What are Waters' recommendations for securing a NuGenesis web server? - WKB202497
Article number: 202497
ENVIRONMENT
- NuGenesis 9
- Windows Server 2019/2016
- NuGenesis 8 SR2
- Windows Server 2016/2012
ANSWER
- In IIS:
- Add a CA-issued certificate for the web server's fully qualified domain name to the Web Hosting certificate store in Windows and bind that certificate to the HTTPS sites in IIS.
- Self-signed certificates can work for SDMS web servers if they are added to the trusted certificate store on every client machine, but they give clients no independent way to verify the server's identity and they teach users to click through certificate warnings, so avoid them whenever possible.
- Use a certificate with an RSA key of at least 2048 bits.
- Ensure that the "httptohttpsredirect" and "auditrule" server-level URL Rewrite rules are present and enabled.
- By default, SDMS WebVision still listens on HTTP (port 80) so that it can accept requests from legacy WebVision URLs. Before NG8 SR2, WebVision was served over HTTP only, and URLs saved outside SDMS (bookmarks, links in documents) still carry the "http:" scheme. For SDMS to answer those URLs the server must listen on HTTP, and the "httptohttpsredirect" URL Rewrite rule sends the browser on to the HTTPS site. If that rule is missing, disabled, or placed below a rule that handles the request first, the WebVision site is served over plain HTTP, which is NOT recommended.
- Add the following HTTP headers to the sites as specified in the following linked articles:
- Strict-Transport-Security: max-age=30000000
- X-Content-Type-Options: nosniff
- X-Frame-Options: sameorigin
- Setting this header to "deny" is NOT recommended for the Default Web Site (legacy SDMS web apps)
- Content-Security-Policy
- Referrer-Policy: same-origin (the value is spelled with a hyphen; "sameorigin" is not a defined Referrer-Policy value and browsers ignore it, falling back to their default)
- Remove the following HTTP headers from all sites:
- Restrict the allowed HTTP verbs to the minimum the sites need (typically GET and POST) and deny unlisted verbs
- Restrict the length of the URL and query string to 2048 bytes and 1024 bytes, respectively
- Enable Anonymous Access for the NuGenesis sites and configure a service account as the anonymous user. This account should have minimal privileges in the file system
- Use an HTTPS site, not FTP, for SDMS WebVision downloads
- Install only the IIS Roles and Features as listed in the Installation and Configuration Guide for NuGenesis 9.0/9.1/9.3. Do not install any IIS role or feature outside of those lists
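The IIS items above, carried out together as one script and then checked from the outside. This is an added example, not Waters' code or part of the article; the site name, FQDN, service account and the choice of X-Powered-By as a header to remove are assumptions, and the script assumes IIS 10 on Windows Server 2016/2019 with the WebAdministration module, an elevated session, and an RSA certificate already imported into the Web Hosting store.

```powershell
# Added example (not Waters' code): applies the IIS items above to one site, then checks the
# result from the outside. Placeholders, not from the article: site name, FQDN, service account.
# Assumes IIS 10 on Windows Server 2016/2019, the WebAdministration module, an elevated session,
# and an RSA certificate already imported into the Web Hosting store.
Import-Module WebAdministration

$site = 'Default Web Site'
$fqdn = 'sdms.example.com'
$path = "IIS:\Sites\$site"

# --- 1. CA-issued certificate from the Web Hosting store, key >= 2048 bits, bound with SNI ---
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.Issuer -ne $_.Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid CA-issued certificate for $fqdn in Cert:\LocalMachine\WebHosting" }
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "Certificate key is only $($cert.PublicKey.Key.KeySize) bits" }
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1   # 1 = SNI
}
(Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, 'WebHosting')

# --- 2. Response headers. Referrer-Policy must read 'same-origin'; 'sameorigin' is not a defined value ---
$hdr = 'system.webServer/httpProtocol/customHeaders'
$add = @{
    'Strict-Transport-Security' = 'max-age=30000000'
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'SAMEORIGIN'      # not DENY on the Default Web Site (legacy SDMS apps)
    'Referrer-Policy'           = 'same-origin'
}
foreach ($name in $add.Keys) {
    # remove-then-add keeps the script idempotent
    Remove-WebConfigurationProperty -PSPath $path -Filter $hdr -Name '.' -AtElement @{name=$name} -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty    -PSPath $path -Filter $hdr -Name '.' -Value @{name=$name; value=$add[$name]}
}
# Content-Security-Policy is on the list too, but its value depends on what each site loads; set it per site.
# X-Powered-By is an IIS default header, taken here (assumption) as one of the headers to remove.
Remove-WebConfigurationProperty -PSPath $path -Filter $hdr -Name '.' -AtElement @{name='X-Powered-By'} -ErrorAction SilentlyContinue

# --- 3. Request filtering: verb allow-list and URL/query-string limits ---
$rf = 'system.webServer/security/requestFiltering'
Set-WebConfigurationProperty -PSPath $path -Filter "$rf/requestLimits" -Name 'maxUrl'         -Value 2048
Set-WebConfigurationProperty -PSPath $path -Filter "$rf/requestLimits" -Name 'maxQueryString' -Value 1024
Set-WebConfigurationProperty -PSPath $path -Filter "$rf/verbs" -Name 'allowUnlisted' -Value $false
foreach ($verb in 'GET', 'POST') {
    Remove-WebConfigurationProperty -PSPath $path -Filter "$rf/verbs" -Name '.' -AtElement @{verb=$verb} -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty    -PSPath $path -Filter "$rf/verbs" -Name '.' -Value @{verb=$verb; allowed=$true}
}

# --- 4. Anonymous authentication as a low-privilege service account (section is locked, so write a <location>) ---
$anon = 'system.webServer/security/authentication/anonymousAuthentication'
$pw   = Read-Host -Prompt 'Password for LAB\svc-ngweb'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $anon -Name 'enabled'  -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $anon -Name 'userName' -Value 'LAB\svc-ngweb'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $anon -Name 'password' -Value $pw

# --- 5. Server-level URL Rewrite rules must exist and be enabled ---
$rules = @(Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/rewrite/globalRules/rule' -ErrorAction SilentlyContinue)
foreach ($required in 'httptohttpsredirect', 'auditrule') {
    $rule = $rules | Where-Object { $_.name -eq $required }
    if (-not $rule)             { Write-Warning "URL Rewrite rule '$required' is missing" }
    elseif (-not $rule.enabled) { Write-Warning "URL Rewrite rule '$required' is disabled" }
}

# --- 6. Outside view: HTTP must redirect to HTTPS, and the headers must actually arrive ---
function Test-NgSite {
    param([string]$HostName)
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false                      # a 3xx is returned to us, not followed and not thrown
    $resp = $req.GetResponse()
    $code = [int]$resp.StatusCode; $loc = $resp.Headers['Location']; $resp.Close()
    if (($code -in 301, 302, 307, 308) -and ($loc -like 'https://*')) { "HTTP -> HTTPS redirect OK ($code to $loc)" }
    else { Write-Warning "http://$HostName/ answered $code without redirecting to HTTPS" }

    $r = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing
    foreach ($h in 'Strict-Transport-Security', 'X-Content-Type-Options', 'X-Frame-Options', 'Referrer-Policy') {
        if ($r.Headers[$h]) { "$h : $($r.Headers[$h])" } else { Write-Warning "$h is missing" }
    }
    if ($r.Headers['X-Powered-By']) { Write-Warning 'X-Powered-By is still sent' }
}
Test-NgSite -HostName $fqdn
```

The anonymous-authentication section is locked at the server level by default, which is why step 4 writes through a <location> element for the site instead of into the site's web.config; the other sections accept site-level settings. Step 6 is the check a practitioner wants after the change: a plain-HTTP request must come back as a redirect to an https: URL, and the headers must be visible in a real response, not just in configuration.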
- In Windows Firewall with Advanced Security:
- Enable the Windows Firewall on the server and allow inbound connections to the HTTPS and HTTP ports for NuGenesis:
- Block all other ports; which ports the server needs depends on any additional NuGenesis roles it hosts
- Restrict inbound connections on the HTTPS ports to only the IP addresses for user client machines, Citrix servers, or virtual desktop servers, as appropriate
- Outbound connections initiated by NuGenesis servers should be allowed only to the IP addresses/ports for NuGenesis databases, mail servers, and LDAP authentication servers (LMS servers send email via the "NuGenesis LMS Job Manager" service, while SDMS sends email via PL/SQL procedures in the Oracle database)
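The firewall items above expressed as rules. This is an added example, not Waters' code or part of the article; every address and port in it is a placeholder assumption (client subnet, Citrix/VDI hosts, Oracle listener on 1521, LDAP on 389/636, SMTP on 25), and the caveat about domain controllers is mine, not the article's.

```powershell
# Added example (not Waters' code): the Windows Firewall items above as rules. Every address
# and port is a placeholder assumption: client subnet, Citrix/VDI hosts, Oracle listener (1521),
# LDAP server (389/636) and mail server (25). Run from an elevated session.
$clients  = @('10.10.20.0/24')                # user workstations
$citrix   = @('10.10.30.11', '10.10.30.12')   # Citrix or virtual desktop servers
$dbHosts  = @('10.10.40.5')                   # Oracle listener(s) for the NuGenesis databases
$ldapHost = '10.10.1.10'                      # LDAP authentication server
$mailHost = '10.10.1.20'                      # mail server used by the LMS Job Manager service

function Set-NgFirewallRule {
    param([string]$Name, [hashtable]$Settings)
    # Replace an existing rule of the same name so the script can be re-run without duplicates
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Group 'NuGenesis' -Protocol TCP -Action Allow @Settings | Out-Null
}

# Inbound: HTTPS from the client population only; HTTP only so the URL Rewrite rule can redirect legacy links
Set-NgFirewallRule 'NuGenesis HTTPS in'                @{ Direction = 'Inbound'; LocalPort = 443; RemoteAddress = ($clients + $citrix) }
Set-NgFirewallRule 'NuGenesis HTTP in (redirect only)' @{ Direction = 'Inbound'; LocalPort = 80;  RemoteAddress = ($clients + $citrix) }

# Outbound: databases, LDAP and mail, nothing else from NuGenesis
Set-NgFirewallRule 'NuGenesis to Oracle'   @{ Direction = 'Outbound'; RemotePort = 1521;     RemoteAddress = $dbHosts }
Set-NgFirewallRule 'NuGenesis to LDAP'     @{ Direction = 'Outbound'; RemotePort = 389, 636; RemoteAddress = $ldapHost }
Set-NgFirewallRule 'NuGenesis LMS to mail' @{ Direction = 'Outbound'; RemotePort = 25;       RemoteAddress = $mailHost }

# Default deny in both directions on every profile. Caveat not covered by the article: a domain-joined
# server also needs outbound DNS, Kerberos and LDAP/RPC to its domain controllers (and inbound RDP or
# WinRM from admin hosts), so add those rules before turning the outbound default to Block.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

Get-NetFirewallRule -Group 'NuGenesis' | Format-Table DisplayName, Direction, Enabled -AutoSize
```

Scoping the outbound SMTP rule to the LMS Job Manager service (-Service) would be tighter still, but that needs the service's short name, which the article does not give, so the rule above is scoped by destination only.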
- In NuGenesis SampleShare:
- Configure the SampleShare site for HTTPS
- Enable the Secure attribute for the Session cookies.
- In NuGenesis LMS Server (WildFly/JBOSS):
- Disable the "Server" and "x-powered-by" HTTP headers
- Delete the "welcome-content" files
- Disable insecure algorithms in the Java runtime
- NuGenesis 9.0, 9.1, 9.2: Disable port 8443 in nugenesis-lms.xml (N/A to NuGenesis 9.3 and later versions)
- In Windows:
- Enable TLS 1.2 (and TLS 1.3 where the OS supports it) and disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in the OS (Schannel).
- Disable weak cipher suites and algorithms within the enabled TLS protocols. This list changes over time as weaknesses in ciphers and hash functions are found; the most common ones to remove are NULL (no encryption), RC4, MD5 and SHA-1
- Install only the Server Features, options, and IIS modules as specified in the NuGenesis Installation and Configuration Guide, pages 55-56 (NuGenesis 8 ICG, NuGenesis 9.0 ICG, NuGenesis 9.1 ICG). Remove any installed features/options/IIS modules present on the server that are not listed in the document.
- Exception: if UNIFYps is or will be installed, install the LPR Port Monitor option. UNIFYps requires this option.
- Print Spooler service ("PrintNightmare"):
- If printing is not required on the web server, then disable the Print Spooler service
- If printing is required, then block remote connections to the spooler; see instructions in the "PrintNightmare" article
- NuGenesis RPC service:
- If the server does NOT run the SDMS file capture modules (Archive Agent, Data Management, OSM), configure the NG RPC service to run as NetworkService.
- If the server does run the file capture modules, configure the NG RPC service to run with a domain account with minimal privileges.
- NuGenesis VISION service:
- Disable the SMB v1 protocol
- Delete the ms-msdt URL protocol handler ("Follina" vulnerability)
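The Windows-level items above (Schannel protocols, weak cipher suites, Print Spooler, SMBv1 and the ms-msdt handler) as one script for Windows Server 2016/2019. This is an added example, not Waters' code or part of the article; it assumes an elevated session, that $printingRequired reflects whether the server prints, and that "block remote connections to the spooler" means the Group Policy setting "Allow Print Spooler to accept client connections" set to Disabled, which is the registry value used below. Protocol changes take effect after a reboot; cipher-suite changes apply immediately.

```powershell
# Added example (not Waters' code): the Windows-level items above on Windows Server 2016/2019.
# Assumptions: elevated session; $printingRequired says whether the server must print; the
# RegisterSpoolerRemoteRpcEndPoint value is the "Allow Print Spooler to accept client connections"
# policy set to Disabled. Schannel protocol changes need a reboot to take effect.
$printingRequired = $false

# --- Schannel: TLS 1.2 on, SSL 2.0/3.0 and TLS 1.0/1.1 off, for both the server and client roles ---
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $protocols "$Name\$role"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Name $p -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
# TLS 1.3 keys are honoured only by Windows Server 2022 and later; on 2016/2019 they have no effect.

# --- Cipher suites: drop NULL, RC4, MD5 and SHA-1 suites from the active list, then review what is left ---
$weak = Get-TlsCipherSuite | Where-Object { $_.Name -match '_NULL_|_RC4_|_MD5$|_SHA$' }
foreach ($suite in $weak) { Disable-TlsCipherSuite -Name $suite.Name }
Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# --- Print Spooler ("PrintNightmare") ---
if (-not $printingRequired) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
} else {
    # Keep local printing but refuse remote RPC connections to the spooler
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    New-Item -Path $printers -Force | Out-Null
    New-ItemProperty -Path $printers -Name 'RegisterSpoolerRemoteRpcEndPoint' -PropertyType DWord -Value 2 -Force | Out-Null
    Restart-Service -Name Spooler
}

# --- SMBv1: off on the server side, and the feature removed where the OS still ships it ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
}

# --- ms-msdt URL protocol handler ("Follina"): back the key up, then delete it ---
$msdt = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
if (Test-Path $msdt) {
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' "$env:SystemRoot\Temp\ms-msdt.reg" /y | Out-Null
    Remove-Item -Path $msdt -Recurse -Force
}
```

Disabling every suite that ends in _SHA also removes the last suites usable by TLS 1.0 and 1.1, which is consistent with switching those protocols off; TLS 1.2 keeps its SHA-256 and SHA-384 (GCM) suites. Re-run Get-TlsCipherSuite after the change and test a client connection before rebooting, since a list that is cut too far leaves the site unreachable.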
- In Apache Tomcat:
- Run a currently supported and patched release of Apache Tomcat.
- Run a currently supported and patched Java runtime.
- Disable the AJP port (8009, a.k.a. "GhostCat").
- N/A for NuGenesis 9.1 and later releases; this port is disabled by default
- Applicable to NuGenesis 9.0 and NuGenesis 8
- Enable HTTPOnly and Secure cookies for the WebVision servlet.
- Remove the default web apps from Apache Tomcat.
- Remove detailed error reports and server info from the HTML replies from Apache Tomcat servers
- On client machines:
- Use group policies to disable the web browser's saving and auto-filling of passwords. The HTML autocomplete="off" attribute does NOT stop current web browsers from offering to save and reuse user passwords.
ADDITIONAL INFORMATION
See also: What are the security recommendations for Waters software systems?