Secure Configuration for the SolarWinds Platform

This document describes configuration options for securing your SolarWinds Platform deployment.

Best practices

• Ensure you have installed the latest versions of the SolarWinds^® SolarWinds Platform including hotfixes and service releases.

  If you are not on the latest version of the SolarWinds Platform, you can temporarily protect your environment against the Supernova malware by applying the following security fix: https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip

• Maintain the latest host operating system, application, and network security updates.

• Maintain your SQL Server by applying the latest cumulative updates and service packs.

• Keep your SolarWinds Platform and your SQL database on separate servers.

  SolarWinds recommends that you use a dedicated SQL instance for your SolarWinds Platform database to improve security by segregating the SolarWinds Platform database from other production databases.

• Ensure that the server hosting your SolarWinds Platform Web Console does not host the Default Web Site or the DefaultAppPool application pool. See Secure IIS by removing the default website.

• Be careful not to expose your SolarWinds Platform website on the public Internet.

  If you must enable outbound Internet access from SolarWinds Servers, create a strict allow list and block all other traffic. See SolarWinds Platform Product Features Affected by Internet Access.

• Disable unnecessary ports, protocols, and services on your host operating system and on applications, like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2021 Microsoft, available at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring, obtained on January 13, 2021.)

• Apply proper segmentation controls on the network where you have deployed the SolarWinds Platform and SQL Server instances.

• Configure the firewall for the main polling engine to limit and restrict all inbound and outbound access for port 5671. Port 5671 should only communicate to your other SolarWinds Servers (in case of High Availability, both Active and Standby Primary Polling Engine Servers). You can check these by querying the OrionServers table in the SolarWinds Platform database. Ensure this rule is updated when the configuration of SolarWinds Platform changes, for example when you add new servers.

• Reconfigure your firewall settings to only allow traffic for port 5671 between the SolarWinds scalability engines (Additional polling engines, Additional web servers, and High Availability servers).

• Implement strict access control and auditing in your environment at operating system and network layers. Limit access to the SolarWinds Platform server and SQL server instances to only those authorized persons who require access as part of their duties.

• Apply layered network security controls, like leveraging application load balancers, setting appropriate firewall rules to limit who can access or send network traffic to your SolarWinds Platform, and deploying security tools to provide additional monitoring across your SolarWinds Platform and SQL Server instances.

• Purchase additional web servers for segregation and accessing the web console. Unlike your primary polling engine, these do not run many critical services. Once setup, you can disable IIS and web services on your primary polling engine and allow the rest of the services to function independently of IIS.

• If you deploy multiple SolarWinds Platform servers in your environment, dedicate these servers where possible and minimize the installation of any third-party software.

• Do not create local SolarWinds Platform accounts. We recommend at minimum utilizing Windows Authentication, or implementing a SAML v2 based solution, if you cannot integrate Windows or SAML-based authentication.

• Ensure you configure account settings and leverage both account and view limitations, along with module-specific roles only for the tasks they require in their role.

• Follow Microsoft's guidelines for securing SQL Server instances. See Securing SQL Server (© 2021 Microsoft, available at https://docs.microsoft.com/, obtained on January 6, 2021.).

• Before you install the SolarWinds Platform, ensure the servers in your environment are compliant with supported security standards:

  • STIG
  • FIPS
  • Device Guard

• Separate your SolarWinds Platform servers from your infrastructure on managed VLANs/Jumpboxes.

• On servers, leverage SolarWinds agents to ensure secure, encrypted polling over a single port. See Poll devices with SolarWinds Platform Agents.

• On network devices, use SNMP v3. See CISA Alert (TA17-156A) Reducing the risk of SNMP Abuse (© 2021 U.S. Department of Homeland Security, available at https://us-cert.cisa.gov/ncas/alerts/TA17-156A, obtained on January 11, 2021.)

• Ensure you have dedicated security monitoring tools in place. Configure AV, EDR, SIEM, Proxy, IDS, or IPS while leveraging SolarWinds products, such as ARM, NCM, Patch Manager, SCM, SEM, or UDT, to provide additional monitoring across your SolarWinds Platform environment and ensure compliance. Carefully monitor logs, user accounts, rogue devices, configuration changes, and security patches across all of your network devices and servers.

• Rotate credentials (service accounts, SNMP, SSH, and so on) where local policies may not enforce this due to unexpected outages of monitoring. See Manage Orion Service Accounts.

• Assign the Debug Programs user right only to the Administrators group.

• Disable SMBv1. SolarWinds Platform products do not use SMBv1. See How to remove SMBv1... in How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows (© 2023 Microsoft, available at https://msdn.microsoft.com, obtained on February 7, 2023.)

To learn about using built-in security features native to IIS to add an extra layer of security to your deployment with built-in security features native to IIS, see this Success Center article about the IP Address and Domain Restrictions Role Service.

Secure configuration options

Security option	Orion Platform/SolarWinds Platform Version	Default settings
HTTPS	All supported versions	Enabled by default if a suitable certificate is found. » Show me how Recommendations: 2048 bits for RSA (~112bit security) or 256+ bits for ECDSA (128bit security). Over 2048bits, use ECDSA. Renew certificates regularly. Sign certificates with SHA 256 or higher.
FIPS	All supported versions	Disabled by default See Enable FIPS for SolarWinds Platform products.
SQL Encrypted SSL	All supported versions	Disabled by default. To configure the SolarWinds Platform and SQL with an SSL connection, see Encrypt database connections with SSL
HSTS	All supported versions	Disabled by default » Show me how to enable this
CSRF	All supported versions	_AntiXSRFToken enabled by default XSRF-TOKEN enabled by default » Show me how to enable this
Secure Cookies	All supported versions	Enabled by default » Show me how
Session Management	All supported versions	Enabled by default » Show me how
TLS & Cipher Suites	All supported versions	Settings required » Show me how
TLS Certificate validation	All supported versions	Disabled by default » Show me how to enable
SAML signing	All supported versions	Disabled by default » Show me how to enable this
Sensitive Exception Details	All supported versions	Disabled by default » Show me how to disable this
Server Information Headers (Banner)	All supported versions	» Show me how to set this
IIS Request Filtering	All supported versions	See the kb on IIS handler mapping requirements to find out what extensions to allow to use request filtering in IIS.
Session Timeouts	All supported versions	» Show me how to set this
Secure external programs and script alerting actions	All supported versions	Starting with the Orion Platform 2020.2.1 Hotfix 2, you can configure your SolarWinds Platform alert actions to be run in the context of a limited user account. See the article on securing external programs and script actions.
Secure SQL variables used in SolarWinds Platform	All supported versions	Starting with the Orion Platform 2020.2.1 Hotfix 2, you can use the MacroParserisSecuringSQLMacroEnabled setting to improve the overall security of your SolarWinds Platform by restricting specific SQL macros. See the article on securing SQL variables.
Content Security Policy Headers	All supported versions	Enabled by default » Show me how to set this
Browser Auto-Complete	2020.2.6 and later	» Show me how to set this
Brute force protection (account lockout)	2020.2.6 and later	SolarWinds Platform individual accounts (or SQL-based accounts) are automatically locked. By default, accounts are locked after 10 failed login attempts for 15 minutes. See Unlock user accounts for details.

HTTPS

HTTPS is configured on fresh installs only when a suitable certificate is found on the system. SolarWinds recommends that you do not use a self-signed certificate.

Recommendations for Certificates

• SolarWinds recommends using strong private keys: 2,048 bits for RSA (~112 bits of security) or 256+ bits for ECDSA (128 bits fo security).
• RSA doesn't scale well above 2,048 so after that ECDSA should be preferred.
• Renew certificates (including private keys) regularly because revocation mechanisms are not reliable.
• Sign your certificates with SHA256 or higher.

How to enable

1. Run the Configuration wizard, click Next to use defaults until you reach the Website Settings step.

2. Select the Enable HTTPS option. See Configure the SolarWinds Platform Web Console to use HTTPS for details.

HSTS

HTTPS Strict Transport Security (HSTS) protects your deployment against protocol downgrade attacks (MITM SSL strip). HSTS headers instruct a client's browser to communicate only on HTTPS for a specified period of time. SolarWinds Platform uses 1 year as a default.

How to enable

1. In the SolarWinds Platform Web Console, click Settings > All Settings, and then click Web Console Settings in the Product Specific Settings (/Orion/Admin/Settings.aspx).

2. Select the STRICT TRANSPORT SECURITY (HSTS) option and submit your changes.

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack where the user performs unwanted action while being authorized. SolarWinds Platform uses two separate CSRF tokens/cookies.

• __AntiXSRFToken - Used by ASP.NET for postback validation, validation enabled by default
• XSRF-TOKEN - Used by .asmx and WebAPI, validation enabled by default

How to enable

1. Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

2. Select the EnableXsrfProtection option and save your changes.

Secure Cookies

Secure flag helps to protect cookies from MITM attacks. This is enabled by default.

How to enable

1. Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

2. Select the EnableCookieSecureFlag option and save your changes.

Session Management

To prevent session fixation attacks and provide persistent logout. Session management binds the session ID with its owner and validates it on each request. It manages the session lifecycle from login, logout, and expiration.

How to enable

1. Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
2. Select the EnableSessionCoupling option and save your changes.

TLS & Cipher Suites

See TLS Compatibility with SolarWinds Platform products for details.

How to enable

SolarWinds recommends that you enable TLS machine-wide. You can use IISCrypto or alter Windows registry keys on your own:

• IIS Crypto (© 2020 Nartac Software, obtained from https://www.nartac.com/Products/IISCrypto on October 1, 2020).
• Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll (© 2020 Microsoft, obtained from https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc on October 1, 2020).

It is also possible to configure protocols for SolarWinds Platform services only.

RabbitMQ

You can configure all cipher suites that RabbitMQ accepts (and which TLS version) in \ProgramData\SolarWinds\Orion\RabbitMQ\rabbitmq.config configuration file.

Every time you run the Configuration Wizard, the \ProgramData\SolarWinds\Orion\RabbitMQ\rabbitmq.config file is overwritten. If you run the Configuration Wizard on the main polling engine, you need to re-do any changes to this file.

Go to the ssl_options section and find the following subsections:

• _ciphers: You can set cipher suites that RabbitMQ accepts, these should correspond with your system-wide settings (set by IIS Crypto).
• _versions: You can specify TLS versions here.

See TLS Support for details (© 2007-2020 VMware Inc. or its affiliates, obtained from https://www.rabbitmq.com/ssl.html#tls-versions on October 1, 2020).

SolarWinds uses the classic config format of the config file (there is section on how the setting of cipher suites must look like).

Recommended Crypto setting

Global machine setting: NON DEFAULT

Server/Client Protocol: TLS 1.2

Ciphers: AES 128 / 128, AES 256/256

Hashes: SHA1, SHA256, SHA384, SHA512

Key exchanges: Diffie-Hellman, PKCS, ECDH (DHE Miminum key length 2048 bit)

RabbitMQ Config: DEFAULT

RabbitMQ config has two default cipher suites settings which are configured by FIPS Manager.

Cipher suites for 2024.1

• FIPS Mode On Ciphers

  {ecdhe_ecdsa, aes_256_gcm, aead, sha384}
  {ecdhe_ecdsa, aes_128_gcm, aead, sha256}
  {dhe_dss, aes_256_gcm, aead, sha384}
  {dhe_rsa, aes_256_gcm, aead, sha384}
  {dhe_rsa, aes_128_gcm, aead, sha256}

• FIPS Mode Off Ciphers

  {ecdhe_rsa, aes_256_gcm, aead, sha384}
  {ecdhe_ecdsa, aes_256_gcm, aead, sha384}
  {ecdhe_rsa, aes_256_cbc, sha384, sha384}
  {ecdhe_ecdsa, aes_256_cbc, sha384, sha384}
  {ecdhe_rsa, aes_128_gcm, aead, sha256}
  {ecdhe_ecdsa, aes_128_gcm, aead, sha256}
  {ecdhe_rsa, aes_128_cbc, sha256, sha256}
  {ecdhe_ecdsa, aes_128_cbc, sha256, sha256}
  {ecdh_rsa, aes_256_gcm, aead, sha384}
  {ecdh_ecdsa, aes_256_gcm, aead, sha384}
  {ecdh_rsa, aes_256_cbc, sha384, sha384}
  {ecdh_ecdsa, aes_256_cbc, sha384, sha384}
  {ecdh_rsa, aes_128_gcm, aead, sha256}
  {ecdh_ecdsa, aes_128_gcm, aead, sha256}
  {ecdh_rsa, aes_128_cbc, sha256, sha256}
  {ecdh_ecdsa, aes_128_cbc, sha256, sha256}
  {dhe_rsa, aes_256_gcm, aead, sha384}
  {dhe_dss, aes_256_gcm, aead, sha384}
  {dhe_rsa, aes_256_cbc, sha256}
  {dhe_dss, aes_256_cbc, sha256}
  {dhe_rsa, aes_128_gcm, aead, sha256}
  {dhe_dss, aes_128_gcm, aead, sha256}
  {dhe_rsa, aes_128_cbc, sha256}
  {dhe_dss, aes_128_cbc, sha256}

Cipher suites for 2022.4 - 2023.4

• FIPS Mode On Ciphers

  {dhe_dss,aes_256_gcm,aead,sha384}
  {dhe_rsa,aes_128_gcm,aead,sha256}

• FIPS Mode Off Ciphers

  {ecdhe_rsa, aes_256_gcm, aead, sha384}
  {ecdhe_ecdsa, aes_256_gcm, aead, sha384}
  {ecdhe_rsa, aes_256_cbc, sha384, sha384}
  {ecdhe_ecdsa, aes_256_cbc, sha384, sha384}
  {ecdhe_rsa, aes_128_gcm, aead, sha256}
  {ecdhe_ecdsa, aes_128_gcm, aead, sha256}
  {ecdhe_rsa, aes_128_cbc, sha256, sha256}
  {ecdhe_ecdsa, aes_128_cbc, sha256, sha256}
  {ecdh_rsa, aes_256_gcm, aead, sha384}
  {ecdh_ecdsa, aes_256_gcm, aead, sha384}
  {ecdh_rsa, aes_256_cbc, sha384, sha384}
  {ecdh_ecdsa, aes_256_cbc, sha384, sha384}
  {ecdh_rsa, aes_128_gcm, aead, sha256}
  {ecdh_ecdsa, aes_128_gcm, aead, sha256}
  {ecdh_rsa, aes_128_cbc, sha256, sha256}
  {ecdh_ecdsa, aes_128_cbc, sha256, sha256}
  {dhe_rsa, aes_256_gcm, aead, sha384}
  {dhe_dss, aes_256_gcm, aead, sha384}
  {dhe_rsa, aes_256_cbc, sha256}
  {dhe_dss, aes_256_cbc, sha256}
  {dhe_rsa, aes_128_gcm, aead, sha256}
  {dhe_dss, aes_128_gcm, aead, sha256}
  {dhe_rsa, aes_128_cbc, sha256}
  {dhe_dss, aes_128_cbc, sha256}

Cipher suites for SolarWinds Platform 2022.3 and earlier

• FIPS Mode On Ciphers

  {dhe_rsa,aes_256_gcm,aead,sha384}
  {dhe_dss,aes_256_gcm,aead,sha384}
  {dhe_rsa,aes_256_cbc,sha256}
  {dhe_dss,aes_256_cbc,sha256}
  {dhe_rsa,aes_128_gcm,aead,sha256}
  {dhe_dss,aes_128_gcm,aead,sha256}
  {dhe_rsa,aes_128_cbc,sha256}
  {dhe_dss,aes_128_cbc,sha256}

• FIPS Mode Off Ciphers

  {ecdhe_rsa, aes_256_gcm, aead, sha384}
  {ecdhe_ecdsa, aes_256_gcm, aead, sha384}
  {ecdhe_rsa, aes_256_cbc, sha384, sha384}
  {ecdhe_ecdsa, aes_256_cbc, sha384, sha384}
  {ecdhe_rsa, aes_128_gcm, aead, sha256}
  {ecdhe_ecdsa, aes_128_gcm, aead, sha256}
  {ecdhe_rsa, aes_128_cbc, sha256, sha256}
  {ecdhe_ecdsa, aes_128_cbc, sha256, sha256}
  {ecdh_rsa, aes_256_gcm, aead, sha384}
  {ecdh_ecdsa, aes_256_gcm, aead, sha384}
  {ecdh_rsa, aes_256_cbc, sha384, sha384}
  {ecdh_ecdsa, aes_256_cbc, sha384, sha384}
  {ecdh_rsa, aes_128_gcm, aead, sha256}
  {ecdh_ecdsa, aes_128_gcm, aead, sha256}
  {ecdh_rsa, aes_128_cbc, sha256, sha256}
  {ecdh_ecdsa, aes_128_cbc, sha256, sha256}
  {dhe_rsa, aes_256_gcm, aead, sha384}
  {dhe_dss, aes_256_gcm, aead, sha384}
  {dhe_rsa, aes_256_cbc, sha256}
  {dhe_dss, aes_256_cbc, sha256}
  {dhe_rsa, aes_128_gcm, aead, sha256}
  {dhe_dss, aes_128_gcm, aead, sha256}
  {dhe_rsa, aes_128_cbc, sha256}
  {dhe_dss, aes_128_cbc, sha256}

TLS Certificate Validation

As required by CC PP, TLS certificates should be fully validated.

How to enable

1. Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx)

2. Select the following options and save your changes:

   • CheckOnCertificateChainErrors
   • CheckOnCertificateNameMismatch
   • CheckOnCertificateRevocation

SAML Signing

Applicable when Single sign-on is used. By default, only one signature is required and validated (assertion or SAML response).

You can configure the SolarWinds Platform to require a specific validation or both validations.

See Authenticate SolarWinds Platform users with SAML v2 for configuration details.

How to enable

1. Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx)

2. Select the following options and save your changes:

   • SamlAssertionSigningRequired

   • SamlResponseSigningRequired

Sensitive Exception Details

By default, only users with Administrator rights can see detailed exceptions. This setting protects you from disclosing sensitive information (variable names, SQL strings, system path information, and source/program code or call stacks) to SolarWinds Platform users. It is disabled by default.

How to disable

1. Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

2. Clear the IncludeErrorDetail option and save your changes.

Server Information Headers (Banner)

Not to disclose server information in headers (Server - Specifies the webserver version. X-Powered-By - Indicates that the website is "powered by ASP.NET." X-AspNet-Version - Specifies the version of ASP.NET used), apply additional configuration on IIS.

How to configure

See Disable the IIS web banner and other IIS headers in the SolarWinds Platform for details.

Session Timeouts

You can configure your SolarWinds Platform sessions to time out after a shorter time than the default 25 minutes.

1. Log in to the SolarWinds Platform Web Console as an administrator and click Settings > All Settings in the menu bar.

2. In the Product Specific Settings grouping, click Web Console Settings.

3. In Session Timeout, type a shorter time period than the default, and save your changes. The default is 25 minutes.