Web Plus Security Features and Recommendations



Similar documents
Windows IIS Server hardening checklist

Application Security Policy

FileCloud Security FAQ

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

SECURITY DOCUMENT. BetterTranslationTechnology

SonicWALL PCI 1.1 Implementation Guide

SQL Server Hardening

A Decision Maker s Guide to Securing an IT Infrastructure

Xerox DocuShare Security Features. Security White Paper

Understanding Microsoft Web Application Security

MIGRATIONWIZ SECURITY OVERVIEW

Global Partner Management Notice

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Hardening IIS Servers

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

GFI White Paper PCI-DSS compliance and GFI Software products

Locking down a Hitachi ID Suite server

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Advantage for Windows Copyright 2012 by The Advantage Software Company, Inc. All rights reserved. Client Portal blue Installation Guide v1.

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Catapult PCI Compliance

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Web Security School Entrance Exam

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

How to Secure a Groove Manager Web Site

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Achieving PCI-Compliance through Cyberoam

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

Security Guidelines for MapInfo Discovery 1.1

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

RemotelyAnywhere. Security Considerations

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit.

Implementation Guide

Sitefinity Security and Best Practices

Security IIS Service Lesson 6

Security Controls for the Autodesk 360 Managed Services

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

PCI DSS Requirements - Security Controls and Processes

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

Vendor Questionnaire

Embedded Document Accounting Solution (edas) for Cost Recovery. Administrator's Guide

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Columbia University Web Security Standards and Practices. Objective and Scope

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

What is Web Security? Motivation

Installation Guide for Pulse on Windows Server 2012

Lotus Domino Security

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

How To Secure An Rsa Authentication Agent

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

All rights reserved. Trademarks

IIS Web Server Hardening

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

ShareFile Security Overview

Chapter 4 Application, Data and Host Security

Criteria for web application security check. Version

Introduction. PCI DSS Overview

System Administration Training Guide. S100 Installation and Site Management

SysPatrol - Server Security Monitor

Cloud Security:Threats & Mitgations

Windows Operating Systems. Basic Security

Passing PCI Compliance How to Address the Application Security Mandates

Check list for web developers

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

E-Commerce for IT Advanced. Louis Aguila & Matt Burt

How To Manage Web Content Management System (Wcm)

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

NNT CIS Microsoft SQL Server 2008R2 Database Engine Level 1 Benchmark Report 0514a

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

multiple placeholders bound to one definition, 158 page approval not match author/editor rights, 157 problems with, 156 troubleshooting,

74% 96 Action Items. Compliance

Business ebanking Fraud Prevention Best Practices

WEBCONNECT INSTALLATION GUIDE. Version 1.96

Management Center. Installation and Upgrade Guide. Version 8 FR4

CITY UNIVERSITY OF HONG KONG Network and Platform Security Standard

Installation Guide for Pulse on Windows Server 2008R2

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 31/03/ L Wyatt Update to procedure

SharePlus Enterprise: Security White Paper

Windows Remote Access

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Security White Paper The Goverlan Solution

Windows Server 2008/2012 Server Hardening

Enterprise Security Critical Standards Summary

Secret Server Qualys Integration Guide

WS_FTP Server. User s Guide. Software Version 3.1. Ipswitch, Inc.

Description of Microsoft Internet Information Services (IIS) 5.0 and

Password Reset Server User Guide

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

GE Measurement & Control. Cyber Security for NEI 08-09

Transcription:

Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of Cancer Prevention and Control National Program of Cancer Registries Registry Plus Software for Cancer Registries

Web Plus has been designed as a highly secure application that can be used to transmit confidential patient data between reporting locations and a central registry safely over the public Internet. Security is achieved by a combination of software features and network infrastructure. This document outlines the security features of the application and recommendations for the operating environment to ensure a secure installation. Web Plus is a form-authenticated, ASP.NET application that is hosted on Internet Information Services (IIS) running on Microsoft Windows 2000 or later server operating systems. In a typical setting, the Web server sits in the demilitarized zone between the external and internal firewalls while SQL Server, where the Web Plus database is stored, resides inside the internal firewall as part of the trusted network. Web Plus User Internet Internet Information Services External Firewall hosting Web Plus Internal Firewall SQL Server Web Plus database Demilitarized zone The security of Web Plus depends to a large extent on the security of the client computer, the communication channel between the client and the Web server, the Web server, the base operating system, and the configuration of the firewalls on either side of the Web server. It is very important that the hosting agency have a security policy in place and document the users who have access to Web Plus and the database, and their assigned roles. The hosting agency is responsible for encrypting the Web Plus database if required. Security breaches by social engineering attacks are always a consideration; special attention is required in all parts of the system to prevent such attacks. Use of strong passwords is highly recommended, and users should be expressly prohibited from sharing accounts. Security Features of the Web Plus Application Authentication Web Plus uses form-based authentication where users must enter their user ID and password to be authenticated by the application. Multi-factor authentication can be implemented by requiring users to enter a personal identification number (PIN) and/or answer challenge questions in addition to providing their user ID and password. Passwords The central registry administrator can configure the following password attributes Enforce password complexity by using a regular expression. Keep a password history and require new passwords to be different from the ones used before. Set an expiration date to force users to change their password after a specified time interval. The administrator can reset forgotten passwords. Web Plus then forces the user to change the password after the first login. Web Plus Security Features and Recommendations, October 2012 Page 2 of 6

Personal Identification Number (PIN) The PIN is an optional security feature to accommodate two-factor user authentication. When enabled on the systems preference page, the central registry administrator can generate a random and unique Web Plus PIN matrix for every user. At login, in addition to his or her user ID and password, the user must enter the four-digit PIN based on coordinates from their Web Plus PIN matrix. Note: PIN matrix coordinates are provided on login. The hosting agency must mail the matrices to users. Challenge Questions Challenge questions are another optional security feature. When enabled on the systems preference page, the central registry administrator can enter challenge questions to be answered by each user when the feature is enabled initially, and then used upon login to validate the user s identity. The number of challenge questions for initial setup and login can be specified. Role-Based Access Web Plus also implements a role-based access, where users are granted different levels of access depending on the role or roles assigned to them. Eght roles are defined in Web Plus: Facility abstractor: Works in a local facility or doctor's office and handles patients' medical records. When a patient is diagnosed with cancer, the facility abstractor reports the case to the state's central cancer registry. The facility abstractor also completes and submits any follow-back abstracts that the central registry has posted for their facility. Central registry abstractor/reviewer: Reviews abstracts submitted to the central registry for completeness and accuracy and may abstract additional data items from submitted text; also abstracts new cases. Central registry administrator: Sets up facilities with access to Web Plus to report their data, manages facility accounts and users at both central registry and facilities, configures display types, edit sets, and system preferences, manages assignment of abstracts to central registry staff, exports data, and views reports. Local administrator: Locally manages the users who are allowed to access Web Plus at one facility. File uploader: Uploads either files of abstracts in the appropriate NAACCR format that were not abstracted using Web Plus or non-naaccr files in any format; views EDITS error reports for uploaded files in NAACCR format; cleans, or works with abstractors to clean, errors on rejected abstracts prior to resubmitting; downloads files posted by the central registry; and views reports. Follow-back supervisor: Uploads files of partially-filled follow-back abstracts, manually adds follow-back abstracts online, tracks follow-back abstracts by uploaded file or by facility, and generates and views Web Plus follow-back reports. Follow-back monitor: Tracks follow-back abstracts by assigned facility and generates and views Web Plus follow-back reports. File upload supervisor: Monitors upload of files to the central registry, tracks file uploads by facility, communicates with facilities to ensure resubmission of rejected files, and views reports. Prevention of Web Application Vunerabilities Web Plus prevents Web application vulnerabilities including SQL injection and cross-site scripting attacks. This security component in Web Plus scans the incoming HTTP requests for malicious Web Plus Security Features and Recommendations, October 2012 Page 3 of 6

characters. If malicious characters are found in the incoming request, the application page is redirected to a "blocked" page and the user is alerted about suspect input data. Other Application Security Features Other security features of the application include Facilities and offices have access only to the abstracts entered at their facility or office. Web Plus keeps an extensive log of user logins, data accesses, and updates for auditing purposes. User accounts can be locked out if invalid login attempts exceed a threshold value configurable by the central administrator. An administrator can deactivate a user account temporarily. The central administrator can see users' activities through the Current User Activities page. Display types and edit set configurations are controlled centrally. Passwords are stored in the database using a one-way hash algorithm. The Web Plus configuration file can store the connection string to the SQL Server database in encrypted format. Security of the Operating Infrastructure Security on the Client Computer The client computer should be protected from any kind of Trojan horse or spyware attacks by installing anti-virus and anti-spyware software, and ensuring that these programs are up-to-date. Secure Communication Channel and Server Certificate Web Plus relies on a Secure Sockets Layer (SSL) channel between the Web server and client browser for the protection of data exchanged over the Internet. To set up an SSL channel, the Web server needs to have a server certificate installed and the Web site containing the application should have SSL encryption turned on. The certificate for the server can either be created in-house, if a certificate server is available, or can be purchased from a commonly trusted third-party commercial organization called a certificate authority. A certificate of 128-bit cyber strength is the industry standard for secure communication over the Internet and is highly recommended. Two-Factor Authentication Using Client Certificates The form-based authentication of Web Plus may be supplemented with a two-factor authentication scheme in which users are authenticated based upon what they know and what they have. The what they know part of the scheme is fulfilled by the login page of Web Plus, as users need to know their user ID and password to log into the system. Additionally, you can configure IIS to require users to have certificates to connect to the Web Plus site. When the Web Plus site is configured this way, the hosting agency is responsible for creating and distributing client certificates to users. When installed on users' computers, the client certificates form the what they have part of the two-factor authentication scheme. Note: Multi-factor authentication can be implemented using the personal identification number (PIN) security feature, which requires that users enter a PIN in addition to their user ID and password. Web Plus Security Features and Recommendations, October 2012 Page 4 of 6

Hardening of the Web Server and Operating System Windows 2003 Server with IIS6 is highly recommended because of enhanced security over Windows 2000 server. Follow Microsoft's guidelines harden the Web server and the base operating system. The IISLockdown tool available from Microsoft s download site can be used to automate several security steps to reduce the vulnerability of the Windows 2000 Web server. Recommendations from Microsoft include Applying the latest patches to the operating system and Internet Information Services (IIS). Use the Microsoft Baseline Security Analyzer to detect patches and updates that may be missing from the current installation. Do not install IIS as part of the operating system installation. Rather, install it later, after you have updated and patched the base operating system. Then install IIS, apply patches, and harden the IIS configuration. When installing IIS, do not install File Transfer Protocol (FTP) Server, Microsoft FrontPage 2000 server extensions, Internet Service Manager (HTML), NNTP service, or Visual InterDev RAD remote deployment support. However, install SMTP to support Web Plus' e-mail capability. Disable NetBIOS and SMB on the Internet-facing network interface card and remove Web Distributed Authoring and Versioning (WebDAV). Delete or disable unused accounts: rename the administrator account, disable the guest and IUSR accounts, create a custom anonymous Web account, enforce strong password policies, restrict remote logons, and disable null sessions. The custom anonymous account created to replace the IUSR account should have the least privilege. If you run IISLockdown, add your custom user to the Web Anonymous Users group. IISLockdown denies access to system utilities and the ability to write to Web content directories for the Web Anonymous Users group. Use strong access controls to protect sensitive files and directories. Set access at the directory level whenever possible. Ensure that only the.net Framework Redistributable package is installed on the server, and no SDK utilities are installed. Do not install Visual Studio.NET on production servers. Debugging tools should not be available on the Web server. Ensure that access is restricted to powerful system tools and utilities such as those contained in the \Program Files directory. Remove all of the sample files. Relocate Web roots and virtual directories to a non-system partition to protect against directory traversal attacks. Secure Connection to the Database If SQL server authentication is used, the user ID and password are embedded in the connection string, but the connection string is stored in encrypted form (using DPAPI) in Web.config. If Windows authentication is used, the user s credentials are not included in the connection string; the connection string is still encrypted hiding the database server s IP address and port number. Windows authentication is the preferred method because it does not transmit the user s credentials over the network. For Windows authentication to work, a mirrored ASPNET process account must be created as a local Windows account with the same name and password on the database server. ASPNET is a least-privileged account created when.net Framework is installed on the Web server. By default, all ASP.NET applications run under this account's security context. After creating the account in Windows, create a SQL Server login for the account and grant it access to Web Plus database. Web Plus Security Features and Recommendations, October 2012 Page 5 of 6

It is recommended that the SQL Server listen on a port number different from the default port (1433). This port then should be opened in the internal firewall to allow Web server to access the database. Configuring ASP.NET for Security Various security options can be configured in the Web.config and machine.config files. The settings depend on local security requirements and administrative preferences. In most cases, leaving the settings at the default values should provide the required security. Web Plus Security Features and Recommendations, October 2012 Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information