Hardening the OneSpan Authentication Server operating system
  • 26 Nov 2024
  • 3 minutes to read


Securing the installation source

Before installing any software, ensure that the installation source of your host operating system and other software that you intend to install on it comes from a trusted source.

Hardening a Microsoft environment

  • Servers should be connected to a trusted network during the installation and hardening processes.
  • Use the NTFS file system only. It offers access controls and protections that the FAT32 file system does not.
  • Update the system after the base installation, and install all current service packs. Make sure the system stays updated at all times.
  • Rename the built-in administrator account. This account is a primary target for attacks.
  • Use a strong password for the renamed administrator account. For more information about password guidelines, see Static password strength and age rules and Password guidelines.
  • Disable the guest account.
  • Configure an account lockout policy to counter brute-force attacks.
  • Disable all unnecessary services and file shares. Configure appropriate Access Control Lists (ACL) for services and file shares that are necessary for day-to-day operations.
  • Install antivirus software and implement processes to keep it up-to-date so that your host is shielded against the latest virus threats.
  • Install and use an intrusion detection system (IDS).

Hardening a Linux environment

  • Servers should be connected to a trusted network during the installation and hardening processes.
  • Use separate disk partitions. The following file systems should be mounted on separate partitions:
    • /usr
    • /home
    • /var
    • /var/tmp
    • /tmp
  • Disable unwanted SUID and SGID binaries. Such binaries run with the privileges of their owner or group, and any local or remote user can execute them.
  • Keep the Linux kernel and other installed software up-to-date.
  • Make sure that no non-root accounts have their UID set to 0.
  • Disable the root login for remote administration.
  • Use Linux security extensions where possible.
  • Make sure you have a good and strong password policy. For more information about password guidelines, see Static password strength and age rules and Password guidelines.
  • Lock user accounts after successive login failures.
  • Disable unwanted services and listening network ports. Configure appropriate Access Control Lists (ACL) for services and file shares that are necessary for day-to-day operations.
  • Install and use an Intrusion Detection System (IDS).
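The following script is an added example, not OneSpan's own tooling: it audits three items from the Linux list above (no non-root account with UID 0, the listed file systems on separate partitions, and an inventory of SUID/SGID binaries) against constructed passwd and fstab samples so that it runs offline.

```shell
#!/bin/sh
# Added example, not OneSpan's own code: audits three items from the Linux
# hardening list. The passwd and fstab inputs are constructed samples so the
# script runs offline; pass "$(cat /etc/passwd)" and "$(cat /etc/fstab)" to
# audit a real host.

# Constructed /etc/passwd: "backdoor" is a non-root account with UID 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/home/backdoor:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash'

# Constructed /etc/fstab: /var/tmp and /tmp have no partition of their own.
SAMPLE_FSTAB='# <device> <mount point> <type> <options> <dump> <pass>
UUID=0000-root / ext4 defaults 0 1
UUID=0000-usr /usr ext4 defaults,ro 0 2
UUID=0000-home /home ext4 defaults,nosuid,nodev 0 2
UUID=0000-var /var ext4 defaults,nosuid 0 2'

# Print every account other than root whose UID (third passwd field) is 0.
uid0_accounts() {  # $1 = passwd file content
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print each mount point from the hardening list that has no fstab entry.
missing_partitions() {  # $1 = fstab file content
    for mp in /usr /home /var /var/tmp /tmp; do
        printf '%s\n' "$1" \
            | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' \
            || echo "$mp"
    done
}

# List SUID/SGID files under a directory (use / on a real host); review each
# one and strip the bit from any that day-to-day operation does not need.
suid_sgid_files() {  # $1 = directory to scan
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

echo "Non-root accounts with UID 0:"
uid0_accounts "$SAMPLE_PASSWD"
echo "Mount points without a separate partition:"
missing_partitions "$SAMPLE_FSTAB"
```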

Securing OneSpan Authentication Server

To secure OneSpan Authentication Server, the following steps are recommended:

Hardening the OneSpan Authentication Server Administration Web Interface

  • Create one or more dedicated users with system administrator privileges using authenticator-based authentication.
  • Configure your authentication policies to exclude administrative logins. This avoids unwanted administrator account lockouts.
  • If you are using static passwords, we recommend using strong static passwords. This lowers the overall risk of a security breach. Make sure to update your password policy accordingly.
  • Disable inactive user accounts. OneSpan Authentication Server policies can be configured so that inactive accounts are automatically disabled after a certain period of inactivity.
  • Use SOAP over SSL to secure communications between your web applications and OneSpan Authentication Server. Mutual authentication is optional, but it considerably improves security.
  • Use a hardware security module (HSM) to protect the system's cryptographic information and its processing of authentication requests.

Password guidelines

To minimize the risk of compromised passwords and increase protection against brute-force attacks, enforce password guidelines. Recommendations for safe passwords include but are not limited to the following measures:

  • Do not use personal information. Never use any information personally related to yourself or any other individual such as names, birth dates, addresses, telephone numbers etc. as a part of your password. It is very easy for attackers to guess your last name, your pet's name, the birthday of your child, and similar details.
  • Do not use ordinary words or phrases. Attackers attempt to crack your password with programs that use multilingual wordlists (dictionary attack) and precomputed lookup structures such as rainbow tables.
  • Mix different character types. Use combinations of uppercase and lowercase letters, numbers, and special characters such as & or %.
  • Use at least 16 characters. The greater the length of the password, the longer an attempted brute-force attack will take and the more difficult it is to crack the password. A password length of 16 characters equals 96 bits, which is well beyond the cracking capabilities of regular computers.
  • Use a passphrase. Rather than trying to remember a password created by using various character types which do not form a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter of each word.
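As an added example that is not part of OneSpan's documentation, the following checker applies the three mechanical rules above (minimum 16 characters, no wordlist entry, mixed character types) to candidate passwords; the wordlist is a constructed three-entry sample standing in for a real multilingual list.

```shell
#!/bin/sh
# Added example, not OneSpan's own code: checks a candidate password against
# the guidelines (at least 16 characters, not a wordlist entry, at least three
# of the four character types). The wordlist is a constructed sample.
SAMPLE_WORDLIST='password
welcome
correcthorsebatterystaple'

# Returns 0 when the password passes; otherwise prints the first failed rule
# and returns 1.
check_password() {  # $1 = candidate password, $2 = wordlist content
    pw=$1
    if [ "${#pw}" -lt 16 ]; then
        echo "rejected: ${#pw} characters, need at least 16"; return 1
    fi
    # Compare case-insensitively, whole line only (-x), as a fixed string (-F).
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    if printf '%s\n' "$2" | grep -qxF -- "$lower"; then
        echo "rejected: matches a wordlist entry"; return 1
    fi
    classes=0
    for class in '[[:lower:]]' '[[:upper:]]' '[[:digit:]]' '[^[:alnum:]]'; do
        printf '%s' "$pw" | grep -q -- "$class" && classes=$((classes + 1))
    done
    if [ "$classes" -lt 3 ]; then
        echo "rejected: only $classes of 4 character types, need at least 3"; return 1
    fi
    return 0
}

# Constructed candidates: short, a wordlist entry, single class, and one that passes.
for candidate in 'password' 'CorrectHorseBatteryStaple' 'sunshinesunshine' 'Tr0ub4dor&3-correct'; do
    if check_password "$candidate" "$SAMPLE_WORDLIST"; then echo "accepted: $candidate"; fi
done
```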
