Baseline security hardening settings for Identity Platform virtual appliances
SecureAuth® Identity Platform virtual appliances running on Windows Server 2022 or Windows Server 2019 use Microsoft-recommended best practices for baseline security hardening. This topic describes the configuration changes to these settings that allow the IIS role and Identity Platform appliance to function.
Microsoft maintains and publishes the Windows security baselines as part of the Microsoft Security Compliance Toolkit 1.0.
Prerequisites
You need Windows Local Security Policy or Active Directory Group Policy tools to modify the policies described in this topic.
IMPORTANT: If you join the Identity Platform appliance to an Active Directory domain, any Group Policy Objects (GPOs) in the domain can override the pre-configured security settings.
SecureAuth recommends the following:
Do not join your appliance to an existing domain. If you do, review how the existing GPOs interact with the pre-configured security settings and adjust the GPOs as needed.
Place the Identity Platform appliance computer account in a separate Organizational Unit (OU). Block inheritance of other GPOs to this OU, then create a custom GPO that applies only the minimum settings your corporate Active Directory policies require. Note that GPOs linked higher in the tree with the Enforced option still apply even when inheritance is blocked, so review those separately.
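The OU isolation described above, as an added example that is not part of SecureAuth's documentation or tooling. It assumes the ActiveDirectory and GroupPolicy RSAT modules, rights to create OUs and GPOs, and placeholder names for the OU, the appliance host and the GPO; the last step renders the resultant policy so you can confirm what will actually reach the appliance.

```powershell
# Added example (not SecureAuth's own scripting): isolate the appliance computer account in
# its own OU, block GPO inheritance, and link one minimal GPO.
# Requires the ActiveDirectory and GroupPolicy RSAT modules. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'SecureAuth Appliances'          # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"
$computer = 'SAIDP01'                        # assumed appliance host name
$gpoName  = 'SecureAuth Appliance Minimum'   # assumed GPO name

# 1. Create the OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move the appliance computer account into the OU.
$acct = Get-ADComputer -Identity $computer
if ($acct.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $acct.DistinguishedName -TargetPath $ouDn
}

# 3. Block inheritance so domain- or parent-level GPOs cannot override the appliance baseline.
#    Enforced links higher in the tree still apply despite this; step 5 shows them.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 4. Create and link the single custom GPO that carries only the corporate minimum.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Minimum corporate settings for Identity Platform appliances'
}
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 5. Review what will actually apply: after blocking, InheritedGpoLinks should list only
#    the custom GPO plus any Enforced links from above. Then render the full RSoP report.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks | Format-Table DisplayName, Enforced, Enabled
Get-GPResultantSetOfPolicy -Computer $computer -ReportType Html -Path "$env:TEMP\$computer-rsop.html"
```

Run it from a management host, not the appliance, and read the Enforced column in the inheritance output before trusting the result: an Enforced "Default Domain Policy" or password-policy GPO is the usual way the pre-configured settings get overridden.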
Default security policy configuration
SecureAuth applies all settings from the Microsoft security baseline for Windows Server 2022 or Windows Server 2019, plus the configuration settings described in this section.
Important
After you deploy the Identity Platform appliance, track any changes to security policies. Documenting these changes helps troubleshoot potential support issues.
Required policies
Application | Rule | Port | Status | Remote address |
|---|---|---|---|---|
World Wide Web Services | HTTPS Traffic-In | | Enabled | |
Remote Desktop | UDP-In | | Enabled | |
Remote Desktop | TCP-In | | Enabled | |
Networking | UDP-Out | | Enabled | |
Networking | DHCP-In | | Enabled | |
Networking | DHCP-Out | | Enabled | |
DNS | TCP-Out | | Enabled | |
Networking | LocalPort (TCP-Out) | 80, 443 | Enabled | 208.82.207.89, 208.74.31.114, 146.88.110.112, 146.88.110.114 |
SecureAuth support services
Rule name | Direction | Protocol | Port | Remote address | Description |
|---|---|---|---|---|---|
SecureAuth Support Services | Outbound | TCP | 443 | 162.209.71.139, 68.225.24.163 | Allows access to SecureAuth support resources. |
NTP | Outbound | UDP | 123 | | Allows access to NTP time servers. |
Windows Update | Outbound | TCP | 80, 443 | | Required to get security updates for the operating system. Program: |
Windows Activation - 1 | Outbound | TCP | 80, 443 | | Required to activate the Windows OS license on the appliance. You can disable this rule after activation. Program: |
Windows Activation - 2 | Outbound | TCP | 80, 443 | | Required to activate the Windows OS license on the appliance. You can disable this rule after activation. Program: |
SecureAuth Activation | Outbound | TCP | 80, 443 | | Required to activate the Identity Platform. You can disable this rule after activation. Program: |
Optional policies
These rules are disabled by default. Enable them based on your environment.
Rule name | Direction | Protocol | Port | Description |
|---|---|---|---|---|
SecureAuth FileSync Service (TCP-In) | Inbound | TCP | 139, 445 | Allows synchronization of configuration information between members of a cluster. |
SecureAuth FileSync Service (UDP-In) | Inbound | UDP | 137, 138 | Allows synchronization of configuration information between members of a cluster. |
RADIUS | Inbound | UDP | 1812, 1813 | Required if you use the SecureAuth RADIUS service. |
SecureAuth FileSync Service (TCP-Out) | Outbound | TCP | 139, 445 | Allows synchronization of configuration information between members of a cluster. |
SecureAuth FileSync Service (UDP-Out) | Outbound | UDP | 137, 138 | Allows synchronization of configuration information between members of a cluster. |
Active Directory - LDAP (TCP-Out) | Outbound | TCP | 88, 389, 636, 3268, 3269 | Required if your data store is Active Directory or LDAP. |
Active Directory - LDAP (UDP-Out) | Outbound | UDP | 88, 389 | Required if your data store is Active Directory or LDAP. |
Active Directory Password Reset (TCP-Out) | Outbound | TCP | 139, 445, 464 | Required if you have an Active Directory data store and use a password reset realm. |
Active Directory Password Reset (UDP-Out) | Outbound | UDP | 445, 464 | Required if you have an Active Directory data store and use a password reset realm. |
Domain Membership (TCP-Out) | Outbound | TCP | 389, 636, 3268, 3269, 88, 445, 139, 1025-5000, 49152-65535 | Required if you join the appliance to a domain. |
Domain Membership (UDP-Out) | Outbound | UDP | 389, 88, 445, 137, 138, 1025-5000, 49152-65535 | Required if you join the appliance to a domain. |
SQL | Outbound | TCP | 1433 | Required if you use ODBC/MSSQL as a data store or reporting server. |
Syslog | Outbound | UDP | 514 | Required if you use Syslog logging. |
SMTP | Outbound | TCP | 25, 465, 587 | Required if you use email one-time password (OTP) functionality. |
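Enabling an optional rule as shipped opens it to any remote address. The following added example, which is not SecureAuth's own scripting, enables only the optional rules a given deployment needs and scopes each one to the hosts it actually talks to before turning it on, then switches the one-shot activation rules back off. Display names are the ones in the tables above; every IP address is an assumed placeholder.

```powershell
# Added example (not SecureAuth's own scripting): enable only the optional rules this
# deployment needs and scope each one to known peers instead of RemoteAddress=Any.
# Run in an elevated PowerShell session on the appliance. All addresses are assumptions.
$dcs       = '10.0.1.10', '10.0.1.11'   # assumed domain controllers
$sqlServer = '10.0.2.20'                # assumed MSSQL reporting server
$syslog    = '10.0.3.30'                # assumed syslog collector
$peer      = '10.0.0.12'                # assumed second appliance in the cluster

# Rule display names come from the optional-policies table on this page.
$plan = @(
    @{ Name = 'Active Directory - LDAP (TCP-Out)';        Remote = $dcs }
    @{ Name = 'Active Directory - LDAP (UDP-Out)';        Remote = $dcs }
    @{ Name = 'SQL';                                      Remote = $sqlServer }
    @{ Name = 'Syslog';                                   Remote = $syslog }
    @{ Name = 'SecureAuth FileSync Service (TCP-In)';     Remote = $peer }
    @{ Name = 'SecureAuth FileSync Service (TCP-Out)';    Remote = $peer }
)

foreach ($item in $plan) {
    $rule = Get-NetFirewallRule -DisplayName $item.Name -ErrorAction SilentlyContinue
    if (-not $rule) { Write-Warning "Rule not found: $($item.Name)"; continue }
    # Scope first, then enable, so the rule is never live with an unrestricted remote address.
    Set-NetFirewallRule -DisplayName $item.Name -RemoteAddress $item.Remote
    Enable-NetFirewallRule -DisplayName $item.Name
}

# Activation rules are one-shot: the page says they can be disabled once activation is done.
$activation = 'Windows Activation - 1', 'Windows Activation - 2', 'SecureAuth Activation'
Disable-NetFirewallRule -DisplayName $activation -ErrorAction SilentlyContinue

# Verify: rule, state, direction, protocol, ports and remote scope in one view.
$names = $plan | ForEach-Object { $_.Name }
Get-NetFirewallRule -DisplayName $names | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Direction  = $_.Direction
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemotePort = ($port.RemotePort -join ',')
        Remote     = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

The same pattern applies to the RADIUS rule (scope it to your NAS or VPN concentrators) and to the Domain Membership and Password Reset rules (scope them to the domain controllers). Keep in mind that Syslog on UDP 514 carries authentication events in clear text with no sender verification, so the collector address restriction is the only control the firewall gives you on that path.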
Disabled networking rules
The following Microsoft networking rules are disabled on the appliance because they are not required for Identity Platform operation.
Outbound rules (disabled)
Display name | Status |
|---|---|
Core Networking - Group Policy (LSASS-Out) | Disabled. |
Core Networking - Group Policy (NP-Out) | Disabled. |
Core Networking - Group Policy (TCP-Out) | Disabled. |
Core Networking - Internet Group Management Protocol (IGMP-Out) | Disabled. |
Core Networking - IPHTTPS (TCP-Out) | Disabled. |
Core Networking - IPv6 (IPv6-Out) | Disabled. |
Core Networking - Multicast Listener Done (ICMPv6-Out) | Disabled. |
Core Networking - Multicast Listener Query (ICMPv6-Out) | Disabled. |
Core Networking - Multicast Listener Report (ICMPv6-Out) | Disabled. |
Core Networking - Multicast Listener Report v2 (ICMPv6-Out) | Disabled. |
Core Networking - Neighbor Discovery Advertisement (ICMPv6-Out) | Disabled. |
Core Networking - Neighbor Discovery Solicitation (ICMPv6-Out) | Disabled. |
Core Networking - Packet Too Big (ICMPv6-Out) | Disabled. |
Core Networking - Parameter Problem (ICMPv6-Out) | Disabled. |
Core Networking - Router Advertisement (ICMPv6-Out) | Disabled. |
Core Networking - Router Solicitation (ICMPv6-Out) | Disabled. |
Core Networking - Teredo (UDP-Out) | Disabled. |
Core Networking - Time Exceeded (ICMPv6-Out) | Disabled. |
Inbound rules (disabled)
Display name | Status |
|---|---|
Core Networking - Destination Unreachable (ICMPv6-In) | Disabled. |
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In) | Disabled. |
Core Networking - Internet Group Management Protocol (IGMP-In) | Disabled. |
Core Networking - IPHTTPS (TCP-In) | Disabled. |
Core Networking - IPv6 (IPv6-In) | Disabled. |
Core Networking - Multicast Listener Done (ICMPv6-In) | Disabled. |
Core Networking - Multicast Listener Query (ICMPv6-In) | Disabled. |
Core Networking - Multicast Listener Report (ICMPv6-In) | Disabled. |
Core Networking - Multicast Listener Report v2 (ICMPv6-In) | Disabled. |
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In) | Disabled. |
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In) | Disabled. |
Core Networking - Packet Too Big (ICMPv6-In) | Disabled. |
Core Networking - Parameter Problem (ICMPv6-In) | Disabled. |
Core Networking - Router Advertisement (ICMPv6-In) | Disabled. |
Core Networking - Router Solicitation (ICMPv6-In) | Disabled. |
Core Networking - Teredo (UDP-In) | Disabled. |
Core Networking - Time Exceeded (ICMPv6-In) | Disabled. |
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-In) | Disabled. |
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out) | Disabled. |
Other rules (disabled)
Display name | Status |
|---|---|
Windows Remote Management - Compatibility Mode (HTTP-In) | Disabled. |
Windows Remote Management (HTTP-In) | Disabled. |
Windows Communication Foundation - Net.TCP Listener Adapter (TCP-In) | Disabled. |
SNMP Service (UDP-Out) | Disabled. |
SNMP Service (UDP-In) | Disabled. |
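The "track any changes to security policies" advice in the default-configuration section, together with the required and disabled rule lists above, is easiest to follow with a repeatable snapshot. The following added example, which is not SecureAuth's own tooling, records the firewall rule set and the exported local security policy right after deployment, diffs a later snapshot against it, and checks a representative subset of the rules this page says must be enabled or disabled. The snapshot folder and the subset of rule names chosen for the check are assumptions; extend the list from the tables above as needed.

```powershell
# Added example (not SecureAuth's own scripting): snapshot firewall rules and local security
# policy, diff later snapshots against the deployment baseline, and check expected rule states.
# Run elevated on the appliance. The folder path and the checked-rule subset are assumptions.
$baseDir = 'C:\SecureAuth\Baseline'          # assumed snapshot location
New-Item -ItemType Directory -Path $baseDir -Force | Out-Null

function Get-FirewallSnapshot {
    # One flat record per rule so Compare-Object can diff it field by field.
    Get-NetFirewallRule | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Profile    = [string]$_.Profile
            Enabled    = [string]$_.Enabled
            Direction  = [string]$_.Direction
            Action     = [string]$_.Action
            Protocol   = [string]$port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemotePort = ($port.RemotePort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
        }
    }
}

function Save-Snapshot([string]$Tag) {
    Get-FirewallSnapshot | Export-Csv -NoTypeInformation -Path "$baseDir\firewall-$Tag.csv"
    # secedit exports the local security policy (account, audit, user-rights settings) as INF text.
    secedit /export /cfg "$baseDir\secpol-$Tag.inf" /quiet
}

function Compare-Snapshot([string]$Before, [string]$After) {
    $a = Import-Csv "$baseDir\firewall-$Before.csv"
    $b = Import-Csv "$baseDir\firewall-$After.csv"
    $props = 'Name','Profile','Enabled','Direction','Action','Protocol','LocalPort','RemotePort','RemoteAddr'
    # '=>' rows are the current state, '<=' rows the baseline state of a changed rule.
    Compare-Object $a $b -Property $props |
        Select-Object @{n='Side'; e={ if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } }}, *
    # The INF export is plain text, so a line diff is enough to spot a changed policy setting.
    Compare-Object (Get-Content "$baseDir\secpol-$Before.inf") (Get-Content "$baseDir\secpol-$After.inf")
}

function Test-Baseline {
    # Representative expectations taken from this page (extend from the tables above).
    $expect = @(
        @{ Name = 'World Wide Web Services (HTTPS Traffic-In)'; Enabled = 'True'  }
        @{ Name = 'SecureAuth Support Services';                Enabled = 'True'  }
        @{ Name = 'Core Networking - Teredo (UDP-Out)';         Enabled = 'False' }
        @{ Name = 'Core Networking - IPHTTPS (TCP-In)';         Enabled = 'False' }
        @{ Name = 'Windows Remote Management (HTTP-In)';        Enabled = 'False' }
        @{ Name = 'SNMP Service (UDP-In)';                      Enabled = 'False' }
    )
    foreach ($e in $expect) {
        # Built-in rules exist once per profile, so a display name can match several rules.
        $rules = @(Get-NetFirewallRule -DisplayName $e.Name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) { Write-Warning "Missing rule: $($e.Name)"; continue }
        foreach ($r in $rules) {
            if ([string]$r.Enabled -ne $e.Enabled) {
                Write-Warning "Drift: '$($r.DisplayName)' [$($r.Profile)] Enabled=$($r.Enabled), expected $($e.Enabled)"
            }
        }
    }
}

# Usage: Save-Snapshot 'deploy' immediately after deployment, then on each review:
#   Save-Snapshot (Get-Date -Format yyyyMMdd)
#   Compare-Snapshot 'deploy' (Get-Date -Format yyyyMMdd)
#   Test-Baseline
```

Store the 'deploy' snapshot somewhere the appliance cannot overwrite it, otherwise a change that also rewrites the baseline goes unnoticed. Enumerating every rule with the port and address filters takes a minute or two on a server baseline; that cost is acceptable for a scheduled review but not for something you would run per request.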