License Server Security Hardening

Overview

QLM provides a set of tools to harden the security of your License Server. This article describes all the configuration options available to you in order to secure your License Server. In addition to QLM hardening options, you should apply best practices at the networking and operating system levels to restrict access to the server.

Network Security

The QLM License Server needs to be accessed by your customers over HTTPS. At the firewall level, you should enable only the HTTPS protocol and open only the port it requires (443).

In addition, you should consider disabling SSL and legacy TLS versions (TLS 1.1 and earlier).

Operating System Security

Ensure that the latest Microsoft security updates are installed on a regular basis.

Database

Ensure that the latest Microsoft SQL Server security updates are installed on a regular basis.

You should create a regular backup of your database and store it in a remote location.

Backups

You should create a regular full backup of your server. For partial backups, you should make sure that the following components are backed up:

  • IIS Configuration

  • SQL Server Databases

  • Folders where you deployed the QLM License Server

QLM Security

Encryption Keys

The QLM .NET API uses a proprietary encryption mechanism to encrypt data over the wire in addition to HTTPS encryption. You can read details about this topic here. Ensure that the CommunicationEncryption and the AdminEncryptionKey do not have the same value.

Blocking IP Addresses

You can block a list of IP addresses from communicating with the License Server by configuring a list of blocked IP addresses in the QLM Server Properties / options.

Blocking Computer IDs

You can block a specific computer from activating a license at two levels:

HTTP Methods

QLM provides a series of HTTP methods that can be invoked from a URL. These methods can be individually enabled in the security section of the Server Properties.

Allowed IP Addresses for HTTP Methods

Since HTTP Methods are designed to be called from a third-party platform such as an e-commerce provider, you can restrict access to these methods by IP address.

This can be achieved with the help of two server properties:

  • httpAdminMethods: List of HTTP methods considered to be administration methods. These methods can be protected by restricting the IP addresses that can call them.

  • httpAdminMethodsAllowedIPAddresses: List of IP addresses that are allowed to call HTTP admin methods.

Allowed IP Addresses for Management API

Calling the QLM Management API (.NET API) requires knowledge of the AdminEncryptionKey. For additional security, you can limit access to the QLM Management API to a set of IP addresses.
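The three IP-based controls above (the blocked-IP list, the allow list for HTTP admin methods, and the allow list for the Management API) all reduce to the same evaluation: reject the request if the peer address is on the block list, and for an administrative method additionally reject it unless the peer address is on the allow list. The following is an added example of that evaluation, written here for illustration; it is not QLM's own code. The property names httpAdminMethods and httpAdminMethodsAllowedIPAddresses are from this article, while the blockedIPAddresses and mgmtApiAllowedIPAddresses names, the comma-separated value format, CIDR support and the method names in the sample are assumptions made for the example.

```python
import ipaddress

# Constructed sample of server properties. Only httpAdminMethods and
# httpAdminMethodsAllowedIPAddresses are property names from the article;
# the other two names and all values are assumptions for this example.
SAMPLE_PROPERTIES = {
    "blockedIPAddresses": "203.0.113.7, 198.51.100.0/24",
    "httpAdminMethods": "AddLicense, DeleteLicense, UpdateLicenseInfo",
    "httpAdminMethodsAllowedIPAddresses": "192.0.2.10, 192.0.2.0/28",
    "mgmtApiAllowedIPAddresses": "192.0.2.10",
}


def parse_networks(value):
    """Parse a comma-separated list of IPs / CIDR ranges into network objects.

    A single address becomes a /32 (or /128) network, so membership tests
    work uniformly. A malformed entry raises at load time rather than
    silently widening or narrowing the policy at request time.
    """
    networks = []
    for token in value.split(","):
        token = token.strip()
        if token:
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def parse_methods(value):
    """Parse a comma-separated list of method names, case-insensitively."""
    return {m.strip().lower() for m in value.split(",") if m.strip()}


class AccessPolicy:
    """Evaluates block list, admin-method allow list and Management API allow list."""

    def __init__(self, properties):
        self.blocked = parse_networks(properties.get("blockedIPAddresses", ""))
        self.admin_methods = parse_methods(properties.get("httpAdminMethods", ""))
        self.admin_allowed = parse_networks(
            properties.get("httpAdminMethodsAllowedIPAddresses", ""))
        self.mgmt_allowed = parse_networks(
            properties.get("mgmtApiAllowedIPAddresses", ""))

    @staticmethod
    def _in_any(ip, networks):
        return any(ip in net for net in networks)

    def decide_http_method(self, client_ip, method):
        """Return (allowed, reason) for an HTTP method call from client_ip.

        client_ip must be the TCP peer address, not a value taken from a
        client-controlled header. Unparseable addresses and an empty allow
        list for admin methods both fail closed.
        """
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, "unparseable client address"
        if self._in_any(ip, self.blocked):
            return False, "address is on the blocked list"
        if method.strip().lower() in self.admin_methods:
            if not self._in_any(ip, self.admin_allowed):
                return False, "admin method not permitted from this address"
        return True, "ok"

    def decide_management_api(self, client_ip):
        """Return (allowed, reason) for a Management API call from client_ip."""
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, "unparseable client address"
        if self._in_any(ip, self.blocked):
            return False, "address is on the blocked list"
        if not self._in_any(ip, self.mgmt_allowed):
            return False, "management API not permitted from this address"
        return True, "ok"


if __name__ == "__main__":
    policy = AccessPolicy(SAMPLE_PROPERTIES)
    for ip, method in [("192.0.2.10", "AddLicense"), ("192.0.2.50", "AddLicense"),
                       ("192.0.2.50", "GetLicense"), ("198.51.100.77", "GetLicense")]:
        print(ip, method, policy.decide_http_method(ip, method))
```

Two design points matter in practice. First, the address fed to the policy has to be the connection's peer address; if the server sits behind a reverse proxy or load balancer, only a header set by that trusted proxy should be used, otherwise an allow list is trivially bypassed by a client-supplied header. Second, an empty allow list denies every admin call rather than permitting all of them, so a missing or mistyped property fails closed; the block list is consulted before the allow list so a blocked address never gains access through the admin allow list.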
