Locking Down a Hitachi ID Identity and Access Management Suite Server

Abstract
Organizations that are either considering deployment of Hitachi ID Identity and Access Management Suite, or have already deployed it, need to understand how to secure the server it runs on. The suite is a sensitive part of an organization's IT infrastructure and consequently must be defended by strong security measures.

This document is a "best practices" guide for securing a Hitachi ID Identity and Access Management Suite server. The objective is a reliable, highly available server that is difficult or impossible for users and intruders to compromise.

It is important to protect not only the Hitachi ID Identity and Access Management Suite server but also the sensitive data it stores, which includes:

  • Administrator credentials that Hitachi ID Identity and Access Management Suite uses to authenticate to target systems and perform operations.
  • Support staff passwords that are used by Hitachi ID Identity and Access Management Suite to authenticate help desk analysts.
  • Personal user data that is managed by Hitachi ID Identity and Access Management Suite and used to authenticate users who access Hitachi ID Identity and Access Management Suite's self-service portal.

This document is organized as follows:

  • Basic precautions

    Some common-sense security precautions.

  • Physical access and security

    Provides suggestions on how to control physical access to the Hitachi ID Identity and Access Management Suite server.

  • Employee training

    Explains the importance of security awareness training for all employees.

  • Hardening the operating system

    Explains how to configure a secure Microsoft Windows server for use with Hitachi ID Identity and Access Management Suite.

  • Web server

    Explains how to select and configure the web server that serves the Hitachi ID Identity and Access Management Suite software.

  • Password and key management

    Provides guidance on password management.

  • Communication defenses

    Explains how to protect the data transmitted to and from each Hitachi ID Identity and Access Management Suite server.

  • Auditing

    Explains why auditing is important and provides guidance on monitoring access, events, and changes to Hitachi ID Identity and Access Management Suite.

  • Microsoft Security Compliance Manager Toolkit

    Information on Microsoft Security Compliance Manager.

  • More information

    A list of references for further information regarding network security and server hardening.

Basic precautions

Some of the most effective security measures are common sense:

  • Use a single-purpose server for Hitachi ID Identity and Access Management Suite. Sharing this server with other applications introduces more complexity and more administrators, each of which carries its own incremental risk.

  • Use strong passwords for every administrative account on the server.

  • Maintain a current, well-patched operating system on the Hitachi ID Identity and Access Management Suite server. This eliminates well-known bugs that have already been addressed by the vendor (Microsoft).

  • Keep the Hitachi ID Identity and Access Management Suite server in a physically secure location.

  • Provide security awareness training to all employees.

  • Install anti-virus/anti-malware software and keep it up to date.

  • Do not leave a login session open and unattended on the Hitachi ID Identity and Access Management Suite server's console.

  • Place the Hitachi ID Identity and Access Management Suite server on your internal network rather than on the Internet, if this is possible in your environment. If required, you can still expose the password management web pages to the extranet through a reverse proxy (for example, a Linux or Solaris server running Apache that is connected to both your intranet and extranet), so that no direct connection from the Internet reaches the suite server itself.

  • Schedule periodic examination of Hitachi ID Identity and Access Management Suite, Windows and network device logs.

  • Use the Microsoft Security Compliance Manager for information on additional measures you can take to further harden your server.

Physical access and security

Hitachi ID Identity and Access Management Suite servers should be physically protected, since any logical security measures can be bypassed by an intruder with physical access to the server, time, and skill.

Suggestions for physically securing the Hitachi ID Identity and Access Management Suite server include:

  • Restricting physical access

    Put Hitachi ID Identity and Access Management Suite server(s) in a locked and secured room. Restrict access to authorized personnel only. Hitachi ID Identity and Access Management Suite administrators should install and configure the server(s), then restrict themselves to accessing Hitachi ID Identity and Access Management Suite using the web interface rather than console access. Ensure that no login sessions to Hitachi ID Identity and Access Management Suite are left open and unattended, and ensure that all access to the server, physically and remotely, is logged.

  • Ensuring uninterruptible power

    • Protect Hitachi ID Identity and Access Management Suite servers with adequate, online (also known as continuous) uninterruptible power sources (UPS). UPS equipment will protect the server from temporary power loss that could cause a server crash or corruption of critical user files.

    • While many UPSs tune and condition the electricity they supply, for the best possible protection, use a UPS that also provides surge protection to protect the servers from damaging spikes.

    • Use a UPS that also provides data line protection to avoid indirect damage from a spike traveling through the ethernet cables.

    • Configure the UPS software to execute a graceful shutdown in the case of an extended power outage, longer than the runtime of the battery, to avoid data corruption if the server crashes.

  • Locking down removable media

    Restrict the boot process so it is more difficult for intruders to circumvent Windows security by booting from floppy disks, a CD-ROM or a USB drive. Specifically, use a BIOS-level password, disable boot from a floppy drive, USB or CD-ROM drive, and lock the system BIOS to prevent unauthorized changes to the BIOS configuration.

Employee training

An organization can have the strongest security policies and procedures, but they can be completely undermined if the employees do not know of their existence, or do not understand their own role in the security of the organization. Employees must understand their organization's security policies and procedures to implement and maintain the required measures.

Security Awareness training should include:

  1. Building security, visitor requirements, ID badge requirements.
  2. Password policies, including the importance of not sharing passwords.
  3. Social engineering - what it is and how to avoid it.
  4. Malware and phishing and how someone can gain access to important data using either.
  5. The consequences of a security breach.
  6. Mobile device security requirements, including mobile phones and laptops.
  7. The risks of leaving workstations unlocked when unattended.

Hardening the operating system

Hitachi ID Systems requires that Hitachi ID Identity and Access Management Suite be installed on a Microsoft Windows Server 2003, Windows Server 2008, or Windows Server 2012 operating system. The first step in configuring a secure Hitachi ID Identity and Access Management Suite server is to harden its operating system. The following are suggestions on how to lock down the operating system.

Service packs

Install the latest service packs, as these frequently include security patches and updates.

Equally important to installing the latest service pack is testing the service pack installation before deployment on a production platform. This will ensure there are no adverse effects on Hitachi ID Identity and Access Management Suite.

Hitachi ID Systems recommends that you keep up to date with the latest Windows security updates by subscribing to Microsoft's security bulletin notifications at:

http://www.microsoft.com/technet/security/bulletin/notify.mspx

Securing the server setup

Since the Hitachi ID Identity and Access Management Suite server contains sensitive information, you should restrict the users who can access its files.

Domain membership

One way to limit the number of users who can access the Hitachi ID Identity and Access Management Suite server is to remove it from any Windows domain. If the Hitachi ID Identity and Access Management Suite server is not a member of a domain, it reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Hitachi ID Identity and Access Management Suite server.

Ensuring that the Hitachi ID Identity and Access Management Suite server is not a domain member also reduces the risk of lockouts due to concurrent domain logins by the Hitachi ID Identity and Access Management Suite server - some by Hitachi ID Identity and Access Management Suite itself, and others by an administrator logged into the server's console.

Accounts

The Hitachi ID Identity and Access Management Suite setup program creates one local user on the Hitachi ID Identity and Access Management Suite server, called psadmin. The account is, by default, a member of the Administrators group. It is the only account needed by Hitachi ID Identity and Access Management Suite. Hitachi ID Systems recommends the following:

  • Remove unused accounts, leaving just psadmin -- the Hitachi ID Identity and Access Management Suite service account.
  • Create one administrator account to be used by the Hitachi ID Identity and Access Management Suite administrator to manage the server and establish a strong password for it.
  • Disable the default administrator account.
  • Ensure the Guest account is not enabled.

If you must have other accounts on the Hitachi ID Identity and Access Management Suite server, then Hitachi ID Systems recommends the following:

  • Remove all guest account access to resources.
  • Do not increase the default level of access for the default USERS group.
  • Do not assign files/directories to the EVERYONE group.
  • Limit the number of administrator-level accounts needed to manage the system. As stated above, the Hitachi ID Identity and Access Management Suite server only requires one administrator-level account.
  • Remove the terminal services user account TsInternetUser. This account is used by the Terminal Service Internet Connector License. Hitachi ID Systems products do not require the use of this account, and unless your environment requires it, it should be removed.

Additionally, a regular review of accounts, groups, and group memberships should be done to ensure that access permissions are appropriate.

Remote access

Turn off the remote access and management features on the server to reduce its exposure to remote brute-force password attacks. This includes the following:

  • Ensure "Enable remote management of this server from other computers" is not enabled.

  • Turn off "Remote Desktop Administration".

    Note:

    Remote Desktop for Administration is provided by Remote Desktop Services, but it is available even when the Remote Desktop Services role has not been explicitly installed, so it must be turned off on its own.

If you do require remote access:

  • Edit the local security policy and remove Administrators from the Allow log on through Remote Desktop Services user right. On Windows Server 2003 the same right is named Allow log on through Terminal Services.

  • Add the alternative account created for administration purposes to the Remote Desktop Users group.
  • Use Microsoft Remote Desktop Gateway to establish an encrypted connection.
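The account and remote-access recommendations above can be applied and verified from an elevated PowerShell prompt. The script below is an added example, not code from the Hitachi ID document or product. It assumes Windows Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets are built in (on Windows Server 2012 R2 substitute net user and net localgroup); psadmin is the service account the document names, and idmadmin is an assumed name for the separate administrator account the document tells you to create.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Hitachi ID document. Audits local accounts on the
# suite server, disables the built-in Administrator and Guest accounts, and turns
# Remote Desktop off (or restricts it to one dedicated account). Assumes Windows
# Server 2016 or later for the LocalAccounts cmdlets.

$ServiceAccount = 'psadmin'    # created by the suite's setup program (from the document)
$AdminAccount   = 'idmadmin'   # assumed: the one administrator account you keep

# 1. Report enabled local accounts that are neither the service nor the admin account.
$unexpected = Get-LocalUser | Where-Object {
    $_.Enabled -and $_.Name -notin @($ServiceAccount, $AdminAccount)
}
if ($unexpected) {
    Write-Warning 'Enabled local accounts to review or remove:'
    $unexpected | Format-Table Name, LastLogon, PasswordLastSet -AutoSize
}

# 2. Disable the built-in Administrator (RID 500) and Guest (RID 501). Matching on
#    the SID suffix catches a renamed built-in account too. The account you are
#    currently logged on with is skipped so the script cannot lock you out.
Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -match '-50[01]$' } |
    Where-Object { $_.Name -ne $env:USERNAME } |
    ForEach-Object {
        Disable-LocalUser -Name $_.Name
        Write-Host "Disabled built-in account '$($_.Name)' ($($_.SID.Value))"
    }

# 3. Remote Desktop: the registry value behind "Remote Desktop Administration".
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Disable-RemoteDesktop {
    # fDenyTSConnections = 1 refuses all incoming Remote Desktop connections.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

function Enable-RestrictedRemoteDesktop {
    # If remote administration is unavoidable: allow RDP, require Network Level
    # Authentication, and make Remote Desktop Users contain only $AllowedUser.
    # The "Allow log on through Remote Desktop Services" user right itself has no
    # cmdlet; set it through the local security policy as the document describes.
    param([Parameter(Mandatory)][string]$AllowedUser)
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Where-Object { $_.Name -notlike "*\$AllowedUser" } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
    if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedUser -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedUser
    }
}

Disable-RemoteDesktop            # default: no remote access at all
# Enable-RestrictedRemoteDesktop -AllowedUser $AdminAccount   # only if you must

# 4. Show the end state for the change record.
Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize
Get-ItemProperty -Path $tsKey -Name fDenyTSConnections | Select-Object fDenyTSConnections
```

Run it from the server console, not over Remote Desktop, since step 3 drops incoming RDP sessions; if you later call Enable-RestrictedRemoteDesktop, pair it with the Remote Desktop Gateway and firewall scoping the document recommends rather than exposing 3389/TCP broadly.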

Securing services

An important way to secure a server on any platform is to reduce the amount of software that it runs. This eliminates potential sources of software bugs that could be exploited to violate the server's security.

Only the following services are required on Hitachi ID Identity and Access Management Suite servers:

  • DNS Client - Required to resolve host names
  • Event Log - Core OS component
  • IIS Admin Service - Only required if IIS is used
  • IPSEC Policy Agent - Core OS component
  • Logical DiskManager - Core OS component
  • Network Connections - Required to manage network interfaces
  • Plug and Play - Hardware support
  • Protected Storage - Core OS component
  • Remote Procedure Call (RPC) - Core OS component
  • Removable Storage - Required to open CD-ROM drives
  • RunAs Service - Core OS security component
  • Security Accounts Manager - Core OS security component
  • TCP/IP NetBIOS Helper Service - Only required if directly managing Windows NT, Windows 2000, or Windows 2003 passwords
  • Workstation - Only required if directly managing Windows NT, Windows 2000, or Windows 2003 passwords
  • World Wide Web Publishing Service - Only required if IIS is used

If additional services are required during implementation, Hitachi ID Systems will notify the customer.

All other services should be disabled unless there is some specific reason (not related to Hitachi ID Identity and Access Management Suite) to enable them. Once you have identified a minimum set of services for your server, save the list. Check which services are running after applying service packs and other operating system updates, and disable services as required to return to your original list.
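The "save the list, then re-check after updates" step above is easy to automate. The script below is an added example, not code from the Hitachi ID document or product; it assumes an elevated prompt on Windows Server 2012 or later (for Get-CimInstance) and an assumed baseline file location. It records the approved service set from the machine itself after you have done the initial lockdown, so no service short names are hard-coded.

```powershell
# Added example, not part of the Hitachi ID document. Records the approved service
# set for the suite server and reports drift after service packs and updates.

$BaselinePath = 'C:\Hardening\services-baseline.xml'   # assumed location

function Get-ActiveServices {
    # Services that are running now or will start on their own after a reboot.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -or $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Save-ServiceBaseline {
    # Run once, after you have disabled everything the suite does not need.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-ActiveServices | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline saved: $((Import-Clixml -Path $BaselinePath).Count) services"
}

function Compare-ServiceBaseline {
    # Return services that are active now but were not active in the baseline.
    $approved = (Import-Clixml -Path $BaselinePath).Name
    Get-ActiveServices | Where-Object { $_.Name -notin $approved }
}

function Restore-ServiceBaseline {
    # Stop and disable drifted services. Review Compare-ServiceBaseline output first:
    # an update may have introduced a service the suite or the OS genuinely needs,
    # which is the case the document says to escalate to Hitachi ID Systems.
    foreach ($svc in Compare-ServiceBaseline) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Host "Disabled drifted service: $($svc.DisplayName) [$($svc.Name)] $($svc.PathName)"
    }
}

# Usage:
#   Save-ServiceBaseline        # once, after the initial lockdown
#   Compare-ServiceBaseline     # after each service pack or update
#   Restore-ServiceBaseline     # after you have reviewed the drift list
```

PathName is kept in the baseline and the drift report because a new auto-start service whose binary lives outside the Windows or suite directories is exactly the kind of change the periodic log and configuration review in this document is meant to catch.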

Packet filtering

Every open port is a potential entry point, and an attacker will port scan the server to find the services it exposes. Limiting the number of open ports reduces the number of ways into the server.

Use packet filtering to block all inbound connections other than the following default ports required by Hitachi ID Identity and Access Management Suite. If an instance was installed with non-default port numbers, substitute those:

  443/TCP    HTTPS (web interface)
  5555/TCP   Database (iddb)
  2380/TCP   File Replication (idfilerep)
  3334/TCP   Password Manager (idpm)
  2340/TCP   Session Monitoring Package Generation Service (idsmpg)
  4444/TCP   RSA Authentication Manager Service (psace) - optional service

To configure TCP/IP filtering on Windows Server 2003:

  1. Open the Network and Dial-up Connection control panel.

  2. Right-click on the appropriate connection and select Properties.

    The Properties dialog box is displayed.

  3. Highlight Internet Protocol (TCP/IP) then click Properties.

    The Internet Protocol (TCP/IP) Properties dialog box is displayed.

  4. Click Advanced.

    The Advanced TCP/IP Settings dialog box is displayed.

  5. Select the Options tab then double-click on TCP/IP filtering.

    The TCP/IP Filtering dialog box is displayed.

  6. To modify the settings, select the Permit Only radio button and then use Add to set appropriate TCP and UDP ports.

On Windows Server 2008 and Windows Server 2012, use Windows Firewall with Advanced Security (WFAS) to block all ports except those required:

  1. On Windows Server 2008, open it from Server Manager.
  2. On Windows Server 2012, from the Start screen type wf.msc and press [Enter].
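The WFAS configuration above can be scripted with the NetSecurity cmdlets that ship with Windows Server 2012 and later. The script below is an added example, not code from the Hitachi ID document or product. It assumes an elevated prompt; the subnet and peer addresses are placeholders, and treating the database, replication, password manager and session-monitoring ports as server-to-server traffic is an assumption drawn from their names, so confirm it against your deployment before scoping them.

```powershell
# Added example, not part of the Hitachi ID document. Builds WFAS rules for the
# default suite ports listed above and then switches to default-deny inbound.
# On Windows Server 2008 use the WFAS console or netsh advfirewall instead.

$AdminSubnet = '10.0.0.0/24'                 # assumed: administrator workstations
$PeerServers = @('10.0.0.11', '10.0.0.12')   # assumed: other suite servers
$RuleGroup   = 'Hitachi ID Suite'

# Default ports from the document, with the assumed remote scope for each.
$SuitePorts = @(
    @{ Port = 443;  Name = 'HTTPS (web interface)';                    Scope = 'Any'        },
    @{ Port = 5555; Name = 'Database (iddb)';                          Scope = $PeerServers },
    @{ Port = 2380; Name = 'File Replication (idfilerep)';             Scope = $PeerServers },
    @{ Port = 3334; Name = 'Password Manager (idpm)';                  Scope = $PeerServers },
    @{ Port = 2340; Name = 'Session Monitoring Package Gen (idsmpg)';  Scope = $PeerServers }
    # 4444/TCP (psace) is optional: add a row only if RSA Authentication Manager is used.
)

# 1. Remove rules from a previous run so the script is safe to re-apply.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 2. One inbound allow rule per port, scoped to the hosts that need it.
foreach ($p in $SuitePorts) {
    New-NetFirewallRule -DisplayName "Suite: $($p.Name) $($p.Port)/TCP" -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $p.Port `
        -RemoteAddress $p.Scope | Out-Null
}

# 3. Administrative RDP only from the admin subnet (omit if RDP is disabled).
New-NetFirewallRule -DisplayName 'Suite: RDP 3389/TCP (admin subnet)' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet | Out-Null

# 4. Only after the allow rules exist, switch every profile to default-deny inbound
#    and log dropped packets so the periodic log review has something to read.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 5. Verify: what is allowed inbound, and from where.
function Get-InboundAllowReport {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
            Remote   = ($addr.RemoteAddress -join ',')
        }
    }
}
Get-InboundAllowReport | Sort-Object Port | Format-Table -AutoSize
```

The allow rules are created before the profile default is changed so that an administrator running this over an existing RDP session is not cut off; the final report also lists Windows' own built-in inbound rules, which you should review and disable where they are not needed on a single-purpose server.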

Target system ports

The connectors use the following ports to reach target systems. These must be reachable outbound from the Hitachi ID Identity and Access Management Suite server (and, where a firewall sits in front of the target, inbound on the target):

Active Directory

  Service                    Port (non-SSL)   Port (SSL)
  LDAP                       TCP/389          TCP/636
  MSDS (Microsoft-DS / SMB)  TCP/445          NA

Related Articles

http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/bb727063.aspx
http://support.microsoft.com/kb/832017

Windows NT Domain

  Service             Port (non-SSL)                                Port (SSL)
  SMB over NetBIOS    TCP/139 (session), UDP/137-138 (name, datagram)   NA

IBM i-Series Access (AS/400)

  Service                           Port (non-SSL)   Port (SSL)
  Server Mapper (as-svrmap)         TCP/449          TCP/449
  License Management (as-central)   TCP/8470         TCP/9470
  Database Access (as-database)     TCP/8471         TCP/9471
  Remote Command (as-rmtcmd)        TCP/8475         TCP/9475
  Signon Verification (as-signon)   TCP/8476         TCP/9476
  Management Central (as-mgtc)      TCP/5555         TCP/5566

This is just a summary of the services that Hitachi ID Identity and Access Management Suite might use. For a full list of ports, see:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1019667

IBM System z (z/OS, OS/390 with Mainframe Connector)

  Service                           Port (non-SSL)   Port (SSL)
  Mainframe Connector default port  TCP/8000         NA

Lotus Domino/Notes

  Service    Port (non-SSL)   Port (SSL)
  lotusrpc   TCP/1352         NA

Related Articles

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_USING_MULTIPLE_NICS_IP_ADDRESSES_WITH_A_DOMINO_SERVER_OVER.html

LDAP

  Service   Port (non-SSL)   Port (SSL)
  LDAP      TCP/389          TCP/636

NDS

  Service     Port (non-SSL)      Port (SSL)
  NDS (NCP)   TCP/524, UDP/524    NA
  LDAP        TCP/389             TCP/636
  SLP         TCP/427             NA
  NTP         UDP/123             NA

Unix

  Service                               Port (non-SSL)
  pxunix listener server (Unix agent)   TCP/905

Oracle Database

Ports for Oracle Connection Manager:

  Service                           Port (non-SSL)   Port (SSL)
  Deprecated default server port    TCP/1521         NA
  Replacement default server port   TCP/2483         TCP/2484
  Default administrative port       TCP/1830         NA

Related Articles

http://download.oracle.com/docs/cd/B28359_01/network.111/b28317/protocoladd.htm#i470539

Microsoft SQL Server

  Service               Port (non-SSL)   Port (SSL)
  Default server port   TCP/1433         NA

Related Articles

http://support.microsoft.com/kb/287932

Win32 console script/Telnet targets

  Service   Port (non-SSL)   Port (SSL)
  Telnet    TCP/23           TCP/992
  HTTP      TCP/80           TCP/443

Oracle Essbase

  Service                         Port (non-SSL)
  Agent                           TCP/1423
  Server applications (ESSSVR)    TCP/32768-33768 (two ports per process)
  Integration Services Server     TCP/3388

Lotus Sametime

https://www-304.ibm.com/support/docview.wss?uid=swg21097949

Hardening the TCP/IP stack

For specific information on hardening the TCP/IP stack refer to the following documents at the Microsoft Developer Network web site:

  • How to harden the TCP/IP stack against denial of service attacks in Microsoft Windows Server 2003

    http://support.microsoft.com/kb/324270

  • Next Generation TCP/IP Stack

    Note:

    The TCP/IP stack in Windows Server 2008 and later is a complete redesign of the TCP/IP functionality and includes SYN attack protection by default.

Anti-Virus/Malware software

Malware is a broad term covering all kinds of malicious code, including viruses. When choosing a product, do not let its name mislead you: many products marketed as "anti-virus" also protect against other malware such as adware, bots and nagware, and products marketed as "anti-malware" also protect against viruses.

Check the product you are using and ensure it is up to date and covers as many types of malware as possible, including viruses, worms, keyloggers, trojans, backdoors, spyware, adware, bots, exploits, and nagware. If your product does not cover all of these, consider combining two products, but confirm that the vendors support running them side by side, since two real-time scanners on one server can interfere with each other.


Web server

The web server is a required component since it provides all user interface modules. It should therefore be carefully protected.

Since Hitachi ID Identity and Access Management Suite does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content should be removed.

Several web servers are available for Windows, including Apache, IIS, and Sun ONE. Hitachi ID Systems tests Hitachi ID Identity and Access Management Suite on IIS; therefore, this document only details how to lock down IIS.

Microsoft Internet Information Server (IIS) 6.0

IIS 6.0 is more than a web server; it is also an FTP server, indexing server, proxy for database applications, and a server for active content and applications. If you run Hitachi ID Identity and Access Management Suite on IIS 6.0, you should disable most of these features, as each of them may represent a security risk, due to the possibility of software bugs. All web service extensions not related to Hitachi ID Identity and Access Management Suite operation should also be disabled. The following subsections provide more specific guidance.

Use separate NTFS partitions

Create two separate NTFS partitions - one for the operating system and one for IIS 6.0. This will separate most of the operating system files from the application files, allowing a more controlled distribution of permission sets.

Remove non-essential web server content

As stated previously, Hitachi ID Identity and Access Management Suite only requires the web server to serve static documents (HTML, images) and to execute self-contained CGI executable programs, which means that all non-essential web server content should be removed, including: IISAdmin, Printers, Scripts, and similar folders, as shown in the IIS dialog box.

figure

The web server's scripting, indexing and data access subsystems should likewise be removed as shown in the Application Configuration dialog box.

figure

In IIS 6.0, ensure that all web service extensions except for the Hitachi ID Identity and Access Management Suite instance are disabled, as shown in the Web Service Extensions window. Most web service extensions in IIS 6.0 are disabled by default, and the Hitachi ID Identity and Access Management Suite installer adds the instance extension.

figure

  • The "Active Server Pages" and "ASP.NET vX.X.XXXX" extensions should be set to prohibited to prevent any ASP or .NET code, inserted accidentally or maliciously from being executed.
  • The "Server Side Includes" extension can be left to allowed if you want to use server side includes in your customized skins.
  • The "aspnet_client" application folder, under the Default Website Instance can be removed as the system does not require ASP.NET. This folder will only be present if ASP.NET functionality is installed with IIS6.

Remove RDS registry keys

As an extra precaution, remote data services (RDS) should be disabled by removing the following registry keys:

  •   HKLM\System\CurrentControlSet\Services
          \W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
    
  •   HKLM\System\CurrentControlSet\Services
          \W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
    
  •   HKLM\System\CurrentControlSet\Services
          \W3SVC\Parameters\ADCLaunch\BusObj.VbBusObjCls
    

Remove ODBC drivers

All ODBC drivers that are not required should also be disabled because they can introduce possible security concerns for IIS. To disable the ODBC drivers, remove the data sources manually, and add this entry to the registry:

    HKLM\Software\Microsoft\Jet\4.0\engines\SandBoxMode = 3

The above registry entry will ensure that no cmd.exe commands can be chained with ODBC queries.

Restrict IUSR and IWAM account permissions

The IUSR account is created during the IIS installation and provides the mechanism that allows web clients to access the web server anonymously. The IWAM account is used to start out-of-process web applications in IIS. Do not add these accounts to a privileged group such as Administrators. Delete these accounts if possible as Hitachi ID Identity and Access Management Suite does not use them (it creates and uses the psadmin user for anonymous access).

Preventing denial of service (DoS) attacks

Limit the number of simultaneous connections to the server where possible. Allowing unlimited connections to the IIS server makes it easier for a malicious user to mount a denial of service attack; a connection limit helps keep the system from being overloaded.

Microsoft Internet Information Server (IIS) 7.0

Note:

Most of the information for hardening IIS 7.0 was obtained from Windows Server 2008 R2 SP1 Security Guide from Security Compliance Manager, Version 2.0. Published: March 2010 | Updated September 2011.

By default, IIS 7.0 is more secure than IIS 6.0. Instead of installing a variety of features like IIS 6.0 does and then disabling them, IIS 7.0 only installs the following features:

  • Static content module
  • Default document module
  • Directory browsing module
  • HTTP Errors module
  • HTTP Logging module
  • Request Monitor module
  • Request Filtering module
  • Static Content Compression module
  • IIS Management Console module

The default installation only supports serving static content such as HTML and image files.

Note:

Hitachi ID Identity and Access Management Suite requires CGI. During the IIS install, you will have to explicitly select the CGI option, otherwise it will not be installed.

Set the authentication mechanism

Enable Windows Authentication as the user authentication mechanism for web servers on a private network, and disable it for sites in a DMZ.

Disable Anonymous Authentication to provide extra security on the server.

Install the Windows Authentication Role Service via the Server Manager:

  1. In the Server Manager pane, expand Roles and then click Web Server (IIS).
  2. In the Role Services box, click Add Role Services.
  3. In the Add Role Services wizard, select Windows Authentication, and then click Next.
  4. Click Install.
  5. Click Close when the install is complete.

To enable Windows Authentication and disable Anonymous Authentication:

  1. In the Server Manager pane, click Internet Information Services (IIS) Manager.
  2. In the "Connections" pane, click the server name, and then in the "Home" pane, double-click Authentication.
  3. In the "Authentication" pane, click Windows Authentication, and then in the "Actions" pane, click Enable.
  4. In the "Authentication" pane, click Anonymous Authentication, and then in the "Actions" pane, click Disable.

Move root directories to a separate data partition

IIS 7.0 is designed to prevent attackers from traversing from the URL name space into the file system, which could be done in IIS 6.0. However, it is still best practice to move your website content onto a separate partition:

  1. Open Internet Information Services (IIS) Manager.
  2. Click the name of your web server, and then under the "sites" node, right click the Default Web Site.
  3. Select Manage Web Site and then select Advanced Settings.
  4. Change the Physical Path to a directory on a new data partition.
  5. You then need to transfer the data from the old location to the new location.

Configure user account permissions

Assign permissions on the website content directory and check the user accounts that will be allowed to access the website. To configure the permissions, use the standard Windows file system permissions via Windows Explorer on the web site's folder:

  • Ensure the IIS worker process has access - by default this is NetworkService.
  • Assign the users access - in most cases you can use the ComputerName Users group, however, you can create a specific group for this purpose if you wish.

Enable Secure Sockets Layer (SSL)

Enabling Secure Sockets Layer (SSL) encrypts the traffic to help secure it from network sniffing.

Always use a current, unexpired certificate. Whether it is self-signed or issued by a trusted certificate authority is a matter of organizational policy; each has advantages and disadvantages:

  • With a self-signed certificate you control its issuance and know it is valid. However, it is not as seamless for the end user as a certificate signed by a certificate authority: the user is prompted to accept it, and a user who is trained to click through that prompt cannot tell your certificate from one presented by an attacker in the middle.

  • With a certificate signed by a certificate authority the user is not prompted. The downside is that there have been several instances where certificate authorities were breached and fraudulent certificates issued, allowing sessions to be intercepted.

For more information about how to install a SSL certificate, check the Microsoft website or the following URL:

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

Configure a unique binding

The preferable solution is to enable SSL, however, if this is not possible for some reason, you can reduce the risk of automated attacks by configuring a unique binding:

  1. Open Internet Information Services (IIS) Manager.
  2. Select the name of your web server, and then under the "sites" node, right-click the required site.
  3. Select Edit Bindings.
  4. In the "Edit Site Binding" dialog box, select http in the type list and then click Edit.
  5. Select the IP address for the website and then configure the Host header to match your required host name.

figure

Microsoft Internet Information Services (IIS) 7.5

IIS 7.5 is installed with Microsoft Windows Server 2008 R2. To harden IIS 7.5, follow the same recommendations as for IIS 7.0 above, with one addition: enable Extended Protection on Windows Authentication:

  1. In the Server Manager pane, click Internet Information Services (IIS) Manager.
  2. In the "Connections" pane, click the server name, and then in the "Home" pane, double-click Authentication.
  3. In the "Authentication" pane, click Windows Authentication, and then in the "Actions" pane, click Enable.
  4. In the "Actions" pane again, click Advanced Settings.
  5. When the "Advanced Settings" dialog box appears, select one of the Extended Protection options from the menu:
    • Select Accept if you want to enable extended protection while providing down-level support for clients that do not support extended protection.
    • Select Required if you want to enable extended protection without providing down-level support.
  6. Click OK to close the dialog box.

Microsoft Internet Information Services (IIS) 8.0

Note:

Most of the information for hardening IIS 8.0 was obtained from Windows Server 2012 Security Guide from Security Compliance Manager, Version 1.0. Published: January 2013.

IIS 8.0 Setup installs a web server with minimum functionality that supports static web pages, request filtering, static file compression, and the IIS Manager GUI interface. The following features are installed during a default installation:

  • Static content module
  • Default document module
  • Directory browsing module
  • HTTP Errors module
  • HTTP Logging module
  • Request Monitor module
  • Request Filtering module
  • Static Content Compression module
  • IIS Management Console module

Note:

Hitachi ID Identity and Access Management Suite requires CGI. During the IIS install, you will have to explicitly select the CGI option otherwise, it will not be installed.

Set the Authentication Mechanism

Enable Windows Authentication as the user authentication mechanism for web servers on a private network, and disable it for sites in a DMZ.

Disable Anonymous Authentication to provide extra security on the server.

To install Windows Authentication:

  1. In the Server Manager pane, click Manage, and then click Add Roles and Features.
  2. In the Add Roles and Features Wizard, on the "Before you begin" page, click Next.
  3. Click Next on the Select installation type page.
  4. Click Next on the Select destination server page.
  5. On the Select server roles page, expand Web Server (IIS)(Installed).
  6. Expand Web Server (Installed).
  7. Expand Security (Installed).
  8. Select Windows Authentication, and click Next.
  9. Click Next and then Install.
  10. Click Close when complete.

Enable Windows Authentication, enable extended protection and disable Anonymous Authentication:

  1. On Windows Server 2012, from the Start screen type IIS Manager and press [Enter] to open the Internet Information Services (IIS) Manager.
  2. From the IIS Manager, in the "Connections" pane, click the server name, and then in the "Home" pane, double-click Authentication.
  3. In the "Authentication" pane, click Windows Authentication, and then in the "Actions" pane, click Enable.
  4. Click Advanced Settings in the "Actions" pane.
  5. When the "Advanced Settings" dialog box appears, select one of the Extended Protection options from the menu:
    • Select Accept if you want to enable extended protection while providing down-level support for clients that do not support extended protection.
    • Select Required if you want to enable extended protection without providing down-level support.
  6. Click OK to close the dialog box.
  7. In the "Authentication" pane, click Anonymous Authentication, and then in the "Actions" pane, click Disable.
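The same authentication settings can be applied from the command line. The following is an added example, not part of the Hitachi ID guide; it assumes Windows Server 2012 with the WebAdministration module, and that the suite's web pages are hosted in the site named "Default Web Site" (substitute your own site name). It also installs the CGI role service that the suite requires.

```powershell
# Added example (not from the Hitachi ID guide): script the IIS 8.0 authentication
# settings with the WebAdministration module on Windows Server 2012.
Import-Module ServerManager
Import-Module WebAdministration

$site    = 'Default Web Site'           # assumed site name; use the site that hosts the suite
$appHost = 'MACHINE/WEBROOT/APPHOST'    # applicationHost.config, where the authentication sections are unlocked

# Install Windows Authentication, plus CGI, which the suite requires.
Install-WindowsFeature -Name Web-Windows-Auth, Web-CGI

# Enable Windows Authentication on the site.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled' -Value $true

# Extended protection: 'Require' matches the "Required" option in IIS Manager;
# use 'Allow' for the "Accept" option if down-level clients must still connect.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking' -Value 'Require'

# Disable Anonymous Authentication on the site.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# Read the settings back so the change can be verified before the server is returned to service.
foreach ($auth in 'windowsAuthentication', 'anonymousAuthentication') {
    $enabled = Get-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "system.webServer/security/authentication/$auth" -Name 'enabled'
    '{0}: enabled={1}' -f $auth, $enabled.Value
}
$ep = Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking'
'extendedProtection tokenChecking={0}' -f $ep.Value
```

Run it in an elevated PowerShell session on the IIS server. The `-Location` parameter scopes the change to the one site rather than the whole server, which keeps any other sites on the same host unaffected.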

Move root directories to a separate data partition

IIS 8.0 is designed to prevent attackers from traversing from the URL namespace into the file system, which was possible in IIS 6.0. However, it is still best practice to move your website content onto a separate partition.

The process for IIS 8.0 is the same as for 7.0. See the corresponding IIS 7.0 section, "Move root directories to a separate data partition".

Configure user account permissions

Assign permissions on the website content directory and check the user accounts that will be allowed to access the website.

The process for IIS 8.0 is the same as for 7.0. See the corresponding IIS 7.0 section, "Configure user account permissions".

Enable Secure Sockets Layer (SSL)

Enabling Secure Sockets Layer (SSL) encrypts the traffic to help secure it from network sniffing.

For more information about how to install an SSL certificate, check the Microsoft website or the following URL:

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

Configure a Unique Binding

The preferred solution is to enable SSL; however, if this is not possible for some reason, you can reduce the risk of automated attacks by configuring a unique binding.

The process for IIS 8.0 is the same as for 7.0. See the corresponding IIS 7.0 section, "Configure a Unique Binding".

Configure dynamic IP restrictions

Windows Server 2012 includes a new feature, Dynamic IP Restrictions, to help reduce denial-of-service (DoS) attacks and brute-force password attacks. Hitachi ID Systems recommends testing the configuration in a test environment first, in order to identify the appropriate thresholds without disrupting the Hitachi ID Identity and Access Management Suite, before deploying it into production.

These restrictions can be set via the Internet Information Services (IIS) Manager console:

  1. On Windows Server 2012, from the Start screen type IIS Manager and press [Enter] to open the Internet Information Services (IIS) Manager.
  2. From the IIS Manager, in the "Connections" pane, click the server name.
  3. Double-click IP Address and Domain Restrictions in the list of features.
  4. Click Edit Dynamic Restriction Settings in the Action pane.
  5. When the Dynamic IP Restriction Settings dialog box appears, check the Deny IP Address based on the number of concurrent requests option and set this to 10.
  6. Check the Deny IP Address based on the number of requests over a period of time option and set this to 20 requests within 200 milliseconds.
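The same thresholds can be applied from PowerShell, which also makes it easy to stage the feature in "logging only" mode while the thresholds are tuned in a test environment. This is an added example and not part of the Hitachi ID guide; it assumes Windows Server 2012, the WebAdministration module, and a site named "Default Web Site".

```powershell
# Added example (not from the Hitachi ID guide): configure Dynamic IP Restrictions
# on IIS 8.0 with the guide's starting thresholds (10 concurrent requests; 20 requests
# within 200 ms). Tune these values in a test environment before production use.
Import-Module ServerManager
Import-Module WebAdministration

Install-WindowsFeature -Name Web-IP-Security    # "IP and Domain Restrictions" role service

$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'Default Web Site'                   # assumed site name
$dyn     = 'system.webServer/security/dynamicIpSecurity'

function Set-DynIp([string]$Filter, [string]$Name, $Value) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $Filter -Name $Name -Value $Value
}

# Deny a client IP address that has more than 10 requests in flight at once.
Set-DynIp "$dyn/denyByConcurrentRequests" 'enabled'               $true
Set-DynIp "$dyn/denyByConcurrentRequests" 'maxConcurrentRequests' 10

# Deny a client IP address that sends more than 20 requests in any 200 ms window.
Set-DynIp "$dyn/denyByRequestRate" 'enabled'                       $true
Set-DynIp "$dyn/denyByRequestRate" 'maxRequests'                   20
Set-DynIp "$dyn/denyByRequestRate" 'requestIntervalInMilliseconds' 200

# While tuning: record would-be denials in the IIS log without actually blocking anyone.
# Set this back to $false once the thresholds have been confirmed as safe for the suite.
Set-DynIp $dyn 'enableLoggingOnlyMode' $true

# Show the resulting section so the values can be checked against the guide.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter $dyn |
    Select-Object enableLoggingOnlyMode, denyByConcurrentRequests, denyByRequestRate |
    Format-List
```

Logging-only mode is the safest way to follow the guide's advice to find appropriate thresholds: denied requests are marked in the IIS log but still served, so legitimate suite traffic (for example, a burst of requests from a help desk workstation) can be measured before enforcement is turned on.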


Password and key management

During the installation of Hitachi ID Identity and Access Management Suite, ensure that the security communication key (CommKey) used to encrypt communication between Hitachi ID Identity and Access Management Suite servers and other components on the network has been randomly created. Either create your own or use the default random key.

You should change the CommKey on a periodic basis. Note that the CommKey is located on all Hitachi ID Identity and Access Management Suite servers, secondary servers, proxy servers, and target systems using transparent password synchronization or listeners (anything that calls the Hitachi ID Identity and Access Management Suite API). Identify all instances of the CommKey, schedule and complete the change, then test and verify that the change was carried out successfully.

Use a strong password policy for all passwords associated with the use of Hitachi ID Identity and Access Management Suite. At a minimum, always use the default password policy provided with Hitachi ID Identity and Access Management Suite.

Communication defenses

Hitachi ID Identity and Access Management Suite sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials, and personal user information. These are all valuable assets that should be defended.

Ensure that the Hitachi ID Identity and Access Management Suite server is located on your internal network. If required, you can still expose password management web pages to the extranet using an HTTP proxy -- for example, a Linux or Solaris server running Apache, connected to both your intranet and extranet, placed in a Demilitarized Zone (DMZ).

Firewalls

If you have to expose your web pages to the Internet, also ensure you install a firewall using the following as a guide:

  • Make sure you purchase all network hardware, including the firewall, directly from the manufacturer or from resellers who are authorized and certified by the equipment manufacturer.
  • Always ensure the latest firmware is running.
  • Shut down unused physical interfaces on the device.
  • Implement access lists that only allow the protocols, ports and IP addresses required and deny everything else.
  • Never use default usernames and/or passwords.
  • Monitor outbound traffic to detect internal machines being used as zombies to launch an attack on a server.
  • Use egress filtering to block all traffic by default, then only allow certain traffic such as email and the Web.
  • Consider purchasing a firewall which has three connections: one for the internal network, one for the Internet and the third for the DMZ.
  • Use NTP to synchronize the time on the firewall. This will ensure the logs have the correct timestamps.
  • Configure the Intrusion Detection System on the firewall if available.

Communicating with target systems

It is essential that no sensitive information is passed over an unencrypted channel.

  • Where possible, ensure that communications are encrypted.

    For example, if you have an Oracle target system, the default setup for the Oracle client is to configure unencrypted communications with the Oracle database. Ensure that you configure encrypted communication.

  • When communications cannot be encrypted, you can:
    • Use a proxy server to set up a secure channel with the primary server.
    • Avoid synchronizing the accounts on that target system, and ensure that administrative passwords are rotated periodically.
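For the Oracle case mentioned above, the client-side settings live in the Oracle client's sqlnet.ora file on the Hitachi ID server. The fragment below is an added example, not from the Hitachi ID guide, and assumes an Oracle client that supports native network encryption (the AES256 and SHA256 algorithm names assume a 12c or later client; older clients offer a smaller set). Setting the client to REQUIRED means the connection fails rather than silently falling back to cleartext if the database server refuses to encrypt.

```text
# sqlnet.ora on the Hitachi ID server (Oracle client side) -- added example, not from the guide.
# Refuse to connect unless the database server agrees to encrypt the session.
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)

# Also require integrity checking so that traffic cannot be altered in transit.
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
```

The database administrator must leave the matching server-side parameters (SQLNET.ENCRYPTION_SERVER and SQLNET.CRYPTO_CHECKSUM_SERVER) at ACCEPTED or stronger; the client's REQUIRED setting and the server's REJECTED setting together produce a connection failure, which is the intended outcome rather than an unencrypted session.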

Auditing

Audit logs are an important measure to identify and analyze suspicious activity.

Since anyone with administrator access to the Hitachi ID Identity and Access Management Suite server can alter or remove audit logs, arrange for periodic archiving of audit logs to a different server that is managed by different administrators.

Hitachi ID Identity and Access Management Suite administrators with appropriate privileges can run operation reports.

As part of the Hitachi ID Identity and Access Management Suite, the Logging Service (idmlogsvc) manages logging sessions for a particular instance. It captures event messages from Hitachi ID Identity and Access Management Suite program execution, and writes them to the configured log file (idmsuite.log by default).

The Logging Service also has the ability to write to the Windows events logs. See the "Hitachi ID Identity and Access Management Suite Reference Manual" for further information.

Windows also provides various audit logs through the Event Viewer, and IIS provides configurable logging in the W3C Extended Log File Format.
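Because the suite's web pages are protected by Windows Authentication, repeated HTTP 401 responses to one client address in the IIS W3C log are the signal a reviewer would look for when checking for password-guessing against the self-service or help desk pages. The following is an added example, not part of the Hitachi ID guide: a small PowerShell parser that reads the `#Fields:` header of a W3C Extended log, counts 401 responses per client IP, and reports addresses above a threshold. The log lines are constructed for illustration; point it at a real file under `%SystemDrive%\inetpub\logs\LogFiles` in practice.

```powershell
# Added example (not from the Hitachi ID guide): find client addresses with repeated
# authentication failures (HTTP 401) in an IIS W3C Extended log.

# Constructed sample log; field order follows the IIS 8.0 default W3C field set.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-05-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-01 09:00:01 10.0.0.5 GET /index.html - 443 - 10.0.0.77 Mozilla/5.0 401 2 5 15
2013-05-01 09:00:02 10.0.0.5 GET /index.html - 443 - 10.0.0.77 Mozilla/5.0 401 1 2148074254 12
2013-05-01 09:00:03 10.0.0.5 GET /index.html - 443 - 10.0.0.77 Mozilla/5.0 401 1 2148074254 11
2013-05-01 09:00:04 10.0.0.5 GET /index.html - 443 - 10.0.0.77 Mozilla/5.0 401 1 2148074254 13
2013-05-01 09:00:05 10.0.0.5 GET /index.html - 443 EXAMPLE\jsmith 10.0.0.12 Mozilla/5.0 200 0 0 31
'@

function Get-IisAuthFailures {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw log lines, header directives included
        [int]$Threshold = 5                       # report addresses with at least this many 401s
    )
    $fields = $null
    $counts = @{}
    foreach ($line in $Lines) {
        # The #Fields: directive defines the column order; it can change mid-file if
        # logging settings are edited, so re-read it whenever it appears.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }            # data before any header: cannot be parsed

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['sc-status'] -eq '401') {
            $ip = $row['c-ip']
            $counts[$ip] = 1 + [int]$counts[$ip]   # [int]$null is 0 on first sight
        }
    }
    $counts.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ ClientIP = $_.Key; Failures = $_.Value } }
}

# With the sample above, 10.0.0.77 is reported with 4 failures; 10.0.0.12 is not.
Get-IisAuthFailures -Lines ($sampleLog -split "`r?`n") -Threshold 3

# For a real log file:
# Get-IisAuthFailures -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex130501.log') -Threshold 20
```

Note that a single 401 with substatus 2 is normal for Windows Authentication (the challenge that precedes a successful negotiation), so the threshold should be set well above the number of challenges a legitimate session produces, and the results read alongside the Security event log on the server, which records the account names behind the failures.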

Ensure you review the logs of your network devices, such as the firewall, on a regular basis.

Accurate logging requires an accurate time stamp. It is recommended that the server set its time using a reliable network time server.

An audit log is only effective if it is examined. Logs provide the best indications of break-ins, fraud and misuse. It is highly recommended that logs be examined on a regular basis.

Use syslog or rsyslog

Syslog and rsyslog (an extension of syslog) are open source software that enable network administrators to collect logs from various sources, such as switches and firewalls, and consolidate them onto a single server. There are also tools available that plug in to syslog or rsyslog and can extract the logs from the Windows Event Log and IIS and forward them to the syslog server.

You can enable the Hitachi ID Identity and Access Management Suite Logging Service to log to a syslog service on a remote system. See the "Hitachi ID Identity and Access Management Suite Reference Manual" for details.

Software on the syslog server can be configured to generate alerts, or simply to filter and view important log messages, simplifying the process of checking logs.

For more information:

http://www.rsyslog.com

Security information and event management (SIEM) software

"Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes." ("SIEM: A Market Snapshot". Dr. Dobb's Journal. 5 February 2007.)

SIEM products simplify log management and provide alerts, dashboards and the ability to analyse the logs from various nodes, all from one location. This functionality can reduce the time and effort required to continuously monitor the network.

Hitachi ID Systems recommends using a SIEM solution if you have a large network, or many sources of logs.

Microsoft Security Compliance Manager Toolkit

For environments that require added security, there are additional measures that can be taken to harden the servers. However, it is very important to conduct thorough testing in a test environment before implementing them in production.

Microsoft Security Compliance Manager Toolkit has replaced all previous Microsoft security guides. Once installed, you will have access to a myriad of guides and tools provided by Microsoft's security experts, including:

  • Windows Server 2003, 2008 and 2012 Security Guides
  • Security Compliance Manager
  • Microsoft recommended security baselines
  • Tools to customize and export a security baseline for deployment

Further information

For further information on network security and server hardening refer to the following:

  • The SANS Institute - an industry-trusted organization that provides an extensive collection of research documents relating to information security.
  • National Security Agency (NSA)
  • National Institute of Standards and Technology (NIST)
  • Internet Security Alliance (ISA) - information on industry best practices.
  • The Center for Internet Security (CIS) - industry accepted hardening standards.
  • International Organisation for Standardization (ISO) - industry accepted hardening standards.
  • National Institute of Standards and Technology (NIST) - industry accepted hardening standards.
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act 2002 (GLBA)

Note:

The listed organizations provide information on computer security. Any mention of a commercial product is for informational purposes only and does not imply a recommendation or endorsement by Hitachi ID Systems.
