Additional Hardening Measures
Change the Default /admin URL
• Recommendation: Change the default /admin URL to a custom, non-predictable URL to reduce the risk of brute-force or automated attacks targeting the administration portal.
• Example: Instead of using https://<Gateway-IP>/admin, use something like https://<Gateway-IP>/<customAdminPath>.
• Configuring this adds a further layer of obscurity, making it harder for attackers to locate the management interface.
Disable ICS Management on Internal and External Interfaces When the Management Interface Is Enabled
• Recommendation: If the dedicated management interface is enabled, disable ICS management access on both the Internal and External interfaces.
• This approach ensures that management access does not interfere with user traffic or the VPN tunnel flow. Without this configuration, a VPN user with an active tunnel could loop back to the internal interface and reach the administrative portal.
• This reduces the attack surface and ensures a clear segregation of user and admin traffic.
Enforce Strong Password and Account Management for Local Admins
• Recommendations:
  • Change local admin account passwords regularly.
  • Ensure each ICS gateway has a unique local admin account password to prevent lateral movement if one gateway is compromised.
  • Use a password management solution to generate and store randomized, complex passwords.
  • Implement an organization-wide policy for password expiration intervals.
Utilize a Single "Break Glass" Local Admin Account
• Recommendation: Maintain only one break-glass local admin account per device for emergencies (such as recovery during an AD or RADIUS outage).
• All other admin accounts should authenticate through Active Directory (AD) groups, RADIUS, or certificate-based authentication methods.
• MFA (Multifactor Authentication) must be enabled for all external and internal admin access.
• This reduces dependency on local accounts and enforces centralized management with enhanced monitoring and controls.
Enable CSP (Content Security Policy) Filters
• Recommendation: Enable CSP (Content Security Policy) filters to protect against content injection attacks such as Cross-Site Scripting (XSS) and to mitigate the risk of browser-based vulnerabilities.
• By limiting which scripts, styles, and objects the web interface can load, this provides an added security layer for the ICS admin portal.
• Review Ivanti's documentation for details on configuring CSP settings.
Leverage Web Application Firewall (WAF) Features
• Recommendation: Prepare and plan for leveraging WAF (Web Application Firewall) functionality, as WAF features are expected to be introduced in ICS. A WAF will further enhance security by:
  • Protecting against advanced threats such as SQL injection, XSS, and zero-day vulnerabilities.
  • Allowing administrators to create custom security policies for application-layer traffic management.
Enable Logging for "Unauthenticated Access" (If Needed, With Caution)
• Recommendation: Consider enabling the logging option for "unauthenticated access" to monitor and capture unauthorized attempts to access the ICS gateway.
• Caution: Be aware that enabling this may impact system performance, especially in high-traffic environments.
• Ensure logs are forwarded to an external syslog server (or SIEM solution) for aggregation, monitoring, and analysis.
• Regularly review these logs to detect potential reconnaissance or unauthorized access attempts.
• Disable administrative access to the ICS VPN appliance(s) from the external (internet-facing) port.
  Administrator > Admin Realms > Select Realm > Authentication Policy > Source IP > Ensure that “Enable administrators to sign in on the External Port” is not enabled.
• Minimize the scope of internal connectivity paths that could be leveraged for lateral movement from the management interface of ICS VPN appliance(s).
• Ensure the appliance(s) is configured with a minimum two-arm or three-arm topology,
The following hardening measures should be considered:
• Enable Source IP Based Restrictions for the Administrator Realm.
  Administrators > Admin Realms > Admin Users > Authentication Policy > Source IP
• Enable MFA for the administrator sign-in URL.
• Configure the Management interface to allow administrator sign-in, and disable administrator sign-in on the Internal Port.
  Administrators > Admin Realms > Admin Users > Authentication Policy > Administrator sign in ports
• Disable Session Roaming, which mitigates the impact of a stolen session cookie being reused from a different IP address that does not correlate to the user who initially logged in.
  • Users: Users > User Roles > <role name> > General > Session Options: Roaming Session, select Disabled
  • Admins: Administrators > Admin Roles > <role name> > General > Session Options: Roaming Session, select Disabled
• Enforce Session Lifetime Limits to reduce the risk of a stolen session being continuously reused by an attacker. Mandiant recommends session lengths of 8-12 hours, although this may need to be adjusted based on business needs and requirements.
  • Users: Users > User Roles > <role name> > General > Session Options: Session lifetime lengths
  • Admins: Administrators > Admin Roles > <role name> > General > Session Options: Session lifetime lengths
• Do not allow Persistent Sessions, to reduce the risk of a stolen session being continuously reused by an attacker.
  • Users: Users > User Roles > <role name> > General > Session Options: Persistent Session, select Disabled
  • Admins: Administrators > Admin Roles > <role name> > General > Session Options: Persistent Session, select Disabled
• Enable Remove Browser Session Cookies to reduce the risk of browser session cookie theft.
  • Users: Users > User Roles > <role name> > General > Session Options: Remove Browser Session Cookie, select Enabled
  • Admins: Administrators > Admin Roles > <role name> > General > Session Options: Remove Browser Session Cookie, select Enabled
• Enable HTTP Only Device Cookie to reduce the risk of cookie theft.
  • Users: Users > User Roles > <role name> > General > Session Options: HTTP Only Device Cookie, select Enabled
  • Admins: Administrators > Admin Roles > <role name> > General > Session Options: HTTP Only Device Cookie, select Enabled
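As an added example (not part of this guide and not Ivanti's code), the following Python script audits captured login-page response headers against the CSP filter recommendation, the HTTP Only cookie settings just listed, and the custom admin URL recommendation; the two sample responses and the SESSIONID cookie name are constructed placeholders, not real ICS output.

```python
# Added example, not Ivanti's code: offline audit of captured login-page response
# headers. Both responses are CONSTRUCTED; the cookie name SESSIONID is a placeholder.
HARDENED = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""

WEAK = """HTTP/1.1 200 OK
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'
Set-Cookie: SESSIONID=abc123; Path=/
"""

def parse_response(raw):
    # Split a raw HTTP response head into (status_code, [(name, value), ...]).
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def check_csp(headers):
    """Flag a missing CSP, or default/script sources that allow inline or any origin."""
    csp = [v for n, v in headers if n == "content-security-policy"]
    if not csp:
        return ["CSP header missing: enable the CSP filter"]
    findings = []
    for directive in csp[0].split(";"):
        parts = directive.split()
        if parts and parts[0] in ("default-src", "script-src") and ("'unsafe-inline'" in parts or "*" in parts):
            findings.append(f"{parts[0]} permits inline or wildcard sources")
    return findings

def check_cookies(headers):
    """Every cookie the portal sets must carry HttpOnly and Secure."""
    findings = []
    for n, v in headers:
        if n == "set-cookie":
            name = v.split("=", 1)[0]
            flags = {f.strip().lower() for f in v.split(";")[1:]}
            findings += [f"cookie {name} lacks {f}" for f in ("httponly", "secure") if f not in flags]
    return findings

def audit(raw, path):
    """Combine the checks; a 200 on the default /admin path is itself a finding."""
    status, headers = parse_response(raw)
    findings = ["default /admin path still served"] if (path == "/admin" and status == 200) else []
    return findings + check_csp(headers) + check_cookies(headers)
```

Run audit() against the headers captured from your own appliance's login page; an empty list means every checked item matches the guidance above.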