The ConnectWise Control forum has moved to ConnectWise University. This forum has been locked and is in read-only mode.

jordantiss #1 Posted : Thursday, January 8, 2015 6:20:43 PM(UTC)

Support for HTTP Strict Transport Security (HSTS) would be nice. It's just a simple HTTP header that would be included only when served over HTTPS. It has configurable max-age, includeSubDomains, and preload parameters.

For now, I've just added the following module to the site, which has a hard coded max age.

Code:

using System;
using System.Web;

// Adds the HSTS header to every response that was served over HTTPS.
class HstsModule : IHttpModule
{
  public void Dispose() { }

  public void Init(HttpApplication context)
  {
    // Hook every incoming request so the header is set before the response is written.
    context.BeginRequest += context_BeginRequest;
  }

  void context_BeginRequest(object sender, EventArgs e)
  {
    HttpApplication context = (HttpApplication)sender;
    // Only emit the header on HTTPS responses; browsers ignore HSTS received over plain HTTP.
    if (context.Request.IsSecureConnection)
      context.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000"); // one year
  }
}

Edited by user Thursday, January 8, 2015 6:21:42 PM(UTC)  | Reason: Not specified

jordantiss #2 Posted : Thursday, January 8, 2015 7:49:31 PM(UTC)

I figured I would write a guide for those who wanted to include HSTS support themselves.

It's recommended that you follow MyKe's guide on enabling SSL with permanent redirection to HTTPS before implementing HSTS support. It wouldn't make sense to tell browsers to redirect to HTTPS if your server's not ready for it.

Create an App_Code directory in your server's ScreenConnect folder, and add a file called HstsModule.cs with the following code:

Code:

using System;
using System.Web;

// HTTP module that appends the HSTS header to every HTTPS response.
class HstsModule : IHttpModule
{
  public void Dispose() { }

  public void Init(HttpApplication context)
  {
    // Run on every request, before the application writes its response.
    context.BeginRequest += context_BeginRequest;
  }

  void context_BeginRequest(object sender, EventArgs e)
  {
    HttpApplication context = (HttpApplication)sender;
    // Browsers only honour HSTS received over HTTPS, so skip plain HTTP requests.
    if (context.Request.IsSecureConnection)
      context.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000"); // one year
  }
}

The max-age parameter is set to one year (31536000 seconds), but you can change that accordingly. More information on parameters is available on OWASP's HSTS article.

Now, add the following line inside the <httpModules> section of the web.config file:

Code:

<add name="HstsModule" type="HstsModule" />

From now on, all HTTPS responses will include the HSTS header, and all subsequent requests will automatically be redirected to HTTPS by the browser before any data is sent.
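As an added check to go with the module in posts #1 and #2 (example code written here, not part of the forum thread or of ScreenConnect), the following Python parses a response's Strict-Transport-Security header and flags the conditions the posts describe: the header only counts over HTTPS, max-age should be the one-year value the guide uses, and preload (one of the parameters named in #1) is only meaningful with includeSubDomains and a one-year max-age, which is what the public preload list requires. The sample responses are constructed, not captured from a server.

```python
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the max-age the forum module hard-codes

# Constructed sample responses as (scheme, headers); not captured from a real server.
SAMPLES = {
    "good": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "http_only": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "missing": ("https", {"Content-Type": "text/html"}),
    "short": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "preload_bad": ("https", {"Strict-Transport-Security": "max-age=31536000; preload"}),
}

def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse 'max-age=N; includeSubDomains; preload' into a directive map (names are
    case-insensitive). A repeated directive or a missing/non-numeric max-age makes the
    whole header invalid (RFC 6797 section 6.1), in which case None is returned."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if has_value else None
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        return None
    return directives

def check_hsts(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means the policy looks right."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if scheme != "https":
        # Browsers discard HSTS received over plain HTTP, so sending it there does nothing.
        return ["HSTS header sent over http is ignored by browsers"] if value else []
    if value is None:
        return ["no Strict-Transport-Security header on an https response"]
    directives = parse_hsts(value)
    if directives is None:
        return ["malformed Strict-Transport-Security header: " + value]
    findings = []
    max_age = int(directives["max-age"])
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is shorter than the one year the guide uses")
    if "preload" in directives and ("includesubdomains" not in directives or max_age < ONE_YEAR):
        findings.append("preload needs includeSubDomains and max-age of at least one year")
    return findings
```

Run `check_hsts(*SAMPLES[name])` for each sample to see which deployments pass; only "good" returns no findings.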
jordantiss #3 Posted : Thursday, January 8, 2015 8:10:03 PM(UTC)

As a justification for this request, I posted some comments as to the importance of HSTS in the HTTP to HTTPS redirection thread.
Paul Moore #4 Posted : Thursday, January 8, 2015 10:39:23 PM(UTC)

Honestly, I'd avoid alterations like this. Instead, install Screenconnect as a backend service and front it with NGINX/IIS.

There's much wider support for strong cipher suites/ECDHE, PFS, HSTS, HPKP and session resumption, and it won't require any changes to the Screenconnect installation, making future upgrades cleaner & easier.

Edited by user Thursday, January 8, 2015 10:41:13 PM(UTC)  | Reason: Not specified

jordantiss #5 Posted : Friday, January 9, 2015 9:24:21 PM(UTC)

Originally Posted by: Paul Moore
Honestly, I'd avoid alterations like this. Instead, install Screenconnect as a backend service and front it with NGINX/IIS.

There's much wider support for strong cipher suites/ECDHE, PFS, HSTS, HPKP and session resumption, and it won't require any changes to the Screenconnect installation, making future upgrades cleaner & easier.

That is a good point. I'm going to look into Reverse Proxy on IIS. Are there any good guides for that with ScreenConnect?
damadhatter #6 Posted : Thursday, March 5, 2015 3:06:16 AM(UTC)

Does placement matter under the http modules for this file?

<add name="HstsModule" type="HstsModule" />

It breaks the web portal once I add it like below:

<httpModules>
  <remove name="UrlAuthorization" />
  <remove name="FileAuthorization" />
  <remove name="FormsAuthentication" />
  <add name="SetupModule" type="Elsinore.ScreenConnect.SetupModule, Elsinore.ScreenConnect.Web" />
  <add name="CompressionModule" type="Elsinore.ScreenConnect.CompressionModule, Elsinore.ScreenConnect.Web" />
  <add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />
  <add name="HstsModule" type="HstsModule" />
  <add name="FormsAuthenticationModule" type="Elsinore.ScreenConnect.FormsAuthenticationModule, Elsinore.ScreenConnect.Web" />
  <add name="IPSecurityModule" type="Elsinore.ScreenConnect.IPSecurityModule, Elsinore.ScreenConnect.Web" />
jordantiss #7 Posted : Thursday, March 5, 2015 4:22:53 PM(UTC)

Originally Posted by: damadhatter
Does placement matter under the http modules for this file?

No, it doesn't make a difference.

Originally Posted by: damadhatter
It breaks the web portal once I add it like below

What breaks? Do you get an error message?