Solarwinds Orion Server: I applied DoD STIGs and now the product is not functioning. What do I need to correct?

Version 2

    Purpose: To provide common fixes for Department of Defense (DoD) DISA STIGs on Windows systems where Solarwinds products are installed. These heightened requirements have been known to cause a few issues when implemented.

     

    STIG Policy: Once I applied a STIG Policy the Solarwinds Services Collector and Job Engine are now stopped.

    Cause: Net.TCP Port Sharing Service is Disabled. Solarwinds requires Net.TCP Port Sharing for Solarwinds Collector and Job Engine Services to run. An exception may need to be made if required for the software to function. Solarwinds utilizes this service to combine all of our TCP 17777 traffic for Website views, API, Additional Polling Engine, and Agent communications.

     

    Go into Control Panel> Administrative Tools> Services

    Edit the Net.TCP Port Sharing service: change the startup type from Disabled to Automatic, then start the service.

    Start all other Solarwinds Services, or use the Orion Service Manager below:

    Please go into the Orion Service Manager under Start> Programs> Solarwinds Orion> Advanced Features> Orion Service Manager.

    Select Stop Everything.

    Once all services are stopped, wait one minute, then select Start Everything.
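
    The same steps from an elevated PowerShell prompt, as an added example (not SolarWinds' own script). It assumes the Windows service name NetTcpPortSharing for Net.TCP Port Sharing and that the Orion services have display names beginning with "SolarWinds".

```powershell
# Added example. Assumptions: service name NetTcpPortSharing; Orion services
# have display names starting with "SolarWinds".

# 1. Record the state the STIG policy left the service in.
$svc = Get-CimInstance Win32_Service -Filter "Name='NetTcpPortSharing'"
"Before: StartMode=$($svc.StartMode) State=$($svc.State)"

# 2. Re-enable and start Net.TCP Port Sharing.
if ($svc.StartMode -ne 'Auto') {
    Set-Service -Name NetTcpPortSharing -StartupType Automatic
}
Start-Service -Name NetTcpPortSharing

# 3. Start the SolarWinds services that are set to start automatically
#    but are currently stopped (Collector, Job Engine, and so on).
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'SolarWinds%' AND StartMode='Auto' AND State<>'Running'" |
    ForEach-Object {
        "Starting $($_.DisplayName)"
        Start-Service -Name $_.Name
    }

# 4. Verify: something should now be listening on TCP 17777.
$listener = Get-NetTCPConnection -LocalPort 17777 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    "TCP 17777 is listening (PID $(@($listener)[0].OwningProcess))"
} else {
    "Nothing is listening on TCP 17777 yet; check the Collector and Job Engine services"
}
```

    If a later policy refresh sets the service back to Disabled, the same check will show it in the "Before" line.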

     

     

     

     

     

    STIG Rule: Restrict file name extensions

    STIG ID WA000-WI6260 is set and that is what is preventing the site from running properly.

    "Allow unlisted file name extensions" must be unchecked within IIS "Request Filtering." This change breaks the website. Is there a known work-around?

     

     

    Rule Title: The production web-site must filter unlisted file extensions in URL requests.

     

    STIG ID: WA000-WI6260

    Rule ID: SV-32697r1_rule

    Vuln ID: V-26046

    Severity: CAT II Class: Unclass

     

    Discussion:

    Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. By setting limits on web requests it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The allow unlisted property of the File Extensions Request Filter enables rejection of requests containing specific file extensions not defined in the File Extensions filter. Tripping this filter will cause IIS to generate a Status Code 404.7.

     

    Documentable: No

     

    Responsibility:  Web Administrator

     

    Check Content:

    For each site reviewed:

    1. Open the IIS Manager.

    2. Click on the site name.

    3. Double-click the Request Filtering icon.

    4. Click Edit Feature Settings in the Actions Pane.

     

    If allow unlisted file extensions checkbox is checked, this is a finding.

     

    Fix Text:

    1. Open the IIS Manager.

    2. Click the site name under review.

    3. Double-click the Request Filtering icon.

    4. Click Edit Feature Settings in the Actions Pane.

    5. Uncheck the allow unlisted file extensions checkbox.

     

    IA Controls: ECSC-1

     

    Here is the list of allowed extensions needed:

    .

    .ascx

    .ashx

    .asmx

    .aspx

    .axd

    .config

    .cs

    .css

    .gif

    .html

    .ico

    .jpg

    .js

    .master

    .png

    .sitemap

    .svg

    .template

    .woff

    .woff2
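
    An added example (not SolarWinds' own script) that loads the allow-list above into Request Filtering and only then clears "Allow unlisted file name extensions". The site name is a placeholder you must replace, and the settings are written to a location entry in applicationHost.config; both are assumptions of this example.

```powershell
Import-Module WebAdministration

# Assumption: set this to the Orion site name shown in IIS Manager.
$Site     = '<Orion web site name>'
$SitePath = "IIS:\Sites\$Site"              # used for reading effective settings
$PsPath   = 'MACHINE/WEBROOT/APPHOST'       # used for writing, with -Location
$Filter   = 'system.webServer/security/requestFiltering/fileExtensions'

# Allow-list copied from the article ('.' covers requests with no extension).
$Needed = '.', '.ascx', '.ashx', '.asmx', '.aspx', '.axd', '.config', '.cs',
          '.css', '.gif', '.html', '.ico', '.jpg', '.js', '.master', '.png',
          '.sitemap', '.svg', '.template', '.woff', '.woff2'

# Entries already in effect for the site, keyed by extension.
$current = @{}
(Get-WebConfiguration -PSPath $SitePath -Filter $Filter).Collection |
    ForEach-Object { $current[$_.fileExtension] = [bool]$_.allowed }

foreach ($ext in $Needed) {
    if (-not $current.ContainsKey($ext)) {
        Add-WebConfigurationProperty -PSPath $PsPath -Location $Site -Filter $Filter `
            -Name '.' -Value @{ fileExtension = $ext; allowed = $true }
        "added    $ext"
    } elseif (-not $current[$ext]) {
        # Present but explicitly denied: report it, do not flip it silently.
        "DENIED   $ext  (review before allowing)"
    } else {
        "present  $ext"
    }
}

# Apply the STIG setting only after the allow-list is in place.
Set-WebConfigurationProperty -PSPath $PsPath -Location $Site -Filter $Filter `
    -Name allowUnlisted -Value $false

# Check: False here means WA000-WI6260 is no longer a finding for this site.
(Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name allowUnlisted).Value
```

    Requests for an extension that is still missing from the list show up in the IIS log with status 404 and sub-status 7, which is the quickest way to find anything the list does not cover.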

     

    When the IIS website is set to "Require" client certificates, the website breaks. Is there a known work-around?

    You will need to install an SSL certificate on the server. Please see the following guide, which includes Smart Card Authentication setup:

    Setup SSL and Enable Smart Card (CAC/PKI) User Authentication for Orion Web Console

     

     

    Rule Title:  The amount of virtual memory an application pool uses must be set.

    STIG ID: WA000-WI6024 IIS7

     


    Rule ID: SV-32570r1_rule

    Vuln ID: V-13706

    Severity: CAT II Class: Unclass

     

    Discussion:

    IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.

     

    Documentable: No

     

    Responsibility:  Web Administrator

     

    Check Content:

    1. Open the IIS Manager.

    2. Click on Application Pools.

    3. Highlight an Application Pool and click Advanced Settings in the Action Pane.

    4. In the advanced settings dialog box scroll down to the recycling section and ensure the value for Virtual Memory Limit is not set to 0. If it is, this is a finding.

     

     

    Fix Text:

    1. Open the IIS Manager.

    2. Click the Application Pools.

    3. Highlight an Application Pool and click Advanced Settings in the Action Pane.

    4. In the advanced settings dialog box scroll down to the recycling section and set the value for Virtual Memory Limit to a value other than 0.

     

    IA Controls: ECSC-1

     

    Finding Details:

    Each Pool was set for : 0

     

    Comments:

    I made the following changes:

     

    Classic.NET AppPool - 300KB

    DefaultAppPool - 300KB

    SolarWinds Orion Application Pool - 0 I could not make the change without breaking the site.

    SolarWinds Orion NCM Application Pool - 0  I could not make the change without breaking the site.

    SolarWinds Findings:

    We set this to 1,000,000 (it’s in KB, so that number represents 1 GB of virtual memory) and it worked fine.

    It should be fine for the majority of production environments; if it is not, gradually increase this number until you find a value that works reliably.

     

     

     

    Rule Title:  The amount of private memory an application pool uses must be set.

    STIG ID: WA000-WI6026 IIS7

     


    Rule ID: SV-32571r1_rule

    Vuln ID: V-13707

    Severity: CAT II Class: Unclass

     

    Discussion:

    IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.

     

    Documentable: No

     

    Responsibility: Web Administrator

     

    Check Content:

    1. Open the IIS Manager.

    2. Click the Application Pools.

    3. Highlight an Application Pool and click Advanced Settings in the Action Pane.

    4. Scroll down to the recycling section and ensure the value for Private Memory Limit is set to a value other than 0. If not, this is a finding.

     

    Fix Text:

    1. Open the IIS Manager.

    2. Click the Application Pools.

    3. Highlight an Application Pool and click Advanced Settings in the Action Pane.

    4. Scroll down to the recycling section and set the value for Private Memory Limit to a value other than 0.

     

    IA Controls: ECSC-1

     

    Findings Details:

    Each Pool was set for : 0

    Comments:

    Classic.NET AppPool - 300KB

    DefaultAppPool - 300KB

    SolarWinds Orion Application Pool - 0 I could not make the change without breaking the site.

    SolarWinds Orion NCM Application Pool - 0 I could not make the change without breaking the site.

     

    SolarWinds Findings:

    We set this to 1,000,000 (it’s in KB, so that number represents 1 GB of virtual memory) and it worked fine.

    It should be fine for the majority of production environments; if it is not, gradually increase this number until you find a value that works reliably.
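
    An added example (not SolarWinds' own script) covering both application pool checks above, WA000-WI6024 and WA000-WI6026. It reports every pool whose Virtual or Private Memory Limit is 0 and, when run with -Fix, sets those to the 1,000,000 KB value from the SolarWinds Findings. The function name is made up for this example; pool names are read from IIS rather than hard-coded.

```powershell
Import-Module WebAdministration

# Value from the "SolarWinds Findings" notes above, in KB.
$LimitKB = 1000000

# Attribute behind each Advanced Settings field, keyed by STIG ID.
$Checks = [ordered]@{
    'WA000-WI6024 Virtual Memory Limit' = 'recycling.periodicRestart.memory'
    'WA000-WI6026 Private Memory Limit' = 'recycling.periodicRestart.privateMemory'
}

# Hypothetical helper for this example: audit every pool, optionally fix zeros.
function Test-AppPoolMemoryLimit {
    param([switch]$Fix)

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $path = "IIS:\AppPools\$($pool.Name)"
        foreach ($check in $Checks.Keys) {
            $attr  = $Checks[$check]
            $value = (Get-ItemProperty -Path $path -Name $attr).Value

            if ($value -eq 0 -and $Fix) {
                Set-ItemProperty -Path $path -Name $attr -Value $LimitKB
                # Re-read so the report shows what is actually configured.
                $value = (Get-ItemProperty -Path $path -Name $attr).Value
            }

            [pscustomobject]@{
                AppPool = $pool.Name
                Check   = $check
                LimitKB = $value
                Finding = ($value -eq 0)   # 0 means "no limit", which the STIG flags
            }
        }
    }
}

# Audit only:
Test-AppPoolMemoryLimit | Format-Table -AutoSize

# Audit and set any 0 value to $LimitKB:
# Test-AppPoolMemoryLimit -Fix | Format-Table -AutoSize
```

    After a -Fix run, watch the Orion pools for unexpected recycles and raise $LimitKB for a pool that hits the limit under normal load.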