Best Practices for Security

General security best practices

The following list gives you some general best practices for securely administering a web application like SquaredUp DS for SCOM. The list gives you recommendations only and is not comprehensive.

  1. Authentication
    The best way to ensure secure authentication is to choose multifactor authentication. Requirements:
    1. You need to enable Windows (SSO) authentication. See User authentication methods for SquaredUp DS for SCOM for how to enable Windows authentication in different environments.

    2. You need to set up multifactor authentication for your Active Directory. Learn more about the different ways to do that in this external article: https://www.microsoft.com/en-gb/security/business/identity-access-management/mfa-multi-factor-authentication
  2. Check your Active Directory security policies.
    In addition to your existing Active Directory Password Policy, you should define an Account Lockout Policy. While your Password Policy ensures that your passwords are safe, an Account Lockout Policy defines what happens when the password is incorrectly entered. It secures accounts against brute force attacks by locking an account after a defined number of false login attempts.
  3. Use HTTPS instead of HTTP.
    See How to configure TLS/SSL (HTTPS)
    After you configured HTTPS, you have two options:
    a) The less secure option is to keep using HTTP alongside with HTTPS. In that case, you should redirect HTTP requests to HTTPS.
    b) The more secure option is to only allow HTTPS by enabling HSTS. This option "disables" HTTP, meaning it is not possible to use HTTP anymore.
  4. Disable outdated TLS and SSL
    SquaredUp DS uses TLS 1.2, but offers connections with TLS 1.0 and TLS 1.1, which are deprecated. Outdated TLS and SSL can pose a security risk and can be disabled to make using SquaredUp DS more secure.
    Note: Disabling TLS 1.0 and TLS 1.1 can cause compatibility issues which might restrict older devices from being able to connect to the server.
    You can change the settings manually via script or via the IIS Crypto tool.
  5. Remove unwanted HTTP response headers.
  6. Block requests without a Host header.

    HTTP version 1.0 request to the server (for any URI) without the Host header set will cause the server to reveal its internal IP address.

    This vulnerability is known as Client Access Server Information Disclosure. The issue applies to IIS after 6.0 and before 10.0. You can find more information in this external article: https://www.cyberis.co.uk/blog/cas_info_disclosure.html

  7. Use secure cookies.

    By default, SquaredUp DS works over HTTP and requires a manual setup to enable HTTPS. If you use secure cookies, they will be sent to the browser with the secure flag, which means the browser will never send the cookies over HTTP.

    Since cookies won't be send over HTTP when the cookie setting is set to requireSSL="true", SquaredUp DS will not function over HTTP with this setting. Your SquaredUp DS instance needs to be setup with HTTPS.

  8. Prevent embedding via iframe.
    By default, SquaredUp DS can be embedded in other pages via iframe. This applies to authenticated SquaredUp DS links (a dashboard that needs signing it to be viewed) as well as unauthenticated links (Open Access dashboards). To prevent clickjacking, you can restrict embedding.

    You have two options to restrict embedding:

    • prevent all embedding for authenticated and unauthenticated links (DENY option)
    • restrict embedding so that SquaredUp DS content can only be embedded within SquaredUp DS (SAMEORIGIN option)

Security best practices for administering SquaredUp DS for SCOM

The following list gives you best practices for securely administering SquaredUp DS for SCOM.

  1. PowerShell tiles:
    1. PowerShell Run As accounts

      PowerShell scripts are very powerful and can cause damage when not properly configured. Your Run As accounts contain the credentials a script uses to run as, which means the Run As determines the permissions a PowerShell script has when it is executed. When you are creating Run As accounts, you want to give your PowerShell scripts the minimum permissions needed so that they can do what you intended for them to do without giving them permissions that can be exploited and could lead to security risks.

    2. Disable PowerShell V2.
      PowerShell V2 has been deprecated and is now recognized as a security risk that can be used to run malicious scripts. Disable PowerShell V2 to prevent the risk of users being able to bypass various security measures.
    3. Enable PowerShell script block logging for improved monitoring.
    4. Configure AppLocker or WDAC to control and restrict access to scripts, executables and libraries only trusted by Microsoft.
      You can find more info in this external article: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview
    5. Disable the PowerShell tile feature if you don't need to use it.
  2. Check the security settings in the security.json file.
    There are multiple settings you can define in the security.json file that affect SquaredUp DS security. Check those settings and change them if needed.
    Properties you can set in the security.json file

    Property
    Description
    enable-visio-svg-sanitization

    SVG files uploaded to the Visio tile are sanitized by SquaredUp DS to prevent cross-site scripting (XSS) attacks, such as redirecting to a phishing site. If an SVG is failing to display correctly, then it is likely that certain tags are being removed by the sanitizer.

    If you are unable to modify the original SVG then it is possible to disable SVG sanitization. This method is only available for SquaredUp DS v4.2 and above. Please be aware that disabling this feature presents a security risk and that it affects all SVGs uploaded to Visio tiles across the whole of SquaredUp DS.

    Please ensure that if you choose to disable SVG sanitization, users are advised to remain vigilant and must be cautious of any strange behavior on pages containing uploaded SVGs.

    Affected features: Visio tile
    Possible values:true, false
    Secure option:true
    enable-all- embedded-scripts
    enable-embedded-scripts-whitelist

    For security reasons scripts cannot be run in Web Content tiles (iframes) in SquaredUp DS v4.6 onwards.

    If a site uses scripts, the web content tile might displaying nothing for that site, display the site in a poorly formatted manner, or there may be a message from the site itself indicating that it requires JavaScript to function correctly.

    You can at your own risk override this security setting by whitelisting trusted sites.

    To embed another SquaredUp DS dashboard using the Web Content tile you will need to whitelist your SquaredUp DS site.

    Affected features: Web Content tile
    Possible values: websites in the format https://squaredupserver1.squaredup.com/
    Secure option: no whitelisting
    enable-powershell-execution
    Enables or disables the whole PowerShell feature (PowerShell tiles are turned off, no PowerShell script will be executed).
    Affected features: PowerShell tile
    Possible values:true, false
    Secure option:false (if you are not using the PowerShell feature)
    enable-powershell-run-as-app-pool
    Enables or disables the ability to run PowerShell scripts as the SquaredUp DS app pool.
    Affected features: PowerShell Run As accounts
    Possible values:true, false
    Secure option:false
    enable-display-version
    Enables or disables the display of the SquaredUp DS version number in the footer of the product. The default is for the version number to be shown. The edition text will still present e.g. SquaredUp DS for SCOM.
    Possible values:true, false
    Secure option:false
    disable-view-drafts
    Enables or disables the ability for non-admin users to create dashboards. The default is for normal users on v5.9 onwards to be able to create dashboards, but not be able to publish them.
    Possible values:true, false
    Secure option:true

    You can copy the code template below and use it for your security settings in the security.json file.

    Make sure to replace the values with the values that match your desired settings!

    {
    "enable-visio-svg-sanitization": true,
    "enable-all-embedded-scripts": false,
    "enable-embedded-scripts-whitelist": [
    "https://squaredupserver1.squaredup.com/",
    "https://squaredupserver1.squaredup.com/"
    ],
    "enable-powershell-execution": true,
    "enable-powershell-run-as-app-pool": false,
    "enable-display-version": false,
    "disable-view-drafts": true				
    }

Was this article helpful?


Have more questions or facing an issue?