Securing the Operating System
You should use industry best practices to secure the host OS on the AlphaTrust® e-Sign machine, including applying the latest OS security updates after installing all of the AlphaTrust e-Sign™ components.
Windows Firewall configuration
We recommend activating and configuring the firewall service provided by the Windows Server operating system. For production systems, create and apply the following rules:
Inbound Rules
- As a baseline, disable all inbound firewall rules. If you access the server via RDP, first create or modify the rule "Remote Desktop - User Mode (TCP-In)" so that it permits RDP (TCP port 3389) from your local internal network, and enable it; otherwise you will lose connectivity to the server when you disable the remaining inbound rules.
- Enable "World Wide Web Services (HTTPS Traffic-In)" - TCP port 443. If you are operating a single-server instance of AlphaTrust® e-Sign, where SQL Server is local to the server, the inbound firewall configuration is complete (see Outbound Rules below for optional additional rules).
For Web-farmed installations or for single installations with a remote SQL Server connection and/or a remote file repository:
- To permit file system access to a remote SMB share, add a rule, or edit the existing rule "File and Printer Sharing (SMB-In)", to permit a connection between these systems on TCP port 445 from the local network only.
- To permit access to a remote SQL Server instance, add a rule called "SQL Database (TCPIn)" to permit a connection between these systems, from the local network only, on the TCP port your SQL Server is configured to listen on (TCP port 1433 by default). If you have SQL Server Management tools running locally that must access the remote SQL Server instance, you will also need to add a rule for tool access (TCP port 1434 by default).
Outbound Rules
By default, Windows Firewall permits all outbound connections, i.e. those originating from the Windows application server on which AlphaTrust® e-Sign is running. If you change this setting to default deny, where all outbound connections are blocked unless a rule allows them, make sure these rules are active:
- Core Networking - DNS (UDP-Out) - UDP port 53
- NTP - you may need to open UDP port 123 for Network Time Protocol access to an NTP server, depending on how you provide time synchronization to your server. Be sure to verify that a functioning, reliable time source is configured for the server.
If your AlphaTrust® e-Sign installation needs to access a remote file share or remote SQL Server, add the outbound rules for that access:
- To permit file system access to a remote SMB share, add a rule, or edit the existing rule "File and Printer Sharing (SMB-Out)", to permit a connection between these systems on TCP port 445 to the local network only.
- To permit access to a remote SQL Server instance, add a rule called "SQL Database (TCPOut)" to permit a connection between these systems, to the local network only, on the TCP port your SQL Server is configured to listen on (TCP port 1433 by default). If you have SQL Server Management tools running locally that must access the remote SQL Server instance, you will also need to add a rule for tool access (TCP port 1434 by default).
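The inbound and outbound rule sets above can be applied in one pass with the Windows NetSecurity cmdlets. The script below is an added example, not part of the AlphaTrust e-Sign documentation: the internal subnet, the SQL Server host name and the -RemoteSql / -RemoteShare / -OutboundDefaultDeny switches are assumptions to adjust for your deployment. It orders the steps as the page does (RDP scoped to the internal network before everything else is disabled) and finishes by listing what is actually open and checking the time source.

```powershell
# Added example (not from the AlphaTrust e-Sign documentation): applies the
# inbound and outbound Windows Defender Firewall rules described on this page
# with the NetSecurity cmdlets. The subnet, SQL Server host name and the
# -RemoteSql / -RemoteShare / -OutboundDefaultDeny switches are assumptions;
# adjust them to your deployment. Run from an elevated PowerShell session.
param(
    [string]$LocalNetwork = '10.0.0.0/8',             # assumed internal network (RDP clients, SQL, SMB hosts)
    [string]$SqlServer    = 'sql01.example.internal', # assumed remote SQL Server host (used for the check)
    [int]$SqlPort         = 1433,                     # port your SQL Server instance listens on
    [switch]$RemoteSql,                               # SQL Server runs on another host
    [switch]$RemoteShare,                             # file repository is a remote SMB share
    [switch]$OutboundDefaultDeny                      # optionally block outbound by default
)
$ErrorActionPreference = 'Stop'

# Enable an existing rule (scoped to $Remote) or create it if this server lacks it.
function Ensure-FirewallRule {
    param([string]$Name, [string]$Direction, [string]$Protocol, [int]$Port, [string]$Remote = 'Any')
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        $existing | Set-NetFirewallRule -Enabled True -Action Allow -RemoteAddress $Remote
        return
    }
    $new = @{ DisplayName = $Name; Direction = $Direction; Protocol = $Protocol
              Action = 'Allow'; RemoteAddress = $Remote; Profile = 'Any' }
    # Inbound rules match on the local (listening) port, outbound rules on the remote port.
    if ($Direction -eq 'Inbound') { $new.LocalPort = $Port } else { $new.RemotePort = $Port }
    New-NetFirewallRule @new | Out-Null
}

# 1. Firewall on for all profiles; inbound default Block, outbound Allow unless asked otherwise.
$outboundDefault = if ($OutboundDefaultDeny) { 'Block' } else { 'Allow' }
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction $outboundDefault

# 2. RDP from the internal network FIRST, so step 3 cannot cut off the session you are in.
Ensure-FirewallRule -Name 'Remote Desktop - User Mode (TCP-In)' -Direction Inbound -Protocol TCP -Port 3389 -Remote $LocalNetwork

# 3. Baseline: every other inbound rule off.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -ne 'Remote Desktop - User Mode (TCP-In)' } |
    Disable-NetFirewallRule

# 4. HTTPS to the e-Sign web front end from any address.
Ensure-FirewallRule -Name 'World Wide Web Services (HTTPS Traffic-In)' -Direction Inbound -Protocol TCP -Port 443

# 5. Web-farm / remote-dependency rules, restricted to the internal network in both directions.
if ($RemoteShare) {
    Ensure-FirewallRule -Name 'File and Printer Sharing (SMB-In)'  -Direction Inbound  -Protocol TCP -Port 445 -Remote $LocalNetwork
    Ensure-FirewallRule -Name 'File and Printer Sharing (SMB-Out)' -Direction Outbound -Protocol TCP -Port 445 -Remote $LocalNetwork
}
if ($RemoteSql) {
    Ensure-FirewallRule -Name 'SQL Database (TCPIn)'  -Direction Inbound  -Protocol TCP -Port $SqlPort -Remote $LocalNetwork
    Ensure-FirewallRule -Name 'SQL Database (TCPOut)' -Direction Outbound -Protocol TCP -Port $SqlPort -Remote $LocalNetwork
}

# 6. With outbound default-deny, name resolution and time sync must be allowed explicitly.
if ($OutboundDefaultDeny) {
    Ensure-FirewallRule -Name 'Core Networking - DNS (UDP-Out)' -Direction Outbound -Protocol UDP -Port 53
    Ensure-FirewallRule -Name 'NTP (UDP-Out)'                   -Direction Outbound -Protocol UDP -Port 123
}

# 7. Review what is actually open, and confirm the dependencies the page calls out.
Get-NetFirewallRule -Enabled True -Action Allow |
    Sort-Object Direction, DisplayName |
    Format-Table DisplayName, Direction, Profile -AutoSize
w32tm /query /source   # the server must have a functioning, reliable time source
if ($RemoteSql) {
    Test-NetConnection -ComputerName $SqlServer -Port $SqlPort |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Run it once with no switches on a single-server installation; add -RemoteShare and/or -RemoteSql for web-farmed or remote-dependency deployments, and -OutboundDefaultDeny only if you have chosen to block outbound traffic by default. The SQL Server Management tools rule mentioned above follows the same Ensure-FirewallRule pattern with the tool port in place of $SqlPort. Because Ensure-FirewallRule updates a rule when one with that display name already exists, the script can be re-run after OS updates without creating duplicate rules.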