Overview
This document provides recommendations for hardening Traverse on-premises installations and for implementing security best practices around them.
Best Practice Guide:
1. Security related patches
- Newer versions of applications often introduce improvements in security functionality over older versions. This can make it more difficult for an adversary to craft reliable exploits for security vulnerabilities they discover.
- Ensure you have installed the latest versions of the Traverse Platform that include security related fixes. Here are the important links:
a. Release Notes
b. Traverse Software Access Links
2. Application configuration
- By default, many applications enable functionality that is not required by users, while security functionality may be disabled or set at a lower security level.
- Disable non-SSL access to the Web Application and install a valid SSL certificate as described in Configuring SSL for the Web Application.
- Configure user account settings to leverage both account and view limitations, where necessary.
- Enforce MFA (multifactor authentication) for all user accounts. Customers should review their system configuration to confirm administrative user accounts also leverage MFA.
- Review user accounts and ensure that only necessary accounts are configured on the Traverse Platform, each with only the privileges it needs.
- Review the secure Remote Access gateway functionality of Traverse, including the default ports used by this feature.
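The "disable non-SSL access and install a valid certificate" item is easy to verify from outside the box. The script below is an added example, not Traverse tooling: it checks that the plaintext HTTP port no longer accepts connections and that the HTTPS endpoint completes a verified TLS handshake with a certificate that is current, not about to expire, and issued for the host name. The target host name is a placeholder, and the 30-day renewal warning threshold is this example's own choice.

```python
"""Verify that a Traverse web front end answers only over TLS with a valid
certificate.

Added example (not Traverse tooling). It assumes the web application serves
HTTPS on 443 and that 80 should be closed entirely; the host name used when
no argument is given is a placeholder.
"""
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # constructed threshold: warn when renewal is due within 30 days


def san_matches(hostname, san_entries):
    """Return True if hostname is covered by a DNS subjectAltName entry.

    san_entries is the tuple of (type, value) pairs that getpeercert()
    returns under 'subjectAltName'. A wildcard is honoured only for the
    leftmost label, as in RFC 6125.
    """
    host = hostname.lower()
    for kind, name in san_entries:
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_cert(cert, hostname, now=None):
    """Evaluate a certificate dict (getpeercert() format) for hostname.

    Returns a list of findings; an empty list means the certificate is
    currently valid for the name. `now` is seconds since the epoch (UTC).
    """
    now = time.time() if now is None else now
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < WARN_DAYS * 86400:
        findings.append("certificate expires within %d days" % WARN_DAYS)
    if not san_matches(hostname, cert.get("subjectAltName", ())):
        findings.append("hostname %s not covered by subjectAltName" % hostname)
    return findings


def plaintext_port_open(host, port=80, timeout=3.0):
    """True if the plaintext HTTP port still accepts TCP connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_cert(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the peer certificate dict.

    create_default_context() validates the chain against the system trust
    store and enforces the host name, so an untrusted, self-signed or
    mis-issued certificate raises ssl.SSLError (a subclass of OSError) here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def main(host):
    """Run both checks against a live host and return the findings."""
    findings = []
    if plaintext_port_open(host):
        findings.append("port 80 accepts connections: disable non-SSL access")
    try:
        findings += check_cert(fetch_cert(host), host)
    except OSError as exc:  # covers socket errors and ssl.SSLError
        findings.append("TLS handshake or chain validation failed: %s" % exc)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "traverse.example.invalid"  # placeholder
    for line in main(target) or ["OK: TLS only, certificate valid"]:
        print(line)
```

Run it as `python check_tls.py traverse.yourdomain` after the change. The handshake in `fetch_cert` already rejects an expired or wrongly named certificate, so `check_cert` adds the early-renewal warning and lets you review a certificate dict on its own, for example one captured before the cut-over.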
3. Network and Server Hardening
- Server hardening is the main aspect of securing a web application. This includes not just web servers and application servers but also database and file servers, cloud storage systems, and interfaces to any external systems.
- Start by removing or disabling unnecessary software and services (especially file sharing services such as FTP) and closing all unnecessary ports. Minimize administrative access channels; for example, if you only use SSH sessions to manage a server, remove or disable its web-based administrative interface.
- Disable unnecessary ports, protocols, and services on your host operating system. For the ports Traverse requires, see the Traverse Port Requirements guide.
- Apply proper segmentation controls on the network where you have deployed the Traverse Platform (BVE, DGE, and DGEx) instances.
- Implement strict access control and auditing in your environment at the operating system and network layers. Limit access to the Traverse Platform servers to only those authorized persons who require access as part of their duties.
- Apply layered network security controls, such as application load balancers and firewall rules that limit what can reach or send network traffic to your Traverse Platform.
- If you deploy Split Traverse Platform servers (i.e., BVE, DGE and DGEx) in your environment, dedicate these servers where possible or minimize the installation of any third-party software.
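A quick way to act on the "close unnecessary ports" and "remove FTP and similar services" items is to compare what is actually listening with what the Traverse Port Requirements guide says the server role needs. The script below is an added example, not part of Traverse: it parses `ss` output on a Linux host, flags listeners on well-known legacy or file-sharing ports for removal, and lists any other non-loopback listener that is not on the allow-list for review. The allow-list here is a constructed placeholder and the sample `ss` output is constructed; fill the list from the Port Requirements guide for the BVE, DGE or DGEx role of the host.

```python
"""Audit listening sockets against the ports a Traverse server actually needs.

Added example, not part of Traverse. Assumes a Linux host with iproute2's
`ss`; the allow-list is a constructed placeholder to be replaced with the
ports from the Traverse Port Requirements guide for the server's role.
"""
import re
import subprocess
import sys

# Constructed placeholder allow-list: port -> why it is open. Fill this from
# the Traverse Port Requirements guide for BVE, DGE or DGEx as appropriate.
ALLOWED_PORTS = {
    22: "SSH administration",
    443: "HTTPS web application",
}

# Legacy and file-sharing services the guide says to remove, by well-known port.
DISCOURAGED = {21: "FTP", 23: "telnet", 80: "plaintext HTTP", 445: "SMB", 2049: "NFS"}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss_line(line):
    """Parse one `ss -H -ltunp` line into (addr, port, process) or None.

    The local address is field 4, e.g. 0.0.0.0:22, [::]:443 or 127.0.0.1:5432;
    the owning process appears as users:(("name",pid=N,fd=M)) when run as root.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    match = re.search(r'users:\(\("([^"]+)"', line)
    return addr, int(port), match.group(1) if match else "?"


def audit(lines):
    """Return (severity, port, process, reason) tuples for sockets needing action."""
    findings = []
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if port in DISCOURAGED:
            findings.append(("remove", port, proc,
                             "%s listener; remove or disable the service" % DISCOURAGED[port]))
        elif port not in ALLOWED_PORTS and addr not in LOOPBACK:
            findings.append(("review", port, proc,
                             "not in allow-list and bound to %s" % addr))
    return findings


# Constructed sample of `ss -H -ltunp` output for a demonstration run.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("java",pid=1201,fd=55))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=933,fd=4))
LISTEN 0 100 127.0.0.1:5432 127.0.0.1:* users:(("postgres",pid=640,fd=7))
LISTEN 0 128 [::]:8080 [::]:* users:(("java",pid=1201,fd=60))
"""


def live_listeners():
    """Collect TCP and UDP listeners from the running host (root shows process names)."""
    result = subprocess.run(["ss", "-H", "-ltunp"], capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    lines = SAMPLE_SS_OUTPUT.splitlines() if "--sample" in sys.argv else live_listeners()
    for severity, port, proc, reason in audit(lines):
        print("%-6s port %-5d %-10s %s" % (severity.upper(), port, proc, reason))
```

Run with `--sample` to see the logic on the constructed output (the FTP daemon is flagged for removal, the 8080 listener for review, the loopback-only database is ignored), or as root without arguments to audit the host. On a Windows Traverse server the same comparison can be made from `Get-NetTCPConnection -State Listen` output.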
4. Operating System Hardening
- Maintain the latest security updates for the installed operating system (see System Requirements).
- Specific configuration settings for hardening a Microsoft Windows server might include disabling guest accounts, enabling the Windows Firewall, requiring a login to shut down the system, or disabling or restricting anonymous access to shares. For a Linux server, hardening steps might include creating separate partitions for critical mounts, specifying secure encryption settings for remote SSH sessions, configuring SELinux, logging all administrator and root access, or restricting process access to core dumps.
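Two of the Linux items above, secure encryption settings for remote SSH sessions and logging of administrator and root access, live in sshd_config and can be checked mechanically. The script below is an added example, not from the Traverse documentation: it parses sshd_config with sshd's first-value-wins rule, compares a handful of directives against a baseline, and reports CBC, RC4, MD5 and SHA-1 algorithms left enabled. The baseline values and the weak-algorithm sets are this example's own choices; the defaults applied to absent directives are the upstream OpenSSH ones, and the two embedded configs are constructed to show a permissive setup next to its hardened form.

```python
"""Check an OpenSSH sshd_config against the Linux points in section 4: restrict
and log root access, and pin secure algorithms for remote SSH sessions.

Added example, not from the Traverse documentation. The baseline values are
this example's own choices; the OpenSSH defaults used for absent directives
are the upstream ones (distribution package configs may differ).
"""
import re
import sys

# Directive -> (acceptable values, reason). Values are compared case-insensitively.
BASELINE = {
    "PermitRootLogin": ({"no"}, "force named administrator accounts so root access is attributable"),
    "PasswordAuthentication": ({"no"}, "key-based authentication only"),
    "PermitEmptyPasswords": ({"no"}, "never accept empty passwords"),
    "X11Forwarding": ({"no"}, "not needed on a monitoring server"),
    "LogLevel": ({"verbose"}, "VERBOSE records the key fingerprint used for each login"),
}
# Upstream OpenSSH defaults applied when a directive is not set at all.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "LogLevel": "INFO",
}
# Algorithms this example treats as weak: CBC modes, RC4, MD5/SHA-1 MACs.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "umac-64@openssh.com"}


def parse_sshd_config(text):
    """Return {directive_lower: value}, honouring sshd's first-value-wins rule.

    Directives inside a Match block are conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (ok_values, reason) in BASELINE.items():
        value = settings.get(directive.lower(), DEFAULTS[directive]).lower()
        if value not in ok_values:
            findings.append("%s is '%s', want %s: %s"
                            % (directive, value, "/".join(sorted(ok_values)), reason))
    for directive, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS)):
        raw = settings.get(directive, "")
        if raw.startswith("-"):  # a "-" list only removes algorithms, it cannot enable any
            continue
        configured = {a.strip().lower() for a in raw.lstrip("+^").split(",") if a.strip()}
        bad = sorted(configured & weak)
        if bad:
            findings.append("%s enables weak algorithms: %s" % (directive, ", ".join(bad)))
    return findings


# Constructed examples: a permissive config and its hardened counterpart.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,aes256-ctr,3des-cbc
MACs hmac-sha1,hmac-sha2-256
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
LogLevel VERBOSE
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""

if __name__ == "__main__":
    if "--demo" in sys.argv:
        text = WEAK_CONFIG
    else:
        path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
        with open(path) as fh:
            text = fh.read()
    for finding in check_sshd_config(text) or ["OK: meets baseline"]:
        print(finding)
```

`--demo` runs the checker over the permissive config and reports five findings (root login, password authentication, the INFO default log level, two CBC ciphers and the SHA-1 MAC); the hardened config passes cleanly. Run `sshd -t` after editing the real file, since a typo there locks out remote administration.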