Windows Server 2019 or 2016 - Identity Platform virtual appliance baseline security hardening settings
SecureAuth® Identity Platform virtual appliances running on Windows Server 2019 or Windows Server 2016 use the Microsoft-recommended best practices for baseline security hardening settings. This document explains the configuration changes to these settings to allow the IIS role and Identity Platform appliance to function.
Microsoft maintains and publishes the following information:
Microsoft Windows security baselines based on the Microsoft Security Compliance Toolkit 1.0 content
Microsoft default permissions and user rights for IIS 7.x and 8.x servers, documented in KB 981949
Prerequisites
Requires Windows Local Security policy and/or Active Directory Group policy tools to modify policies described in this document.
IMPORTANT: If you join the Identity Platform appliance to an Active Directory domain, any Group Policy Objects (GPOs) set up in the appliance can override the pre-configured security settings.
We recommend the following:
Do not join your appliance to an existing domain. If you do, review how the existing GPOs interact with the pre-configured security settings. Then, adjust the GPOs as required.
Put the Identity Platform appliance computer account in a separate Organization Unit (OU). Block inheritance of other GPOs to this OU. Then, create a custom GPO to apply the required minimum settings for your corporate Active Directory policies.
Default security policy configuration
We apply all settings from the Microsoft security baseline for Windows Server 2019 or Windows Server 2016, plus the additional configuration settings described next.
Important
After deployment of the Identity Platform appliance, make sure to track any changes to security policies. Documenting these changes will help troubleshoot potential support issues.
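One way to track those changes, as an added example that is not part of SecureAuth's documentation: snapshot the firewall rule set right after deployment and diff it later, so a rule that a domain GPO overrode, or a scope that widened, shows up before it becomes a support case. The file path is a placeholder.

```powershell
# Added example, not part of SecureAuth's documentation: snapshot the firewall
# rule set right after deployment, then diff it later to catch policy drift,
# including rules a domain GPO has pushed over the pre-configured settings.
# Run elevated. File paths are placeholders.
function Get-FirewallRuleState {
    # One flat record per rule, including port and address scope, which
    # Get-NetFirewallRule alone does not expose.
    foreach ($rule in Get-NetFirewallRule) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Enabled       = [string]$rule.Enabled
            Direction     = [string]$rule.Direction
            Action        = [string]$rule.Action
            Profile       = [string]$rule.Profile
            Source        = [string]$rule.PolicyStoreSourceType   # Local vs GroupPolicy
            Protocol      = [string]$port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            RemotePort    = (@($port.RemotePort) -join ',')
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    }
}

function Export-FirewallBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-FirewallRuleState | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-FirewallBaseline {
    # Writes one line per rule added, removed, or changed since the snapshot.
    param([Parameter(Mandatory)][string]$Path)
    $old = @{}; foreach ($r in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) { $old[$r.Name] = $r }
    $new = @{}; foreach ($r in Get-FirewallRuleState) { $new[$r.Name] = $r }
    $fields = 'Enabled','Direction','Action','Profile','Source','Protocol','LocalPort','RemotePort','RemoteAddress'
    foreach ($n in $new.Keys) {
        if (-not $old.ContainsKey($n)) { "ADDED   $($new[$n].DisplayName)"; continue }
        foreach ($f in $fields) {
            if ("$($old[$n].$f)" -ne "$($new[$n].$f)") {
                "CHANGED $($new[$n].DisplayName): $f '$($old[$n].$f)' -> '$($new[$n].$f)'"
            }
        }
    }
    foreach ($n in $old.Keys) {
        if (-not $new.ContainsKey($n)) { "REMOVED $($old[$n].DisplayName)" }
    }
}
```

Run `Export-FirewallBaseline -Path C:\Baseline\firewall.json` once after deployment and `Compare-FirewallBaseline` with the same path whenever you investigate a problem; the snapshot takes a while because every rule's port and address filters are queried.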
Required policies
Application | Protocol | Port | Direction | Rights |
---|---|---|---|---|
World Wide Web Services | (HTTPS Traffic-In) | | Enable | |
Remote Desktop | (UDP-In) | | Enable | |
Remote Desktop | (TCP-In) | | Enable | |
Networking | (UDP-Out) | | Enable | |
Networking | (DHCP-In) | | Enable | |
Networking | (DHCP-Out) | | Enable | |
DNS | (TCP-Out) | | Enable | |
Networking | LocalPort (TCP-Out) | 80, 443 | Enable | 208.82.207.89, 208.74.31.114, 146.88.110.112, 146.88.110.114 |
SecureAuth Support services
Application | Protocol | Notes |
---|---|---|
SecureAuth Support Services | 162.209.71.139, 68.225.24.163 | Allows access to SecureAuth support resources. |
NTP | | Allows access to NTP time servers. |
Windows Update | | Required rule to get security updates for the operating system. |
Windows Activation | | Required rule to activate Windows OS license on the appliance. You can disable this rule after activation. |
Windows Activation | | Required rule to activate Windows OS license on the appliance. You can disable this rule after activation. |
SecureAuth Activation | | Required rule to activate the Identity Platform. You can disable this rule after activation. |
Optional policies
Rule | DisplayName | Notes |
---|---|---|
New-NetFirewallRule | SecureAuth | Allows the synchronization of configuration information between members of a cluster. |
New-NetFirewallRule | SecureAuth | Allows the synchronization of configuration information between members of a cluster. |
New-NetFirewallRule | SecureAuth | Required if using the SecureAuth RADIUS service. |
New-NetFirewallRule | SecureAuth | Allows the synchronization of configuration information between members of a cluster. |
New-NetFirewallRule | SecureAuth | Allows the synchronization of configuration information between members of a cluster. |
New-NetFirewallRule | SecureAuth | Required if your data store is Active Directory or LDAP. |
New-NetFirewallRule | SecureAuth | Required if your data store is Active Directory or LDAP. |
New-NetFirewallRule | SecureAuth | Required if you have an Active Directory data store and want to use a Password Reset realm. |
New-NetFirewallRule | SecureAuth | Required if you have an Active Directory data store and want to use a Password Reset realm. |
New-NetFirewallRule | SecureAuth | Required if joining the appliance to a domain. |
New-NetFirewallRule | SecureAuth | Required if joining the appliance to a domain. |
New-NetFirewallRule | SecureAuth | Required if using ODBC/MSSQL as a data store and/or reporting server. |
New-NetFirewallRule | SecureAuth | Required if using Syslog logging. |
New-NetFirewallRule | SecureAuth | Required if using the Email one-time password (OTP) functionality. |
Disable unneeded MS Networking Rules
Rule | DisplayName | Notes |
---|---|---|
Set-NetFirewallRule | Core Networking | 40 rules with DisplayName Core Networking, set to disabled. |
Set-NetFirewallRule | Windows Remote Management | 2 rules with DisplayName Windows Remote Management, set to disabled. |
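The following is an added example, not SecureAuth's own script, covering the Required policies table and the Core Networking rules disabled above: it enforces the outbound 80/443 rule scoped to the four SecureAuth addresses from the table and disables every enabled Core Networking rule except those the Required policies table keeps (DHCP in/out, DNS out). It assumes the ports are remote ports, since the appliance initiates the connection (the table labels them LocalPort), and the rule display name is an assumed one.

```powershell
# Added example, not SecureAuth's own script: enforces two settings from this page.
# (1) Outbound TCP 80/443 is allowed only to the SecureAuth hosts listed in the
#     Required policies table (assumption: those are remote ports, since the
#     appliance initiates the connection; the table labels them LocalPort).
# (2) Enabled Core Networking rules are disabled unless they match a keep list
#     taken from the Required policies table (DHCP in/out, DNS out).
# Run elevated; run with -WhatIf first to preview what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$SecureAuthHosts = @('208.82.207.89', '208.74.31.114', '146.88.110.112', '146.88.110.114')
$KeepPatterns    = @('(DHCP-In)', '(DHCP-Out)', 'DNS')   # extend for any rule you rely on
$RuleName        = 'SecureAuth - Outbound 80,443 to SecureAuth hosts'   # assumed display name

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    if ($PSCmdlet.ShouldProcess($RuleName, 'New-NetFirewallRule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
            -Protocol TCP -RemotePort 80,443 -RemoteAddress $SecureAuthHosts `
            -Profile Any -Enabled True | Out-Null
    }
} elseif ($PSCmdlet.ShouldProcess($RuleName, 'Re-assert address and port scope')) {
    # A rule that drifted to "any address" would silently widen the egress path.
    $rule | Set-NetFirewallRule -RemoteAddress $SecureAuthHosts -RemotePort 80,443 -Enabled True
}

$enabledCore = Get-NetFirewallRule -DisplayGroup 'Core Networking' |
    Where-Object { "$($_.Enabled)" -eq 'True' }
foreach ($r in $enabledCore) {
    if ($KeepPatterns | Where-Object { $r.DisplayName -like "*$_*" }) {
        Write-Verbose "Keeping $($r.DisplayName)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Set-NetFirewallRule -Enabled False')) {
        $r | Set-NetFirewallRule -Enabled False
    }
}

# Report what is still enabled in the group so the result can be checked against the tables.
Get-NetFirewallRule -DisplayGroup 'Core Networking' |
    Where-Object { "$($_.Enabled)" -eq 'True' } |
    Select-Object DisplayName, Direction, Profile
```

Review the -WhatIf output before applying: disabling Core Networking rules affects services such as DHCP and DNS, so anything the appliance depends on must be in the keep list.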