Hello all,
I upgraded to the latest version of DM (v10.4.5.0-14239) and ran the security BPA as part of Kata #29, but the BPA keeps coming back saying it's still insecure, even though I've followed the hardening guides.
Please note HTTP is open, but redirects to https as per the hardening guide.
Screenshot attached.
Am I doing something wrong or is the BPA checker faulty?
Thanks!
Hi James,
I had a look at how the BPA checks for the redirection and it does so by making an http call to http://127.0.0.1 and verifying the returned http status code.
This does not work in your case, since IIS only accepts http calls to 'dataminer', 'dataminer.[REDACTED].local' and 'localhost' (the bindings) and not to '127.0.0.1' (returning a 4XX status code).
I will add an item to the backlog to make the redirect detection more robust. As a workaround for this issue, you can remove all http bindings except for one, and make the hostname of that binding blank. This will make IIS accept http calls to every hostname and then redirect them to https.
Kind regards,
It is expected that the HTTP headers test still shows up, since it is valid for both http and https.
What I mean is that the http headers test is coming back still saying I’ve not set the correct headers as per the hardening guide, but I have.
Excuse me for the misunderstanding. It’s a bit difficult to tell what the problem is without looking at the system, but there are several things you can check:
– Did you restart IIS after making the changes?
– Can you check in a browser with the developer tools whether the changes you made to the headers actually took effect?
– IIS has server-level and site-level settings; depending on where you made your changes, they can be overwritten by the settings of the other level.
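Both BPA tests discussed above (the http-to-https redirect probe against http://127.0.0.1 and the security-headers check) can be reproduced from the command line, which makes it easier to tell a faulty checker from a real misconfiguration. The script below is an added example, not Skyline's BPA code; it uses only the Python standard library. The list of required headers is an assumption standing in for the hardening guide's list, which the thread does not reproduce, and the `probe()` helper deliberately does not follow redirects so that the first response (3xx, 4xx or 2xx) is what gets classified, exactly the situation Seppe describes with the host bindings.

```python
"""Reproduce the two BPA checks from the thread: redirect detection and header check.
Added example, not the BPA's own code. Header list is an assumed stand-in."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumed stand-in for the hardening guide's header list (None = any value accepted).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": None,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": None,
    "Content-Security-Policy": None,
}


def _norm(headers):
    """Lower-case header names so lookups are case-insensitive (IIS may vary case)."""
    return {k.lower(): v for k, v in headers.items()}


def classify_redirect(status, headers):
    """Classify the first response to a plain-http GET.

    'redirect-to-https'  : 3xx with an https Location (what the BPA expects)
    'redirect-not-https' : 3xx but Location is not https
    'rejected'           : 4xx, e.g. no IIS binding matches the Host header
                           (the 127.0.0.1 case from the thread)
    'served-over-http'   : 2xx, no redirect configured at all
    'other'              : anything else (5xx, 1xx)
    """
    h = _norm(headers)
    if 300 <= status < 400:
        location = h.get("location", "")
        return "redirect-to-https" if urlparse(location).scheme == "https" else "redirect-not-https"
    if 400 <= status < 500:
        return "rejected"
    if 200 <= status < 300:
        return "served-over-http"
    return "other"


def missing_headers(headers, required=REQUIRED_HEADERS):
    """Return the names of required headers that are absent or carry the wrong value."""
    h = _norm(headers)
    problems = []
    for name, expected in required.items():
        actual = h.get(name.lower())
        if actual is None:
            problems.append(name)
        elif expected is not None and actual.strip().lower() != expected.lower():
            problems.append(name)
    return problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the raw first response is returned."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, host_header=None, timeout=5):
    """GET url without following redirects; return (status, headers).

    host_header lets you send Host: localhost to http://127.0.0.1 and compare it with
    the bare request the BPA makes, which is how the binding mismatch shows up.
    """
    req = urllib.request.Request(url, method="GET")
    if host_header:
        req.add_header("Host", host_header)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx and 4xx land here with NoRedirect
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # Constructed sample responses; replace with probe("http://127.0.0.1") on the server.
    bpa_style = (404, {"Content-Length": "0"})                  # unmatched binding
    fixed = (301, {"Location": "https://dataminer.example.local/"})
    https_hdrs = {"strict-transport-security": "max-age=31536000",
                  "x-content-type-options": "nosniff"}
    print("127.0.0.1 as BPA sees it:", classify_redirect(*bpa_style))
    print("after wildcard binding:  ", classify_redirect(*fixed))
    print("headers still missing:   ", missing_headers(https_hdrs))
```

On the DataMiner server, `probe("http://127.0.0.1")` mimics the BPA call, and `probe("http://127.0.0.1", host_header="localhost")` shows whether the redirect works once the Host header matches a binding; run `missing_headers()` over the headers returned by `probe("https://localhost/")` to see which guide headers the response actually carries, independently of what the browser developer tools display.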
Yeah, I restarted IIS and even did a server reboot; it looks like they have taken, but could you confirm? https://i.imgur.com/9zN4SHZ.png
Hi all, Seppe and I have looked at this and the new version of DM (10.4.8) will resolve the issues I raised here.
Thanks Seppe. As a means to suppress this message I have added a * http binding, and that's now cleared the http warning, but not the HTTP Headers test.