FNMS Security related questions
I have a few questions and I failed to find the answers to all of them, so can we summarize them here, please?
1) Can we disable the HTTP OPTIONS method for IIS?
2) Can IIS default welcome page be removed?
3) Can we disable weak ciphers on all web servers (Batch, Web, Inventory, Beacon)?
- Not sure.
- Should be possible, I see 2-3 options:
  - Disable the "Default Document" option.
  - Use "HTTP Redirect" to guide all traffic to "/Suite"
  - Maybe both.
- Should be possible, but I guess needs testing.
PS: Have you checked the "HTTP Response Headers" as well?
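As an added example (not code from the thread, from Flexera or from the poster above), the three points applied through the WebAdministration module that ships with IIS. It assumes the site is called 'Default Web Site', that the redirect target is '/Suite' as the thread states, and that the HTTP Redirect role service is installed; the Schannel part writes the registry values IIS reads for protocols and ciphers and only takes effect after a reboot.

```powershell
# Added example, not from the thread: apply the three points above with the
# WebAdministration module. Run in an elevated PowerShell on the IIS host.
# Assumptions: site name 'Default Web Site', redirect target '/Suite',
# Web-Http-Redirect role service installed.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config
$site    = 'Default Web Site'

# --- 1) Deny the OPTIONS verb with Request Filtering --------------------
# Writes <requestFiltering><verbs><add verb="OPTIONS" allowed="false"/>
# into the site's <location>; a denied verb is answered with 404.6.
$verbs = 'system.webServer/security/requestFiltering/verbs'
if (-not (Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$verbs/add[@verb='OPTIONS']")) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $verbs `
        -Name '.' -Value @{ verb = 'OPTIONS'; allowed = 'False' }
}

# --- 2) No welcome page: disable Default Document, redirect root to /Suite -
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/defaultDocument' -Name 'enabled' -Value 'False'

$redirect = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redirect -Name 'enabled'          -Value 'True'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redirect -Name 'destination'      -Value '/Suite'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redirect -Name 'exactDestination' -Value 'True'
# childOnly limits the redirect to content directly under the site root; without
# it, requests below /Suite would be redirected to /Suite again and loop.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redirect -Name 'childOnly'        -Value 'True'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redirect -Name 'httpResponseStatus' -Value 'Permanent'

# --- 3) Weak protocols and ciphers (Schannel registry, reboot required) ---
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$dword    = [Microsoft.Win32.RegistryValueKind]::DWord

foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\Protocols\$proto\Server")
    $key.SetValue('Enabled', 0, $dword)
    $key.SetValue('DisabledByDefault', 1, $dword)
    $key.Close()
}
# Cipher key names contain '/', which the PowerShell registry provider reads
# as a path separator, so the .NET registry API is used directly.
foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL') {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\Ciphers\$cipher")
    $key.SetValue('Enabled', 0, $dword)
    $key.Close()
}
```

Turning off TLS 1.0 and 1.1 on the server side means every client that talks to it (beacons, inventory agents, browsers, scheduled jobs) must be able to negotiate TLS 1.2, which is the "needs testing" part of the reply above; the Schannel values are read at boot, so verify after a restart rather than straight after running the script.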
Thanks for the reply.
I've had to apply all three points yesterday.
Regarding all questions please take into consideration that Beacons, Inventory Server, Batch server, Web server are also usually running on IIS. Not only the "Application server", which we don't have because we have a large implementation. We are already redirecting users from root to /Suite on the Web server.
"HTTP Response Headers" doesn't ring a bell now...
"HTTP Response Headers" do come up in security audits from time to time, because they can reveal to attackers the nature of the webserver, like the default "X-Powered-By" with "ASP.NET". Therefore some companies require them to be removed. This is also part of Microsoft's best practice: https://techcommunity.microsoft.com/t5/itops-talk-blog/windows-server-101-hardening-iis-via-security-control/ba-p/329979
There are a whole lot of other things on that list that I never applied, so I cannot tell much about them.
There's also some cross-site scripting (XSS) that can be set (see origin-when-cross-origin), but it is not mentioned in the Microsoft list.
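Added example, not code from the thread or from the poster above: removing the identifying headers mentioned in the reply and adding the Referrer-Policy header, which is the header that takes the value `origin-when-cross-origin`. It assumes the WebAdministration module, a site named 'Default Web Site' for the ASP.NET version header, and IIS 10 for `removeServerHeader`; the hostname in the usage line is a placeholder.

```powershell
# Added example, not from the thread: strip headers that identify the stack,
# add a Referrer-Policy, then report what a URL still returns.
# Assumptions: WebAdministration module, 'Default Web Site', IIS 10 or later
# for removeServerHeader.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$headers = 'system.webServer/httpProtocol/customHeaders'

# "X-Powered-By: ASP.NET" is defined server-wide in applicationHost.config;
# removing it there clears it for every site on the host.
if (Get-WebConfiguration -PSPath $appHost -Filter "$headers/add[@name='X-Powered-By']") {
    Remove-WebConfigurationProperty -PSPath $appHost -Filter $headers -Name '.' -AtElement @{ name = 'X-Powered-By' }
}

# Referrer-Policy: origin-when-cross-origin sends the full URL as referrer to
# the same origin and only the scheme/host/port to other origins.
if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$headers/add[@name='Referrer-Policy']")) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter $headers -Name '.' `
        -Value @{ name = 'Referrer-Policy'; value = 'origin-when-cross-origin' }
}

# IIS 10 can drop the "Server: Microsoft-IIS/10.0" header entirely.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value 'True'

# X-AspNet-Version comes from the ASP.NET runtime and is switched off in the
# site's web.config (system.web section), not in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.web/httpRuntime' -Name 'enableVersionHeader' -Value 'False'

# Report the identifying headers a URL still sends, i.e. what a vulnerability
# scanner would see, so the change can be verified after an IIS reset.
function Get-DisclosingHeaders {
    param([Parameter(Mandatory)][string]$Url)
    $watch = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 5
    foreach ($name in $watch) {
        if ($response.Headers.ContainsKey($name)) {
            [pscustomobject]@{ Header = $name; Value = $response.Headers[$name] }
        }
    }
}

# Placeholder host; an empty result means none of the watched headers are sent.
Get-DisclosingHeaders -Url 'https://inventory.example.internal/Suite/'
```

Run `iisreset` (or recycle the application pools) before checking, and check each of the servers the thread lists separately: the Beacon, Inventory, Batch and Web servers each have their own applicationHost.config, so the header removal has to be repeated on every host.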
Ah, I see, thanks for the info. I don't need to apply all security settings by myself, because our CyberSecurity is doing that for us in some cases by applying the Group Policy and their scripts etc. I'm only doing some additional things which were captured by the Vulnerabilities scan.
To the topic: I just found that Beacons have issues communicating with the Inventory server because of the denied OPTIONS:
From IIS log on the Inventory server (IPs are redacted):
2022-05-19 11:43:09 220.127.116.11 OPTIONS /ManageSoftRL - 443 - 18.104.22.168 FlexNet+Manager+Platform/16.0.1+(Windows+x86) - 404 6 0 119
At the end you can see the 404 response. And this goes for:
So I've left denied OPTIONS on the Default Web Page site and I've removed denial for the ManageSoftDL and ManageSoftRL sites on the Inventory servers.
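Added example, not from the thread or from the poster: the `404 6` at the end of the log line is HTTP status 404 with sub-status 6, which is the code IIS Request Filtering returns for a denied verb, so the breakage can be found in the W3C logs before beacons start failing. The block below parses log lines by their `#Fields:` header and lists the 404.6 entries by verb and path, then removes the inherited OPTIONS denial only for `ManageSoftRL` and `ManageSoftDL`, leaving it in place at the site root as described above. It assumes those two are applications under 'Default Web Site' (the thread calls them sites; adjust the `-Location` strings if they are separate sites) and uses a constructed log sample built around the one line quoted in the thread.

```powershell
# Added example, not from the thread. (a) find "verb denied" (404.6) entries
# in an IIS W3C log; (b) re-allow OPTIONS under /ManageSoftRL and /ManageSoftDL
# while the site-root denial stays. Assumption: both are applications under
# 'Default Web Site'. The log sample is constructed.

function Find-VerbDeniedRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # the header names the columns; the layout is configurable per site
            $fields = $line.Substring('#Fields:'.Length).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Request Filtering answers a denied verb with 404 and sub-status 6
        if ($row['sc-status'] -eq '404' -and $row['sc-substatus'] -eq '6') {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Method = $row['cs-method']
                Path   = $row['cs-uri-stem']
                Agent  = $row['cs(User-Agent)']
            }
        }
    }
}

# Constructed sample: the thread's line plus two made-up neighbours.
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2022-05-19 11:43:09 220.127.116.11 OPTIONS /ManageSoftRL - 443 - 18.104.22.168 FlexNet+Manager+Platform/16.0.1+(Windows+x86) - 404 6 0 119',
    '2022-05-19 11:43:10 220.127.116.11 POST /ManageSoftRL/ - 443 - 18.104.22.168 FlexNet+Manager+Platform/16.0.1+(Windows+x86) - 200 0 0 31',
    '2022-05-19 11:44:02 220.127.116.11 OPTIONS / - 443 - 18.104.22.168 Mozilla/5.0 - 404 6 0 2'
)
Find-VerbDeniedRequests -LogLines $sample |
    Group-Object Method, Path |
    Select-Object Count, Name, @{ n = 'Agents'; e = { ($_.Group.Agent | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize
# On a real inventory server, feed the day's log instead of $sample:
#   Find-VerbDeniedRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220519.log')

# (b) The deny at the site root is inherited by every application beneath it.
# Removing the entry at the application's own location undoes the inherited
# rule for that path only; the root keeps denying OPTIONS.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$verbs   = 'system.webServer/security/requestFiltering/verbs'
$site    = 'Default Web Site'

foreach ($app in 'ManageSoftRL', 'ManageSoftDL') {
    Remove-WebConfigurationProperty -PSPath $appHost -Location "$site/$app" -Filter $verbs `
        -Name '.' -AtElement @{ verb = 'OPTIONS' }
}
```

After running part (b), open applicationHost.config and confirm that the `<location path="Default Web Site">` section still carries `<add verb="OPTIONS" allowed="false" />` while the two application locations carry a `<remove verb="OPTIONS" />` entry; then run part (a) over the next log file to confirm the `FlexNet+Manager+Platform` user agent no longer produces 404.6 rows, which is the check the beacons themselves cannot report.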