Windows 2016 Standard - SecureAuth IdP appliance baseline security hardening settings
Introduction
SecureAuth IdP appliances running on Windows Server 2016 (Standard) use the Microsoft-recommended best practices for baseline security hardening settings. However, there are some configuration changes that must be made to these settings to allow the IIS role and the SecureAuth IdP appliance to function; these modifications are explained in this document.
Microsoft Windows security baselines, maintained and published by Microsoft, are based on the Microsoft Security Compliance Toolkit 1.0 content.
Microsoft default permissions and user rights for IIS 7.x and 8.x servers, maintained and published by Microsoft, are documented in KB 981949.
Prerequisites
Windows Local Security policy and/or Active Directory Group policy tools are required to modify policies described in this document.
IMPORTANT: If you join the SecureAuth IdP appliance to an Active Directory domain, any Group Policy Objects (GPOs) applied to the appliance can override the pre-configured security settings.
We recommend the following:
Do not join your appliance to an existing domain, but if you do, you should check to see how the existing GPOs will interact with the pre-configured security settings and adjust the GPOs as required.
Do place the SecureAuth IdP appliance computer account in a separate Organizational Unit (OU), block inheritance of other GPOs to this OU, and then create a custom GPO that applies only the minimum settings required by your corporate Active Directory policies.
Default security policy configuration
All settings from the Microsoft security baseline settings for Windows Server 2016 have been applied with additional configuration settings made, as described below.
IMPORTANT: If you make changes to these policies after deployment of the SecureAuth IdP appliance, it is important to track these changes in case support issues arise in the future.
Required policies
Application | Protocol | Port | Direction | Rights |
---|---|---|---|---|
World Wide Web Services | (HTTPS Traffic-In) | | Enable | |
Remote Desktop | (UDP-In) | | Enable | |
Remote Desktop | (TCP-In) | | Enable | |
Networking | (UDP-Out) | | Enable | |
Networking | (DHCP-In) | | Enable | |
Networking | (DHCP-Out) | | Enable | |
DNS | (TCP-Out) | | Enable | |
Networking | LocalPort (TCP-Out) | 80,443 | Enable | 208.82.207.89, 208.74.31.114, 146.88.110.112, 146.88.110.114 |
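The last row above is an outbound allow-list to four SecureAuth addresses. The following PowerShell is an added example, not part of the SecureAuth document, showing how that row can be created with `New-NetFirewallRule` and then verified by reading the rule's filters back. It assumes the row is meant to match outbound TCP on remote ports 80 and 443 (the table labels the column LocalPort); the rule name is a made-up choice.

```powershell
# Added example (not from the SecureAuth document): create the restricted
# outbound web rule from the Required policies table and verify it.
# Assumption: "LocalPort (TCP-Out) 80,443" is intended as outbound TCP to
# ports 80/443 at the four listed addresses, so the rule matches on
# RemotePort/RemoteAddress. The DisplayName below is a hypothetical choice.
$ruleName = 'SecureAuth-Outbound-Web-Allowlist'
$allowed  = @('208.82.207.89', '208.74.31.114', '146.88.110.112', '146.88.110.114')

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Allow -Enabled True `
        -Protocol TCP -RemotePort 80,443 `
        -RemoteAddress $allowed -Profile Any | Out-Null
}

# Read the rule back and compare its port and address filters with what the
# table requires. Compare-Object returns nothing when both sets are equal.
function Test-AllowlistRule {
    param([string]$Name, [string[]]$ExpectedAddresses)
    $rule  = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $ports = $rule | Get-NetFirewallPortFilter
    $addrs = $rule | Get-NetFirewallAddressFilter
    return ($rule.Enabled -eq 'True') -and
           ($rule.Direction -eq 'Outbound') -and
           ($rule.Action -eq 'Allow') -and
           ($ports.Protocol -eq 'TCP') -and
           (-not (Compare-Object @($ports.RemotePort) @('80', '443'))) -and
           (-not (Compare-Object @($addrs.RemoteAddress) $ExpectedAddresses))
}

# An allow rule only restricts traffic if the profile's default outbound
# action is Block; otherwise every outbound connection is permitted anyway.
function Test-OutboundDefaultIsBlock {
    $profiles = Get-NetFirewallProfile
    return -not ($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' })
}

"Rule matches table: $(Test-AllowlistRule -Name $ruleName -ExpectedAddresses $allowed)"
"Outbound default is Block on all profiles: $(Test-OutboundDefaultIsBlock)"
```

Run from an elevated PowerShell session; Set the default outbound action with `Set-NetFirewallProfile -All -DefaultOutboundAction Block` only after confirming every required outbound rule from the table is in place.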
SecureAuth Support services
Application | Protocol | Notes |
---|---|---|
SecureAuth Support Services | 162.209.71.139, 68.225.24.163 | |
NTP | | |
Windows Update | | |
Windows Activation | | |
Windows Activation | | |
SecureAuth Activation | | |
Optional policies
Rule | DisplayName | Notes |
---|---|---|
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
New-NetFirewallRule | DisplayName: SecureAuth | |
Disable unneeded MS Networking Rules
Rule | DisplayName | Notes |
---|---|---|
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Windows Remote Management | |
Set-NetFirewallRule | DisplayName: Windows Remote Management | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
Set-NetFirewallRule | DisplayName: Core Networking | |
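The table above names the rule groups (Core Networking, Windows Remote Management) whose unneeded built-in rules are disabled with `Set-NetFirewallRule`. The following PowerShell is an added example, not part of the SecureAuth document: it lists which rules in those groups are still enabled so the result can be compared with the table, disables one rule by its exact DisplayName, and records the before/after difference. The rule name to disable is a placeholder to be replaced with the exact name from the table; `Get-EnabledRulesInGroup` and `Disable-RuleByExactName` are hypothetical helper names.

```powershell
# Added example (not from the SecureAuth document): audit the enabled rules
# in the groups the table covers, then disable one rule by exact DisplayName.

function Get-EnabledRulesInGroup {
    # Built-in Windows rules carry a DisplayGroup, which Get-NetFirewallRule
    # can filter on directly; only rules that are currently enabled are returned.
    param([string[]]$Groups = @('Core Networking', 'Windows Remote Management'))
    foreach ($g in $Groups) {
        Get-NetFirewallRule -DisplayGroup $g -Enabled True -ErrorAction SilentlyContinue |
            Select-Object DisplayName, DisplayGroup, Direction, Profile
    }
}

function Disable-RuleByExactName {
    # -DisplayName is an exact match unless a wildcard is given, so a similar
    # but different rule is never disabled by accident. Returns $true only if
    # the rule reads back as disabled afterwards.
    param([Parameter(Mandatory)][string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop
    $rule | Set-NetFirewallRule -Enabled False
    return ((Get-NetFirewallRule -DisplayName $DisplayName).Enabled -eq 'False')
}

# Placeholder: replace with the exact DisplayName of a rule from the table.
$target = 'PLACEHOLDER-EXACT-RULE-DISPLAY-NAME'

$before = Get-EnabledRulesInGroup
if ($target -notlike 'PLACEHOLDER*') {
    "Disabled '$target': $(Disable-RuleByExactName -DisplayName $target)"
}
$after = Get-EnabledRulesInGroup

# Record the change, since the document asks that post-deployment policy
# changes be tracked for later support cases.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$after | Export-Csv -NoTypeInformation -Path ".\firewall-audit-$stamp.csv"
Compare-Object $before $after -Property DisplayName, Profile | Format-Table -AutoSize
```

Running the script with the placeholder untouched performs only the audit and export, which is the safe first step on an appliance whose rule names you have not yet confirmed.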