Post Installation Hardening

From iDENprotect Knowledge Base

If you have not yet installed the idenprotect Core Platform, please see Start Here - idenprotect Core Platform. This guide is also relevant to the idenprotect Authentication Portal and iDENprotect User Portal if they are installed on separate servers. If you need to install those applications, please see Start Here - idenprotect Authentication Portal or Start Here - idenprotect User Portal.


Once the idenprotect Core Platform has been installed and configured and is ready for testing or deployment, there are a number of steps we recommend taking to harden and secure your installation. This guide describes those steps.

Trusted SSL Certificate

The idenprotect Core Platform will normally run on HTTPS. To secure the connection from the server to your web browser, please follow our guidance on installing a Trusted SSL Certificate. It is strongly recommended that you configure the server to use TLS v1.2 for security reasons.

Hardening The NGINX Component

The NGINX configuration file /etc/nginx/nginx.conf holds the settings NGINX needs to operate. Within this file, security parameters can be set to remove known weaknesses associated with weak and insecure ciphers and cryptographic usage. To harden the configuration, the following settings can be added or tightened depending on the deployment. The standard NGINX configuration file shipped with idenprotect is not hardened; this is left to the administrator. The settings below balance compatibility with all known browsers against security. It is possible to go further, but consider carefully whether you are satisfied that only the very latest devices and applications will be able to connect, since only they support the latest and strongest ciphers.

It is recommended that you take a backup of /etc/nginx/nginx.conf before editing it. As a baseline, the following configuration should be added to the file. Once the settings have been added, restart NGINX with `systemctl restart nginx`. Any errors after the restart indicate a problem in nginx.conf, and further diagnosis will be needed to determine where in the file the issue lies.

 server {
         server_name localhost;
         # 'ssl on;' is deprecated and removed in newer NGINX releases;
         # 'listen 443 ssl;' enables TLS on every supported version.
         listen 443 ssl;

         ssl_session_timeout 5m;
         ssl_protocols TLSv1.2;
         # Make sure you already have this certificate pair!
         ssl_certificate /var/certs/hosted_idenprotect_net_bundle.crt;
         ssl_certificate_key /var/certs/hosted_idenprotect_com.key;
         ssl_session_cache shared:SSL:10m;
         ssl_prefer_server_ciphers on;

         # For DH forward secrecy, generate the parameters first with OpenSSL
         # (this takes a long time):
         #   openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
         ssl_dhparam /etc/ssl/certs/dhparam.pem;
         ssl_ecdh_curve secp384r1;

         # Secure Ciphers
 }
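As an added check, written for this page and not part of idenprotect, the POSIX shell function below audits an nginx configuration file for the baseline directives above and reports anything missing or still offering legacy protocol versions. The two sample configurations, their certificate paths and the cipher string are constructed placeholders.

```shell
#!/bin/sh
# Audit an nginx config for the TLS hardening directives this page lists.
# Prints one finding per line; exit status 0 only when nothing is found.
audit_nginx_ssl() {
    findings=0
    body=$(sed 's/#.*$//' "$1")   # drop comments so commented-out lines do not count
    # Only TLSv1.2 or newer may be offered; legacy versions are findings.
    protos=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set (older nginx defaults include TLSv1/TLSv1.1)"
        findings=$((findings + 1))
    else
        case " $protos " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
                echo "ssl_protocols offers legacy versions: $protos"
                findings=$((findings + 1)) ;;
        esac
    fi
    # Directives the baseline requires to be present.
    for d in ssl_certificate ssl_certificate_key ssl_dhparam ssl_ciphers; do
        printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$d[[:space:]]" \
            || { echo "$d missing"; findings=$((findings + 1)); }
    done
    # Server-side cipher ordering must be switched on, not merely present.
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on[[:space:]]*;' \
        || { echo "ssl_prefer_server_ciphers is not on"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Constructed sample configs for the demo; paths, cert names and ciphers are placeholders.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
EOF
cat > "$HARD_CONF" <<'EOF'
server {
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
EOF
audit_nginx_ssl "$WEAK_CONF" || echo "weak sample has findings (expected)"
```

The function reads a single file and does not follow `include` directives, so point it at the file that actually holds the server block; it complements, rather than replaces, the syntax check `nginx -t`.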


Changing Administrator Passwords

During the idenprotect Core Platform installation, a few default accounts are added. Some of these enable communication between applications, but we recommend that the default password for the built-in administrator account is always changed. See our guidance on Changing Admin Passwords.