Symantec Access Management

  • 1.  How to strip FCC capabilities of an IIS WebAgent to the minimum needed?

    Posted May 19, 2015 01:20 PM

    Hello All,

     

    I have a SiteMinder 12.51 deployment with a central login page architecture.

    All Web Agents are 12.51 for IIS on Windows 2008 R2.

     

    I've been asked by my employer to minimize the risk of hackers exploiting the FCC mechanism and pages, but on the other hand to leave the local login.fcc in place for troubleshooting purposes.

     

    I thought of the following:

    1. Block access from the internet to the siteminderagent virtual directory

    2. Delete all contents of the example folder, leaving only login.fcc

    3. Remove all IIS handler mappings except *.fcc

    4. Secure the login.fcc page as described here

     

    Is there anything else I can do or is there a simpler approach?

     

    Thanks,

    Michael.



  • 2.  Re: How to strip FCC capabilities of an IIS WebAgent to the minimum needed?
    Best Answer

    Posted May 19, 2015 02:33 PM

    Michael

     

    My 1 cent

     

    Harden.

    1. SSL / https termination on Server rather than on GLBs or DNS or ISA Server (Microsoft).
    2. ACO Parameter : IgnoreExtn (remove the SiteMinder extensions; please understand what each extension refers to before removing it)
    3. ACO Parameter : IgnoreURL (add login.fcc to IgnoreURL, because we removed .fcc from IgnoreExtn)
    4. It may be necessary to copy and rename the siteminderagent folder and login.fcc. Try to use the renamed ones and test (so they are not obvious).
      • A different variant would be URL masking using GLBs
      • e.g. you do a POST to /login.do.
        • When the request reaches the GLB, the GLB translates /login.do into /siteminderagent/forms/login.fcc.
        • Hence this is not exposed externally.

     

     

    Additional security considerations for the central authentication server.

    1. ACO Parameter : UseSecureCookies=Yes.
    2. ACO Parameter : UseHTTPOnlyCookies=Yes.
    3. ACO Parameter : UseSecureURLs=Yes.
    4. ACO Parameter : EncryptAgentName=Yes.

     

    NOTE : Make sure you check the implications of setting these in a multi-domain SSO (with CookieProvider).

     

     

    Regards

    Hubert
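
    Added example (my own, not code from this thread or from the product): a small Python model of the IgnoreExt/IgnoreURL change in steps 2-3 of the reply above and a Set-Cookie check for the UseSecureCookies / UseHTTPOnlyCookies settings. The ACO parameter the reply calls IgnoreExtn is named IgnoreExt in the ACO; the model uses that key. The matching rules are simplifying assumptions (IgnoreExt matches the file extension case-insensitively, IgnoreURL matches when the listed string occurs anywhere in the path, case-sensitively), and every ACO value, URL and Set-Cookie line below is constructed sample data, not captured from a real deployment.

```python
"""Added example, not code from the original thread or from the vendor.

A model of the two ACO settings discussed in the reply (IgnoreExt /
IgnoreURL) and a Set-Cookie check for UseSecureCookies / UseHTTPOnlyCookies.
Matching rules are simplifying ASSUMPTIONS: IgnoreExt matches the URL's
file extension case-insensitively and IgnoreURL matches when the listed
string occurs anywhere in the path (case-sensitively).  All ACO values,
URLs and headers below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed "before" ACO: .fcc is in IgnoreExt, so every .fcc file
# (logout.fcc, password-services FCCs, leftovers in the example folder)
# is bypassed by the agent, not just the login page.
BEFORE = {
    "IgnoreExt": ".class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc",
    "IgnoreURL": "",
}

# Constructed "after" ACO following the reply: drop .fcc (and the other
# SiteMinder extensions) from IgnoreExt and name only the login page in
# IgnoreURL, so every other .fcc is subject to policy.
AFTER = {
    "IgnoreExt": ".class,.gif,.jpg,.jpeg,.png",
    "IgnoreURL": "/siteminderagent/forms/login.fcc",
}


def _csv(value):
    """Split a comma-separated ACO value into non-empty, stripped items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _extension(path):
    """Return the lower-cased extension of the last path segment, or ''."""
    segment = path.rsplit("/", 1)[-1]
    dot = segment.rfind(".")
    return segment[dot:].lower() if dot != -1 else ""


def is_ignored(url, aco):
    """True if (under the assumed rules) the agent skips enforcement."""
    path = urlsplit(url).path  # query string is not part of the match
    if any(s in path for s in _csv(aco["IgnoreURL"])):
        return True
    return _extension(path) in {e.lower() for e in _csv(aco["IgnoreExt"])}


def bypass_report(urls, aco):
    """Map each URL to whether the agent would bypass it under 'aco'."""
    return {u: is_ignored(u, aco) for u in urls}


def cookie_findings(set_cookie_headers, names=("SMSESSION",)):
    """Return findings for cookies missing Secure/HttpOnly (empty = OK)."""
    flags = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        flags[name] = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    for n in names:
        f = flags.get(n)
        if f is None:
            findings.append(f"{n}: cookie not set")
            continue
        if "secure" not in f:
            findings.append(f"{n}: missing Secure (set UseSecureCookies=Yes)")
        if "httponly" not in f:
            findings.append(f"{n}: missing HttpOnly (set UseHTTPOnlyCookies=Yes)")
    return findings


# Constructed probe URLs and Set-Cookie lines for the demonstration.
PROBES = [
    "https://sso.example.com/siteminderagent/forms/login.fcc",
    "https://sso.example.com/siteminderagent/forms/logout.fcc",
    "https://sso.example.com/siteminderagent/forms/smpwservices.fcc",
    "https://sso.example.com/siteminderagent/forms/LOGIN.FCC?TARGET=/app/",
    "https://sso.example.com/app/index.html",
]
WEAK_COOKIE = ["SMSESSION=abc123; path=/; domain=.example.com"]
HARD_COOKIE = ["SMSESSION=abc123; path=/; domain=.example.com; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, aco in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for u, skipped in bypass_report(PROBES, aco).items():
            print(f"  {'BYPASSED' if skipped else 'enforced'}  {u}")
    print("weak cookie:", cookie_findings(WEAK_COOKIE))
    print("hard cookie:", cookie_findings(HARD_COOKIE))
```

    Running it shows the point of steps 2-3: with the "before" ACO every probe ending in .fcc is bypassed, while with the "after" ACO only the one login.fcc path listed in IgnoreURL is. Two caveats follow from the model itself: IgnoreURL is a substring match, so a short value such as `login.fcc` would also bypass any other path containing it, and the model matches case-sensitively, so the upper-case LOGIN.FCC probe is enforced even though IIS would serve the same file; probe case variants and confirm the real agent's behaviour before relying on either property.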



  • 3.  Re: How to strip FCC capabilities of an IIS WebAgent to the minimum needed?

    Posted May 20, 2015 03:05 AM

    Hubert,

     

    Thanks for the fast reply!

     

    I believe that this is sufficient for me.

     

    Regards,

    Michael.