TABLE OF CONTENTS


1. Microsoft SQL Server Unsupported Version Detection

Accops Comments: Microsoft SQL Server can be updated to the latest supported version. HyWorks supports MS SQL Server up to 2019.


2. SMB Signing not required

Accops Comments: HyWorks has no dependency on this module. The customer can take the necessary steps, as per their organization's policy, to close this issue.


3. SSL Self-Signed Certificate for port 443:

Accops Comments: This can be done by installing an SSL certificate in the IIS server.

Steps if you don't have an SSL certificate:

This section covers generating a CSR (Certificate Signing Request), obtaining the private key, and applying the received certificate on the server.

1. Take RDP to the HyWorks Controller machine and open Run > inetmgr (IIS Admin Console).

2. Use the link below to generate the CSR for the SSL certificate:

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key

Steps if you already have an SSL certificate:

https://www.digicert.com/kb/ssl-support/certificate-pfx-file-export-import-iis-10.htm


4. SSL Certificate Cannot Be Trusted for port 443:

Accops Comments: The resolution is the same as for item 3 above: install an SSL certificate in the IIS server, following the CSR generation or PFX import steps given there.


5. SSL Certificate with Wrong Hostname:

Accops Comments: This is reported when the server is scanned using its IP address rather than its FQDN. Kindly rescan the servers using the FQDN.


6. SSL Certificate Signed Using Weak Hashing Algorithm:

Accops Comments: HyWorks is deployed internally and hence uses the Accops self-signed certificate. This is not a security threat.


Accops Comments: This can be resolved with the IIS Crypto tool. Follow the steps below.

Steps:

1. Download the tool and install it on the HyWorks machine. Download link: https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe

2. Open the software, go to Cipher Suites and select only the ciphers marked in the screenshot below.

[image]

3. Click Apply and reboot the machine.


8. TLS Version 1.0 and 1.1 Protocol Detection:

Accops Comments: This can be resolved with the IIS Crypto tool. Follow the steps below.

Steps:

1. Download the tool and install it on the HyWorks machine. Download link: https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe

2. Open the software, go to Schannel and select only the points marked in the screenshot below.

[image]

3. Click Apply and reboot the machine.

9. Terminal Services Doesn't Use Network Level Authentication (NLA) Only:

Accops Comments: Enable NLA (Control Panel > System and Security > Allow Remote Access).


10. Remote Desktop Protocol Server Man-in-the-Middle Weakness:

Solution: Enable Network Level Authentication (NLA) on the remote RDP server.


11. Microsoft Windows Unquoted Service Path Enumeration

Solution:

1. Open the Registry Editor as an administrator.

2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services.

3. Look for the application name reported by the customer.

4. Right-click ImagePath and click Modify.

5. Enclose the path in double quotes, as below:

      "<path>"

6. Exit the Registry Editor and reboot the server.
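An added example, not Accops' own procedure: a PowerShell version of the steps above that lists every service whose executable path contains a space but is not quoted, and quotes only the executable portion. The function names are my own.

```powershell
# Added example: find services whose ImagePath has a space in the executable
# path but is not quoted, and quote the executable part (steps 1-5 above).
# Run in an elevated PowerShell session; preview with -WhatIf before applying.
function Get-UnquotedServicePath {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root) {
        $path = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $path -or $path.StartsWith('"')) { continue }    # empty or already quoted
        # Split into the .exe and its arguments. Drivers (.sys) and other non-.exe
        # entries are not the path-ambiguity case this finding is about, and a
        # space that only appears in the arguments is harmless.
        if ($path -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$' -and $Matches.exe.Contains(' ')) {
            [pscustomobject]@{
                Service   = $svc.PSChildName
                ImagePath = $path
                Fixed     = ('"{0}"{1}' -f $Matches.exe, $Matches.args)
                Key       = $svc.PSPath
                Kind      = $svc.GetValueKind('ImagePath')   # keep REG_SZ / REG_EXPAND_SZ as is
            }
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($item in Get-UnquotedServicePath) {
        if ($PSCmdlet.ShouldProcess($item.Service, "Set ImagePath to $($item.Fixed)")) {
            Set-ItemProperty -Path $item.Key -Name ImagePath -Value $item.Fixed -Type $item.Kind
        }
    }
}

Get-UnquotedServicePath | Format-Table Service, ImagePath, Fixed -AutoSize
# Repair-UnquotedServicePath -WhatIf    # preview
# Repair-UnquotedServicePath            # apply, then reboot (step 6)
```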


12. Windows Speculative Execution Configuration Check

Comments: The customer can apply the necessary updates as per their organization's policy.


13. Security Updates for Windows Defender

Comments: The customer can apply the necessary updates as per their organization's policy. This won't affect HyWorks functionality.


14. IP Forwarding Enabled

Solution: Set the value 'IPEnableRouter' to 0 under the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters


15. Terminal Services Encryption Level is not FIPS-140 Compliant

Solution: Change the RDP encryption level to FIPS compliant:

  • Open the Group Policy Management Console.
  • Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  • In the right pane, double-click "Set client connection encryption level".
  • Select the "Enabled" radio button, then choose "FIPS" from the drop-down menu.
  • Click "OK" to save your changes.
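An added example, not Accops' tooling, that audits the registry values behind findings 9 and 10 (NLA), 14 (IP forwarding) and 15 (RDP encryption level) in one pass and can set them. The registry paths and values are the standard Terminal Services and TCP/IP ones; the function name and check table are my own.

```powershell
# Added example: audit (and optionally set) the registry values behind findings
# 9 and 10 (NLA), 14 (IP forwarding) and 15 (RDP encryption level).
# UserAuthentication=1 requires NLA; MinEncryptionLevel=4 is the 'FIPS Compliant'
# level; IPEnableRouter=0 turns IP forwarding off. Run elevated.
$checks = @(
    @{ Finding  = 'NLA required (9, 10)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name     = 'UserAuthentication'; Expected = 1 },
    @{ Finding  = 'RDP encryption level FIPS (15)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name     = 'MinEncryptionLevel'; Expected = 4 },
    @{ Finding  = 'IP forwarding disabled (14)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name     = 'IPEnableRouter'; Expected = 0 }
)

function Test-HardeningValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($null -ne $actual) -and ([int]$actual -eq $c.Expected)
        if (-not $ok -and $Fix -and
            $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "Set DWORD to $($c.Expected)")) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                -Value $c.Expected -Force | Out-Null
            $actual = $c.Expected; $ok = $true
        }
        [pscustomobject]@{
            Finding = $c.Finding; Value = $c.Name
            Expected = $c.Expected; Actual = $actual; Compliant = $ok
        }
    }
}

Test-HardeningValue | Format-Table -AutoSize     # audit only
# Test-HardeningValue -Fix -WhatIf               # preview changes
# Test-HardeningValue -Fix                       # apply; RDP changes affect new sessions
```

If item 15 is applied through Group Policy as described, the policy value under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services overrides the WinStations key, so audit that path instead on a domain-joined host.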


16. Any issues reported on port 80 for the HyWorks Controller:

Solution: Follow the steps in the document below:

HyWorks_Disable_IIS_port_80.docx


17. Hyworks MS-SQL Security Checks:

Response :

=================

Dear Customer,

We've analyzed the requirement related to the Accops HyWorks deployment and can confirm that implementing row-level security (RLS) and column-level security (CLS) in the underlying MS SQL Server might not be necessary.

Here's why:

Application-Level Security: Since users access data and applications solely through HyWorks clients (HyWorks client and HySecure), RLS in MS SQL Server would not directly affect user access control. HyWorks itself manages user access to specific data through its built-in security features.

Non-Sensitive Data: The absence of confidential data such as PII (Personally Identifiable Information) in the HyWorks database further reduces the need for RLS/CLS. The existing application-level security is sufficient for managing access to this type of data.

Additional Security Measures:

Auditing and Logging: The HyWorks deployment has proper auditing and logging in place. This allows user activity and access to application data to be tracked, maintaining accountability and helping identify any potential security breaches.

Single-Tenant Environment: An on-premise HyWorks deployment is dedicated to a single organization, eliminating concerns about data being accessed by other customers (a common concern on DaaS platforms).

CIS Benchmark Hardening: We've implemented security best practices based on the CIS Benchmark for the MS SQL Server instance. This includes hardening various configurations to mitigate potential vulnerabilities. Here's a summary of the implemented CIS controls:

CIS Checks
1.1 Ensure Latest SQL Server Cumulative and Security Updates are Installed
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'
2.9 Ensure 'Trustworthy' Database Property is set to 'Off'
2.17 Ensure 'clr strict security' Server Configuration Option is set to '1'
3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases (Automated)
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases (Automated)
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Automated)
3.10 Ensure Windows local groups are not SQL Logins (Automated)
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies (Automated)
3.12 Ensure the 'SYSADMIN' Role is Limited to Administrative or Built-in Accounts (Manual)
3.13 Ensure membership in admin roles in MSDB database is limited (Automated)
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Automated)
7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases (Automated)
7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases (Automated)
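An added example (not part of the Accops response) that reads the running values for the CIS controls above that are plain server or database settings, so the hardening claim can be verified on the instance rather than assumed. The instance name is a placeholder; Windows PowerShell 5.1 on the SQL host and a Windows login with rights to read server metadata are assumed.

```powershell
# Added example: read back the CIS configuration items from the list above that
# are plain server/database settings and compare them with the expected values.
# Assumptions: Windows PowerShell 5.1 (System.Data.SqlClient built in), Windows
# authentication with rights to read server metadata, placeholder instance name.
$instance = 'localhost'   # placeholder; use the HyWorks instance, e.g. 'HOST\INSTANCE'
$query = @'
SELECT 'CIS 2.4  Database Mail XPs' AS Control, CAST(value_in_use AS int) AS Actual, 0 AS Expected
  FROM sys.configurations WHERE name = 'Database Mail XPs'
UNION ALL SELECT 'CIS 2.7  remote admin connections', CAST(value_in_use AS int), 0
  FROM sys.configurations WHERE name = 'remote admin connections'
UNION ALL SELECT 'CIS 2.8  scan for startup procs', CAST(value_in_use AS int), 0
  FROM sys.configurations WHERE name = 'scan for startup procs'
UNION ALL SELECT 'CIS 2.17 clr strict security', CAST(value_in_use AS int), 1
  FROM sys.configurations WHERE name = 'clr strict security'
UNION ALL SELECT 'CIS 5.2  default trace enabled', CAST(value_in_use AS int), 1
  FROM sys.configurations WHERE name = 'default trace enabled'
UNION ALL SELECT 'CIS 2.9  TRUSTWORTHY databases other than msdb', COUNT(*), 0
  FROM sys.databases WHERE is_trustworthy_on = 1 AND name <> 'msdb'
'@

function Test-SqlCisConfig {
    # One row per control; a control that returns no row (for example
    # 'clr strict security' on a build older than SQL 2017) is simply absent
    # from the output and has to be checked by hand.
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
        "Server=$instance;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Control   = $reader['Control']
                Expected  = $reader['Expected']
                Actual    = $reader['Actual']
                Compliant = ([int]$reader['Actual'] -eq [int]$reader['Expected'])
            }
        }
    } finally { $conn.Close() }
}

Test-SqlCisConfig | Format-Table -AutoSize
```

The 3.x controls (guest CONNECT, orphaned users, public role grants) need per-database queries and are not covered by this block.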


18. SSL Certificate vulnerabilities for port 1433:

Response :

This issue does not pose a significant threat. In our case its severity is low because HyWorks is deployed internally. MS SQL port 1433 is used internally within the machine and across the HyWorks nodes for communication between the EDC service and MS SQL, using a self-signed Accops certificate. To secure this port, block inbound connections from untrusted IPs and allow access only from trusted machines within the network, such as HySecure and the other HyWorks nodes.
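An added example, not Accops' own configuration: a Windows Firewall allow-list for TCP/1433 scoped to the trusted nodes the response mentions. The addresses, rule name and function name are placeholders of my own.

```powershell
# Added example: allow inbound TCP/1433 only from trusted HyWorks/HySecure nodes.
# Windows Firewall evaluates Block rules ahead of Allow rules, so the pattern is
# a Block default inbound action plus one Allow rule scoped to trusted sources;
# any broader Allow rule for the port would undo the restriction, so it is reported.
$trusted  = @('192.0.2.10', '192.0.2.11')   # placeholders: HySecure and HyWorks node addresses
$ruleName = 'HyWorks-SQL-1433-TrustedOnly'

function Set-SqlPortAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$RemoteAddress = $trusted)
    # 1. Unsolicited inbound traffic is dropped unless an Allow rule matches.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    # 2. Report other enabled inbound Allow rules that open 1433 more widely.
    Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq 1433 } |
        Get-NetFirewallRule | Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and $_.DisplayName -ne $ruleName
        } | ForEach-Object { Write-Warning "Broader allow rule for 1433: $($_.DisplayName)" }
    # 3. Replace the scoped Allow rule so re-running keeps a single definition.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    if ($PSCmdlet.ShouldProcess($ruleName, "Allow TCP/1433 from $($RemoteAddress -join ', ')")) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1433 -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
    }
}

Set-SqlPortAllowList -WhatIf    # preview; run without -WhatIf to apply
```

A named instance listens on a dynamic port unless one has been fixed in SQL Server Configuration Manager, so confirm the actual port before scoping the rule to 1433.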


19. HyWorks Compliance Checklist:

Link to sheet: HyWorks Compliance Checklist.xlsx

Group Policies: Group_Policies.xlsx


20. HSTS header issue on the HyWorks ports below:

tcp/38863
tcp/38865
tcp/38866
tcp/38867
tcp/38870
tcp/38871
tcp/38875


Accops Response:

Please note that HSTS is primarily designed to enhance security for web browsers by enforcing secure (HTTPS) connections to websites. However, on these specific ports the communication is carried out exclusively through agents or is restricted to internal network usage.

As HSTS instructs web browsers to communicate with a website solely over HTTPS, it helps mitigate the risk of man-in-the-middle attacks. However, since no web browsers are involved in the interactions on the mentioned ports, there is no need to implement HSTS.

Nevertheless, it is essential to ensure that appropriate security measures are in place for these ports, particularly in terms of encryption and data integrity.

In the case of browser-based applications such as the HyWorks Management Console, the necessary security headers have already been implemented. The screenshot below confirms the presence of these security headers.

[image]



21. SSL Certificate issue on the HyWorks ports below:

tcp/38863
tcp/38865
tcp/38866
tcp/38867
tcp/38870
tcp/38871
tcp/38875

Accops Comments: On the above ports, the communication is carried out exclusively through agents or is restricted to internal network usage. For this reason we use the Accops self-signed certificate on these ports.


22. Log4j issue reported for HyWorks:

Response: HyWorks doesn't use log4j for its functionality, so the log4j jar file can be removed.

Go to this location on the HyWorks server: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars

You will see a file named "log4j-1.2.17.jar". Rename it to "log4j-1.2.17.zip" and copy it to another location. No service restart or reboot is required.