
Windows 2016 Standard - SecureAuth IdP appliance baseline security hardening settings

Introduction

SecureAuth IdP appliances running on Windows Server 2016 (Standard) use the Microsoft-recommended best practices for baseline security hardening settings. However, there are some configuration changes that must be made to these settings to allow the IIS role and the SecureAuth IdP appliance to function; these modifications are explained in this document.

Microsoft Windows security baselines, maintained and published by Microsoft, are based on the Microsoft Security Compliance Toolkit 1.0 content.

Microsoft's default permissions and user rights for IIS 7.x and 8.x servers, also maintained and published by Microsoft, are documented in KB 981949.

Prerequisites

The Windows Local Security Policy editor and/or the Active Directory Group Policy tools are required to modify the policies described in this document.

IMPORTANT: If you join the SecureAuth IdP appliance to an Active Directory domain, any Group Policy Objects (GPOs) applied to the appliance can override its pre-configured security settings.

We recommend the following:

  • Do not join your appliance to an existing domain. If you do, check how the existing GPOs will interact with the pre-configured security settings and adjust the GPOs as required.

  • Place the SecureAuth IdP appliance computer account in a separate Organizational Unit (OU), block inheritance of other GPOs to this OU, and then create a custom GPO that applies only the minimum settings required by your corporate Active Directory policies.
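The OU isolation described above, as an added PowerShell example that is not part of the SecureAuth documentation. It creates the dedicated OU, blocks inheritance, links a single custom GPO, moves the computer account and then lists what still applies. The domain name (corp.example), parent OU, computer name (SAIDP01) and GPO name are hypothetical values; the script needs the RSAT ActiveDirectory and GroupPolicy modules on the workstation it runs from.

```powershell
# Added example, not part of the SecureAuth documentation: put the IdP appliance's
# computer account in its own OU, block GPO inheritance there, and link one minimal GPO.
# Hypothetical values: domain corp.example, parent OU "Servers", computer SAIDP01.
# Requires the RSAT ActiveDirectory and GroupPolicy modules on the admin workstation.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$parentOu = 'OU=Servers,DC=corp,DC=example'   # assumption
$ouName   = 'SecureAuth IdP'
$ouDn     = "OU=$ouName,$parentOu"
$computer = 'SAIDP01'                          # assumption
$gpoName  = 'SecureAuth IdP - Minimal Corporate Settings'   # assumption

# 1. Dedicated OU, protected from accidental deletion.
try   { $null = Get-ADOrganizationalUnit -Identity $ouDn }
catch { New-ADOrganizationalUnit -Name $ouName -Path $parentOu -ProtectedFromAccidentalDeletion $true }

# 2. Stop GPOs linked at the domain or at parent OUs from flowing into this OU.
$null = Set-GPInheritance -Target $ouDn -IsBlocked Yes

# 3. One custom GPO carrying only the settings the appliance must receive.
$gpo = Get-GPO -All | Where-Object DisplayName -eq $gpoName
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
if (-not ((Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    $null = New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes
}

# 4. Move the appliance's computer account into the OU.
$dn = (Get-ADComputer -Identity $computer).DistinguishedName
if ($dn -notlike "*,$ouDn") { Move-ADObject -Identity $dn -TargetPath $ouDn }

# 5. Check what still applies. Blocking inheritance does not stop links marked
#    Enforced, so every GPO listed here will reach the appliance regardless.
$inh = Get-GPInheritance -Target $ouDn
"Inheritance blocked on {0}: {1}" -f $ouDn, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Target | Format-Table -AutoSize
```

After the move, run gpupdate /force on the appliance and then gpresult /r /scope:computer; only the custom GPO and any enforced GPOs from parent containers should be listed. Enforced links are the one thing "Block Inheritance" cannot stop, so those have to be reviewed with the domain administrators rather than filtered out at the OU.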

Default security policy configuration

All settings from the Microsoft security baseline for Windows Server 2016 have been applied, with the additional configuration changes described below.

IMPORTANT: If you make changes to these policies after deployment of the SecureAuth IdP appliance, it is important to track these changes in case support issues arise in the future.
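One way to track post-deployment changes, as an added example that is not part of the SecureAuth documentation: snapshot the complete firewall rule set (including the port, address and program filters behind each rule) to a JSON file right after deployment, and diff later snapshots against it. The file path is a placeholder; run the script as an administrator on the appliance.

```powershell
# Added example, not part of the SecureAuth documentation: record the firewall rule set
# right after deployment and diff later snapshots against that baseline, so every
# change is visible when a support case comes up. Run as Administrator on the appliance;
# the file path is a placeholder.
function Get-FirewallSnapshot {
    # One flat record per rule, including the port/address/program filters.
    Get-NetFirewallRule | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Group         = $_.DisplayGroup
            Enabled       = [string]$_.Enabled
            Direction     = [string]$_.Direction
            Action        = [string]$_.Action
            Protocol      = [string]$port.Protocol
            LocalPort     = ($port.LocalPort     -join ',')
            RemotePort    = ($port.RemotePort    -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = [string]$app.Program
        }
    } | Sort-Object Name
}

function Save-FirewallBaseline([string]$Path) {
    Get-FirewallSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-FirewallBaseline([string]$Path) {
    $fields = 'DisplayName', 'Group', 'Enabled', 'Direction', 'Action',
              'Protocol', 'LocalPort', 'RemotePort', 'RemoteAddress', 'Program'
    $base = @{}; foreach ($r in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) { $base[$r.Name] = $r }
    $now  = @{}; foreach ($r in Get-FirewallSnapshot)                               { $now[$r.Name]  = $r }

    foreach ($n in $now.Keys) {
        if (-not $base.ContainsKey($n)) {
            [pscustomobject]@{ Change = 'Added'; Rule = $now[$n].DisplayName; Field = ''; Baseline = ''; Current = '' }
            continue
        }
        foreach ($f in $fields) {
            if ([string]$base[$n].$f -ne [string]$now[$n].$f) {
                [pscustomobject]@{ Change = 'Modified'; Rule = $now[$n].DisplayName; Field = $f
                                   Baseline = $base[$n].$f; Current = $now[$n].$f }
            }
        }
    }
    foreach ($n in $base.Keys) {
        if (-not $now.ContainsKey($n)) {
            [pscustomobject]@{ Change = 'Removed'; Rule = $base[$n].DisplayName; Field = ''; Baseline = ''; Current = '' }
        }
    }
}

# Usage (paths are placeholders):
#   Save-FirewallBaseline -Path 'C:\Baseline\firewall-2016-baseline.json'   # once, at deployment
#   Compare-FirewallBaseline -Path 'C:\Baseline\firewall-2016-baseline.json' | Format-Table -AutoSize
```

Keep a copy of the baseline file off the appliance (for example in the same place as the change tickets); a baseline that lives only on the host it describes can be edited by anyone who has already changed the host.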

Required policies

Note on port direction: for the outbound rules in this document, the port shown as LocalPort is the port of the remote service being contacted (for example 443 for HTTPS, 123 for NTP). When you recreate such a rule with New-NetFirewallRule, pass that value as -RemotePort; an outbound rule restricted by -LocalPort 443 would only match traffic sent from the appliance's own port 443, not ordinary client connections, whose source port is ephemeral.

Application               Protocol (Direction)   Port      Rights   Remote addresses
World Wide Web Services   HTTPS Traffic-In                 Enable
Remote Desktop            UDP-In                           Enable
Remote Desktop            TCP-In                           Enable
Networking                UDP-Out                          Enable
Networking                DHCP-In                          Enable
Networking                DHCP-Out                         Enable
DNS                       TCP-Out                          Enable
Networking                LocalPort (TCP-Out)    80, 443   Enable   208.82.207.89, 208.74.31.114, 146.88.110.112, 146.88.110.114
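A check for the state described in the table, as an added PowerShell example that is not part of the SecureAuth documentation. It verifies the firewall profile defaults and confirms that an enabled rule exists for each required entry, then flags Remote Desktop rules that are still reachable from any address. Only the HTTPS rule name is the exact built-in Windows name; the other entries are matched with wildcard patterns built from the partial names in the table. Treating Block as the expected default outbound action is an assumption (it is implied by the explicit outbound allow rules this document lists); change it if your profile is configured differently.

```powershell
# Added example, not part of the SecureAuth documentation: check the firewall profile
# defaults and confirm an enabled rule exists for each required entry in the table.
# Only the HTTPS rule name is the exact built-in name; the other patterns match on the
# partial names the table gives. The outbound default of Block is an assumption, implied
# by the explicit outbound allow rules this document lists; adjust it if your profile differs.
$expectInbound  = 'Block'
$expectOutbound = 'Block'   # assumption, see above

$required = @(
    @{ Item = 'HTTPS in (IIS)'; Pattern = 'World Wide Web Services (HTTPS Traffic-In)'; Direction = 'Inbound'  },
    @{ Item = 'RDP TCP in';     Pattern = 'Remote Desktop*(TCP-In)';                     Direction = 'Inbound'  },
    @{ Item = 'RDP UDP in';     Pattern = 'Remote Desktop*(UDP-In)';                     Direction = 'Inbound'  },
    @{ Item = 'DHCP in';        Pattern = '*(DHCP-In)';                                  Direction = 'Inbound'  },
    @{ Item = 'DHCP out';       Pattern = '*(DHCP-Out)';                                 Direction = 'Outbound' },
    @{ Item = 'DNS out';        Pattern = '*DNS*(*-Out)';                                Direction = 'Outbound' }
)

function Test-RequiredFirewallState {
    $findings = @()
    foreach ($p in Get-NetFirewallProfile) {
        if ([string]$p.Enabled -ne 'True') {
            $findings += "Profile $($p.Name): firewall is off"
        }
        if ([string]$p.DefaultInboundAction -ne $expectInbound) {
            $findings += "Profile $($p.Name): DefaultInboundAction=$($p.DefaultInboundAction), expected $expectInbound"
        }
        if ([string]$p.DefaultOutboundAction -ne $expectOutbound) {
            $findings += "Profile $($p.Name): DefaultOutboundAction=$($p.DefaultOutboundAction), expected $expectOutbound"
        }
    }
    foreach ($r in $required) {
        $hits = @(Get-NetFirewallRule -DisplayName $r.Pattern -Direction $r.Direction -Enabled True -ErrorAction SilentlyContinue)
        if ($hits.Count -eq 0) {
            $findings += "$($r.Item): no enabled $($r.Direction) rule matches '$($r.Pattern)'"
        }
    }
    # The built-in RDP rules allow any source; list their scope so an unrestricted
    # management port does not go unnoticed.
    foreach ($rule in Get-NetFirewallRule -DisplayName 'Remote Desktop*In)' -Enabled True -ErrorAction SilentlyContinue) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        if ($remote -eq 'Any') {
            $findings += "$($rule.DisplayName): reachable from Any; consider Set-NetFirewallRule -RemoteAddress <management subnet>"
        }
    }
    if ($findings.Count -eq 0) { 'OK: profile defaults and required rules are in place' } else { $findings }
}

Test-RequiredFirewallState
```

The table requires the Remote Desktop rules to be enabled but says nothing about their scope; restricting them to the management network with Set-NetFirewallRule -RemoteAddress keeps the rule enabled as required while removing RDP from the reach of every other host that can route to the appliance.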

SecureAuth Support services

SecureAuth Support Services

  • Allow: SecureAuth Support, SecureAuth Support Services

  • Direction: Outbound

  • LocalPort: 443

  • Protocol: TCP

  • Action: Allow

  • RemoteAddress: 162.209.71.139, 68.225.24.163

  • Description: Allows access to the SecureAuth support resources.

NTP

  • Allow: NTP

  • Direction: Outbound

  • LocalPort: 123

  • Protocol: UDP

  • Action: Allow

  • Group: SecureAuth

  • Description: Allows access to NTP time servers.

Windows Update

  • Allow: Windows Update

  • Direction: Outbound

  • Program: C:\windows\System32\svchost.exe

  • LocalPort: 80, 443

  • Protocol: TCP

  • Action: Allow

  • Group: SecureAuth

  • Description: This rule is required to obtain security updates for the operating system.

Windows Activation

  • Allow: Windows Activation -1

  • Direction: Outbound

  • Program: C:\Windows\System32\Dism.exe

  • LocalPort: 80, 443

  • Protocol: TCP

  • Action: Allow

  • Group: SecureAuth

  • Description: This rule is required to activate the appliance's Windows OS license. This rule can be disabled after activation.

Windows Activation

  • Allow: Windows Activation -2

  • Direction: Outbound

  • Program: C:\Windows\System32\changepk.exe

  • LocalPort: 80, 443

  • Protocol: TCP

  • Action: Allow

  • Group: SecureAuth

  • Description: This rule is required to activate the appliance's Windows OS license. This rule can be disabled after activation.

SecureAuth Activation

  • Allow: SecureAuth Activation

  • Direction: Outbound

  • Program: C:\Program Files (x86)\SecureAuth\SecureAuth IdP Setup Utility\SecureAuthIdPSetupUtility.exe

  • LocalPort: 80, 443

  • Protocol: TCP

  • Action: Allow

  • Group: SecureAuth

  • Description: This rule is required to activate SecureAuth IdP. This rule can be disabled after activation.
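How two of the rules above look when recreated with New-NetFirewallRule, and how the one-time activation rules are switched off afterwards, as an added PowerShell example that is not part of the SecureAuth documentation. The rule names, group name and support addresses are the ones listed above; the NTP server addresses are placeholders. The port the tables list under LocalPort is passed as -RemotePort, since for an outbound connection it is the service port on the far end.

```powershell
# Added example, not part of the SecureAuth documentation: recreate two of the outbound
# rules above with New-NetFirewallRule and switch off the activation rules once activation
# has completed. The port the table lists under "LocalPort" goes into -RemotePort here:
# for an outbound connection it is the service port on the far end (443, 123), while the
# appliance's own source port is ephemeral. The NTP server addresses are placeholders.
$group = 'SecureAuth'

# Outbound HTTPS to the two SecureAuth support addresses, and to nothing else.
if (-not (Get-NetFirewallRule -DisplayName 'SecureAuth Support Services' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SecureAuth Support Services' -Group $group `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 `
        -RemoteAddress '162.209.71.139', '68.225.24.163' `
        -Description 'Allows access to the SecureAuth support resources.' | Out-Null
}

# Outbound NTP. The table allows UDP/123 to any host; pinning -RemoteAddress to the
# organisation's time servers keeps the same function with a smaller reach.
$ntpServers = '10.0.0.10', '10.0.0.11'   # assumption: replace with your NTP servers
if (-not (Get-NetFirewallRule -DisplayName 'NTP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'NTP' -Group $group `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 123 `
        -RemoteAddress $ntpServers `
        -Description 'Allows access to NTP time servers.' | Out-Null
}

# The three activation rules are one-time; disable them afterwards.
$activation = 'Windows Activation -1', 'Windows Activation -2', 'SecureAuth Activation'
Disable-NetFirewallRule -DisplayName $activation -ErrorAction SilentlyContinue

# Show the resulting outbound rules in the group with their effective port and scope.
Get-NetFirewallRule -Group $group -Direction Outbound |
    Select-Object DisplayName, Enabled,
        @{ n = 'RemotePort';    e = { ($_ | Get-NetFirewallPortFilter).RemotePort -join ',' } },
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } },
        @{ n = 'Program';       e = { ($_ | Get-NetFirewallApplicationFilter).Program } } |
    Format-Table -AutoSize
```

The Windows Update rule above is keyed to svchost.exe, which hosts many Windows services besides the update client, so that rule allows any of them out on 80 and 443 to any address; where the update source is a fixed set of hosts, adding -RemoteAddress to that rule narrows it without affecting updates.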

Optional policies

The following rules are pre-created on the appliance with New-NetFirewallRule in the SecureAuth group but left disabled (Enable: FALSE). Enable only the ones your deployment needs.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: SecureAuth Filesync Service (TCP-In)

  • Direction: Inbound

  • LocalPort: 139, 445

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: This service allows configuration information to be synchronized between members of a cluster.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: SecureAuth Filesync Service (UDP-In)

  • Direction: Inbound

  • LocalPort: 137, 138

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: This service allows configuration information to be synchronized between members of a cluster.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: RADIUS

  • Direction: Inbound

  • LocalPort: 1812, 1813

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if the SecureAuth RADIUS service is being used.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: SecureAuth Filesync Service (TCP-Out)

  • Direction: Outbound

  • LocalPort: 139, 445

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: This service allows configuration information to be synchronized between members of a cluster.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: SecureAuth Filesync Service (UDP-Out)

  • Direction: Outbound

  • LocalPort: 137, 138

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: This service allows configuration information to be synchronized between members of a cluster.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Active Directory-LDAP (TCP-Out)

  • Direction: Outbound

  • LocalPort: 88, 389, 636, 3268, 3269

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if your Data Store is Active Directory or LDAP.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Active Directory-LDAP (UDP-Out)

  • Direction: Outbound

  • LocalPort: 88, 389

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if your Data Store is Active Directory or LDAP.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Active Directory Password Reset (TCP-Out)

  • Direction: Outbound

  • LocalPort: 139, 445, 464

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if you have an Active Directory Data Store and want to use a Password Reset realm.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Active Directory Password Reset (UDP-Out)

  • Direction: Outbound

  • LocalPort: 445, 464

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if you have an Active Directory Data Store and want to use a Password Reset realm.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Domain Membership (TCP-Out)

  • Direction: Outbound

  • LocalPort: 389, 636, 3268, 3269, 88, 445, 139, 1025-5000, 49152-65535

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if the appliance will be joined to a domain.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Domain Membership (UDP-Out)

  • Direction: Outbound

  • LocalPort: 389, 88, 445, 137, 138, 1025-5000, 49152-65535

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if the appliance will be joined to a domain.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: SQL

  • Direction: Outbound

  • LocalPort: 1433

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if using ODBC/MSSQL as a Data Store and/or reporting server.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: Syslog

  • Direction: Outbound

  • LocalPort: 514

  • Protocol: UDP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if Syslog logging will be used.

New-NetFirewallRule

DisplayName: SecureAuth

  • Allow: SMTP

  • Direction: Outbound

  • LocalPort: 25, 465, 587

  • Protocol: TCP

  • Action: Allow

  • Enable: FALSE

  • Group: SecureAuth

  • Description: Required if you will be using the Email OTP functionality.
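Enabling the optional rules a deployment needs, as an added PowerShell example that is not part of the SecureAuth documentation. Each rule is narrowed to the hosts it actually talks to before it is enabled, so the inbound SMB rules for cluster file sync, for example, are never open to every host on the network. The rule display names are the "Allow" values from the table above; the domain controller, cluster peer and syslog addresses are placeholders.

```powershell
# Added example, not part of the SecureAuth documentation: enable the pre-created
# (disabled) optional rules a deployment needs and, at the same time, narrow each one
# to the hosts it really talks to. Rule display names are the "Allow" values from the
# table; the host addresses are placeholders for your environment.
$dataStoreDcs = '10.0.1.5', '10.0.1.6'      # assumption: AD domain controllers used as data store
$clusterPeers = '10.0.2.21', '10.0.2.22'    # assumption: the other IdP appliances in the cluster
$syslogServer = '10.0.3.50'                 # assumption: SIEM collector

$plan = @(
    @{ Rules = 'Active Directory-LDAP (TCP-Out)', 'Active Directory-LDAP (UDP-Out)'
       Remote = $dataStoreDcs },
    @{ Rules = 'Active Directory Password Reset (TCP-Out)', 'Active Directory Password Reset (UDP-Out)'
       Remote = $dataStoreDcs },
    @{ Rules = 'SecureAuth Filesync Service (TCP-In)', 'SecureAuth Filesync Service (UDP-In)',
               'SecureAuth Filesync Service (TCP-Out)', 'SecureAuth Filesync Service (UDP-Out)'
       Remote = $clusterPeers },
    @{ Rules = 'Syslog'
       Remote = $syslogServer }
)

foreach ($item in $plan) {
    foreach ($name in $item.Rules) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "Rule '$name' not found; skipping"; continue }
        # Scope first, then enable, so the rule is never briefly open to Any.
        $rule | Set-NetFirewallRule -RemoteAddress $item.Remote
        $rule | Enable-NetFirewallRule
    }
}

# Anything in the SecureAuth group that is enabled but still allows any remote address
# deserves a second look.
Get-NetFirewallRule -Group 'SecureAuth' -Enabled True | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        [pscustomobject]@{ Rule = $_.DisplayName; Direction = [string]$_.Direction; RemoteAddress = 'Any' }
    }
} | Format-Table -AutoSize
```

The Filesync rules open TCP 139/445 and UDP 137/138 inbound, which is SMB; scoping them to the cluster peers is what keeps that exposure limited to the machines that need it.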

Disable unneeded MS Networking Rules

The following built-in Windows rules are turned off with Set-NetFirewallRule (Enable: FALSE). Each entry is the rule's full display name as it appears in Windows Firewall.

  • Core Networking - Group Policy (LSASS-Out)

  • Core Networking - Group Policy (NP-Out)

  • Core Networking - Group Policy (TCP-Out)

  • Core Networking - Internet Group Management Protocol (IGMP-Out)

  • Core Networking - IPHTTPS (TCP-Out)

  • Core Networking - IPv6 (IPv6-Out)

  • Core Networking - Multicast Listener Done (ICMPv6-Out)

  • Core Networking - Multicast Listener Query (ICMPv6-Out)

  • Core Networking - Multicast Listener Report (ICMPv6-Out)

  • Core Networking - Multicast Listener Report v2 (ICMPv6-Out)

  • Core Networking - Neighbor Discovery Advertisement (ICMPv6-Out)

  • Core Networking - Neighbor Discovery Solicitation (ICMPv6-Out)

  • Core Networking - Packet Too Big (ICMPv6-Out)

  • Core Networking - Parameter Problem (ICMPv6-Out)

  • Core Networking - Router Advertisement (ICMPv6-Out)

  • Core Networking - Router Solicitation (ICMPv6-Out)

  • Core Networking - Teredo (UDP-Out)

  • Core Networking - Time Exceeded (ICMPv6-Out)

  • Core Networking - Destination Unreachable (ICMPv6-In)

  • Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)

  • Core Networking - Internet Group Management Protocol (IGMP-In)

  • Core Networking - IPHTTPS (TCP-In)

  • Core Networking - IPv6 (IPv6-In)

  • Core Networking - Multicast Listener Done (ICMPv6-In)

  • Core Networking - Multicast Listener Query (ICMPv6-In)

  • Core Networking - Multicast Listener Report (ICMPv6-In)

  • Core Networking - Multicast Listener Report v2 (ICMPv6-In)

  • Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)

  • Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)

  • Core Networking - Packet Too Big (ICMPv6-In)

  • Core Networking - Parameter Problem (ICMPv6-In)

  • Core Networking - Router Advertisement (ICMPv6-In)

  • Core Networking - Router Solicitation (ICMPv6-In)

  • Core Networking - Teredo (UDP-In)

  • Core Networking - Time Exceeded (ICMPv6-In)

  • Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)

  • Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)

  • Windows Remote Management - Compatibility Mode (HTTP-In)

  • Windows Remote Management (HTTP-In)

  • Windows Communication Foundation Net.TCP Listener Adapter (TCP-In)

  • SNMP Service (UDP Out)

  • SNMP Service (UDP In)
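Applying this list and checking what remains, as an added PowerShell example that is not part of the SecureAuth documentation. The script disables every rule above by display name, reports any name that matches nothing on the host (so a mismatch cannot leave a rule enabled unnoticed), and then prints the enabled inbound allow rules that are left, which is the appliance's remaining listening surface. A wildcard is used for the DHCPv6 rule names because the spacing before the bracket differs between Windows builds.

```powershell
# Added example, not part of the SecureAuth documentation: disable the built-in rules
# listed above by display name and then show which inbound allow rules remain enabled.
# Names that do not exist on the host are reported rather than silently skipped.
$icmpv6 = 'Multicast Listener Done', 'Multicast Listener Query', 'Multicast Listener Report',
          'Multicast Listener Report v2', 'Neighbor Discovery Advertisement',
          'Neighbor Discovery Solicitation', 'Packet Too Big', 'Parameter Problem',
          'Router Advertisement', 'Router Solicitation', 'Time Exceeded'

# The ICMPv6 entries appear in both directions in the table; build both names for each.
$names = @(foreach ($n in $icmpv6) { "Core Networking - $n (ICMPv6-Out)"; "Core Networking - $n (ICMPv6-In)" })
$names += 'Core Networking - Destination Unreachable (ICMPv6-In)',
          'Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)',
          'Core Networking - Group Policy (LSASS-Out)',
          'Core Networking - Group Policy (NP-Out)',
          'Core Networking - Group Policy (TCP-Out)',
          'Core Networking - Internet Group Management Protocol (IGMP-Out)',
          'Core Networking - Internet Group Management Protocol (IGMP-In)',
          'Core Networking - IPHTTPS (TCP-Out)',
          'Core Networking - IPHTTPS (TCP-In)',
          'Core Networking - IPv6 (IPv6-Out)',
          'Core Networking - IPv6 (IPv6-In)',
          'Core Networking - Teredo (UDP-Out)',
          'Core Networking - Teredo (UDP-In)',
          'Core Networking - Dynamic Host Configuration Protocol for IPv6*(DHCPV6-In)',   # wildcard: spacing varies
          'Core Networking - Dynamic Host Configuration Protocol for IPv6*(DHCPV6-Out)',
          'Windows Remote Management - Compatibility Mode (HTTP-In)',
          'Windows Remote Management (HTTP-In)',
          'Windows Communication Foundation Net.TCP Listener Adapter (TCP-In)',
          'SNMP Service (UDP Out)',
          'SNMP Service (UDP In)'

$missing = @()
foreach ($name in $names) {
    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { $missing += $name; continue }
    $rules | Disable-NetFirewallRule
}
if ($missing.Count) { Write-Warning ("No rule found for: " + ($missing -join '; ')) }

# Residual inbound surface: every enabled inbound allow rule, with port and source scope.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, DisplayGroup, Profile,
        @{ n = 'LocalPort';     e = { ($_ | Get-NetFirewallPortFilter).LocalPort -join ',' } },
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Sort-Object DisplayName | Format-Table -AutoSize
```

One of the rules in the list, Destination Unreachable Fragmentation Needed (ICMPv4-In), carries the message that IPv4 path MTU discovery depends on. With it disabled, large HTTPS responses can stall on paths with a reduced MTU (VPN or tunnel links); if that symptom appears, this is the first rule to re-enable.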