Secure your Web Help Desk deployment

This section provides recommendations and best practices for securing your Web Help Desk deployment.

Web Help Desk server

Below are best practices you can implement on the Web Help Desk server and a supported database.

• Review the latest release notes. They describe the new features, improvements, and fixed issues implemented in each version. They also provide information about upgrades and describe workarounds for known issues.
• Install the latest Web Help Desk version, including all hotfixes. This ensures that the server is running the latest Transport Layer Security (TLS) protocol for added Apache Tomcat security hardening. It also ensures that you are running the latest Open Java Development Kit (OpenJDK) version, which provides additional security hardening.
• If your environment does not support SAML or ADFS authentication, SolarWinds recommends configuring Web Help Desk single sign-on (SSO) authentication with WAFFLE. This SSO method obtains the authentication information from AD/LDAP.
• Set up the SSL certificates to create a secure connection between the server and all external resources. Use certificates issued from a qualified Certificate Authority (CA), such as Verisign or GlobalSign. For maximum security, avoid using a self-signed certificate.
• Disable all unnecessary ports, protocols, and services in your deployment.
• Use secure ports for all communications between the Web Help Desk server and the following external resources:
  • LDAP connections
  • Incoming and outgoing email accounts
  • External databases
• Configure the log settings to provide an archeological record of events that occur in the application. Administrators and technical support personnel can use the log files to pinpoint when security events occur and resolve issues in the application.

• Configure the email options to prevent Web Help Desk from creating accounts from unrecognized or unknown senders, enable Web Help Desk to create accounts if the email matches an accepted domain. This will help minimize phishing emails that may contain viruses, malicious attachments, or links to malicious code.

• Configure the authentication settings to enforce how techs and clients can access the application.

• Deactivate tech accounts for techs who move to another department or leave your organization. When completed, their status should be Inactive. This ensures that unauthorized personnel cannot access the application using an unused account. It also ensures that you have enough seats available for your license tier.

  Avoid deleting inactive accounts. This will prevent tickets assigned to those accounts from being deleted.
  All tech and administrator accounts require a password to edit and save the account information. If you enter an incorrect password after five attempts, Web Help Desk times out for 30 seconds before you can re-enter your password. This feature prevents unauthorized access to these accounts.
• Update all tech and administrator passwords with strong passwords that do not include personal information or common words.
• Define all tech permissions based on their approved access to the Web Help Desk Administrator Console. See this KB article for additional guidance.
• Avoid running any additional applications in the Apache Tomcat instance included with your release.
• Configure the server behind a web application firewall (WAF).
• Configure a virtual private network (VPN) to the server and enable all authorized administrators and techs to connect to the server using the VPN.

• If your organization requires SSO for all approved personnel, configure SSO on for Web Help Desk using Active Directory Federation Services (ADFS).

  You can also configure Web Help Desk single sign-on authentication with WAFFLE. This authentication type obtains user information from Active Directory and LDAP connections. Consider this method if SAML or ADFS is not supported in your environment.

• (Version 12.7.2 and earlier) Replace the cipher suites used for SSL or upgrade to the latest release.
• If required by your security policy, you can update OpenJDK to another version. Both versions must be identical. For example, if you are running OpenJDK 11.0.11, you can install another OpenJDK 11 version.

PostgreSQL server database

If your deployment is connected to a supported PostgreSQL server database, SolarWinds recommends the following:

• Change the default PostgreSQL database credentials. This prevents unauthorized users from accessing your Web Help Desk database.
• Create a backup schedule that indicates the days of the week and time of day when Web Help Desk automatically backs up the database.

• (Version 12.7.9 and later) Customize the database connection with a path to an executable file containing the backup command. This prevents an unauthorized user from accessing your backup file.

• If your PostgreSQL database is installed on an external server, enable SSL encryption to the external database.

• If you are upgrading from version 12.7.6 or earlier, upgrade to version 12.7.7 first. This version contains significant updates required for later versions. After you complete the upgrade, then upgrade to the latest version.

SQL Server database

If your deployment is connected to an external database server running a supported Microsoft SQL Server version, SolarWinds recommends the following: 

• Update the database server with the latest hotfixes, cumulative updates, and service packs.
• Enable SSL encryption on the database server.
• When you create and configure your SQL Server database, verify that the server collation is set to case insensitive. This ensures that Web Help Desk initializes the database correctly and prevents database errors when you configure the application.
• Limit access to the SQL Server instance to authorized personnel (such as an administrator) who require access as part of their duties.

MySQL server database

If your deployment is connected to an external database server running a supported MySQL database version, SolarWinds recommends enabling SSL encryption to the MySQL database.

Secure configuration options

This section describes the configuration options you can implement in your Web Help Desk deployment.

The following table lists the supported options.

Option	Version	Default setting
HTTPS	12.4 and later	Disabled by default on Web Help Desk 12.6 and earlier. Enabled by default on Web Help Desk 12.7.1 and later.
HSTS	12.7.4 and later	Enabled by default after you import a signed certificate from a trusted Certificate Authority (CA). Web Help Desk 12.7.4 and later is signed with a new digital code-signing certificate.
FIPS	12.4 and later	Disabled by default.

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is a security enhancement that is supported on Web Help Desk 12.4 and later. Beginning with Web Help Desk 12.7.1, HTTPS is enabled by default on port 8443.

HTTPS implements Secure Socket Layer (SSL) to provide end-to-end data security over a computer network. HTTPS is configured on fresh installs only when a suitable certificate is found on the system.

When you obtain a certificate, SolarWinds recommends the following:

• Renew the certificates (including private keys) regularly, as revocation systems are not reliable.
• Use Portecle (Windows server) or Keystore Explorer (non-Windows server) to generate a new keypair using SHA-256 with RSA, generate a new certificate signing request (CSR), and submit the CSR to your CA provider.
• Avoid using a self-signed certificate.

To enable HTTPS:

1. Configure the server options to enable the listening port to listen for HTTP or HTTPS requests. Additionally, configure the port number used to monitor the requests. Include the port number in URLs that refer to Web Help Desk.

   To ensure all incoming requests use a secure connection, enable Redirect HTTP requests to HTTPS. When enabled, all incoming requests redirect to a secure HTTPS port.

2. Configure the general options to force HTTPS for all requests.

HSTS

HTTP Strict Transport Security (HSTS) is a web server policy that prevents unauthorized users from capturing data shared between the server and your clients, techs, and administrators. Enable this web policy by importing a signed certificate from a trusted Certificate Authority (such as Verisign or GlobalSign).

Beginning in Web Help Desk 12.7.4, the HSTS web policy is included in the application. After you download and import a signed certificate from a trusted Certificate Authority (CA), Web Help Desk forces a secure HTTPS connection with TLS between a supported web browser and the Web Help Desk server.

To enable HSTS, import a signed certificate from a trusted Certificate Authority. When you restart the server, Web Help Desk forces a secure HTTPS connection with TLS between a supported web browser and the Web Help Desk server. Unauthorized users cannot access data shared between the Web Help Desk server and your clients, techs, and administrators.

FIPS

Federal Information Processing Standard (FIPS) 140-2 compliant cryptography are standards developed by the National Institute of Standards and Technology. FIPS is required for computer systems installed in U.S. Federal Government agencies and companies in a regulated industry (such as healthcare and financial institutions) that share and distribute sensitive but unclassified (SBU) information.

FIPS is supported on Web Help Desk 12.4 and later. Beginning in WHD 12.7.5, FIPS implements an updated FIPS-approved cryptography that supports Transport Layer Security (TLS) 1.2. This implementation provides enhanced end-to-end data security over a computer network.

See Enable FIPS 140-2 compliant cryptography for details on how to enable FIPS in your environment.

Use the Password Security Migration Tool to encrypt all client and tech account passwords to FIPS 140-2 cryptography prior to activation. The migration tool invalidates all stored client and tech passwords that use a weaker cryptography standard.