This article kicks off a new series about security. And more specifically, about how you can make sure your DataMiner system is configured as securely as possible.
Let’s start by stating the obvious: it is recommended to keep your system up to date and to run the most recent version of the chosen release track. Any improvements for known vulnerabilities and any new security-related features are always available in the latest version.
For more information about the most recent version, see DataMiner Software downloads.
In this first post, we’ll talk about securing client-server communication in your DataMiner system.
Communication between DataMiner and any client application is encrypted by default since DataMiner 10.1.7.0. On lower versions, it is recommended to enable the ‘RequireEncryptedConnections‘ setting. This can be done by adding the following tag to the MaintenanceSettings.xml:
Communication is encrypted by the Rijndael algorithm using a 256-bit key, which is negotiated over a 1024-bit RSA encrypted communication channel.
For more information, see Encrypted Connections.
From 10.0.11 and 10.0.0 (CU6) onwards, Web Service connections are considered insecure and deprecated. In older versions, it is recommended to use Remoting instead. This can be configured in the connection settings on the login page.
When the ‘RequireEncryptedConnections’ setting is enabled, it is recommended to make sure clients connect over Remoting, making their connection encrypted. To ensure clients automatically use Remoting, verify the following line contains ‘type=RemotingConnection’ in your ConnectionSettings.txt. This is also an opportune time to revise any exceptions added to this file.
This file is located in C:\Skyline DataMiner\Webpages\ConnectionSettings.txt
When SLNet is running on port 8004 (the default port) and you have disabled Webservices (or use a DataMiner version higher than 10.0.11.0-CU0), you can also block requests to Endpoints.txt. This prevents exposing unnecessary information about the services on your Web Server to potential attackers.
To do this, add an Application Request Filtering Rule that denies requests to Endpoints.txt.
By default, web applications connect to DataMiner over HTTP (80) or HTTPS (443). HTTP is unencrypted and vulnerable to man-in-the-middle attacks. HTTPS mitigates this by using TLS (Transport Layer Security) to encrypt the HTTP traffic.
It is recommended to block all HTTP requests in IIS and redirect all HTTP requests to the HTTPS binding. Follow these steps to enable HTTPS on your DataMiner system. It is recommended to use certificates issued by a trusted Certificate Authority (CA). TLS is considered the upgraded version of SSL (Secure Sockets Layer). In the following matrix, any version of SSL/TLS older than 1.2 is deprecated and thus insecure.
|SSL 2.0||1995||Deprecated since 2011|
|SSL 3.0||1996||Deprecated since 2015|
|TLS 1.0||1999||Deprecated since 2020|
|TLS 1.1||2006||Deprecated since 2020|
|TLS 1.3||2018||Supported (most secure)|
At the time of writing, all major browsers support TLS 1.2, and most of them already support TLS 1.3. Therefore, we recommend disabling all versions of SSL and TLS 1.0/1.1. On systems where all clients support TLS 1.3, it is possible to disable TLS 1.2 as well.
For more information on how to disable SSL/TLS, see:
- Disabling SSL 2.0 by default
- Disabling SSL 3.0 by default
- Disabling TLS 1.0 by default
- Disabling TLS 1.1 by default
- Disabling TLS 1.2 by default
In our next article about the firewall, we will show you how to harden your servers hosting DataMiner.