License Server Security Hardening
Overview
QLM provides a set of tools to harden the security of your License Server. This article describes all the configuration options available to you in order to secure your License Server. In addition to QLM hardening options, you should apply best practices at the networking and operating system levels to restrict access to the server.
Network Security
The QLM License Server needs to be reachable by your customers over HTTPS. At the firewall level, allow only the HTTPS protocol and open only the port it uses (443 by default); do not expose plain HTTP.
In addition, you should disable SSL 3 and TLS 1.0 / TLS 1.1, leaving only TLS 1.2 and TLS 1.3 enabled.
To disable SSL 3 and TLS 1.0 / 1.1 for the QLM License Server, add the corresponding entry to the License Server's web.config file, in the <QlmWebService.Properties.Settings> section, and set its value to a bitmask built from the following protocol flags:
Protocol        Value
SSL3            48
TLS (TLS 1.0)   192
TLS 1.1         768
TLS 1.2         3072
TLS 1.3         12288
Values can be OR'ed together (for distinct flags this is the same as adding them). For example, to enable support for TLS 1.1 and TLS 1.2 you would set the value to 768 + 3072 = 3840; to allow only TLS 1.2 and TLS 1.3, set it to 3072 + 12288 = 15360. Any other bits in the value do not correspond to a protocol and indicate a typo.
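The following helper composes and audits such a protocol mask. It is an added example, not QLM code; it uses only the flag values listed above, and since the page does not name the web.config setting that takes the mask, it produces and checks the integer only.

```python
"""Compose and audit a protocol bitmask for the QLM License Server web.config.

Added example, not part of QLM. Flag values are those listed in the article
(SSL3=48, TLS=192, TLS 1.1=768, TLS 1.2=3072, TLS 1.3=12288). The name of the
web.config setting that receives the mask is not given here, so this only
builds and validates the numeric value.
"""

PROTOCOL_FLAGS = {
    "SSL3": 48,
    "TLS": 192,        # TLS 1.0
    "TLS 1.1": 768,
    "TLS 1.2": 3072,
    "TLS 1.3": 12288,
}

# Protocols that should not be offered by a hardened server.
WEAK = {"SSL3", "TLS", "TLS 1.1"}


def compose(*names):
    """OR together the flags for the named protocols and return the mask."""
    mask = 0
    for name in names:
        mask |= PROTOCOL_FLAGS[name]
    return mask


def decode(mask):
    """Split a mask into (list of fully enabled protocol names, leftover bits).

    Leftover bits are bits that do not belong to any complete protocol flag;
    a non-zero leftover almost always means the value was mistyped.
    """
    enabled = []
    remaining = mask
    for name, flag in PROTOCOL_FLAGS.items():
        if mask & flag == flag:
            enabled.append(name)
            remaining &= ~flag
    return enabled, remaining


def audit(mask):
    """Return a list of findings for a configured mask; an empty list means it is acceptable."""
    enabled, leftover = decode(mask)
    findings = []
    if leftover:
        findings.append(f"value {mask} has bits {leftover} that match no protocol flag")
    weak = [name for name in enabled if name in WEAK]
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(weak))
    if not any(name in ("TLS 1.2", "TLS 1.3") for name in enabled):
        findings.append("no modern protocol enabled; clients will not be able to connect")
    return findings


if __name__ == "__main__":
    for value in (3849, 3840, 15360):
        print(value, decode(value), audit(value) or "OK")
```

Running it on 3849 (the figure that a miscalculation of 768 + 3072 would give) reports both a leftover bit pattern of 9 and TLS 1.1 as still enabled; 15360 passes cleanly.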
Operating System Security
Ensure that the latest Microsoft security updates are installed on a regular basis.
Database
Ensure that the latest Microsoft SQL Server security updates are installed on a regular basis.
You should create a regular backup of your database and store it in a remote location.
Backups
You should create a regular full backup of your server. If you take partial backups instead, make sure the following components are included:
IIS Configuration
SQL Server Databases
Folders where you deployed the QLM License Server
QLM Security
Encryption Keys
Blocking IP Addresses
Blocking Computer IDs
You can block a specific computer from activating a license at two levels:
List of denied computers defined per Activation Key.
HTTP Methods
Allowed IP Addresses for HTTP Methods
Because the HTTP Methods are designed to be called from a third-party platform such as an e-commerce provider, i.e. from a small and known set of callers, you can restrict access to these methods by IP address.
This can be achieved with the help of 2 server properties:
httpAdminMethods: List of HTTP methods considered to be administration methods. These methods can be protected by restricting the IP addresses that can call them.
httpAdminMethodsAllowedIPAddresses: List of IP addresses that are allowed to call HTTP admin methods.
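The check these two properties describe, as an added example (not QLM code): a request to a method listed as an admin method is served only when the caller's address is on the allowlist; all other methods are unaffected. The method names and addresses are constructed, and CIDR entries in the allowlist are an assumption of this example, not a documented feature of the property.

```python
"""Allowlist check for HTTP admin methods, modelled on the two server properties
httpAdminMethods and httpAdminMethodsAllowedIPAddresses described in the article.

Added example, not QLM code. Method names and addresses below are constructed;
accepting CIDR ranges as well as single addresses is an assumption here.
"""
import ipaddress

# Constructed stand-ins for the two server properties.
HTTP_ADMIN_METHODS = {"CreateLicense", "UpdateLicense", "DeleteLicense"}   # hypothetical names
HTTP_ADMIN_METHODS_ALLOWED_IPS = ["203.0.113.10", "198.51.100.0/24"]        # documentation ranges


def parse_allowlist(entries):
    """Turn allowlist strings into network objects; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_call_allowed(method, client_ip, admin_methods, allowlist):
    """Return True if a call to `method` from `client_ip` should be served.

    Non-admin methods are not restricted. Admin methods require an allowlisted
    caller; an address that does not parse is treated as not allowlisted.
    """
    if method not in admin_methods:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def evaluate(requests, admin_methods, allowlist):
    """Evaluate (method, client_ip) pairs and return the list of denied pairs."""
    return [(m, ip) for m, ip in requests if not is_call_allowed(m, ip, admin_methods, allowlist)]


# Constructed sample requests: (method, source address of the TCP connection).
SAMPLE_REQUESTS = [
    ("CreateLicense", "203.0.113.10"),   # exact allowlisted address
    ("UpdateLicense", "198.51.100.77"),  # inside the allowlisted range
    ("DeleteLicense", "192.0.2.5"),      # admin method from an unknown address
    ("GetLicenseInfo", "192.0.2.5"),     # not an admin method; unrestricted
    ("DeleteLicense", "not-an-ip"),      # unparsable; denied
]

if __name__ == "__main__":
    denied = evaluate(SAMPLE_REQUESTS, HTTP_ADMIN_METHODS, parse_allowlist(HTTP_ADMIN_METHODS_ALLOWED_IPS))
    for method, ip in denied:
        print(f"denied {method} from {ip}")
```

The address compared against the list must be the source address of the connection as the server sees it. If the License Server sits behind a reverse proxy or load balancer, every request will appear to come from that proxy, and a forwarded-for header is only trustworthy if the proxy is the sole path to the server and is known to set it.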
Allowed IP Addresses for Management API
Calling the QLM Management API (.NET API) requires knowledge of the AdminEncryptionKey. For additional security, you can limit access to the QLM Management API to a set of IP addresses.