Overview
This document outlines security hardening measures for ICS Server, emphasizing deployment best practices, a secure-by-default approach, and enforcement of the secured configuration options.
Adhering to the outlined deployment best practices helps organizations maintain a secure and resilient IT environment, safeguarding sensitive data and minimizing the impact of potential security threats.
• Security Compliance: Following these practices helps organizations comply with security standards and regulations, ensuring that sensitive data is protected against unauthorized access.
• Risk Mitigation: By encrypting configuration files and changing passwords regularly, businesses reduce the risk of data breaches and minimize the potential impact of any security incident.
• Operational Continuity: Secure practices maintain the operational continuity of IT systems by preventing unauthorized changes or disruptions that could result from compromised credentials or configurations.
• Maintenance and software upgrades:
  • Ensure regular software updates: keeping software and systems up to date is one of the most effective ways to patch vulnerabilities and improve security.
  • Review EOS policies: systems that have reached End-of-Support (EOS) are no longer updated, leaving them vulnerable to attacks.
  • Subscribe to product notifications via forums, blogs and security advisories: staying informed about potential risks, updates, and product advisories is crucial for proactive security management.
Best Practices to Secure and Manage ICS Deployment Environments
| Best Practices | Description |
|---|---|
| Standard Protection Steps for Network and Filesystems | This typically includes measures like firewall configuration, network segmentation, intrusion detection/prevention systems, and secure file permissions on filesystems. These are fundamental to protecting against unauthorized access and attacks. |
| Encryption of ICS Configuration XML and Secure Storage | Encrypting sensitive configuration files such as the ICS configuration XML ensures that even if an attacker gains access to the file, they cannot easily decipher its contents. Storing these encrypted files in a secure repository or vault adds another layer of protection against unauthorized access. If the admin is not able to secure the XML contents as suggested, the recommended way to export the configuration is binary export: binary configuration export is the recommended way to transfer configuration and settings because the files can be password protected during the export itself. |
| Changing Passwords if ICS Configuration XML is Exposed | If the ICS configuration XML (which likely contains sensitive information such as passwords) is compromised, it is crucial to change the passwords of the internal servers or services that the ICS communicates with. This prevents unauthorized access using the exposed credentials. |
| Implementing a Healthy Password Rotation Policy | A policy that enforces regular password changes enhances security by minimizing the risk associated with leaked or outdated credentials. Older versions of the ICS config XML become obsolete once passwords are changed and updated, which reduces their value to potential attackers. |
| Certificate Expiry and Revocation | Certificate management is a critical component of maintaining security. Proper handling of certificate expiry and revocation ensures the system is not vulnerable to threats like impersonation, data interception, or denial of service. Best practices tailored for Ivanti Connect Secure environments: use certificates from a reputable Certificate Authority (CA); implement a certificate lifecycle management process; verify the certificate expiration policy; enable Online Certificate Status Protocol (OCSP); implement Certificate Revocation List (CRL) checking; enforce strong encryption standards; avoid wildcard certificates where possible; renew certificates before they expire; configure alerts for expired or revoked certificates; use role-based access control (RBAC); use high-assurance certificates for critical systems; regularly update Ivanti Connect Secure; audit and report compliance. |
| Console Access Protection | Protect the console with a password, especially for virtual environments, which have remote console access when deployed in the cloud. |
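The "Certificate Expiry and Revocation" row asks for alerts on expired certificates and for a lifecycle process that renews them in time. The script below is an added example (not code from Ivanti or from this guide) showing the parsing and date logic behind such an alert using only the Python standard library: it walks the DER structure of an X.509 certificate down to the Validity field, decodes UTCTime and GeneralizedTime according to the RFC 5280 rules, and classifies the certificate as ok, expiring, expired or not-yet-valid with a configurable warning window. The sample certificate it builds is constructed test data (structurally minimal, unsigned, empty issuer); the function and tag names are the example's own assumptions.

```python
"""Added example: parse the Validity period of a DER-encoded X.509 certificate and
classify it as ok / expiring / expired / not-yet-valid, the check behind an
"alert on expired certificates" control. Standard library only."""
from datetime import datetime, timedelta, timezone

# ASN.1 DER tags used below
TAG_INTEGER, TAG_OID, TAG_UTCTIME, TAG_GENTIME, TAG_SEQUENCE = 0x02, 0x06, 0x17, 0x18, 0x30
TAG_VERSION = 0xA0  # context-specific [0] EXPLICIT wrapper around the version INTEGER


def read_tlv(data, offset=0):
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits = number of following length octets
        count = length & 0x7F
        length = int.from_bytes(data[offset:offset + count], "big")
        offset += count
    return tag, data[offset:offset + length], offset + length


def children(sequence_value):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    offset = 0
    while offset < len(sequence_value):
        tag, value, offset = read_tlv(sequence_value, offset)
        yield tag, value


def parse_time(tag, value):
    """Decode RFC 5280 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == TAG_UTCTIME:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000  # RFC 5280 two-digit year rule
        rest = text[2:]
    elif tag == TAG_GENTIME:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected tag 0x%02x in Validity" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("certificate times must be in UTC and include seconds")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def certificate_validity(cert_der):
    """Return (notBefore, notAfter) from a DER Certificate by walking
    Certificate -> TBSCertificate -> [version] serial signature issuer validity."""
    _, certificate, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(certificate)
    fields = list(children(tbs))
    if fields and fields[0][0] == TAG_VERSION:
        fields = fields[1:]  # version is optional; skip it when present
    validity = fields[3][1]
    not_before, not_after = (parse_time(tag, value) for tag, value in children(validity))
    return not_before, not_after


def expiry_status(cert_der, now, warn_days=30):
    """Classify a certificate relative to `now`, warning `warn_days` ahead of expiry."""
    not_before, not_after = certificate_validity(cert_der)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"


# --- constructed sample input (hypothetical; not a real or signed certificate) ---

def der(tag, content):
    """Encode one DER TLV, choosing short or long length form as required."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length_bytes = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def build_sample_cert(not_before, not_after):
    """Build a structurally minimal Certificate whose TBSCertificate carries only the
    fields up to Validity (empty issuer, no subject, key or signature). Test data only."""
    utc = lambda dt: der(TAG_UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (
        der(TAG_VERSION, der(TAG_INTEGER, b"\x02"))  # version v3
        + der(TAG_INTEGER, b"\x01")                  # serialNumber 1
        + der(TAG_SEQUENCE, der(TAG_OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
        + der(TAG_SEQUENCE, b"")                     # empty issuer Name
        + der(TAG_SEQUENCE, utc(not_before) + utc(not_after))
    )
    return der(TAG_SEQUENCE, der(TAG_SEQUENCE, tbs))


if __name__ == "__main__":
    sample = build_sample_cert(datetime(2024, 1, 1, tzinfo=timezone.utc),
                               datetime(2025, 1, 1, tzinfo=timezone.utc))
    for when in ("2024-06-01", "2024-12-15", "2025-02-01"):
        now = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
        print(when, expiry_status(sample, now))
```

To check a real certificate, pass the DER bytes of the file to `expiry_status` (for a PEM file, the standard library's `ssl.PEM_cert_to_DER_cert` converts it) and raise the alert whenever the result is not `"ok"`. Note that this check covers expiry only; revocation status still has to come from OCSP or CRL checking as the row recommends, since a certificate can be revoked long before its notAfter date.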