Security
Security should be a key consideration during the installation and configuration of Safran Web Access. This article outlines important security details to keep in mind. Additional details may exist beyond those mentioned here; generally, it is advisable to follow Microsoft's recommendations for setting up applications on IIS.
Secure your firewall.
- Block Port 80: This will prevent HTTP traffic.
- Open Port 443: This will allow HTTPS traffic.
- Close unused ports for improved security.
- Follow the Microsoft guidelines for detailed instructions.
- Configure Firewall Rules With Group Policy | Microsoft Learn
Database Connection Security
- Avoid Using SAFRANSA: Do not use SAFRANSA as the database user in your web.config file.
- Create a New User: Set up a new user with restricted access for database connections.
- Follow the guide from Safran on how to create a new user.
Encrypt Your Connection String
- Use aspnet_regiis.exe: Encrypt the connection string in your web.config file using this Microsoft tool.
- Make a backup of the file prior to encryption and store it in a secure place.
- Detailed instructions can be found in the Microsoft documentation.
- Encrypting and Decrypting Configuration Sections | Microsoft Learn
Restrict IIS User Access
- Limit Directory Access: Ensure the IIS user associated with your API only has access to the necessary directories on your server.
- Follow the Microsoft guide for setting up these permissions.
- Default permissions and user rights in IIS - Internet Information Services | Microsoft Learn
IIS configuration
It is recommended to configure the following settings for IIS:
- "Enable Parent Paths" -> False / Disable
The IIS setting asp enableParentPaths allows Classic ASP applications to use relative paths that include .. to refer to parent directories. This feature is disabled by default for security reasons. When enabled, it lets developers use paths like ..\example.asp to access files or folders in parent directories.
<system.webServer>
  <asp enableParentPaths="false" />
</system.webServer>
- "Allow double escaping" -> False / Disable
The IIS setting allowDoubleEscaping allows URLs that contain double escape sequences (e.g., %2520 for a space) to be processed by the server. This setting is disabled by default to prevent certain types of attacks that exploit double-encoded characters. When enabled, it permits the server to handle URLs with double-escaped characters, which can be useful in specific scenarios but may introduce security risks.
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="false" />
  </security>
</system.webServer>
- "Directory browsing" -> False / Disable
The IIS setting directoryBrowse controls whether directory browsing is enabled for a website or application. When enabled, it allows users to see a list of files and directories within a specified directory on the web server. This can be useful for development or troubleshooting but may pose security risks if left enabled on a production server.
<system.webServer>
  <directoryBrowse enabled="false" />
</system.webServer>
- "Always Allowed Urls" -> Should be empty
The IIS setting alwaysAllowedUrls specifies a collection of URLs that are allowed through request filtering, regardless of other filtering rules. This means that even if certain URL sequences are generally denied, the URLs listed in alwaysAllowedUrls will be permitted.
<system.webServer>
  <security>
    <requestFiltering>
      <alwaysAllowedUrls>
      </alwaysAllowedUrls>
    </requestFiltering>
  </security>
</system.webServer>
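
As an added example (not code from Safran or Microsoft), the PowerShell function below reads a web.config and reports on the four settings recommended above. The function name Test-IisHardening, the sample XML and the placeholder path are assumptions made for illustration; a setting that is absent from the file is reported as inherited, because it may be defined at a higher configuration level such as applicationHost.config.

```powershell
# Added example: report the four recommended IIS settings found in a web.config.
function Test-IisHardening {
    param([Parameter(Mandatory)][xml]$Config)

    # '//' also matches <system.webServer> nested inside <location> elements.
    $sw = '//system.webServer'
    $checks = [ordered]@{
        'Enable Parent Paths'   = "$sw/asp/@enableParentPaths"
        'Allow double escaping' = "$sw/security/requestFiltering/@allowDoubleEscaping"
        'Directory browsing'    = "$sw/directoryBrowse/@enabled"
    }
    foreach ($name in $checks.Keys) {
        $values = @($Config.SelectNodes($checks[$name]) | ForEach-Object { $_.Value })
        $bad    = @($values | Where-Object { $_ -ne 'false' })
        if ($values.Count -eq 0) {
            $status = 'NOT SET (inherited)'   # value comes from a higher config level
        } elseif ($bad.Count -gt 0) {
            $status = 'FAIL'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Setting = $name; Found = $values -join ', '; Status = $status }
    }

    # Every <add> under alwaysAllowedUrls is exempt from the request-filtering rules.
    $urls = @($Config.SelectNodes("$sw/security/requestFiltering/alwaysAllowedUrls/add") |
        ForEach-Object { $_.GetAttribute('url') })
    $urlStatus = if ($urls.Count -eq 0) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{ Setting = 'Always Allowed Urls'; Found = $urls -join ', '; Status = $urlStatus }
}

# Constructed sample input, not a real Safran Web Access web.config.
$sample = @'
<configuration>
  <system.webServer>
    <asp enableParentPaths="false" />
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <alwaysAllowedUrls>
          <add url="/legacy/upload" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

Test-IisHardening -Config $sample | Format-Table -AutoSize
# On a server (placeholder path): Test-IisHardening -Config (Get-Content -Raw 'C:\path\to\web.config')
```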