Hello,
I have a few questions and I failed to find the answers for all of them, so can we summarize it here, please?
1) Can we disable the HTTP OPTIONS method for IIS?
2) Can the IIS default welcome page be removed?
3) Can we disable weak ciphers on all web servers (Batch, Web, Inventory, Beacon)?
Thank you!
Regards,
Pavol
‎May 18, 2022 09:21 AM
Hi Pavol,
Best regards,
Markward
PS: Have you checked the "HTTP Response Headers" as well?
‎May 19, 2022 04:57 AM - edited ‎May 19, 2022 05:05 AM
Hi Markward,
thanks for the reply.
I've had to apply all three points yesterday.
Regarding all questions, please take into consideration that Beacons, Inventory Server, Batch server, Web server are also usually running on IIS. Not only the "Application server", which we don't have because we have a large implementation. We are already redirecting users from root to /Suite on the Web server.
"HTTP Response Headers" doesn't ring a bell now...
Thanks!
Regards,
Pavol
‎May 19, 2022 05:24 AM - edited ‎May 19, 2022 06:46 AM
"HTTP Response Headers" do come up in security audits from time to time, because they can reveal to attackers the nature of the webserver, like the default "X-Powered-By" with "ASP.NET". Therefore some companies require them to be removed. This is also part of Microsoft's best practice: https://techcommunity.microsoft.com/t5/itops-talk-blog/windows-server-101-hardening-iis-via-security-control/ba-p/329979
There's a whole lot of other things on that list that I never applied, so I cannot tell much about them.
There's also some cross site scripting (XSS) that can be set (see origin-when-cross-origin), but is not mentioned in the Microsoft list.
‎May 19, 2022 05:38 AM - edited ‎May 19, 2022 05:38 AM
Ah, I see, thanks for the info. I don't need to apply all security settings by myself, because our CyberSecurity is doing that for us in some cases by applying the Group Policy and their scripts etc. I'm only doing some additional things which were captured by the Vulnerabilities scan.
To the topic - I just found that Beacons have issues with communicating to the Inventory server because of denied OPTIONS:
From IIS log on the Inventory server (IPs are redacted):
2022-05-19 11:43:09 1.1.1.1 OPTIONS /ManageSoftRL - 443 - 2.2.2.2 FlexNet+Manager+Platform/16.0.1+(Windows+x86) - 404 6 0 119
At the end you can see the 404 response. And this goes for:
/ManageSoftDL/
/ManageSoftRL/BeaconStatus
/ManageSoftRL/Inventories
/ManageSoftRL/ActiveDirectory
/ManageSoftDL/
etc.
So I've left denied OPTIONS on the Default Web Page site and I've removed denial for the ManageSoftDL and ManageSoftRL sites on the Inventory servers.
‎May 19, 2022 06:51 AM
@pavol_holes
Agents initiate communication with Beacons using GET, PUT and OPTIONS.
Beacons initiate communication with App/Batch Server using GET, PUT and OPTIONS.
‎May 19, 2022 08:50 AM
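The IIS log line quoted in the thread ends in `404 6`, which is IIS status 404.6 (verb denied by request filtering). As an added example, not written by any poster in this thread, the Python below groups such denials by application path and user agent, so the virtual directories that still need OPTIONS can be identified before the rule is tightened. The sample log is constructed around the quoted line and assumes the default W3C field set with sub-status logging enabled.

```python
from collections import Counter

# Constructed sample in IIS W3C format. The first request line is the one quoted
# in the thread; all other lines (and the "scanner/1.0" agent) are made up.
UA = "FlexNet+Manager+Platform/16.0.1+(Windows+x86)"
SAMPLE_LOG = f"""\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-05-19 11:43:09 1.1.1.1 OPTIONS /ManageSoftRL - 443 - 2.2.2.2 {UA} - 404 6 0 119
2022-05-19 11:43:10 1.1.1.1 OPTIONS /ManageSoftRL/BeaconStatus - 443 - 2.2.2.2 {UA} - 404 6 0 3
2022-05-19 11:43:11 1.1.1.1 OPTIONS /ManageSoftDL/ - 443 - 2.2.2.2 {UA} - 404 6 0 2
2022-05-19 11:43:12 1.1.1.1 GET /ManageSoftDL/ - 443 - 2.2.2.2 {UA} - 200 0 0 15
2022-05-19 11:44:00 1.1.1.1 OPTIONS / - 443 - 3.3.3.3 scanner/1.0 - 404 6 0 1
2022-05-19 11:44:05 1.1.1.1 GET /missing.html - 443 - 3.3.3.3 scanner/1.0 - 404 0 2 4
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def verb_denials(text):
    """Count 404.6 (verb denied) responses per (method, top-level path, user agent)."""
    hits = Counter()
    for row in parse_w3c(text):
        # A plain 404.0 is a missing resource; only sub-status 6 is a denied verb.
        if row.get("sc-status") == "404" and row.get("sc-substatus") == "6":
            app = "/" + row["cs-uri-stem"].lstrip("/").split("/")[0]
            hits[(row["cs-method"], app, row["cs(User-Agent)"])] += 1
    return hits


if __name__ == "__main__":
    for (method, app, agent), count in verb_denials(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {method:8s} {app:15s} {agent}")
```

Denials from a product user agent on an application path point to a rule that is too broad for that path, while denials on `/` from an unrelated agent are the rule working as intended.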