I have a SiteMinder 12.51 deployment with a central login page architecture.
All Web Agents are 12.51 for IIS on Windows 2008 R2.
I've been asked by my employer to minimize the risk of hackers exploiting the fcc mechanism and pages, but on the other hand to leave the local login.fcc in place for troubleshooting purposes.
I thought of the following:
1. Block access from the internet to the siteminderagent virtual directory
2. Delete all contents of the example folder, leaving only login.fcc
3. Remove all IIS handler mappings except for *.fcc
4. Secure login.fcc page as described here
Is there anything else I can do or is there a simpler approach?
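The four steps above, scripted for IIS 7.5 with the WebAdministration module, as an added example that is not part of the original post or of any CA/SiteMinder documentation. The site name, the path of the folder that holds login.fcc and the internal address range are assumptions and must be replaced with the real values; the script leaves -WhatIf on the delete step so the result can be reviewed before anything is removed.

```powershell
# Added example: hardening the siteminderagent virtual directory on IIS 7.5
# (Windows 2008 R2) along the lines of the four steps in the question.
# Every path and address below is an assumption for illustration only.
Import-Module WebAdministration

$siteName   = 'Default Web Site'                                   # assumption
$vdirLoc    = "$siteName/siteminderagent"                          # IIS location path
$vdirPsPath = "IIS:\Sites\$siteName\siteminderagent"
$formsDir   = 'C:\Program Files\CA\webagent\samples\forms'         # assumption: folder that holds login.fcc
$appHost    = 'MACHINE/WEBROOT/APPHOST'
$trustedIp  = '10.0.0.0'                                           # assumption: internal range that may use the FCC pages
$trustedMask = '255.0.0.0'

# Step 1: IIS "IP and Domain Restrictions" on the virtual directory only:
# deny everything that is not listed, then list the internal range.
Set-WebConfigurationProperty -PSPath $appHost -Location $vdirLoc `
    -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty -PSPath $appHost -Location $vdirLoc `
    -Filter 'system.webServer/security/ipSecurity' -Name '.' `
    -Value @{ ipAddress = $trustedIp; subnetMask = $trustedMask; allowed = $true }

# Step 2: empty the sample folder except for login.fcc (dry run until -WhatIf is removed).
Get-ChildItem -Path $formsDir -Force |
    Where-Object { $_.Name -ne 'login.fcc' } |
    Remove-Item -Recurse -Force -WhatIf

# Step 3: drop every handler mapping on the virtual directory other than *.fcc.
# Inherited handlers are removed for this location only; the parent site is untouched.
Get-WebHandler -PSPath $vdirPsPath |
    Where-Object { $_.path -ne '*.fcc' } |
    ForEach-Object { Remove-WebHandler -Name $_.name -PSPath $vdirPsPath }

# Verification: what is left on the virtual directory after the change.
Get-WebHandler -PSPath $vdirPsPath | Select-Object name, path, verb
Get-WebConfiguration -PSPath $appHost -Location $vdirLoc `
    -Filter 'system.webServer/security/ipSecurity/add' |
    Select-Object ipAddress, subnetMask, allowed
```

Two things to check before running it for real: the IP and Domain Restrictions role service must be installed or the ipSecurity section is not available, and if login.fcc references images or style sheets served from the same virtual directory, the handler that serves them (for example the static file handler) must stay in the list in step 3, otherwise the login page renders without them.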
My 1 cent
Additional Security Consideration for Central Authentication Server.
NOTE: Make sure you check the implication of setting these on a Multi-Domain SSO (with CookieProvider).
Thanks for the fast reply!
I believe that this is sufficient for me.