This article applies to:
- Trustwave SEG 10.X
- Management Console website
Question:
- What are the recommended security measures to protect the SEG Management Console website?
Background:
The SEG Management Console website and SEG Config Service website are installed on the SEG 10.X Array Manager computer. These sites allow configuration of email security as well as access to quarantined mail.
By default these sites use HTTPS secured by self-signed certificates.
Procedure:
To ensure security of the Management Console and config service:
Minimize site access from the Internet
For best security do not allow external access to the SEG websites.
- Verify that firewall rules block access to port 443 (Management Console) and port 19007 (Config Service) on the Array Manager from external locations.
- If you are using Windows Firewall on the server, note that port 443 is normally open while port 19007 is normally blocked by Windows Firewall.
- If access to the Management Console is required from external locations, consider setting IP range limits or requiring a VPN connection.
Use Windows Authentication
- Enhance login security by using Windows Authentication (available in SEG 10.0.1 and above).
Set up HTTP Strict Transport Security (HSTS)
HSTS helps to prevent man-in-the-middle redirection of web requests by allowing the client web browser to require HTTPS for a site.
To set up HSTS:
- On the Array Manager server, Open the Internet Information Services (IIS) Manager (Start > Administrative Tools > IIS Manager).
- Expand the SEG Management Console site and select HTTP Response Headers.
- In the Actions panel, click Add.
- In the Add Custom HTTP Response Headers window, enter the following values:
- Name: Strict-Transport-Security
- Value: max-age=31536000
- Save the entry, and exit IIS Manager.
Use strong SSL/TLS
Ensure that older and less secure TLS versions and ciphers are disabled. See Trustwave Knowledgebase article
Q19998.
Use a signed certificate
If you expose the Management Console to the Internet, you should install a SSL certificate signed by a Certificate Authority.