QPR ProcessAnalyzer Security Hardening: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
The following list provides recommendations for improving (hardening) the security of QPR UI installation.
The following list provides recommendations for improving (hardening) the security of QPR UI installation.


== Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS ==
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following:
#* Name: '''X-XSS-Protection'''
#* Value: '''1; mode=block'''
# Similarly, add the following HTTP Response Header:
#* Name: '''X-Frame-Options'''
#* Value: '''deny'''
Here is an example of Powershell script to add X-XSS-Protection and X-Frame-Options HTTP Response Headers:
<pre>
#Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-XSS-Protection';value='1; mode=block'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Frame-Options';value='deny'}
</pre>
More information:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
== Remove X-Powered-By HTTP Response Header in IIS ==
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy
# Double-click '''HTTP Response Headers'''
# Click on the '''X-Powered-By''' header
# Click '''Remove''' on the right side pane to remove it from the response.


Here is an example of Powershell script to remove X-Powered-By HTTP Response Header:
==System Hardening==
<pre>
=== Disable TLS 1.0 and TLS 1.1, ensure TLS 1.2 is enabled ===
#Remove X-Powered-By HTTP Response Header in IIS
Remove-WebConfigurationProperty  -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}
</pre>
 
More information:
* https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
 
== Disable TLS 1.0 ==
Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.
Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.


Line 68: Line 33:
* https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
* https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat


== Disable Weak Ciphers ==
 
=== Disable Weak Ciphers ===
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for [https://nvd.nist.gov/vuln/detail/CVE-2016-2183 CVE-2016-2183].
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for [https://nvd.nist.gov/vuln/detail/CVE-2016-2183 CVE-2016-2183].


Line 81: Line 47:
* https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
* https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc


== Allow Incoming Requests only from Localhost ==
 
=== Disable 8.3 File Name Creation===
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' and set its value to '''1'''. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.
 
Here is an example of Powershell script to disable 8.3 File Name Creation:
<pre>
#Disable 8.3 File Name Creation
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
</pre>
 
More information:
* https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
 
 
=== Check That Latest Java is Installed ===
Check that the [[QPR_UI_System_Requirements#Other Needed Server Components|latest version of Java 8]] is installed.
 
 
 
==IIS Hardening==
=== Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS ===
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
In GlassFish allow incoming requests only from localhost.
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following:
#* Name: '''X-XSS-Protection'''
#* Value: '''1; mode=block'''
# Similarly, add the following HTTP Response Header:
#* Name: '''X-Frame-Options'''
#* Value: '''deny'''
 
Here is an example of Powershell script to add X-XSS-Protection and X-Frame-Options HTTP Response Headers:
 
<pre>
#Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-XSS-Protection';value='1; mode=block'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Frame-Options';value='deny'}
</pre>
 
More information:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 
 
=== Remove X-Powered-By HTTP Response Header in IIS ===
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy
# Double-click '''HTTP Response Headers'''
# Click on the '''X-Powered-By''' header
# Click '''Remove''' on the right side pane to remove it from the response.
 
Here is an example of Powershell script to remove X-Powered-By HTTP Response Header:
<pre>
#Remove X-Powered-By HTTP Response Header in IIS
Remove-WebConfigurationProperty  -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}
</pre>
 
More information:
* https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
 


== Change Glassfish Administrator Password==
== Glassfish Hardening ==
=== Change Glassfish Administrator Password===
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]].
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]].


Line 95: Line 117:
</pre>
</pre>


== Disable 8.3 File Name Creation==
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' and set its value to '''1'''. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.


Here is an example of Powershell script to disable 8.3 File Name Creation:
=== Allow Incoming Requests only from Localhost ===
<pre>
This step applies only when [[Routing_Through_IIS_in_QPR_UI|traffic is routed through IIS]].
#Disable 8.3 File Name Creation
In GlassFish allow incoming requests only from localhost.
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
</pre>
 
More information:
* https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions


== Check That Latest Java is Installed ==
Check that the [[QPR_UI_System_Requirements#Other Needed Server Components|latest version of Java 8]] is installed.


== Other Instructions to Hardening GlassFish Security ==
=== Remove server information from headers response ===


* The response headers contain some information which should not be disclosed to the public to prevent targeted attacks.
The response headers contain some information which should not be disclosed to the public to prevent targeted attacks.


<pre>
<pre>

Revision as of 12:28, 7 November 2018

The following list provides recommendations for improving (hardening) the security of QPR UI installation.


System Hardening

Disable TLS 1.0 and TLS 1.1, ensure TLS 1.2 is enabled

Transport Layer Security (TLS) is used to authenticate and encrypt connections with external clients such as browsers. Browsers connect to QPR UI using TLS over HTTPS. TLS is an improved version of SSL (Secure Sockets Layer). Versions of SSL 2.0 and 3.0 are no longer considered to be adequately secure communication standards. We recommend that you only allow external clients to connect with TLS 1.2.

In addition, we recommend that TLS 1.0 and TLS 1.1 are disabled on QPR UI server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to QPR UI support TLS 1.2. You may need to preserve support for TLS 1.1.

Here is an example of Powershell script to disable and enable TLS protocol: 

#Disable TLS 1.0 and TLS 1.1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1

#Enable TLS 1.2
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1
New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1

More information:


Disable Weak Ciphers

The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.

Here is an example of Powershell script to disable 3DES cipher suite: 

#Disable Weak Ciphers
New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force
Set-ItemProperty  -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0

More information:


Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.

Here is an example of Powershell script to disable 8.3 File Name Creation: 

#Disable 8.3 File Name Creation
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1

More information:


Check That Latest Java is Installed

Check that the latest version of Java 8 is installed.


IIS Hardening

Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS

This step applies only when traffic is routed through IIS.

  1. In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
    • Name: X-XSS-Protection
    • Value: 1; mode=block
  2. Similarly, add the following HTTP Response Header:
    • Name: X-Frame-Options
    • Value: deny

Here is an example of Powershell script to add X-XSS-Protection and X-Frame-Options HTTP Response Headers: 

#Add X-XSS-Protection and X-Frame-Options HTTP Response Headers to IIS
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-XSS-Protection';value='1; mode=block'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Frame-Options';value='deny'}

More information:


Remove X-Powered-By HTTP Response Header in IIS

This step applies only when traffic is routed through IIS.

  1. In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy
  2. Double-click HTTP Response Headers
  3. Click on the X-Powered-By header
  4. Click Remove on the right side pane to remove it from the response.

Here is an example of Powershell script to remove X-Powered-By HTTP Response Header: 

#Remove X-Powered-By HTTP Response Header in IIS
Remove-WebConfigurationProperty  -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui'  -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}

More information:


Glassfish Hardening

Change Glassfish Administrator Password

Change GlassFish administrator password.

Here is an example of Powershell script to change Glassfish Administrator password: 

#Change Glassfish Administrator Password (CMD popup will ask for password. Default glassfish admin credentials: admin/admin)
Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList "change-admin-password" -Wait
Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList 'set configs.config.server-config.http-service.virtual-server.server.property.errorReportValve=""' -Wait


Allow Incoming Requests only from Localhost

This step applies only when traffic is routed through IIS. In GlassFish allow incoming requests only from localhost.


Remove server information from headers response

The response headers contain some information which should not be disclosed to the public to prevent targeted attacks. 

Server: GlassFish Server Open Source Edition  4.1 
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition  4.1  Java/Oracle Corporation/1.8)

You can disable this by turning off the XPowered By: header with your http-listener and by adding a JVM-Option -Dproduct.name="".

More information:

Retrieved from "https://wiki.onqpr.com/pa/index.php?title=QPR_ProcessAnalyzer_Security_Hardening&oldid=11313"