PVWA post-hardening tasks
This topic describes on-going tasks that you must perform manually after running the hardening script, and on a periodic basis, for example, if you change something in the environment (add servers, upgrade a version), after an operating system upgrade, or as part of general maintenance activities.
These tasks are necessary for all types of deployments and are part of maintaining your system.
Update your operating system
Microsoft releases periodic updates (security updates and service packs) to address security issues that have been discovered in their software. Make sure your operating system is updated to the latest version.
You can install the updates in either of the following ways:
- Manually install updates and service packs.
- Automatically install with Server Update Services (WSUS), which is located on a corporate network.
Install an anti-virus solution
In today’s world, the pace of virus development is very fast. Servers without anti-virus protection are exposed to two risks:
- Server infected with viruses that might damage the server and the entire network.
- Trojan horses that are planted to allow remote control of the server and to all the information on it.
Install an anti-virus solution and update it as needed.
Validate proper server roles
Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server
Restrict network protocols
Install only the required protocols and remove unnecessary ones.
For example, only TCP/IP protocols are necessary. Ensure that no additional protocols such as IPX or NetBEUI are allowed.
Rename default accounts
We recommend that you change the names of both the Administrator and the guest account to names that don't provide information about their permissions.
We also recommend that you create a new locked and unprivileged Administrator user name as bait.
Secure PKI authentication
Public Key Infrastructure (PKI) authentication is a common authentication for smart card or other client certificate authentication types to IIS applications. PVWA supports PKI authentication using different types of smart cards.
Each PKI certificate is signed by a certificate authority and is trusted by the server. In order to make PKI authentication more secure, we recommend removing all other trusted CAs from the certificate store on the PVWA server, except the CA that the organization uses to verify the client's certificate.
In addition, as the machine’s certificate store can be updated via Windows Updates, make sure that no trusted CA was added after the Windows Updates installation.
Remove unneeded application pools
It is important to remove all unnecessary application pools that are installed by default with the IIS server. In addition, all application pools must be configured as Integrated, because Classic mode has known vulnerabilities.
Keep the following application pools only:
- DefaultAppPool (Managed Pipeline Mode = Integrated)
- PasswordVaultWebAccess (Managed Pipeline Mode = Integrated)
The PVWA application pool name can be changed.
To remove all other application pools:
In the run window, run inetmgr.
Expand your site node and open Application Pools.
Remove all application pools, except for DefaultAppPool and PasswordVaultWebAccessPool.
If you changed the PasswordVaultWebAccessPool application pool name, make sure that you do not delete it.