Security Best Practices for SUMMIT Application Deployment Denali

On this page: 

Security Best Practices for SummitAI Application Deployment

Changes on SummitAI Components

Vulnerability Type

SummitAI Web Application

SummitAI Data Collector

SummitAI Proxy

SummitAI Asset Agent

SummitAI Server Agent

 

Clickjacking Attack

X

X

X



Poodle vulnerability

X

X

X



SSL Ciphers multiple vulnerabilities

X

X

X



Directory Browsing

X

X

X



Disable HTTP Options, Trace, Head, Copy and Unlock methods in IIS

X

X

X



Disabling TLS 1.0

X

X

X



Please restart the server after the changes are done.

Clickjacking Attack

An attacker can use this technique to trick a user to perform certain actions on an application by hiding clickable elements inside an Invisible Iframe.

Web.Config Change(s)

<httpProtocol>

            <customHeaders>

                        <add name="X-Frame-Options" value="SAMEORIGIN" />

            </customHeaders>

</httpProtocol>

Poodle Vulnerability

A potential attacker, acting as MiTM, can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. The SSL 2.0 and 3.0 are generally considered more vulnerable. All the servers and clients are advised not to connect over such protocols.

  • Copy and import embedded registry file on the server where Poodle vulnerability is found. 
  • After the registry file is imported, navigate to the following registry path and do the following configuration:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000

SSL Ciphers Multiple Vulnerabilities

An attacker can use this technique to trick a user to perform certain actions on an application by hiding clickable elements inside an Invisible Iframe.

  • Copy and import embedded registry file on the server where RC4 vulnerability is found.
  • Once imported navigate to the following registry path and perform the following configurations:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

Directory Browsing

An attacker can anonymously access information related to the remote server like help files and documentation, which could be further helpful in planning the malicious activities.

How to fix?

  1. Go to IIS.
  2. Select the Website.
  3. Under IIS, select Directory Browsing.
  4. Click on Disable under Actions.

Disable HTTP Options, Trace, Head, Copy and Unlock Methods in IIS

Add the following tags in web.config to disable HTTP options, Trace, Head, Copy and Unlock methods in IIS.

<security>

   <requestFiltering>

    <verbs allowUnlisted="true">

     <add verb="OPTIONS" allowed="false" />

    </verbs>

   </requestFiltering>

  </security>

Disabling TLS 1.0

If TLSv1.0 protocol is enabled on the server, it can compromise the sensitive data in an encrypted session (due to its cryptographic weaknesses). Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography. To disable this, we need to follow the steps mentioned in the following steps. This vulnerability is very similar to Poodle and many times the remediation is carried out along with SSL 2.0 and 3.0 connection remediation. While the customers not using HTTPS protocol may not get affected by these changes, turning off SSL (HTTPS) is not advisable as HTTP connections can be eavesdropped into and sensitive data can be stolen.  

Impact on SummitAI Components

  • Web Application
    • Users using desktops with Windows XP, Windows Vista, Windows 2003, and Windows 2008 operating systems will not be able to access the SummitAI web application URL over https protocol.
    • Proxy Agent
      • The Asset Agents installed on Windows XP, Windows Vista, Windows 2003, and Windows 2008 Operating systems will not be able to access the Proxy URL over https protocol.
      • The Server Agents installed on Windows XP, Windows Vista, Windows 2003, and Windows 2008 Operating systems will not be able to access the Proxy URL over https protocol.
      • Data Collector
        • The Proxy Agents installed on Windows XP, Windows Vista, Windows 2003, and Windows 2008 operating systems will not be able to access the Data Collector URL over https protocol.
        • The Asset Agents installed on Windows XP, Windows Vista, Windows 2003 and Windows 2008 operating systems and posting data directly to the Data Collector will not be able to access the URL over https protocol.
        • The Server Agents installed on Windows XP, Windows Vista, Windows 2003, and Windows 2008 operating systems and posting data directly to the Data Collector will not be able to access the URL over https protocol.
        • The Mobile desktop application installed on Windows XP, Windows Vista, Windows 2003, and Windows 2008 operating systems will not be able to access the Data Collector URL over https protocol.

Steps to Disable TLS 1.0

  • Copy and import the embedded registry file on the server where TLS 1.0 vulnerability is found.
  • After the registry file is imported, navigate to the following registry path and do the following configurations:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server