than IIS 10.0.
 
More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0
 


=== Remove Server HTTP Header in IIS ===
By default, IIS 10.0 returns ''Server'' header in http response that has been removed. More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0


[[Category: QPR ProcessAnalyzer]]
[[Category: QPR ProcessAnalyzer]]

Revision as of 18:26, 21 August 2023

The following list provides recommendations for improving (hardening) the security of QPR ProcessAnalyzer installation.

Disable SSL, TLS 1.0 and TLS 1.1

Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so it's recommended to only allow clients to connect with TLS 1.2 or TLS 1.3 (preferred). However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.

Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2: 

New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1

New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1

More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

Disable Weak Ciphers

Use only cipher suites that are considered secure. The up-to-date information regarding security of specific ciphers can be checked here: https://ciphersuite.info/ (use only the ciphers that are classified as recommended or secure). The up-to-date list of the recommended ciphers (maintained by Mozilla) are also available as json format: https://ssl-config.mozilla.org/guidelines/5.6.json (use only the ciphers in the modern and intermediate sections).

PowerShell commands to manage ciphers:

More information about how to configure ciphers on Windows systems: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Database User Least Privileges

While it's easiest to run QPR ProcessAnalyzer with a database user assigned the db_owner permissions, it's more safe to restrict the database permissions only to needed. The minimum permissions for QPR ProcessAnalyzer are the following:

  • db_datareader fixed database role
  • db_datawriter fixed database role
  • user defined role with the following permissions:
    • VIEW DATABASE STATE
    • EXECUTE on TYPE::PA_TABLETYPE_BigInt
    • EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax
    • ALTER
    • REFERENCES

Configure QPR ProcessAnalyzer to run with minimum permissions as follows:

  1. In the QPR ProcessAnalyzer database, click Security > Roles > Database Roles > Create Database Role....
  2. Give a name to the role (e.g. AdditionalPermissions) and click OK.
  3. To give permissions to the role, run the following commands:
GRANT VIEW DATABASE STATE to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_BigInt to AdditionalPermissions
GRANT EXECUTE on TYPE::PA_TABLETYPE_NVarCharMax to AdditionalPermissions
GRANT ALTER to AdditionalPermissions
GRANT REFERENCES to AdditionalPermissions

4. Assign needed roles to the database user by clicking Security > Users and double click the database user. Go to Membership tab and check that following roles are assigned:

  • db_datareader
  • db_datawrite
  • user defined role created earlier

Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.

Example Powershell script to disable 8.3 file name creation: 

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1

More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions

HTTP Response Headers

This chapter contains information about security related HTTP response headers that are already set by default in QPR ProcessAnalyzer. Thus, no actions are required regarding the HTTP response headers.

Additional Security Related HTTP Headers in IIS

Following security related HTTP headers are set:

  1. Content-Security-Policy
    • Name: Content-Security-Policy
    • Value: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self';frame-src *;
  2. Strict-Transport-Security (Note: HTTPS is required)
    • Name: Strict-Transport-Security
    • Value: max-age=31536000; includeSubDomains
  3. X-Frame-Options:
    • Name: X-Frame-Options
    • Value: sameorigin
  4. X-Content-Type-Options:
    • Name: X-Content-Type-Options
    • Value: nosniff

More information:

Remove X-Powered-By HTTP Header in IIS

By default, IIS returns the X-Powered-By HTTP response header that has been removed. More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

Remove Server HTTP Header in IIS

By default, IIS 10.0 returns Server header in http response that has been removed. More information: https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0

Retrieved from "https://wiki.onqpr.com/pa/index.php?title=QPR_ProcessAnalyzer_Security_Hardening&oldid=23377"