Windows Server 2019 or 2016 - Identity Platform virtual appliance baseline security hardening settings

SecureAuth® Identity Platform virtual appliances running on Windows Server 2019 or Windows Server 2016 use the Microsoft-recommended best practices for baseline security hardening settings. This document explains the configuration changes to these settings to allow the IIS role and Identity Platform appliance to function.

Microsoft maintains and publishes the following information:

Prerequisites

Modifying the policies described in this document requires the Windows Local Security Policy tool and/or the Active Directory Group Policy tools.

IMPORTANT: If you join the Identity Platform appliance to an Active Directory domain, any Group Policy Objects (GPOs) applied to the appliance can override the pre-configured security settings.

We recommend the following:

  • Do not join your appliance to an existing domain. If you do, review how the existing GPOs interact with the pre-configured security settings. Then, adjust the GPOs as required.

  • Put the Identity Platform appliance computer account in a separate Organization Unit (OU). Block inheritance of other GPOs to this OU. Then, create a custom GPO to apply the required minimum settings for your corporate Active Directory policies.

Default security policy configuration

We apply all settings from the Microsoft security baseline for Windows Server 2019 or Windows Server 2016, plus the additional configuration settings described next.

Important

After deployment of the Identity Platform appliance, make sure to track any changes to security policies. Documenting these changes will help troubleshoot potential support issues.

Required policies

Application | Protocol | Port | Direction | Rights | Remote address
--- | --- | --- | --- | --- | ---
World Wide Web Services (HTTPS Traffic-In) | HTTPS | | In | Enable |
Remote Desktop (UDP-In) | UDP | | In | Enable |
Remote Desktop (TCP-In) | TCP | | In | Enable |
Networking (UDP-Out) | UDP | | Out | Enable |
Networking (DHCP-In) | DHCP | | In | Enable |
Networking (DHCP-Out) | DHCP | | Out | Enable |
DNS (TCP-Out) | TCP | | Out | Enable |
Networking (TCP-Out) | TCP | 80, 443 | Out | Enable | 208.82.207.89, 208.74.31.114, 146.88.110.112, 146.88.110.114

SecureAuth Support services

Application | Rule | Direction | Program | Protocol | LocalPort | RemoteAddress | Action | Group | Description
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
SecureAuth Support Services | Allow SecureAuth Support, SecureAuth Support Services | Outbound | | TCP | 443 | 162.209.71.139, 68.225.24.163 | Allow | | Allows access to SecureAuth support resources.
NTP | Allow NTP | Outbound | | UDP | 123 | | Allow | SecureAuth | Allows access to NTP time servers.
Windows Update | Allow Windows Update | Outbound | C:\windows\System32\svchost.exe | TCP | 80, 443 | | Allow | SecureAuth | Required rule to get security updates for the operating system.
Windows Activation | Allow Windows Activation -1 | Outbound | C:\Windows\System32\Dism.exe | TCP | 80, 443 | | Allow | SecureAuth | Required rule to activate the Windows OS license on the appliance. You can disable this rule after activation.
Windows Activation | Allow Windows Activation -2 | Outbound | C:\Windows\System32\changepk.exe | TCP | 80, 443 | | Allow | SecureAuth | Required rule to activate the Windows OS license on the appliance. You can disable this rule after activation.
SecureAuth Activation | Allow SecureAuth Activation | Outbound | C:\Program Files (x86)\SecureAuth\SecureAuth IdP Setup Utility\SecureAuthIdPSetupUtility.exe | TCP | 80, 443 | | Allow | SecureAuth | Required rule to activate the Identity Platform. You can disable this rule after activation.

Optional policies

All of the following rules are created with New-NetFirewallRule in the SecureAuth group and are disabled (Enable: FALSE) until you need them.

Rule | DisplayName | Direction | Protocol | LocalPort | Action | Enable | Group | Description
--- | --- | --- | --- | --- | --- | --- | --- | ---
New-NetFirewallRule | SecureAuth Allow SecureAuth FileSync Service (TCP-In) | Inbound | TCP | 139, 445 | Allow | FALSE | SecureAuth | Allows the synchronization of configuration information between members of a cluster.
New-NetFirewallRule | SecureAuth Allow SecureAuth FileSync Service (UDP-In) | Inbound | UDP | 137, 138 | Allow | FALSE | SecureAuth | Allows the synchronization of configuration information between members of a cluster.
New-NetFirewallRule | SecureAuth Allow RADIUS | Inbound | UDP | 1812, 1813 | Allow | FALSE | SecureAuth | Required if using the SecureAuth RADIUS service.
New-NetFirewallRule | SecureAuth Allow SecureAuth Filesync Service (TCP-Out) | Outbound | TCP | 139, 445 | Allow | FALSE | SecureAuth | Allows the synchronization of configuration information between members of a cluster.
New-NetFirewallRule | SecureAuth Allow SecureAuth Filesync Service (UDP-Out) | Outbound | UDP | 137, 138 | Allow | FALSE | SecureAuth | Allows the synchronization of configuration information between members of a cluster.
New-NetFirewallRule | SecureAuth Allow Active Directory-LDAP (TCP-Out) | Outbound | TCP | 88, 389, 636, 3268, 3269 | Allow | FALSE | SecureAuth | Required if your data store is Active Directory or LDAP.
New-NetFirewallRule | SecureAuth Allow Active Directory-LDAP (UDP-Out) | Outbound | UDP | 88, 389 | Allow | FALSE | SecureAuth | Required if your data store is Active Directory or LDAP.
New-NetFirewallRule | SecureAuth Allow Active Directory Password Reset (TCP-Out) | Outbound | TCP | 139, 445, 464 | Allow | FALSE | SecureAuth | Required if you have an Active Directory data store and want to use a Password Reset realm.
New-NetFirewallRule | SecureAuth Allow Active Directory Password Reset (UDP-Out) | Outbound | UDP | 445, 464 | Allow | FALSE | SecureAuth | Required if you have an Active Directory data store and want to use a Password Reset realm.
New-NetFirewallRule | SecureAuth Allow Domain Membership (TCP-Out) | Outbound | TCP | 389, 636, 3268, 3269, 88, 445, 139, 1025-5000, 49152-65535 | Allow | FALSE | SecureAuth | Required if joining the appliance to a domain.
New-NetFirewallRule | SecureAuth Allow Domain Membership (UDP-Out) | Outbound | UDP | 389, 88, 445, 137, 138, 1025-5000, 49152-65535 | Allow | FALSE | SecureAuth | Required if joining the appliance to a domain.
New-NetFirewallRule | SecureAuth Allow SQL | Outbound | TCP | 1433 | Allow | FALSE | SecureAuth | Required if using ODBC/MSSQL as a data store and/or reporting server.
New-NetFirewallRule | SecureAuth Allow Syslog | Outbound | UDP | 514 | Allow | FALSE | SecureAuth | Required if using Syslog logging.
New-NetFirewallRule | SecureAuth Allow SMTP | Outbound | TCP | 25, 465, 587 | Allow | FALSE | SecureAuth | Required if using the Email one-time password (OTP) functionality.
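The rule creation described in the required and optional tables above, as an added PowerShell example (editor's code, not SecureAuth's own script). It assumes the DisplayName strings shown in the tables, and that for an outbound rule the destination port is passed as -RemotePort (the tables label it LocalPort); rules that already exist are left untouched so the script can be re-run.

```powershell
# Added example, not SecureAuth's own script: creates rules from the tables above with
# New-NetFirewallRule and skips any rule that already exists, so it can be re-run safely.
# Assumptions: DisplayName strings follow the tables; for an outbound rule the destination
# port is -RemotePort (the tables label it LocalPort).
#Requires -RunAsAdministrator

function Add-BaselineRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Spec
    )
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "exists: $Name (Enabled=$($existing.Enabled))"
        return $existing
    }
    # Splat the per-rule hashtable onto the cmdlet's parameters.
    New-NetFirewallRule -DisplayName $Name @Spec
}

$rules = [ordered]@{
    # Required: outbound, and only to the two SecureAuth support addresses.
    'SecureAuth Support Services' = @{
        Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 443
        RemoteAddress = @('162.209.71.139', '68.225.24.163')
        Action = 'Allow'; Group = 'SecureAuth'; Enabled = 'True'
        Description = 'Allows access to SecureAuth support resources.'
    }
    # Required: Windows Update, scoped to svchost.exe rather than to any program.
    'SecureAuth Allow Windows Update' = @{
        Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = @(80, 443)
        Program = 'C:\Windows\System32\svchost.exe'
        Action = 'Allow'; Group = 'SecureAuth'; Enabled = 'True'
        Description = 'Required rule to get security updates for the operating system.'
    }
    # Optional: created disabled; enable it only if the RADIUS service is used.
    'SecureAuth Allow RADIUS' = @{
        Direction = 'Inbound'; Protocol = 'UDP'; LocalPort = @(1812, 1813)
        Action = 'Allow'; Group = 'SecureAuth'; Enabled = 'False'
        Description = 'Required if using the SecureAuth RADIUS service.'
    }
    # Optional: port ranges are given as strings, which is what the cmdlet expects.
    'SecureAuth Allow Domain Membership (TCP-Out)' = @{
        Direction = 'Outbound'; Protocol = 'TCP'
        RemotePort = @('389', '636', '3268', '3269', '88', '445', '139', '1025-5000', '49152-65535')
        Action = 'Allow'; Group = 'SecureAuth'; Enabled = 'False'
        Description = 'Required if joining the appliance to a domain.'
    }
}

foreach ($name in $rules.Keys) { Add-BaselineRule -Name $name -Spec $rules[$name] | Out-Null }
```

Verify the result with Get-NetFirewallRule -Group SecureAuth | Get-NetFirewallPortFilter, which shows the port and protocol actually bound to each rule.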

Disable unneeded MS Networking Rules

Each of the following built-in Windows rules is disabled with Set-NetFirewallRule (Enable: FALSE).

Rule | DisplayName | Rule name | Enable
--- | --- | --- | ---
Set-NetFirewallRule | Core Networking | Group Policy (LSASS-Out) | FALSE
Set-NetFirewallRule | Core Networking | Group Policy (NP-Out) | FALSE
Set-NetFirewallRule | Core Networking | Group Policy (TCP-Out) | FALSE
Set-NetFirewallRule | Core Networking | Internet Group Management Protocol (IGMP-Out) | FALSE
Set-NetFirewallRule | Core Networking | IPHTTPS (TCP-Out) | FALSE
Set-NetFirewallRule | Core Networking | IPv6 (IPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Done (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Query (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Report (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Report v2 (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Neighbor Discovery Advertisement (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Neighbor Discovery Solicitation (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Packet Too Big (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Parameter Problem (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Router Advertisement (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Router Solicitation (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Teredo (UDP-Out) | FALSE
Set-NetFirewallRule | Core Networking | Time Exceeded (ICMPv6-Out) | FALSE
Set-NetFirewallRule | Core Networking | Destination Unreachable (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Destination Unreachable Fragmentation Needed (ICMPv4-In) | FALSE
Set-NetFirewallRule | Core Networking | Internet Group Management Protocol (IGMP-In) | FALSE
Set-NetFirewallRule | Core Networking | IPHTTPS (TCP-In) | FALSE
Set-NetFirewallRule | Core Networking | IPv6 (IPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Done (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Query (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Report (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Multicast Listener Report v2 (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Neighbor Discovery Advertisement (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Neighbor Discovery Solicitation (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Packet Too Big (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Parameter Problem (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Router Advertisement (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Router Solicitation (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Teredo (UDP-In) | FALSE
Set-NetFirewallRule | Core Networking | Time Exceeded (ICMPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Dynamic Host Configuration Protocol for IPv6 (DHCPv6-In) | FALSE
Set-NetFirewallRule | Core Networking | Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out) | FALSE
Set-NetFirewallRule | Windows Remote Management | Compatibility Mode (HTTP-In) | FALSE
Set-NetFirewallRule | Windows Remote Management | (HTTP-In) | FALSE
Set-NetFirewallRule | Core Networking | Windows Communication Foundation Net.TCP Listener Adapter (TCP-In) | FALSE
Set-NetFirewallRule | Core Networking | SNMP Service (UDP Out) | FALSE
Set-NetFirewallRule | Core Networking | SNMP Service (UDP In) | FALSE
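Disabling the rules listed above with Set-NetFirewallRule and then checking the appliance for drift from that expected state, as an added PowerShell example (editor's code, not SecureAuth's own script). It assumes the Windows DisplayName strings as they appear in Windows Firewall (the table splits them into group and rule name) and an assumed directory for the rule snapshots that the Important note's change tracking relies on.

```powershell
# Added example, not SecureAuth's own script: disables the Microsoft networking rules listed
# above with Set-NetFirewallRule, then reports drift from the expected state and snapshots all
# rules so later changes can be tracked, as the Important note above recommends.
# Assumptions: rule DisplayName strings as shown in Windows Firewall; the snapshot directory.
#Requires -RunAsAdministrator

# Expected Enabled state per rule. Keep only the rules your deployment actually needs here.
$expected = @{
    'Core Networking - Group Policy (LSASS-Out)'               = 'False'
    'Core Networking - Group Policy (NP-Out)'                  = 'False'
    'Core Networking - Group Policy (TCP-Out)'                 = 'False'
    'Core Networking - IPHTTPS (TCP-Out)'                      = 'False'
    'Core Networking - IPv6 (IPv6-Out)'                        = 'False'
    'Core Networking - Teredo (UDP-Out)'                       = 'False'
    'Windows Remote Management (HTTP-In)'                      = 'False'
    'Windows Remote Management - Compatibility Mode (HTTP-In)' = 'False'
    'World Wide Web Services (HTTPS Traffic-In)'               = 'True'
}
# The ICMPv6 and IGMP Core Networking rules in the table are picked up by a wildcard.
Get-NetFirewallRule -DisplayName 'Core Networking - *' |
    Where-Object { $_.DisplayName -match 'ICMPv6|IGMP' } |
    ForEach-Object { $expected[$_.DisplayName] = 'False' }

function Set-BaselineRuleState {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "rule not found: $name"; continue }
        $rule | Set-NetFirewallRule -Enabled $Expected[$name]
    }
}

function Get-BaselineDrift {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        $actual = if ($rule) { [string]$rule.Enabled } else { 'Missing' }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ DisplayName = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

Set-BaselineRuleState -Expected $expected
$drift = Get-BaselineDrift -Expected $expected
if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from the expected state.' }
# Snapshot every rule; Compare-Object over two snapshots shows what changed since deployment.
$dir = 'C:\ProgramData\FirewallBaseline'   # assumed snapshot location
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action |
    Export-Csv -Path (Join-Path $dir "rules-$(Get-Date -Format yyyyMMdd-HHmmss).csv") -NoTypeInformation
```

Run Get-BaselineDrift alone on a schedule to detect a GPO re-enabling one of these rules after a domain join, which is the override the IMPORTANT note warns about.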