Windows 2016 Standard - SecureAuth IdP appliance baseline security hardening settings

Introduction

SecureAuth IdP appliances running on Windows Server 2016 (Standard) use the Microsoft-recommended best practices for baseline security hardening settings. However, there are some configuration changes that must be made to these settings to allow the IIS role and the SecureAuth IdP appliance to function; these modifications are explained in this document.

Microsoft Windows security baselines, maintained and published by Microsoft, are based on the Microsoft Security Compliance Toolkit 1.0 content.

Microsoft default permissions and user rights for IIS servers IIS 7.x and 8.x, maintained and published by Microsoft, are found in KB 981949.

Prerequisites

Windows Local Security policy and/or Active Directory Group policy tools are required to modify policies described in this document.

IMPORTANT:If you join the SecureAuth IdP appliance to an Active Directory domain, any Group Policy Objects (GPOs) applied to the appliance can override the pre-configured security settings.

We recommend the following:

Do not join your appliance to an existing domain, but if you do, you should check to see how the existing GPOs will interact with the pre-configured security settings and adjust the GPOs as required.
Do place the SecureAuth IdP appliance computer account in a separate Organization Unit (OU) and block inheritance of other GPOs to this OU, and then create a custom GPO to apply only the minimum settings required for your corporate Active policies.

Default security policy configuration

All settings from the Microsoft security baseline settings for Windows Server 2016 have been applied with additional configuration settings made, as described below.

IMPORTANT: If you make changes to these policies after deployment of the SecureAuth IdP appliance, it is important to track these changes in case support issues arise in the future.

Required polices

Application	Protocol	Port	Direction	Rights
World Wide Web Services	(HTTPS Traffic-In)		Enable
Remote Desktop	(UDP-In)		Enable
Remote Desktop	(TCP-In)		Enable
Networking	(UDP-Out)		Enable
Networking	(DHCP-In)		Enable
Networking	(DHCP-Out)		Enable
DNS	(TCP-Out)		Enable
Networking	LocalPort (TCP-Out)	80,443	Enable	208.82.207.89, 208.74.31.114, 146.88.110.112, 146.88.110.114

SecureAuth Support services

Application	Protocol	Notes
SecureAuth Support Services	162.209.71.139, 68.225.24.163	Allow: SecureAuth Support, SecureAuth Support Services Direction: Outbound LocalPort: 443 Protocol: TCP Action: Allow RemoteAddress: 162.209.71.139, 68.225.24.163 Description: Allows access to the SecureAuth support resources.
NTP		Allow: NTP Direction: Outbound LocalPort: 123 Protocol: UDP Action: Allow Group: SecureAuth Description: Allows access to NTP time servers.
Windows Update		Allow: Windows Update Direction: Outbound Program: C:\windows\System32\svchost.exe LocalPort: 80, 443 Protocol: TCP Action: Allow Group: SecureAuth Description: This rule is required to obtain security updates for the operating system.
Windows Activation		Allow: Windows Activation -1 Direction: Outbound Program: C:\Windows\System32\Dism.exe LocalPort: 80, 443 Protocol: TCP Action: Allow Group: SecureAuth Description: This rule is required to activate the appliances Windows OS license. This rule can be disabled after activation.
Windows Activation		Allow: Windows Activation -2 Direction: Outbound Program: C:\Windows\System32\changepk.exe LocalPort: 80, 443 Protocol: TCP Action: Allow Group: SecureAuth Description: This rule is required to activate the appliances Windows OS license. This rule can be disabled after activation.
SecureAuth Activation		Allow: SecureAuth Activation Direction: Outbound Program: C:\Program Files (x86)\SecureAuth\SecureAuth IdP Setup Utility\SecureAuthIdPSetupUtility.exe LocalPort: 80, 443 Protocol: TCP Action: Allow Group: SecureAuth Description: This rule is required to activate SecureAuth IdP. This rule can be disabled after activation.

Optional policies

Rule	DisplayName	Notes
New-NetFirewallRule	DisplayName: SecureAuth	Allow: SecureAuth Filesync Service (TCP-In) Direction: Inbound LocalPort: 139, 445 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: This service allows configuration information to be synchronized between members of a cluster.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: SecureAuth Filesync Service (UDP-In) Direction: Inbound LocalPort: 137, 138 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: This service allows configuration information to be synchronized between members of a cluster.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: RADIUS Direction: Inbound LocalPort: 18, 121, 813 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if the SecureAuth RADIUS service is being used.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: SecureAuth Filesync Service (TCP-Out) Direction: Outbound LocalPort: 139, 445 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: This service allows configuration information to be synchronized between members of a cluster.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: SecureAuth Filesync Service (UDP-Out) Direction: Outbound LocalPort: 137, 138 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: This service allows configuration information to be synchronized between members of a cluster.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Active Directory-LDAP (TCP-Out) Direction: Outbound LocalPort: 8, 838, 963, 632, 683, 260 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if your Data Store is Active Directory or LDAP.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Active Directory-LDAP (UDP-Out) Direction: Outbound LocalPort: 88, 389 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if your Data Store is Active Directory or LDAP.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Active Directory Password Reset (TCP-Out) Direction: Outbound LocalPort: 139, 445, 464 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if you have an Active Directory Data Store and want to use a Password Reset realm.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Active Directory Password Reset (UDP-Out) Direction: Outbound LocalPort: 445, 464 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if you have an Active Directory Data Store and want to use a Password Reset realm.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Domain Membership (TCP-Out) Direction: Outbound LocalPort: 389, 636, 3268, 3269, 88, 445, 139, 1025-5000, 49152-65535 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if the appliance will be joined to a domain.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Domain Membership (UDP-Out) Direction: Outbound LocalPort: 389, 88, 445, 137, 138, 1025-5000, 49152-65535 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if the appliance will be joined to a domain.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: SQL Direction: Outbound LocalPort: 1433 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if using ODBC\MSSQL as a Data Store and\or reporting server.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: Syslog Direction: Outbound LocalPort: 514 Protocol: UDP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if Syslog logging will be used.
New-NetFirewallRule	DisplayName: SecureAuth	Allow: SMTP Direction: Outbound LocalPort: 25, 465, 587 Protocol: TCP Action: Allow Enable: FALSE Group: SecureAuth Description: Required if you will be using the Email OTP functionality.

Disable unneeded MS Networking Rules

Rule	DisplayName	Notes
Set-NetFirewallRule	DisplayName: Core Networking	Group Policy: (LSASS-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Group Policy: (NP-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Group Policy: (TCP-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Internet Group Management Protocol: (IGMP-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	IPHTTPS: (TCP-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	IPv6: (IPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Done: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Query: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Report: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Report v2: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Neighbor Discovery Advertisement: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Neighbor Discovery Solicitation: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Packet Too Big: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Parameter Problem: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Router Advertisement: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Router Solicitation: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Teredo: (UDP-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Time Exceeded: (ICMPv6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Destination Unreachable: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Destination Unreachable Fragmentation Needed: (ICMPv4-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Internet Group Management Protocol: (IGMP-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	IPHTTPS: (TCP-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	IPv6: (IPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Done: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Query: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Report: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Multicast Listener Report v2: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Neighbor Discovery Advertisement: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Neighbor Discovery Solicitation: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Packet Too Big: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Parameter Problem: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName; Core Networking	Router Advertisement: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Router Solicitation: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Teredo: (UDP-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Time Exceeded: (ICMPv6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Dynamic Host Configuration Protocol for IPv6: (DHCPV6-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Dynamic Host Configuration Protocol for IPv6: (DHCPV6-Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Windows Remote Management	Compatibility Mode: (HTTP-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Windows Remote Management	(HTTP-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	Windows Communication Foundation: Net.TCP Listener Adapter: (TCP-In) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	SNMP Service: (UDP Out) Enable: FALSE
Set-NetFirewallRule	DisplayName: Core Networking	SNMP Service: (UDP In) Enable: FALSE

In this section: