Securing the access to the application
Activating SSL on the website
To encrypt the information exchanged between the users' workstations and the web server, the first step is to activate SSL on the Hopex website.
The recommended minimum is a certificate signed by a trusted third party. If an internal root certificate exists and allows applications to obtain their own certificates from it, that is also an option.
Once you have obtained the certificate, there are several ways to import it into your website. One of them is described below, together with the steps to make sure the website is reachable only through HTTPS.
The following step-by-step procedure was performed on Windows Server 2012 with IIS 8.0; adapt it to your OS version.
1. Copy the certificate to your server.
2. Open the “Internet Information Services (IIS) Manager” through the Administrative Tools of the server.
3. Go to the root of IIS.
4. Double-click “Server Certificates”.
5. Once this feature is opened, in the right pane, click the “Import” link.
6. Click the browse button next to the certificate file field to locate the certificate.
7. Select the certificate. Provide its password if necessary, and click “OK” to import it.
A new line appears in the “Server Certificates” window. You can inspect the imported certificate by double-clicking it.
8. Locate the website where you want to create an HTTPS binding with the newly imported certificate. In this example, it is done on the “Test Hopex” website. Click the website to see its features.
9. Right-click the website and select “Edit Bindings”.
10. Add a new HTTPS binding on a specific port (in this example, port 443 is already in use, so we choose 444). Use the default port 443 whenever possible, as it keeps the website URL user-friendly (no port number to type).
11. Use the dropdown list to select your certificate and click “OK”.
12. A new binding now exists. Click “Close”.
13. Install the application. Choose the appropriate website (here “test hopex”), and let the installation complete.
14. Whenever a URL is requested during the installation steps, make sure that you provide the HTTPS URL, including the port number if it is not 443, and that the host name matches the “Issued To” field shown when you open the certificate. Otherwise, the application will display error messages:
15. Once this is done, go back to IIS to force the use of SSL for your website. To do that, start by going back to the previous window to edit the bindings.
16. Select the “http” binding, and click Remove.
17. Check that only the https binding remains, and click Close.
18. Select your website, and open the “SSL Settings” feature.
19. Check “Require SSL” and click “Apply”.
20. Install the Hopex Web front-end application on your server.
21. The last step, after the installation, is to check that all the configuration files of the application contain the proper URL. You can also install the application without SSL and activate it later; in that second scenario, you need to update the following files. If you installed with SSL activated, you only need to verify the configuration with the next steps. Two locations contain such URLs: the web.config file of the “Hopex” web application, and the MegaSite.ini file in the “Cfg” folder of the application's installation folder:
a. In the MegaSite.ini file, the URL, WebApplicationPath, and WebApplicationPath2 parameters need to use the HTTPS URL:
b. In the application settings of the Hopex web application, the MegaSiteProvider and MegaWebAccessProvider parameters also need to be switched to HTTPS with the proper port. This can be done in two ways:
i. In the web.config file:
ii. Through the “Application settings” feature in IIS:
You can select a line and click the “Edit” link in the right pane to update a URL:
 
Lastly, you need to edit the “web.config” file of the HOPEX web application.
In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />
An example of the file properly configured:
Note that in the latest CPs of the different HOPEX versions, that line might already be present in the file but commented out. If so, remove the comment markers, changing:
<!-- <httpCookies requireSSL="true" /> -->
to
<httpCookies requireSSL="true" />
Save the file to apply that modification. IIS will automatically restart.
 
Disabling SSL v2, v3, TLS 1.0 and TLS 1.1, Triple DES 128, RC4 128/128
On Windows Server 2008 R2 and Windows Server 2012, SSL v2 and SSL v3 are enabled by default. As there are known vulnerabilities in those protocols, as well as in TLS 1.0 and TLS 1.1, we disable them and enable only TLS 1.2.
 
First, download the Secure Server Toolkit from the following location:
 
Run all the .reg files it contains on the server.
Verify that the protocols listed above are effectively disabled:
 
In addition, follow the steps below:
For SSL v2:
1. From the Start menu, open “Run” and type:
regedit.exe
2. Browse the registry to the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
3. In the “SSL 2.0” key, create a new value of type DWORD (32 bit) with the following details:
a. Name: Enabled
b. Value: 0
4. If it does not exist, create a sub-key in “SSL 2.0” called “Client”. Otherwise, go directly to step 5.
5. In the “Client” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 1
For SSL v3:
1. From the Start menu, open “Run” and type:
regedit.exe
2. Browse the registry to the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
3. In the “SSL 3.0” key, create a new value of type DWORD (32 bit) with the following details:
a. Name: Enabled
b. Value: 0
4. If it does not exist, create a sub-key in “SSL 3.0” called “Client”. Otherwise, go directly to step 5.
5. In the “Client” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 1
6. If it does not exist, create a sub-key in “SSL 3.0” called “Server”. Otherwise, go directly to step 7.
7. In the “Server” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 1
For TLS 1.0:
1. From the Start menu, open “Run” and type:
regedit.exe
2. Browse the registry to the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Create the “TLS 1.0” key, and in that key, create a new value of type DWORD (32 bit) with the following details:
a. Name: Enabled
b. Value: 0
4. Create a sub-key in “TLS 1.0” called “Server”.
5. In the “Server” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 1
For TLS 1.1:
1. From the Start menu, open “Run” and type:
regedit.exe
2. Browse the registry to the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Create the “TLS 1.1” key, and in that key, create a new value of type DWORD (32 bit) with the following details:
a. Name: Enabled
b. Value: 0
4. Create a sub-key in “TLS 1.1” called “Server”.
5. In the “Server” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 1
To activate TLS 1.2:
1. From the Start menu, open “Run” and type:
regedit.exe
2. Browse the registry to the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Create the “TLS 1.2” key, and in that key, create a new value of type DWORD (32 bit) with the following details:
a. Name: Enabled
b. Value: 1
4. Create a sub-key in “TLS 1.2” called “Client”.
5. In the “Client” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 0
6. Create a sub-key in “TLS 1.2” called “Server”.
7. In the “Server” key, create a DWORD (32 bit) value with the following details:
a. Name: DisabledByDefault
b. Value: 0
 
Now we need to make sure that the .NET layer will accept TLS 1.2. To do that:
1. From the Start menu, open “Run” and type:
regedit.exe
2. Browse the registry to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
3. In that key, create a value of type DWORD (32 bit) with the following details:
a. Name: SchUseStrongCrypto
b. Value: 1
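The registry procedure above (SSL 2.0 through TLS 1.2, plus the .NET SchUseStrongCrypto value), as an added PowerShell example that is not part of the HOPEX documentation: it writes the same values as the manual regedit steps and reads them back for checking. It goes one step beyond the page by also setting SchUseStrongCrypto under the 64-bit .NETFramework key, the documented companion of the Wow6432Node key; run it in an elevated PowerShell and reboot afterwards, as the procedure requires.

```powershell
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state, exactly as in the step-by-step procedure above (1 = on, 0 = off).
# protocol key -> sub-key ('' means the protocol key itself) -> value name -> value
$Desired = @{
    'SSL 2.0' = @{ ''       = @{ Enabled = 0 }
                   'Client' = @{ DisabledByDefault = 1 } }
    'SSL 3.0' = @{ ''       = @{ Enabled = 0 }
                   'Client' = @{ DisabledByDefault = 1 }
                   'Server' = @{ DisabledByDefault = 1 } }
    'TLS 1.0' = @{ ''       = @{ Enabled = 0 }
                   'Server' = @{ DisabledByDefault = 1 } }
    'TLS 1.1' = @{ ''       = @{ Enabled = 0 }
                   'Server' = @{ DisabledByDefault = 1 } }
    'TLS 1.2' = @{ ''       = @{ Enabled = 1 }
                   'Client' = @{ DisabledByDefault = 0 }
                   'Server' = @{ DisabledByDefault = 0 } }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    # Create the key when it is missing, then write a REG_DWORD (regedit's "DWORD (32 bit)").
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

foreach ($proto in $Desired.Keys) {
    foreach ($sub in $Desired[$proto].Keys) {
        $path = if ($sub) { Join-Path $Schannel "$proto\$sub" } else { Join-Path $Schannel $proto }
        foreach ($name in $Desired[$proto][$sub].Keys) {
            Set-RegDword $path $name $Desired[$proto][$sub][$name]
        }
    }
}

# .NET Framework 4.x: let managed code (the HOPEX web application) negotiate TLS 1.2.
# The page lists the Wow6432Node key; the 64-bit key is its documented companion (added here).
foreach ($net in 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319') {
    Set-RegDword $net 'SchUseStrongCrypto' 1
}

# Read back every protocol key and sub-key so the result can be checked before rebooting.
Get-ChildItem $Schannel -Recurse | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{ Key               = $_.PSPath -replace '.*\\Protocols\\', ''
                       Enabled           = $p.Enabled
                       DisabledByDefault = $p.DisabledByDefault }
} | Format-Table -AutoSize
```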
 
Lastly, we need to make sure that Internet Explorer will allow the use of TLS 1.2. To do that, open the “Internet Options” of Internet Explorer and go to the “Advanced” tab.
In the “Security” section, check the box “Use TLS 1.2” and uncheck “Use TLS 1.0” and “Use TLS 1.1”:
 
Close Internet Explorer and the Registry Editor, and reboot the server for all the changes to take effect.
Block the TRACE HTTP request
To perform this action, three steps are needed:
At the root of IIS, open the “Request Filtering” feature:
In the “HTTP Verbs” section, add a deny rule for the verb “TRACE”:
Then, open the “web.config” file at the root of your website:
and add the following lines:
<authorization>
  <deny verbs="OPTIONS" users="*" />
  <deny verbs="TRACE" users="*" />
</authorization>
 
Lastly, open the “applicationHost.config” file located in the “%SystemRoot%\System32\inetsrv\config” folder:
In the “handlers” section, comment out the lines for “TRACEVerbHandler” and “OPTIONSVerbHandler”:
Remove the default install page in IIS
After the application is installed, you can disable the “Default Document” feature for the website on which the application is deployed.
To do that:
1. Open the IIS Manager console.
2. Locate the website where the Hopex and/or Advisor web application is installed.
3. On the website, double-click “Default Document” to open this feature.
4. In the “Actions” pane on the right, click “Disable”. You should see a screen like this once it is done:
5. Make sure that the “Default Document” feature is enabled for the Hopex/Hopex2/Advisor web applications. Since it was disabled at the root level, you will have to:
a. Select each web application (here Hopex), and open the “Default Document” feature:
b. Click “Enable”.
c. This way, the URL https://servername won't reply, whereas the URL https://servername/hopex will redirect users to the Mega login page:
 
Securing the RDP access (Terminal Services)
Only valid for Windows Server 2008 R2. For later versions, we restrict RDP access to the IP addresses of authorized people or teams.
On a server running Windows Server 2008 R2, you can secure the RDP layer by changing the security layer and the encryption level of the Remote Desktop Protocol.
To do that:
1. First, open “Remote Desktop Session Host Configuration” by clicking “Start”, pointing to “Administrative Tools”, then “Remote Desktop Services”, and clicking “Remote Desktop Session Host Configuration”.
2. In the “Connections” section, right-click the “RDP-Tcp” entry and select “Properties”:
3. In the “General” tab, as shown above, you can see the two security parameters that can be modified.
4. Change the “Security Layer” option to “SSL (TLS 1.0)”. Be aware that you need a suitable certificate installed on your server to switch to that level. The “Select” button lets you browse your installed certificates and choose the proper one:
5. Then, change the “Encryption level” option to at least “High”, and possibly “FIPS Compliant”:
6. Click “OK” to validate this modification and exit the configuration tool.
 
There are also other ways of securing RDP, such as using a Remote Desktop Gateway or filtering by IP address and user.
Configuring the firewall
To prevent unwanted users from connecting to the server or retrieving information from it, the following actions can or need to be taken on the firewall:
- If possible, restrict access to port 3389 (RDP) to the IP addresses of the system administrators, the application administrators, and possibly the users who need to launch the Mega Desktop client through Terminal Services.
- Restrict external access to all SMB services and ports, including TCP and UDP 135, TCP and UDP 139, and TCP and UDP 445.
- For the ICMP protocol, block ICMP timestamp requests (type 13) and ICMP timestamp replies (type 14).
- Limit the number of open ports on the server to the minimum. In general, the server needs to be reachable through RDP, the SSL port and the SMB port need to be open, as well as the communication port to the database server. Every other open port needs to be assessed to check that it is still needed.
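The four firewall recommendations above, implemented with the Windows Firewall cmdlets (NetSecurity module, Windows Server 2012 or later) as an added example that is not part of the HOPEX documentation. The address ranges and rule names are constructed placeholders to replace with your own; run it in an elevated PowerShell.

```powershell
# Constructed placeholder address ranges: replace them with your own.
$AdminSources    = @('10.10.20.0/24', '192.0.2.15')   # system and application administrators
$InternalSources = @('10.10.0.0/16')                  # internal network allowed to reach SMB

# Default-deny inbound on every profile, so anything without an explicit allow rule is blocked.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# RDP (3389): disable the broad built-in allow rules and replace them with one scoped to admin IPs.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'HOPEX - RDP from admin IPs only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSources -Action Allow

# SMB and RPC endpoint mapper (135, 139, 445 over TCP and UDP): no external access.
# The built-in sharing rules are disabled and re-created scoped to the internal network only.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "HOPEX - SMB $proto internal only" -Direction Inbound `
        -Protocol $proto -LocalPort 135, 139, 445 -RemoteAddress $InternalSources -Action Allow
}

# ICMP timestamp request (type 13) in, and timestamp reply (type 14) out: block both.
New-NetFirewallRule -DisplayName 'HOPEX - Block ICMP timestamp request' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 13 -Action Block
New-NetFirewallRule -DisplayName 'HOPEX - Block ICMP timestamp reply' -Direction Outbound `
    -Protocol ICMPv4 -IcmpType 14 -Action Block

# Review what is still allowed in: every enabled inbound allow rule with its ports and remote scope,
# which is the "assess all other ports" step of the list above.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule          = $_.DisplayName
                       Protocol      = $port.Protocol
                       LocalPort     = ($port.LocalPort -join ',')
                       RemoteAddress = ($addr.RemoteAddress -join ',') }
} | Sort-Object Rule | Format-Table -AutoSize
```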
 
Configuring the default error page of the application to hide application errors
Note that this section is necessary when the application is reachable remotely. As long as the application is only reachable through a secure network, it is not mandatory, and it can make it harder for administrators to understand what is happening in the application when errors occur.
The configuration is as follows.
First, we place in the default folder of the web application a custom error file that will redirect to the default page of the application whenever a page doesn't respond or a wrong page is accessed.
An example can be found below:
Note that with the latest CPs of the different HOPEX versions, this file is most likely already present in the folder below.
By default, it is located in the C:\inetpub\wwwroot\HOPEX folder. In case you installed the “HOPEX (IIS)” feature and web application in a different location, copy the file to that path instead.
Next, we remove the default error pages of the website.
Go to IIS Manager, locate your website, and open the “Error Pages” feature:
Remove all lines, so that the list ends up empty:
Lastly, in the same location in IIS, click “Edit Feature Settings…” (for the “Error Pages” feature), and specify the following parameters, using the full URL of the custom error page you want to redirect to in case of error:
This will be reflected in the “web.config” of the website, where you will find this section (“your_url” being either the alias targeting the web server or the name of the web server itself, depending on how the certificate was issued):
<httpErrors errorMode="Custom" defaultPath="https://your_url/hopex/customerrors.html" defaultResponseMode="Redirect">
  <remove statusCode="502" subStatusCode="-1" />
  <remove statusCode="501" subStatusCode="-1" />
  <remove statusCode="500" subStatusCode="-1" />
  <remove statusCode="412" subStatusCode="-1" />
  <remove statusCode="406" subStatusCode="-1" />
  <remove statusCode="405" subStatusCode="-1" />
  <remove statusCode="404" subStatusCode="-1" />
  <remove statusCode="403" subStatusCode="-1" />
  <remove statusCode="401" subStatusCode="-1" />
</httpErrors>
 
Depending on the version of IIS, you may first need to unlock that setting. You will have to do this if you get a “lock violation” error when validating the previous settings dialog.
To do this, open the “Configuration Editor” at the root level of IIS:
In “Section”, browse to “system.webServer/httpErrors”, and unlock the “defaultPath” attribute:
Apply the same configuration to the attribute.
 
Also, open the c:\inetpub\wwwroot\web.config file and add the following lines in the system.web section:
 
<customErrors mode="On" defaultRedirect="https://secured4.demomega.com/Hopex/customerrors.html">
</customErrors>
 
 
Protection against ClickJacking
To prevent clickjacking (loading the application inside a frame on a third-party page), we can configure the website to send the X-Frame-Options header.
To do so, open IIS Manager, and go to the website hosting the application.
Select and open the “HTTP Response Headers” feature:
Click “Add” in the Actions panel:
In the dialog box, type “X-Frame-Options” in the Name field and “SAMEORIGIN” in the Value field, then validate:
 
Securing the ASP.NET session cookies
Prerequisite: requires the use of SSL on your website (see the previous section in this document).
This feature is delivered by default with Hopex V1R2/R3 CP15, or Hopex V2 CP03.
For previous versions, a specific line needs to be added manually.
The goal is to secure the cookies of the user sessions.
1. To do that, your website must be configured in HTTPS.
2. Then, you need to update the web.config file of the “HOPEX” web application:
Browse through the file and go to the <system.web> section.
If you are using one of the versions mentioned at the beginning of this section, you will see the commented line highlighted below:
Remove the comment markers and save the file. This automatically restarts the application pool. You can then check that your website is still working:
If you have a previous version of Hopex, insert this line, as shown above, and save your file:
<httpCookies requireSSL="true" />
 
To prevent CSRF inside your application, define your cookies with the SameSite attribute set to the “Strict” value.
To do that, navigate to the <system.webServer> section of the web.config and add the following section:
<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=strict" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
 
Save the file. It will automatically restart the application pool. You can then check if your website is still working.
 
Hide ASP.Net version header
To prevent people from discovering information about the platform and the application versions, a specific setting can be put in place to hide the ASP.NET headers.
This way, when inspecting the response headers, people won't be able to detect that ASP.NET is used, nor which version. It also hides the build number of the application.
The steps to perform this setting are:
1. Update the “web.config” file of the “HOPEX” web application:
2. Browse through the file to the “<system.web>” section and locate the line where “httpRuntime” is set up.
3. In that line, add this attribute:
enableVersionHeader="false"
4. Save the file (this restarts the application pool).
 
Remove IIS Server version HTTP Response Header
To prevent people from discovering information about the platform and the IIS version, a specific setting can be put in place to hide the server header.
This way, when inspecting the response headers, people won't be able to detect IIS information. Note that the removeServerHeader attribute is only supported from IIS 10.0 onwards.
The steps to perform this setting are:
1. Update the “web.config” file of the “HOPEX” web application:
2. Browse through the file to the “<system.webServer>” section.
3. Add the following lines:
<security>
  <requestFiltering removeServerHeader="true" />
</security>
Strict-Transport-Security HTTP header
Prerequisite: only if SSL is activated on the website.
If your website is accessed through HTTPS, you may want to properly define the above header.
The steps to perform this setting are:
1. Update the “web.config” file of the “HOPEX” web application:
2. Browse through the file to the “<system.webServer>” section.
3. Add the following lines in that section:
<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000"/>
  </customHeaders>
</httpProtocol>
The “max-age” value, set to one year in this example, can be adapted to your internal policies.
4. Save the file (this restarts the application pool).
 
Manage content type options
Depending on your version of the application, this setting might already be activated by default. Review and check.
To prevent the user agent from interpreting the site content as a type other than the declared MIME type:
1. Update the “web.config” file of the “HOPEX” web application:
2. Browse through the file to the “<httpProtocol>” section and its “<customHeaders>” subsection.
3. Add the following lines in that section:
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>
4. Save the file (this action restarts the application pool).
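The web.config settings described from “Securing the ASP.NET session cookies” to “Manage content type options”, together with the TRACE deny rules and the customErrors setting from the earlier sections, checked by an added PowerShell script that is not part of the HOPEX documentation. It parses a web.config as XML and reports each setting as OK or MISSING; the embedded sample web.config is constructed and the function names are assumptions.

```powershell
# Added example, not part of the HOPEX documentation: audits a web.config for the hardening settings
# described in the sections above and reports each as OK or MISSING. The sample web.config below is
# constructed so the script runs offline; pass the real file to audit a server (last line).
function Get-CustomHeader($Root, [string]$Name) {
    # Value of <httpProtocol><customHeaders><add name="..." value="..."/>, or '' when absent.
    $adds = @($Root.'system.webServer'.httpProtocol.customHeaders.add)
    $hit  = $adds | Where-Object { $_ -and $_.GetAttribute('name') -eq $Name }
    if ($hit) { [string]@($hit)[0].GetAttribute('value') } else { '' }
}

function Test-HopexWebConfigHardening([xml]$Config) {
    $c = $Config.configuration
    # One script block per setting; each returns a truthy value when the setting is as required.
    $checks = [ordered]@{
        'httpCookies requireSSL="true"'           = { $c.'system.web'.httpCookies.requireSSL -eq 'true' }
        'httpRuntime enableVersionHeader="false"' = { $c.'system.web'.httpRuntime.enableVersionHeader -eq 'false' }
        'customErrors mode="On"'                  = { $c.'system.web'.customErrors.mode -eq 'On' }
        'requestFiltering removeServerHeader'     = { $c.'system.webServer'.security.requestFiltering.removeServerHeader -eq 'true' }
        'authorization denies TRACE verb'         = { @($c.'system.webServer'.security.authorization.deny) |
                                                      Where-Object { $_ -and $_.GetAttribute('verbs') -eq 'TRACE' } }
        'Strict-Transport-Security max-age'       = { (Get-CustomHeader $c 'Strict-Transport-Security') -match '^max-age=\d+' }
        'X-Frame-Options SAMEORIGIN'              = { (Get-CustomHeader $c 'X-Frame-Options') -eq 'SAMEORIGIN' }
        'X-Content-Type-Options nosniff'          = { (Get-CustomHeader $c 'X-Content-Type-Options').Trim() -eq 'nosniff' }
    }
    foreach ($name in $checks.Keys) {
        $status = if ([bool](& $checks[$name])) { 'OK' } else { 'MISSING' }
        [pscustomobject]@{ Setting = $name; Status = $status }
    }
}

# Constructed sample web.config: the page's settings applied, except HSTS and removeServerHeader,
# so the report shows both outcomes.
$Sample = [xml]@'
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
    <httpCookies requireSSL="true" />
    <customErrors mode="On" defaultRedirect="https://your_url/hopex/customerrors.html" />
  </system.web>
  <system.webServer>
    <security>
      <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
      </authorization>
    </security>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@
Test-HopexWebConfigHardening $Sample | Format-Table -AutoSize
# Real server: Test-HopexWebConfigHardening ([xml](Get-Content 'C:\inetpub\wwwroot\HOPEX\web.config' -Raw))
```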
Restrict Cross Origin Resource Sharing to Trusted Domains
UAS defines a default CORS policy of *, which allows any origin.
It is important to reduce the policy to your company's trusted domains.
In the UAS web.config, in the <system.webServer>/<httpProtocol>/<customHeaders> section, modify the “Access-Control-Allow-Origin” value and restrict the policy to the company's trusted domains.
Search engine protection
The HOPEX application does not need to be indexed by an external search engine.
To prevent this, create a robots.txt file in the application's webroot with the following content:
User-Agent: *
Disallow: /
Note that robots.txt is only a request honoured by well-behaved crawlers; it is not an access control.