
IIS web server

The IIS web server is a required component since it provides all user interface modules. It should therefore be carefully protected.

IIS is more than a web server; it is also an FTP server, indexing server, proxy for database applications and a server for active content and applications. Disable these features as Bravura Security Fabric does not use them.

Always deploy a TLS (SSL) certificate issued by a certificate authority that your users' browsers already trust (a public CA or your enterprise PKI) on Bravura Security Fabric servers, and disable plaintext HTTP access. Never use a self-signed certificate on a user-facing system: it conditions users to click through certificate warnings, which defeats the protection TLS offers against an active attacker.

Assign the IIS user the right to read from, but not write to, the static HTML, image and JavaScript files used by Bravura Security Fabric.

Assign the IIS user the right to execute CGI programs but not other executables on the Bravura Security Fabric filesystem.

Disable directory browsing – there is no reason why a user connecting to the Bravura Security Fabric web portal should be able to list files in any folder.

Secure Content-Security-Policy (CSP) header

The default shipped value of the Content-Security-Policy (CSP) HTTP header has been restricted to limit traffic to only the IIS web server (or load balancer) hosting the product. There is one exception: a wildcard (*) in the connect-src policy, so that Bravura Security Fabric works upon installation. Bravura Security recommends that the Content-Security-Policy header be further restricted by replacing the wildcard with only the valid hostnames for Bravura Security Fabric. Valid hostnames include the individual instance hostnames of each server (ex: https://fabric-server1.company.com and https://fabric-server2.company.com), the main load balancer hostname (ex: https://fabric.company.com), and any special hosts added to the ALLOWED ORIGINS system variable (Manage the system > Maintenance > System variables).

Example

The Content-Security-Policy header has a number of different policies. The one that must be hardened on every installation is connect-src; leave the rest as they are unless you have a reason to change them (form-action is covered separately below). Here is an example of the hardened policy with the three URLs from the previous paragraph, with form-action shown already hardened for a deployment that does not use SAML.

Content-Security-Policy: connect-src 'self' https://fabric-server1.company.com/ https://fabric-server2.company.com/
      https://fabric.company.com/; default-src 'self'; form-action 'self'; frame-ancestors
      'self'; frame-src 'self' https://www.recaptcha.net/; img-src data: 'self'; object-src
      'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.recaptcha.net/
      https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; style-src-elem
      'self' 'unsafe-inline'

The CSP can be set in IIS on each server, or globally on a load balancer that rewrites (overwrites) the header on responses. To modify the value in IIS:

  1. Open Internet Information Services (IIS) Manager on each server.

  2. In the left panel, expand the server (named the server computer name).

  3. In the left panel, expand Sites.

  4. In the left panel, expand the website the product was installed under (defaults to Default Web Site).

  5. In the left panel, click on the product instance name.

  6. In the center panel, double click HTTP Response Headers.

  7. In the center panel, double click Content-Security-Policy. Edit the value and then click OK.

Harden form-action

If you are not using SAML, or are using SAML but not with the HTTP/HTTPS POST redirect method, harden form-action by removing the wildcard (*):

form-action 'self';

If you are using SAML with the HTTP/HTTPS POST redirect method, the browser must be allowed to POST the SAML request to your identity provider, so the form-action should be hardened by replacing the wildcard (*) with the authentication server URL rather than by removing it.

Shipped CSP snippet:

form-action 'self' *;

Improved security when using SAML with the HTTP/HTTPS POST redirect method. Note that in our testing, a trailing slash was required on this URL: CSP treats a source path that ends in a slash as a prefix (that path and everything below it) and any other path as an exact match, so without the slash only a POST to exactly that path would be allowed. It can also just be the hostname (pathname not required), which allows POSTs to any path on that host.

form-action 'self' https://customerid.oktapreview.com/app/instanceid_xyz_1/

External Images

Occasionally external images are used that will need to be added to the CSP as well. Profile pictures in user profiles and the OrgChart can be uploaded (so they are served by the same server as the product), or can be a link to an external directory of photos. If an external directory is used, its URL must be added to the end of the img-src policy, and would look like this (prefer an https URL: browsers treat http images on an https page as mixed content and may block or auto-upgrade them):

img-src data: 'self' http://photos.company.com;

Troubleshooting

Make sure you test the value afterward to ensure Bravura Security Fabric behaves correctly.

Caution

An incorrectly written policy can result in a white screen (due to no scripts or styles being allowed to load). There are CSP validators on the internet that you can paste your value into to have it validated.

You will see the following type of error in the Chrome or Edge console when the CSP has been violated, and that part of the product will not load. Ensure the necessary host names are included.

Refused to connect to 'https://bravuranode2.company.com/bravura/cgi/ajax.exe?guacamoleplay:guacamoleread' because it violates the following Content Security Policy directive: "connect-src 'self' https://fabric-server1.company.com/ https://fabric-server2.company.com/ https://fabric.company.com/".
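The following Python script is an added illustration, not code from Bravura Security Fabric or its documentation. It parses a CSP header into its directives, replaces the shipped wildcard in connect-src (or form-action) with explicit origins, and then emulates the browser's source matching so you can predict which requests would produce the console error above before changing the header in IIS. It also shows why the SAML form-action URL needed its trailing slash and why an external photo directory must be listed with the scheme the page actually loads it over. The host names are the placeholders used on this page; the function names and the simplified matching rules (no wildcard host names, no scheme-only sources, no redirect handling) are this example's own.

```python
"""Parse, harden and evaluate a Content-Security-Policy header.

Added example; not code from Bravura Security Fabric or its documentation.
Host names are the placeholders used on this page; the function names and the
simplified matching rules (no wildcard hosts, no scheme-only sources, no
redirect handling) are this example's own.
"""
from urllib.parse import urlsplit

# Constructed "as shipped" policy: the page's example with the connect-src and
# form-action wildcards that the text says to replace.
SHIPPED = ("connect-src 'self' *; default-src 'self'; form-action 'self' *; "
           "frame-ancestors 'self'; frame-src 'self' https://www.recaptcha.net/; "
           "img-src data: 'self'; object-src 'none'; "
           "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.recaptcha.net/ "
           "https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'")
SELF_ORIGIN = "https://fabric.company.com"          # origin the portal is served from
FABRIC_HOSTS = ["https://fabric-server1.company.com/",
                "https://fabric-server2.company.com/",
                "https://fabric.company.com/"]
# Directives that never fall back to default-src (CSP Level 3).
NO_FALLBACK = {"form-action", "frame-ancestors", "base-uri", "sandbox", "report-uri"}
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expression, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp: the string to paste into the IIS header value."""
    return "; ".join(" ".join([name] + srcs) for name, srcs in policy.items())


def replace_wildcard(policy, directive, origins):
    """Replace a bare '*' in `directive` with explicit origins.

    Raises if there is no wildcard, so a policy is never widened by accident.
    """
    srcs = policy.get(directive, [])
    if "*" not in srcs:
        raise ValueError(f"{directive} has no wildcard to replace: {srcs}")
    policy[directive] = [s for s in srcs if s != "*"] + list(origins)
    return policy


def source_matches(source, url, self_origin):
    """Does one host-source expression permit `url`? (simplified CSP3 rules)"""
    if source == "'self'":
        source = self_origin
    if source.startswith("'") or source.endswith(":"):   # keywords, data:, etc.
        return False
    if source == "*":
        return True
    s = urlsplit(source if "//" in source else "//" + source)
    u = urlsplit(url)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.hostname != u.hostname:                   # .hostname is lower-cased
        return False
    s_port = s.port or DEFAULT_PORT.get(s.scheme or u.scheme)
    if s_port != (u.port or DEFAULT_PORT.get(u.scheme)):
        return False
    # Path rule: a source path ending in '/' is a prefix ("this directory and
    # below"); any other path must match exactly. This is why the SAML
    # form-action URL on this page needed its trailing slash.
    if s.path:
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True


def allowed(policy, directive, url, self_origin):
    """Emulate the browser check behind 'Refused to connect to ...'."""
    srcs = policy.get(directive)
    if srcs is None and directive not in NO_FALLBACK:
        srcs = policy.get("default-src", [])
    return any(source_matches(s, url, self_origin) for s in (srcs or []))


def hardened_fabric_policy():
    """The connect-src hardening described on this page, applied to SHIPPED."""
    return replace_wildcard(parse_csp(SHIPPED), "connect-src", FABRIC_HOSTS)


if __name__ == "__main__":
    policy = hardened_fabric_policy()
    print(serialize_csp(policy))
    # A node missing from connect-src is refused, as in the console error above.
    print(allowed(policy, "connect-src",
                  "https://bravuranode2.company.com/bravura/cgi/ajax.exe?x", SELF_ORIGIN))
    # SAML form-action: with the trailing slash, POSTs below the app path pass.
    saml = replace_wildcard(parse_csp(SHIPPED), "form-action",
                            ["https://customerid.oktapreview.com/app/instanceid_xyz_1/"])
    print(allowed(saml, "form-action",
                  "https://customerid.oktapreview.com/app/instanceid_xyz_1/sso/saml", SELF_ORIGIN))
```

Run it with the host names of your own instances in FABRIC_HOSTS and the URLs from a failing console message: if allowed() returns False for the URL the browser refused, the host (or, for form-action, the path form) is what needs adding.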

Upgrading

When upgrading, you will need to compare the custom hardened CSP with the new CSP included in the upgrade to make sure all the necessary exceptions are included in the policy. Keep a copy of the existing CSP somewhere safe in case the upgrade replaces it.

Read more about the Content-Security-Policy at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP .

Secure Host header

The Host header in HTTP requests specifies the domain of the resource being requested. If it is not validated, an attacker can supply an arbitrary value, for example to get an attacker-controlled host embedded in links the application generates from it, or to poison caches. To protect your installation of Bravura Security Fabric, it is crucial to ensure that the Host header is validated correctly. The product installer does not restrict hostnames automatically, but you can safeguard the Host header by configuring validation rules.

Recommended Approach

Ideally, Host header validation should be configured on your load balancer to ensure that all incoming traffic is validated before it reaches your Bravura Security Fabric instances. If you are unable to configure this on a load balancer, you can apply the validation directly on each Bravura Security Fabric instance, either with the URL Rewrite rule described below or by restricting the IIS site bindings to the hostnames you actually serve.

Configuring Host header validation on a load balancer

If your load balancer supports URL Rewrite rules or similar features, configure Host header validation at the load balancer level to filter out invalid hostnames. This approach centralizes security and reduces configuration overhead on individual instances.

Configuring Host Header Validation in IIS

If you need to configure Host header validation on each Bravura Security Fabric instance, follow these steps to set up URL Rewrite rules in IIS:

  1. Launch Internet Information Services (IIS) Manager on your server.

  2. Navigate to your site.

    1. In the left panel, expand the server node.

    2. Expand Sites to view the list of sites.

    3. Expand the website the product was installed under (defaults to Default Web Site).

    4. Click on the virtual directory where Bravura Security Fabric is installed.

  3. Double click on URL Rewrite in the middle panel.

  4. Add a new rewrite rule.

    1. Click on Add Rule(s)... in the Actions pane on the right.

    2. Select Blank rule and click OK.

  5. Give the rewrite rule a name such as Validate Host header .

  6. In the Match URL section, enter (.*) as the pattern.

  7. Add a condition for Host header validation.

    1. Click Add in the Conditions section.

    2. In the Condition input field, enter {HTTP_HOST} .

    3. From the Check if input string dropdown, select Does Not Match the Pattern.

    4. In the Pattern field, enter ^([a-zA-Z0-9_-]+\.)?yourdomain\.com$ (replace yourdomain.com with your actual domain, keeping the backslash before each dot). The ^ and $ anchors and the escaped dots matter: without them a look-alike such as evilyourdomain.com or fabric.yourdomain.com.evil.example would pass. The ? after the group also accepts the bare domain; remove it if the portal is only ever reached through a hostname such as fabric.yourdomain.com. If clients connect on a non-default port, {HTTP_HOST} includes it, so add (:[0-9]+)? before the $. Leave Ignore case checked, since hostnames are case-insensitive.

  8. Set up the action.

    1. In the Action section, choose Redirect as the Action type.

    2. Enter your domain address (e.g., https://yourdomain.com/) in the Redirect URL field.

      Any request with an invalid host will be redirected to the specified domain. If you would rather drop such requests than answer them, choose Abort Request as the action type instead; the connection is then closed without a response.

    3. Select Permanent (301) from the Redirect type list.

  9. Click Apply in the Actions pane to save the new rule.

Verification

After configuring Host header validation, verify your setup by testing requests to ensure that only valid Host headers are accepted. This will help prevent unauthorized access and maintain the security of your Bravura Security Fabric installation.
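The following Python script is an added illustration, not code from Bravura Security Fabric or its documentation. It builds the Host header pattern for the rewrite condition above, checks it against a constructed set of legitimate and hostile Host values (including the look-alike domains the anchors and escaped dots exist to stop, and a CR/LF injection attempt), and contrasts it with a pattern whose dots are left unescaped. IIS URL Rewrite uses .NET regular expressions; the pattern built here uses only constructs that mean the same thing in .NET and in Python's re module. yourdomain.com is the page's placeholder; the function names are this example's own.

```python
"""Host header validation as the IIS URL Rewrite condition on this page does it.

Added example; not code from Bravura Security Fabric or its documentation.
`yourdomain.com` is the page's placeholder and the function names are ours.
IIS URL Rewrite uses .NET regular expressions; the pattern built here uses
only constructs that mean the same thing in .NET and in Python's re module.
"""
import re

DOMAIN = "yourdomain.com"

# A pattern with the two defects worth avoiding: unescaped dots (which match
# any character) and a mandatory label group, so look-alikes pass while the
# bare domain is rejected.
WEAK_PATTERN = r"^([a-zA-Z0-9_-]+.)yourdomain.com$"


def host_pattern(domain, allow_bare=True, allow_port=False):
    """Build the value for the rewrite condition's Pattern field.

    allow_bare: also accept `domain` itself, with no host label in front.
    allow_port: accept an explicit ':port'; {HTTP_HOST} carries one when the
                client sent it (for example a non-default listener port).
    """
    label = r"([A-Za-z0-9_-]+\.)"
    sub = label + "?" if allow_bare else label
    port = r"(:[0-9]{1,5})?" if allow_port else ""
    return f"^{sub}{re.escape(domain)}{port}$"


def pattern_compiles(pattern):
    """Catch a pattern the regex engine rejects before pasting it into IIS."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def host_is_valid(host, pattern):
    """Decide as the condition does: IIS 'Ignore case' is on by default, so
    compare case-insensitively; fullmatch keeps CR/LF injection from matching."""
    return re.fullmatch(pattern, host, re.IGNORECASE) is not None


def classify(hosts, pattern):
    """Map each Host header value to accept (True) or redirect/abort (False)."""
    return {h: host_is_valid(h, pattern) for h in hosts}


# Constructed Host header values: legitimate ones first, then the kind of
# values sent when probing for Host header injection.
SAMPLE_HOSTS = [
    "fabric.yourdomain.com",
    "FABRIC.YOURDOMAIN.COM",
    "yourdomain.com",
    "fabric.yourdomain.com:8443",
    "evilyourdomain.com",                  # registrable look-alike
    "fabric.yourdomain.com.evil.example",  # real name used as a prefix
    "x.yourdomainXcom",                    # defeats an unescaped dot
    "203.0.113.5",
    "fabric.yourdomain.com\r\nX-Injected: 1",
]

if __name__ == "__main__":
    strict = host_pattern(DOMAIN)
    print("Pattern for IIS:", strict)
    for host, ok in classify(SAMPLE_HOSTS, strict).items():
        print(f"{'accept' if ok else 'reject':8} {host!r}")
    # The same look-alikes slip through when the dots are not escaped.
    print("weak accepts evilyourdomain.com:", host_is_valid("evilyourdomain.com", WEAK_PATTERN))
    # A leading '*' (nothing to repeat) makes the whole pattern invalid.
    print("'*^...' compiles:", pattern_compiles(r"*^([a-zA-Z0-9_-]+.)yourdomain.com$"))
```

Paste the printed pattern into the condition's Pattern field, then send the same sample values with curl -H "Host: ..." against an instance and confirm every value the script rejects is redirected (or aborted) rather than served.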

Additional Resources

For further details on Host header vulnerabilities and configuration, refer to Microsoft's documentation on Host Header Vulnerability.