The following document shows multiple options to install a Relay Server on a Windows Server and secure it. There are multiple options to harden the server and there will be new ways after this document is published.

Foundation


Prerequisites

Prepare the Windows Server

Setup the Firewall

Depending on your use case, you need to open the following TCP ports

  • Your SSL port inbound from everywhere, a device would connect (e.g. 443)
  • Your HTTP port inbound from everywhere, a device would connect (e.g. 80)
  • Your SSL port inbound from the backend servers
  • Your HTTP port inbound from the backend servers
  • Your RDP port inbound from the administrative network, if you cannot work on the machine with VMware Player

if you want, you can use custom ports for http and SSL

RS FW 01.pngRS FW 02.pngRS FW 03.pngRS FW 04.pngRS FW 05.png

Create a local user

  • Create a local user with a strong password as a service user for the Relay Server
  • The password should not expire
  • The user must be member of the Administrators group during the installation
  • The user must be removed from this group after the installation

Relay Server Installation

Preparation

  • Download the script files and unzo it
  • Create the following folder
    • D:\RelayServer
    • D:\RelayServer\RsConfig
    • D:\Logs\RelayServer
    • D:\Logs\IIS
  • Edit the settings.ini file to manage the file and folder locations of the relay server installation

RS inst 01.pngRS inst 01.png

  • Copy the RS.config into the D:\RelayServer\RSConfig folder

RS inst 02.png

Installation

  • Run CMD as Administrator
  • Run setup.cmd in the installation folder
  • SetupMode=1 and your Parameters of Settings.ini should be correct.
  • Press Y to confirm
  • A long list of configuration parameter and installation log is shown
  • Enter the RelayServer Service User Account and confirm with Enter
  • Enter the Password of the Account and confirm with Enter

The relay server will start, if the RS.config is configured correctly. If it starts, remove the Relay Server User Account from the Administrator Group

IIS Post Configuration

Bindings

  • Install the Servers SSL certificate to “Server Certificates”
    • Ensure, that the certificate chain is installed in Windows intermediate and/or trusted root certificate store
  • Configure Bindings
    • Only the required Bindings should be configured. If only SSL is used, http should not be configured
    • The IP Address (*) can be configured. this should be done, if the access should be restricted

RS IIS 01.png

Logging

  • Change the log file destination folder to D:\Logs\IIS and Apply the change.

Security Settings

Move Web Content to D drive

  • Create D:\IIS\wwwroot
  • Move Data from C:\inetpub\wwwroot to this folder
  • Configure the physical path of the default website [Basic Settings…]
  • Test with CMD:  %systemroot%\system32\inetsrv\appcmd list vdir
  • Nothing should be on C:\

Remove Or Rename Well Known URLs

  1. Remove the %systemdrive%\inetpub\AdminScripts folder if it exists
  2. Remove the %systemdrive%\inetpub\scripts\IISSamples folder if it exists
  3. Remove the iissamples Virtual Directory mapping if it exists
  4. Restrict access to the iisadmpwd Virtual Directory to Windows Authenticated users if exists or remove the Virtual Directory mapping
  5. Remove the IISHelp Virtual Directory mapping if it exists
  6. Remove the Printers Virtual Directory mapping if it exists
  7. Remove the %programfiles%\Common Files\System\msadc folder if it exists
    renamed to ____msadc

Disable Directory Browsing

  • Open Server Manager
  • Remove Roles
  • Uncheck Directory Browsing
  • Click Next… Next… Finish
  • Restart the Server

DirectoryBrowsing.png

Set Default Application Pool Identity To Least Least Privilege Principal

  • Execute the following command to determine if the DefaultAppPool identity has been changed to ApplicationPoolIdentity:
  • %systemroot%\system32\inetsrv\appcmd list config /section:applicationPools

Ensure Unique Application Pools for Sites, Configure Application Pools to Run As Application Pool Identity

  • Change Application Pool for the monitor and admin folder to “RelayServer_Server”
  • Default Admin Pool should have
    • Default Web Site
    • ias_relay_server
  • RelayServer_Client should have
    • Client
  • RelayServer_Server should have
    • Server
    • Monitor
    • Admin

Use Only Strong Encryption Protocols, Disable Weak Cipher Suites

  TLS 1.0 should NOT be deactivated, because the RDP connection only works with TLS 1.0

  • The tool IISCrypto can be used to manage the allowed cipher suites
  • After applying the changes, the Server must be restarted
  • Test cipher protocols depending on device requirements. Use the SSL test site to check the handshake protocols for your devices. Only the strongest cipher suites should be active for your connecting devices. It is possible to see the handshakes with https://www.ssllabs.com/ssltest/analyze.html

IISCryptoBP.png

Configure Global Authorization Rule to restrict access, Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only,

  • Install the Role IP and Domain Restrictions

IADRInstall.png

  • Use “Deny Action Type” Not Found
  • Configure the IP and Domain Restrictions Feature for the Admin and Monitor application […]/monitor and […]/admin
    • Add Afaria, SMP and Admin Station IP addresses to allow access
  • […]/server folder
    • Add only Afaria, SMP and other backend machine addresses to allow access

IADRDeny.png

IADRAllow.png

  • […]/ias_relay_server folder
    • deny all
  • […]/client folder
    • allow all connections from IP addresses that should access the Relay Server as a client. Usually you can allow all IP addresses here and let the firewall do the rest

IADRAllowClient.png

  • If you do not use the root folder of the Relay Server for any other purpose like certificate download, client download, deny access to it, too.


Ensure Custom Error Messages Are Not Off, Detailed Error Only Showed Locally

  • Use “Detailed errors for local requests and custom error pages for remote requests during productive usage. In test phases you can send detailed error messages, if required, but set it back to custom error pages, if you finished testing and return to productive usage.
  • If you have standard error messages, use them else use simple error messages like you can find e.g. at http://www.404errorpages.com/

EPSetting.png


Ensure Failed Request Tracing is Not Enabled    

Verify Failed Request Tracing is turned off by using the IIS Manager GUI:

  1. On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager
  2. In the Connections pane, select the server connection, site, application, or directory on which failed request tracing will be configured
  3. In the Actions pane, click Failed Request Tracing…
  4. In the Edit Web Site Failed Request Tracing Settings dialog box, verify that the Enable check box is not checked

RTS.png


Disallow Unlisted File Extensions

  1. Open Internet Information Services (IIS) Manager
  2. In the Connections pane, select the server
  3. In the Home pane, double-click Request Filtering
  4. Click Edit Feature Settings… in the Actions pane
  5. Under the General section, uncheck Allow unlisted file name extensions

Request Filtering

  • Disallow unlisted file name extensions and unlisted verbs in Request filtering globally

RF#.png

  • Allow .dll for execution in the […]/ias_relay_server/ folder and its subfolders

RFDLL.png

  • Allow only GET, HEAD, POST, PUT, DELETE for all Relay Server Sites globally

RFias_relay_server.png

  • Allow Only POST and CONNECT for server folder

RFServer.png

Additional Tasks

Scheduled Job: Log Cleanup

  • Copy the “LogCleaner.bat” and the “Log Cleaner.xml” from the Setup Folder to the folder D:\Logs. Executing the .bat file would delete all log files that are older than 45 days.
    • Open the LogCleaner.bat to check, if folder settings and file locations are correct

LC 01.png

  • Open the Windows Task Scheduler and Import the Task
    • Choose Log Cleaner.xml file
    • Confirm
    • Check, if file location is correct and choose the correct one, if necessary
  • Activate the schedule, if necessary

LC02.png

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply