How to secure a GMS/Analyzer Web Server Service against weak ciphers and other vulnerabilities
03/26/2020 
1047 
11556
DESCRIPTION:
If your GMS/Analyzer server is publicly accessible, securing the web server service against weak ciphers and/or other vulnerabilities may be needed.
This article describes some basic steps to identify issues along with methods of mitigating such issues.
RESOLUTION:
Step 1:
Identify if any vulnerabilities due to weak ciphers or other known vulnernabilities exist currently on your GMS/Analyzer server.
The following utility can scan your web service by providing the server URL:
https://sslanalyzer.comodoca.com/
This screen shot shows the types of vulnerabilities that may be seen:
Analysis:
Step 2:
Modify server.xml file to limit the ciphers/protocols/features that may be causing issues.
a) In Windows - navigate to the following directory:
[installDir]:\GMSVP\Tomcat\conf\
b) Right-click the server.xml file and choose Edit.
c) Find the following connectors (two exist in Windows server.xml; Connector port may differ on your server):
<Connector port="443" address="0.0.0.0" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
<Connector port="443" address="[::]" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
d) Add the following values following the - secure="true" - value in the connector config:
SSLDisableCompression="true" SSLProtocol="TLSv1" SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH"
Example of change:
Description of changes:
SSLDisableCompression="true" (Disables Compression, which is vulnerable to CRIME attack)
SSLProtocol="TLSv1" (Disables SSLv3 which is vulnerable to Poodle)
SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH" (Disables weak ciphers)
e) Save chages to the server.xml file and restart the GMS/Analyzer server
How to Test:
Re-scan using the SSL Analyzer utility you prefer and verify changes:
Additional info:
When GMS is installed on Windows, you may see a Vulnerability listed for - Secure Renegotiation (Client-initiated).
This may not be fixed by applying changes in the article.
Tomcat does not see this issue as a specific vulnerability and no specific fix is listed.
For further info, refer to -
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
