Symantec Access Management

Expand all | Collapse all

How to strip FCC capabilities of an IIS WebAgent to the minimum needed?

Jump to Best Answer
  • 1.  How to strip FCC capabilities of an IIS WebAgent to the minimum needed?

    Posted 05-19-2015 01:20 PM

    Hello All,

     

    I have a SiteMinder 12.51 deployment with a central login page architecture.

    All Web Agents are 12.51 for IIS on Windows 2008 R2.

     

    I've been asked by my employer to minimize the risk of exploiting fcc mechanism and pages by hackers but on the other hand to leave the local login.fcc for troubleshooting purposes.

     

    I though of the following:

    1. Block access from the internet to the siteminderagent virtual directory

    2. Delete all contents of the example folder, leaving only login.fcc

    3. Remove all IIS handler mapping except of *.fcc

    4. Secure login.fcc page as described here

     

    Is there anything else I can do or is there a simpler approach?

     

    Thanks,

    Michael.



  • 2.  Re: How to strip FCC capabilities of an IIS WebAgent to the minimum needed?
    Best Answer

    Posted 05-19-2015 02:33 PM

    Michael

     

    My 1 cent

     

    Harden.

    1. SSL / https termination on Server rather than on GLBs or DNS or ISA Server (Microsoft).
    2. ACO Parameter : IgnoreExtn (remove the siteminder extensions, please understand what each extension refers to and then remove)
    3. ACO Parameter : IgnoreURL (Add login.fcc to IgnoreURL; because we removed .fcc from IgnoreExtn)
    4. May be needed copy and rename the siteminderagent folder and login.fcc. Try to use the renamed ones and test (thus they are not obvious).
      • A different variant would be URL masking using GLBs
      • e.g. You do a post to /login.do.
        • When the request reach GLB, the GLB behind translate /login.do into /siteminderagent/forms/login.fcc.
        • Hence this is not exposed out.

     

     

    Additional Security Consideration for Central Authentication Server.

    1. ACO Parameter : UseSecureCookies=Yes.
    2. ACO Parameter : UseHTTPOnlyCookies=Yes.
    3. ACO Parameter : UseSecureURLs=Yes.
    4. ACO Parameter : EncryptAgentName=Yes.

     

    NOTE : Make sure you check the implication of setting these on a Multi-Domain SSO (with CookieProvider).

     

     

    Regards

    Hubert



  • 3.  Re: How to strip FCC capabilities of an IIS WebAgent to the minimum needed?

    Posted 05-20-2015 03:05 AM

    Hubert,

     

    Thanks for the fast reply!

     

    I believe that this is sufficient for me.

     

    Regards,

    Michael.