6.4. (Reference): Configuring Normal Security Level Settings on the OS

Here are examples of recommended security settings. Apply these settings to protect against malicious attacks from external environments when you connect a Baremetal Server or a Virtual Server directly to an Internet Gateway.

Note

Almost all parts of this page describe operations outside of Support Coverage provided by NTT Com. Therefore, we strongly advise making backups of relevant settings in advance.


6.4.1. Setting a Secure Guest OS Password

You are STRONGLY advised to change the password after signing into the Virtual Server for the first time. We recommend configuring strong, secure passwords according to the following password policy.

  • Password length of 8 characters or more.

  • Password must include all three of the following character types: uppercase letters and lowercase letters (both from the ISO Latin alphabet, A to Z and a to z), and non-alphabetic characters.

  • Password must NOT use common words that everyone knows, such as “password” and “admin”, your own full name or another person's full name, or a partially changed form of any of the preceding.
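The following script, added here as an example and not part of the NTT Com documentation, checks a candidate password against the three rules above. It takes the password as a function argument from a calling script rather than from the command line so that it does not end up in shell history. The banned word “root”, the substitution table used to catch partially changed words, and the names in the demo call are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the NTT Com documentation): check a password
# against the policy in section 6.4.1.
LC_ALL=C; export LC_ALL   # make [A-Z]/[a-z] ranges mean ASCII letters only

# Words that must not appear anywhere in a password. "password" and "admin"
# come from the policy; "root" is a constructed addition.
BANNED_WORDS="password admin root"

# normalize STRING: lower-case it and undo the usual digit/symbol
# substitutions (0->o 1->i 3->e 4->a @->a $->s), so that "P@ssw0rd" and
# "Passw0rd!" are both recognised as partial changes of "password".
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '0134@$' 'oieaas'
}

# check_password PASSWORD [FULL_NAME ...]
# Prints each violated rule and returns 1; returns 0 if the policy is met.
check_password() {
    pw=$1; shift; bad=0

    # Rule 1: length of 8 characters or more
    if [ "${#pw}" -lt 8 ]; then
        echo "rule 1: only ${#pw} characters (minimum 8)"; bad=1
    fi

    # Rule 2: uppercase, lowercase and a non-alphabetic character
    case $pw in *[A-Z]*) ;; *) echo "rule 2: no uppercase letter"; bad=1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "rule 2: no lowercase letter"; bad=1 ;; esac
    case $pw in *[!A-Za-z]*) ;; *) echo "rule 2: no non-alphabetic character"; bad=1 ;; esac

    # Rule 3: no common word and no part of a full name, not even after
    # the substitutions undone by normalize().
    norm=$(normalize "$pw")
    for word in $BANNED_WORDS $*; do      # $* splits "Taro Yamada" into parts
        w=$(normalize "$word")
        [ "${#w}" -lt 3 ] && continue     # skip initials and short particles
        case $norm in
            *"$w"*) echo "rule 3: contains '$word'"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed demo: the names are made up. Prints the violations and verdict.
if check_password 'P@ssw0rd1' 'Taro Yamada'; then
    echo "accepted"
else
    echo "rejected"
fi
```

The substring check is deliberately strict: a name or banned word is rejected wherever it appears in the password, because the policy forbids partially changed forms, not just exact matches.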

6.4.2. IP Filter and Firewall Access Limitations with Guest OS

We STRONGLY advise you to set up the Guest OS firewall without opening any unnecessary ports. The following examples show how to set it up on CentOS 7.1 and Windows Server 2012 R2. Since neither the Virtual Server nor the Baremetal Server needs direct access to a global network, security can be enhanced further by placing a dedicated gateway on a dedicated network in front of them.

6.4.2.1. Example: CentOS 7.1

1. Start “firewalld”. On the command line, verify that “firewalld” is “Active (running)” and “enabled”.

$ /bin/systemctl start firewalld
$ /bin/systemctl status firewalld
          firewalld.service - firewalld - dynamic firewall daemon
            Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
            Active: active (running) since Sun 2015-12-27 13:56:12 UTC; 1s ago
           Main PID: 9844 (firewalld)
           CGroup: /system.slice/firewalld.service
                   9844 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

$ /bin/systemctl enable firewalld
    ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
    ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'

$ /bin/systemctl list-unit-files -t service | grep firewalld
     firewalld.service   enabled

2. Add the required services. The following shows how to add the “https” service. Verify that the service was set with the “--list-service” option.

$ /bin/firewall-cmd --list-service
      dhcpv6-client ssh

$ /bin/firewall-cmd --add-service=https --permanent
     success

NOTE 1: If you find any unnecessary services, you can delete them with “/bin/firewall-cmd --remove-service=XXX --permanent”. Replace XXX with the service to be deleted.

$ /bin/firewall-cmd --reload
     success

$ /bin/firewall-cmd --list-service
     dhcpv6-client https ssh

NOTE 2: If you would like to add further services, we recommend adding only the ones you actually require, paying careful attention to their authentication and known vulnerabilities.
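Step 2 and NOTE 1 together amount to an allowlist: every service firewalld exposes should be one you chose. The script below, added as an example and not taken from the NTT Com documentation, reconciles the current service list against such an allowlist and emits the firewall-cmd commands from the procedure above, as a dry run unless APPLY=1 is set. The allowlist contents and the sample “--list-service” output are constructed; it assumes firewalld is running and that the caller may run firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the NTT Com documentation): keep firewalld's
# default zone equal to an explicit allowlist of services.

# missing_services WANT HAVE: print each item of WANT that is not in HAVE.
# Both arguments are space-separated lists, in the same form as the output
# of `firewall-cmd --list-services`.
missing_services() {
    want=$1; have=$2
    for s in $want; do
        case " $have " in
            *" $s "*) ;;                 # already present
            *) printf '%s\n' "$s" ;;
        esac
    done
}

# plan_firewalld ALLOWED CURRENT: print the firewall-cmd commands that turn
# CURRENT into ALLOWED, one per line. Removals come first, then additions,
# then a single --reload; nothing is printed when no change is needed.
plan_firewalld() {
    allowed=$1; current=$2; changed=0
    for s in $(missing_services "$current" "$allowed"); do   # present, not allowed
        printf 'firewall-cmd --permanent --remove-service=%s\n' "$s"; changed=1
    done
    for s in $(missing_services "$allowed" "$current"); do   # allowed, not present
        printf 'firewall-cmd --permanent --add-service=%s\n' "$s"; changed=1
    done
    [ "$changed" -eq 1 ] && printf 'firewall-cmd --reload\n'
    return 0
}

# run_plan ALLOWED: query the live host, then print the plan (default) or
# execute it when APPLY=1. The command strings are built only from service
# names reported by firewalld, which is why eval is acceptable here.
run_plan() {
    current=$(firewall-cmd --list-services)
    plan_firewalld "$1" "$current" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $cmd"; eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Constructed sample: the service list shown in step 2 before the change,
# and an allowlist that keeps ssh, adds https and drops dhcpv6-client.
SAMPLE_CURRENT="dhcpv6-client ssh"
ALLOWED="ssh https"
plan_firewalld "$ALLOWED" "$SAMPLE_CURRENT"
```

Keep “dhcpv6-client” on the allowlist if the server obtains its IPv6 address through DHCPv6; the sample drops it only to show a removal. Because “ssh” is on the allowlist, running the plan cannot lock you out of the session you run it from, which is the first thing to check before setting APPLY=1.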

6.4.2.2. Example: Windows Server 2012 R2 Settings

1. Windows Firewall is enabled in the default Windows settings.

Verify the settings by opening “Server Manager” and then “Local Server”. Click the Windows Firewall link to open the Windows Firewall settings screen.

Server Manager

2. After the Windows Firewall screen has opened, click “Advanced Settings” as shown below:

Windows Firewall

3. At the “Windows Firewall with Advanced Security” screen, click “Inbound Rules” as shown below:

Windows Firewall Detail

4. After the “Inbound Rules” screen opens, click “New Rule”.

Windows Firewall Add Rule

5. Add a new inbound rule as shown below:

We recommend limiting the ports and the scope (local and remote IP addresses) as much as possible. For more information, please refer to the Microsoft website: https://technet.microsoft.com/en/library/cc753558.aspx

Example: The Setting Procedure
i. Select “Custom (C)” and then “Next (N)” at the rule type step.
ii. Specify “All Programs (A)” at the program step.
iii. Specify both the “Protocol Type” and the “Local Port” at the protocol and port step. NOTE: We recommend that you limit the range as much as possible.
iv. Specify the “Local IP Address” and the “Remote IP Address” at the scope step. NOTE: We recommend that you restrict the address range.
v. Select “Permits to Access” at the action step.
vi. Specify the profile(s) from “Domain”, “Private”, and “Public” at the “Profile” step. If you cannot determine which one applies, select all three.
vii. Specify a name at the name step.