Locking down a Hitachi ID Suite server

Similar documents
Integrating Password Management with Enterprise Single Sign-On

1 Modular architecture

1 Hitachi ID Mobile Access. 2 The BYOD challenge. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Managed Administration Service (MAS): Hitachi ID Password Manager

Cyber security tips and self-assessment for business

CS 356 Operating System Security. Fall 2013

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

HikCentral V1.3 for Windows Hardening Guide

SERVER HARDENING CHECKLIST

1 Hitachi ID Password Manager

2 Me. 3 The Problem. Speaker. Company. Ed Breay Sr. Sales Engineer, Hitachi ID Systems.

ClearPath OS 2200 System LAN Security Overview. White paper

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Integrating Hitachi ID Suite with WebSSO Systems

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Security+ SY0-501 Study Guide Table of Contents

Service Offering: Outsourced IdM Administrator Service

epldt Web Builder Security March 2017

10 FOCUS AREAS FOR BREACH PREVENTION

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

CIS Controls Measures and Metrics for Version 7

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Dynamic Datacenter Security Solidex, November 2009

PCI DSS Compliance. White Paper Parallels Remote Application Server

IPM Secure Hardening Guidelines

CIS Controls Measures and Metrics for Version 7

Advanced Security Measures for Clients and Servers

Seqrite Endpoint Security

ANATOMY OF AN ATTACK!

GUIDE. MetaDefender Kiosk Deployment Guide

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

HikCentral V.1.1.x for Windows Hardening Guide

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

IndigoVision. Control Center. Security Hardening Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Privileged Identity App Launcher and Session Recording

UC for Enterprise (UCE) Management System (UNIVERGE MA4000)

CYAN SECURE WEB Installing on Windows

Google Cloud Platform: Customer Responsibility Matrix. December 2018

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Securing ArcGIS Services

Security Architecture


Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

How Breaches Really Happen

SECURITY PRACTICES OVERVIEW

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

W H IT E P A P E R. Salesforce Security for the IT Executive

SECURITY & PRIVACY DOCUMENTATION

the SWIFT Customer Security

Web Cash Fraud Prevention Best Practices

MigrationWiz Security Overview

California State Polytechnic University, Pomona. Server and Network Security Standard and Guidelines

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Google Cloud Platform: Customer Responsibility Matrix. April 2017

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Training UNIFIED SECURITY. Signature based packet analysis

Payment Card Industry (PCI) Data Security Standard

Grandstream Networks, Inc. UCM6100 Security Manual

Solutions Business Manager Web Application Security Assessment

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Juniper Vendor Security Requirements

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Cyber Essentials Questionnaire Guidance

Unified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions

Securing CS-MARS C H A P T E R

Security in Bomgar Remote Support

Network security session 9-2 Router Security. Network II

Education Network Security

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Recommendations for Device Provisioning Security

Implementing security from the inside out in a PeopleSoft environment System hardening with reference to the additional concern for insider threat

Using Windows 2000 with Service Pack 3 in a Managed Environment: Controlling Communication with the Internet

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Kaseya 2. Installation guide. Version R8. English

1. Security of your personal information collected and/or processed through AmFIRST REIT s Web Portal; and

CYBERSECURITY RISK LOWERING CHECKLIST

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

C1: Define Security Requirements

AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.

Minimum Security Standards for Networked Devices

Sophos Enterprise Console

IC32E - Pre-Instructional Survey

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Sophos Central Admin. help

User Identity Sources

RSA Authentication Manager 8.0 Security Configuration Guide

Dolby Conference Phone 3.1 configuration guide for West

Information Security Controls Policy

Sophos Enterprise Console

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

ForeScout Extended Module for Carbon Black

Are You Avoiding These Top 10 File Transfer Risks?

Critical Hygiene for Preventing Major Breaches

1 The intersection of IAM and the cloud

Transcription:

Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved.

Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime platform. Hitachi ID Suite is a sensitive part of an organization s IT infrastructure and consequently must be well defended. This document is a best practices guide for securing a Hitachi ID Suite server. The objective of is to have a reliable, high availability platform that is difficult or impossible to compromise. Contents 1 Introduction 1 2 Basic precautions 2 3 Physical access and security 3 4 Employee training 3 5 Hardening the operating system 4 5.1 Service packs............................................ 4 5.2 Limit logins to only legitimate administrators........................... 4 5.3 Limit remote desktop access.................................... 4 5.4 Minimize running services..................................... 5 5.5 Packet filtering............................................ 5 5.6 Anti-Virus/Malware software.................................... 6 6 IIS web server 7 6.1 General guidelines......................................... 7 6.2 Microsoft Internet Information Server (IIS) 7.0, 7.5........................ 7 6.3 Microsoft Internet Information Services (IIS) 8.0......................... 8 6.3.1 Configure dynamic IP restrictions........................... 8 7 SQL Server Database 9 7.1 Remove or disable unused services and components...................... 9 7.2 Disable TCP/IP access to MSSQL................................. 9 7.3 Limit access to the database.................................... 9 8 Password and key management 10 i

9 Communication defenses 10 9.1 HTTPS................................................ 10 9.2 Firewalls............................................... 10 9.3 Communicating with target systems................................ 11 10 Auditing 12 2016 Hitachi ID Systems, Inc. All rights reserved.

1 Introduction Organizations that are either considering deployment of Hitachi ID Identity and Access Management Suite, or have already deployed it, need to understand how to secure the Hitachi ID Suite server. Hitachi ID Suite is a sensitive part of an organization s IT infrastructure and consequently must be defended by strong security measures. It is important to protect not only the Hitachi ID Suite server, but also the sensitive data it stores: Administrator credentials used by Hitachi ID Suite to connect to target systems. Console user passwords used by the Hitachi ID Suite administrator to sign into, configure and manage Hitachi ID Suite itself. Passwords to managed accounts on target systems. Password history and security question data for end users. This document is organized as follows: Basic precautions Some common-sense security precautions. Physical access and security Provides suggestions on how to control physical access to the Hitachi ID Suite server. Employee training Explains the importance of security awareness training for all employees. Hardening the operating system Explains how to configure a secure Microsoft Windows server for use with Hitachi ID Suite. Web server Explains how to select and configure the web server that serves the Hitachi ID Suite software. Password and key management Provides guidance on password management. Communication defenses Explains how to protect the data transmitted to and from each Hitachi ID Suite server. Auditing Explains why auditing is important and provides guidance on monitoring access, events, and changes to Hitachi ID Suite. Microsoft Security Compliance Manager Toolkit Information on Microsoft Security Compliance Manager. 2016 Hitachi ID Systems, Inc. All rights reserved. 1

2 Basic precautions Some of the most effective security measures are common sense: Use a single-purpose server for Hitachi ID Identity and Access Management Suite. Sharing this server with other applications introduces more complexity and more administrators, each of which carries its own incremental risk. Use strong passwords for every administrative account on the server. Maintain a current, well-patched operating system on the Hitachi ID Suite server. This eliminates well-known bugs that have already been addressed by the vendor (Microsoft). Automatically apply patches, especially security patches, to the OS, database server and any third party software. Keep the Hitachi ID Suite server in a physically secure location. Provide security awareness training to all employees. Install, and keep up to date anti-virus software. Do not leave a login session open and unattended on the Hitachi ID Suite server s console. Attach the Hitachi ID Suite server to a secure, internal network rather than the public Internet. If access from the Internet is required, mediate it via a reverse web proxy running a different OS an web server platform than Hitachi ID Suite platform diversity reduces the risk of zero-day exploits. Regularly review Hitachi ID Suite, OS and network logs. Use the Microsoft Security Compliance Manager to learn more about server hardening. 2016 Hitachi ID Systems, Inc. All rights reserved. 2

3 Physical access and security Hitachi ID Identity and Access Management Suite servers should be physically protected, since logical security measures can often be bypassed by an intruder with physical access to the console: Restrict physical access Put Hitachi ID Suite server(s) in a locked and secured room. Restrict access to authorized personnel only. Hitachi ID Suite administrators should install and configure the server(s) and then only access it remotely via HTTPS to its web portal or RDP to the OS. Connect a UPS Ensure that server power is protected, that graceful shutdowns occur when power is interrupted and that there is surge protection at least on incoming power connections. Prevent boot from removable media Configure the server to boot from its physical or virtual hard drive and not from USB or optical drives. Where the Hitachi ID Suite server is virtualized, apply the above controls to the hypervisor. 4 Employee training Security policies are only as effective as user awareness and compliance. Security awareness training should include: 1. Building security including authorization for visitors and ID badges. 2. Password policies, regarding complexity, regular changes, non-reuse and not sharing passwords. 3. Social engineering and phishing attacks, to help users recognize when a person, malicious web site or e-mail tries to trick them into disclosing access or other information. 4. The consequences of a security breach, including consequences to users who may have supported the breach through action or inaction. 5. Effective security practices relating to mobile devices, such as laptops, smart phones and tablets. 6. Not leaving endpoints signed on, unlocked and unattended. 2016 Hitachi ID Systems, Inc. All rights reserved. 3

5 Hardening the operating system Hitachi ID Identity and Access Management Suite runs on Windows 2012 servers. The first step in configuring a secure Hitachi ID Suite server is to harden the operating system: 5.1 Service packs Install the latest service packs, as these frequently include security patches and updates. Keep up-to-date with the latest Windows security upgrades by subscribing to Microsoft s security bulletin at: http://www.microsoft.com/technet/security/bulletin/notify.mspx 5.2 Limit logins to only legitimate administrators One way to limit the number of users who can access the Hitachi ID Identity and Access Management Suite server is to remove it from any Windows domain. If the Hitachi ID Suite server is not a member of a domain, it reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Hitachi ID Suite server. Remove unused accounts, leaving just psadmin the Hitachi ID Suite service account. Create one administrator account to be used by the Hitachi ID Suite OS administrator to manage the server and set a strong password on this account. Disable the default administrator account. Remove any Guest or unused service accounts. Remove the terminal services user account TsInternetUser. This account is used by the Terminal Service Internet Connector License. For any accounts that must remain, limit their access. At a minimum, block access by members of Everyone to files and folders on the server. 5.3 Limit remote desktop access If feasible, turn off the remote access and management features on the server to protect the server from remote access attempts using brute force password attacks. This includes the following: Check that "Enable remote management of this server from other computers" is disabled. Turn off "Remote Desktop Administration". 2016 Hitachi ID Systems, Inc. All rights reserved. 4

If remote administration of the OS is required: Edit the local security policy and remove Administrators from the Allow log on through Remote Desktop Services policy. Add an alternate account with lower privileges to the Remote Desktop Users group. 5.4 Minimize running services Disable any unused service. This eliminates potential sources of software bugs that could be exploited to violate the server s security. Only the following Windows 2012R2 services are required on Hitachi ID Identity and Access Management Suite servers: Application Information Background Tasks Infrastructure Service DCOM Server Process Launcher DHCP Client Group Policy Client Local Session Manager Network Store Interface Service Power Remote Procedure Call (RPC) RPC Endpoint Mapper Security Accounts Manager SQL Server (MSSQLSERVER) System Events Broker Task Scheduler TCP/IP NetBIOS Helper User Profile Service Windows Process Activation Service Workstation World Wide Web Publishing Service Additional services should only be enabled if there is a specific need for them. 5.5 Packet filtering Open ports are an exploitable means of system entry. By limiting the number of open ports, you effectively reduce the number of potential entry points into the server. A server can be port scanned to identify available services. Use packet filtering to block all inbound connections other than the following default ports required by Hitachi ID Identity and Access Management Suite: 2016 Hitachi ID Systems, Inc. All rights reserved. 5

Default TCP port 443/TCP 5555/TCP 2380/TCP 3334/TCP 2340/TCP 4444/TCP Service IIS / HTTPS web service. Hitachi ID Suite database service default port number (iddb). Hitachi ID Suite file replication service default port (idfilerep). Password manager service (idpm). Session monitoring package generation service (idsmpg). RSA Authentication Manager Service (psace) - if RSA tokens are managed. On Windows Server 2012, packet filtering is accessed by running the wf.msc control. 5.6 Anti-Virus/Malware software Do deploy anti-malware on each Hitachi ID Identity and Access Management Suite server. However, don t allow it to scan database files that belong to the SQL Server database as this can cause filesystem locks and outages. 2016 Hitachi ID Systems, Inc. All rights reserved. 6

6 IIS web server The IIS web server is a required component since it provides all user interface modules. It should therefore be carefully protected. Since Hitachi ID Identity and Access Management Suite does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content can be disabled. 6.1 General guidelines IIS is more than a web server; it is also an FTP server, indexing server, proxy for database applications, and a server for active content and applications. Disable these features as Hitachi ID Identity and Access Management Suite does not use them. Create two separate NTFS partitions - one for the operating system and one for content IIS serves up. This will protect the OS from IIS compromise. Always deploy a proper, issued-by-a-real-ca SSL certificate to Hitachi ID Suite servers and disable plaintext HTTP access. Never use a self-signed certificate in a user-facing system, as this may condition users to ignore SSL validity warnings. Assign the IIS user the right to read from but not write to static HTML, image file and Javascript files used by Hitachi ID Suite. Assign the IIS user the right to execute CGI programs but not other executables on the Hitachi ID Suite filesystem. Disable directory browsing there is no reason why a user connecting to the Hitachi ID Suite web portal should be able to list files in any folder. 6.2 Microsoft Internet Information Server (IIS) 7.0, 7.5 Note: Most of the information for hardening IIS 7.0 was obtained from "Windows Server 2008 R2 SP1 Security Guide" from Security Compliance Manager, Version 2.0. Published: March 2010, Updated September 2011. By default, IIS 7.0 is more secure than IIS 6.0. Instead of installing a variety of features like IIS 6.0 does and then disabling them, IIS 7.0 only installs the following features: Static content module Default document module Directory browsing module HTTP Errors module HTTP Logging module 2016 Hitachi ID Systems, Inc. All rights reserved. 7

Request Monitor module Request Filtering module Static Content Compression module IIS Management Console module The default installation only supports serving static content such as HTML and image files. Hitachi ID Identity and Access Management Suite requires CGI. During the IIS installation, you will have to explicitly select the CGI option, otherwise Hitachi ID Suite won t work. Enable Anonymous Authentication as Hitachi ID Suite handles user authentication itself, rather than delegating this to the web server. 6.3 Microsoft Internet Information Services (IIS) 8.0 Note: Most of the information for hardening IIS 8.0 was obtained from Windows Server 2012 Security Guide from Security Compliance Manager, Version 1.0. Published: January 2013. Follow the same guidelines as in Subsection 6.2 on Page 7. 6.3.1 Configure dynamic IP restrictions Windows Server 2012 includes a new feature to help reduce denial-of-service (DoS) attacks and bruteforce password attacks. Hitachi ID Systems recommend testing the configuration in a test environment first in order to identify the appropriate thresholds without disrupting the Hitachi ID Identity and Access Management Suite, before deploying into production. To configure IP based restrictions: 1. Using the server roles tool, add the IIS / IP and Domain Restrictions role. 2. From the IIS Manager tool, limit the number of concurrent connections from any given IP address, for example to a maximum of 20 connections every 200ms. 3. Be careful to allow large numbers of connections from any load balancer or other traffic management infrastructure. 2016 Hitachi ID Systems, Inc. All rights reserved. 8

7 SQL Server Database Each Hitachi ID Identity and Access Management Suite server is configured with a SQL Server database. Most commonly, the database server software is deployed on the same server as the Hitachi ID Suite application. It follows that the database must also be hardened. There is an excellent overview of how to harden MSSQL databases at: http://sqlmag.com/database-security/hardening-sql-server. Following are relevant excerpts from this guide, adapted for Hitachi ID Suite: 7.1 Remove or disable unused services and components Don t install anything beyond the core SQL server software. Specifically, leave out or disable: SQL Server Analysis Services (SSAS). SQL Server Integration Services (SSIS). Full-Text Engine. The Filter Daemon Launcher. SQL Server Reporting Services (SSRS). Active Directory Helper. SQL Server VSS Writer service. SQL Server Browser. 7.2 Disable TCP/IP access to MSSQL Hitachi ID Identity and Access Management Suite will connect to the database locally, so network access can and should be disabled. Use SQL Configuration manager to disable all but shared memory access to the database. 7.3 Limit access to the database After installing the SQL Server database software and Hitachi ID Identity and Access Management Suite, remove access by the OS Administrators group to the database and change the password for the sa account. Configure a dedicated, local-admin account for use by the The SQL Server Agent service, so that it runs in a different security context than the database itself. 2016 Hitachi ID Systems, Inc. All rights reserved. 9

8 Password and key management During the installation of Hitachi ID Identity and Access Management Suite, be sure to generate random encryption keys for inter-server communication and for local data storage. Use the same keys on all servers. Consider periodically changing the communication key. This requires shutting down Hitachi ID Suite services on all servers, installing a new key and reactivating the services. Note that key changes may require service interruption on domain controllers that have been configured to trigger password synchronization and on Hitachi ID Suite proxy servers. Be sure to assign strong passwords to all console logins and target credentials and change these regularly. 9 Communication defenses Hitachi ID Identity and Access Management Suite sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials, and personal user information. 9.1 HTTPS Require HTTPS only connections to Hitachi ID Identity and Access Management Suite and deploy real (i.e., not self-signed) SSL certificates on each server. 9.2 Firewalls If you Internet access to Hitachi ID Identity and Access Management Suite is required, protect this access using a firewall: Make sure you purchase all network hardware, including the firewall, directly from the manufacturer or from authorized resellers. Third parties may inject malware into products before resale. Keep firewall and network device firmware patched and current. Shut down all unused physical network interfaces. Implement block-by-default policy and specify what protocols and addresses may connect. Find and remove any default user name or passwords on all devices. Monitor outbound traffic and open outbound connections to prevent data exfiltration and malware seeking remote control. Use NTP to synchronize the time on all devices. 2016 Hitachi ID Systems, Inc. All rights reserved. 10

9.3 Communicating with target systems Avoid sending sensitive data as plaintext: Where possible, ensure that communications with target systems are encrypted. For example, for Oracle target systems, the default setup for the Oracle client is to allow unencrypted communications with Oracle databases. Configure encrypted communication instead. Deploy Hitachi ID Identity and Access Management Suite proxy servers, co-located with the target system, where the target system only allows a plaintext protocol and the network path between Hitachi ID Suite and the target system is vulnerable to attack. 2016 Hitachi ID Systems, Inc. All rights reserved. 11

10 Auditing Audit logs are an important measure to identify and analyze suspicious activity. Arrange for periodic archive of audit logs to a different server that is managed by different administrators. As part of the Hitachi ID Identity and Access Management Suite, the Logging Service (idmlogsvc) manages logging sessions for a particular instance. It captures event messages from Hitachi ID Suite program execution, and writes them to the configured log file (idmsuite.log by default). The Logging Service can also write to the Windows event log and to SYSLOGD services. Configure this for sensitive events, including logins to the Hitachi ID Suite admin console (psa.exe). An audit log is only effective if it is examined. Logs provide the best indications of break-ins, fraud and misuse. It is highly recommended that logs be examined on a regular basis. 500, 1401-1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@hitachi-id.com www.hitachi-id.com Date: February 18, 2015 File: / pub/ wp/ documents/ harden/ server-hardening-10.tex

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback