Certify Vault for use with Hardened IIS Configurations

It is becoming more and more common for IS departments to require that weak cryptography on their servers is disabled. The following is a list of cryptography that is currently configured and considered weak:

  • SSL protocol versions v2 and v3, and PCT v1
  • Symmetric ciphers with keys shorter than 128 bits
  • Weak ciphers - like RC2, RC4
  • Weak hash functions - like MD5

Typically a Windows Server would be "hardened" following a procedure similar to that in this document - https://rootsecdev.medium.com/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5...

It is more than likely that this requirement will affect Vault servers.

In light of this, Vault should be tested with, and certified to work with, a typical and documented hardened server.

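As an added example that is not part of the original post and not Autodesk's own tooling, the following read-only PowerShell audit reports the state of the SCHANNEL settings the post lists (the old protocols, the RC2/RC4/short-key ciphers and MD5) together with TLS 1.2, which the reply in this thread says Vault 2018 and later support. It assumes the standard SCHANNEL registry key names and an elevated session on the Vault server; it changes nothing.

```powershell
# Added example (not from the original post or from Autodesk): read-only audit of the
# SCHANNEL registry settings that IIS hardening procedures change, so a Vault server's
# state can be documented before Vault is tested on it. Run elevated; nothing is modified.
# Assumption: the hardening used the standard SCHANNEL key names listed below.

$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Items the post lists as weak, using SCHANNEL's own key names.
$WeakProtocols = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0')
$WeakCiphers   = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                   'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')
$WeakHashes    = @('MD5')

function Get-SchannelState {
    param([string]$SubKey)
    # The .NET API is used deliberately: PowerShell's registry provider treats the
    # '/' in cipher key names such as 'RC4 128/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return 'NotSet' }   # key absent: the OS default applies
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'NotSet' }
        # Enabled is a DWORD: 0 disables, any other value (often 0xffffffff) enables.
        if ([int64]$v -eq 0) { 'Disabled' } else { 'Enabled' }
    } finally { $key.Close() }
}

$Report = @()
foreach ($p in $WeakProtocols) {
    $Report += [pscustomobject]@{ Kind = 'Protocol'; Name = $p; Expect = 'Disabled'
        State = Get-SchannelState "$Base\Protocols\$p\Server" }
}
foreach ($c in $WeakCiphers) {
    $Report += [pscustomobject]@{ Kind = 'Cipher'; Name = $c; Expect = 'Disabled'
        State = Get-SchannelState "$Base\Ciphers\$c" }
}
foreach ($h in $WeakHashes) {
    $Report += [pscustomobject]@{ Kind = 'Hash'; Name = $h; Expect = 'Disabled'
        State = Get-SchannelState "$Base\Hashes\$h" }
}
# Vault 2018 and later support TLS 1.2 (per the reply in this thread), so it must stay usable.
$Report += [pscustomobject]@{ Kind = 'Protocol'; Name = 'TLS 1.2'; Expect = 'Enabled'
    State = Get-SchannelState "$Base\Protocols\TLS 1.2\Server" }

$Report | Format-Table -AutoSize
# NotSet is not a pass: the OS default is in effect and has to be confirmed for that OS build.
$Mismatch = @($Report | Where-Object { $_.State -ne $_.Expect })
if ($Mismatch.Count -gt 0) { Write-Warning "$($Mismatch.Count) item(s) do not match the expected hardened state." }
```

The same key names are what a hardening tool writes, so the report can be compared line by line with the procedure an IT team applied.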
2 Comments
ihayesjr
Community Manager

@Nick_Hall 

Thanks for posting the idea. Do you have an official industry standard for IIS hardening?

Your link example is only one aspect of hardening.

As an example, starting with Vault 2018, we support TLS 1.2. Therefore previous TLS versions can be disabled.

What version of TLS does Vault utilize and support? | Vault Products | Autodesk Knowledge Network

Nick_Hall
Collaborator

@ihayesjr 

A bit of background: Over the last couple of months, we have received a few enquiries from customer IT teams asking whether hardening Windows Server will affect Vault in any way. I did some digging, and could only come up with the link you've posted, which answered some questions, but not all of them.

A couple of customers supplied the following link, which refers to specific actions they would like to take:

https://auditsquare.com/advisory/windows/iis-disable-weak-crypto

I logged a support case (Case No 20191211), which said "The development team test Vault Software based on IIS standard settings and what gets installed and configured during the Server setup", and suggested I raise the matter here.

I am far from an expert in these matters, but have done some investigation over the last couple of weeks.

It looks to me as though the gold standard for this type of matter is The Center for Internet Security - https://www.cisecurity.org/

They supply CIS Benchmarks, which are described as "the product of a community consensus process and consists of secure configuration guidelines developed for Microsoft Windows Server" - https://www.cisecurity.org/benchmark/microsoft_windows_server

They also supply CIS Hardened Images - VM images that are pre-configured to meet the robust security recommendations of the associated CIS Benchmark. The full list is available here - https://www.cisecurity.org/cis-hardened-image-list

It seems to me that if Vault Server were tested against the relevant VM image for each supported OS, that would satisfy requirements from any IT team. It also saves Autodesk the time & money of defining & documenting a version of "hardened server", as you could just say "Certified for use with CIS Microsoft Windows Server 2019 Benchmark" and supply a link.

It also makes life easier for us in the reseller channel, as very few of us will have that sort of in-depth knowledge, and it will be helpful if we can just say "go and look here, they know stuff".

Hope that's useful.
