Windows 2012 R2 Certification Authority installation guide

This step-by-step guide explains how to install and configure a public key infrastructure based on:

  • Windows 2012 R2 Server core – offline Root CA
  • Windows 2012 R2 domain controller
  • Windows 2012 R2 standard edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

  1. Boot the server using Windows 2012 R2 bootable DVD.
  2. From the installation option, choose “Windows Server 2012 R2 Standard (Server Core Installation)” -> click Next.
  3. Accept the license agreement -> click Next.
  4. Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  5. Allow the installation phase to continue and restart the server automatically.
  6. To login to the server for the first time, press CTRL+ALT+DELETE.
  7. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
  8. From the command prompt window, run the command below:
    sconfig.cmd
  9. Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
  10. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  11. From the command prompt window, run the command below:
    sconfig.cmd
  12. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  13. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
  14. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  15. From the command prompt window, run the command below:
    sconfig.cmd
  16. In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
  17. Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  18. Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK.
  19. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
  20. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  21. From the command prompt window, run the command below:
    powershell
  22. Run the commands below to enable remote management of the Root CA:
    Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
    Note: The above command should be written in single line.
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Offline Root CA – Certificate Authority server installation phase

  1. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. From the command prompt window, run the command below:
    powershell
  3. Run the command below to create CA policy file:
    notepad c:\windows\capolicy.inf
  4. Specify the following data inside the capolicy.inf file:
    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    CRLPeriod=Weeks
    CRLPeriodUnits=26
    CRLDeltaPeriod=Days
    CRLDeltaPeriodUnits=0
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1
    [PolicyStatementExtension]
    Policies=LegalPolicy
    [LegalPolicy]
    OID=1.2.3.4.1455.67.89.5
    Notice="Legal Policy Statement"
    URL=http://www/CertEnroll/cps.asp
  5. Run the commands below to install Certification Authority using Powershell:
    Import-Module ServerManager
    Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    Note: The above command should be written in single line.
  6. Run the command below to install the Root CA:
    Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName <CA_Server_Name> -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
    Note 1: The above command should be written in single line.
    Note 2: Replace “CA_Server_Name” with the Root CA NetBIOS name.
  7. Run the command below to remove all default CRL Distribution Point (CDP):
    $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
    Note: The above command should be written in single line.
  8. Run the commands below to configure new CRL Distribution Point (CDP):
    Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
    Note: The above command should be written in single line.
    Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force
    Note: The above command should be written in single line.
  9. Run the command below to remove all default Authority Information Access (AIA):
    $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
    Note: The above command should be written in single line.
  10. Run the command below to configure new Authority Information Access (AIA):
    Add-CAAuthorityInformationAccess -AddToCertificateAia -uri http://www/CertEnroll/%1_%3.crt
    Note: The above command should be written in single line.
  11. Run the commands below to configure the Root CA settings:
    certutil.exe -setreg CA\CRLPeriodUnits 26
    certutil.exe -setreg CA\CRLPeriod "Weeks"
    certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
    certutil.exe -setreg CA\CRLDeltaPeriod "Days"
    certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
    certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
    certutil.exe -setreg CA\ValidityPeriodUnits 20
    certutil.exe -setreg CA\ValidityPeriod "Years"
    certutil.exe -setreg CA\KeySize 4096
    certutil.exe -setreg CA\AuditFilter 127
  12. Run the commands below from the command line to configure the Offline Root CA to publish to Active Directory:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration, DC=mycompany,DC=com"
    Note 1: The above command should be written in single line.
    Note 2: Replace “DC=mycompany,DC=com” according to your domain name.
    certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
    Note: Replace “DC=mycompany,DC=com” according to your domain name.
  13. Run the command below to restart the CertSvc service:
    Restart-Service certsvc
  14. Run the command below to publish new CRLs:
    certutil.exe -CRL
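
The CRL published in step 14 is what relying parties check while the Root CA is powered off, so its nextUpdate field decides when the Root CA must be brought back online to run certutil.exe -CRL again. The script below is an added example, not part of the original guide: it reads thisUpdate and nextUpdate directly from a DER or PEM .crl file (such as the one in C:\Windows\System32\CertSrv\CertEnroll) and reports the days left; the issuer name, dates and the unsigned sample CRL it builds when run without arguments are constructed for illustration.

```python
"""Read thisUpdate/nextUpdate from an X.509 CRL and report the re-issue deadline."""
import base64
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample values for the stand-alone run; period and overlap mirror the guide.
SAMPLE_THIS_UPDATE = datetime(2014, 1, 1, tzinfo=timezone.utc)
SAMPLE_PERIOD = timedelta(weeks=26)    # CRLPeriodUnits 26, CRLPeriod Weeks
SAMPLE_OVERLAP = timedelta(hours=12)   # CRLOverlapPeriodUnits 12, CRLOverlapPeriod Hours


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value element at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """Decode a DER Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"   # RFC 5280 century rule
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(data):
    """Return (thisUpdate, nextUpdate) of a CRL given as DER or PEM bytes.

    Only the tbsCertList header is walked; the signature is not verified here.
    nextUpdate is None when the CRL omits it.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    _, cert_list, _ = _read_tlv(data, 0)   # CertificateList
    tag, tbs, _ = _read_tlv(cert_list, 0)  # tbsCertList
    if tag != 0x30:
        raise ValueError("not a DER-encoded CRL")
    tag, _, pos = _read_tlv(tbs, 0)        # version (OPTIONAL) or signature
    if tag == 0x02:                        # version present: step over signature too
        _, _, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)    # thisUpdate
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):            # nextUpdate is OPTIONAL
            next_update = _parse_time(tag, val)
    return this_update, next_update

def days_until_republish(next_update, now=None, margin=timedelta(days=1)):
    """Days left to publish a fresh CRL while staying `margin` ahead of nextUpdate."""
    now = now or datetime.now(timezone.utc)
    return (next_update - margin - now).total_seconds() / 86400

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample CRL."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_crl(this_update=SAMPLE_THIS_UPDATE, period=SAMPLE_PERIOD,
                     overlap=SAMPLE_OVERLAP, v2=True):
    """Minimal unsigned DER CRL as constructed test data; ADCS sets nextUpdate to
    thisUpdate + CRLPeriod + CRLOverlapPeriod (26 weeks + 12 hours here = 182.5 days)."""
    def utc(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Example Offline Root CA"))
    version = _der(0x02, b"\x01") if v2 else b""
    tbs = _der(0x30, version + sha256_rsa + _der(0x30, _der(0x31, cn))
               + utc(this_update) + utc(this_update + period + overlap))
    signature = _der(0x03, b"\x00" + b"\xAB" * 4)   # placeholder BIT STRING, never verified
    return _der(0x30, tbs + sha256_rsa + signature)

def to_pem(der):
    """Wrap DER bytes as a PEM 'X509 CRL' block (what `openssl crl -outform PEM` emits)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN X509 CRL-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END X509 CRL-----\n").encode()

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_crl()
    this_update, next_update = crl_validity(raw)
    print(f"thisUpdate: {this_update:%Y-%m-%d %H:%M}Z")
    if next_update is None:
        print("nextUpdate: absent")
    else:
        print(f"nextUpdate: {next_update:%Y-%m-%d %H:%M}Z; days left to bring the Root CA "
              f"online and run certutil -CRL: {days_until_republish(next_update):.1f}")
```

Run it as `python crlcheck.py <CA name>.crl` against the copy of the Root CA CRL kept on the Subordinate CA; the same parser works for the Subordinate CA's own two-week CRL.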

Enterprise Subordinate CA – OS installation phase
Pre-requirements:

  • Active Directory (Forest functional level – Windows 2012 R2)
  • Add an “A” record for the Root CA to the Active Directory DNS.
  1. Boot the server using Windows 2012 R2 bootable DVD.
  2. From the installation option, choose “Windows Server 2012 R2 Standard (Server with a GUI)” -> click Next.
  3. Accept the license agreement -> click Next.
  4. Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  5. Allow the installation phase to continue and restart the server automatically.
  6. To login to the server for the first time, press CTRL+ALT+DELETE.
  7. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
  8. From the “Welcome to Server Manager”, click on “Configure this local server” -> replace the “Computer name” -> restart the server.
  9. From the “Welcome to Server Manager”, click on “Configure this local server” -> click on Ethernet -> right click on the network interface -> properties -> configure static IP address.
  10. Enable “Remote Desktop”
  11. From the command prompt window, run the command below:
    powershell
  12. Run the command below to enable remote management of the server:
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:

  • DNS CNAME record named “www” for the Enterprise Subordinate CA.
  • Make sure the clocks of the Offline Root CA and the Subordinate CA are synchronized.
  1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
  2. Copy the files below from the Offline Root CA server to a temporary folder on the Subordinate CA:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
  3. Run the command below to publish the Root CA in the Active Directory:
    certutil.exe -dspublish -f "<CACertFileName.crt>" RootCA
    Note: Replace “CACertFileName” with the actual CRT file.
  4. Run the commands below to add the Root CA certificate to the subordinate CA certificate store:
    certutil.exe -addstore -f root "<CACertFileName.crt>"
    certutil.exe -addstore -f root "<CACertFileName.crl>"

    Note: Replace “CACertFileName” with the actual CRT and CRL files.
  5. From the command prompt window, run the command below:
    powershell
  6. Run the command below to create CA policy file:
    notepad c:\windows\capolicy.inf
  7. Specify the following data inside the capolicy.inf file:
    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=5
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1
  8. Run the commands below to install Certification Authority using Powershell:
    Import-Module ServerManager
    Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    Note: The above command should be written in single line.
    Add-WindowsFeature Web-Mgmt-Console
    Add-WindowsFeature Adcs-Web-Enrollment
  9. Open Server Manager -> From the “Welcome to Server Manager”, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
  10. Specify credentials and click on Next.
  11. Select both “Certification Authority” and “Certification Authority Web Enrollment” roles and click on Next.
  12. Select “Enterprise CA” -> click on Next.
  13. Select “Subordinate CA” -> click on Next.
  14. Select “Create a new private key” -> click on Next.
  15. Cryptography:
    Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
    Key length: 2048
    Hash algorithm: SHA256
  16. CA Name:
    Common name: specify here the subordinate server NetBIOS name
    Distinguished name suffix: leave the default domain settings
  17. Select “Save a certificate request to file on the target machine” -> click Next.
  18. Specify the database location and click Next.
  19. Click on Configure -> wait until the process completes and click on Close.
    Note: If asked, choose not to configure additional role services.
  20. Copy the request file (*.req) to the Offline Root CA.
  21. Login to the Offline Root CA using an administrative account.
  22. Run the command below to submit the subordinate CA certificate request:
    certreq -submit "<CACertFileName>.req"
    Note: Replace “CACertFileName” with the actual request file.
  23. Run the command below to approve the subordinate CA request:
    certutil -resubmit 2
    Note: Replace “2” with the request ID.
  24. Run the command below to download the new certificate:
    certreq -retrieve 2 "C:\<CACertFileName>.cer"
    Note 1: Replace “CACertFileName” with the actual CER file.
    Note 2: Replace “2” with the request ID.
  25. Logoff the Root CA and power it off for up to 179 days (it must be brought back online before then to publish a new CRL).
  26. Return to the Subordinate CA.
  27. Copy the file “c:\<CACertFileName>.cer” from the Offline Root CA to the Subordinate CA.
    Note: Replace “CACertFileName” with the actual CER file.
  28. Run the commands below to complete the Subordinate CA installation process:
    powershell
    Certutil -installcert "<CACertFileName>.cer"

    Note: Replace “CACertFileName” with the actual CER file.
  29. Run the command below to restart the CA service:
    start-service certsvc
  30. Run the command below to remove all default CRL Distribution Point (CDP):
    $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
    Note: The above command should be written in single line.
  31. Run the commands below to configure new CRL Distribution Point (CDP):
    Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
    Note: The above command should be written in single line.
    Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -Force
    Note: The above command should be written in single line.
    Add-CACRLDistributionPoint -Uri file://\\<SubordinateCA_DNS_Name>\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
    Note 1: The above command should be written in single line.
    Note 2: Replace “<SubordinateCA_DNS_Name>” with the actual Subordinate CA DNS name.
  32. Run the command below to remove all default Authority Information Access (AIA):
    $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
    Note: The above command should be written in single line.
  33. Run the commands below to configure new Authority Information Access (AIA):
    Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -Force
    Note: The above command should be written in single line.
    Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
    Note: The above command should be written in single line.
    Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -Force
    Note: The above command should be written in single line.
  34. Run the commands below to configure the Subordinate CA settings:
    Certutil -setreg CA\CRLPeriodUnits 2
    Certutil -setreg CA\CRLPeriod "Weeks"
    Certutil -setreg CA\CRLDeltaPeriodUnits 1
    Certutil -setreg CA\CRLDeltaPeriod "Days"
    Certutil -setreg CA\CRLOverlapPeriodUnits 12
    Certutil -setreg CA\CRLOverlapPeriod "Hours"
    Certutil -setreg CA\ValidityPeriodUnits 5
    Certutil -setreg CA\ValidityPeriod "Years"
    certutil -setreg CA\AuditFilter 127
    certutil -setreg CA\EncryptionCSP\CNGEncryptionAlgorithm AES
    certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256
    certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    Note: The above command should be written in single line.
  35. Run the command below to restart the CertSvc service:
    Restart-Service certsvc
  36. Run the command below to publish new CRLs:
    certutil.exe -CRL
  37. Copy the files below from the Root CA to the Subordinate CA (same location):
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  38. Create CPS (Certificate Practice Statement), save it as “cps.asp” inside the subordinate CA under the folder below:
    C:\Windows\System32\CertSrv\CertEnroll
    Note: For more information about Certificate Practice Statement, see:
    http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx
  39. Login to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
  40. Open Server Manager -> Tools -> Active Directory Users and Computers.
  41. From the left pane, expand the domain name -> choose an OU and create the following groups:
    Group name: CA Admins
    Group description/purpose: Manage CA server
    Group name: CA Issuers
    Group description/purpose: Issue certificates
  42. Logoff the domain controller.
  43. Login to the Subordinate CA using an administrative account that is also a member of the “CA Admins” group.
  44. Open Server Manager -> Tools -> Certification Authority.
  45. From the left pane, right click on the CA server name -> Properties -> Security tab -> Add -> add the “CA Admins” group -> grant the permissions “Issue and Manage Certificates” and “Manage CA” and remove all other permissions -> click on OK.
    Note: As a best practice, it is recommended to remove the default permissions of “Domain Admins” and “Enterprise Admins”.
  46. From the left pane, expand the CA server name -> right click on Certificate Templates -> Manage -> from the main pane, right click on “User” certificate -> Duplicate Template -> General tab -> rename the template to “Custom User Certificate” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read”, “Enroll” and “Autoenroll” -> click on OK.
  47. From the main pane, right click on “Web Server” certificate -> Duplicate Template -> General tab -> rename the template to “Custom Web Server Certificate” -> Request Handling tab -> select “Allow private key to be exported” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> remove the permissions for the built-in Administrator account -> click on OK.
    Note: All computer accounts requesting the “Custom Web Server Certificate” certificate must be members of the “CA Issuers” group.
  48. From the main pane, right click on “OCSP Response Signing” certificate -> Duplicate Template -> General tab -> rename the template to “Custom OCSP Response Signing” -> Security tab -> add the subordinate CA computer account -> grant “Read”, “Enroll” and “Autoenroll” -> click OK.
  49. From the main pane, right click on “Web Server” certificate -> Properties -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> click OK.
  50. Close the Certificate Templates Console.
  51. From the Certification Authority console left pane, right click on Certificate Templates -> New -> Certificate Template to issue -> select the following certificate templates:
    Web Server
    Custom User Certificate
    Custom Web Server Certificate
    Custom OCSP Response Signing
  52. Click OK.
  53. Close the Certification Authority console.
  54. Open Server Manager -> Manage -> Add Roles and Features -> click Next 3 times -> expand “Active Directory Certificate Services” -> select “Online Responder” -> click on Add Features -> click Next twice -> click on Install -> click on Close.
  55. From the upper pane, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”.
  56. Specify credentials and click on Next.
  57. Select “Online Responder” -> click Next -> click on Configure -> click Close.
  58. From the left pane, right click on “Online Responder” -> Responder Properties -> Audit tab -> select “Changes to the Online Responder configuration”, “Changes to the Online Responder security settings” and “Requests submitted to the Online Responder” -> click OK -> close the “Online Responder Configuration” console.
  59. Open Server Manager -> Tools -> Local Security Policy -> from the left pane, expand “Advanced Audit Policies” -> expand “System Audit Policies – Local Group Policy Object” -> click on Object Access -> from the main pane, double click on “Audit Certification Services” -> select “Configure the following audit events” -> select both Success and Failure -> click OK -> close the Local Security policy console.
  60. Run from command line:
    certutil -CRL
  61. Run from command line:
    certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
    Note: The above command should be written in single line.
  62. Run the commands below to restart the CertSvc service:
    powershell
    Restart-Service certsvc
  63. Open Server Manager -> Tools -> Online Responder Management.
  64. From the left pane, right click on “Revocation Configuration” -> Add revocation configuration -> click Next -> on the name field, specify “Custom Revocation Configuration” -> click Next -> select “Select a certificate for an Existing enterprise CA” -> click Next -> click Browse -> select the subordinate CA -> click OK -> Automatically select a signing certificate -> click Next -> click Finish.
  65. Close the Online Responder Management console.
  66. Login to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
  67. Copy the files below from the Subordinate CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
    Note: Copy the newest files.
  68. Open Server Manager -> Tools -> Group Policy Management.
  69. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
  70. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA server -> click Open -> click Next twice -> click Finish -> click OK.
  71. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
  72. From the main pane, right click on the certificate name -> Properties -> OCSP tab -> inside the empty “Add URL” field, specify:
    http://www/ocsp
    Click on Add URL -> Click OK.
  73. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Certificate Enrollment Policy” -> Properties -> change the “Configuration Model” to “Enabled” and click OK.
  74. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Auto-Enrollment” -> Properties -> change the “Configuration Model” to “Enabled” -> select “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” -> click OK.
  75. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Administrative Templates” -> expand “Windows Components” -> expand “Internet Explorer” -> expand “Internet Control Panel” -> expand “Security Page” -> double click on “Site to zone assignment list” -> click on “Enabled” -> under Options, click on “Show” -> inside “Value name”, specify the Subordinate CA DNS name -> inside “Value”, specify 2 -> click OK twice.
  76. Close the “Group Policy Management”.
  77. Logoff the domain controller.
  78. Login to the Subordinate CA using an administrative account.
  79. Open Server Manager -> Tools -> Internet Information Services (IIS) Manager.
  80. From the left pane, expand the server name -> expand Sites -> click on “Default Web Site” -> from the right pane, click on “Bindings” -> click on Add -> from the Type, select HTTPS -> under “SSL Certificate”, select the Subordinate CA certificate -> click OK -> click on Close.
  81. From the left pane, expand “Default Web Site” -> click on “CertSrv” -> from the main pane, double click on “Request Filtering” -> click Edit Feature Settings -> select “Allow Double Escaping” -> click OK.
  82. From the main pane, double click on “SSL Settings” -> select “Require SSL” -> click on Apply.
  83. Close the Internet Information Services (IIS) Manager console.
  84. Run PKIVIEW.msc to make sure the entire PKI structure is fully functional.
  85. Logoff the Subordinate CA.

The original article can be found at:

http://security-24-7.com/windows-2012-r2-certification-authority-installation-guide/

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installing, configuring and hardening an NGINX server from source files, based on a CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.

Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default, must be enabled manually), Firefox 24.0 (disabled by default, must be enabled manually), Chrome 30, Opera 17, Safari 5.0
    1. Installation Phase

    2. Login to the server using the root account.
    3. Install the prerequisite packages:
      yum install policycoreutils-python-* -y
      yum install setools-libs-* -y
      yum install libcgroup-* -y
      yum install audit-libs-python-* -y
      yum install libsemanage-python-* -y
      yum install setools-libs-python-* -y
      yum install gcc* -y
    4. Create a new account:
      groupadd nginx

      useradd -g nginx -d /dev/null -s /sbin/nologin nginx

    5. Upgrade the OpenSSL build:
      rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

      yum --enablerepo=axivo update openssl -y

    6. Download the OpenSSL source files:
      cd /opt

      wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz

    7. Extract the OpenSSL source files:
      tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
    8. Remove the OpenSSL source archive:
      rm -rf /opt/openssl-1.0.1e.tar.gz
    9. Download PCRE source file into /tmp, from:
      http://sourceforge.net/projects/pcre/files/pcre/
    10. Compile PCRE from source file:
      tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp

      mv /tmp/pcre-8.34 /usr/local/pcre

      cd /usr/local/pcre

      ./configure --prefix=/usr/local/pcre

      make

      make install

    11. Remove PCRE package:
      rm -rf /tmp/pcre-8.34.tar.gz
    12. Download Nginx 1.5.8:
      cd /tmp

      wget http://nginx.org/download/nginx-1.5.8.tar.gz

    13. Extract the nginx-1.5.8.tar.gz file:
      tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
    14. Move to the Nginx source folder:
      cd /tmp/nginx-1.5.8
    15. Using VI, edit the file
      /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c
      and replace the following section, from:
      static char ngx_http_server_string[] = "Server: nginx" CRLF;

      static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
      To:
      static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
      static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;

    16. Run the commands below to compile the Nginx environment:
      ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcre
      Note: The command above should be written as one line.
      make

      make install

    17. Remove the Nginx source files:
      cd /

      rm -rf /tmp/nginx-1.5.8

      rm -f /tmp/nginx-1.5.8.tar.gz

    18. Remove the default content:
      rm -rf /usr/local/nginx/html
    19. Update ownership and permissions on the Nginx folders:
      chown -R root:root /usr/local/nginx

      chmod 750 /usr/local/nginx/sbin/nginx

      chmod -R 640 /usr/local/nginx/conf

      chmod -R 770 /usr/local/nginx/logs

    20. Create folder for the web content:
      mkdir -p /www
    21. Update ownership and permissions on the web content folder:
      chown -R root /www

      chmod -R 775 /www

    22. Using VI, edit the file /usr/local/nginx/conf/nginx.conf and change the following settings:
      From:
      #user nobody;
      To:
      user nginx nginx;

      From:
      #error_log logs/error.log notice;
      To:
      error_log logs/error.log notice;

      From:
      server_name localhost;
      To:
      server_name Server_FQDN;
      Note: Replace Server_FQDN with the actual server DNS name.

      From:
      root html;
      To:
      root /www;

    23. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
      ## turn off nginx version number ##
      server_tokens off;
      ## Size Limits & Buffer Overflows ##
      client_body_buffer_size 1K;
      client_header_buffer_size 1k;
      client_max_body_size 1k;
      large_client_header_buffers 2 2k;
      ## Timeouts ##
      client_body_timeout 10;
      client_header_timeout 10;
      send_timeout 10;
    24. Using VI, create the file /etc/init.d/nginx with the following content:
      #!/bin/sh
      #
      # nginx - this script starts and stops the nginx daemon
      #
      # chkconfig: - 85 15
      # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
      # proxy and IMAP/POP3 proxy server
      # processname: nginx
      # config: /usr/local/nginx/conf/nginx.conf
      # config: /etc/sysconfig/nginx
      # pidfile: /var/run/nginx.pid

      # Source function library.
      . /etc/rc.d/init.d/functions

      # Source networking configuration.
      . /etc/sysconfig/network

      # Check that networking is up.
      [ "$NETWORKING" = "no" ] && exit 0

      nginx="/usr/local/nginx/sbin/nginx"
      prog=$(basename $nginx)

      NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

      [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

      lockfile=/var/lock/subsys/nginx

      start() {
      [ -x $nginx ] || exit 5
      [ -f $NGINX_CONF_FILE ] || exit 6
      echo -n $"Starting $prog: "
      daemon $nginx -c $NGINX_CONF_FILE
      retval=$?
      echo
      [ $retval -eq 0 ] && touch $lockfile
      return $retval
      }

      stop() {
      echo -n $"Stopping $prog: "
      killproc $prog -QUIT
      retval=$?
      echo
      [ $retval -eq 0 ] && rm -f $lockfile
      return $retval
      }

      restart() {
      configtest || return $?
      stop
      sleep 1
      start
      }

      reload() {
      configtest || return $?
      echo -n $"Reloading $prog: "
      killproc $nginx -HUP
      RETVAL=$?
      echo
      }

      force_reload() {
      restart
      }

      configtest() {
      $nginx -t -c $NGINX_CONF_FILE
      }

      rh_status() {
      status $prog
      }

      rh_status_q() {
      rh_status >/dev/null 2>&1
      }

      case "$1" in
      start)
      rh_status_q && exit 0
      $1
      ;;
      stop)
      rh_status_q || exit 0
      $1
      ;;
      restart|configtest)
      $1
      ;;
      reload)
      rh_status_q || exit 7
      $1
      ;;
      force-reload)
      force_reload
      ;;
      status)
      rh_status
      ;;
      condrestart|try-restart)
      rh_status_q || exit 0
      ;;
      *)
      echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
      exit 2
      esac

    25. Change the permissions of the file /etc/init.d/nginx:
      chmod +x /etc/init.d/nginx
    26. To start Nginx service at server start-up, run the command:
      chkconfig nginx on
    27. To manually start the Nginx service, use the command:
      /etc/init.d/nginx start
    28. Configure IPTables:
      service iptables stop

      iptables -P INPUT DROP

      iptables -A INPUT -i lo -j ACCEPT

      iptables -A OUTPUT -o lo -j ACCEPT

      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

      Note: Run these commands from the console, not over SSH. The DROP policy takes effect before the RELATED,ESTABLISHED rule and the SSH rule of step 29 exist, so an SSH session used to apply them is cut off.

    29. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
      iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
      Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
    30. Allow HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name.
    31. Save the IPTables settings:
      service iptables save
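
    The firewall rules of steps 28-31, and the port 443 swap of steps 14-16 in the SSL phase, as a small generator script. This is an added example, not part of the original guide: it prints the commands in an order that cannot lock out the session applying them (accept rules first, DROP policy last) and validates the internal segment and interface name before printing anything. The function only prints; review the output and pipe it to sh as root.

```shell
#!/bin/sh
# Added example (not part of the original guide): print the guide's firewall
# commands in an order that cannot lock out the session applying them.
# The guide issues "iptables -P INPUT DROP" before the RELATED,ESTABLISHED and
# SSH accept rules exist, which cuts an SSH session; here the accept rules come
# first and the DROP policy last. MODE http = step 30 (port 80 open),
# MODE https = steps 14-16 of the SSL phase (port 443 open, port 80 closed).
# Usage: nginx_fw_rules INTERNAL_CIDR PUBLIC_IF [http|https]   (prints only)

# Accept an IPv4 CIDR such as 10.0.0.0/8; anything else returns 1.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; bits=${1#*/}
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  case "$ip" in .*|*.|*..*) return 1 ;; esac
  IFS=. read -r o1 o2 o3 o4 extra <<EOF
$ip
EOF
  [ -z "$extra" ] || return 1
  for o in "$o1" "$o2" "$o3" "$o4"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Linux interface names: 1-15 characters from [A-Za-z0-9._-]; rejecting shell
# metacharacters keeps the printed commands safe to pipe into sh.
valid_ifname() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  [ ${#1} -le 15 ]
}

nginx_fw_rules() {
  cidr=$1; pubif=$2; mode=${3:-http}
  valid_cidr "$cidr"    || { echo "invalid internal segment: $cidr" >&2; return 2; }
  valid_ifname "$pubif" || { echo "invalid interface name: $pubif" >&2; return 2; }
  case "$mode" in http|https) ;; *) echo "mode must be http or https" >&2; return 2 ;; esac

  # Open the policy before flushing, so a DROP policy left by an earlier run
  # cannot cut the session while the chain is empty (what "service iptables
  # stop" achieves in the guide).
  echo "iptables -P INPUT ACCEPT"
  echo "iptables -F"
  # Accept rules first: loopback, replies to existing connections, management SSH.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s $cidr -j ACCEPT"
  # Public web port: 80 until the certificate is installed, 443 only afterwards.
  if [ "$mode" = http ]; then port=80; else port=443; fi
  echo "iptables -A INPUT -m state --state NEW -p tcp --dport $port -i $pubif -j ACCEPT"
  # Default deny last, once every rule that keeps the session alive is in place.
  echo "iptables -P INPUT DROP"
  echo "service iptables save"
}

# Stand-alone use: ./script 10.0.0.0/8 eth0 https | sh   (as root, after review)
[ $# -eq 0 ] || nginx_fw_rules "$@"
```
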

    SSL Configuration Phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /usr/local/nginx/ssl

      chmod 600 /usr/local/nginx/ssl

    3. Run the command below to generate a key pair:
      /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048
      Note: Specify a complex pass phrase for the private key (and document it)
    4. Run the command below to generate the CSR from that key:
      /usr/bin/openssl req -new -sha256 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csr
      Note: The command above should be written as one line.
    5. Send the file /tmp/server.csr to a Certificate Authority server.
    6. As soon as you receive the signed certificate from the CA via email, copy all lines from the one starting with “BEGIN” to the one ending with “END” (including those two lines) into Notepad, and save the file as “server.crt”
    7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
    8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
    10. Combine the server certificate (server.crt) and the Root CA chain (ca-bundle.crt) into one file, server certificate first, which is the order nginx requires:
      cat /usr/local/nginx/ssl/server.crt /usr/local/nginx/ssl/ca-bundle.crt > /usr/local/nginx/ssl/server.pem
      Note: The command above should be written as one line.
    11. Remove the passphrase from the private key:
      /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.key
      Note: The command above should be written as one line.
    12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
      rm -f /tmp/server.csr

      rm -f /usr/local/nginx/ssl/server.crt

      rm -f /usr/local/nginx/ssl/ca-bundle.crt

    13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section below from:
      # HTTPS server
      #
      #server {
      # listen 443 ssl;
      # server_name localhost;
      # ssl_certificate cert.pem;
      # ssl_certificate_key cert.key;
      # ssl_session_cache shared:SSL:1m;
      # ssl_session_timeout 5m;
      # ssl_ciphers HIGH:!aNULL:!MD5;
      # ssl_prefer_server_ciphers on;
      # location / {
      # root html;
      # index index.html index.htm;
      # }
      #}

      To:
      # HTTPS server
      #
      server {
      listen 443;
      server_name Server_FQDN;
      ssl on;
      ssl_certificate /usr/local/nginx/ssl/server.pem;
      ssl_certificate_key /usr/local/nginx/ssl/server.key;
      ssl_session_timeout 5m;
      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
      ssl_prefer_server_ciphers on;
      # HTTP Strict Transport Security #
      add_header Strict-Transport-Security max-age=63072000;
      # X-Frame-Options header #
      add_header X-Frame-Options SAMEORIGIN;
      location / {
      root /www;
      index index.html index.htm;
      }
      }

      Note: Replace Server_FQDN with the actual server DNS name.
    14. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    15. Remove HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    16. Save the IPTables settings:
      service iptables save
    17. Restart the nginx:
      service nginx restart

    The original article can be found on:
    http://security-24-7.com/hardening-guide-for-nginx-1-5-8-on-redhat-6-4-64bit-edition/

    Hardening guide for Postfix 2.x

    1. Make sure Postfix is running under a non-root account:
      ps aux | grep postfix | grep -v '^root'
    2. Change permissions and ownership on the destinations below:
      chmod 755 /etc/postfix
      chmod 644 /etc/postfix/*.cf
      chmod 755 /etc/postfix/postfix-script*
      chmod 755 /var/spool/postfix
      chown root:root /var/log/mail*
      chmod 600 /var/log/mail*
    3. Edit using VI, the file /etc/postfix/main.cf and make the following changes:
      • Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
        myhostname = myserver.example.com
      • Configure network interface addresses that the Postfix service should listen on, for example:
        inet_interfaces = 192.168.1.1
      • Configure Trusted Networks, for example:
        mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
      • Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
        myorigin = example.com
      • Configure the SMTP domain destination, for example:
        mydomain = example.com
      • Configure to which SMTP domains to relay messages to, for example:
        relay_domains = example.com
      • Configure SMTP Greeting Banner:
        smtpd_banner = $myhostname
      • Limit Denial of Service Attacks:
        default_process_limit = 100
        smtpd_client_connection_count_limit = 10
        smtpd_client_connection_rate_limit = 30
        queue_minfree = 20971520
        header_size_limit = 51200
        message_size_limit = 10485760
        smtpd_recipient_limit = 100
    4. Restart the Postfix daemon:
      service postfix restart
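
    An added audit script, not part of the original guide, that reads a main.cf the way Postfix does (last assignment wins, indented lines continue the previous value) and reports which of the step 3 settings are missing, advertise the version, or are looser than the values above. The main.cf in the demo function is constructed for illustration, not taken from any real server.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a Postfix main.cf
# against the step 3 values. One line per finding on stdout; returns 0 only
# when every check passes. Usage: audit_main_cf /etc/postfix/main.cf

# Effective value of one main.cf parameter, read the way Postfix does: the last
# assignment wins, indented lines continue the previous value, "#" lines and
# blank lines are ignored. Prints an empty line when the parameter is unset.
cf_get() {  # file key
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]/ {                        # continuation of the previous line
      if (cur == key) { sub(/^[[:space:]]+/, ""); val = val " " $0 }
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      cur = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[[:space:]]/, "", cur)
      sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
      if (cur == key) val = v
    }
    END { print val }' "$1"
}

# Numeric parameter: must be set, greater than 0 (0 means "no limit" for the
# connection rate limit) and satisfy "<value> OP <guide value>"
# (OP is -le for ceilings, -ge for floors).
limit_ok() {  # file key op guide_value
  cur=$(cf_get "$1" "$2")
  case "$cur" in ''|*[!0-9]*) echo "$2: not set or not numeric (guide: $4)"; return 1 ;; esac
  [ "$cur" -gt 0 ] || { echo "$2: 0 is not a limit (guide: $4)"; return 1; }
  [ "$cur" "$3" "$4" ] || { echo "$2: $cur is weaker than the guide value $4"; return 1; }
}

audit_main_cf() {  # file
  cf=$1; rc=0
  [ -r "$cf" ] || { echo "cannot read $cf" >&2; return 2; }
  # Greeting banner: exactly $myhostname, so the Postfix version is not advertised.
  v=$(cf_get "$cf" smtpd_banner)
  [ "$v" = '$myhostname' ] || { echo "smtpd_banner: want \$myhostname, have '${v:-<unset>}'"; rc=1; }
  # Identity and routing parameters the guide sets explicitly.
  for k in myhostname inet_interfaces mynetworks myorigin mydomain relay_domains; do
    [ -n "$(cf_get "$cf" "$k")" ] || { echo "$k: not set"; rc=1; }
  done
  [ "$(cf_get "$cf" inet_interfaces)" != all ] || { echo "inet_interfaces: 'all' binds every address"; rc=1; }
  # Anti-DoS ceilings may be stricter than the guide's but not looser;
  # queue_minfree is a floor and may be higher but not lower.
  limit_ok "$cf" default_process_limit               -le 100      || rc=1
  limit_ok "$cf" smtpd_client_connection_count_limit -le 10       || rc=1
  limit_ok "$cf" smtpd_client_connection_rate_limit  -le 30       || rc=1
  limit_ok "$cf" queue_minfree                       -ge 20971520 || rc=1
  limit_ok "$cf" header_size_limit                   -le 51200    || rc=1
  limit_ok "$cf" message_size_limit                  -le 10485760 || rc=1
  limit_ok "$cf" smtpd_recipient_limit               -le 100      || rc=1
  return $rc
}

# Stand-alone demo on a constructed main.cf (not any real server's file):
# expect findings for the banner, inet_interfaces and message_size_limit.
demo_audit() {
  f=$(mktemp) || return 2
  cat > "$f" <<'EOF'
myhostname = mail.example.com
inet_interfaces = all
mynetworks = 10.0.0.0/16, 192.168.1.0/24,
    127.0.0.1
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
message_size_limit = 10485760
message_size_limit = 52428800
EOF
  audit_main_cf "$f"; rc=$?
  rm -f "$f"
  return $rc
}

[ $# -eq 0 ] || audit_main_cf "$1"
```
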

    The article can also be found at: http://security-24-7.com/hardening-guide-for-postfix-2-x

    Hardening guide for BIND9 (Debian platform)

    1. Make sure BIND is running under a non-root account:
      ps aux | grep bind | grep -v '^root'
    2. Change permissions and ownership on the destinations below:
      chown -R root:bind /etc/bind
      chown root:bind /etc/bind/named.conf*
      chmod 640 /etc/bind/named.conf*
    3. Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:
      • Add the line below to replace DNS version banner:
        version "Secured DNS server";
        Note: In order to test, run the command below:
        dig +short @localhost version.bind chaos txt
      • Add the line below to restrict recursive queries to trusted clients:
        allow-recursion { localhost; 192.168.0.0/24; };
        Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
        Note 2: In order to test, run the command below:
        nslookup www.google.com <BIND_DNS_Server_IP>
      • Add the line below to restrict query origins to trusted clients:
        allow-query { localhost; 192.168.0.0/24; };
        Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
      • Add the line below to disable answers to server ID (ID.SERVER / NSID) queries:
        server-id none;
      • Add the line below to restrict which hosts can perform zone transfers:
        allow-transfer { 192.168.1.1; };
        Note: Replace 192.168.1.1 with the trusted DNS server.
      • Add the line below to restrict the DNS server to listening on specific interfaces only:
        listen-on port 53 { 127.0.0.1; 192.168.1.1; };
        Note: Replace 192.168.1.1 with the IP address of the DNS server.
    4. Restart the DNS daemon:
      service bind9 restart

    The article can also be found at: http://security-24-7.com/hardening-guide-for-bind9-debian-platform/

    DLP

    One of the most common definitions for the term DLP (Data Loss Prevention or Data Leakage Prevention) is “systems that identify, monitor, and protect data through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing and recipient/destination and so on) and with a centralized management framework.”

    Purpose of this article
    Organizations are interested in protecting their sensitive data, and DLP provides them with a framework to do that. So far no news… However, the DLP world is a bit more complicated than that, and the purpose of this article is to highlight a few basic domains and areas that are worth thinking about when considering DLP solutions.

    Common Data Locations and States

    • Data in motion – Any data that is moving through the network to destinations outside the local / corporate LAN via the Internet
    • Data at rest – Data that resides in files systems, databases and other storage methods
    • Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly-mobile devices)

    Examples of sensitive data:

    • Confidential and/or proprietary data, for example: processes, methodologies, development code, etc.
    • Customer and employee data
    • Financial data
    • Data that is regulated by regional and national laws such as HIPAA, SOX and GLBA

    Common Data Leakage Channels:
    Technical side:

    • Email Traffic – SMTP from mail servers
    • Web mail (Gmail, Yahoo, etc)
    • Uploading files to internet destinations (HTTP, HTTPS, FTP)
    • Posting on internet sites (blogs, social media, forums)
    • Instant messaging (gTalk, MSN, Yahoo, Skype)
    • P2P networks
    • Wi-Fi networks
    • Key loggers, Trojan horses
    • Multiple platforms (Windows, Linux, Mac, etc.)
    • Application permissions (ERP, database, SaaS platforms, SharePoint)

    Physical:

    • Mobile devices
    • Non-encrypted hard drives
    • USB drives (Disk on key, external hard drives)
    • Portable media (CD/DVD, floppy drive, backup tapes)
    • Physical security (hard copy of documents)

    Human factor:

    • Lack of employee awareness to security risks
    • Partners, suppliers, temporary employees and visitors
    • Working from home, remote locations, internet cafe

    Companies need to protect themselves from scenarios such as the following:

    • Inadvertent forwarding of email containing product development or business plans to another email recipient
    • An employee extracts data from a secure system and conducts the analysis on a less secure system
    • Sending unreleased pricing information to the wrong email address
    • Customer or competitive information sent by an employee to a third-party for financial gain
    • A disgruntled employee with privileged access to sensitive information acts maliciously and steals information
    • Proprietary information sent to a distributor, who might then forward it on to competitors
    • Backup tapes are stored in a non-secure environment and a curious intruder removes a tape to examine its content
    • Incorrect permission settings on files and directories could allow anyone to access the information

    DLP solutions prevent confidential data loss by:

    • Monitoring communications going outside of the organization
    • Encrypting email containing confidential content
    • Enabling compliance with global privacy and data security mandates
    • Securing outsourcing and partner communications
    • Protecting intellectual property
    • Preventing malware-related data harvesting
    • Enforcing acceptable use policies
    • Providing a deterrent for malicious users (by creating the possibility of being caught)

    How to implement DLP solution:

    1. Perform a risk assessment to find out:
      • What type of data exists in the organization?
      • Where is the data located/saved?
      • How valuable is the data to the organization?
      • What type of loss is the organization willing to accept?
      • What are the regulatory and privacy gaps for the organization?
    2. Classify the organization's data:
      • Top secret
      • Secret
      • Confidential
      • Restricted
      • Unclassified
    3. Decide what information the organization would like to search for and protect, and by which method:
      • Pattern, keyword matching and dictionaries
      • Document fingerprinting
      • Database fingerprinting
    4. Prepare a data loss prevention plan:
      • How to limit the damage to the organization
      • How to avoid similar incidents from happening in the future
      • How to report to the management, stock holders and media on the current data loss incident
    5. Prepare policies, standards and procedures for handling data loss incidents:
      • Scan HTTPS traffic on the gateway
      • Block data from leaving the organization
      • Encrypt sensitive information inside the database
      • Full disk encryption
      • Encrypt data before sending it to partners/suppliers
      • Prevent use of portable media
      • Employee awareness training
    6. Deploy the DLP solution:
      • Install a product on the gateway
      • Configure SSL termination – recommended
      • Configure an encryption gateway for SMTP traffic – recommended
      • Deploy agents on the end-points – highly recommended
    7. Ongoing monitoring:
      • Review incidents on a regular basis (daily/weekly)
      • Fine-tune the product to raise alerts on important incidents and collect all other incidents.
      • Create reports on a regular basis to locate top senders/targets
      • Perform data discovery on a regular basis (daily/weekly/monthly) on network shares, servers, end-points, etc.

    The article can also be found at: http://security-24-7.com/dlp

    Hardening guide for Hyper-V on Windows 2008 R2 server core platform

    OS installation phase

    1. Boot the server using Windows 2008 R2 bootable DVD.
    2. Specify the product ID -> click Next.
    3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
    4. Accept the license agreement -> click Next.
    5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
    6. Allow the installation phase to continue and restart the server automatically.
    7. To login to the server for the first time, press CTRL+ALT+DELETE
    8. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
    9. From the command prompt window, run the command below:
      sconfig.cmd
    10. Press “2″ to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
    11. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
    12. From the command prompt window, run the command below:
      sconfig.cmd
    13. Press “1” to join the server to the domain -> press “D” to join to domain -> specify the domain name -> click “Yes” to restart the server.
    14. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
    15. From the command prompt window, run the command below:
      sconfig.cmd
    16. Press “5″ to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
    17. Press “6″ to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
    18. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
    19. From the command prompt window, run the command below:
      sconfig.cmd
    20. In-case you need to use RDP to access and manage the server, press “7″ to enable “Remote Desktop” -> choose “E” to enable -> choose either “1″ or “2″ according to your client settings -> Press OK.
    21. Press “8″ to configure “Network settings” -> select the network adapter by its Index number -> press “1″ to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2″ to configure the DNS servers -> click OK -> press “4″ to return to the main menu.
    22. Press “9″ to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
    23. Press “11″ to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
    24. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
    25. To install the Hyper-V role, run the command below:
      start /w ocsetup Microsoft-Hyper-V
    26. Click “Yes” to allow the server to restart.
    27. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
    28. To check that the installation completed, run the command: oclist | find /i "Microsoft-Hyper-V"
    29. Run the commands below to enable remote management of Hyper-V:
      netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes  

      netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

    30. In case you install antivirus for Server Core, add the following to the antivirus exclusions:
      • Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
      • Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
      • Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
      • Vmms.exe
      • Vmwp.exe

    Manage Hyper-V VMs from Windows 7

    1. Login to a Windows 7 client using administrative account.
    2. Download and install the Remote Server Administration Tools (RSAT) for Windows 7 from:
      http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
    3. Open Control Panel and click Programs.
    4. Click Turn Windows features on or off.
    5. Under Remote Server Administration Tools Role -> Administration Tools check Hyper-V Tools.
    6. Launch the tools either by typing Hyper-V Manager at the Start menu or by going to Start -> Administrative Tools -> Hyper-V Manager.

    Virtual Machine Servicing Tool 3.0

      Virtual Machine Servicing Tool 3.0 helps to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches. Download link:
      http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23300

    Using Authorization Manager for Hyper-V Security

      Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions. Link for more information:
      http://technet.microsoft.com/en-us/library/cc726036.aspx
      The article can be found on:
      http://security-24-7.com/hardening-guide-for-hyper-v-on-windows-2008-r2-server-core-platform/

    Hardening guide for Drupal 7.7

    This guide can also be found at http://security-24-7.com/hardening-guide-for-drupal-7-7/
    Pre-installation notes
    The guide below is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

    The guide below is based on the previous guides:

    PHP installation phase

    1. Login to the server using Root account.
    2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
      rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
      rpm -ivh glibc-headers-2.5-49.i386.rpm
      rpm -ivh glibc-devel-2.5-49.i386.rpm
      rpm -ivh gmp-4.1.4-10.el5.i386.rpm
      rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
      rpm -ivh gcc-4.1.2-48.el5.i386.rpm
      rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
      rpm -ivh zlib-devel-1.2.3-3.i386.rpm
      rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
      rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
      rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
      rpm -ivh libjpeg-devel-6b-37.i386.rpm
    3. Download MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
    4. Download PHP 5.3.8 source files from: http://php.net/downloads.php
    5. Download the latest libxml2 for PHP from: http://xmlsoft.org/sources/
    6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
    7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
    8. Move to /tmp:
      cd /tmp
    9. Install the MySQL development RPM:
      rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
    10. Remove MySQL development RPM:
      rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
    11. Extract the php-5.3.8.tar.gz file:
      tar -zxvf php-5.3.8.tar.gz
    12. Extract the libxml2 source file:
      tar -zxvf libxml2-2.7.7.tar.gz
    13. Move to the libxml2-2.7.7 folder:
      cd /tmp/libxml2-2.7.7
    14. Run the commands below to compile libxml2:
      ./configure
      make
      make install
    15. Move to the PHP source folder:
      cd /tmp/php-5.3.8
    16. Run the commands below to compile the PHP environment:
      ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
      make
      make install
    17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Add the following string, to the end of the AddType section:
      AddType application/x-httpd-php .php

      Replace the line from:
      DirectoryIndex index.html
      To:
      DirectoryIndex index.php index.html index.htm

      Replace the value of the string, from:
      LimitRequestBody 10000
      To:
      LimitRequestBody 600000

    18. Copy the php.ini file:
      cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
    19. Change the permissions on the php.ini file:
      chmod 640 /etc/php.ini
    20. Edit using VI, the file /etc/php.ini
      Replace the value of the string, from:
      mysql.default_host =
      To:
      mysql.default_host = 127.0.0.1:3306       

      Replace the value of the string, from:
      pdo_mysql.default_socket=
      To:
      pdo_mysql.default_socket=127.0.0.1

      Replace the value of the string, from:
      allow_url_fopen = On
      To:
      allow_url_fopen = Off

      Replace the value of the string, from:
      expose_php = On
      To:
      expose_php = Off

      Replace the value of the string, from:
      memory_limit = 128M
      To:
      memory_limit = 64M

      Replace the value of the string, from:
      ;open_basedir =
      To:
      open_basedir = "/www"

      Replace the value of the string, from:
      post_max_size = 8M
      To:
      post_max_size = 2M

      Replace the value of the string, from:
      disable_functions =
      To:
      disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,chown,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups
      Note: The value above should be written as one line, without spaces.

      Replace the value of the string, from:
      ;include_path = ".:/php/includes"
      To:
      include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

      Replace the value of the string, from:
      display_errors = On
      To:
      display_errors = Off

      Replace the value of the string, from:
      display_startup_errors = On
      To:
      display_startup_errors = Off

      Replace the value of the string, from:
      ;gd.jpeg_ignore_warning = 0
      To:
      gd.jpeg_ignore_warning = 1

    21. Run the commands below to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop       

      /usr/local/apache2/bin/apachectl start

    22. Remove the PHP source and test files:
      rm -f /tmp/php-5.3.8.tar.gz
      rm -f /tmp/libxml2-2.7.7.tar.gz
      rm -rf /tmp/php-5.3.8
      rm -rf /tmp/libxml2-2.7.7
      rm -rf /tmp/pear
      rm -rf /usr/local/apache2/lib/php/test
      rm -rf /usr/local/lib/php/test

    Drupal installation phase

    1. Login to the server using Root account.
    2. Run the command below to log in to MySQL:
      /usr/bin/mysql -uroot -pnew-password       

      Note: Replace the string “new-password” with the actual password for the root account.
    3. Run the following commands from the MySQL prompt:
      CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
      CREATE DATABASE Z5J6Dw1;
      GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
      FLUSH PRIVILEGES;
      quit

      Note 1: Replace “blgusr” with your own MySQL account to access the database.
      Note 2: Replace “password2” with complex password (at least 14 characters).
      Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
      Note 4: Do not reset the account with OLD_PASSWORD(): the mysqlnd driver that PHP was built with in step 16 of the PHP installation phase rejects the pre-4.1 password hash and cannot connect with such an account.

    4. Download Drupal 7.7 from: http://drupal.org/project/drupal
    5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
    6. Move to /www cd /www
    7. Extract the file below:
      tar -zxvf drupal-7.7.tar.gz
    8. Remove Drupal source file:
      rm -f /www/drupal-7.7.tar.gz
    9. Rename the Drupal folder:
      mv /www/drupal-7.7 /www/drupal
    10. Remove default content:
      rm -f /www/drupal/CHANGELOG.txt
      rm -f /www/drupal/COPYRIGHT.txt
      rm -f /www/drupal/INSTALL.pgsql.txt
      rm -f /www/drupal/LICENSE.txt
      rm -f /www/drupal/UPGRADE.txt
      rm -f /www/drupal/INSTALL.mysql.txt
      rm -f /www/drupal/INSTALL.sqlite.txt
      rm -f /www/drupal/INSTALL.txt
      rm -f /www/drupal/MAINTAINERS.txt
      rm -f /www/drupal/sites/example.sites.php
    11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Replace the line from:
      DocumentRoot "/www"
      To:
      DocumentRoot "/www/drupal"
    12. Run the commands below to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop
      /usr/local/apache2/bin/apachectl start

    13. Create the following folders:
      mkdir /www/drupal/sites/default/files
      mkdir /www/private

    14. Copy the settings.php file:
      cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
    15. Change permissions on the settings.php file and the writable folders:
      chmod a+w /www/drupal/sites/default/settings.php
      chmod -R 777 /www/drupal/sites/default/files
      chmod -R 777 /www/private

    16. Open a web browser from a client machine, and enter the URL below:
      http://Server_FQDN/install.php
    17. Select “Standard” installation and click “Save and continue”.
    18. Choose the default “English” and click “Save and continue”.
    19. Specify the following details:
      • Database type: MySQL
      • Database name: Z5J6Dw1
      • Database username: blgusr
      • Database password: password2
      • Click on Advanced Options
      • Database host: 127.0.0.1
      • Table prefix: Z5J6Dw1_

      Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).

    20. Click “Save and Continue”.
    21. Specify the following information:
      • Site name
      • Site e-mail address (for automated e-mails, such as registration information)
      • Username (for the default administrator account)
      • E-mail address
      • Password
    22. Select “Default country” and “Default time zone”.
    23. Unselect the “Update Notifications” checkboxes.
    24. Click “Save and Continue”.
    25. Close the web browser.
    26. Create using VI the file /www/config.php with the following content (it sits one level above the DocumentRoot /www/drupal, so Apache can never serve it to a client):
      <?php
      $databases = array (
        'default' =>
        array (
          'default' =>
          array (
            'driver' => 'mysql',
            'database' => 'Z5J6Dw1',
            'username' => 'blgusr',
            'password' => 'password2',
            'host' => '127.0.0.1',
            'port' => '',
            'prefix' => 'Z5J6Dw1_',
          ),
        ),
      );

      Note 1: Make sure there are no spaces, newlines, or other characters before the opening <?php tag, and leave out the closing ?> tag, so that stray whitespace can never be sent to the browser before Drupal's own headers.
      Note 2: Replace "blgusr" with your own MySQL account to access the database.
      Note 3: Replace "password2" with a complex password (at least 14 characters).
      Note 4: Replace "Z5J6Dw1" with your own Drupal database name.

    27. Edit using VI, the file /www/drupal/sites/default/settings.php:
      Add the following line:
      include('/www/config.php');

      Remove the following section (the credentials now come from /www/config.php):
      $databases = array (
        'default' =>
        array (
          'default' =>
          array (
            'driver' => 'mysql',
            'database' => 'Z5J6Dw1',
            'username' => 'blgusr',
            'password' => 'password2',
            'host' => '127.0.0.1',
            'port' => '',
            'prefix' => 'Z5J6Dw1_',
          ),
        ),
      );

      Replace the string from:
      ini_set('session.cookie_lifetime', 2000000);
      To:
      ini_set('session.cookie_lifetime', 0);

      Note: a lifetime of 0 turns the session cookie into a browser-session cookie that is discarded when the browser closes, instead of one that lives for 2000000 seconds (about 23 days).

    28. Change permissions on the settings.php file (the installer no longer needs to write it):
      chmod a-w /www/drupal/sites/default/settings.php
    29. Add the following lines to the /www/drupal/.htaccess file:
      # Block any file that starts with "."
      <FilesMatch "^\.">
           Order allow,deny
      </FilesMatch>

      # Allow "." files with safe content types
      <FilesMatch "^\..*\.(Safe_extensions)$">
           Order deny,allow
      </FilesMatch>

      Note 1: The two <FilesMatch> containers correspond to the two comments; the guide does not fix the extension list for the second one, so replace "Safe_extensions" with a |-separated list of the extensions you are willing to serve from dot-files (for example css|js|png).
      Note 2: "Order allow,deny" with no Allow directive denies every matching request; "Order deny,allow" with no Deny directive allows it. This is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, or use "Require all denied" and "Require all granted" instead.
    30. Run the command below to change permissions on the /www/drupal/.htaccess file:
      chmod 444 /www/drupal/.htaccess
    31. Download into /www/drupal/sites/all/modules the latest build of the modules below (Drupal 7.x releases from drupal.org; the file names in steps 33 and 34 are the builds used when this guide was written):
      • dfw (Drupal firewall)
      • spamspan (SpamSpan)
      • content_security_policy (Content Security Policy)
      • goaway (GoAway)
      • ip_anon (IP anonymize)
      • flood_control (Flood control)
      • password_policy (Password policy, including the Password change tab)
      • persistent_login (Persistent Login)
      • secure_permissions (Secure Permissions)
      • security_review (Security Review)
      • system_perm (System Perms)
      • blockanonymouslinks (BlockAnonymousLinks)
    32. From SSH session, move to the folder /www/drupal/sites/all/modules.
    33. Extract the modules downloaded above:
      tar zxvf dfw-7.x-1.1.tar.gz
      tar zxvf spamspan-7.x-1.1-beta1.tar.gz
      tar zxvf content_security_policy-7.x-1.x-dev.tar.gz
      tar zxvf goaway-7.x-1.2.tar.gz
      tar zxvf ip_anon-7.x-1.0.tar.gz
      tar zxvf flood_control-7.x-1.0.tar.gz
      tar zxvf password_policy-7.x-1.0-beta1.tar.gz
      tar zxvf persistent_login-7.x-1.x-dev.tar.gz
      tar zxvf secure_permissions-7.x-1.5.tar.gz
      tar zxvf security_review-7.x-1.x-dev.tar.gz
      tar zxvf system_perm-7.x-1.x-dev.tar.gz
      tar zxvf blockanonymouslinks-7.x-1.1.tar.gz

    34. Remove the module archive files:
      rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz
      rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz
      rm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz
      rm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz
      rm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz
      rm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz
      rm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz
      rm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz
      rm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz
      rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz
      rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz
      rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

    35. Open a web browser from a client machine, and enter the URL below:
      http://Server_FQDN/?q=user/login
    36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
    37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
    38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
    39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
    40. From the upper menu, click on Modules -> from the main page, select the following modules:
      • Drupal firewall
      • SpamSpan
      • Content Security Policy
      • Content Security Policy Reporting
      • GoAway
      • IP anonymize
      • Flood control
      • Password change tab
      • Password policy
      • Persistent Login
      • Secure Permissions
      • Security Review
      • System Perms
      • BlockAnonymousLinks
    41. Click on Save configuration.
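    The file-permission steps above (15 and 26 to 30) are the ones most often undone later, for example when the installer is re-run and settings.php is left writable. The script below is an added example and not part of the original guide: it audits the layout those steps are meant to leave behind. It assumes a POSIX shell, that `ls -ld` prints the mode string in its first ten characters (GNU and BSD both do), and the guide's paths as defaults; the directory tree it is run against is yours.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the permissions that steps 15
# and 26-30 are meant to leave behind. Assumes POSIX sh and that `ls -ld` prints
# the mode string in the first 10 characters (GNU and BSD ls both do).

mode_of() { ls -ld "$1" | cut -c1-10; }          # e.g. "-r--r--r--"
abs_dir() { (cd "$1" 2>/dev/null && pwd -P); }   # canonical path, symlinks resolved

# drupal_perm_check DOCROOT CONFIG_PHP [UPLOAD_DIR ...]
# Prints one FINDING line per problem and returns the number of findings.
# 0 means the tree matches the guide, with the upload dirs NOT world-writable.
drupal_perm_check() {
  docroot=$1; config=$2; shift 2
  findings=0
  settings="$docroot/sites/default/settings.php"
  htaccess="$docroot/.htaccess"

  for f in "$settings" "$htaccess" "$config"; do
    [ -e "$f" ] || { echo "FINDING: $f is missing"; findings=$((findings+1)); }
  done

  # step 28: chmod a-w leaves no write bit at all on settings.php
  m=$(mode_of "$settings")
  case "$m" in
    *w*) echo "FINDING: $settings is writable ($m); run chmod a-w"; findings=$((findings+1)) ;;
  esac

  # step 30: .htaccess is expected to be exactly 444
  m=$(mode_of "$htaccess")
  case "$m" in
    -r--r--r--) ;;
    *) echo "FINDING: $htaccess mode is $m, expected -r--r--r-- (444)"; findings=$((findings+1)) ;;
  esac

  # step 26: the credentials file must sit outside DocumentRoot so Apache can never serve it
  root=$(abs_dir "$docroot")
  cfgdir=$(abs_dir "$(dirname "$config")")
  case "$cfgdir/" in
    "$root/"*) echo "FINDING: $config is inside DocumentRoot $root"; findings=$((findings+1)) ;;
  esac

  # step 15: 777 lets every local account drop files into the upload folders;
  # only the Apache service account needs write access there
  for d in "$@"; do
    m=$(mode_of "$d")
    case "$m" in
      ????????w?) echo "FINDING: $d is world-writable ($m); chown it to the Apache user and use 770"; findings=$((findings+1)) ;;
    esac
  done
  return "$findings"
}

# Stand-alone usage against the guide's paths; the exit status is the finding count:
#   sh drupal_perm_check.sh --run
if [ "${1:-}" = "--run" ]; then
  drupal_perm_check /www/drupal /www/config.php /www/drupal/sites/default/files /www/private
fi
```

    Run it after step 41 and again after every module update or re-install; a non-zero exit status is a regression of one of the steps above. The world-writable check deliberately flags the 777 from step 15, since that is the setting the note there recommends tightening.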

    Drupal SSL configuration phase

    1. Add the following line to the /www/drupal/sites/default/settings.php file (the file was made read-only in step 28 of the previous phase; root can still save it from VI with :w!, or run chmod u+w before and chmod a-w after the edit). It makes Drupal keep a separate, secure-only session cookie for HTTPS requests, and assumes the Apache instance already has an SSL virtual host for the site:
      $conf['https'] = TRUE;
    2. Download into /www/drupal/sites/all/modules the latest build of the modules below (Drupal 7.x releases from drupal.org):
      • securepages (Secure Pages)
      • securelogin (Secure Login)
    3. From SSH session, move to the folder /www/drupal/sites/all/modules.
    4. Extract the modules downloaded above:
      tar zxvf securepages-7.x-1.x-dev.tar.gz
      tar zxvf securelogin-7.x-1.2.tar.gz

    5. Remove the module archive files:
      rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz
      rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    6. Open a web browser from a client machine, and enter the URL below:
      https://Server_FQDN/?q=user/login
    7. From the upper menu, click on Modules -> from the main page, select the following modules:
      • Secure Login
      • Secure Pages
    8. Click on Save configuration.
    9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

     


    Hardening guide for Squid 3.1.8 on CentOS 5.5

    1.      Log in to the server using the root account.
    2.      Create a dedicated service account for Squid (no login shell):
    groupadd squid
    useradd -g squid -d /var/spool/squid -s /sbin/nologin squid
    3.      Install the following RPM files from the CentOS DVD (build dependencies only; they are removed again in step 16):
    rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-49.i386.rpm
    rpm -ivh glibc-devel-2.5-49.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh cpp-4.1.2-48.el5.i386.rpm
    rpm -ivh gcc-4.1.2-48.el5.i386.rpm
    rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm
    rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm
    4.      Download the latest Squid source files from:
    http://www.squid-cache.org/Versions/
    5.      Copy using SCP (or PSCP), Squid source files into /tmp
    6.      Move to /tmp
    cd /tmp
    7.      Extract Squid source file:
    tar zxvf squid-3.1.8.tar.gz
    8.      Move to the Squid source folder:
    cd /tmp/squid-3.1.8
    9.      Run the commands below to compile Squid from source files (--enable-http-violations is required for the request_header_access rules added in step 12):
    ./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid \
      --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid \
      --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations
    make all
    make install
    10.  Move one folder up and remove Squid source files and default content:
    cd ..
    rm -rf /tmp/squid-3.1.8
    rm -f /tmp/squid-3.1.8.tar.gz
    rm -rf /usr/share/squid/man
    rm -f /etc/squid/cachemgr.conf.default
    rm -f /etc/squid/errorpage.css.default
    rm -f /etc/squid/mime.conf.default
    rm -f /etc/squid/msntauth.conf.default
    rm -f /etc/squid/squid.conf.default
    rm -f /etc/squid/squid.conf.documented
    11.  Change ownership and permissions on the log folder:
    chown squid:root /var/log/squid
    chmod 770 /var/log/squid
    12.  Edit using VI, the file /etc/squid/squid.conf and add the following lines to the end of the file:
    cache_access_log /var/log/squid/access.log
    cache_store_log none
    shutdown_lifetime 1 second
    icp_port 0
    htcp_port 0
    icp_access deny all
    htcp_access deny all
    forwarded_for off
    request_header_access Allow allow all
    request_header_access Authorization allow all
    request_header_access WWW-Authenticate allow all
    request_header_access Proxy-Authorization allow all
    request_header_access Proxy-Authenticate allow all
    request_header_access Cache-Control allow all
    request_header_access Content-Encoding allow all
    request_header_access Content-Length allow all
    request_header_access Content-Type allow all
    request_header_access Date allow all
    request_header_access Expires allow all
    request_header_access Host allow all
    request_header_access If-Modified-Since allow all
    request_header_access Last-Modified allow all
    request_header_access Location allow all
    request_header_access Pragma allow all
    request_header_access Accept allow all
    request_header_access Accept-Charset allow all
    request_header_access Accept-Encoding allow all
    request_header_access Accept-Language allow all
    request_header_access Content-Language allow all
    request_header_access Mime-Version allow all
    request_header_access Retry-After allow all
    request_header_access Title allow all
    request_header_access Connection allow all
    request_header_access Proxy-Connection allow all
    request_header_access User-Agent allow all
    request_header_access Cookie allow all
    request_header_access All deny all
    visible_hostname server1
    maximum_object_size 4096 KB
    minimum_object_size 1 KB
    dns_nameservers DNS_value
    client_lifetime 360 minutes
    pconn_timeout 360 minutes
    Note 1: Replace "server1" with the Squid server DNS name.
    Note 2: Replace "DNS_value" with the IP addresses of your DNS servers (space-separated).
    Note 3: The request_header_access lines are evaluated in order like http_access, so keep "request_header_access All deny all" last, as above, so the explicit allow rules match first. These lines say nothing about which clients may use the proxy; that is decided by the http_access rules in the squid.conf that make install placed in /etc/squid (allow localnet and localhost, deny all). Review them and narrow "localnet" to the client networks you actually serve.
    Note 4: "forwarded_for off" does not remove the X-Forwarded-For header; Squid still sends it with the value "unknown". Squid 3.1 also accepts "forwarded_for delete" if the header must not appear at all.
    13.  Run the commands below to validate the configuration file and initialize the Squid cache directories:
    /usr/sbin/squid -k parse
    /usr/sbin/squid -z
    14.  In order to start the Squid service manually, run the command below:
    /usr/sbin/squid
    15.  In order to start the Squid service at server startup, add the command below to the /etc/rc.local file:
    /usr/sbin/squid
    16.  Uninstall the compiler packages installed in step 3 (they are only needed for the build and would otherwise be available to an attacker on the proxy):
    rpm -e gcc-c++-4.1.2-48.el5
    rpm -e libstdc++-devel-4.1.2-48.el5
    rpm -e gcc-4.1.2-48.el5
    rpm -e cpp-4.1.2-48.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-49
    rpm -e glibc-headers-2.5-49
    rpm -e kernel-headers-2.6.18-194.el5
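    To see what the request_header_access list in step 12 actually does to a client request, the following is an added example, not part of the original guide: it replays the same allow/deny rules against a constructed HTTP request in plain sh and awk. The squid.conf excerpt (shortened to a few of the guide's lines) and the request are embedded test data, and the script models only the allow/deny decision on each header, not the rest of Squid's request processing.

```shell
#!/bin/sh
# Added example, not from the original guide: replay the request_header_access
# allowlist from step 12 against a constructed client request, to show which
# headers a client can still leak through the proxy. Needs POSIX sh and awk.

# Same rule shape as the guide (shortened); "All deny all" is the catch-all it puts last.
SQUID_CONF='request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Host allow all
request_header_access Accept allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access Connection allow all
request_header_access All deny all'

# Constructed request: what a browser behind the proxy might send, including
# headers that reveal the internal network (Referer, X-Forwarded-For, Via).
REQUEST='GET http://www.example.com/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
Referer: http://intranet.example.local/secret-project
X-Forwarded-For: 10.1.2.3
Via: 1.1 internal-proxy
Cookie: session=abc
Connection: keep-alive
'

# allowed_headers CONF -> lower-cased names of headers that have an "allow all"
# rule, one per line. Everything else falls through to "All deny all".
allowed_headers() {
  printf '%s\n' "$1" |
    awk '$1 == "request_header_access" && $3 == "allow" && $2 != "All" { print tolower($2) }'
}

# _apply CONF REQUEST MODE: MODE "keep" prints the filtered request,
# MODE "dropped" prints only the names of the headers that were removed.
_apply() {
  allow=$(allowed_headers "$1")
  printf '%s\n' "$2" | awk -v allow="$allow" -v mode="$3" '
    BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { if (mode == "keep") print; next }             # request line passes
    /^$/    { inbody = 1; if (mode == "keep") print; next }  # blank line ends headers
    inbody  { if (mode == "keep") print; next }             # body passes
    {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      if (name in ok) { if (mode == "keep") print }
      else if (mode == "dropped") print name
    }'
}
filter_request()  { _apply "$1" "$2" keep; }
dropped_headers() { _apply "$1" "$2" dropped; }

# Stand-alone usage: show the outgoing request, then the headers that were stripped.
if [ "${1:-}" = "--run" ]; then
  filter_request "$SQUID_CONF" "$REQUEST"
  echo "--- dropped:"
  dropped_headers "$SQUID_CONF" "$REQUEST"
fi
```

    With the guide's rules, Referer, X-Forwarded-For and Via from the client are dropped while Host, User-Agent, Accept, Cookie and Connection pass. Squid then adds its own Via header (via is on by default) and, with "forwarded_for off", an X-Forwarded-For of "unknown", so a header being on the deny side here does not mean the upstream server sees no such header at all.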

    The article can also be found at:
    http://security-24-7.com/hardening-guide-for-squid-3-1-8-on-centos-5-5/


    Generating self-signed SSL certificate using OpenSSL

    OpenSSL allows you to request, sign, generate, export and convert digital certificates.
    OpenSSL ships by default with most Unix-like platforms as an RPM or package (RedHat, Solaris, etc).
    The guide below explains how to generate an RSA private key and a self-signed SSL certificate for a web server, and how to export/convert the key and certificate to a PFX file (for importing to Windows platform).
    The guide below was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin); the same syntax works on the Windows platform as well.
     

    Download link for Windows binaries:
    http://www.slproweb.com/products/Win32OpenSSL.html
    Download link for the source code (Linux and other platforms):
    http://www.openssl.org/source/
    1. Install OpenSSL.
    2. Run the command below to generate a new RSA private key called "server.key", protected by a passphrase (2048 bits; 1024-bit keys are no longer accepted by current browsers):
    openssl genrsa -des3 -out /tmp/server.key 2048
    3. Run the commands below to create a self-signed certificate from the key (valid for 1095 days and signed with SHA-256; SHA-1 signatures are rejected by current browsers), and to write its details and fingerprint to a text file:
    openssl req -new -x509 -sha256 -days 1095 -key /tmp/server.key > /tmp/server.crt
    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info
    4. Run the command below to back up the passphrase-protected private key:
    cp /tmp/server.key /tmp/server.key.bak
    5. Run the commands below to write a copy of the private key without a passphrase (needed by web servers that must start unattended) and to make sure only its owner can read it:
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
    chmod 600 /tmp/no.pwd.server.key
    6. Run the command below only if you need a PEM file that contains both the private key and the certificate in one file:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
    7. Run the command below only if you need to export the key and certificate to a PFX (PKCS#12) file (for importing to Windows platform). You will be prompted for an export password, which protects the private key inside the PFX:
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -out /tmp/server.pfx
    Note 1: /tmp is shared and world-readable. Create the files in a directory only you can read (or run "umask 077" first) and delete the un-passworded copies as soon as they are installed on the web server.
    Note 2: The -certfile option of "openssl pkcs12" is only needed to add intermediate CA certificates to the PFX; a self-signed certificate has none, and pointing it at the .pem file that also holds the private key only duplicates the certificate.
    Appendix:
    server.key – Private key (passphrase-protected)
    server.crt – Self-signed certificate (contains the public key)
    no.pwd.server.key – Private key (without a passphrase)
    no.pwd.server.pem – Private key + certificate in one file (without a passphrase)
    server.pfx – Private key + certificate in PKCS#12 format, importable on Windows platform (i.e IIS server)
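    As an added example that is not part of the original article, the script below does the work of steps 2 to 7 in one function and adds the checks a practitioner wants before installing the result: a subjectAltName (current browsers ignore the CN), 2048-bit RSA with SHA-256, a key file that is created already unreadable to others, a proof that the certificate and key actually belong together, and a read-back of the exported PFX. It assumes a POSIX shell and the openssl command-line tool (1.0.2 or later); the host name, output directory and PFX password are parameters, and the default password "changeit" is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: generate a self-signed server
# certificate the way a current browser expects it, verify the pieces belong
# together, and export a PFX. Assumes POSIX sh and openssl >= 1.0.2.

# cert_matches_key CERT KEY -> 0 if the public key in CERT equals the one derived from KEY
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# make_selfsigned OUTDIR FQDN [DAYS]
# Writes OUTDIR/server.key (mode 600), server.crt, server.pfx (mode 600) and
# server.info, and prints the SHA-256 fingerprint. The PFX export password is
# taken from $PFX_PASS (placeholder default "changeit": replace it).
make_selfsigned() {
  out=$1; fqdn=$2; days=${3:-825}
  mkdir -p "$out" || return 1

  # request config: no interactive prompts, SAN + server-auth extensions
  cat > "$out/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = srv
prompt = no
[dn]
CN = $fqdn
[srv]
subjectAltName = DNS:$fqdn
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # umask 077 in a subshell so the key is never readable by others, not even briefly
  (umask 077; openssl genrsa -out "$out/server.key" 2048) 2>/dev/null || return 1
  chmod 600 "$out/server.key"

  openssl req -new -x509 -sha256 -days "$days" -key "$out/server.key" \
    -config "$out/req.cnf" -out "$out/server.crt" 2>/dev/null || return 1

  cert_matches_key "$out/server.crt" "$out/server.key" || { echo "key/cert mismatch" >&2; return 1; }

  # PFX for Windows/IIS. No -certfile: that is only for intermediates, and a
  # self-signed certificate has none.
  (umask 077; openssl pkcs12 -export -in "$out/server.crt" -inkey "$out/server.key" \
    -passout "pass:${PFX_PASS:-changeit}" -out "$out/server.pfx") 2>/dev/null || return 1
  chmod 600 "$out/server.pfx"
  # read it back: a PFX that cannot be parsed is not worth shipping
  openssl pkcs12 -in "$out/server.pfx" -passin "pass:${PFX_PASS:-changeit}" \
    -nokeys 2>/dev/null | openssl x509 -noout -subject >/dev/null || return 1

  openssl x509 -in "$out/server.crt" -noout -text -fingerprint -sha256 > "$out/server.info"
  openssl x509 -in "$out/server.crt" -noout -fingerprint -sha256
}

# Stand-alone usage:  PFX_PASS='...' sh make_selfsigned.sh --run /etc/ssl/mysite www.example.com
if [ "${1:-}" = "--run" ]; then
  make_selfsigned "$2" "$3"
fi
```

    The printed fingerprint is what you compare against the browser's certificate viewer on first connection; since nobody else vouches for a self-signed certificate, that comparison is the only thing standing between you and a man-in-the-middle presenting a different one.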

    The article can also be found at:
    http://security-24-7.com/generating-self-signed-ssl-certificate-using-openssl/
