Overview of the Common Criteria Hardening Guide in Secret Server

The Common Criteria Hardening Guide for Secret Server provides detailed instructions for configuring Secret Server in the configuration that was evaluated under the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). Under this international standard an accredited laboratory independently verifies that the security functions of the evaluated product behave as claimed in its Security Target, for a defined operating environment; a deployment that deviates from that evaluated configuration cannot claim the resulting assurance. Below are the key aspects covered in the guide:

Introduction

  • Purpose: The guide is designed to help administrators configure Secret Server so that it matches the Common Criteria evaluated configuration.
  • Audience: Intended for administrators responsible for installing, configuring, and operating Secret Server and the Windows, IIS, SQL Server, and Active Directory infrastructure it depends on.
  • Common Criteria: An international standard for security evaluation and certification of computer systems, networks, and application software.

Security Hardening Checklist

  • Reports: Navigate to Reports > Security Hardening in Secret Server to follow the checklist for securing your environment.

Configuring TLS

  • TLS Requirement: Common Criteria certification requires enabling Transport Layer Security (TLS) for every network connection to and from Secret Server.
  • Disabling TLS 1.0: TLS 1.0 must be disabled, as it is no longer considered secure. TLS 1.1 is likewise deprecated (RFC 8996), so disable it as well and leave only TLS 1.2 or later enabled.
  • Diffie-Hellman Hardening: Configure the server so that Ephemeral Diffie-Hellman (DHE) key exchange refuses weak groups; on Windows this is the Schannel minimum DH key length, which should be at least 2048 bits.
  • Restricting Cipher Suites: Only the cipher suites named in the guide are allowed for TLS communication; every other suite must be disabled, not merely moved down the preference order.
  • IIS Crypto Tool: The IIS Crypto tool can be used to change protocols and cipher suites. It edits the same Schannel registry settings that can also be applied with PowerShell or Group Policy, so either route produces the same server state.
  • HTTPS: All connections to the Secret Server web application must use HTTPS (HTTP over TLS); plain HTTP must not be served.
  • TLS Auditing: Enable auditing of TLS connections and handshake failures so that downgrade attempts and certificate problems are recorded.
  • Active Directory: Configure the Active Directory integration to use LDAP over TLS (LDAPS), so that directory queries and the credentials Secret Server uses for them are not sent in cleartext.
  • Syslog: Configure the syslog integration to send audit events over TLS, so that logs cannot be read or altered in transit and the collector's identity is verified.
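The protocol, Diffie-Hellman, and cipher-suite steps above are all Schannel settings on the Windows host. The following PowerShell is an added example, not code from the Secret Server guide, that applies them in one pass and then checks from a second machine that the server really refuses TLS 1.0. The cipher-suite allow-list is illustrative; substitute the suites the guide names. Run it in an elevated PowerShell on the Secret Server host and reboot afterwards, since Schannel reads these values at startup.

```powershell
# Added example (not from the Secret Server guide). Assumptions: Windows Server 2016 or
# later (for the TLS cmdlets); the $allowed list below is illustrative only.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    # Writes the Enabled / DisabledByDefault pair for both the server and client side
    # of one protocol version, e.g. 'TLS 1.0'.
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Disable TLS 1.0 (required by the guide) and TLS 1.1 (deprecated by RFC 8996); keep TLS 1.2.
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Ephemeral Diffie-Hellman hardening: refuse DHE groups shorter than 2048 bits.
$dh = "$schannel\KeyExchangeAlgorithms\Diffie-Hellman"
New-Item -Path $dh -Force | Out-Null
New-ItemProperty -Path $dh -Name 'ServerMinKeyBitLength' -PropertyType DWord -Value 2048 -Force | Out-Null
New-ItemProperty -Path $dh -Name 'ClientMinKeyBitLength' -PropertyType DWord -Value 2048 -Force | Out-Null

# Restrict cipher suites: disable everything that is not on the allow-list, then
# re-enable the allowed suites in preference order (position 0 is most preferred).
# Illustrative list; use the suites named in the hardening guide.
$allowed = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)
foreach ($suite in Get-TlsCipherSuite) {
    if ($allowed -notcontains $suite.Name) {
        Disable-TlsCipherSuite -Name $suite.Name
    }
}
for ($i = 0; $i -lt $allowed.Count; $i++) {
    Enable-TlsCipherSuite -Name $allowed[$i] -Position $i
}

function Test-TlsVersionRefused {
    # Returns $true when the server will not complete a handshake with the given
    # protocol. Run this from a different machine after the reboot; on the hardened
    # host itself the client side is disabled too, so the result would be trivial.
    # Certificate validation is bypassed on purpose: only protocol negotiation is under test.
    param([string]$HostName, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
    try {
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $false
    } catch {
        return $true
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

# Expected after reboot: TLS 1.0 refused, TLS 1.2 accepted.
# Test-TlsVersionRefused -HostName 'secretserver.corp.example' -Protocol Tls
# Test-TlsVersionRefused -HostName 'secretserver.corp.example' -Protocol Tls12
```

The `Enabled`/`DisabledByDefault` pair is written for both the Server and Client side because Secret Server also acts as a TLS client (to Active Directory and the syslog collector), and a client that still offers TLS 1.0 can be downgraded by a malicious peer even when the server side is clean.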

Additional Common Criteria Configurations

  • X.509v3 Certificates: Install and configure certificates that follow the X.509v3 standard, issued by a CA the clients trust and with a subject or subject alternative name matching the hostname users connect to; self-signed certificates are not acceptable in the evaluated configuration.
  • DPAPI: Enable the Windows Data Protection API (DPAPI) to protect the master encryption key file, so the key material is bound to the host and cannot be decrypted if the file is copied elsewhere. Take a backup of the key file before enabling DPAPI, and disable DPAPI before migrating Secret Server to another machine.
  • FIPS Mode: Enable Federal Information Processing Standard (FIPS) mode so that only FIPS-validated cryptographic modules are used; this requires both the Windows security policy "Use FIPS compliant algorithms for encryption, hashing, and signing" and the corresponding Secret Server configuration setting.
  • Zero Information Disclosure: Configure Secret Server to hide unnecessary information, such as detailed error messages and application version numbers, so that error pages and HTTP responses do not help an attacker fingerprint the server or learn about its internals.
  • Login Banner: Configure a login banner that displays the user policy agreement before authentication.
  • Account Lockout: Lock an account after a configured number of consecutive failed login attempts to blunt password guessing against user and administrator accounts.
  • Disabling "Remember Me": Disable the "Remember Me" login function, which keeps a long-lived authentication cookie on the client; without it every session requires fresh authentication.
  • SQL Server Configuration: In the evaluated configuration Microsoft SQL Server is installed on the same machine as Secret Server, SQL Server runs in Windows authentication mode (not mixed mode), and Secret Server connects with an integrated Windows login rather than a SQL login and password stored in its connection string.
  • Service Account: Create a dedicated service account to run the Secret Server IIS Application Pool, grant it only the permissions Secret Server needs (the web application folder and the Secret Server database), and do not reuse it for any other service.
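The last two items are one procedure: a dedicated service account runs the application pool and is the only principal Secret Server uses to reach SQL Server, over Windows authentication. The PowerShell below is an added example, not code from the Secret Server guide, showing the whole chain on a single host: application pool identity, minimal file-system rights, a Windows login mapped to a database user, and SQL Server switched to Windows-only authentication. The domain, account, pool, database and folder names are assumptions; the `db_owner` grant is shown because Secret Server needs to alter its own schema during upgrades, but the permission level the guide specifies takes precedence.

```powershell
# Added example (not from the Secret Server guide). Assumptions: domain CORP, service
# account svc-secretserver, application pool and database both named SecretServer,
# web root C:\inetpub\wwwroot\SecretServer, default SQL Server instance on this host.
# Run in an elevated PowerShell on the Secret Server machine.
$account  = 'CORP\svc-secretserver'
$appPool  = 'SecretServer'
$database = 'SecretServer'
$webRoot  = 'C:\inetpub\wwwroot\SecretServer'

# The password is prompted for, never stored in the script; it is handed to IIS, which
# keeps it encrypted in applicationHost.config.
$secure = Read-Host -Prompt "Password for $account" -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Run the application pool as the service account (identityType 3 = SpecificUser).
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\$appPool" -Name processModel -Value @{
    userName = $account; password = $plain; identityType = 3
}
$plain = $null

# 2. File-system rights: Modify on the web application folder only, nothing broader.
$acl  = Get-Acl -Path $webRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# 3. Database access via Windows authentication: a Windows login mapped to a database
#    user, so no SQL login or password exists for Secret Server to store. The final
#    statement sets LoginMode 1 (Windows authentication only); it takes effect after
#    the SQL Server service restarts.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
GO
USE [$database];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
ALTER ROLE db_owner ADD MEMBER [$account];
GO
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1;
GO
"@
$sqlFile = Join-Path $env:TEMP 'secretserver-service-account.sql'
Set-Content -Path $sqlFile -Value $sql
sqlcmd -S . -E -i $sqlFile   # -E: the script itself uses Windows authentication
Remove-Item -Path $sqlFile

# 4. Recycle the pool so the new identity is picked up, then restart SQL Server.
Restart-WebAppPool -Name $appPool
Restart-Service -Name MSSQLSERVER -Force
```

After this, the Secret Server connection string should contain `Integrated Security=True` (or `Trusted_Connection=yes`) and no `User ID`/`Password`; if a SQL login for Secret Server still exists from an earlier install, drop it so the only path to the database is the Windows account the pool runs under.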