Microsoft Operating System Configuration

ActivID CMS relies heavily on operating in a stable and secure operating system (OS) environment. Microsoft recommends applying all security-related maintenance releases and patches as they are issued. However, because security enhancements to the OS may affect some of the functions and services required by ActivID CMS, it is important to first test these maintenance releases and security patches comprehensively in a dedicated test environment (one that replicates the production ActivID CMS deployment) before deploying them on the ActivID CMS production servers.

However, if the ActivID CMS server is available over the public Internet (for example, where users are able to access the ActivID CMS User Portal), it is strongly recommended that organizations automatically and immediately apply all critical security-related maintenance releases and patches from Microsoft, even if this is to the detriment of the ActivID CMS server’s functionality.

To minimize the damage caused by failures related to an applied maintenance release or security patch, you should implement proven and tested disaster recovery procedures for each component that is utilized by ActivID CMS.

To ensure you implement security-related maintenance releases and patches in a timely manner, it is recommended that you use Microsoft’s WSUS server. While the configuration of the server is outside the scope of this documentation, the server should be configured to deliver all security-related maintenance releases and patches immediately to a specific group (where the ActivID CMS server is configured as a member of that group).
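The guidance above leaves the WSUS server itself out of scope, but the client side of that setup is a handful of policy registry values on the ActivID CMS server. The following script is an added example and is not part of the ActivID CMS documentation; the WSUS URL and the target group name are placeholders, and the paths and value names are the standard Windows Update policy keys.

```powershell
# Added example, not from the ActivID CMS documentation.
# Points this server at an internal WSUS server and enrols it in a WSUS target group
# (client-side targeting), so updates approved for that group reach it immediately.
# Run in an elevated PowerShell session on the ActivID CMS server.
$WsusUrl     = 'http://wsus.corp.example:8530'  # assumption: your WSUS server URL
$TargetGroup = 'ActivID-CMS-Servers'            # assumption: group created on the WSUS server

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Point the Windows Update client at WSUS and enable client-side targeting.
Set-ItemProperty -Path $wuKey -Name WUServer           -Value $WsusUrl     -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer     -Value $WsusUrl     -Type String
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $TargetGroup -Type String

# Use WSUS rather than Microsoft Update, keep automatic updates on, and
# auto-download and schedule the install (AUOptions = 4).
Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions    -Value 4 -Type DWord

# Trigger a detection cycle so the server registers with WSUS under the new group.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()

# Verify what the client will use.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, TargetGroup, TargetGroupEnabled
```

Client-side targeting only works if the WSUS server is set to accept it (the "Use Group Policy or registry settings on computers" option in the WSUS console); otherwise the computer has to be placed in the group manually on the server side. The same values can be delivered through Group Policy instead of a script, which is preferable when more than one ActivID CMS server is in scope.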

Note: New releases of Microsoft software, including service packs, feature packs, and major-minor-maintenance releases should not be deployed on the ActivID CMS server before you verify that ActivID CMS officially supports the applicable released version.

In terms of configuring the Microsoft OS to provide a secure operating environment for ActivID CMS, it is recommended that you read the Microsoft Windows Server Security Guides. Read the recommendations suggested by Microsoft and apply them on your Windows Servers.

Observing ActivID CMS-Related Security Considerations

This section assumes that you have implemented the secure Microsoft OS environment recommended in the previous section. To securely implement ActivID CMS with this secure Microsoft OS environment, apply the following guidelines:

  • Install IIS on a separate partition from the system partition. This ensures that any attempt at a directory traversal does not provide access to the system volume.

  • Install ActivID CMS on a separate partition from the system partition.

  • Create a local user group per system, of which the domain groups are members. This allows rights to be locally assigned on the server. 

  • Use a separate ActivID CMS user account per ActivID CMS server.

  • Provide the local user group access to the following locations (specific information regarding configuration and access rights is documented in Local File System Rights):

    • ActivID CMS Program/Installation directory

    • Local Machine Certificate Store in the registry

  • Configure ActivID CMS in attended mode, which ensures that no passwords or PIN codes are stored (even in obfuscated form) in the configuration (.cfg) files. In attended mode, each time the ActivID CMS server starts, the operator must enter the security key, the database password and, if one is configured, the HSM (Hardware Security Module) PIN. The passwords and PINs are held obfuscated in the RAM of the ActivID CMS system and are automatically cleared when the system is shut down.

  • Define and enforce policies for all secrets (passwords, PINs). It is important to find the right balance between security best practices and user convenience. Useful guidelines on password policy can be found in NIST (National Institute of Standards and Technology) Special Publication 800-63.

  • Make sure that all tasks (such as requesting certificates) are completed using the user ID of the ActivID CMS User. The ActivID CMS User does not require rights to log on to the system locally if the system is running in unattended mode.

    This matters, for example, when requesting certificates on behalf of the ActivID CMS service: the certificate Distinguished Name (DN) must correspond to the DN of the user running the ActivID CMS services.

  • Minimize the number of applications installed on the ActivID CMS server. The only components installed on the ActivID CMS server should be the following:

    • Operating systems (Windows Server)

    • Database systems (Oracle or Microsoft SQL Server)

    • ActivID CMS software

    • Backup software

    • Anti-virus/security software

Note: For the list of supported operating systems and database systems, refer to ActivID CMS System Environment.
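The partition, local group and access-rights guidelines above can be applied and checked with a short script on each server. The following is an added example and is not ActivID CMS code: the domain group name, the ActivID CMS installation path and the IIS content path are placeholders, and the "Modify" right granted on the installation directory is an assumption (the exact rights come from the Local File System Rights section, which is not reproduced here). The certificate store key is the standard location of the Local Machine store in the registry.

```powershell
# Added example, not from the ActivID CMS documentation.
# Run in an elevated PowerShell session on the ActivID CMS server.
$DomainGroup   = 'CORP\ActivID-CMS-Operators'   # assumption: domain group that runs/administers CMS
$LocalGroup    = 'CMS-Local-Access'             # per-server local group, as the guidance recommends
$CmsInstallDir = 'D:\ActivIDCMS'                # assumption: CMS installation directory
$IisContentDir = 'E:\inetpub'                   # assumption: IIS content directory

# 1. Check that IIS content and the CMS installation are NOT on the system partition.
foreach ($path in $CmsInstallDir, $IisContentDir) {
    $drive = Split-Path -Path $path -Qualifier
    if ($drive -ieq $env:SystemDrive) {
        Write-Warning "$path is on the system partition ($env:SystemDrive); move it to a separate volume."
    }
}

# 2. Create the local group and nest the domain group in it, so rights are assigned locally.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'Local rights holder for ActivID CMS on this server' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $LocalGroup -Member $DomainGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
}

# 3. Grant the local group access to the CMS installation directory (inherited by subfolders and files).
#    'Modify' is an assumption; use the rights specified in Local File System Rights.
$acl  = Get-Acl -Path $CmsInstallDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $LocalGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $CmsInstallDir -AclObject $acl

# 4. Grant the local group read access to the Local Machine certificate store in the registry.
$certStoreKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'
$regAcl  = Get-Acl -Path $certStoreKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $LocalGroup, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $certStoreKey -AclObject $regAcl

# 5. Show the resulting entries for the local group so they can be reviewed.
(Get-Acl -Path $CmsInstallDir).Access | Where-Object { $_.IdentityReference -like "*$LocalGroup" }
(Get-Acl -Path $certStoreKey).Access  | Where-Object { $_.IdentityReference -like "*$LocalGroup" }
```

Because the local group is created on each server and the domain group is merely a member of it, the same script can be run unchanged on every ActivID CMS server while each server still keeps its own ActivID CMS user account, as the guidance requires.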