This article discusses how to harden the Apex One/OfficeScan server via IIS.
Administrators can harden Apex One server by applying the following configurations:
- Install Apex One Patch Build 2146 or later builds.
  This patch contains an enhancement that prevents the Sample Submission function from failing when IP Address and Domain Restriction settings are configured. For OfficeScan XG SP1, the required patch will be released in May 2020.
- Go to Server Manager > Add Roles and Features > Server Selection > Server Roles > Web Server (IIS) > Web Server > Security and tick “IP and Domain Restrictions” for your IIS.
- Open the IIS console and configure IP and Domain Restrictions:
  - Add the IP addresses of allowed devices (e.g. the system administrator's computer) by clicking Add Allow Entry... in the right panel, entering the target "Specific IP address" or "IP address range", and clicking OK.
  - Add both the IPv4 and IPv6 addresses of allowed computers.
  - The system administrator's computer, the Apex One server, the Apex Central server and the Apex One Edge Server shall be added to the Allowed list.
  - Allow the localhost IP to ensure internal Apex One communication within the console. Default localhost IP values: 127.0.0.1, ::1
  - If you get logged out of the Apex One web console after allowing the necessary IP address, clear your browser cache and restart the web browser.
  - Allowing or restricting access by domain name is not recommended, as this rule may significantly affect server performance because it requires a DNS lookup for every request.
- Enable "Proxy Mode setting…" if you want to filter clients that access IIS through one or more firewalls, load balancers, or proxy servers.
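The same restriction steps can be applied from PowerShell with the WebAdministration module, which is useful when several Apex One servers must be configured consistently. The script below is an added example, not Trend Micro's code; it assumes the IIS site is named "OfficeScan" and the non-localhost addresses are constructed placeholders to be replaced with your own administrator and server addresses. Allow entries are added before unlisted addresses are denied, so the console is never briefly unreachable.

```powershell
# Added example (not Trend Micro's code): apply the IP and Domain Restrictions
# steps above with the WebAdministration module. Assumes the IIS site is named
# "OfficeScan"; the non-localhost addresses below are constructed placeholders.
Import-Module WebAdministration

# 1. Install the IP and Domain Restrictions role service (Web-IP-Security).
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security
}

$site   = 'OfficeScan'
$psPath = "IIS:\Sites\$site"
$filter = 'system.webServer/security/ipSecurity'

# 2. Allowed devices: localhost (IPv4 and IPv6), the admin workstation and the
#    Apex One / Apex Central / Edge servers. Placeholder addresses are constructed.
$allowed = @(
    @{ ipAddress = '127.0.0.1' },                                   # localhost IPv4 (default value from the article)
    @{ ipAddress = '::1' },                                         # localhost IPv6 (default value from the article)
    @{ ipAddress = '192.0.2.10' },                                  # admin workstation (placeholder)
    @{ ipAddress = '192.0.2.20' },                                  # Apex Central server (placeholder)
    @{ ipAddress = '192.0.2.0'; subnetMask = '255.255.255.0' }      # management subnet range (placeholder)
)

# 3. Add the allow entries first, then deny everything not explicitly listed.
foreach ($entry in $allowed) {
    $entry['allowed'] = $true
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value $entry
}
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name allowUnlisted -Value $false

# 4. Enable Proxy Mode so X-Forwarded-For is evaluated for clients arriving
#    through a firewall, load balancer or proxy.
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enableProxyMode -Value $true

# 5. Review the effective configuration before logging out of the console.
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Apex One server itself, so that the session is not cut off by the rules it is creating; the final listing lets you confirm that the localhost entries are present before you close the console.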
Administrators can configure their servers to examine the X-Forwarded-For HTTP header in order to determine which requests to block.
To enable X-Forwarded-For logging in IIS:
- Expand SERVERNAME > Sites > OfficeScan website directory.
- Double-click Logging under IIS group in middle panel.
- Click Select Fields... under Log File > Format.
- On the W3C Logging Fields menu, click Add Field….
- Input "X-Forwarded-For" in both the Field Name and Source sections. The Custom Fields section should show the entry.
- Restart the IIS Admin Service.
The log file name should now end with a "_x" suffix and show X-Forwarded-For in the header.
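The custom log field can also be added without the IIS console. The script below is an added example, not Trend Micro's code; it assumes the site is named "OfficeScan" and uses the IIS enhanced logging custom-field configuration (IIS 8.5 or later), which is what the console steps above write to applicationHost.config.

```powershell
# Added example (not Trend Micro's code): enable the X-Forwarded-For custom
# log field for the OfficeScan site and restart IIS so the "_x" log file is created.
# Assumes the WebAdministration module and a site named "OfficeScan".
Import-Module WebAdministration

$site      = 'OfficeScan'
$appHost   = 'MACHINE/WEBROOT/APPHOST'
$logFilter = "system.applicationHost/sites/site[@name='$site']/logFile"

# Custom fields are only written when the log format is W3C.
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFilter -Name logFormat -Value 'W3C'

# Add X-Forwarded-For as a custom field sourced from the request header of the
# same name, unless it is already present (re-running the script is then harmless).
$existing = Get-WebConfiguration -PSPath $appHost `
    -Filter "$logFilter/customFields/add[@logFieldName='X-Forwarded-For']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$logFilter/customFields" -Name '.' -Value @{
        logFieldName = 'X-Forwarded-For'
        sourceName   = 'X-Forwarded-For'
        sourceType   = 'RequestHeader'
    }
}

# Restart IIS so a new log file (its name ends in "_x") picks up the field.
iisreset /restart

# Verify the custom field is configured.
Get-WebConfiguration -PSPath $appHost -Filter "$logFilter/customFields/add" |
    Select-Object logFieldName, sourceName, sourceType | Format-Table -AutoSize
```

Only the proxy that terminates the client connection should be trusted to set X-Forwarded-For; the header itself is client-supplied, which is why Proxy Mode evaluates it only for requests that arrive from the configured front end.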
When the IP/Domain is restricted and the Apex One web console is accessed from a blocked address, IIS returns the default error message. The response can be configured via Deny Action Type:

| Deny Action Type | Result |
|---|---|
| Unauthorized | Returns error 401 |
| Forbidden | Returns error 403 |
| Not Found | Returns error 404 |
| Abort | Terminates the connection |
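Once a Deny Action Type is chosen, rejected requests show up in the W3C log with the corresponding status code, and with the X-Forwarded-For field enabled the originating client is recorded even behind a proxy. The script below is an added example, not Trend Micro's code: it sets the deny action to Forbidden for the (assumed) "OfficeScan" site and then parses a constructed sample of W3C log lines to list the requests that were blocked.

```powershell
# Added example (not Trend Micro's code): set the Deny Action Type and review
# W3C log lines for requests the IP restriction rejected.
# Assumes the WebAdministration module and a site named "OfficeScan".
Import-Module WebAdministration

$site     = 'OfficeScan'
$ipFilter = 'system.webServer/security/ipSecurity'

# IIS denyAction values: AbortRequest, Unauthorized, Forbidden, NotFound.
# Forbidden is used here, so blocked requests are logged with sc-status 403.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter $ipFilter -Name denyAction -Value 'Forbidden'

# Constructed sample of a W3C log written with the X-Forwarded-For custom field.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip X-Forwarded-For
2024-05-01 08:00:01 10.0.0.5 GET /officescan/ 200 10.0.0.20 -
2024-05-01 08:00:02 10.0.0.5 GET /officescan/ 403 10.0.0.9 -
2024-05-01 08:00:03 10.0.0.5 GET /officescan/ 403 10.0.0.1 198.51.100.7
'@

function Get-DeniedRequests {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The column names after "#Fields:" define how data lines are split.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        if ($entry['sc-status'] -eq '403') {
            # Behind a proxy the real client is in X-Forwarded-For; otherwise use c-ip.
            $origin = if ($entry['X-Forwarded-For'] -ne '-') { $entry['X-Forwarded-For'] } else { $entry['c-ip'] }
            [pscustomobject]@{
                Time   = "$($entry['date']) $($entry['time'])"
                Client = $origin
                Uri    = $entry['cs-uri-stem']
            }
        }
    }
}

# Point -Lines at Get-Content of the real "_x" log file to review a live server.
Get-DeniedRequests -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the constructed sample the function reports two blocked requests, one from 10.0.0.9 directly and one from 198.51.100.7 via the proxy; a recurring entry for an address that should be allowed usually means an IPv6 or proxy address is missing from the allow list.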
The shared folder of the Apex One/OfficeScan server is named "ofcscan" and is located in the C:/program files/Trend Micro/Officescan/PCCSRV folder. The administrator may opt to disable it to reduce the attack surface.
The Apex One/OfficeScan SMB share can be disabled with the following steps:
- Right-click the PCCSRV folder under the OfficeScan server installation directory.
- Select “Share with” and then “Advanced sharing…”.
- Click Advanced Sharing… on the PCCSRV folder’s Properties window.
- Untick “Share this folder” and then click Apply.
- Click Yes and then OK.
The PCCSRV folder is no longer shared.
Please note that the following functions are impacted once the Apex One/OfficeScan shared folder is disabled:
- Agents cannot launch autopcc.exe for installation and update.
- The server's Start menu shortcut does not work because it uses a UNC path.
- Uninstalling the server may fail because the program looks for files in UNC.
- If an alternative quarantine directory is specified as a UNC path, it will no longer work. You have to change the location to URL format or an absolute file path when the ofcscan shared folder is deactivated.
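The share can also be removed from PowerShell, which records what is being taken away before the change. The script below is an added example, not Trend Micro's code; it assumes the SmbShare module (Windows Server 2012 or later) and local administrator rights, and uses the share name "ofcscan" given above. Removing the share withdraws SMB access only; the PCCSRV folder and its contents stay in place.

```powershell
# Added example (not Trend Micro's code): disable the "ofcscan" SMB share from
# PowerShell instead of the folder's Sharing dialog, recording its settings first.
# Assumes the SmbShare module and local administrator rights.
$shareName = 'ofcscan'

$share = Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue
if (-not $share) {
    Write-Output "Share '$shareName' is not present; nothing to do."
    return
}

# Keep a record of the share path and who had access, for the change ticket and for rollback.
$record = [pscustomobject]@{
    Name   = $share.Name
    Path   = $share.Path
    Access = (Get-SmbShareAccess -Name $shareName |
              ForEach-Object { "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" }) -join '; '
}
$record | Format-List

# Remove the share. Files under PCCSRV are untouched; only SMB access is withdrawn.
Remove-SmbShare -Name $shareName -Force

# Verify that the share is gone.
if (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue) {
    Write-Warning "Share '$shareName' still exists."
} else {
    Write-Output "Share '$shareName' removed. Agents can no longer run autopcc.exe from it; check the quarantine directory and Start menu shortcut as noted above."
}
```

Keep the printed record with the change request: re-creating the share later requires the same path and the same access list, and the listed impacts (autopcc.exe, the Start menu shortcut, server uninstall and a UNC quarantine directory) should be checked immediately after the removal.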