Overview

This document outlines security hardening measures for ICS Server, emphasizing best practices, a secure-by-default approach, and enforcement of the secured options.

Adhering to the outlined deployment best practices helps organizations maintain a secure and resilient IT environment, safeguarding sensitive data and minimizing the impact of potential security threats.

Security Compliance: Following these practices helps organizations comply with security standards and regulations, ensuring that sensitive data is protected against unauthorized access.

Risk Mitigation: By encrypting configuration files and changing passwords regularly, businesses reduce the risk of data breaches and minimize the potential impact of any security incidents.

Operational Continuity: Secure practices maintain the operational continuity of IT systems by preventing unauthorized changes or disruptions that could result from compromised credentials or configurations.

Maintenance and software upgrades:

Ensure regular software updates

Keeping software and systems up to date is one of the most effective ways to patch vulnerabilities and improve security.

Review EOS policies

Systems that have reached End-of-Support (EOS) are no longer updated, leaving them vulnerable to attacks.

Subscribe to product notifications via forums, blogs, and security advisories

Staying informed about potential risks, updates, and product advisories is crucial for proactive security management.

Best Practices to Secure and Manage ICS Deployment Environments

Best Practice and Description

Standard Protection Steps for Network and Filesystems

This typically includes measures like firewall configurations, network segmentation, intrusion detection/prevention systems  and secure file permissions on filesystems. These are fundamental to protecting against unauthorized access and attacks.

Encryption of ICS Configuration XML and Secure Storage

Encrypting sensitive configuration files such as ICS configuration XML ensures that even if an attacker gains access to the file, they cannot easily decipher its contents. Storing these encrypted files in a secure repository or vault adds another layer of protection against unauthorized access.

If the administrator cannot secure the XML contents as suggested above, the recommended export method is binary export.

The recommended way to transfer configuration and settings is to export the binary configuration, because the files can be password-protected during the export itself.

Changing Passwords if ICS Configuration XML is Exposed

If the ICS configuration XML (which likely contains sensitive information like passwords) is compromised, it's crucial to change the passwords of internal servers or services that the ICS communicates with. This prevents unauthorized access using the exposed credentials.

Implementing Healthy Password Rotation Policy

Having a policy that enforces regular password changes enhances security by minimizing the risk associated with leaked or outdated credentials. Regular password changes also make older copies of the ICS configuration XML obsolete, reducing their value to an attacker.
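The "Encryption of ICS Configuration XML and Secure Storage" practice above can be implemented with an authenticated cipher and a key that lives in the vault rather than beside the export. The Go program below is an added example written for this page, not Ivanti code: it seals a constructed XML snippet with AES-256-GCM using a key read from the hypothetical ICS_CONFIG_KEY environment variable (standing in for a vault lookup), binds the export file name as associated data, and shows that any modification of the stored blob is rejected on decryption. The variable name, the file label and the sample XML are assumptions; the real export format is not shown on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// sampleConfigXML is constructed sample data; the real export format is not
// shown on the page and is not assumed here.
const sampleConfigXML = `<config><ldap><bindPassword>CHANGE-ME</bindPassword></ldap></config>`

// NewKey returns a fresh random AES-256 key. In a real workflow the key is
// generated once, stored in the vault, and never kept next to the export.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// LoadKeyFromEnv reads the vault-supplied key from ICS_CONFIG_KEY (a hypothetical
// variable name) as 64 hex characters. A passphrase is never hashed into a key
// here; the password-protected binary export on the page covers that case.
func LoadKeyFromEnv() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("ICS_CONFIG_KEY"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("ICS_CONFIG_KEY must hold 32 bytes as 64 hex characters")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the export with AES-256-GCM and returns nonce||ciphertext||tag.
// label (for example the export file name) is bound as associated data, so a
// blob cannot be silently renamed or swapped for another export under this key.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal and fails closed if the blob, the key or the label differ.
func Open(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

func main() {
	key, err := LoadKeyFromEnv()
	if err != nil {
		fmt.Println("no vault key in the environment, using a throwaway key for the demo:", err)
		key = NewKey()
	}
	blob, err := Seal(key, []byte(sampleConfigXML), "ics-export.xml")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes of XML into %d bytes\n", len(sampleConfigXML), len(blob))
	blob[len(blob)-1] ^= 1 // simulate a one-bit change to the stored file
	if _, err := Open(key, blob, "ics-export.xml"); err != nil {
		fmt.Println("tampered export rejected:", err)
	}
}
```

Keep the key in the vault and only the sealed blob in the repository; inject ICS_CONFIG_KEY for the duration of the export or import job and nothing else. Because GCM is authenticated, a wrong key, a renamed file or a single flipped byte all fail decryption rather than yielding corrupted XML.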

Certificate Expiry and Revocation

Certificate management is a critical component of maintaining security. Proper handling of certificate expiry and revocation ensures the system isn't vulnerable to threats like impersonation, data interception, or denial of service. Below are best practices tailored for Ivanti Connect Secure environments:

Use Certificates from a Reputable Certificate Authority (CA)

  • Always use certificates from a trusted and well-recognized Certificate Authority (CA). Self-signed certificates are generally discouraged except in isolated test environments.

  • Ensure the CA is compliant with industry standards such as CA/Browser Forum guidelines.

Implement a Certificate Lifecycle Management Process

  • Use automated tools to track certificate expiration dates to avoid disruptions.

  • Configure reminders for administrators to renew certificates well in advance (e.g., at least 30-60 days prior to expiration).

  • Regularly review and audit certificate usage.

Verify Certificate Expiration Policy

  • Before deploying or renewing a certificate, ensure the validity is reasonable. Industry standards often recommend a maximum expiration period of 1–2 years, though shorter durations (e.g., 90 days with automation) are increasingly common for better security.

  • Consider subscribing to services like Let's Encrypt for automated short-lifecycle certificates.

Enable Online Certificate Status Protocol (OCSP)

  • OCSP ensures real-time verification of certificate revocation status. Ivanti Connect Secure supports the use of OCSP responders to validate certificates.

  • Configure OCSP settings in Ivanti to ensure invalid certificates (revoked by CA) are automatically blocked.

Implement Certificate Revocation List (CRL) Checking

  • Ensure Ivanti Connect Secure regularly downloads and checks the CA’s Certificate Revocation Lists (CRLs).

  • Set up automated CRL updates and validation testing during deployment.

Enforce Strong Encryption Standards

  • Validate that the certificates used on Ivanti Connect Secure meet strong encryption standards (minimum 2048-bit RSA keys or comparable ECC keys).

  • Ensure that TLS configuration aligns with best practices:

    • Support only TLS 1.2 and TLS 1.3.

    • Disable legacy protocols such as SSL and TLS 1.0/1.1.

Avoid Wildcard Certificates (Where Possible)

  • Use individual certificates for specific domains rather than wildcard certificates to minimize exposure.

  • Consider using SAN (Subject Alternative Name) certificates for environments requiring multiple domain support.

Certificate Renewal

  • Certificates should be renewed before they expire.

Configure Alerts for Expired or Revoked Certificates

  • Configure Ivanti Connect Secure to send alerts if:

    • A certificate is about to expire (e.g., within 30 days).

    • A certificate is determined to be revoked.
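The expiry-warning, key-strength, wildcard and TLS-version rules above can be checked mechanically. The Go program below is an added example written for this page, not Ivanti code, and it does not talk to an appliance: it builds two constructed self-signed certificates (one compliant, one with a 1024-bit RSA key, a wildcard name and 10 days of validity left), applies the rules from this section to both, and then probes a local listener restricted to TLS 1.2+ to confirm that TLS 1.0 and 1.1 are refused. The 30-day warning threshold, the example host names and the self-signed test material are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckCert applies the page's certificate rules: warn when expiry falls within
// warnDays, require RSA >= 2048 bits or an ECC curve of at least P-256, and flag
// wildcard SAN entries. An empty result means the certificate passes.
func CheckCert(cert *x509.Certificate, now time.Time, warnDays int) []string {
	var findings []string
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate has expired")
	} else if cert.NotAfter.Sub(now) < time.Duration(warnDays)*24*time.Hour {
		findings = append(findings, fmt.Sprintf("certificate expires within %d days", warnDays))
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			findings = append(findings, "RSA key shorter than 2048 bits")
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < 256 {
			findings = append(findings, "ECC curve weaker than P-256")
		}
	default:
		findings = append(findings, "unexpected public key type")
	}
	for _, n := range cert.DNSNames { // SANs are the names TLS clients actually match
		if strings.HasPrefix(n, "*.") {
			findings = append(findings, "wildcard name: "+n)
		}
	}
	return findings
}

// ProbeVersions opens one connection per protocol version against addr and
// reports which versions the server accepts; TLS1.0 and TLS1.1 must come back false.
func ProbeVersions(addr string) map[string]bool {
	versions := map[string]uint16{"TLS1.0": tls.VersionTLS10, "TLS1.1": tls.VersionTLS11,
		"TLS1.2": tls.VersionTLS12, "TLS1.3": tls.VersionTLS13}
	accepted := map[string]bool{}
	for name, v := range versions {
		// InsecureSkipVerify only because the demo listener below uses a self-signed certificate.
		conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true})
		accepted[name] = err == nil
		if err == nil {
			conn.Close()
		}
	}
	return accepted
}

// must panics on error so the constructed demo data stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned makes a throwaway self-signed certificate (constructed test data;
// production uses CA-issued certificates, as the page recommends).
func selfSigned(key crypto.Signer, name string, validFor time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

// Demo runs both checks on constructed data: a compliant P-256 certificate, a
// non-compliant one (1024-bit RSA, wildcard, 10 days left) and a local listener
// limited to TLS 1.2+ that stands in for a correctly configured appliance.
func Demo() (goodFindings, badFindings []string, accepted map[string]bool) {
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	good := selfSigned(ecKey, "vpn.example.com", 365*24*time.Hour)
	weakKey := must(rsa.GenerateKey(rand.Reader, 1024))
	bad := selfSigned(weakKey, "*.example.com", 10*24*time.Hour)
	srv := &tls.Config{MinVersion: tls.VersionTLS12, // SSL and TLS 1.0/1.1 are refused
		Certificates: []tls.Certificate{{Certificate: [][]byte{good.Raw}, PrivateKey: ecKey}}}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { defer c.Close(); c.Handshake() }(c.(*tls.Conn))
		}
	}()
	now := time.Now()
	return CheckCert(good, now, 30), CheckCert(bad, now, 30), ProbeVersions(ln.Addr().String())
}

func main() { fmt.Println(Demo()) }
```

To turn this into a deployment check, point ProbeVersions at the appliance's host name and port and pass the certificate it serves to CheckCert; a hardened deployment yields no findings and a version map in which only TLS1.2 and TLS1.3 are true. The wildcard rule looks at SAN entries only, since those are the names clients validate against.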

Use Role-Based Access Control (RBAC)

  • Restrict access to certificate management functionality based on role-based access control (RBAC) principles.

  • Only administrators with explicit privileges should have access to certificate installation or renewal features in Ivanti Connect Secure.

Use High-Assurance Certificates for Critical Systems

  • For sensitive deployments (e.g., authentication portals or endpoints handling sensitive data), use Extended Validation (EV) or Organization Validation (OV) certificates for increased trust and assurance.

Regularly Update Ivanti Connect Secure

  • Keep Ivanti Connect Secure up to date with the latest patches to ensure compatibility with recent certificate standards and security improvements.

Audit and Report Compliance

  • Regularly audit certificates and their configurations for compliance with organizational policies and external regulations (e.g., PCI-DSS, HIPAA).

Console Access Protection

Protect the console with a password, especially in virtual environments, which expose remote console access when deployed in the cloud.