Hardening your PingFederate deployment

A good enterprise approach to security is based upon multiple layers of security controls (defense) that are placed throughout the system. Most IT organizations will start hardening beginning with the operating system and then working up the stack. The Center for Internet Security (CIS) publishes configuration benchmarks that are widely used as part of system hardening guide and provides solid guidance for the operating system configuration. In addition to your traditional hardening policies that include closing vulnerable ports, restricting access to services and other operating system level security configurations, taking these additional system specific steps will ensure your PingFederate deployment is secure.

• Enable target resource validation
• Ensure OpenToken last mile integration is not based on query parameters
• Disable Application Authentication if not needed
• Disable SSO Discovery Service if not needed
• Restrict Administrator Console access to local network and limited machines
• Rename/Remove native mode admin account
• Update ownership of run.properties in bin directory
• Update ownership of authentication configuration
• Run PingFederate as a normal user, not root privilege
• Remove PingFederate SDK
• Disable Auto-Connect Profile if not needed
• Avoid use of wildcard in OAuth client redirect URI
• OAuth token validation should use POST instead of GET
• Enable validation for InErrorResource in http-request-parameter to prevent open redirection
• Configure password complexity
• Configure LDAPS Disable HTTP port if not in use
• Configure cipher suites Install stronger cipher suites (if permitted)
• Use internally issued certificate for Admin Console SSL connection
• Use external issued certificate by trusted CA for runtime SSL connection
• Use separate certificates for signing and decryption

PingFederate utilizes the Java Development Kit (JDK) as a run time environment on the host machine. It’s important not to forget about taking steps to harden the JDK. PingFederate only needs the bin, jre, and lib directories of the JDK to operate, so it’s a good idea to remove the extra stuff that comes with the JDK installation.

From a networking perspective, a good stateful inspection network firewall with a default-deny rule set and exceptions for a PingFederate server deployment is needed. The rules should be restricted to the federation services integrated by your organization. Since the PingFederate server is most likely internet facing, a DMZ with strong default-deny egress rules on the firewall to prevent data ex-filtration is recommended for the overall deployment.

As you heard at RSA and from Darran at EIC, an attack is coming. Don’t let your PingFederate deployment be the weak link. These additional PingFederate specific steps should ensure your deployment is secure. Contact us if you have questions or if you need help making the most of your Ping Identity investment.