Configure IIS security settings for OfficeScan Edge Relay Server

    • Updated:
    • 21 Dec 2017
    • Product/Version:
    • OfficeScan XG.All
    • Platform:
    • Windows 2012 Server R2
Summary

PCI Data Security Standard (DSS) 3.1 imposes restrictions on every externally exposed internet service. Apart from deprecating TLSv1.0, it also requires certain security settings on the Internet Information Services (IIS) server. This article shows how to set the security response headers and the Transport Layer Security (TLS) cipher suite priority required by PCI DSS 3.1.

Details

Security response header

By default, the IIS server does not send any security headers; they have to be added manually. Refer to this Microsoft article: Add a Custom HTTP Response Header (IIS 7).

Add the following security headers to meet the PCI DSS standard:

  • Cache-Control
  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Content-Type-Options

Trend Micro provides a hot fix to automatically add the aforementioned headers on the Edge server. Please contact Trend Micro Technical Support for assistance.

TLS cipher suite priority

To configure the IIS TLS cipher suite priority, set up a Group Policy:

  1. Open the Group Policy Object Editor (for example, run gpedit.msc from the Command Prompt).
  2. Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  3. Under the SSL Configuration Settings, open the SSL Cipher Suite Order setting.
  4. Follow the instructions inside to order the cipher suite.

There are several cipher suite best practice guides on the internet; the Mozilla (Firefox) guide is recommended: Security/Server Side TLS.

Additionally, Nartac has released a tool called IISCrypto, which provides a PCI DSS 3.1 template covering these TLS settings, cipher suite priorities, and related options. The tool makes it considerably more convenient for administrators to apply or modify these settings.

Verification

Several online services can be used to verify PCI DSS compliance of the exposed server, for example:

  • High-Tech Bridge
  • BITSIGHT
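The following PowerShell script is an added example, not Trend Micro's hot fix or the verification services listed above: it adds the four response headers named in this article to an IIS site with the WebAdministration module and then checks a live HTTPS response for them. The site name and the header values are assumptions; in particular, the Content-Security-Policy value is a placeholder that must be tuned to the application, or it will break the Edge Relay web pages.

```powershell
# Added example (not Trend Micro's hot fix): set the PCI DSS headers from this
# article on an IIS site, then verify them. Site name and header values are
# assumptions, not values taken from the article.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumed; use the Edge Relay Server site name
$SitePath = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/httpProtocol/customHeaders'

# Baseline values (assumed). CSP is a placeholder and must fit the application.
# HSTS is only honoured by browsers over HTTPS, so it is harmless on HTTP responses.
$RequiredHeaders = [ordered]@{
    'Cache-Control'             = 'no-store, no-cache, must-revalidate'
    'Content-Security-Policy'   = "default-src 'self'"
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    'X-Content-Type-Options'    = 'nosniff'
}

function Set-PciSecurityHeaders {
    # Read the current customHeaders collection so existing entries are updated,
    # not duplicated (IIS rejects duplicate header names in the collection).
    $existing = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name Collection
    foreach ($name in $RequiredHeaders.Keys) {
        $value = $RequiredHeaders[$name]
        if ($existing | Where-Object { $_.name -eq $name }) {
            Set-WebConfigurationProperty -PSPath $SitePath `
                -Filter "$Filter/add[@name='$name']" -Name value -Value $value
        } else {
            Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter `
                -Name '.' -Value @{ name = $name; value = $value }
        }
    }
}

function Test-PciSecurityHeaders {
    param([Parameter(Mandatory)][string]$Url)
    # Issue a HEAD request and report every required header that is absent.
    $response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    $missing = foreach ($name in $RequiredHeaders.Keys) {
        if (-not $response.Headers[$name]) { $name }
    }
    if ($missing) { Write-Warning "Missing headers: $($missing -join ', ')" }
    else          { Write-Host 'All required PCI DSS headers are present.' }
    return (-not $missing)
}

Set-PciSecurityHeaders
Test-PciSecurityHeaders -Url "https://$env:COMPUTERNAME/"
```

Run it in an elevated PowerShell session on the IIS host; the verification step fails with a certificate error if the server still uses a self-signed certificate, which is itself a finding for an externally exposed service.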

Category:
Configure
Solution Id:
1119108