How to secure a GMS/Analyzer Web Server Service against weak ciphers and other vulnerabilities
03/26/2020 
1047 
10038
DESCRIPTION:
If your GMS/Analyzer server is publicly accessible, securing the web server service against weak ciphers and/or other vulnerabilities may be needed.
This article describes some basic steps to identify issues along with methods of mitigating such issues.
RESOLUTION:
Step 1:
Identify if any vulnerabilities due to weak ciphers or other known vulnernabilities exist currently on your GMS/Analyzer server.
The following utility can scan your web service by providing the server URL:
https://sslanalyzer.comodoca.com/
This screen shot shows the types of vulnerabilities that may be seen:
Analysis:
Step 2:
Modify server.xml file to limit the ciphers/protocols/features that may be causing issues.
a) In Windows - navigate to the following directory:
[installDir]:\GMSVP\Tomcat\conf\
b) Right-click the server.xml file and choose Edit.
c) Find the following connectors (two exist in Windows server.xml; Connector port may differ on your server):
<Connector port="443" address="0.0.0.0" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
<Connector port="443" address="[::]" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
d) Add the following values following the - secure="true" - value in the connector config:
SSLDisableCompression="true" SSLProtocol="TLSv1" SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH"
Example of change:
Description of changes:
SSLDisableCompression="true" (Disables Compression, which is vulnerable to CRIME attack)
SSLProtocol="TLSv1" (Disables SSLv3 which is vulnerable to Poodle)
SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH" (Disables weak ciphers)
e) Save chages to the server.xml file and restart the GMS/Analyzer server
How to Test:
Re-scan using the SSL Analyzer utility you prefer and verify changes:
Additional info:
When GMS is installed on Windows, you may see a Vulnerability listed for - Secure Renegotiation (Client-initiated).
This may not be fixed by applying changes in the article.
Tomcat does not see this issue as a specific vulnerability and no specific fix is listed.
For further info, refer to -
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
