System Security

OS hardening

The security hardening policies of operating systems achieve the following:

• Minimization: With a customized operating system hardening policy, the enabled ports, access permission, and services of a universal operating system are all subject to certain limitations. This ensures the normal running of only the basic services of the server and improves the security capability of the operating system.
• Dedication: A dedicated security hardening policy is provided for an operating system.
• Serviceability: Security hardening policies are strictly tested and provided, ensuring smooth service operations.
• Auditability: Customized security hardening policies support logging. When policies are changed, a user can audit the customized policies using policy logs.

Antivirus

Virus attacks and spread pose a great challenge on security of the network to which the eSight clients connect. Security customization and integrity protection can improve the system attack defending capabilities and effectively restrain viruses and worms. However, antivirus software controlled and managed in a centralized manner still needs to be deployed for Windows-based servers and devices, because Windows OS is vulnerable to viruses. This improves the virus processing capabilities of the devices that are connected to the eSight clients.Anti-virus policies must be customized for the eSight based on actual conditions.

Web Container Security Hardening

Default settings for the Web container may pose security risks. Therefore, the eSight modifies these default settings, including:

• SSL channel for untrusted domains: Sensitive service data is all transmitted through SSL channels to ensure security.
• SSL hardening: Insecure SSL protocols and algorithms are excluded.
• HTTP request size: The eSight supports 5 MB HTTP requests, and the size limit is configurable.
• Jetty directory listing: After a user enters a directory name to access a Web application of Jetty, all files in that directory will be listed if the named directory has no welcome file available. This way of sensitive information leak is forbidden.
• Jetty error message: By default, Jetty shows software version information in error messages. Based on the version information, attackers can obtain current default configurations and take advantage of vulnerabilities.

Web Application Firewall

Web application firewalls provide common functions including protocol anomaly detection, input verification, status management and exception-based protection. Web application firewalls can be deployed between a web server and a browser to reduce the impact of abnormal external requests, injection attack, brute force attack, and other abnormal behaviors on the web, ensuring the security of web applications.