Configure Public Facing CloudM Migrate Web Application

The following is a guide to setting up a public facing instance of the CloudM Migrate web application. It contains a list of recommendations for improving the security of your IIS web server and the Windows server hosting it. Following these recommendations does not guarantee freedom from security issues, but it can significantly reduce your risk.

CloudM Migrate Web Installation Defaults

When the web interface for CloudM Migrate is first installed, it is configured for local access via HTTPS at https://cloudm.local. This configuration allows web access from the machine running IIS. To access the CloudM Migrate web interface securely from the Internet, further configuration is required within IIS to set up SSL and expose the web server to the Internet. Using SSL reduces the security risks of accessing data via a web browser.

CloudM Migrate comes pre-configured with a self-signed SSL certificate which is tied to the hostname or IP address running the server. We encourage the usage of industry standard SSL certificates as described below when configuring public facing URLs.

DNS (Domain Name System)

How do I add A records?

For your public facing instance of CloudM Migrate to resolve via DNS, and therefore be accessible via a hostname (https://www.thecloudm-migrate.com, for example), you will need to add an 'A' record. Depending on your DNS provider (e.g. CloudFlare, GoDaddy), you will need to modify your zone file. This is done by going to the DNS settings for the domain and adding an 'A' record with the IP address of the server that will be hosting CloudM Migrate. The following links are for guidance; the exact steps vary by provider: (CloudFlare add 'A' record) and (GoDaddy add 'A' record).

Obtaining an SSL Certificate

SSL certificates can be purchased via Symantec, CloudFlare, Thawte, Comodo or another SSL provider. When purchasing an SSL certificate you will normally be asked for the fully qualified domain name that clients will use to reach your server. For example, to secure https://www.example.com, your common name must be www.example.com, or *.example.com for a wildcard certificate. Following purchase of an SSL certificate, you will normally be provided with a .pfx file containing the certificate.

It is possible to use self-signed certificates to expose CloudM Migrate via SSL, but this is not considered as secure as a real certificate.

Configuring the Web Server

Importing a SSL Certificate

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
    • Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  4. Click the + to expand the Certificates (Local Computer) console tree and look for the Personal folder.
  5. Right-click the ‘Certificates’ folder and select All Tasks > Import.
  6. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
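The same import can be scripted. The following is an added example and not part of the CloudM documentation: it imports the .pfx into the Local Computer Personal store (the store the wizard steps above target) and checks that the private key came with it. The file path is a placeholder, and it assumes the PKI module (Import-PfxCertificate) is available, which it is on Windows Server 2012 and later.

```powershell
# Added example (not CloudM documentation): import the purchased .pfx into the
# Local Computer > Personal store from PowerShell instead of the MMC wizard.
# Assumptions: the PKI module is available, $pfxPath is a placeholder path, and
# the password is prompted for rather than stored in the script.

$pfxPath  = 'C:\certs\www.example.com.pfx'   # placeholder path to your .pfx
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\LocalMachine\My is the "Personal" folder of the Local Computer store.
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $password

# Show what landed in the store: subject, expiry and the thumbprint that the
# IIS binding step will need.
$cert | Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey

# A certificate without its private key cannot terminate TLS; fail loudly
# rather than discover this later in the IIS binding dialog.
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; re-export the .pfx with its key.'
}
```

Keep the thumbprint printed here; it identifies the certificate when the HTTPS binding is created.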

Enabling SSL Bindings

When upgrading CloudM Migrate, IIS will be reset to its default configuration. You should reapply any custom configurations you have made to the https://cloudm.local site after an upgrade or reinstallation. Most commonly, this will affect SSL bindings to public facing URLs.

  • On the Start menu click Run and then type inetmgr.
  • In the IIS Manager, click the server name.
  • Expand the sites folder.
  • Select https://cloudm.local
  • Right click and then click Edit Bindings...
  • Edit the existing https binding for hostname CloudM.local and tick the 'Require Server Name Indication' checkbox. Then click OK.


  • Click Add… in the Site Bindings window and fill out the information. In the Type drop-down choose https. Set the IP address to the IP address of the site or choose All Unassigned. The port for SSL traffic is usually 443. Select the recently imported certificate in the SSL Certificate field. Then click OK.
  • Navigate to your https:// address from an external web browser to test.
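The binding steps above can also be applied with the WebAdministration module, which is useful because the text notes that an upgrade resets IIS and the bindings must be recreated. This is an added example, not CloudM's own tooling. It assumes the IIS site is named 'cloudm.local' and the public hostname is 'www.example.com' (both placeholders), and that the certificate was imported into Cert:\LocalMachine\My.

```powershell
# Added example (not CloudM documentation): create the public HTTPS binding with
# SNI and attach the imported certificate. Placeholders: $siteName (IIS site name
# as shown in the Sites folder) and $publicHost (the hostname in your DNS 'A' record).
Import-Module WebAdministration

$siteName   = 'cloudm.local'      # placeholder
$publicHost = 'www.example.com'   # placeholder

# Pick the newest certificate with a private key whose CN is the hostname or a
# wildcard for its parent domain (e.g. *.example.com).
$parent   = $publicHost -replace '^[^.]+\.', ''
$cnRegex  = '(^|, )CN=(' + [regex]::Escape($publicHost) + '|' + [regex]::Escape("*.$parent") + ')(,|$)'
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $cnRegex } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $publicHost found in Cert:\LocalMachine\My." }

# SslFlags 1 = 'Require Server Name Indication', as ticked in the GUI steps above,
# so several hostnames can share port 443 on the same IP.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $publicHost)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
                   -HostHeader $publicHost -SslFlags 1
}

# Attach the certificate to that binding ('My' is the Personal store).
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $publicHost
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify: each HTTPS binding on the site and the certificate hash it uses.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash
```

Because the script is idempotent on the binding, it can be kept and re-run after each CloudM Migrate upgrade that resets IIS.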

Windows Server/IIS Security

The following settings can help improve the security of your server and website by removing certain public information from the server responses.

IIS 6.0 Management Compatibility

  1. On the Start menu click Run and then type control.
  2. Click Turn Windows features on or off
  3. Choose Role-based or feature-based installation and click Next.
  4. Select the server from the list and click Next.
  5. Scroll down to Web Server (IIS) and expand Web Server and Management Tools.
  6. Check Web Server and IIS 6 Management Compatibility. Click Next on the following prompts.

URL Scan

  1. Download and Install the following application URL Scan on your server.
  2. Run Notepad as Administrator and open the following file: C:\Windows\System32\inetsrv\urlscan\UrlScan.ini
  3. Find the value for RemoveServerHeader and change it from 0 to 1.

HTTP Response Headers

  1. If not open, click on the Start menu click Run and then type inetmgr
  2. In the IIS Manager, click the server name.
  3. Expand the sites folder.
  4. Select http://cloudm.local
  5. Click on HTTP Response Headers
  6. Right-click on X-Powered-By and click Remove.
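The three sections above (IIS 6 Management Compatibility, URL Scan, HTTP Response Headers) all serve one goal: stop the server from announcing what it runs. The following added example (not CloudM documentation) performs those steps from PowerShell and then fetches the site's response headers to confirm the Server and X-Powered-By headers are gone. It assumes the UrlScan.ini path from the text, a site named 'cloudm.local' and a public URL of https://www.example.com (placeholders), and that the PowerShell session runs as Administrator.

```powershell
# Added example (not CloudM documentation): remove server-identifying headers
# and verify. Placeholders: site name 'cloudm.local', URL https://www.example.com.
Import-Module WebAdministration

# 1. IIS 6 Management Compatibility (Server Manager steps above). Web-Mgmt-Compat
#    is the feature name for that checkbox.
Install-WindowsFeature -Name Web-Mgmt-Compat | Out-Null

# 2. UrlScan: flip RemoveServerHeader=0 to 1, preserving the rest of the file.
$ini = 'C:\Windows\System32\inetsrv\urlscan\UrlScan.ini'
if (Test-Path $ini) {
    (Get-Content $ini) -replace '^(\s*RemoveServerHeader\s*=\s*)0\s*$', '${1}1' |
        Set-Content -Path $ini -Encoding ASCII
} else {
    Write-Warning "UrlScan.ini not found; install URL Scan first."
}

# 3. X-Powered-By: remove it from the site's custom headers. This writes a
#    <remove name="X-Powered-By"/> into the site's web.config, the same thing
#    IIS Manager does when you click Remove.
$site = 'IIS:\Sites\cloudm.local'   # placeholder
Remove-WebConfigurationProperty -PSPath $site `
    -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
    -AtElement @{ name = 'X-Powered-By' }

# UrlScan reads its .ini at startup, so restart IIS before testing.
iisreset /restart | Out-Null

# 4. Verify from the outside view: neither header should be present.
$resp = Invoke-WebRequest -Uri 'https://www.example.com/' -Method Head -UseBasicParsing
foreach ($h in 'Server', 'X-Powered-By') {
    if ($resp.Headers.Keys -contains $h) {
        Write-Warning "$h is still sent: $($resp.Headers[$h])"
    } else {
        Write-Output "$h header not present"
    }
}
```

Run the verification against the public hostname rather than localhost, since a reverse proxy or load balancer in front of IIS may add its own headers.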

Disable the OPTIONS method

The OPTIONS method can provide valuable information to an attacker, and it is recommended that it is disabled. More detailed information can be found on the official IIS website.

  1. If not open, click on the Start menu click Run and then type inetmgr
  2. In the IIS Manager, click the server name.
  3. Expand the sites folder.
  4. Select http://cloudm.local
  5. Double click on ‘Request Filtering’
    1. Change to the HTTP Verbs tab
    2. From the Actions pane, select ‘Deny Verb’
    3. Insert ‘OPTIONS’ in the Verb, and press OK to save changes

Enable and Configure Request Filtering Rules

It is good practice to restrict some types of HTTP requests that will be processed by IIS. Exclusion rules can be set up to do this.

  1. If not open, click on the Start menu click Run and then type inetmgr.
  2. In the IIS Manager, click the server name.
  3. Expand the sites folder.
  4. Select https://cloudm.local
  5. Double click on ‘Request Filtering’
  6. Change to the Rules tab
  7. From the Actions pane, select ‘Add Filtering Rule’
  8. Set the required rules, and press OK to save changes

The following rule will check for the provided strings in requests for .asp and .aspx pages. IIS will block any requests containing these strings.

[Screenshots: the filtering rule's settings and its deny strings]

More information on this can be found here http://technet.microsoft.com/en-us/library/hh831621.aspx
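The two Request Filtering changes above (denying the OPTIONS verb, and a filtering rule that scans .asp/.aspx requests for deny strings) can be applied and read back with the WebAdministration module. This is an added example, not CloudM documentation. It assumes a site named 'cloudm.local' (placeholder); the deny strings are constructed examples only, because the strings the article uses appear only in its screenshots.

```powershell
# Added example (not CloudM documentation): request filtering via PowerShell.
# Placeholder: site path 'IIS:\Sites\cloudm.local'. Deny strings are constructed.
Import-Module WebAdministration

$site = 'IIS:\Sites\cloudm.local'
$rf   = 'system.webServer/security/requestFiltering'

# 1. Deny the OPTIONS verb (Request Filtering > HTTP Verbs > Deny Verb).
$verbs = Get-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name collection
if (-not ($verbs | Where-Object { $_.verb -eq 'OPTIONS' })) {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name '.' `
        -Value @{ verb = 'OPTIONS'; allowed = $false }
}

# 2. Filtering rule: scan URL and query string of .asp/.aspx requests and reject
#    any containing the deny strings (the Rules tab > Add Filtering Rule dialog).
$ruleName = 'BlockSuspiciousStrings'                       # constructed name
$rulePath = "$rf/filteringRules/filteringRule[@name='$ruleName']"
if (-not (Get-WebConfiguration -PSPath $site -Filter $rulePath)) {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/filteringRules" -Name '.' `
        -Value @{ name = $ruleName; scanUrl = $true; scanQueryString = $true }
    foreach ($ext in '.asp', '.aspx') {
        Add-WebConfigurationProperty -PSPath $site -Filter "$rulePath/appliesTo" -Name '.' `
            -Value @{ fileExtension = $ext }
    }
    foreach ($s in '<script', '../') {                     # constructed examples
        Add-WebConfigurationProperty -PSPath $site -Filter "$rulePath/denyStrings" -Name '.' `
            -Value @{ string = $s }
    }
}

# 3. Read back what IIS will now enforce for this site.
Get-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name collection |
    Select-Object verb, allowed
Get-WebConfigurationProperty -PSPath $site -Filter "$rf/filteringRules" -Name collection |
    Select-Object name, scanUrl, scanQueryString
Get-WebConfigurationProperty -PSPath $site -Filter "$rulePath/denyStrings" -Name collection |
    Select-Object string
```

Requests matched by a filtering rule are refused with HTTP 404 and the substatus 404.19, which is what to look for in the IIS logs when checking that the rule is firing (and that it is not catching legitimate application requests).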

SSL Test

  1. Navigate to the following URL https://www.ssllabs.com/ssltest/analyze.html and enter your domain
  2. Make a note of the grading
  3. Download IIS Crypto GUI from https://www.nartac.com/Products/IISCrypto/ and run it on your server:
    • Click ‘Best Practices’ and then apply.
    • Reboot server
  4. Repeat step 1 and check the overall rating. This should now be grade ‘A’.

More information about cryptographic algorithms can be found in this article 'How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll' published on Microsoft Support website.
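IIS Crypto's 'Best Practices' template works by setting the Schannel registry values that the Microsoft article describes. The following added example (not CloudM documentation or IIS Crypto's code) audits those values for each protocol and shows how one legacy protocol is disabled by hand, so the change behind the grade improvement can be seen and checked. It assumes an elevated session, the key layout from the Microsoft article (Enabled and DisabledByDefault DWORDs under each protocol's Server subkey), and that a reboot follows any change.

```powershell
# Added example (not CloudM documentation): audit and adjust server-side Schannel
# protocols. Assumes the registry layout documented by Microsoft for Schannel.dll.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelServerState {
    # One row per protocol. A missing key means the OS default applies, which
    # differs by Windows version, so it is reported explicitly rather than guessed.
    foreach ($p in $protocols) {
        $key = Join-Path $base "$p\Server"
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            [pscustomobject]@{ Protocol = $p; Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault }
        } else {
            [pscustomobject]@{ Protocol = $p; Enabled = '(default)'; DisabledByDefault = '(default)' }
        }
    }
}

function Disable-SchannelServerProtocol([string]$Protocol) {
    # Enabled=0 plus DisabledByDefault=1 turns the protocol off for incoming
    # connections; both values are set so neither default can re-enable it.
    $key = Join-Path $base "$Protocol\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Output 'Before:'
Get-SchannelServerState | Format-Table -AutoSize

# Turn off SSL 3.0 on the server side, then re-audit. Reboot for it to take effect.
Disable-SchannelServerProtocol 'SSL 3.0'

Write-Output 'After (reboot required):'
Get-SchannelServerState | Format-Table -AutoSize
```

Run the audit before and after applying IIS Crypto, and compare it with the SSL Labs report: the protocols shown as enabled there should match the Server keys reported here.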

Firewall

Depending on your server setup, the following rules can be disabled if you only have sites running over HTTPS.

  1. Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.
  2. Select Inbound Rules
  3. Locate the below rules and right click on each and then Disable Rule
    • World Wide Web Services (HTTP Traffic-In)
    • Web Management Service (HTTP Traffic-In)
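The same rules can be disabled with the NetSecurity cmdlets, with a check afterwards that no other enabled inbound rule still allows TCP port 80. This is an added example, not CloudM documentation; it assumes Windows Server 2012 or later, where these cmdlets exist, and the rule display names given in the list above.

```powershell
# Added example (not CloudM documentation): disable the inbound HTTP rules and
# confirm port 80 is no longer allowed in. Assumes the NetSecurity module.
$ruleNames = 'World Wide Web Services (HTTP Traffic-In)',
             'Web Management Service (HTTP Traffic-In)'

foreach ($name in $ruleNames) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($rule) {
        $rule | Disable-NetFirewallRule
        Write-Output "Disabled: $name"
    } else {
        Write-Warning "Rule not found: $name"
    }
}

# Verify: any enabled inbound Allow rule whose port filter still covers TCP 80
# would undo the change (e.g. a custom rule or one added by another product).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '80' -or $pf.LocalPort -eq 'Any')
    } |
    Select-Object DisplayName, Profile, Enabled
```

An empty result from the final query means no rule still admits plain HTTP; if the HTTPS site needs a port-80 redirect later, re-enable the World Wide Web Services rule deliberately rather than leaving it on by default.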

Windows Updates

After installing the CloudM Migrate web application, it is recommended that you follow the steps below.

  1. Perform a Windows update. (This may include fixes for SQL Server 2014)
  2. Once all the updates have been applied, reboot server, if necessary.
