Security Hardening

Author: [email protected]

To harden the security posture of the MyPass Gateway server, the following measures are recommended. Since the primary role of the MyPass Gateway is to host a set of web services using Microsoft Internet Information Services (IIS), the recommendations focus on securing this role. Normal security best practice relating to firewall configuration (partially addressed below) and patching should still be followed.

  • Do not run the MyPass Gateway (IIS) on a domain controller
  • Install only the IIS modules you need (as described in the MyPass Gateway prerequisite section)
  • Ensure that server roles are kept separate
  • Keep your antivirus software up to date
  • Isolate web applications
  • Implement the principle of least privilege
  • Make periodic backups of the IIS server
  • Turn on SSL and maintain SSL certificates
  • Configure accepted SSL ciphers
  • Incoming Firewall Port Configuration
  • Outgoing Firewall Port Configuration
  • Network Firewall Configuration
  • MyPass Application Accepted Call List