Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Hardening the Apex One/OfficeScan server via Internet Information Services (IIS)

    • Updated:
    • 31 Mar 2020
    • Product/Version:
    • Platform:
Summary

This article discusses how to harden the Apex One/OfficeScan server via IIS.

Details
Public

Administrators can harden Apex One server by applying the following configurations:

  1. Install Apex One Patch Build 2146 or later builds.

    This patch contains an enhancement that prevents Sample Submission function failure when IP Address and Domain Restriction settings are being configured.

     
    For OfficeScan XG SP1, the required patch will be released in May 2020.
  2. Go to Server Manager > Add Roles and Features > Server Selection > Server Roles > Web Server (IIS) > Web Server > Security and tick “IP and Domain Restrictions” for your IIS.

    Harden Apex One

  3. Open the IIS console and configure IP and Domain Restrictions:
    1. Open Internet Information Services (IIS) Manager.
    2. Select <HostName> > <Site> > officescan > console and double-click the IP and Domain Restrictions icon in the middle panel.

      Harden Apex One

    3. Select "Deny action" under "Access for unspecified clients".
  4. Add IP addresses of allowed devices (e.g. system administrator computer) by clicking Add Allow Entry... in the right panel and input the target "Specific IP address" or "IP address range", then click OK.
    • Add both IPv4 and IPv6 addresses of allowed computers.
    • System administrator, Apex One server, Apex Central server, Apex One Edge Server shall be added to the Allowed list.
    • Allow localhost IP to ensure any internal Apex One communication within the console:

      Default localhost IP values: 127.0.0.1, ::1

     
    • If you get logged out after allowing the necessary IP address when accessing the Apex One web console, clear your browser cache and restart the web browser.
    • Allowing or restricting domain names access is not recommended as this rule may significantly affect server performance because it requires a DNS lookup for every request.
  5. Enable "Proxy Mode setting…" if you want to filter clients that access IIS through one or more firewalls, load-balancing, or proxy servers.

    Administrators can configure their servers to examine the X-Forwarded-For HTTP header in order to determine which requests to block.

    Harden Apex One

    To enable X-Forwarded-For logging in IIS:

    1. Expand SERVERNAME > Sites > OfficeScan website directory.
    2. Double-click Logging under IIS group in middle panel.

      Harden Apex One

    3. Click Select Fields... under Log File > Format.

      Harden Apex One

    4. On the W3C Logging Fields menu, click Add Field….
    5. Input “X-Forwarded-For” in both Field Name and Source sections.

      Harden Apex One

      The Custom Fields section should show the entry.

      Harden Apex One

    6. Restart IIS Admin Service.

      The log file name should append a ”_x” at the end and show X-Forwarded-For on the header.

      Harden Apex One

      Harden Apex One

When you restrict the IP/Domain and access it through Apex One web console, it will return default error message:

Harden Apex One

This can be configured via Deny Action Type:

Action TypeDescription
UnauthorizedReturns error 401
ForbiddenReturns error 403
Not FoundReturns error 404
AbortTerminates the connection

Harden Apex One

The shared folder of the Apex One/OfficeScan server is named "ofcscan" and is located in the C:/program files/Trend Micro/Officescan/PCCSRV folder. The Administrator may opt to disable it to reduce the attack surface.

Either of the following options can be used to disable Apex One/OfficeScan SMB share:

  1. Right-click the PCCSRV folder under the OfficeScan server installation directory.
  2. Select “Share with” and then “Advanced sharing…”.

    Disable Apex One shared folder

  3. Click Advanced Sharing… on the PCCSRV folder’s Properties window.

    Disable Apex One shared folder

  4. Untick “Share this folder” and then click Apply.

    Disable Apex One shared folder

    Disable Apex One shared folder

  5. Click Yes and then OK.

    Disable Apex One shared folder

PCCSRV folder is not shared anymore.

Disable Apex One shared folder

  1. Open the Computer Managementc console.

    Disable Apex One shared folder

  2. Expand Shared Folders and then click Shares.

    Disable Apex One shared folder

  3. Right-click ofcscan and then select “Stop Sharing”.

    Disable Apex One shared folder

  4. Click Yes.

    Disable Apex One shared folder

PCCSRV folder is not shared.

Disable Apex One shared folder

Please note that the following functions would be impacted once the Apex One/OfficeScan shared folder is disabled.

  • Agents cannot launch autopcc.exe for installation and update.
  • The server's Start menu shortcut does not work because it uses a UNC path.
  • Uninstalling the server may fail because the program looks for files in UNC.
  • If an alternative quarantine directory is specified in the UNC path, then it would not work. You have to modify the location in URL format or absolute file path when the ofcscan shared folder is deactivated.
Premium
Internal
Partner
Rating:
Category:
Configure
Solution Id:
000249216
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.