How To Secure The Fastvue Sophos Reporter Web Site

By default, Fastvue Sophos Reporter is open and unrestricted for anonymous users to view. For a number of privacy related reasons you might need to restrict access to the site. You may also want to further restrict access to the Settings tab to prevent unauthorised users from making configuration changes to Sophos Reporter. To improve security even further, it is a good idea to add SSL encryption for authentication.

In this article I will show you how to restrict access to the Sophos Reporter website, and further restrict access to the Settings tab using Windows Authentication and Authorization Rules in IIS, and how to enable SSL (HTTPS) for the site.

Restricting User Access

The simplest way of achieving this is by using IIS authorization rules. There a few prerequisites. All of the following needs to be performed on the Fastvue Sophos Reporter server.

Create Groups

1. Open Server Manager and browse to Configuration | Local Users and Groups
2. Create a group for Fastvue Viewers
3. Populate this group with the AD users and groups that need to view Sophos Reporter’s dashboards and reports
4. Create a group for Fastvue Admins
5. Populate this group with the AD users and groups that need access to the Settings Tab

Configuring IIS

All the following steps will be performed in the IIS Management Console on the Fastvue Sophos Reporter server.  Depending on your configuration you may need to install the ‘Windows Authentication’ and ‘URL Authorization’ Role Services for IIS in Server Manager.

Enable Authentication

Authorization rules require that users authenticate. We will therefore first enable Windows Authentication.

1. Select the Fastvue Sophos Reporter IIS site (in this case it is Default Web Site)
2. Select Authentication
3. Select and Disable Anonymous Authentication
4. Select and Enable Windows Authentication

Allow Access to the Site

1. Select the Fastvue Sophos Reporter IIS site again
2. Select Authorization Rules
3. Select Add an Allow Rule
4. In the specified roles or users group, add the Fastvue Viewers group created earlier
5. Create another allow rule this time for the Fastvue Administrators
6. Remove the Allow all users rule

Remove Access to the Settings Tab

At this point user access to the Fastvue Sophos Reporter site will be limited to the users specified in the groups. To restrict access to the Setting tab do the following in the IIS Management Console:

1. Select and Expand the Fastvue Sophos Reporter site
2. Select the Settings folder under the Fastvue Sophos Reporter website
3. Select Authorization Rules
4. The rules created earlier will be inherited here.
5. Select and Remove the Fastvue Viewers rule

At this point only the Fastvue Administrators group should have access to the Settings tab.  If you are testing this remember to close the browser to end the user sessions.

Securing the site with HTTPS

Any site that requires credentials to be passed should be secured using SSL encryption. This means using HTTPS and certificates. For this article we will be using an internal self-signed certificate but in practice it is better to use a certificate from your internal PKI or a third party CA such as VeriSign.

Generate a Certificate

1. Open the IIS Management Console
2. Select the IIS server itself (not the site)
3. Select Server Certificates
4. Select Create Self-Signed Certificate
5. Specify a friendly name for the certificate. A good practice is to use the server’s FQDN name. This will generate a certificate that matches the server’s name.

Add the HTTPS Binding

1. Select the Fastvue Sophos Reporter IIS website (e.g. Default Web Site on the left)
2. Under Actions on the right, select Bindings…
3. Select Add
4. Change the type to HTTPS
5. In the SSL certificate box select the Self-Signed Certificate created earlier
6. Click OK to finish the change

Enforce SSL

1. Select the Fastvue Sophos Reporter IIS website again on the left
2. Select SSL Settings
3. Check the Require SSL Box and then Apply on the right hand side

The Fastvue Sophos Reporter site will now require HTTPS and users to be authenticated. At this point you will see a certificate warning since the self-signed certificate is not from a trusted CA on the client machine. Using either an internal PKI or a third party CA certificate would resolve this issue.

Another issue you will notice is that when attempting to connect to the site using HTTP you will get:

403 – Forbidden: Access is denied Error

To fix this, we can change the 403 error page to redirect us to the HTTPS site.

Customize Error Pages

1. Still in the IIS Management Console, select the Fastvue Sophos Reporter site on the left
2. Select Error Pages
3. Select and Edit 403
4. Select the Respond with a 302 redirect option
5. Specify https:// followed by the FQDN of your site. For example, https://fastvue01.mydomain.com. Make sure you specify the S in https://

Now when you try to access the site via plain http, you will be redirected to the https site instead of seeing the 403 error message.

Change the Fastvue Site Settings to use HTTPS

When Fastvue Sophos Reporter sends an email such as a scheduled report or an alert, it uses the URL set in Settings | Site Settings as the domain in these links back to the application. Now that you've secured the site using HTTPS, it is a good idea to change the Site Settings to also use HTTPS to avoid being redirected to the root of the website by the custom error page configured above.

To edit the Site Settings:

1. In Fastvue Sophos Reporter, click the Settings Tab and go to the Site Settings section
2. Change the URL to use https:// instead of http://
3. Click Save

Summary

If you followed through the steps above, Fastvue Sophos Reporter will now be secured using Windows Authentication. Two user groups can access Sophos Reporter, but only the admin group can access pages on the Settings tab, and the site can only be accessed via HTTPS / SSL.