
User: System administrator

Prerequisites

- not applicable

Introduction

Hardening recommendations when using Futurama.

Description

Futurama is a development platform for calculation and communication applications. It can be used to create three different kinds of applications:

  1. Website applications: to create interactive web applications (edition Futurama Website)
  2. Webservice applications: to create webservices that return the result of a calculation made in Futurama (edition Futurama Webservice)
  3. Export applications: to make an export of personalized data, such as PDF files containing personal financial information (edition Futurama Export)

In many applications Futurama will be used to communicate about personal financial information. It is important to secure the access to this sensitive data. On this page a number of tips are given that can be used to harden the server where the data is installed. Most of these hardening tips are not Futurama specific, but apply industry wide.

Changes

Changes in hardening

Version  Change
21.08    Change redirect in customErrors tag to include ?
21.08    Define a new setting: nonSlidingSessionTimeOut
21.08    Specify to use the Application Pool Identity as the identity for the application pool

Subjects

Mentioned below are several security subjects. Depending on the Futurama edition that is used, these subjects are more or less applicable. The next table shows for each subject whether it applies to each of the three Futurama editions. The subjects are treated in more detail in the next paragraph.

Subject                                        Website  Webservice  Export
Disable trace                                  X
Disable system diagnostics                              X
Logging                                        X        X           X
Secure webservice communication                X        X           X
Encryption data                                X        X           X
Encryption web.config                          X        X           X
HTTPS                                          X        X
Define nonSlidingSessionTimeOut                X
Use cookies                                    X
Security Management Site                       X        X           X
Identity application pool                      X
Firewall                                       X        X           X
Network Intrusion Detection                    X        X           X
HSTS policy                                    X
Securing cookies                               X
Maximizing number of sessions                  X
Verify session on every request                X
Document/Folder restriction                    X        X
Disable download of XML, XLS and XLSX-files    X
Remove comments in files                       X
Don't use a version number                     X        X
Use customErrors                               X
Use robots.txt                                 X
Disable header options                         X
Set X-Frame-Options Header                     X
Remove X-AspNet-Version response header        X
Change value server response header            X
Add rel property to hyperlinks                 X
Upgrade jQuery version                         X
Disable version.aspx                           X
Caching static content                         X
Increase length SessionID Cookie               X

Subjects - more detailed

In the paragraph above a list of hardening subjects is given. In this paragraph each of these subjects is treated in more detail. For each of the subjects a risk profile (low, medium, high) is given.

Disable trace

Risk

High

Explanation

When developing websites the trace setting in the web.config can be used for debugging purposes. The trace information can be retrieved by visiting the trace.axd page of your application. You should not enable trace in a production situation, because this can display sensitive configuration information to anyone who views the website. So enable trace only for debugging purposes and disable it as soon as your website moves to a (pre)production server.

Solution

Within the system.web section disable the trace:

<trace enabled="false"></trace>

Disable system diagnostics

Risk

Low

Explanation

It is possible to log every message that is sent to or received by a webservice. See the paragraph 'Logging webservice messages' on the Configuration - Log page for more information. These webservice logs can contain sensitive information. As this logging information is stored in a secured server location, this isn't a high security risk.

Solution

Disable/remove the system.diagnostics section in the configuration file.

Logging

Risk

Low

Explanation

It is possible to log errors, warnings, information messages and debug messages while developing with Futurama. This information can be used during the development process to troubleshoot. In production this logging can also be used to monitor error messages. This logging information can contain sensitive data. As this logging information is stored in a secured server location, it isn't a high security risk. However, it is recommended to disable the information and debug logging messages. The warning and error messages can stay enabled in order to monitor and solve errors that occur during sessions of your web application.

Solution

See the Configure - Log page for the logging configuration. Set and

Secure webservice communication

Risk

Medium

Explanation

Part of the Futurama functionality is the communication with webservices. There are several situations:

Frequently sensitive data is sent to and from these webservices. It is recommended to secure this communication.

Solution

Futurama supports WCF webservices. This enables you to choose among a wide variety of security options, such as wsHttp-binding with transport or message encryption, wsHttp-binding with a certificate as a credential for the service, basicHttp-binding with authentication, or REST services with an authorization header. See the applicable support pages for more information about the configuration of these WCF webservices.

Encryption data

Risk

Medium

Explanation

Futurama Vision can be used to store your data. This data is usually private. Although your Futurama Vision Database will be securely installed and not publicly available, you can take some extra action to protect your data by encrypting it.

Solution

It is possible to import encrypted data into Futurama Vision. See 'Importing data into Futurama Vision', paragraph 'Encryption', for more information. All sensitive data except the unique identifier of your persons can be encrypted. The passwords to decrypt this information are stored in the configuration file of the Futurama Vision Management Site. To further protect this configuration file, encrypt the section which contains the password. See also the paragraph 'Encryption web.config' on this page for how to encrypt a web.config.

Encryption web.config

Risk

Low

Explanation

Part of the installation of Futurama HTML and the installation of the Futurama Management Site is the configuration of the web.config. The web.config is a special ASP.NET file used in all kinds of ASP.NET web applications. It is possible to encrypt (sections of) this web.config. This makes sense when the web.config contains sensitive information. Although the web.config is a standard ASP.NET file that is already protected from being served to visitors, encrypting this file is an extra protection against malicious use. When the Futurama Management Site is used and the XML data is saved encrypted in the Futurama Vision Database (see paragraph 'Settings for encryption/decryption'), the web.config of the Management Site contains the passwords to encrypt (and decrypt) the data. In this situation encrypting the web.config makes sense.

Solution

Encryption of the web.config can be done with the Aspnet_regiis.exe tool. Decryption of an encrypted config is only possible on the same server where the file was encrypted. This is an extra protection against malicious use. The command for the encryption of (for example) the appSettings section of the config is:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef "appSettings" "location_config"

where location_config is the location where the web.config is saved. To decrypt the web.config use the next command:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf "appSettings" "location_config"

HTTPS

Risk

High

Explanation

When visiting a website over plain HTTP, the traffic exchanged between your browser and the web server is sent in clear text. Therefore, if a malicious third party intercepts the traffic exchanged between the two parties, he or she can read what is being exchanged, such as authentication details or other sensitive personal information. So make sure to encrypt the connection between the browser and the server where your Futurama (web)application is installed.

Solution

Use the HTTPS protocol for your application instead of HTTP.

Define non-sliding session timeout

Risk

High

Explanation

From Futurama version 21.08 and up you can define a hard limit on the session timeout. The default timeout configuration is sliding, which means that if a user performs actions on the website, the session is extended. With this new setting you can define a hard limit. The value is in minutes. So for example, if you want a timeout of two hours, you specify the value 120. If you combine this with a session timeout of 15 minutes, the behavior will be that if a user performs no actions, the session expires after 15 minutes. If a user performs an action every 5 minutes, the session is extended up to the maximum of 120 minutes.

Solution

This setting can be configured in the Futurama specific security-section of the web.config. See this page for information how to define a non-sliding session timeout.
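As an added illustration (not code from the Futurama project), the following Python model shows how the sliding timeout and the non-sliding hard limit from the explanation above interact; the 15 and 120 minute values are the ones from the example, and the function names are assumptions.

```python
# Added model of the two session timers described above (not Futurama code).
# Minutes are used throughout. SLIDING is the classic ASP.NET sessionState
# timeout that is renewed on every request; HARD_LIMIT models the Futurama
# nonSlidingSessionTimeOut, after which the session ends regardless of activity.
SLIDING = 15
HARD_LIMIT = 120


def session_expiry(action_minutes, sliding=SLIDING, hard_limit=HARD_LIMIT):
    """Return the minute (since session start) at which the session expires.

    action_minutes: minutes at which the user sent a request. A request only
    renews the session if it arrives before the session has already expired.
    hard_limit=None models a purely sliding configuration (pre-21.08 behaviour).
    """
    last_activity = 0
    for t in sorted(action_minutes):
        if t > last_activity + sliding:
            break  # idle too long: the session expired before this request
        if hard_limit is not None and t > hard_limit:
            break  # hard limit passed: the session expired before this request
        last_activity = t
    expiry = last_activity + sliding
    return expiry if hard_limit is None else min(expiry, hard_limit)


def request_accepted(minute, action_minutes, sliding=SLIDING, hard_limit=HARD_LIMIT):
    """True if a request at `minute` still belongs to a live session, given the
    earlier requests in action_minutes."""
    earlier = [t for t in action_minutes if t < minute]
    return minute <= session_expiry(earlier, sliding, hard_limit)


if __name__ == "__main__":
    every_five = range(5, 300, 5)  # a user clicking every five minutes
    print("idle user expires at minute", session_expiry([]))                         # 15
    print("active user, sliding only:", session_expiry(every_five, hard_limit=None))  # 310
    print("active user, with hard limit:", session_expiry(every_five))               # 120
```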

Use cookies

Risk

High

Explanation

Futurama supports sessions with and without cookies. When cookies are used, the session ID is stored in a cookie on the client of a user. This session ID is used to recognize an individual visitor across all visits. The alternative is to use cookieless sessions. In that situation the page link contains the session ID string (for example https://myapplication/(22b5c4zyybphaw2mt3hjni2n)/default.aspx). The main security problem when working with sessions is the possibility that a malicious user finds out another user's session ID. If two users share the same session ID, they share the same session variables too, and the website considers them one visitor. This is a security risk if the session is used for any private or sensitive data, or to allow access to restricted areas of the website. When cookies are used, the session ID can be protected using SSL and by marking the cookie as secure. In the case of a cookieless session, however, the session ID is part of the URL and is much more exposed. An attacker could use a network monitoring tool to see the requested URLs; because the session ID is part of the URL, anyone who knows the requested URL knows the session ID too. Also, if a malicious user gets access to the recent web server logs, it is possible to read the recently requested URLs and visit the website with a still active session.

So it is strongly recommended to use cookies.

Solution

Within the system.web section enable cookies:

<sessionState cookieless="false"></sessionState>

Security Management Site

Risk

Low

Explanation

When using the Futurama Management Site to import and analyze data, and to monitor the use of your Futurama applications, it is important to give users of the Management Site access only to the pages that are relevant for them. It is possible to define which users can access which pages of the Management Site.

Solution

Use the security section of the Futurama Management Site to set up the advanced security.

Identity application pool

Risk

Medium

Explanation

An Internet Information Services (IIS) application pool is a grouping of URLs that is routed to one or more worker processes. Because application pools define a set of web applications that share one or more worker processes, they provide a convenient way to administer a set of websites and applications and their corresponding worker processes. During the installation of your Futurama web application in IIS a new application has to be created including an application pool.

Solution

Make sure you use the application pool identity, and follow the principle of least privilege so that you assign only the required permissions to this application pool identity.

Firewall

Risk

High

Explanation

A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall can be used to secure the server with your (sensitive) data.

Solution

Use a firewall and allow only incoming and outgoing traffic that is necessary for the use of your application.

Network Intrusion Detection

Risk

High

Explanation

Network Intrusion Detection monitors a network or systems for malicious activity or policy violations.

Solution

Use Network Intrusion Detection to monitor whether malicious activity at your server occurs.

HSTS policy

Risk

Medium

Explanation

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects HTTPS websites against downgrade attacks. It allows web servers to declare that web browsers should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol. Even when your web application is only accessible via HTTPS, it is possible for attackers to downgrade the connection to insecure HTTP.

Solution

In order to use the HSTS policy, the next configuration has to be made in the web.config of your application, within the system.webServer section:

<httpProtocol>
	<customHeaders>
		<add name="Strict-Transport-Security" value="max-age=31536000"/>
	</customHeaders>
</httpProtocol>

Securing cookies

Risk

Low

Explanation

It is possible to set a secure flag on an ASP.NET session cookie, so that it will only be transmitted over HTTPS and never over plain HTTP.

Solution

Within the system.web section the next configuration has to be made:

<httpCookies httpOnlyCookies="true" requireSSL="true"></httpCookies>

Furthermore, in case forms authentication is used, it overrides the setting in httpCookies, setting it back to the default 'false'. In order to avoid this, an extra attribute has to be added to the forms element as well:

<forms requireSSL="true"></forms>

Maximizing number of sessions

Risk

Medium

Explanation

When hosting a web application the maximum number of parallel sessions can usually be estimated. Exceeding this maximum number of parallel sessions can be an indication of an attack on your website. To avoid this, the allowed number of parallel sessions can be defined.

Solution

This setting can be configured in the Futurama specific security-section of the web.config. See this page for information how to set the maximum number of parallel sessions.

Verify session on every request

Risk

Medium

Explanation

During a session within your web application subsequent requests are made, one after each user action. To be sure that each of these requests is made by the user who started the session (and is authenticated to see the personal data), it is possible to verify the session on every request. This prevents the session from being hijacked and cloned on a different machine.

Solution

This setting can be configured in the Futurama specific security-section of the web.config. See this page for information on how to enable session verification on every request. It is possible to include or exclude a verification of the IP address.

Document/Folder restriction

Risk

Medium

Explanation

In the configuration mapping section of Futurama it is possible to define which default folder and which default document Futurama should use. It is possible to override these default settings by setting these parameters in the URL (see for example the previously mentioned configuration mapping section). This implies that it might be possible for a user to open a different document by guessing possible values of the document and folder parameters.

Solution

This can be prevented from Futurama 16.11 onwards by specifying a list of allowed folder- and document-names in the mapping setting. Whenever a user enters a value that is not in this list, then a security error will be shown. For more information, visit this page.

Disable download of XML, XLS and XLSX-files

Risk

Medium

Explanation

When a user can download XML, XLS or XLSX-files, the user can also see the contents of the Futurama models. These models can contain sensitive information, such as the version number and the location where the document has last been edited.

Solution

You can prevent downloading of these files by adding the following code to the web.config:

<system.webServer>
	<security>
		<requestFiltering>
			<fileExtensions>
				<add allowed="false" fileExtension=".xml"/>
				<add allowed="false" fileExtension=".xls"/>
				<add allowed="false" fileExtension=".xlsx"/>
			</fileExtensions>
		</requestFiltering>
	</security>
</system.webServer>

Remove comments in files

Risk

Low

Explanation

A Futurama application consists of files of different types. The Futurama models are stored in XML files, but for example CSS, XSLT, HTML and JavaScript files can be used as well. In these files it is possible to add comments. These comments can be useful in order to explain the code specified in these files. However, they can also give attackers potentially useful information.

Solution

Remove the comments from your files.

Don't use a version number

Risk

Low

Explanation

In your Futurama models version numbers can be used to identify the successive releases of your application. However this information can be used by potential hackers. So it is recommended not to show the version number of your application. 

Solution

Don’t show the version number of your application. If you actually do want to use a version number it is recommended only to show this version number at the private pages of your application (so, not at the login page of your application that might be accessible for everyone).

Use customErrors

Risk

Medium

Explanation

When browsing your Futurama web application errors can occur, for instance when a page cannot be found (404 error) or when access to your site is not allowed (403 error). When errors occur it is recommended to redirect the user to an error page.

Solution

Use the customErrors element in the web.config. See https://support.futurama.eu/docs/all/page/305 for more information.

Use robots.txt

Risk

Low

Explanation

Search engines crawl the internet looking for files. This generates traffic to your application that you may not want.

Solution

Use the robots.txt file to avoid this. This file is a simple text file placed in the root folder of your application. Search engine crawlers check this robots.txt to see whether they should access a file or not. To block all access use the next robots.txt file:

User-agent: *
Disallow: /

Disable header options

Risk

Low

Explanation

By default your web server supports HTTP methods (verbs) like OPTIONS, GET, POST, TRACE and HEAD. For Futurama web applications in general only POST and GET are relevant. Disable the other methods.

Solution

In the web.config the verbs TRACE, OPTIONS and HEAD can be disabled by the next configuration, to be placed within the system.webServer element:

<security>
	<requestFiltering>
		<verbs allowUnlisted="true">
			<add allowed="false" verb="OPTIONS"/>
			<add allowed="false" verb="HEAD"/>
			<add allowed="false" verb="TRACE"/>
		</verbs>
	</requestFiltering>
</security>

Set X-Frame-Options Header

Risk

Low

Explanation

Clickjacking attacks trick a web user into clicking on something different from what the user perceives they are clicking on.

Solution

It is possible to protect your website against clickjacking attacks by including an X-Frame-Options header in the HTTP response. See this page for the possible directives for X-Frame-Options. The SAMEORIGIN value is recommended, as in some situations the DENY option will not work correctly.

Remove X-AspNet-Version response header

Risk

Low

Explanation

By default the X-AspNet-Version header is included in the response from the server. This is information that can be used by attackers.

Solution

It is possible to remove the X-AspNet-Version response header. This can be configured within the system.web section of the web.config:

<httpRuntime enableVersionHeader="false"></httpRuntime>

Change value server response header

Risk

Low

Explanation

By default the server version is included in the Server header of the response. This is information that can be used by attackers.

Solution

It is possible to change the value of the Server header, for example to an empty string. This can be done in IIS with the URL Rewrite module. Once it is installed, follow the next steps:

  1. open the IIS Manager, select your site and then URL Rewrite;
  2. select Server Variables and add a new server variable called RESPONSE_SERVER;
  3. once you have your new server variable, go back to the rules page, add a new rule and select a blank outbound rule;
  4. give the rule a name, set the Matching Scope to Server Variable, set the Variable name to RESPONSE_SERVER and set the Pattern to .* to match any content. Hit Apply to create your new rule.

These changes remove the content of the Server response header.

Add rel property to hyperlinks

Risk

Low

Explanation

When a hyperlink opens a new window by using the attribute

target="_blank"

it is vulnerable to phishing attacks, because the opened page obtains a reference to the opening window and could navigate the original page to another location.

Solution

Within the extension (xsl) all hyperlinks that have the target="_blank" property are injected with the following attribute:

 rel="noopener noreferrer"

Upgrade jQuery version

Risk

Low

Explanation

Using a jQuery version that is not up to date is a security risk; it should be updated to an up-to-date version.

Solution

Within the extension file the jQuery version is updated to version 1.12.1. From Futurama version 17.02 a jQuery file is included within the Futurama modules folder. When upgrading, make sure the jQuery file within the 1702 folder of the Futurama modules folder is used.

Disable version.aspx

Risk

Low

Explanation

The version.aspx page gives information regarding the Futurama documents that are used for the application, including the version number, the save date and the user that last saved the document. This page potentially gives information that can be used by attackers.

Solution

Disable the version.aspx page in the web.config of your application. This can be done by including the next configuration within the configuration element:

<location path="version.aspx">
	<system.web>
		<authorization>
			<deny users="*"/>
		</authorization>
	</system.web>
</location>

Caching static content

Risk

Low

Explanation

This feature is more a performance than a security improvement. The goal is to ensure that the web content (images, JavaScript files etc.) is cached, so that the web application becomes faster because it does not have to retrieve the same data every time.

Solution

In this example we configure that the content of the example folder "Showcase/img" will be cached:

1) Add caching to the web.config
- Add the following content to the web.config of the web application, within the configuration element.

<location path="Showcase/img">
	<system.webServer>
		<staticContent>
			<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:10:00" />
		</staticContent>
	</system.webServer>
</location>

2) Set overrideModeDefault to "Allow" in the applicationHost.config
- Access to the staticContent section is locked by default, so it has to be unlocked manually first.
- Go to the folder C:\Windows\System32\inetsrv\config and open the file applicationHost.config.
- Search for the line:

<section name="staticContent" overrideModeDefault="Deny" />

and change Deny to Allow.

You have now configured that images for your application will be cached by the browser for 10 minutes.

Increase length SessionID Cookie

Risk

Low

Explanation

The default length of the SessionID cookie is 24 characters. For better security, the length of the SessionID cookie should be increased.

Solution

Within the sessionState section the sessionIDManagerType should be defined, which will increase the length of the SessionID to 36 characters:

<sessionState sessionIDManagerType="ActuIT.Futurama.Web.FuturamaSessionIDManager"></sessionState>
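The following Python script is an added example (not Futurama's own code) that audits a captured HTTP response head against the header-related subjects on this page: HSTS policy, Securing cookies, Set X-Frame-Options Header, Remove X-AspNet-Version response header, Change value server response header and Increase length SessionID Cookie. It assumes the ASP.NET default session cookie name ASP.NET_SessionId, and the two sample responses at the bottom are constructed.

```python
import re

# Added example, not Futurama code. Checks a captured HTTP response head against
# the header items on this page. 'ASP.NET_SessionId' is the assumed (ASP.NET
# default) session cookie name; 36 is the length FuturamaSessionIDManager sets.
SESSION_COOKIE = "ASP.NET_SessionId"
HARDENED_ID_LENGTH = 36


def parse_headers(raw):
    """Return [(name, value), ...] from a raw response head; names lower-cased,
    repeated headers such as Set-Cookie kept."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # skip status line
    return [(n.strip().lower(), v.strip()) for n, _, v in
            (line.partition(":") for line in lines)]


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)
    findings = []
    # HSTS policy: header present and carrying a max-age directive
    hsts = by_name.get("strict-transport-security", [""])[0]
    if not re.search(r"max-age=\d+", hsts, re.I):
        findings.append("Strict-Transport-Security missing or without max-age")
    # X-Frame-Options: only DENY and SAMEORIGIN protect against clickjacking
    if by_name.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    # Version disclosure: X-AspNet-Version header and a non-empty Server value
    if "x-aspnet-version" in by_name:
        findings.append("X-AspNet-Version header present")
    if by_name.get("server", [""])[0]:
        findings.append("Server header discloses %r" % by_name["server"][0])
    # Securing cookies and SessionID length: inspect the session cookie
    for cookie in by_name.get("set-cookie", []):
        pair, *attrs = [part.strip() for part in cookie.split(";")]
        name, _, session_id = pair.partition("=")
        if name != SESSION_COOKIE:
            continue
        flags = {a.lower() for a in attrs}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in flags:
                findings.append("session cookie without %s flag" % flag)
        if len(session_id) < HARDENED_ID_LENGTH:
            findings.append("session ID is %d characters, expected %d"
                            % (len(session_id), HARDENED_ID_LENGTH))
    return findings


# Constructed sample responses: one unhardened, one with every item applied.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
                 "X-AspNet-Version: 4.0.30319\r\n"
                 "Set-Cookie: ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; path=/\r\n"
                 "Content-Type: text/html\r\n\r\n")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nServer:\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\n"
                     "X-Frame-Options: SAMEORIGIN\r\n"
                     "Set-Cookie: ASP.NET_SessionId=0f8fad5b-d9cb-469f-a165-"
                     "70867728950e; path=/; secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for finding in audit_headers(parse_headers(WEAK_RESPONSE)):
        print("WEAK:", finding)
    print("hardened:", audit_headers(parse_headers(HARDENED_RESPONSE)))  # []
```

Feed it the response head captured with your browser's developer tools or a local HTTP client after applying the configuration on this page; an empty list means the checked items are in place.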

Feedback

If you have any questions about this subject or if you want to provide us feedback please send us an e-mail.

Updated: 2021-07-05