Fonctions de sécurité d'IIS

Pour le déploiement d'ABBYY FlexiCapture 12 dans l'environnement du client, la configuration de sécurité standard est utilisée. Si nécessaire, pour renforcer la sécurité de votre serveur Web, vous pouvez utiliser Internet Information Services (IIS) et configurer des règles supplémentaires pour des demandes spécifiques.

Important ! If you encounter the "Due to browser policy restrictions, this URL cannot be opened using the insecure HTTP protocol. Please use the secure HTTPS protocol or change your browser policy." error while working with a web station, it means that you are using the product in iFrame over the unsecured HTTP protocol. For more information about the causes of the error and possible workarounds, see iFrame restrictions.

En-tête Content-Security-Policy

Content-Security-Policy (CSP) est une stratégie de sécurité standard utilisée par les navigateurs modernes pour se protéger contre les attaques par injection de données, comme le cross-site scripting (XSS). Les principes du mode de fonctionnement du CSP sont les suivants : utiliser une liste blanche pour déterminer quelles ressources peuvent être chargées en toute sécurité, ignorer les ressources provenant de sources non vérifiées et recueillir des données sur les tentatives de contournement de la politique de sécurité.

Pour la mise en pratique de cette politique, le serveur doit avoir un en-tête HTTP Content-Security-Policy avec une ou plusieurs directives configurées, chaque directive étant associée à un seul type de ressources spécifique. Les directives constituent une politique de sécurité dans laquelle sont spécifiées les règles qui s'appliquent aux ressources.

Pour configurer un CSP pour votre navigateur Internet, ajoutez le code suivant au fichier Web.config :

<system.webServer> 
<httpProtocol> 
<customHeaders> 
<add name="Content-Security-Policy" value="default-src https: 'unsafe-inline' 'unsafe-eval'" /> 
</customHeaders> 
</httpProtocol> 
</system.webServer>
    

Remarque :Si vous utilisez les fonctions d'intégration de systèmes tiers d'ABBYY FlexiCapture et l'accès à d'autres hôtes vous est nécessaire, spécifiez-les également dans le fichier Web.config. Après avoir apporté des modifications à vos paramètres de sécurité, vérifiez toujours que le logiciel est resté opérationnel.

Pour plus d'informations sur Content-Security-Policy, consultez ce site Web.

HTTP Strict-Transport-Security Header

HTTP Strict-Transport-Security (HSTS) is a website protection mechanism that works by restricting the interactions between the browser and the website to a secure connection established using the SSL protocol. A web server that has HSTS set up contains an instruction for the browser to exclusively use an HTTPS connection and forbids it from using HTTP. HSTS is primarily used to fend off interception attacks involving queries and responses, e.g. MITM (Man-In-The-Middle) attacks.  

To be able to use this security policy, you need to use URL address rewrite rules to add the Strict-Transport-Security (STS) header to the HTTP responses. This is necessary to prevent unwanted HTTP queries and redirect all HTTP traffic to HTTPS (based on logic set out in the rules). To set up the appropriate rules, you need to install the URL Rewrite module. For more information, see the official Microsoft website.

To set up HSTS for your browser, add the following code to your web-config file:

<rule name="Add the STS header in HTTPS responses">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule> 
    

Remarque :The max-age directive specifies the time period (in seconds) during which the rule will be applied. The value above corresponds to one year.

For more information about HSTS, see the official Microsoft website.

The X-Powered-By and X-AspNet-Version Headers

Apart from HTTP headers that are essential for improving the security of your web server, there are also headers that are optional. Often, such optional headers are not governed by any standards and their use increases the amount of traffic generated by each HTTP query, making it easier to carry out malicious attacks.

The following are two such optional headers:

  • X-Powered-By is an HTTP header that contains information about various technologies used by the web server.
  • X-AspNet-Version is an HTTP header that contains information about the ASP.NET version that is used to deploy applications on the web server.

By default, both X-Powered-By and X-AspNet-Version are included in server responses. We recommend that you disable these headers, since providing identifying information can pose a security threat.

To remove the X-Powered-By header from the IIS configuration, paste the following code into your web.config file:

<httpProtocol> 
<customHeaders> 
<remove name="X-Powered-By" />   
</customHeaders></httpProtocol> 
    

To remove the X-AspNet-Version header from your IIS configuration, paste the following code into your web.config file:

<httpRuntime enableVersionHeader="false" />
    

The X-XSS-Protection Header

X-XSS-Protection is an HTTP header that is used by browsers to prevent Cross-Site Scripting attacks. The header works by enabling an XSS filter, which intercepts unwanted attempts to insert malicious third-party code into web pages opened on a browser.

X-XSS-Protection is compatible with the following browsers: Internet Explorer 8+, Chrome, and Safari. However, most modern browsers use a stricter security policy (e.g. Content-Security-Policy), which makes this header necessary only if you are using an older browser that does not support CSP.

To enable the X-XSS-Protection header for your browser, copy the following code to your web.config file:

<system.webServer> 
<httpProtocol> 
<customHeaders> 
<add name="X-XSS-Protection" value="1; mode=block" /> 
</customHeaders> 
</httpProtocol> 
</system.webServer>
    

The X-Content-Type-Options Header

X-Content-Type-Options is an HTTP header that is used by browsers to prevent attacks that exploit MIME (Multipurpose Internet Mail Extensions) vulnerabilities. MIME is an Internet standard for content that is sent over an internet connection. All files served by the web server are processed by browsers in a manner that depends on the MIME type of those particular files. Browsers determine the resource type by either using the Content-Type response, or by inspecting the resource contents, which makes it possible for attackers to mask HTML files as files of a different type.

The only directive available for this header is the nosniff directive. It instructs browsers to use only the MIME type that was specified by the web server.

To enable the X-Content-Type-Options header for your browser, paste the following code into your web.config file:

<system.webServer> 
<httpProtocol> 
<customHeaders> 
<add name="X-Content-Type-Options" value="nosniff" /> 
</customHeaders> 
</httpProtocol> 
</system.webServer> 
    

The Server Header

Server Header is a response header that contains information about the application used by the source server to process a request (e.g. the version number of the application). Potential availability of this kind of information to third parties is a security threat. For this reason, we recommend deleting the contents of the Server Header.

To delete the contents of the Server Header, add the following code into your web.config file:

<rewrite>  
     <outboundRules rewriteBeforeCache="true"> 
    <rule name="Remove Server header"> 
      <match serverVariable="RESPONSE_Server" pattern=".+" /> 
      <action type="Rewrite" value="" /> 
    </rule>   
</outboundRules> 
</rewrite> 
    

If you are using IIS 10.0, Windows Server 2016, or Windows Server 2019, use the following code instead:

Set-WebConfigurationProperty  
-pspath 'MACHINE/WEBROOT/APPHOST'   
-filter "system.webServer/security/requestFiltering"  
-name "removeServerHeader"  
-value "True" 
    

Remarque :The settings described above require the URL Rewrite module to be installed. For more information, please see the Microsoft documentation.

Protection Against Distributed Denial-of-Service Attacks

Distributed denial-of-service (DDoS) attacks involve overloading an application with HTTP requests, causing a significant increase in the amount of traffic and making the application inaccessible to legitimate users. It may not be easy to detect such attacks, as it is often difficult to distinguish between legitimate and malicious traffic.

To protect your web server from DDoS attacks, we recommend that you set up your IIS server to block access to your application if someone exceeds either the allowed number of requests over a certain period of time or the allowed number of concurrent requests.

To set up DDoS protection in IIS as described above, do the following:

  1. Launch IIS Manager.
  2. Select your website in the treeview and double-click the IP Address and Domain Restrictions icon on the site home page.
  3. In the Actions pane, click Edit Dynamic Restriction Settings.
  4. In the dialog box that opens, select the preferred method: Deny IP Address based on the number of concurrent requests or Deny IP Address based on the number of requests over a period of time.
  5. Click OK.

In the IIS server settings, you can also restrict access to your application from specific IP addresses and specify the type of action that the server should perform when attempts are made to access your application from restricted IP addresses:

  1. Launch IIS Manager.
  2. Select your website in the treeview and double-click the IP Address and Domain Restrictions icon on the site home page.
  3. In the Actions pane, click Edit Dynamic Restriction Settings.
  4. In the dialog box that opens, select the desired type of action from the Deny Action Type drop-down list.
  5. Click OK.

For cases where multiple HTTP requests are sent by multiple users from a single IP address, enable proxy mode in the IIS server settings. Doing so will let the proxy server pass the x-forwarded-for header to the web server to help identify the user.

To enable proxy mode, do the following:

  1. Launch IIS Manager.
  2. Select your website in the treeview and double-click the IP Address and Domain Restrictions icon on the site home page.
  3. In the Actions pane, click Edit Feature Settings.
  4. In the Edit IP and Domain Restriction Settings dialog box, select Enable Proxy Mode.
  5. Click OK.

For more information about using IIS to restrict access to your application from certain IP addresses, please see the Microsoft documentation.

Remarque :Using the proxy mode for handling large amounts of traffic may affect system performance and make it harder for legitimate users to access your application.

1/14/2021 2:17:19 PM


Please leave your feedback about this article