Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Identity Manager 9.1 - Web Application Configuration Guide

Table of Contents

About this guide Configuring the API Server

Logging in to the Administration Portal Configuring displaying and editing of API projects Configuring authentication

Configuring primary authentication with single sign-on Configuring multi-factor authentication Configuring authentication tokens

Changing encryption

General web application configuration

Customize logo

Configuring the Web Portal

Configuring request functions

Configuring requesting by reference users

Configuring self-registration of new users

Configuring the Application Governance Module

Configuring entitlements Filling application hyperviews

Configuring the Password Reset Portal

Configuring Password Reset Portal authentication

Configuring Password Reset Portal login with a passcode Configuring Password Reset Portal login with password questions

Recommendations for secure operation of web applications

Using HTTPS Disabling the HTTP request method TRACE Disabling insecure encryption mechanisms Removing the HTTP response header in Windows IIS

Disabling the HTTP request method TRACE

The TRACE request allows the path to the web server to be traced and to check that data is transferred there correctly. This allows a trace route to be determined at application level, meaning the path to the web server over various proxies. This method is particularly useful for debugging connections.

IMPORTANT: TRACE should not be enable in a productive environment because it can reduce performance.

To disable the HTTP request method TRACE using Internet Information Services

You will find instructions by following this link:

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/tracing/

Disabling insecure encryption mechanisms

It is recommended that you disable all unnecessary encryption methods and protocols on the grounds of security. If you disable redundant protocols and methods, older platforms and systems may not be able to establish connections with web applications anymore. Therefore, you must decide which protocols and methods are necessary, based on the platforms required.

NOTE: The software "IIS Crypto" from Nartac Software is recommended for disabling encryption methods and protocols.

For more information about disabling encryption, see https://www.nartac.com/Products/IISCrypto.

Detailed information about this topic

https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Removing the HTTP response header in Windows IIS

Attackers can obtain a lot of information about your servers and network by looking at the response header your server returns.

To give attackers a little information as possible, you can remove the HTTP response header in Windows IIS.

To remove the HTTP response header in Windows IIS

Read the instructions in the following links:
- https://github.com/dionach/stripheaders
- https://www.saotn.org/remove-iis-server-version-http-response-header/

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager 9.1 - Web Application Configuration Guide

Disabling the HTTP request method TRACE

Disabling insecure encryption mechanisms

Detailed information about this topic

Removing the HTTP response header in Windows IIS