
Locking Down a Hitachi ID Password Manager Server

Abstract
Organizations deploying Hitachi ID Password Manager need to understand how to secure its runtime platform. Password Manager is a sensitive part of an organization's IT infrastructure and consequently must be well defended.

This document is a best practices guide for securing a Password Manager server. The objective is to have a reliable, high availability platform that is difficult or impossible to compromise.

Organizations that are either considering deployment of Hitachi ID Identity and Access Management Suite, or have already deployed it, need to understand how to secure the Hitachi ID Identity and Access Management Suite server. Hitachi ID Identity and Access Management Suite is a sensitive part of an organization's IT infrastructure and consequently must be defended by strong security measures.

It is important to protect not only the Hitachi ID Identity and Access Management Suite server, but also the sensitive data it stores:

  • Administrator credentials used by Hitachi ID Identity and Access Management Suite to connect to target systems.
  • Console user passwords used by the Hitachi ID Identity and Access Management Suite administrator to sign into, configure and manage Hitachi ID Identity and Access Management Suite itself.
  • Passwords to managed accounts on target systems.
  • Password history and security question data for end users.

This document is organized as follows:

  • Basic precautions

    Some common-sense security precautions.

  • Physical access and security

    Provides suggestions on how to control physical access to the Hitachi ID Identity and Access Management Suite server.

  • Employee training

    Explains the importance of security awareness training for all employees.

  • Hardening the operating system

    Explains how to configure a secure Microsoft Windows server for use with Hitachi ID Identity and Access Management Suite.

  • Web server

    Explains how to select and configure the web server that serves the Hitachi ID Identity and Access Management Suite software.

  • Password and key management

    Provides guidance on password management.

  • Communication defenses

    Explains how to protect the data transmitted to and from each Hitachi ID Identity and Access Management Suite server.

  • Auditing

    Explains why auditing is important and provides guidance on monitoring access, events, and changes to Hitachi ID Identity and Access Management Suite.

  • Microsoft Security Compliance Manager Toolkit

    Information on Microsoft Security Compliance Manager.

Basic precautions

Some of the most effective security measures are common sense:

  • Use a single-purpose server for Password Manager. Sharing this server with other applications introduces more complexity and more administrators, each of which carries its own incremental risk.

  • Use strong passwords for every administrative account on the server.

  • Maintain a current, well-patched operating system on the Password Manager server. This eliminates well-known bugs that have already been addressed by the vendor (Microsoft).

  • Automatically apply patches, especially security patches, to the OS, database server and any third party software.

  • Keep the Password Manager server in a physically secure location.

  • Provide security awareness training to all employees.

  • Install, and keep up to date, anti-virus software.

  • Do not leave a login session open and unattended on the Password Manager server's console.

  • Attach the Password Manager server to a secure, internal network rather than the public Internet. If access from the Internet is required, mediate it via a reverse web proxy running a different OS and web server platform than Password Manager -- platform diversity reduces the risk of zero-day exploits.

  • Regularly review Password Manager, OS and network logs.

  • Use the Microsoft Security Compliance Manager to learn more about server hardening.

Physical access and security

Password Manager servers should be physically protected, since logical security measures can often be bypassed by an intruder with physical access to the console:

  • Restrict physical access

    Put Password Manager server(s) in a locked and secured room. Restrict access to authorized personnel only. Password Manager administrators should install and configure the server(s) and then only access it remotely via HTTPS to its web portal or RDP to the OS.

  • Connect a UPS

    Ensure that server power is protected, that graceful shutdowns occur when power is interrupted and that there is surge protection at least on incoming power connections.

  • Prevent boot from removable media

    Configure the server to boot from its physical or virtual hard drive and not from USB or optical drives.

Where the Password Manager server is virtualized, apply the above controls to the hypervisor.

Employee training

Security policies are only as effective as user awareness and compliance. Security awareness training should include:

  1. Building security including authorization for visitors and ID badges.
  2. Password policies, regarding complexity, regular changes, non-reuse and not sharing passwords.
  3. Social engineering and phishing attacks, to help users recognize when a person, malicious web site or e-mail tries to trick them into disclosing access or other information.
  4. The consequences of a security breach, including consequences to users who may have supported the breach through action or inaction.
  5. Effective security practices relating to mobile devices, such as laptops, smart phones and tablets.
  6. Not leaving endpoints signed on, unlocked and unattended.

Hardening the operating system

Hitachi ID Identity and Access Management Suite runs on Windows 2012 servers. The first step in configuring a secure Hitachi ID Identity and Access Management Suite server is to harden the operating system:

Service packs

Install the latest service packs, as these frequently include security patches and updates.

Keep up-to-date with the latest Windows security upgrades by subscribing to Microsoft's security bulletin at:

http://www.microsoft.com/technet/security/bulletin/notify.mspx

Limit logins to only legitimate administrators

One way to limit the number of users who can access the Password Manager server is to remove it from any Windows domain. If the Password Manager server is not a member of a domain, it reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Password Manager server.

  • Remove unused accounts, leaving just psadmin -- the Password Manager service account.
  • Create one administrator account to be used by the Password Manager OS administrator to manage the server and set a strong password on this account.
  • Disable the default administrator account.
  • Remove any Guest or unused service accounts.
  • Remove the terminal services user account TsInternetUser. This account is used by the Terminal Service Internet Connector License.

For any accounts that must remain, limit their access. At a minimum, block access by members of 'Everyone' to files and folders on the server.

Limit remote desktop access

If feasible, turn off the remote access and management features on the server to protect the server from remote access attempts using brute force password attacks. This includes the following:

  • Check that "Enable remote management of this server from other computers" is disabled.
  • Turn off "Remote Desktop Administration".

If remote administration of the OS is required:

  • Edit the local security policy and remove Administrators from the Allow log on through Remote Desktop Services policy.
  • Add an alternate account with lower privileges to the Remote Desktop Users group.

Minimize running services

Disable any unused service. This eliminates potential sources of software bugs that could be exploited to violate the server's security. Only the following Windows Server 2012 R2 services are required on Password Manager servers:

  • Application Information
  • Background Tasks Infrastructure Service
  • DCOM Server Process Launcher
  • DHCP Client
  • Group Policy Client
  • Local Session Manager
  • Network Store Interface Service
  • Power
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper
  • Security Accounts Manager
  • SQL Server (MSSQLSERVER)
  • System Events Broker
  • Task Scheduler
  • TCP/IP NetBIOS Helper
  • User Profile Service
  • Windows Process Activation Service
  • Workstation
  • World Wide Web Publishing Service

Additional services should only be enabled if there is a specific need for them.
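The list above is easiest to enforce as a recurring check. The following script is an added example, not Hitachi ID's own tooling: it compares the services currently running against the allow-list and reports (or, with -Remediate, stops and disables) anything extra. The -AlsoKeep parameter and the service names suggested in its comment are assumptions for site-specific additions.

```powershell
# Added example, not part of the Hitachi ID documentation. Compares the services
# running on this host against the allow-list above and reports any extras.
# Without -Remediate it only reports, so it can run as a recurring audit;
# with -Remediate it stops and disables each extra service.
param(
    [switch]$Remediate,
    # Site-specific additions (e.g. 'Windows Event Log' if events are forwarded,
    # 'Windows Firewall' if wf.msc packet filtering is relied upon).
    [string[]]$AlsoKeep = @()
)

# Display names exactly as listed in the guide for Windows Server 2012 R2.
$allowed = @(
    'Application Information', 'Background Tasks Infrastructure Service',
    'DCOM Server Process Launcher', 'DHCP Client', 'Group Policy Client',
    'Local Session Manager', 'Network Store Interface Service', 'Power',
    'Remote Procedure Call (RPC)', 'RPC Endpoint Mapper',
    'Security Accounts Manager', 'SQL Server (MSSQLSERVER)',
    'System Events Broker', 'Task Scheduler', 'TCP/IP NetBIOS Helper',
    'User Profile Service', 'Windows Process Activation Service',
    'Workstation', 'World Wide Web Publishing Service'
) + $AlsoKeep

$extra = Get-Service | Where-Object {
    $_.Status -eq 'Running' -and $allowed -notcontains $_.DisplayName
}

if (-not $extra) {
    Write-Output 'OK: no running services outside the allow-list.'
    return
}

foreach ($svc in $extra) {
    $label = '{0} ({1})' -f $svc.DisplayName, $svc.Name
    if ($Remediate) {
        # -Force also stops dependent services; Disabled keeps it off after reboot.
        Stop-Service -Name $svc.Name -Force -ErrorAction Continue
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "disabled: $label"
    } else {
        Write-Output "extra:    $label"
    }
}
```

Run it in report mode first: the allow-list does not include the Windows Event Log or Windows Firewall services that the Auditing and Packet filtering sections depend on, so review the extras before remediating.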

Packet filtering

Open ports are an exploitable means of system entry. By limiting the number of open ports, you effectively reduce the number of potential entry points into the server. A server can be port scanned to identify available services.

Use packet filtering to block all inbound connections other than the following default ports required by Password Manager:

Default TCP port   Service
443/TCP            IIS / HTTPS web service.
5555/TCP           Password Manager database service default port (iddb).
2380/TCP           Password Manager file replication service default port (idfilerep).
3334/TCP           Password Manager service (idpm).
2340/TCP           Session monitoring package generation service (idsmpg).
4444/TCP           RSA Authentication Manager service (psace), only if RSA tokens are managed.

On Windows Server 2012, packet filtering is accessed by running the wf.msc control.
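The same filtering can be scripted with the Windows Firewall cmdlets instead of wf.msc. This is an added example, not from the Hitachi ID documentation; the rule names, the optional $trustedHosts list and the assumption that the ports are at their defaults are mine.

```powershell
# Added example, not from the Hitachi ID documentation. Creates inbound Windows
# Firewall rules for the default ports in the table above and makes Block the
# default inbound action. Assumes the NetSecurity cmdlets (Windows Server 2012,
# PowerShell 3.0+) and the default port numbers; adjust if they were changed.
$rules = @(
    @{ Name = 'HiPM-HTTPS';     Port = 443;  Desc = 'IIS / HTTPS web service' },
    @{ Name = 'HiPM-iddb';      Port = 5555; Desc = 'Database service (iddb)' },
    @{ Name = 'HiPM-idfilerep'; Port = 2380; Desc = 'File replication service (idfilerep)' },
    @{ Name = 'HiPM-idpm';      Port = 3334; Desc = 'Password Manager service (idpm)' },
    @{ Name = 'HiPM-idsmpg';    Port = 2340; Desc = 'Session monitoring package generation (idsmpg)' }
    # 4444/TCP (psace) is only needed when RSA tokens are managed; add it on purpose.
)

# Optional tightening beyond the table: the non-HTTPS ports are server-to-server,
# so they can be limited to the hosts that must reach them. Placeholder list;
# when left empty every rule accepts any source, as the table itself implies.
$trustedHosts = @()   # e.g. @('192.0.2.10', '192.0.2.11')

foreach ($r in $rules) {
    $remote = if ($r.Port -eq 443 -or $trustedHosts.Count -eq 0) { 'Any' } else { $trustedHosts }
    # Recreate an existing rule so the result always matches this definition.
    if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -Name $r.Name
    }
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Description $r.Desc `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port -RemoteAddress $remote `
        -Action Allow -Profile Any | Out-Null
}

# Block anything inbound that no rule explicitly allows, on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Review what is now open.
Get-NetFirewallRule -DisplayName 'HiPM-*' | Format-Table Name, Enabled, Action -AutoSize
```

The Block default also closes RDP (3389/TCP); if remote OS administration is kept as described under "Limit remote desktop access", add a rule for it scoped to the administrators' addresses.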

Anti-Virus/Malware software

Do deploy anti-malware on each Hitachi ID Identity and Access Management Suite server. However, don't allow it to scan database files that belong to the SQL Server database as this can cause filesystem locks and outages.


IIS web server

The IIS web server is a required component since it provides all user interface modules. It should therefore be carefully protected.

Since Hitachi ID Identity and Access Management Suite does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content can be disabled.

General guidelines

IIS is more than a web server; it is also an FTP server, indexing server, proxy for database applications, and a server for active content and applications. Disable these features as Password Manager does not use them.

Create two separate NTFS partitions - one for the operating system and one for content IIS serves up. This will protect the OS from IIS compromise.

Always deploy a proper, issued-by-a-real-CA SSL certificate to Password Manager servers and disable plaintext HTTP access. Never use a self-signed certificate in a user-facing system, as this may condition users to ignore SSL validity warnings.

Assign the IIS user the right to read from, but not write to, the static HTML, image and JavaScript files used by Password Manager.

Assign the IIS user the right to execute CGI programs but not other executables on the Password Manager filesystem.

Disable directory browsing -- there is no reason why a user connecting to the Password Manager web portal should be able to list files in any folder.

Microsoft Internet Information Server (IIS) 7.0, 7.5

Note: Most of the information for hardening IIS 7.0 was obtained from the Windows Server 2008 R2 SP1 Security Guide from Security Compliance Manager, Version 2.0. Published March 2010, updated September 2011.

By default, IIS 7.0 is more secure than IIS 6.0. Instead of installing a variety of features like IIS 6.0 does and then disabling them, IIS 7.0 only installs the following features:

  • Static content module
  • Default document module
  • Directory browsing module
  • HTTP Errors module
  • HTTP Logging module
  • Request Monitor module
  • Request Filtering module
  • Static Content Compression module
  • IIS Management Console module

The default installation only supports serving static content such as HTML and image files.

Hitachi ID Identity and Access Management Suite requires CGI. During the IIS installation, you will have to explicitly select the CGI option, otherwise Hitachi ID Identity and Access Management Suite won't work.

Enable Anonymous Authentication as Hitachi ID Identity and Access Management Suite handles user authentication itself, rather than delegating this to the web server.

Microsoft Internet Information Services (IIS) 8.0

Note: Most of the information for hardening IIS 8.0 was obtained from the Windows Server 2012 Security Guide from Security Compliance Manager, Version 1.0. Published January 2013.

Follow the same guidelines as in the IIS 7.0 / 7.5 section above.

Configure dynamic IP restrictions

Windows Server 2012 includes a new feature to help reduce denial-of-service (DoS) attacks and brute-force password attacks. Hitachi ID Systems recommends testing the configuration in a test environment first, in order to identify the appropriate thresholds without disrupting Hitachi ID Identity and Access Management Suite, before deploying into production.

To configure IP based restrictions:

  1. Using the server roles tool, add the IIS / IP and Domain Restrictions role.
  2. From the IIS Manager tool, limit the number of concurrent connections from any given IP address, for example to a maximum of 20 connections every 200ms.
  3. Be careful to allow large numbers of connections from any load balancer or other traffic management infrastructure.
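The IIS settings called for in this section and the general guidelines above (HTTPS only, no directory browsing, anonymous authentication, dynamic IP restrictions) can be applied together from PowerShell. The following is an added example, not from the Hitachi ID documentation; it assumes the site is named 'Default Web Site' and that the IP and Domain Restrictions feature is installed.

```powershell
# Added example, not from the Hitachi ID documentation. Applies the IIS settings
# this guide calls for to one site using the WebAdministration module (IIS 7.5+).
# Assumes the Password Manager site is 'Default Web Site' and that the
# IP and Domain Restrictions role service (Web-IP-Security) is installed.
Import-Module WebAdministration
$site = 'Default Web Site'
$host = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, where locked sections live

# Require SSL, then drop the plaintext binding, but only once an HTTPS binding exists
# so a missing certificate cannot lock everyone out of the portal.
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
if (Get-WebBinding -Name $site -Protocol https) {
    Get-WebBinding -Name $site -Protocol http | Remove-WebBinding
} else {
    Write-Warning "No HTTPS binding on '$site'; bind a CA-issued certificate before removing HTTP."
}

# No directory listings anywhere under the site.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false

# Password Manager authenticates users itself, so IIS needs anonymous auth only.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter "$auth/windowsAuthentication" -Name 'enabled' -Value $false

# Dynamic IP restrictions: at most 20 requests per 200 ms from one client
# address (the guide's example thresholds). Logging-only mode records what
# would be blocked, so thresholds can be tuned on real traffic first.
$dyn = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter "$dyn/denyByRequestRate" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter "$dyn/denyByRequestRate" -Name 'maxRequests' -Value 20
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter "$dyn/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value 200
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter $dyn -Name 'enableLoggingOnlyMode' -Value $true   # set to $false once tuned

# Behind a load balancer every request arrives from one address; proxy mode
# counts by X-Forwarded-For instead, so the balancer itself is not throttled.
# Enable it only when clients cannot reach IIS except through the balancer,
# because the header is then trusted as the client address.
Set-WebConfigurationProperty -PSPath $host -Location $site `
    -Filter $dyn -Name 'enableProxyMode' -Value $true
```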


SQL Server Database

Each Hitachi ID Identity and Access Management Suite server is configured with a SQL Server database. Most commonly, the database server software is deployed on the same server as the Hitachi ID Identity and Access Management Suite application. It follows that the database must also be hardened.

There is an excellent overview of how to harden MSSQL databases at:

http://sqlmag.com/database-security/hardening-sql-server.

Following are relevant excerpts from this guide, adapted for Hitachi ID Identity and Access Management Suite:

Remove or disable unused services and components

Don't install anything beyond the core SQL server software. Specifically, leave out or disable:

  • SQL Server Analysis Services (SSAS).
  • SQL Server Integration Services (SSIS).
  • Full-Text Engine.
  • The Filter Daemon Launcher.
  • SQL Server Reporting Services (SSRS).
  • Active Directory Helper.
  • SQL Server VSS Writer service.
  • SQL Server Browser.

Disable TCP/IP access to MSSQL

Password Manager will connect to the database locally, so network access can and should be disabled. Use SQL Server Configuration Manager to disable all but shared memory access to the database.

Limit access to the database

After installing the SQL Server database software and Password Manager, remove access by the OS Administrators group to the database and change the password for the sa account.

Configure a dedicated, local-admin account for use by the SQL Server Agent service, so that it runs in a different security context than the database itself.
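The protocol and Browser-service steps from the two preceding sections can also be applied and verified from PowerShell using SQL Server's management objects. This is an added example, not from the Hitachi ID documentation or from SQL Server's own tooling; it assumes the default instance name MSSQLSERVER.

```powershell
# Added example, not from the Hitachi ID documentation. Leaves only Shared Memory
# enabled on the local default instance and turns off the SQL Server Browser
# service, as the sections above recommend. Assumes SQL Server's SMO WMI
# assembly is installed (it ships with the management objects) and the instance
# is MSSQLSERVER; restarting the SQL Server service applies protocol changes.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$instance = 'MSSQLSERVER'

$computer  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$protocols = $computer.ServerInstances[$instance].ServerProtocols
if (-not $protocols) { throw "Instance '$instance' not found on $($computer.Name)" }

foreach ($p in $protocols) {
    # Protocol names: 'Sm' = Shared Memory, 'Np' = Named Pipes, 'Tcp' = TCP/IP.
    $wanted = ($p.Name -eq 'Sm')
    if ($p.IsEnabled -ne $wanted) {
        $p.IsEnabled = $wanted
        $p.Alter()
        Write-Output ('{0}: enabled={1}' -f $p.DisplayName, $wanted)
    }
}

# The Browser service advertises instances over UDP 1434; it is not needed
# when only local shared-memory connections are used.
if (Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue) {
    Stop-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
    Set-Service  -Name 'SQLBrowser' -StartupType Disabled
}

# Verify: only Shared Memory should report IsEnabled = True.
$protocols | Select-Object DisplayName, IsEnabled
```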

Password and key management

During the installation of Hitachi ID Identity and Access Management Suite, be sure to generate random encryption keys for inter-server communication and for local data storage. Use the same keys on all servers.

Consider periodically changing the communication key. This requires shutting down Hitachi ID Identity and Access Management Suite services on all servers, installing a new key and reactivating the services. Note that key changes may require service interruption on domain controllers that have been configured to trigger password synchronization and on Hitachi ID Identity and Access Management Suite proxy servers.

Be sure to assign strong passwords to all console logins and target credentials and change these regularly.

Communication defenses

Hitachi ID Identity and Access Management Suite sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials, and personal user information.

HTTPS

Require HTTPS only connections to Hitachi ID Identity and Access Management Suite and deploy real (i.e., not self-signed) SSL certificates on each server.

Firewalls

If Internet access to Hitachi ID Identity and Access Management Suite is required, protect this access using a firewall:

  • Make sure you purchase all network hardware, including the firewall, directly from the manufacturer or from authorized resellers. Third parties may inject malware into products before resale.
  • Keep firewall and network device firmware patched and current.
  • Shut down all unused physical network interfaces.
  • Implement a block-by-default policy and specify which protocols and addresses may connect.
  • Find and remove any default user name or passwords on all devices.
  • Monitor outbound traffic and open outbound connections to prevent data exfiltration and malware seeking remote control.
  • Use NTP to synchronize the time on all devices.

Communicating with target systems

Avoid sending sensitive data as plaintext:

  • Where possible, ensure that communications with target systems are encrypted.

    For example, for Oracle target systems, the default setup for the Oracle client is to allow unencrypted communications with Oracle databases. Configure encrypted communication instead.

  • Deploy Hitachi ID Identity and Access Management Suite proxy servers, co-located with the target system, where the target system only allows a plaintext protocol and the network path between Hitachi ID Identity and Access Management Suite and the target system is vulnerable to attack.

Auditing

Audit logs are an important measure to identify and analyze suspicious activity.

Arrange for periodic archive of audit logs to a different server that is managed by different administrators.

As part of the Hitachi ID Identity and Access Management Suite, the Logging Service (idmlogsvc) manages logging sessions for a particular instance. It captures event messages from Hitachi ID Identity and Access Management Suite program execution, and writes them to the configured log file (idmsuite.log by default).

The Logging Service can also write to the Windows event log and to SYSLOGD services. Configure this for sensitive events, including logins to the Hitachi ID Identity and Access Management Suite admin console (psa.exe).

An audit log is only effective if it is examined. Logs provide the best indications of break-ins, fraud and misuse. It is highly recommended that logs be examined on a regular basis.
