With several of our deployments to state government, law enforcement agencies and corporations with strict compliance objectives, we find ourselves from time to time having to give guidance on the best way to harden an AuthAnvil installation.
In its default configuration, AuthAnvil already reduces its attack surface to an acceptable level for most businesses. However, if you find yourself in a position where you may need to separate duties and responsibilities and harden your AuthAnvil deployment even further, this blog post is for you. What follows are simple steps (in no particular order) that you can take to harden AuthAnvil in such cases.
1. Store your AuthAnvil data in a SQL Server on physically different machines.
By default AuthAnvil is installed using a local instance of SQL Server Express, but you can always target an existing SQL Server anywhere on the network. One hardening technique is to separate the data from the web services by placing them on physically different servers, and to ensure that no one person has administrative privileges on both systems. AuthAnvil already uses a restricted access control set, based on Windows impersonation, to limit access to the AuthAnvil data, and we use SQL Server's own permissions and roles to control what that account can do inside the SQL Server. On top of that, sensitive columns are protected with column level encryption, so a SQL Server administrator will NOT be able to read that data without first obtaining the cipher keys from the web server, which resides on a separate machine he or she should not have access to.
We also recommend, if you have the license for it, using SQL Server 2008 Enterprise Edition and enabling Transparent Data Encryption (TDE). TDE encrypts the database and log files at rest, so an administrator who copies the database files or a backup off the server cannot attach or restore them on an entirely different system for post-event analysis without the server certificate that protects the database encryption key. Keep a backup of that certificate and its private key somewhere the database administrator cannot reach: without it, even you cannot restore the database; with it, the protection is gone. Note that TDE does not limit what a logged-in sysadmin can query on the live instance; that is what the column level encryption above is for.
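The TDE setup described above, as an added example that is not part of the original post or Scorpion Software's tooling. It enables TDE on the AuthAnvil database, backs up the server certificate first, and verifies the encryption state. The instance name, database name, certificate name and backup share are assumptions; the backup share is meant to be writable by the SQL Server service account (which performs the export) but not readable by the database administrators afterwards.

```powershell
# Added example, not Scorpion Software's own tooling. Enables SQL Server 2008
# Transparent Data Encryption (TDE) on the AuthAnvil database and backs up the
# server certificate that protects it, so the database files or backups cannot
# be restored on another machine by someone who does not hold that backup.
# Assumptions (not from the original post): instance name, database name
# 'AuthAnvil', certificate name, and a backup share that the SQL Server service
# account can write to but the database administrators cannot read afterwards.
# Run from an account that is sysadmin on the instance. Requires Enterprise Edition.
param(
    [string]$Instance   = 'DBSERVER',
    [string]$Database   = 'AuthAnvil',
    [string]$CertName   = 'AuthAnvilTDECert',
    [string]$BackupPath = '\\keystore\tde-backups'
)

# Prompt for the two passwords instead of embedding them in the script or
# passing them on a command line where they would show up in process lists.
function Read-PlainPassword([string]$Prompt) {
    $secure = Read-Host -AsSecureString -Prompt $Prompt
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
# Double any single quote so the value is safe inside a T-SQL string literal.
function ConvertTo-SqlLiteral([string]$s) { $s -replace "'", "''" }

$masterKeyPw  = ConvertTo-SqlLiteral (Read-PlainPassword 'Password for the master database master key')
$privateKeyPw = ConvertTo-SqlLiteral (Read-PlainPassword 'Password protecting the exported private key')

$tsql = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$masterKeyPw';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$CertName')
    CREATE CERTIFICATE [$CertName] WITH SUBJECT = 'AuthAnvil TDE certificate';
-- Back up the certificate and private key BEFORE turning encryption on; without
-- this backup the database cannot be restored on another instance, even by you.
BACKUP CERTIFICATE [$CertName]
    TO FILE = '$BackupPath\${CertName}.cer'
    WITH PRIVATE KEY (FILE = '$BackupPath\${CertName}.pvk',
                      ENCRYPTION BY PASSWORD = '$privateKeyPw');
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE [$CertName];
ALTER DATABASE [$Database] SET ENCRYPTION ON;
-- encryption_state: 2 = encryption in progress, 3 = encrypted
SELECT DB_NAME(database_id) AS database_name, encryption_state
FROM sys.dm_database_encryption_keys;
"@

# Write the batch to a temporary file and run it with sqlcmd (-E: Windows
# authentication, -b: stop at the first error), then delete the file, since
# it contains the passwords.
$script = [IO.Path]::GetTempFileName()
try {
    Set-Content -Path $script -Value $tsql -Encoding ASCII
    & sqlcmd.exe -S $Instance -E -b -i $script
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item -Path $script -Force
}
```

Two things to check after running it: the final SELECT should eventually report encryption_state 3 for the AuthAnvil database (and for tempdb, which SQL Server encrypts automatically once any database on the instance uses TDE), and the .cer and .pvk files should exist on the backup share and be unreadable from the database server's administrator accounts.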
2. Enforce IP restrictions on the AuthAnvil administrative web services.
Unless you absolutely need to, there is no reason for external entities to be sending requests to the administrative web services, so you can reduce this attack vector by allowing only the local system to make those requests. Typically you do this by allowing 127.0.0.1 and the IP address that the FQDN on your SSL certificate for the AuthAnvil services resolves to. This way, only the AuthAnvil Manager and the web services themselves can communicate across this channel. If you have external management systems (IT automation systems such as System Center or Kaseya) that use scripting like PowerShell or VBScript to perform administrative updates, you may decide to also include the IP addresses of those systems; keep that list as short as you can.
If you have installed AuthAnvil for IIS6 on Windows Server 2003, you can find guidance on setting up IP restrictions here. If you have installed AuthAnvil for IIS7 on Windows Server 2008, you can find guidance here.
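The IIS7 restriction described above, as an added example that is not part of the original post or Scorpion Software's tooling. It uses the built-in IP and Domain Restrictions feature through appcmd, denies everything not explicitly listed, and then prints the resulting configuration. The application path 'Default Web Site/AuthAnvil' and the addresses are assumptions; substitute the path of your administrative web service and your own addresses.

```powershell
# Added example, not part of the original post or Scorpion Software's tooling.
# Restricts the AuthAnvil administrative web service on IIS7 to an explicit list
# of source addresses using the built-in IP and Domain Restrictions feature.
# Assumptions (not from the original post): the administrative service is the IIS
# application 'Default Web Site/AuthAnvil' (hypothetical path) and the addresses
# listed below. The "IP and Domain Restrictions" role service must be installed.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$appPath = 'Default Web Site/AuthAnvil'
$section = '/section:system.webServer/security/ipSecurity'

$allowed = @(
    '127.0.0.1',   # the AuthAnvil Manager and the web services on the same host
    '192.0.2.10',  # the server's own address that the SSL certificate's FQDN resolves to (example value)
    '192.0.2.50'   # an RMM/automation host that scripts the admin API (example value)
)

# Deny everything that is not explicitly listed. /commit:apphost writes to
# applicationHost.config; the ipSecurity section is locked against web.config
# by default, so committing at the application level would fail.
& $appcmd set config $appPath $section '/allowUnlisted:false' '/commit:apphost'
if ($LASTEXITCODE -ne 0) { throw "appcmd failed setting allowUnlisted ($LASTEXITCODE)" }

foreach ($ip in $allowed) {
    & $appcmd set config $appPath $section "/+[ipAddress='$ip',allowed='true']" '/commit:apphost'
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed adding $ip ($LASTEXITCODE)" }
}

# Review the result. Then test from a host that is NOT listed: it should get HTTP 403.
& $appcmd list config $appPath $section
```

Before relying on this, confirm what source address the server actually sees: if the Manager connects to the FQDN rather than to localhost, or if the service sits behind a reverse proxy or load balancer, the source will be the server's own address or the proxy's, not 127.0.0.1, and the allow list has to reflect that.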
3. Use the AuthAnvil Logon Agent to protect the infrastructure.
It goes without saying that your AuthAnvil server and the database where its information resides are extremely important to protect. As such, you should deploy the AuthAnvil Windows Logon Agent on Windows Server 2003, or the AuthAnvil Credential Provider on Windows Server 2008, on those systems. This ensures that no one who is not authorized can log on to them, and gives you identity assurance controls that support your audit controls, so you know who did.
4. Use IT automation tools to monitor the health and state of the installation.
Once you have deployed AuthAnvil you shouldn't just forget about it. It is important to make sure it continues to function as you expect. If you run IT automation tools like Kaseya, you can use our AuthAnvil Management Pack to watch the health and state of the system. You can even enable the tamper resistance checks to ensure people are not trying to modify the behavior of AuthAnvil in an effort to bypass it. If you have an RMM tool that we do not currently have a management pack for, please contact us. We would be happy to work with you to find the best way to monitor and manage your AuthAnvil deployment.
5. Reduce privileges to configuration data.
You can adjust the access permissions of the configuration data for AuthAnvil to reduce write access to these files and registry keys. Primarily, it is important to ensure that only authorized personnel can write to:
- The AuthAnvil Licensing Manager Configuration file (%PROGRAMFILES%\Scorpion Software\AuthAnvil\AuthAnvil Configuration Wizard\AuthAnvilLicensingManager.exe.config)
- The AuthAnvil Web Service web.config files (%PROGRAMFILES%\Scorpion Software\AuthAnvil\*\web.config)
- The AuthAnvil registry keys (HKLM\SOFTWARE\Scorpion Software\AuthAnvil)
To learn how to adjust the NTFS permissions of files on disk, please read this TechNet article. To learn how to adjust permissions on registry hives, please read this TechNet article.
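The permission changes described in this step, as an added example that is not part of the original post or Scorpion Software's tooling. It breaks inheritance on the three configuration locations listed above, grants SYSTEM and Administrators full control, gives the web service account read-only access, and then reports which identities can still write. The service account (NETWORK SERVICE) and the %ProgramFiles% install location are assumptions: check the identity of the AuthAnvil application pool in IIS Manager, and on 64-bit Windows a 32-bit install lives under %ProgramFiles(x86)% and HKLM\SOFTWARE\Wow6432Node.

```powershell
# Added example, not part of the original post or Scorpion Software's tooling.
# Removes inherited permissions from the AuthAnvil configuration files and registry
# key, grants SYSTEM and Administrators full control, gives the web service
# account read-only access, and then reports which identities can still write.
# Assumptions (not from the original post): the AuthAnvil web services run as
# NETWORK SERVICE (change $serviceAccount to the application pool identity you
# actually use) and the install is under %ProgramFiles%; on 64-bit Windows a
# 32-bit install lives under %ProgramFiles(x86)% and HKLM\SOFTWARE\Wow6432Node.
$serviceAccount = 'NT AUTHORITY\NETWORK SERVICE'
$base   = Join-Path $env:ProgramFiles 'Scorpion Software\AuthAnvil'
$regKey = 'HKLM:\SOFTWARE\Scorpion Software\AuthAnvil'
$files  = @(Join-Path $base 'AuthAnvil Configuration Wizard\AuthAnvilLicensingManager.exe.config') +
          @(Get-ChildItem -Path (Join-Path $base '*\web.config') | ForEach-Object { $_.FullName })

function Set-RestrictedFileAcl([string]$Path, [string]$Reader) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder and discard the inherited entries
    # (under Program Files these typically include Users: Read & execute, which
    # is replaced below by an explicit grant to the service account only).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    # The web service only needs to read its configuration; it never writes it.
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($Reader, 'ReadAndExecute', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Set-RestrictedRegistryAcl([string]$Path, [string]$Reader) {
    $acl  = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inh  = [Security.AccessControl.InheritanceFlags]'ContainerInherit'   # apply to subkeys too
    $prop = [Security.AccessControl.PropagationFlags]::None
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object Security.AccessControl.RegistryAccessRule($id, 'FullControl', $inh, $prop, 'Allow')))
    }
    $acl.AddAccessRule((New-Object Security.AccessControl.RegistryAccessRule($Reader, 'ReadKey', $inh, $prop, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

# Check: list every identity that still holds a write-capable right on an item.
function Get-WriteCapableIdentities([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ("$($_.FileSystemRights)$($_.RegistryRights)" -match 'Write|Modify|FullControl|SetValue|CreateSubKey')
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

foreach ($f in $files) { Set-RestrictedFileAcl -Path $f -Reader $serviceAccount }
Set-RestrictedRegistryAcl -Path $regKey -Reader $serviceAccount

foreach ($item in ($files + $regKey)) {
    '{0}: writable by {1}' -f $item, ((Get-WriteCapableIdentities $item) -join ', ')
}
```

The final report should list only NT AUTHORITY\SYSTEM and BUILTIN\Administrators for every item. After applying it, restart the AuthAnvil application pool and exercise the Manager and the Configuration Wizard: if either fails to start, the account it runs under is not the one you granted read access to, and the fix is to correct $serviceAccount rather than to widen the permissions.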
Conclusion
If any of this seems daunting, don't fret. Simply open a case in the Customer Portal and we would be happy to help you understand the security posture of your server, and provide guidance on how best to harden your system to your specifications.