Background
There are a number of configuration settings that should be enabled in order to "harden" the CentreStack cluster; for example, a penetration test will most likely require these settings before the system passes. WARNING: Review CentreStack Support for TLS 1.1 and TLS 1.2 before performing the steps in this article.
Checklist
- There must be a valid server certificate bound to TCP 443 in IIS Manager.
- Verify that the system responds to the https://<fqdn> URL, where <fqdn> is the fully qualified domain name of the CentreStack cluster.
- Verify that the server certificate reported by the browser is valid and there are no certificate errors.
- Navigate to Cluster Dashboard > Server Farm > Worker Node Count
- Click the pencil icon (Edit)
- Set the External URL to the fully qualified domain name of the CentreStack cluster.
- Click the gray gear icon (Advanced Settings)
- Enable Always force SSL on Login
- Enable Always force SSL for Native Clients
- Click the pencil icon (Edit)
- Navigate to Cluster Dashboard > Cluster Settings > Cluster Settings
- Enable: Hide login failure message details
- Enable: Hide build number from login page
- Click the disk icon in the lower right to save the settings
- Restrict Management Access to Private Networks
- Navigate to Cluster Dashboard > Tenant Manager > My Tenant
- Go to Settings > Data Leak Protection > Client Access Policy
- Click Add New Access Policy and give it a name
- Choose "Not Access from Customer-Defined Network", enter the private IP range that will be allowed to access the management options, and click Next.
- Choose the option "Deny following checked permission(s)", check the "Web Management" option, and click COMMIT.
Update machine key
A CentreStack installation contains a default machine key. To enhance security, change the default machine key. Keep in mind that a new CentreStack installation updates the machine key automatically.
- On Centrestack server, go to Centrestack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root
- Make a backup of web.config
- Open IIS Manager.
- Select Sites > Default Web Site. In the ASP.NET section of the middle pane, double-click Machine Key.
- The current machine key in use is shown. Click Generate Keys in the right pane.
- A new machine key is generated. Click Apply to save it to root\web.config.
- If you have multiple worker nodes, all nodes must use the same machine key. Follow the above procedure to generate a new machine key on one node, then copy the new machine key from root\web.config on that node.
- Go to all other nodes. Make a backup of root\web.config. Edit root\web.config to use the same machine key as the first node. Save the change.
- Restart IIS.
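The procedure above as a script, an added example that is not CentreStack's own code or tooling: it generates random keys, writes the <machineKey> element into root\web.config after taking a backup, and then compares the keys on the other nodes. The web.config path comes from the article; the node names, the admin shares and the HMACSHA256/AES algorithms and key sizes are assumptions.

```powershell
# Added example: rotate the ASP.NET machine key in CentreStack's root\web.config.
# Node names and admin shares below are placeholders; adjust for your cluster.
$WebConfig = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config'

function New-HexKey([int]$Bytes) {
    # Cryptographically random bytes, hex-encoded the way <machineKey> expects
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [System.BitConverter]::ToString($buf).Replace('-', '')
}

function Set-MachineKey([string]$Path, [string]$ValidationKey, [string]$DecryptionKey) {
    Copy-Item -Path $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"  # backup first
    [xml]$cfg = Get-Content -Path $Path -Raw
    $sysWeb = $cfg.SelectSingleNode('/configuration/system.web')
    $mk = $sysWeb.SelectSingleNode('machineKey')
    if ($null -eq $mk) { $mk = $sysWeb.AppendChild($cfg.CreateElement('machineKey')) }
    $mk.SetAttribute('validationKey', $ValidationKey)
    $mk.SetAttribute('decryptionKey', $DecryptionKey)
    $mk.SetAttribute('validation', 'HMACSHA256')   # assumed algorithms: a 64-byte HMAC key and
    $mk.SetAttribute('decryption', 'AES')          # a 32-byte AES key are valid sizes for them
    $cfg.Save($Path)
}

function Get-MachineKey([string]$Path) {
    [xml]$x = Get-Content -Path $Path -Raw
    return $x.SelectSingleNode('/configuration/system.web/machineKey')
}

# Generate once, on the first node
$validation = New-HexKey 64
$decryption = New-HexKey 32
Set-MachineKey -Path $WebConfig -ValidationKey $validation -DecryptionKey $decryption

# Every worker node must carry the same keys; report any node that differs
foreach ($node in 'NODE1', 'NODE2') {
    $remote = "\\$node\c`$\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config"
    $k = Get-MachineKey -Path $remote
    [pscustomobject]@{
        Node    = $node
        Matches = ($k.validationKey -eq $validation -and $k.decryptionKey -eq $decryption)
    }
}
# Restart IIS on each node after editing (iisreset), as the final step above says
```

Run the comparison again after copying the key to the other nodes; every node should report Matches = True before IIS is restarted.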
TLS Setup
- Download IISCrypto and apply the PCI 3.1 template, which disables all SCHANNEL protocols except TLS 1.1 and TLS 1.2.
- Additionally, in IISCrypto, disable TLS_RSA_WITH_3DES_EDE_CBC_SHA, as it is considered a medium-strength cipher.
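A way to verify the result of the two IISCrypto steps, as an added example that is not part of this article or of IISCrypto: it reads the server-side SCHANNEL registry keys that the template writes and checks the cipher suite order. The protocol key paths are the standard Windows SCHANNEL locations; that the disabled suite is recorded in the policy key's Functions value is an assumption.

```powershell
# Added example: report the SCHANNEL protocol state and confirm the 3DES suite is gone.
# Server-side settings only; Windows applies SCHANNEL changes after a reboot.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SuitePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelProtocolState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $v = Get-ItemProperty -Path (Join-Path $Schannel "Protocols\$p\Server") -ErrorAction SilentlyContinue
        # No key: Windows defaults apply. Enabled=0 or DisabledByDefault=1: the protocol is off.
        $state = if ($null -eq $v) { 'OS default' }
                 elseif ($v.Enabled -eq 0 -or $v.DisabledByDefault -eq 1) { 'disabled' }
                 else { 'enabled' }
        [pscustomobject]@{ Protocol = $p; Server = $state }
    }
}

function Test-3DesSuiteRemoved {
    # Assumption: the cipher suite order IISCrypto writes lives in this policy key's Functions value
    $pol = Get-ItemProperty -Path $SuitePolicy -ErrorAction SilentlyContinue
    if ($null -eq $pol -or -not $pol.Functions) { return 'no cipher suite order configured' }
    $suites = "$($pol.Functions)" -split '[,\s]+'
    return ($suites -notcontains 'TLS_RSA_WITH_3DES_EDE_CBC_SHA')
}

Get-SchannelProtocolState | Format-Table -AutoSize
"TLS_RSA_WITH_3DES_EDE_CBC_SHA removed: $(Test-3DesSuiteRemoved)"
```

After the PCI 3.1 template and a reboot, only TLS 1.1 and TLS 1.2 should report enabled and the last line should print True.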
Other Configurations
Apply the configurations below only when necessary, and record what you have done. If you see strange behavior after enabling one of them, disable the newly applied configuration first to see whether the issue disappears.
1. Hide server details in response headers
Some penetration tests will insist that the server response headers not display version or platform information about the server. For example, this curl command displays the response headers:
curl -I https://cspentest.hadroncloud.com/portal/loginpage.aspx
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 44437
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
Set-Cookie: y-glad-lsid=; domain=cspentest.hadroncloud.com; path=/; secure
Set-Cookie: y-glad-state=; domain=cspentest.hadroncloud.com; path=/; secure
Set-Cookie: y-glad-token=; domain=cspentest.hadroncloud.com; path=/; secure
Set-Cookie: y-glad-sharetoken=; domain=cspentest.hadroncloud.com; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 27 Aug 2018 16:58:33 GMT
The theory is that the response fields Server, X-AspNet-Version and X-Powered-By contain information about the server that could be used to attack it.
- To disable the X-AspNet-Version header, start PowerShell as Administrator (elevated) and execute this command:
Set-WebConfigurationProperty -filter /system.web/httpRuntime -name enableVersionHeader -value false -PSPath 'IIS:\Sites\Default Web Site'
Use this at your own risk. It hasn't been fully tested. To return empty strings for the Server and X-Powered-By response headers:
- Install the URLRewrite tool on the CentreStack server: http://www.iis.net/downloads/microsoft/url-rewrite
- In IIS Manager click on the server name (this setting will be server wide in scope)
- Open the URL Rewrite feature.
- In the Actions pane, click View Server Variables
- In the Actions pane, click Add...
- In the Add Server Variable dialog type: RESPONSE_SERVER
- Again in the Actions pane, click Add...
- In the Add Server Variable dialog type: RESPONSE_X-POWERED-BY
- The middle pane will look like this after both server variables are added:
- In the Actions pane, click Back to Rules
- In the Actions pane, click Add Rule(s)...
- In the Outbound rules section click Blank rule then click the OK button.
- For the first outbound rule match this screen:
- In the Actions pane, click Apply
- In the Actions pane, click Back to Rules
- In the Actions pane, click Add Rule(s)...
- In the Outbound rules section click Blank rule then click the OK button.
- For the second outbound rule match this screen:
- In the Actions pane, click Apply
- In the Actions pane, click Back to Rules
- The two rules will be displayed as:
- Use curl or a similar tool to verify that the response headers are empty:
curl -I https://cspentest.hadroncloud.com/portal/loginpage.aspx
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 44437
Content-Type: text/html; charset=utf-8
Server:
Set-Cookie: y-glad-lsid=; domain=cspentest.hadroncloud.com; path=/; secure
Set-Cookie: y-glad-state=; domain=cspentest.hadroncloud.com; path=/; secure
Set-Cookie: y-glad-token=; domain=cspentest.hadroncloud.com; path=/; secure
Set-Cookie: y-glad-sharetoken=; domain=cspentest.hadroncloud.com; path=/; secure
X-Powered-By:
Date: Mon, 27 Aug 2018 17:21:42 GMT
2. Protect Against Clickjacking
To protect against clickjacking attacks, add the X-Frame-Options header (XFO header):
- In IIS Manager select the Default Web Site node in the tree pane.
- In the middle pane double-click HTTP Response Headers
- In the Action pane click Add...
- In the Add Custom HTTP Response Header dialog:
Name: X-Frame-Options
Value: SAMEORIGIN
- Click the OK button
- Again, in the Action pane click Add...
- In the Add Custom HTTP Response Header dialog:
Name: Content-Security-Policy
Value: frame-ancestors 'self'
- Click the OK button
3. Reject Empty Host Headers
Use this at your own risk. It hasn't been fully tested. The server may return its private IP address if a request with an empty Host header is submitted to the server. To reject such requests:
- Install the URLRewrite tool on the CentreStack server: http://www.iis.net/downloads/microsoft/url-rewrite
- In IIS Manager click on the Default Web Site
- Open the URL Rewrite feature.
- In the Actions pane click Add Rule(s)...
- In the Add Rule(s) dialog select Request blocking, then click the OK button.
- In the Add Request Blocking Rule dialog:
- Block access based on: Host Header
- Block request that: Does Not Match the Pattern
- Pattern (Host Header): *.<yourdomainname>
- Using: Wildcards
- How to block: Send an HTTP 403 (Forbidden) Response
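A single check for the outcome of sections 1, 2 and 3, as an added example that is not part of this article: it reads the response headers of a CentreStack page and then sends a HEAD request with a Host header that does not match the cluster's domain. The URL reuses the article's curl example and should be replaced with your own cluster's FQDN; the bogus host name is a constructed value.

```powershell
# Added example: check the headers from sections 1-3 of this article on a CentreStack URL.
# The URL reuses the article's curl example; replace it with your own cluster's FQDN.
$Url = 'https://cspentest.hadroncloud.com/portal/loginpage.aspx'
# After the TLS Setup above the server only speaks TLS 1.1/1.2; older .NET defaults to TLS 1.0
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Get-HardeningReport([string]$Url) {
    $h = (Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing).Headers
    # A missing header and an empty-string header both count as hidden (the rewrite rules leave it empty)
    [pscustomobject]@{
        ServerHidden        = [string]::IsNullOrEmpty("$($h['Server'])")            # section 1
        AspNetVersionHidden = [string]::IsNullOrEmpty("$($h['X-AspNet-Version'])")  # section 1
        PoweredByHidden     = [string]::IsNullOrEmpty("$($h['X-Powered-By'])")      # section 1
        XfoSameOrigin       = ("$($h['X-Frame-Options'])" -eq 'SAMEORIGIN')         # section 2
        CspFrameAncestors   = ("$($h['Content-Security-Policy'])" -match "frame-ancestors\s+'self'")
    }
}

function Test-HostHeaderBlocked([string]$Url, [string]$BogusHost) {
    # Section 3: a Host header that does not match *.<yourdomainname> should draw a 403
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.Host = $BogusHost
    try { $req.GetResponse().Close(); return $false }   # served normally: the rule is not in effect
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        return ($null -ne $resp -and [int]$resp.StatusCode -eq 403)
    }
}

Get-HardeningReport -Url $Url | Format-List
"Bogus Host header rejected: $(Test-HostHeaderBlocked -Url $Url -BogusHost 'not-your-domain.invalid')"
```

When all three sections are in place every field of the report is True and the last line prints True; a False field points at the section whose step is still missing.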