Hardening the operating system
Bravura Security requires that Bravura Security Fabric be installed on the latest Microsoft Windows Server operating system. The first step in configuring a secure Bravura Security Fabric server is to harden its operating system. The following are suggestions on how to lock down the operating system.
Patches
Bravura Security recommends that organizations follow their standard operating patching processes to promptly download and install all vendor-supplied patches for the OS, DB and web server, as these often address security problems. In Bravura Security's experience, there has never been a compatibility problem with Bravura Security Fabric caused by such automated patching.
Limit logins to only legitimate administrators
One way to limit the number of users who can access the Bravura Security Fabric server is to remove it from any Windows domain. If the Bravura Security Fabric server is not a member of a domain, it reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the Bravura Security Fabric server.
Remove unused accounts, leaving just psadmin – the Bravura Security Fabric service account.
Create one administrator account to be used by the Bravura Security Fabric OS administrator to manage the server and set a strong password on this account.
Disable the default administrator account.
Remove any Guest or unused service accounts.
Remove the terminal services user account TsInternetUser. The Terminal Service Internet Connector License uses this account.
For any accounts that must remain, limit their access. At a minimum, block access by members of 'Everyone' to files and folders on the server.
Minimize running services
Disable any unused service. This eliminates potential sources of software bugs that could be exploited to violate the server’s security.
Only the following Windows services are required on Bravura Security Fabric servers:
Application Information
Background Tasks Infrastructure Service
DCOM Server Process Launcher
DHCP Client
Group Policy Client
Local Session Manager
Network Store Interface Service
Power
Remote Procedure Call (RPC)
RPC Endpoint Mapper
Security Accounts Manager
SQL Server (MSSQLSERVER)
System Events Broker
Task Scheduler
TCP/IP NetBIOS Helper
User Profile Service
Windows Process Activation Service
Workstation
World Wide Web Publishing Service
Additional services should only be enabled if there is a specific need for them.
Packet filtering
Open ports are an exploitable means of system entry. Limiting the number of open ports effectively reduces the number of potential entry points into the server. A server can be port scanned to identify available services.
Use packet filtering to block all inbound connections other than the following default ports required by Bravura Security Fabric:
| Default TCP port | Service |
|---|---|
| 443/TCP | IIS / HTTPS web service. |
| 5555/TCP | Bravura Security Fabric database service default port number ( |
| 2380/TCP | Bravura Security Fabric file replication service default port ( |
| 3334/TCP | Password manager service ( |
| 2340/TCP | Session monitoring package generation service (idsmpg). |
| 2540/TCP | Discovery service ( |
| 6190/TCP | Privileged access service ( |
| 2240/TCP | Workflow Manager service ( |
| 2234/TCP | Transaction monitor service ( |
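The service allow-list and the packet filtering table above can be applied and audited from PowerShell. The script below is an added example, not Bravura Security's own tooling: it reports running services that are not on the required list, sets the Windows Defender Firewall to deny inbound by default, creates one allow rule per required port, and then reports any other enabled inbound allow rules. The rule display-name prefix is an assumed naming convention.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the Bravura Security Fabric product). Service display names
# and TCP ports are taken from the lists on this page.

$RequiredServices = @(
    'Application Information', 'Background Tasks Infrastructure Service',
    'DCOM Server Process Launcher', 'DHCP Client', 'Group Policy Client',
    'Local Session Manager', 'Network Store Interface Service', 'Power',
    'Remote Procedure Call (RPC)', 'RPC Endpoint Mapper', 'Security Accounts Manager',
    'SQL Server (MSSQLSERVER)', 'System Events Broker', 'Task Scheduler',
    'TCP/IP NetBIOS Helper', 'User Profile Service',
    'Windows Process Activation Service', 'Workstation', 'World Wide Web Publishing Service'
)

# Port -> description, from the packet filtering table.
$RequiredPorts = @{
    443 = 'IIS / HTTPS'; 5555 = 'Database service'; 2380 = 'File replication service'
    3334 = 'Password manager service'; 2340 = 'Session monitoring package generation (idsmpg)'
    2540 = 'Discovery service'; 6190 = 'Privileged access service'
    2240 = 'Workflow Manager service'; 2234 = 'Transaction monitor service'
}
$RulePrefix = 'BSF Inbound'   # assumed naming convention for rules this script owns

# 1. Report running services that are not on the required list. Review before disabling:
#    a service missing from the list may still be needed by other software on the host.
$extra = Get-Service | Where-Object { $_.Status -eq 'Running' -and $RequiredServices -notcontains $_.DisplayName }
Write-Host "Running services not on the required list: $(@($extra).Count)"
$extra | Select-Object Name, DisplayName, StartType | Format-Table -AutoSize

# 2. Default-deny inbound on all profiles; outbound stays allowed here (tighten per site policy).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. One allow rule per required port, skipping rules that already exist so re-runs are safe.
foreach ($port in $RequiredPorts.Keys) {
    $name = "$RulePrefix $port/TCP - $($RequiredPorts[$port])"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Allow -Profile Any | Out-Null
    }
}

# 4. Report any other enabled inbound allow rules; each one widens the surface beyond the table.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -notlike "$RulePrefix*" } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

Where a port is only ever reached from known peer servers, adding -RemoteAddress to the corresponding New-NetFirewallRule call narrows the rule further than the port list alone.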