What are Waters' recommendations for securing a NuGenesis web server? - WKB202497

ENVIRONMENT

NuGenesis 9
- Windows Server 2019/2016
NuGenesis 8 SR2
- Windows Server 2016/2012

ANSWER

In IIS:
1. Add a CA-issued certificate for the web server's fully qualified domain name to the Web Hosting certificate store in Windows and bind that certificate to the HTTPS sites in IIS.
  - Though self-signed certificates can work for SDMS web servers, and they can be added to the trusted certificates store on client machines, these certificates are inherently insecure and should be avoided whenever possible.
2. Use a certificate with a key length of at least 2048 bits.
3. Ensure that the "httptohttpsredirect" and "auditrule" server-level URL Rewrite rules are present and enabled.
  - By default, SDMS WebVision still listens on HTTP/port 80, so as to accept requests from legacy WebVision URLs. Prior to NG8 SR2, WebVision was served only by HTTP, and URLs that had been saved outside of SDMS retained the "http:" protocol in the URL. In order for SDMS to respond to these legacy URLs, the server must listen on HTTP, and this URL Rewrite rule redirects the web browser to a secure protocol. If this rule is not present/disabled/lower in the rule list, the WebVision site could be served over HTTP, which is NOT recommended.
4. Add the following HTTP headers to the sites as specified in the following linked articles:
  - Strict-Transport-Security: max-age=30000000
  - X-Content-Type-Options: nosniff
  - X-Frame-Options: sameorigin
    - Setting this header to "deny" is NOT recommended for the Default Web Site (legacy SDMS web apps)
  - Content-Security-Policy
  - Referrer-Policy: sameorigin
5. Remove the following HTTP headers from all sites:
6. Restrict the list of allowed HTTP Verbs to the minimum (typically POST and GET)
7. Restrict the length of the URL and query string to 2048 bytes and 1024 bytes, respectively
8. Enable Anonymous Access for the NuGenesis sites and configure a service account as the anonymous user. This account should have minimal privileges in the file system
9. Use an HTTPS site, not FTP, for SDMS WebVision downloads
10. Install only the IIS Roles and Features as listed in the Installation and Configuration Guide for NuGenesis 9.0/9.1/9.3. Do not install any IIS role or feature outside of those lists
In Windows Firewall with Advanced Security:
1. Enable the Windows Firewall on the server and allow inbound connections to the HTTPS and HTTP ports for NuGenesis:
  - List of ports for NuGenesis 9
  - List of ports for NuGenesis 8
2. Block all ports that are not necessary for the functions of the NuGenesis web server (in case the server performs additional functions in NuGenesis)
3. Restrict inbound connections on the HTTPS ports to only the IP addresses for user client machines, Citrix servers, or virtual desktop servers, as appropriate
4. Outbound connections initiated by NuGenesis servers should be allowed only to the IP addresses/ports for NuGenesis databases, mail servers, and LDAP authentication servers (LMS servers send email via the "NuGenesis LMS Job Manager" service, while SDMS sends email via PL/SQL procedures in the Oracle database)
In NuGenesis SampleShare:
- Configure the SampleShare site for HTTPS
- Enable the Secure attribute for the Session cookies.
In NuGenesis LMS Server (WildFly/JBOSS):
- Disable the "Server" and "x-powered-by" HTTP headers
- Delete the "welcome-content" files
- Disable insecure algorithms in the Java runtime
- NuGenesis 9.0, 9.1, 9.2: Disable port 8443 in nugenesis-lms.xml (N/A to NuGenesis 9.3 and later versions)
In Windows:
1. Enable the TLS 1.2 and 1.3 protocols (as applicable) and disable SSL 2.0 and 3.0 and TLS 1.0 and 1.1 in the OS.
2. Disable weak cipher suites/algorithms in the available TLS protocols. This list changes over time as cryptographic weaknesses in hash functions are discovered. The most common ones to avoid are NULL, RC4, MD5, and SHA1
3. Install only the Server Features, options, and IIS modules as specified in the NuGenesis Installation and Configuration Guide, pages 55-56 (NuGenesis 8 ICG, NuGenesis 9.0 ICG, NuGenesis 9.1 ICG). Remove any installed features/options/IIS modules present on the server that are not listed in the document.
  - Exception: if UNIFYps is or will be installed, install the LPR Port Monitor option. UNIFYps requires this option.
4. Print Spooler service ("PrintNightmare"):
  - If printing is not required on the web server, then disable the Print Spooler service
  - If printing is required, then block remote connections to the spooler; see instructions in the "PrintNightmare" article
5. NuGenesis RPC service:
  - If the server does NOT run the SDMS file capture modules (Archive Agent, Data Management, OSM), configure the NG RPC service to run as NetworkService.
  - If the server does run the file capture modules, configure the NG RPC service to run with a domain account with minimal privileges.
6. NuGenesis VISION service:
  - Enclose the image path for the NuGenesis VISION Service in double-quotes.
7. Disable the SMB v1 protocol
8. Delete the ms-msdt URL protocol handler ("Follina" vulnerability)
In Apache Tomcat:
1. Upgrade to a newer version of Apache Tomcat.
2. Upgrade to a newer version of Java Runtime.
3. Disable the AJP port (8009, a.k.a. "GhostCat").
  - N/A for NuGenesis 9.1 and later releases; this port is disabled by default
  - Applicable to NuGenesis 9.0 and NuGenesis 8
4. Enable HTTPOnly and Secure cookies for the WebVision servlet.
5. Remove the default web apps from Apache Tomcat.
6. Remove detailed error reports and server info from the HTML replies from Apache Tomcat servers
On client machines:
- Use group policies to disable auto-filling of remembered passwords by the web browser. The HTML autocomplete="off" attribute does NOT prevent web browsers from remembering and reusing user passwords.

ADDITIONAL INFORMATION

id202497, SUPNG