QPR ProcessAnalyzer Security Hardening: Difference between revisions
No edit summary |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
The following list provides recommendations for improving (hardening) the security of QPR UI installation. | The following list provides recommendations for improving (hardening) the security of QPR UI installation. | ||
==System Hardening== | ==System Hardening== | ||
=== Disable SSL, TLS 1.0 and TLS 1.1, Ensure TLS 1.2 Enabled === | |||
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled. | |||
Here is | Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2: | ||
<pre> | <pre> | ||
Line 30: | Line 28: | ||
</pre> | </pre> | ||
More information: | More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat | ||
=== Disable Weak Ciphers === | === Disable Weak Ciphers === | ||
The Triple-DES cipher | The Triple-DES cipher is no longer adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for [https://nvd.nist.gov/vuln/detail/CVE-2016-2183 CVE-2016-2183]. | ||
Here is | Here is a Powershell script to disable Triple-DES cipher: | ||
<pre> | <pre> | ||
#Disable | #Disable Triple-DES | ||
New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force | New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force | ||
Set-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0 | Set-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0 | ||
</pre> | </pre> | ||
More information: | More information: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc | ||
=== Check the Latest Java Version Installed === | |||
Check that the [[QPR_UI_System_Requirements#Other Needed Server Components|latest version of Java 8]] is installed. Make sure also that the automatic updating of Java is enabled. | |||
=== Disable 8.3 File Name Creation=== | === Disable 8.3 File Name Creation=== | ||
In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' and set its value to '''1'''. Note that in the computer, there may be applications that require 8.3 file names and thus may stop working. | In order to disable short names creation, add a registry key named '''NtfsDisable8dot3NameCreation''' to '''HKLM\SYSTEM\CurrentControlSet\Control\FileSystem''' and set its value to '''1'''. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working. | ||
Here is an example of Powershell script to disable 8.3 | Here is an example of Powershell script to disable 8.3 file name creation: | ||
<pre> | <pre> | ||
#Disable 8.3 File Name Creation | #Disable 8.3 File Name Creation | ||
Line 57: | Line 54: | ||
</pre> | </pre> | ||
More information: | More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions | ||
=== | ==Hardening Security with IIS Settings== | ||
=== X-XSS-Protection, X-Frame-Options and X-Content-Type-Options HTTP Response Headers === | |||
This step applies only when IIS is used as a [[Setting up IIS as Reverse Proxy for QPR UI|reverse proxy for QPR UI]]. | |||
=== | |||
This step applies only when [[ | |||
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following: | # In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy, double-click '''HTTP Response Headers''', click '''Add...''' on the right side pane, and define the following: | ||
#* Name: '''X-XSS-Protection''' | #* Name: '''X-XSS-Protection''' | ||
Line 79: | Line 70: | ||
#* Value: '''nosniff''' | #* Value: '''nosniff''' | ||
Here is a Powershell script to add X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options HTTP Response Headers: | |||
Here is | |||
<pre> | <pre> | ||
Line 94: | Line 84: | ||
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | ||
=== Remove the Default X-Powered-By HTTP Response Header in IIS === | |||
=== Remove X-Powered-By HTTP Response Header in IIS === | Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. This step applies only when IIS is used as a [[Setting up IIS as Reverse Proxy for QPR UI|reverse proxy for QPR UI]]. | ||
This step applies only when [[ | |||
# In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy | # In '''Internet Information Services (IIS) Console''', click '''ui''' folder in the left side hierarchy | ||
# Double-click '''HTTP Response Headers''' | # Double-click '''HTTP Response Headers''' | ||
Line 102: | Line 91: | ||
# Click '''Remove''' on the right side pane to remove it from the response. | # Click '''Remove''' on the right side pane to remove it from the response. | ||
Here is | Here is a Powershell script to remove X-Powered-By HTTP Response Header: | ||
<pre> | <pre> | ||
#Remove X-Powered-By HTTP Response Header in IIS | #Remove X-Powered-By HTTP Response Header in IIS | ||
Line 108: | Line 97: | ||
</pre> | </pre> | ||
More information: | More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/ | ||
== Glassfish | == Hardening Security with Glassfish Settings == | ||
=== Change Glassfish Administrator Password=== | === Change Glassfish Administrator Password=== | ||
Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]]. | Change [[GlassFish Configuration in QPR UI#Changing Glassfish Administrator Password|GlassFish administrator password]]. | ||
Here is | Here is a Powershell script to change Glassfish Administrator password: | ||
<pre> | <pre> | ||
#Change Glassfish Administrator Password (CMD popup will ask for password. Default glassfish admin credentials: admin/admin) | #Change Glassfish Administrator Password (CMD popup will ask for password. Default glassfish admin credentials: admin/admin) | ||
Line 121: | Line 109: | ||
Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList 'set configs.config.server-config.http-service.virtual-server.server.property.errorReportValve=""' -Wait | Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList 'set configs.config.server-config.http-service.virtual-server.server.property.errorReportValve=""' -Wait | ||
</pre> | </pre> | ||
=== Allow Incoming Requests only from Localhost === | === Allow Incoming Requests only from Localhost === | ||
This step applies only when [[ | This step applies only when IIS is used as a [[Setting up IIS as Reverse Proxy for QPR UI|reverse proxy for QPR UI]]. In GlassFish allow incoming requests only from localhost. | ||
In GlassFish allow incoming requests only from localhost. | |||
=== Remove the Default X-Powered-By HTTP Response Header in GlassFish === | |||
Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. You can disable this by turning off the '''XPowered By:''' header with your http-listener and by adding a JVM-Option '''-Dproduct.name=""'''. | |||
More information about Glassfish hardening: | More information about Glassfish hardening: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html | ||
Revision as of 18:45, 17 February 2019
The following list provides recommendations for improving (hardening) the security of QPR UI installation.
System Hardening
Disable SSL, TLS 1.0 and TLS 1.1, Ensure TLS 1.2 Enabled
Transport Layer Security (TLS) is used to encrypt connections with clients, such as web browsers. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are no longer adequately secure, so we recommend to only allow clients to connect with TLS 1.2. However, some client devices might not support TLS 1.2, so you might need to keep TLS 1.0 and/or TLS 1.1 enabled.
Here is a Powershell script to disable TLS 1.0 and TLS 1.1 and enable TLS 1.2:
#Disable TLS 1.0 and TLS 1.1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\" -Name Enabled -Type Dword -Value 0 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\" -Name DisabledByDefault -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\" -Name DisabledByDefault -Type Dword -Value 1 #Enable TLS 1.2 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\" -Name Enabled -Type Dword -Value 1 New-Item -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Force Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name DisabledByDefault -Type Dword -Value 0 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\" -Name Enabled -Type Dword -Value 1
More information: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Disable Weak Ciphers
The Triple-DES cipher is no longer adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.
Here is a Powershell script to disable Triple-DES cipher:
#Disable Triple-DES New-Item -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Force Set-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Name Enabled -Type Dword -Value 0
More information: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
Check the Latest Java Version Installed
Check that the latest version of Java 8 is installed. Make sure also that the automatic updating of Java is enabled.
Disable 8.3 File Name Creation
In order to disable short names creation, add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set its value to 1. Note that in the computer, there may be other applications that require 8.3 file names and thus may stop working.
Here is an example of Powershell script to disable 8.3 file name creation:
#Disable 8.3 File Name Creation Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name NtfsDisable8dot3NameCreation -Value 1
More information: https://support.microsoft.com/en-us/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions
Hardening Security with IIS Settings
X-XSS-Protection, X-Frame-Options and X-Content-Type-Options HTTP Response Headers
This step applies only when IIS is used as a reverse proxy for QPR UI.
- In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following:
- Name: X-XSS-Protection
- Value: 1; mode=block
- Similarly, add the following HTTP Response Header:
- Name: X-Frame-Options
- Value: deny
- Finally add also:
- Name: X-Content-Type-Options
- Value: nosniff
Here is a Powershell script to add X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options HTTP Response Headers:
#Add X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options HTTP Response Headers to IIS Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-XSS-Protection';value='1; mode=block'} Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Frame-Options';value='deny'} Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='X-Content-Type-Options';value='nosniff'}
More information:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Remove the Default X-Powered-By HTTP Response Header in IIS
Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. This step applies only when IIS is used as a reverse proxy for QPR UI.
- In Internet Information Services (IIS) Console, click ui folder in the left side hierarchy
- Double-click HTTP Response Headers
- Click on the X-Powered-By header
- Click Remove on the right side pane to remove it from the response.
Here is a Powershell script to remove X-Powered-By HTTP Response Header:
#Remove X-Powered-By HTTP Response Header in IIS Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/ui' -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}
More information: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
Hardening Security with Glassfish Settings
Change Glassfish Administrator Password
Change GlassFish administrator password.
Here is a Powershell script to change Glassfish Administrator password:
#Change Glassfish Administrator Password (CMD popup will ask for password. Default glassfish admin credentials: admin/admin) Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList "change-admin-password" -Wait Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList 'set configs.config.server-config.http-service.virtual-server.server.property.errorReportValve=""' -Wait
Allow Incoming Requests only from Localhost
This step applies only when IIS is used as a reverse proxy for QPR UI. In GlassFish allow incoming requests only from localhost.
Remove the Default X-Powered-By HTTP Response Header in GlassFish
Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. You can disable this by turning off the XPowered By: header with your http-listener and by adding a JVM-Option -Dproduct.name="".
More information about Glassfish hardening: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html