How to Enable HSTS on the Dell Security Manager Proxy Server
Summary: Security scanners can report an HSTS finding against the Dell Security Manager Proxy Server.
Instructions
Affected Products:
- Dell Security Management Server
Affected Versions:
- 11.1 and later (addressed with a configuration change)
- 11.0 and earlier (requires an updated .jar file that contains an HSTS filter; investigation for these older servers is ongoing)
Affected Operating Systems:
- Windows Server
Security scanners flag the Dell Security Manager Proxy Server for a missing HTTP Strict Transport Security (HSTS) policy. An HSTS filter can be configured for the affected services to address this finding.
Dell Security Manager Proxy Server consists of four services:
- Dell Core Server Proxy
- Dell Device Server
- Dell Policy Proxy
- Dell Security Server Proxy
The file webdefault.xml, in the conf folder, must be modified to include the configuration for the HSTS filter, to enable HSTS on the Dell Core Server Proxy, Dell Device Server, and Dell Security Server Proxy services.
The installation locations are:
- Dell Core Server Proxy: C:\Program Files\Dell\Enterprise Edition\Core Server Proxy
- Dell Device Server: C:\Program Files\Dell\Enterprise Edition\Device Server
- Dell Security Server Proxy: C:\Program Files\Dell\Enterprise Edition\Security Server Proxy
Do the following steps:
- Stop the proxy services.
- Change the directory to one of the proxy services' .\conf folders.
- Make a backup of the conf\webdefault.xml file in case an error occurs.
- Add the HSTS filter configuration to that service's conf\webdefault.xml file.
The HSTS filter configuration is added to the bottom of the webdefault.xml file, above the line:
</web-app>
The HSTS filter configuration is:
  <filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>com.credant.jetty.servlet.TransportSecurityFilter</filter-class>
    <init-param>
      <param-name>maxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>includeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>addPreload</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
The last few lines of webdefault.xml would then be (with the added HSTS filter block included):
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE and OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>com.credant.jetty.servlet.TransportSecurityFilter</filter-class>
    <init-param>
      <param-name>maxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>includeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>addPreload</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
- Copy the updated webdefault.xml file to the conf folder of each of the other affected services.
- Restart the proxy services.
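The following Python script is an added example for this article, not Dell tooling. It carries out the file-editing steps above (backup, insert the filter block just above the closing </web-app> tag, skip services that already carry the filter so a re-run cannot register it twice) and then gives a check for the scanner finding itself: a function that parses an observed Strict-Transport-Security response header and verifies it carries the policy the filter parameters describe. It assumes that webdefault.xml ends with </web-app> as shown above and that the filter's maxAgeSeconds, includeSubDomains and addPreload parameters correspond to the standard HSTS directives max-age, includeSubDomains and preload (RFC 6797 and the preload list convention); the sample file tail is constructed for the example. Stopping and restarting the services is left to the administrator.

```python
"""Added example: patch Jetty webdefault.xml with the HSTS filter and validate
the resulting Strict-Transport-Security header.  Not Dell's own tooling."""
import shutil
from pathlib import Path

# The filter block from the article, indented for readability only.
HSTS_FILTER_XML = """\
  <filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>com.credant.jetty.servlet.TransportSecurityFilter</filter-class>
    <init-param>
      <param-name>maxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>includeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>addPreload</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
"""

# Constructed sample: the tail of an unpatched webdefault.xml as shown in the article.
SAMPLE_WEBDEFAULT = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE and OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def add_hsts_filter(webdefault: str) -> str:
    """Return the file content with the HSTS filter inserted just above </web-app>.
    Idempotent: content that already declares HSTSFilter is returned unchanged,
    so re-running the procedure does not register the filter twice."""
    if "<filter-name>HSTSFilter</filter-name>" in webdefault:
        return webdefault
    idx = webdefault.rfind("</web-app>")
    if idx == -1:
        raise ValueError("no closing </web-app> tag; is this a webdefault.xml?")
    return webdefault[:idx] + HSTS_FILTER_XML + webdefault[idx:]


def patch_service(conf_dir: Path) -> bool:
    """Back up and patch conf\\webdefault.xml for one service folder (stop the
    service first).  Returns True if the file was modified."""
    target = conf_dir / "webdefault.xml"
    original = target.read_text(encoding="utf-8")
    updated = add_hsts_filter(original)
    if updated == original:
        return False
    shutil.copy2(target, target.with_name(target.name + ".bak"))  # backup first
    target.write_text(updated, encoding="utf-8")
    return True


def hsts_header_ok(header_value: str, min_max_age: int = 31536000,
                   want_subdomains: bool = True, want_preload: bool = True) -> bool:
    """Check an observed Strict-Transport-Security value against the policy the
    filter is configured to emit.  Directives are ';'-separated and
    case-insensitive (RFC 6797); max-age must be present and an integer."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < min_max_age:
        return False
    if want_subdomains and "includesubdomains" not in directives:
        return False
    if want_preload and "preload" not in directives:
        return False
    return True


if __name__ == "__main__":
    print(add_hsts_filter(SAMPLE_WEBDEFAULT))
    print(hsts_header_ok("max-age=31536000; includeSubDomains; preload"))  # True
    print(hsts_header_ok("max-age=300"))  # False: too short, no subdomains/preload
```

After the services are restarted, an HTTPS response from each patched service should carry a Strict-Transport-Security header that passes hsts_header_ok; a header that is absent, has a max-age below 31536000, or lacks includeSubDomains or preload means the filter was not picked up by that service (typically because the edit went into the wrong conf folder or the service was not restarted).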
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.