If your dbFront installation is going to be public, then we strongly recommend signing up for a free Probely account to validate that your dbFront configuration is secure.
When preparing Probely to scan your dbFront install, you should enter the following details:
NOTE: Replace the %...% placeholders with values appropriate to your environment.
- Address (URL): https://%YourDomain%/dbFront/default.aspx
- Target Authentication: Select Form Login
- Login URL: https://%YourDomain%/dbFront/default.aspx
- Login Field Names:
  - @FF0: %YourUsername%
  - @FF1: %YourPassword%
  - submit_button: button[mh="bLogIn"]
Once Probely is properly configured, you can scan your site repeatedly and eliminate any security issues it reports.
Secure Root Web.config
As part of securing your server, we recommend adding the following web.config contents to the root of your web server. The headers go inside the <customHeaders> element of <system.webServer>; the surrounding elements are shown so the fragment can be dropped into an existing or new web.config. These web.config additions will deal with four issues that the penetration scan is sure to find if not already addressed.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Block Click Jacking -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Enforce HSTS header (one year, including subdomains) -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <!-- Prevent Browser content sniffing -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Prevent the leaking of URL params via Referrer -->
        <add name="Referrer-Policy" value="same-origin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
The suggested web.config changes in the preceding section should have dealt with a good portion of the issues raised by the security scan. Some further issues are covered below.
NOTE: As of dbFront 220.127.116.1101, we have dealt with all detected application issues except that dbFront uses an older version of the jQuery library. This issue will be fixed in a near-future release.
Secure Cookie Flag Required
If dbFront is installed on an SSL secured web server, add the following inside the <system.web> element of the dbFront web.config file so that every cookie ASP.NET issues carries the Secure flag. The default path is [c:\inetpub\dbFront\web.config].
<httpCookies requireSSL="true" />
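To confirm that the root web.config headers and the Secure cookie flag are actually being served, the following check (an added example, not part of dbFront or of this page) evaluates a response's headers offline against the values recommended above. The two sample responses are constructed to show the scan findings before and after the web.config changes.

```python
import re
from typing import Dict, Iterable, Mapping

ONE_YEAR = 31536000  # max-age recommended above, in seconds

def _hsts_ok(value: str) -> bool:
    """HSTS must carry max-age of at least one year plus includeSubDomains."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        return False
    try:
        age = int(max_age.split("=", 1)[1])
    except ValueError:
        return False
    return age >= ONE_YEAR and "includesubdomains" in directives

def _cookies_secure(set_cookie: Iterable[str]) -> bool:
    """Every Set-Cookie value must carry the Secure attribute (httpCookies requireSSL)."""
    return all(re.search(r";\s*secure\b", c, re.IGNORECASE) for c in set_cookie)

def check_headers(headers: Mapping[str, str], set_cookie: Iterable[str] = ()) -> Dict[str, bool]:
    """Pass/fail per control, using the header values recommended on this page."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return {
        "X-Frame-Options": h.get("x-frame-options", "").upper() in ("SAMEORIGIN", "DENY"),
        "Strict-Transport-Security": _hsts_ok(h.get("strict-transport-security", "")),
        "X-Content-Type-Options": h.get("x-content-type-options", "").lower() == "nosniff",
        "Referrer-Policy": h.get("referrer-policy", "").lower() in ("same-origin", "no-referrer"),
        "Secure cookies": _cookies_secure(set_cookie),
    }

def failing_controls(headers: Mapping[str, str], set_cookie: Iterable[str] = ()) -> list:
    """Names of the controls a scanner such as Probely would still report."""
    return [name for name, ok in check_headers(headers, set_cookie).items() if not ok]

# Constructed sample responses: before and after the web.config additions
BEFORE = {"Content-Type": "text/html"}
BEFORE_COOKIES = ["ASP.NET_SessionId=abc; path=/; HttpOnly"]
AFTER = {
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
}
AFTER_COOKIES = ["ASP.NET_SessionId=abc; path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", failing_controls(BEFORE, BEFORE_COOKIES))
    print("after: ", failing_controls(AFTER, AFTER_COOKIES))
```

Against a live site, pass `resp.info()` and `resp.info().get_all("Set-Cookie") or []` from a `urllib.request.urlopen` response to `failing_controls`.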
Weak cipher suites enabled / Outdated TLS protocol version 1.0 supported
Both of the preceding findings refer to the fact that older, insecure TLS protocol versions and cipher suites are still enabled on your web server.
If your web server is directly exposed to the internet, you will need to remove/disable these protocols. For instructions see the following Microsoft article:
If Cloudflare protects your web server, you will need to make a Cloudflare configuration change.
- Set the Minimum TLS Version to 1.1.
- The Minimum TLS Version setting is found in the menu [SSL/TLS] and submenu [Edge Certificates].
NOTE: Cloudflare automatically exposes patched versions of older protocols to maximize your client reach. Therefore, this change may not actually improve server security. It just cleans up the Penetration Report.