5: Web Server Security
Communication between the NICE Trading Recording web server (Core Server) and the web clients
requires a secure HTTPS connection.
This prevents capturing of any NICE Trading Recording related information
from the network, accidentally or with malicious intent. The web client's
temporary internet files cache will not contain any traces of NICE Trading
Recording client sessions.
The first part of this chapter describes how to enable TLS security.
The second part contains additional, non-TLS related steps to enhance your web server security.
Topics:
Supported Security Versions
TLS (SSL) Security
Enabling HTTPOnly and Secure Cookies
Preventing Cross Frame Scripting
Hiding Version Information in the Server Header
Remove the X-Powered-By Header
Enforcing Account Lockout (NTR)
Supported Security Versions
TLS / SSL
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols that provide communications security over a computer network. For HTTPS connections you
must enable such a protocol. The TLS protocol is a more up-to-date and secure version of SSL, and is
therefore considered an absolute requirement.
NOTE: Although the use of SSL is not advised, the term "SSL" is still widely used for both SSL
and TLS.
In this manual we distinguish between both protocols, but will adhere to the use of the term
"SSL certificates", which is still common, for example in the IIS windows.
Supported versions:
NICE Trading Recording:
As from version 6.7 PL4, NICE Trading Recording supports TLS 1.2 only. Earlier TLS and SSL
versions are disabled.
Lower NTR versions support TLS 1.0 and TLS 1.1.
COMPASS:
COMPASS 3.3 supports TLS 1.2, except for Reporting and Reconciliation (which are part of the
Advanced package).
COMPASS 3.4 supports TLS 1.2 across all COMPASS modules (Lite, Plus and Advanced licenses).
However, the COMPASS installation needs TLS 1.1 as a minimum. You must apply the TLS 1.2
restrictions after you have finished the installation.
Important! Do not use the SSL 2.0 and 3.0 protocols on the OS level. We do
not recommend TLS 1.0 and 1.1.
Ciphers
NTR supports all secure ciphers.
Recommended secure ciphers are, as of March 2018: 'AES 128/128', 'AES 256/256'.
These options are set system-wide via the registry. A specific reg file can be obtained via the NICE
Support Desk, to load the correct values using the command line.
The figure below shows the required settings, using IIS Crypto.
* In certain cases you need to select TLS 1.0 and 1.1 as well. See Supported versions above.
When done, reboot the system to make all changes come into effect.
NOTE: NICE Trading Recording remains working when HTTP is completely disabled, or when
weak ciphers are disabled ('DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128',
'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168').
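A read-only check of the registry values behind these settings, as an added example (it is not the NICE reg file or NICE tooling). It assumes the standard Windows SCHANNEL key layout and the TLS 1.2-only policy for NTR 6.7 PL4 and later; the function name Get-SchannelEnabled is introduced here for illustration.

```powershell
# Added example: read-only audit of the system-wide SCHANNEL settings.
# Expected values follow this chapter for NTR 6.7 PL4 and later (TLS 1.2 only).
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$expected = [ordered]@{
    'Protocols\SSL 2.0\Server' = $false
    'Protocols\SSL 3.0\Server' = $false
    'Protocols\TLS 1.0\Server' = $false   # set to $true where this manual requires it
    'Protocols\TLS 1.1\Server' = $false   # set to $true where this manual requires it
    'Protocols\TLS 1.2\Server' = $true
}
# Cipher names exactly as listed in this chapter.
'DES 56/56','NULL','RC2 128/128','RC2 40/128','RC2 56/128','RC4 40/128',
'RC4 56/128','RC4 64/128','RC4 128/128','Triple DES 168' |
    ForEach-Object { $expected["Ciphers\$_"] = $false }
'AES 128/128','AES 256/256' | ForEach-Object { $expected["Ciphers\$_"] = $true }

function Get-SchannelEnabled([string]$SubKey) {
    # Cipher key names contain '/', which the PowerShell registry provider
    # treats as a path separator, so the key is opened through .NET instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }            # key absent: OS default applies
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return $null }      # value absent: OS default applies
        return ($value -ne 0)                       # 1 or 0xffffffff both mean enabled
    } finally { $key.Close() }
}

$report = foreach ($subKey in @($expected.Keys)) {
    $want   = $expected[$subKey]
    $actual = Get-SchannelEnabled $subKey
    $result = if ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $want) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{ Setting = $subKey; Expected = $want
                       Actual = $actual; Result = $result }
}
$report | Format-Table -AutoSize
```

A NOT SET result means the key or its Enabled value is absent, so the Windows default for that OS version applies and should be reviewed against the policy above.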
TLS (SSL) Security
To ensure HTTPS is used for web connections, you have to set up a secure binding and disable the
standard 'plain text' binding. When setting up the secure binding you need to select an SSL certificate,
which must be created before you set up the binding.
SSL Certificates
Enabling TLS Security
SSL Certificate Settings
SSL Certificates
The following types of certificates exist:
Certificate issued by a public or commercial Certificate Authority (CA). Not necessary for internal
networks.
Certificate issued by the company (customer) itself, based on a CA certificate. This is a cost-effective and
secure solution for internal networks.
Self-signed certificate. This is not fully secure. It ensures an encrypted connection, but
'man-in-the-middle' attacks are still possible. NICE advises against this type of certificate for purposes
other than testing.
In Windows you can create a self-signed certificate using Internet Information Services
(IIS) Manager.
Installed certificate
If you have created and installed a certificate in Windows you can check it as follows:
1. Open the Internet Information Services (IIS) Manager, select Connections > <localhost name> >
Server Certificates.
2. Select the certificate. It will look like the following example:
If you have multiple Core Servers, for example in 2N Recording, each Core Server requires its unique
certificate.
Enabling TLS Security
To make sure the connection between web client and web server always uses HTTPS, take the following
actions:
Make an SSL certificate available and install it on the Core Server(s).
On the NICE Trading Recording Core Server(s),
Set the site binding to secure in the Internet Information Services (IIS) Manager.
Set up Internet Information Services (IIS) Manager to allow only HTTPS connections.
Change the desktop shortcut to HTTPS.
When applicable, you must re-bind the certificate.
Self-signed certificate
If you use a self-signed certificate, you have to perform additional actions. NICE advises against the use
of self-signed certificates for purposes other than testing.
Importing the certificate on the web client
Setting up the certificate on the Core Server for access by local services
Setting up the web clients to use this self-signed certificate
SSL Certificate Settings
Internet Information Services (IIS) Manager
You can access the IIS Manager in two ways:
Windows Start > Administrative Tools > Internet Information Services (IIS) Manager
Windows Start > Server Manager > IIS > Tools > Internet Information Services (IIS)
Manager
For details, refer to the sections below.
Perform the following steps to ensure proper functioning of the certificate.
Setting Site Binding
To set the secure site binding:
1. In the Internet Information Services (IIS) Manager, navigate to Connections, expand the <local
host name> (below 'Start Page').
2. Expand Sites.
3. Right-click Default Web Site. From the menu, select Edit Bindings....
The pane Site Bindings appears.
4. Click Add. The pane Add Site Binding appears.
5. Type: - From the drop-down menu, select https. The port number changes to 443.
IP address: - Leave as is.
6. The field SSL certificate: appears. Select the required certificate. Below an example is shown.
7. Click OK. Verify in the Site Bindings pane that the certificate has been added.
The asterisk * indicates 'All Unassigned' IP addresses.
Do not remove the port 80 binding.
8. Click Close.
9. Restart the website:
Right-click Default Web Site.
10. From the menu, select Manage Web Site ► Restart.
Setting up IIS for HTTPS Only
To set up IIS to allow only HTTPS connections:
1. In the Internet Information Services (IIS) Manager, navigate to the web site to be secured.
For NTR this is Connections > <localhost name> > Sites > Default Web Site.
2. Click the icon SSL Settings.
3. The pane SSL Settings appears. Select Require SSL.
4. Under Client certificates:, select the radio button in accordance with the company policy.
5. In the pane Actions, click Apply.
6. Restart the website: right-click Default Web Site.
From the menu, select Manage Web Site ► Restart.
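To confirm the result of the Setting Site Binding and Require SSL steps above without clicking through IIS Manager, the following read-only check can be run in an elevated PowerShell session on the Core Server. It is an added example, not part of the NICE manual or tooling; it assumes the WebAdministration module is installed and that the site is named Default Web Site as in this chapter.

```powershell
# Added example: read-only check of the IIS settings made in the steps above.
Import-Module WebAdministration
$site = 'Default Web Site'              # site name used for NTR in this chapter

$bindings = @(Get-WebBinding -Name $site)
$https = @($bindings | Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -like '*:443:*' })
$http  = @($bindings | Where-Object { $_.protocol -eq 'http'  -and $_.bindingInformation -like '*:80:*' })

$findings = @()
if ($https.Count -eq 0) { $findings += 'No https binding on port 443.' }
if ($http.Count  -eq 0) { $findings += 'Port 80 binding is missing (this chapter says to keep it).' }

foreach ($b in $https) {
    # certificateHash / certificateStoreName identify the bound certificate.
    $thumb = $b.certificateHash
    if (-not $thumb) {
        $findings += "https binding $($b.bindingInformation) has no certificate."
        continue
    }
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.certificateStoreName)" |
            Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { $findings += "Bound certificate $thumb not found in the store."; continue }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)." }
    # Subject equal to Issuer indicates a self-signed certificate.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'Certificate is self-signed (advised for testing only).'
    }
}

# "Require SSL" in the SSL Settings pane is stored as the Ssl flag of sslFlags.
$raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
       -Filter 'system.webServer/security/access' -Name 'sslFlags'
$sslFlags = if ($raw -is [string]) { $raw } else { "$($raw.Value)" }
if ($sslFlags -notmatch '\bSsl\b') {
    $findings += "Require SSL is not set (sslFlags = '$sslFlags')."
}

if ($findings.Count -eq 0) { 'OK: https binding, certificate and Require SSL are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Running it again after an NTR upgrade shows at once whether the certificate has become unbound.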
Redirecting the Desktop Shortcut
The NTR Web GUI can be opened using the default 'CyberTech Recording Solution
Application' desktop icon. Set this shortcut to HTTPS as follows:
1. Right-click the shortcut icon. From the menu, select Properties.
2. In the field Target, add an s to http.
3. Click OK.
Re-binding a Certificate after Upgrading NICE Trading Recording
If you upgrade NICE Trading Recording, the SSL certificate becomes unbound. You must re-bind it,
using the IIS Manager. Refer to Setting Site Binding above.
The window Edit Outbound Rule appears.