QPR ProcessAnalyzer Security Hardening

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search

The following list provides recommendations for improving (hardening) the security of QPR UI installation.

IIS Response Headers: X-XSS-Protection and X-Frame-Options

This step applies only when traffic is routed through IIS.

  1. In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
    • Name: X-XSS-Protection
    • Value: 1; mode=block
  2. Similarly, add the following HTTP Response Header:
    • Name: X-Frame-Options
    • Value: deny

More information:

Allow Incoming Requests only from Localhost

This step applies only when traffic is routed through IIS. In GlassFish allow incoming requests only from localhost.

Change Glassfish Administrator Password

Change GlassFish administrator password

Latest Java is Installed

Check that the latest version of Java 8 is installed.

Disable 8.3 File Name Creation

In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem andset its value to 1. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working.

More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions

Disable All SSL Versions and TLS 1.0

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

Disable Weak Ciphers

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Remove X-Powered-By HTTP Response Header in IIS

Remove GlassFish Specific Default and Error Pages

Hardening GlassFish Security

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html