Background

There are a number of configuration settings that should be enabled in order to "harden" the CentreStack Cluster. For example, in order for the system to pass a penetration test these settings will most likely be required. WARNING: Review CentreStack Support for TLS 1.1 and TLS 1.2 before performing the steps in this article. 

Checklist

1. There must be a valid server certificate bound to TCP 443 in IIS Manager.
2. Verify that the system responds to the https://<fqdn> URL, where <fqdn> is the fully qualified domain name of the CentreStack cluster.
3. Verify that the server certificate reported by the browser is valid and there are no certificate errors.
4. Navigate to Cluster Control Panel > Worker Nodes 
   1. Click the pencil icon (Edit) . Set the External URL to be the fully qualified domain name of the CentreStack cluster.
   2. Click the gray gear icon (Advanced Settings).  
      1. Enable Always force SSL on Login
      2. Always force SSL for Native Clients
5. Navigate to Cluster Control Panel > Settings > Cluster Settings
   1. Enable: Hide login failure message details
   2. Enable: Hide build number from login page
   3. Click the disk icon in the lower right to save the settings
6. Navigate to Default Group Policy > Common Settings > Security
   1. Enable: Accessing management related pages from Intranet Only
7. Download IISCrypto and apply the PCI 3.1 template which disable all SCHANNEL protocols except TLS 1.1 and TLS 1.2. 
8. Additional in IISCrypto, disable TLS_RSA_WITH_3DES_EDE_CBC_SHA as it is considered a medium strength cipher:
   
9. Some penetration tests will insist that the server response headers should not display version or  platform information about the server. For example this curl command will display the response headers:
   

   curl -I https://cspentest.hadroncloud.com/portal/loginpage.aspx
   HTTP/1.1 200 OK
   Cache-Control: private
   Content-Length: 44437
   Content-Type: text/html; charset=utf-8
   Server: Microsoft-IIS/10.0
   X-AspNet-Version: 4.0.30319
   Set-Cookie: y-glad-lsid=; domain=cspentest.hadroncloud.com; path=/; secure
   Set-Cookie: y-glad-state=; domain=cspentest.hadroncloud.com; path=/; secure
   Set-Cookie: y-glad-token=; domain=cspentest.hadroncloud.com; path=/; secure
   Set-Cookie: y-glad-sharetoken=; domain=cspentest.hadroncloud.com; path=/; secure
   X-Powered-By: ASP.NET
   Date: Mon, 27 Aug 2018 16:58:33 GMT

   The theory is that the response fields, Server, X-AspNet-Version, and X-Powered-By contain information about the server that could be used to attack it. 

   1. To disable the X-AspNet-Version: 
      1. Start PowerShell as Administrator (elevated) and execute this command: 
         

         Set-WebConfigurationProperty -filter /system.web/httpRuntime -name enableVersionHeader -value false -PSPath 'IIS:\Sites\Default Web Site'

   2. Use this at your own risk. It hasn't been fully tested. To return empty strings for the Server and X-Powered-By response headers:
      1. Install the URLRewrite tool on the CentreStack server: http://www.iis.net/downloads/microsoft/url-rewrite
      2. In IIS Manager click on the server name (this setting will be server wide in scope)
      3. Open the URL Rewrite feature.
      4. In the Actions pane, click View Server Variables
      5. In the Actions pane, click Add...
      6. In the Add Server Variable dialog type: RESPONSE_SERVER
      7. Again in the Actions pane, click Add...
      8. In the Add Server Variable dialog type: RESPONSE_X-POWERED-BY
      9. The middle pane will look like this after both server variables are added:
         
      10. In the Actions pane, click Back to Rules
      11. In the Actions pane, click Add Rule(s)...
      12. In the Outbound rules section click Blank rule then click the OK button.
      13. For the first outbound rule match this screen:
          
      14. In the Actions pane, click Apply
      15. In the Actions pane, click Back to Rules
      16. In the Actions pane, click Add Rule(s)...
      17. In the Outbound rules section click Blank rule then click the OK button.
      18. For the second outbound rule match this screen:
          
      19. In the Actions pane, click Apply
      20. In the Actions pane, click Back to Rules
      21. The two rules will be displayed as:
          
      22. Use curl or similar tool to verify the response headers are empty:
          

          curl -I https://cspentest.hadroncloud.com/portal/loginpage.aspx
          HTTP/1.1 200 OK
          Cache-Control: private
          Content-Length: 44437
          Content-Type: text/html; charset=utf-8
          Server:
          Set-Cookie: y-glad-lsid=; domain=cspentest.hadroncloud.com; path=/; secure
          Set-Cookie: y-glad-state=; domain=cspentest.hadroncloud.com; path=/; secure
          Set-Cookie: y-glad-token=; domain=cspentest.hadroncloud.com; path=/; secure
          Set-Cookie: y-glad-sharetoken=; domain=cspentest.hadroncloud.com; path=/; secure
          X-Powered-By:
          Date: Mon, 27 Aug 2018 17:21:42 GMT

10. Use this at your own risk. It hasn't been fully tested. Some penetration tests will insist that "HTTP Strict Transport Security" (HSTS) be enabled on the web site. For more information see: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts. To enable HSTS for the CentreStack web server:
    1. Install the URLRewrite tool on the CentreStack server: http://www.iis.net/downloads/microsoft/url-rewrite
    2. Start a text editor (such as Notepad) running as Administrator (i.e. "elevated") and open "C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config".
    3. Near the end of the file, locate the line that reads: </system.webServer>
    4. Insert the following text just prior to </system.webServer>:

       <rewrite>
           <rules>
               <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
                   <match url="(.*)" />
                   <conditions>
                       <add input="{HTTPS}" pattern="off" />
                       <add input="{HTTP_HOST}" pattern="^localhost(:\d+)?$" negate="true" />
                       <add input="{HTTP_HOST}" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
                   </conditions>
                   <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
               </rule>
           </rules>
           <outboundRules>
              <rule name="Add the STS header in HTTPS responses">
                  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                  <conditions>
                      <add input="{HTTPS}" pattern="on" />
                  </conditions>
                  <action type="Rewrite" value="max-age=31536000" />
              </rule>
           </outboundRules>
       </rewrite>

    5. Save "C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config"
11. To protect against clickjacking attacks add the The X-Frame-Options header (or XFO header): 
    1. In IIS Manager select the Default Web Site node in the tree pane. 
    2. In the middle pane double-click HTTP Response Headers
    3. In the Action pane click Add...
    4. In the Add Custom HTTP Response Header dialog:
       Name: X-Frame-Options
       Value: SAMEORIGIN
       
    5. Click the OK button
    6. Again, in the Action pane click Add...
    7. In the Add Custom HTTP Response Header dialog:
       Name: Content-Security-Policy
       Value: frame-ancestors 'self'
       
       
    8. Click the OK button
12. Use this at your own risk. It hasn't been fully tested. The server may return it's private IP address if an response header is submitted to the server. To reject empty response headers:
    1. Install the URLRewrite tool on the CentreStack server: http://www.iis.net/downloads/microsoft/url-rewrite
    2. In IIS Manager click on the Default Web Site
    3. Open the URL Rewrite feature.
    4. In the Actions pane click Add Rule(s)...
    5. In the Add Rule(s) dialog select Request blocking then click the OK button:
       
    6. In the Add Request Blocking Rule:
       • Block access based on: Host Header
       • Block request that: Does Not Match the Pattern
       • Pattern (Host Header): *.<yourdomainname>
       • Using: Wildcards
       • How to block: Send an HTTP 403 (Forbidden) Response