Security
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Hardened Hitachi ID Identity and Access Management Suite Server Platform

Hitachi ID Identity and Access Management Suite is a security application. It can and should be installed on the most secure server platform possible.

Basic precautions

Some of the most effective security measures are common sense:

  1. Use a single-purpose server for Hitachi ID Identity and Access Management Suite. Sharing this server with other applications introduces more complexity and more administrators, each of which carries its own incremental risk.
  2. Use strong passwords for every administrative account on the server.
  3. Maintain a current, well-patched operating system on the Hitachi ID Identity and Access Management Suite server. This eliminates well-known bugs that have already been addressed by the vendor (Microsoft).
  4. Keep the Hitachi ID Identity and Access Management Suite server in a physically secure location.
  5. Do not leave a login session open and unattended on the Hitachi ID Identity and Access Management Suite server's console.
  6. Place the Hitachi ID Identity and Access Management Suite server on your internal network, rather than on the Internet, if this is at all possible in your environment.
  7. To make Hitachi ID Identity and Access Management Suite available to the Extranet, use a reverse web proxy.

Operating system

The first step in configuring a secure Hitachi ID Identity and Access Management Suite server is to harden its operating system.

Hitachi ID Systems suggests that Hitachi ID Identity and Access Management Suite be installed on the Windows 2000/2003 server operating system. The following are suggestions on how to lock down this operating system.

User authentication

Since the Hitachi ID Identity and Access Management Suite server contains (encrypted) sensitive information, it makes sense to limit the number of users who can access its files.

Domain membership

One way to limit the number of users who can access the Hitachi ID Identity and Access Management Suite server is to remove it from any Windows NT or Active Directory domains. Since the Hitachi ID Identity and Access Management Suite server will not be a member of any domain, this reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Hitachi ID Identity and Access Management Suite server.

Accounts

The Hitachi ID Identity and Access Management Suite setup program creates one local user on the Hitachi ID Identity and Access Management Suite server, called psadmin.

The account is, by default, a member of the Administrators group. It is the only account needed by Hitachi ID Identity and Access Management Suite. We recommend removing unused accounts, leaving just:

If you must have other accounts on the Hitachi ID Identity and Access Management Suite server, then:

Securing services

An important way to secure a server on any platform is to reduce the amount of software that it runs. This eliminates potential sources of software bugs that could be exploited to violate the server's security.

Only the following services are required on Hitachi ID Identity and Access Management Suite servers:

Service
Notes
DNS Client Required to resolve host names
Event Log Core O.S. component
IIS Admin Service Only required if IIS is used
IPSEC Policy Agent Core O.S. component
Logical Disk Manager Core O.S. component
Network Connections Required to manage network interfaces
Plug and Play Hardware support
Protected Storage Core O.S. component
Remote Procedure Call (RPC) Core O.S. component
Removable Storage Required to open CD-ROM drives
RunAs Service Core O.S. security component
Security Accounts Manager Core O.S. security component
TCP/IP NetBIOS Helper Service Only required if directly managing WinNT, Win2000 or Win2003 passwords
Workstation Only required if directly managing WinNT, Win2000 or Win2003 passwords
World Wide Web Publishing Service Only required if IIS is used

 

All other services should be disabled unless there is some specific reason (not related to Hitachi ID Identity and Access Management Suite) to enable them.

Network and session security

Packet filtering

The Hitachi ID Identity and Access Management Suite server can also take advantage of simple packet filtering services in Windows 2000/2003. These are used to block all inbound connections other than those to the web service, as shown in the figure below:

figure

Open ports are an exploitable means of system entry. By limiting the number of open ports, you effectively reduce the number of potential entry points into the server. Typically only port 443 needs to be open before Hitachi ID Identity and Access Management Suite is installed.


The process table on the same server looks like this:

figure

Note: VMWare entries reflect the fact that this sample was taken from a VMWare virtual PC.

This server was running with just the mandatory services described earlier.

Harden the IP stack

Enable the following TCP/IP registry settings as shown below to make the Hitachi ID Identity and Access Management Suite server resistant to denial of service (DOS) attacks:

The following keys, not present on a default Windows server installation, are also helpful to protect against a variety of attacks against the IP stack:


Web server

The web server is a required component since it provides all user interface modules. It should therefore be carefully protected.

Since Hitachi ID Identity and Access Management Suite does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content should be removed.

Several web servers are commonly available for Windows servers, including Apache, IIS, Sun ONE and more. Most Hitachi ID Systems customers use Apache or IIS.

Apache

The Apache server is recommended, as it is well supported and has had a very good security track record.

If you select Apache, you can harden it by:

IIS (Internet Information Server)

IIS is more than a web server - it is also an FTP server, indexing server, proxy for database applications and a server for active content / applications.

If you run Hitachi ID Identity and Access Management Suite on IIS, you should disable most of these features, as a bug in any of them would represent a security risk.

Lock down IIS as follows:

Use separate NTFS partitions

Create two separate NTFS partitions - one for the operating system and one for IIS. This will separate most of the operating system files from the application files, allowing a more controlled distribution of permission sets.

Remove non-essential web server content

As stated previously, Hitachi ID Identity and Access Management Suite only requires the web server to serve static documents (HTML, images) and to execute self-contained CGI executable programs. This means all non-essential web server content should be removed. This includes removing IISAdmin, Printers, Scripts and similar folders, as shown in the figure below:

figure

The web server's scripting, indexing and data access subsystems should likewise be removed as shown in the figure below:

figure
Remove RDS registry keys

As an extra precaution, remote data services (RDS) should be disabled by removing the following registry keys:

Remove ODBC drivers

All ODBC drivers that are not required should also be disabled because they can introduce possible security concerns for IIS. To disable the ODBC drivers, remove the data sources manually and add this entry to the registry:

The above registry entry will ensure that no cmd.exe commands can be chained with ODBC queries.

Consult the Microsoft Knowledge Base for more information:

http://support.microsoft.com/support/kb/articles/Q239/1/04.asp

Restrict IUSR and IWAM account permissions

The IUSR account is created during the IIS installation and provides the mechanism that allows web clients to access the web server anonymously. The IWAM account is used to start out-of-process web applications in IIS. Do not add these accounts to a privileged group such as Administrators. Delete these accounts if possible as Hitachi ID Identity and Access Management Suite does not use them.


Service packs

Install the latest service packs, as these frequently include security patches and updates.

We recommend that to be notified of the latest Microsoft security upgrades, you subscribe to the Microsoft's security bulletin at:

http://www.microsoft.com/technet/security/bulletin/notify.asp

Equally important to installing the latest service pack is testing the service pack installation before deployment on a production platform. This will ensure there are no adverse affects on Hitachi ID Identity and Access Management Suite.


Communication defenses

Hitachi ID Identity and Access Management Suite sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials and personal user information. These are all valuable assets that must be defended.

A basic defense against packet sniffers and similar attacks is to ensure that Hitachi ID Identity and Access Management Suite can only be accessed over HTTPS.

Physical security

Hitachi ID Identity and Access Management Suite servers should be physically protected, since any logical security measures can be bypassed by an intruder with physical access to the server, time and skill.

Suggestions for physically securing the Hitachi ID Identity and Access Management Suite server include: