Steps to Harden the Network

Network hardening is recommended to protect against vulnerabilities involved in establishing connection and communication from the primary server to the secondary server, the session manager to the primary server, and the server to the endpoints. You can use secure communication protocols and restrict access to network devices to eliminate network-based vulnerabilities.

Use secure protocols for communication

The use of insecure protocols can easily render other controls invalid. To reduce the risk of eavesdropping and other network-based attacks, use the following encrypted and authenticated protocols for secure communication.

  • HTTPS for REST APIs
  • LDAPS for the Digital Vault LDAP integration
  • RDP/TLS for connections to the SSM
  • SSH (instead of Telnet) for Password Management
  • TLS for RDP, SMTP, and Syslog

We recommend allowing only TLS v1.2 as a best practice. To enable this in Securden, navigate to the /conf folder, open the server properties file in a text editor of your choice, and change the value shown below from False to True:

SERVER_TLS_V1.2_ONLY = False to SERVER_TLS_V1.2_ONLY = True

Save the changes before closing the text editor.

Validate proper server roles

Server roles can be set using the Server Manager. Ensure that unnecessary roles are not installed on the server.

Restrict network protocols

Install only the required protocols and remove unnecessary ones.

For example, only TCP/IP is necessary; ensure that no additional protocols such as IPX or NetBEUI are allowed.

Restrict access to the UI by blacklisting and whitelisting IP addresses

Users, APIs, native mobile applications, and browser extensions will attempt to communicate with the Securden Unified PAM server once it has been installed in your environment.

You can impose IP address-based limitations on this kind of communication using Securden. We strongly advise you to limit the number of client systems that can connect to the Securden Interface.

To set up IP address-based restrictions, go to Admin >> Security >> IP Address Restrictions. The IP restrictions can be configured at different levels and in different ways, for example using defined IP ranges, specific IP addresses, or CIDR notation. Specific IP ranges and addresses can be added to the Restrict Access list if you prefer to deny access rather than allow it. If you want to impose additional restrictions, you can block access for any of the client types listed above. To block extensions, APIs, and mobile apps, navigate to Admin >> Block Access.

Restrict Securden web server to a bound IP address

Securden's web server will automatically bind to all of the accessible IP addresses on the server where the application is installed. As a result, Securden PAM will be reachable via any of those IP addresses on the configured port (5959). To restrict this, we advise you to configure the web server to bind to a single IP address and accept incoming connections only on that address. To configure the bound IP address, follow the steps below.

  1. Stop ‘Securden PAM Service’ from services.msc if it is running.
  2. Open the “server.properties” file present in the \conf folder.
  3. Change the value of “ENABLE_SERVER_SPECIFIC_HOSTNAME_ONLY_ACCESS” from False to True. Specify the IP address/FQDN or the server name against “SERVER_ACCESS_HOSTNAMES =” (if you are specifying multiple hostnames, ensure that they are specified in comma-separated form).
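The two server.properties edits above (the TLS v1.2-only setting and the bound-hostname setting) are easy to get subtly wrong, for instance by enabling hostname-only access while leaving SERVER_ACCESS_HOSTNAMES empty. The following script is an added example, not Securden's own tooling: it parses a properties-style text, reports which of the keys named in this guide are still in their default state, and rewrites the text with the hardened values. The key names come from this page; the file format (simple KEY = VALUE lines, '#' comments) and the sample content are assumptions.

```python
import re

# Hardened values the guide asks for (key names are the page's own).
HARDENED: dict[str, str] = {
    "SERVER_TLS_V1.2_ONLY": "True",
    "ENABLE_SERVER_SPECIFIC_HOSTNAME_ONLY_ACCESS": "True",
}
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")  # KEY = VALUE; '#' comment lines never match


def parse_properties(text: str) -> dict[str, str]:
    """Return KEY -> VALUE for every 'KEY = VALUE' line; comments and blank lines are skipped."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(text: str) -> list[str]:
    """Keys still weak: not at the hardened value, or bound access on with no host listed."""
    props = parse_properties(text)
    weak = [k for k, v in HARDENED.items() if props.get(k, "").lower() != v.lower()]
    hosts = [h for h in props.get("SERVER_ACCESS_HOSTNAMES", "").split(",") if h.strip()]
    if props.get("ENABLE_SERVER_SPECIFIC_HOSTNAME_ONLY_ACCESS", "").lower() == "true" and not hosts:
        weak.append("SERVER_ACCESS_HOSTNAMES")  # the server would accept no hostname at all
    return weak


def harden(text: str, hostnames: list[str]) -> str:
    """Rewrite with hardened values, keeping order, comments and unrelated keys; missing keys are appended."""
    wanted = dict(HARDENED, SERVER_ACCESS_HOSTNAMES=",".join(h.strip() for h in hostnames))
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) in wanted:
            out.append(f"{m.group(1)} = {wanted[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out += [f"{k} = {v}" for k, v in wanted.items() if k not in seen]
    return "\n".join(out) + "\n"


# Constructed sample mirroring the default values the guide tells you to change.
SAMPLE = """# server.properties (constructed sample, not a real Securden file)
SERVER_TLS_V1.2_ONLY = False
ENABLE_SERVER_SPECIFIC_HOSTNAME_ONLY_ACCESS = False
SERVER_ACCESS_HOSTNAMES =
"""
```

Run audit() on the file's text before and after harden() to confirm nothing was missed; the service still has to be stopped and restarted as in the steps above for the change to take effect.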