RSA Archer

Security Configuration Guide

6.2
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax
numbers:https://community.rsa.com/community/rsa-customer-support.

Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and EMC are either registered trademarks or trademarks of EMC
Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
This product may include software developed by parties other than RSA.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.

Note on Section 508 Compliance

The RSA Archer GRC is built on web technologies which can be used with assistive technologies, such as screen readers,
magnifiers, and contrast tools. While these tools are not yet fully supported, RSA is committed to improving the experience of
users of these technologies as part of our ongoing product road map for the RSA Archer GRC.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2010-2016 EMC Corporation All Rights Reserved. Published in the USA.
December 2016
RSA Archer Security Configuration Guide

Contents

Preface 7
About this Guide 7
RSA Archer Documentation 7
Support and Service 8
Other Resources 8

Chapter 1: Security Configuration Settings 10

Security Settings 10
User Authentication 11
Default User Accounts 11
Configuring New Accounts 12
New User Account with System Administrator Privileges 12
Authentication Configuration 12
User Accounts 13
Default System Administrator Account 14
Default Archer Service Accounts Password 14
LDAP Configuration 15
Single Sign-On 15
Domain Field 16
Logon Banner 16
User Actions Requiring No Authentication 16
User Authorization 17
Access Roles 17
Role Assignment by Group or User 18
Entity Permissions 18
Component Access Control 19
Component Authentication 19
Configuration Database Authentication 20
Instance Database Authentication 20
Configuration Service Authentication 20
Component Authorization 20

3
RSA Archer Security Configuration Guide

SQL Server Databases 21

Log Settings 21
Log Description 21
Security Events Report 21
RSA Archer Error Logs 22
Log Directory Permissions 23
Windows Event Logs 23
Log Management and Retrieval 23
Communication Security Settings 23
Port Usage 23
Network Encryption 29
Web Server Communication 29
RSS Communications 30
Disabling Weak Ciphers 30
SSL Certificate Guidance 31
What are the certificate requirements? 31
SQL Server Communication 32
Data Feed Communication 32
RSA Archer Web Services 32
Database Query 33
File Transporter 33
FTP Transporter 33
HTTP Transporter 33
Mail Monitor (POP3/IMAP) 34
RSS Feed 34
Threat Feed (iDefense, Deep Sight) 34
Data Security Settings 34
Encryption of Data at Rest 35
Additional Security Considerations 35
Java Runtime Environment Deployment 35
Privilege Levels for Archer Services 36
File Repository Path 36
Restrict Permissions on Repository Files 36
Keyword Index Files 37
Company Files Path 37

4
RSA Archer Security Configuration Guide

Custom iView 37
Custom Layout Object 38
Offline Access 38

Chapter 2: Secure Deployment and Usage Settings 39

Protecting the RSA Archer Environment 39
Security Controls Map 39
Firewall Rules 43
DMZ to Corporate Network 43
Corporate Network to Site Sub-Network 43
Archer-to-Archer Data Feeds 45
Secure Deployment Settings 46
Web Server Security Configuration 48
Disallow Arbitrary File Uploads 48
Remove IIS and ASP .NET Version Information from HTTP Headers 50
Remove X-Powered-By HTTP Header 50
IP Whitelist 51

Chapter 3: Secure Maintenance 52

Security Patch Management 52
Malware Detection 52
Virus Scanning 53
Ongoing Monitoring and Auditing 53

Chapter 4: Physical Security Controls 54

Physical Security Controls Recommendations 54

Chapter 5: User Support 55

Supporting Your Users 55
Preventing Social Engineering Attacks 55
Confirming User Identities 56
Advice for Your Users 56

Chapter 6: FIPS-Compliant Mode 57

Platform in FIPS-Compliant Mode 57
Platform Release Supporting FIPS 57
FIPS-Compliant Operation Requirements 57
FIPS Certificates 58

5
RSA Archer Security Configuration Guide

Set Up FIPS for Windows 58

SQL Server FIPS Setup 58
Configure Browser for FIPS Compliance 59
LDAP Configuration for FIPS Mode 59
Configuring the Platform to Communicate with LDAP 60
Platform FIPS Certification 60
Secure Hash Algorithm (SHA) Standard (FIPS 180-3) 60
Advanced Encryption Standard (AES) Algorithm (FIPS 180-3) 60
Enable FIPS for 140-2 on the Web Server 61

Appendix A: Authentication Configuration 62

Authentication Methods 62
Disclaimer 62
HTTPS/SSL Authentication 62
Configure IIS for HTTPS/SSL Authentication 63
Configure Platform web.config File for HTTPS/SSL Authentication 63
Configure REST API web.config File for HTTPS/SSL Authentication 64
Configure RSA Archer Control Panel for HTTPS/SSL Authentication 64
HTTP Authentication 65
Windows Authentication 65
Configure IIS for Windows Authentication 66
Configure Platform web.config File for Windows Authentication - HTTP 66
Configure Platform web.config File for Windows Authentication - HTTPS 66
Single Sign-On for Windows Integrated Authentication 67
Configure Platform web.config File for Single Sign-On 67
Configure RSA Archer Control Panel for Single Sign-On - Single Instance 68
Configure RSA Archer Control Panel for Single Sign-On - Multiple Instances 68

6
RSA Archer Security Configuration Guide

Preface

About this Guide

This guide provides an overview of security configuration settings available in the RSA® Archer™
GRC Platform and security best practices for using those settings to help ensure secure operation of
RSA Archer.

RSA Archer Documentation

You can access RSA Archer documentation on the Archer Customer/Partner Community on RSA
Link at: https://community.rsa.com/community/products/archer-grc/archer-customer-partner-
community/platform/62

Document Description

Release Notes A list of issues fixed in the release and a list of issues known at the time of the
release. Available in PDF format.

What's New Overview of the new and updated features in the release. Overview of the
Guide differences between RSA Archer version 5.x and version 6.x. Suggestions on
planning for moving from 5.x to 6.x are included. Available in PDF format.

Installation Instructions for installing RSA Archer GRC 6.2, and upgrading from 5.x to
and Upgrade version 6.2. Available in PDF format.
Guide

Online Provides information for using RSA Archer Platform and Solution use cases. This
Documentation document includes the information to set up and maintain the Platform and use the
Rest and Web APIs. Available from within the product in HTML5 format using
context-sensitive links, as well as in a Zip format for local installation. Content
from the online Documentation system is also available in PDF format, divided in
to the following guides: Administrator Guide, User Guide, Rest API Guide, Web
API Guide, and a Use Case Guide for each of the available solution use cases.

Preface 7
RSA Archer Security Configuration Guide

Document Description

Archer Control Information for using the RSA Archer Control Panel module to manage the
Panel (ACP) internal settings of the Platform, such as license keys, global paths and settings.
Online Help Available from within the ACP module, in a ZIP format for local installation, and
in PDF format.

Security and Overview of the security configuration settings available in the RSA Archer
Configuration Platform and the security best practices for using those settings to help ensure
Guide secure operation of the Platform. Available in PDF format.

Sizing and Provides the sizing and performance considerations for the Platform. This
Performance document is intended for system administrators who are responsible for installing
Guide and managing RSA Archer. Available in PDF format.

Support and Service

Customer Support Information https://community.rsa.com/community/rsa-customer-support

Customer Support E-mail [email protected]

Other Resources

Resource Description

RSA Our public forum, on the RSA Link Community platform, brings together customers,
Archer prospects, consultants, RSA Archer GRC thought leaders, partners and analysts to
GRC talk about GRC as a practice, and includes product demos, GRC videos, white
Community papers, blogs and more.
on https://community.rsa.com/community/products/archer-grc
RSA Link

Archer Our private community, is a powerful governance, risk and compliance online
Customer / network that promotes collaboration among RSA Archer customers, partners,
Partner industry analysts, and product experts. Engaging with the RSA Archer Community
Community on RSA Link enables you to collaborate to solve problems, build best practices,
on establish peer connections and engage with RSA Archer GRC Thought Leaders.
RSA Link https://community.rsa.com/community/products/archer-grc/archer-customer-partner-
community

Preface 8
RSA Archer Security Configuration Guide

Resource Description

RSA Ready RSA's Technology Partner Program is where 3rd parties gain access to RSA
Software in order to develop an interoperability and have it documented and
certified. RSA Ready certifications are posted to an online Community and
supported by RSA Support.
https://community.rsa.com/community/products/rsa-ready

Preface 9
RSA Archer Security Configuration Guide

Chapter 1: Security Configuration Settings

Security Settings 10

User Authentication 11

User Authorization 17

Access Roles 17

Entity Permissions 18

Component Access Control 19

Component Authorization 20

Log Settings 21

Log Management and Retrieval 23

Communication Security Settings 23

Port Usage 23

Network Encryption 29

Data Security Settings 34

Additional Security Considerations 35

Security Settings
You can secure the operation of RSA Archer by configuring security settings. The categories of
security settings consist of the following:
l Access control settings limit access by end users or by external RSA Archer components.

l Log settings are related to the logging of events.

l Communication security settings are related to security for RSA Archer network communications.

l Data security settings are designed to ensure protection of the data handled by RSA Archer.

l Additional security considerations. There are several additional security issues for you to
consider.

Chapter 1: Security Configuration Settings 10

RSA Archer Security Configuration Guide

User Authentication
User authentication settings control the process of verifying an identity claimed by a user for
accessing RSA Archer.

Default User Accounts

The following table describes the default RSA Archer user accounts of a System Administration
(sysadmin) account and several RSA Archer services accounts. When creating a new instance, the
installer requires the user to enter a password for the sysadmin account and service accounts.
Please note the following:
l Standard users cannot log on to any of the default user accounts. Only the System Administrator
can log on to the sysadmin account.

l You cannot delete or rename any of the default user accounts.

User Account Description

sysadmin The system administrator account for RSA Archer. This account

can be disabled, but cannot be deleted or renamed.

userArcherAssetServer A service account for the Asset service. This account can only
be used by the RSA Archer services.

userArcherAsyncService A service account for job management. This account can only be
used by RSA Archer services.

userArcherCalculationAccount A service account for calculations. This account can only be

used by RSA Archer services.

userArcherDataFeedService A service account for data feeds. This account can only be used
by RSA Archer services.

userArcherLdapService A service account for LDAP synchronization. This account can

only be used by RSA Archer services.

userArcherNotificationService A service account for notifications. This account can only be

used by RSA Archer services.

userMigrationUser A service account for migration. This account can only be used
by the installer.

userOfflineService A service account for Offline Access. This account can only be
used by RSA Archer services.

Chapter 1: Security Configuration Settings 11

RSA Archer Security Configuration Guide

Configuring New Accounts

Each RSA Archer user must have an account to log on to the system.

New User Accounts

All new user accounts are created with a unique password assigned manually by an administrator or
generated automatically by RSA Archer. RSA strongly recommends that you enable the Force
Password Change with the Next Sign-In option in RSA Archer for all new user accounts.
Configuring this option requires the user to change the password after the first successful log-on
attempt into RSA Archer.
For instructions on creating a new user account, see Add a User in the Online Documentation. For
instructions on setting the Force Password Change with the Next Sign-In option, see Require a User
Password Change in the Online Documentation.

Important: RSA strongly recommends that you ensure users are approved for logging on to the
system before creating an account for them. Even when users are approved, RSA recommends that
you only assign the minimum set of access permissions for users to perform their job.

New User Account with System Administrator Privileges

RSA recommends that you create a new user account and assign the System Administrator access
role to it. This access role grants the account all rights within RSA Archer.
For instructions on creating a new user account, see Add a User in the RSA Archer GRC online
documentation. For instructions on assigning access roles to an account, see Assign an Access Role
to a User in the RSA Archer GRC online documentation.

Important: RSA recommends that before issuing this account, you ensure that the user is approved
for full access to the system.

Authentication Configuration
User authentication settings control the process of verifying an identity claimed by a user for
accessing RSA Archer.
RSA Archer has a default anonymous HTTP authentication configuration that simplifies the
installation process and prevents problems during installation. Anonymous HTTP authentication is
sufficient for most environments. For those environments where it is not sufficient, more
sophisticated authentication methods are necessary. Configuring authentication methods requires
changes to multiple server-side components, some of which are outside the scope of RSA Archer.
For more information, see Appendix A.

Chapter 1: Security Configuration Settings 12

RSA Archer Security Configuration Guide

User Accounts
RSA Archer enforces the password strength, logon, and session time-out policies specified by the
security parameters defined in the Administration workspace.

Note: These security parameters are enforced by RSA Archer across all user accounts except the
sysadmin and service accounts. RSA strongly recommends that you instruct your administrators on
your corporate IT policy and security best practices for generating and managing passwords for all
accounts.

The following table shows the default security parameters settings for password strength.

Parameter Setting

Minimum password length 9 characters

Alpha characters required 2 characters

Numeric characters required 1 character

Special characters required 1 character

Uppercase characters required 1 character

Lowercase characters required 1 character

Password change interval 90 days

Previous passwords disallowed 20 passwords

Grace logons 0 logon

Maximum failed logon attempts 3 attempts

Session time-out 10 minutes (sysadmin account)

10 minutes (user account)
30 minutes (service account)

Account lockout period 999 days

RSA recommends that you treat these settings as the minimum requirement for enforcing strong
passwords and secure sessions in RSA Archer.
For information on configuring security parameters, see Managing Security Parameters in the RSA
Archer GRC online documentation.

Chapter 1: Security Configuration Settings 13

RSA Archer Security Configuration Guide

Default System Administrator Account

RSA recommends that you instruct your administrators on your corporate IT policy and security best
practices for generating and managing passwords for the default System Administrator (sysadmin)
account.
RSA recommends that you change the default System Administrator password at least every 90 days
using the RSA Archer Control Panel. The new password must be a strong password meeting the
security parameter configuration for the account. You can disable the sysadmin account, but cannot
delete or rename it.
For more information, see "Change the SysAdmin Password" in the Online Documentation.

Default Archer Service Accounts Password

In RSA Archer there is one password for all RSA Archer GRC service accounts. The following
table shows the RSA Archer GRC service accounts.

Service User Name

Asset Server userArcherAssetServer

Async Service userArcherAsynService

Calculation Agent userArcherCalculationAccount

Data Feed Service userArcherDataFeedService

LDAP Service userArcherLdapService

Migration User userMigrationUser

Notification Service userArcherNotificationService

Offline Access userOfflineService

RSA recommends that you change the RSA Archer service accounts password at least every 90
days using the RSA Archer Control Panel. The new password must be a strong password that meets
the recommended security parameter configuration.
For more information, see "Change the Services Account Password" in the Online Documentation.

Chapter 1: Security Configuration Settings 14

RSA Archer Security Configuration Guide

LDAP Configuration
For on-premise deployments, RSA Archer supports the ability to synchronize information between
RSA Archer and the organization LDAP server to streamline the administration of user accounts and
groups. With an LDAP configuration, RSA Archer can execute a scheduled synchronization or
manually coordinate the user and group information from the LDAP source with the user and group
information in RSA Archer. When multiple LDAP sources are leveraged, completing user
authorization requires the domain for the user.
RSA recommends that you select LDAP servers that communicate using LDAP over HTTPS, and
that you set the LDAP Connection attribute to secure.
For more information, see Managing LDAP Configurations in the Online Documentation.

Single Sign-On
RSA Archer supports the ability to integrate with your existing Single Sign-On (SSO) solution for
user authentication.
You can integrate RSA Archer with your SSO provider using one of the following options:
l Windows Authentication. For SSO to work with RSA Archer, the user must be authenticated by
the designated authority first, for example, using the Microsoft Internet Information Services (IIS)
Integrated Authentication mechanism. In addition, the designated authority must pass the logged-
on user's identity and domain to RSA Archer.

l Header Parameter. For SSO to work with RSA Archer, the user must be authenticated by the
designated authority first, for example using a third-party mechanism like RSA Access Manager,
CA Single Sign-On, or IBM Tivoli Access Manager WebSEAL. In addition, the designated
authority must pass the logged-on user's identity and domain to RSA Archer through
HTTP headers.

l Request Parameter. For SSO to work with RSA Archer, the user must be authenticated by the
designated authority first, for example using a third-party mechanism like RSA Access Manager,
CA Single Sign-On, or IBM Tivoli Access Manager WebSEAL. In addition, the designated
authority must pass the logged-on user's identity and domain to RSA Archer over query string as a
request parameter: https://<instanceurl>/Default.aspx?<username
parameter>=<username>&<domain parameter>=<domain> where user name parameter / domain
name parameter should be specified as configured in the RSA Archer Control Panel.

l Federation. This mode enables SAML based federated Single Sign-On. For SSO to work with
RSA Archer, you must configure the setup for HTTPS and the designated authority must

Chapter 1: Security Configuration Settings 15

RSA Archer Security Configuration Guide

authenticate the user first, for example using a third-party mechanism or Identity Providers like
RSA Via Access, Shibboleth, ADFS (as Identity Provider),or OMB Max (Shibboleth). This
option delegates authentication to your own authentication server.

When using SSO, RSA recommends that you verify that the third-party component responsible for
user authentication is correctly authenticating users. RSA recommends that you use the standard log-
off and session expiration behavior of RSA Archer as defined in the security parameters
configuration. For more information, see User Authentication.

Note: When using SSO, RSA Archer assumes that the SSO component has already authenticated
the user and relies on the information provided by the SSO component to identify the user.

For instructions on configuring SSO, see Configure Single Sign-On in the RSA Archer GRC online
documentation.

Domain Field
RSA recommends that you require a domain for LDAP synchronizations and SSO. If domains are
not used, RSA recommends that you disable the display of the Domain field in the RSA Archer
Control Panel.
For more information, see "Disable Domain Field" in the RSA Archer Control Panel Help.

Logon Banner
RSA Archer allows you to customize the logon banner to ensure that standard government or
corporate warning signs are displayed. For example, this is a private system; use or misuse may be
logged and invalid access pursued.
For instructions on customizing the logon banner, see Display Logon Banner in the RSA Archer
GRC online documentation.

User Actions Requiring No Authentication

The following table describes the actions that a user can perform without being authenticated in
RSA Archer.

User Action Description of Components

Access the Login page Allows the user to log in to RSA Archer.

Access the Logout page Shows that a user was logged out of RSA Archer.

Access the Forgot Allows users to request an RSA Archer password reset.

Password control

Chapter 1: Security Configuration Settings 16

RSA Archer Security Configuration Guide

User Action Description of Components

Browse the Web Service Shows the methods that are available in the Web Services API. By
API ASMX files default, RSA Archer does not allow the files to be invoked without
being directly on the server. RSA recommends that you use IIS and
Windows file permissioning to control access to these files in
accordance with your corporate policy.

Perform the Allows integrations using the Web Service API to log on to
general.CreateUserSession RSA Archer and create a session token.
Web Service API method

User Authorization
RSA Archer supports role-based access control. RSA Archer allows you to create access roles that
you can assign to users. Each access role is mapped to a list of user authorization settings. User
authorization settings control rights or permissions that are granted to a user for accessing a resource
managed by RSA Archer.

Access Roles
RSA Archer allows creating one or more access roles. Each access role is mapped to a list of
permissions that grant the user rights to perform certain tasks and create, read, update, and/or delete
RSA Archer entities. RSA recommends that you limit privilege abuse and conflict of interests by
configuring access roles that provide separation of duties.
Immediately after installation, RSA recommends that you configure access roles as follows:
l Create a new access role with no rights and make it the default role. Grant additional roles to
users as needed for appropriate access in RSA Archer.

l Create read-only roles that can be used by an auditor. RSA recommends that these roles only
have permissions to view reports, configurations, and logs.

l Create a new Security Administrator role that has full rights to Access Control. Grant the
Security Administrator role access rights to managing roles.

l Configure access roles to grant non-administrative users only the rights they need for each task
based on their role in the organization. You can grant multiple access roles to each user. RSA
recommends that these roles do not have permission to view or modify security configuration.

RSA recommends that you review users’ task permissions on a routine basis to ensure that each user
is granted the correct task permissions.

Chapter 1: Security Configuration Settings 17

RSA Archer Security Configuration Guide

For information on access roles, see Managing Access Roles in the Online Documentation.

Role Assignment by Group or User

RSA Archer allows access roles to be assigned to users through group membership or directly to
user accounts. RSA recommends that you assign permissions through group membership and not
directly through user accounts.
For instructions on assigning permissions through group membership, see Assign a Group to an
Access Role in the RSA Archer GRC online documentation.

Entity Permissions
RSA Archer supports user permissions on multiple system components. RSA recommends that you
grant permissions only to users who need to access these components. When granting permissions to
these components, RSA recommends that you do not select the Everyone group because that group
grants rights for all users. You should review the granted permissions on a routine basis to ensure
that the correct access is granted to users.
The following table explains user permissions on the supported components.

Component Permissions Explanation

Workspaces Configured in Workspaces and Dashboards. RSA recommends that you

Dashboards configure these components to be private.
Global iViews For more information, see the following in the Online Documentation:
l Assign Access Rights to a Workspace

l Assign Access Rights to a Dashboard

l Assign Access rights to a Global iView

Global Reports Configured in an application or questionnaire in which the report resides. RSA
recommends that you set the Permissions field to Global Report.
For more information, see Add a Report in the Online Documentation.

Record Configured for each record in an application or questionnaire by setting the

Permissions Record Permissions field.
For more information, see Record Permissions Field in the Online
Documentation.

Chapter 1: Security Configuration Settings 18

RSA Archer Security Configuration Guide

Component Permissions Explanation

Field Configured for each field in an application or questionnaire. RSA recommends

Permissions that you configure fields to be private.
For more information, see Assign Access Rights to a Field in the Online
Documentation.

Application Configured in Application Builder for the owners' assigned applications,

Owners questionnaires, or sub-forms.
Questionnaire For more information, see the following in the Online Documentation:
Owners
Sub-Form l Assign Application Owners
Owners
l Assign Questionnaire Owners and Report Administrators

l Assign Sub-Form Owners

Global Report Configured in Application Builder for the owners' assigned reports in a specific
Administrators application or questionnaire.
For more information, see the following in the Online Documentation:
l For global reports in applications, Assign Global Report Creation Rights for
an Application

l For global reports in questionnaires, Assign Questionnaire Owners and

Report Administrators

Discussion Configured in Discussion Forums. Discussion forum roles provide administration

Forum Roles and forum creation rights for specific discussion communities.
For more information, see Assign Community Administrator and Forum Creators
in the Online Documentation.

Component Access Control

Component access control settings manage access to RSA Archer by external and internal systems
or components.

Component Authentication
Component authentication settings control the process of verifying an identity claimed by an external
or internal system or component.

Chapter 1: Security Configuration Settings 19

RSA Archer Security Configuration Guide

Configuration Database Authentication

RSA Archer leverages a configuration database for storing configuration information. The system
supports a database deployed on SQL Server 2012 or SQL Server 2014. RSA recommends that you
configure authentication with this database based on Microsoft’s recommended best practices for
secure authentication to a database. For more information, see the Microsoft MSDN Library.
RSA Archer supports using Integrated Security for connecting to the database.

Instance Database Authentication

RSA Archer leverages a database for each instance in the installation to store the instance’s data.
The system supports a database deployed on SQL Server 2012 or SQL Server 2014. RSA
recommends that you configure authentication with this database based on Microsoft recommended
best practices for secure authentication to a database. For information on these recommendations,
see the Microsoft MSDN Library. RSA Archer supports using Integrated Security for connecting to
the database, as well as using a secure connection to the database.
For more information, see Configure Database Connection Properties in the RSA Archer Control
Panel Help.

Configuration Service Authentication

The RSA Archer Control Panel and Archer Web Services authenticate to the Archer Configuration
Service using the X.509 certificate. During installation, RSA Archer allows you to do the following:
l Use an existing X.509 certificate, for example, one issued and signed by your Root CA. RSA
recommends that you use a domain certificate or a certificate signed by an external CA and
generated in accordance to industry best practices.

l Have the installer generate an X.509 certificate for you. In this case, the installer generates a
self-signed certificate.

The X.509 certificate used for authentication to the Archer Configuration Service does not interfere
with other certificates used within IIS, for example your SSL certificate.

Component Authorization
Component authorization settings control permissions that are granted to accounts that need access
to a specific component.

Chapter 1: Security Configuration Settings 20

RSA Archer Security Configuration Guide

SQL Server Databases

RSA Archer leverages SQL Server 2012 or SQL Server 2014 databases for data storage. Restrict
authorization to these databases to only the accounts that need access to the database.
During installation and upgrade, the account connecting to the databases from RSA Archer requires
db_owner permission. Post-installation, the account connecting to both Instance and Configuration
databases from RSA Archer requires the following permissions on the database:
l Data Reader rights (member of db_datareader)

l Data Writer rights (member of db_datawriter)

l Execute permissions on all stored procedures and scalar functions

l Select permissions on all views, table-valued functions, and in-line functions

l Execute permissions on the system stored procedure sp_procedure_params_100_managed

Important: Grant the same privileges to the user for both the Instance database and the
Configuration database.

Log Settings
A log is a chronological record of system activities that enables the reconstruction and examination
of the sequence of environments and activities surrounding or leading to an operation, procedure, or
event in a security-relevant transaction from inception to final results.

Log Description
The following table shows the security-relevant logs provided by RSA Archer.

Component Location

Security Events Report The instance database

RSA Archer Error Logs File system in the configured logging directory

Windows Event Logs Event Viewer

Security Events Report

The Security Events report contains a list of all of the security-related events that have occurred in
RSA Archer. This report includes the following security events:

Chapter 1: Security Configuration Settings 21

RSA Archer Security Configuration Guide

l Access Role Created l Role Removed from User

l Access Role Deleted l Security Events Started

l Access Role Modified l Security Events Stopped

l Account Status Modified l Security Parameter Assignment Modified

l Application Owner Added l Security Parameter Created

l Application Owner Deleted l Security Parameter Deleted

l Failed User Login l Security Parameter Modified

l Full Application Content Delete l Sub-Form Owner Added

l Global Report Permission Granted l Sub-Form Owner Deleted

l Global Report Permission Removed l User Account Added

l LDAP Configuration Delete Started l User Account Deleted

l LDAP Configuration Delete Completed l User Account Modified

l Maximum Login Retries Exceeded l User Added to Group

l Offline Access Sync Requested - Download l User Full Name Modified

l Offline Access Sync Requested - Upload l User Login

l Password Changed by Administrator l User Login Name Modified

l Password Changed by User l User Logout

l Reset Password Requested l User Removed from Group

l Role Assigned to User

RSA Archer Error Logs

You can configure the location of the RSA Archer error log in the RSA Archer Control Panel at both
the installation and the instance level. The default log location for the instance is
C:\ArcherFiles\logging.
RSA recommends that you configure the setting at the installation level and allow the location for
the instance level to default based on the installation setting.
For more information, see Logging Settings and Verify the Logging Properties in the RSA Archer
Control Panel Help.

Chapter 1: Security Configuration Settings 22

RSA Archer Security Configuration Guide

Log Directory Permissions

RSA recommends that you restrict the permissions on the log files folder to the same read, write,
and modify permissions of the account that the IIS processes and the RSA Archer-installed services
are running.
For more information, see "Grant Permissions to RSA Archer Directories" in the Post-Installation
section of the Online Documentation.

Windows Event Logs

The following items are logged in the Windows Event logs by the RSA Archer services and web
application:
l Service Start (Application and System logs)

l Service Stop (Application and System logs)

l .NET Runtime Errors

Log Management and Retrieval

The Security Events report is a persistent report in the instance database that contains all security-
related events. This report has no retention or additional configuration properties.
RSA recommends that administrators define and enforce a retention policy for the RSA Archer
Error logs, as well as the Windows Event logs, in accordance with your corporate IT policy and
security best practices.

Communication Security Settings

Communication security settings enable the establishment of secure communication channels
between RSA Archer components, as well as between RSA Archer components and external
systems or components. For new installations, HTTPS is enabled by default. For upgrades,
RSA recommends users remove the existing HTTP bindings. For more information, see Appendix A:
Configure IIS for HTTPS/SSL Authentication.

Port Usage
RSA recommends that you configure your firewall rules and access control lists to expose only the
ports and protocols necessary for operation of RSA Archer.

Chapter 1: Security Configuration Settings 23

RSA Archer Security Configuration Guide

The Job Engine and Configuration Service can run on multiple servers simultaneously. You should
account for each server running those services when planning firewall rules. For a given item, you
may omit the rule if the source and destination components run on the same server.
RSA Archer services and supporting services on the web server and SQL Server use specific ports
to communicate with each other and with interfaces and applications external to RSA Archer.
You can modify the following ports:
l Configure the port used for SQL in SQL Server.

l Configure the port used for HTTPS in Microsoft IIS.

The following table lists ports used by RSA Archer. Bolded rows identify the minimum set of ports
that must be open for the application to work. In the heading and rightmost column, M stands for
Mandatory and O stands for Optional. Brackets around items in the Destination column indicate
supporting hosts and servers that communicate with RSA Archer.

Port
Purpose Source Destination Protocol M/O
(Default)

Client Web Platform Web UI Web Server HTTP(S) 80/TCP, M

Connectivity (IIS) or Load 443/TCP
Balancer

See Web Server Communication. The destination is a Load Balancer if the

Platform is deployed with a web server cluster or farm. RSA recommends
that you rely only on HTTPS.

Platform Web API Web Server HTTP(S) 80/TCP, O

(IIS) or Load 443/TCP
Balancer

See Web Server Communication. The destination is a Load Balancer if the

Platform is deployed with a web server cluster or farm. RSA recommends that
you rely only on HTTPS. You can change the default port for use by your
application.

Archer-to-Archer Data Web Server HTTP(S) 80/TCP, O

Feed (IIS) or Load 443/TCP
Balancer

See Web Server Communication. The destination is a Load Balancer if the

Platform is deployed with a web server cluster or farm. You can change the
default port for use by your application.

Chapter 1: Security Configuration Settings 24

RSA Archer Security Configuration Guide

Port
Purpose Source Destination Protocol M/O
(Default)

Offline Access Web Server HTTP(S) 80/TCP, O

(IIS) or Load 443/TCP
Balancer

Only required if using offline access.

RSS Feeds Web Server (IIS) or [Remote Host] HTTP(S) 80/TCP, O

Load Balancer 443/TCP

See Web Server Communication. The destination is a Load Balancer if the

Platform is deployed with a web server cluster or farm. You can change the
default port for use by your application.

Threat Feeds Job Engine Service [Remote Host] HTTPS 443/TCP O

See Web Server Communication. Only required if using Threat Management to

pull in a threat intelligence feed from Symantec DeepSight, Verisign iDefense, or
other supported feeds..

SQL Queries Configuration Service, [Database SQL 1433/TCP M

Job Engine Service, Server (SQL
Queuing Service, Web Server)
Server (IIS) running RSA
Archer
database]

See SQL Server Communication. You can change the default port for use by
your application.

LDAP Synchronization [Database SQL 1433/TCP O

Service Server (SQL
Server) running
RSA Archer
database]

See SQL Server Communication. Only required if using LDAP synchronization.

Configuration Service, [Database SQL 1434/UDP O

LDAP Synchronization Server (SQL
Service, Job Engine Server) running
Service, Queuing RSA Archer
Service, Web Server database]
(IIS)

Chapter 1: Security Configuration Settings 25

RSA Archer Security Configuration Guide

Port
Purpose Source Destination Protocol M/O
(Default)

If using a named instance, SQL Browser is also required.

Microsoft File Job Engine Service, [File Server for SMB/CIFS 445/TCP O
Sharing Web Server (IIS) document
repository]

Only required if the document repository is not contained on a single web server.

Web Server (IIS) [File Server for SMB/CIFS 445/TCP O

company_files]

Only required if the appearance files are not all contained in a single web server.

Queuing Service [File Server for SMB/CIFS 445/TCP O

keyword
indexes]

Only required if the keyword search indexes are not all contained on a single web
server.

LDAP LDAP Synchronization [LDAP Server] LDAP(S) 389/TCP O

Queries Service (LDAP),
636/TCP
(LDAPS)

Only required if performing LDAP synchronization. You can change the default
port for use by your application.

Audit Logging Web Server (IIS) [Remote Host] TCP/UDP Varies O

Only required if Audit Logging is enabled.

Cache Java [Cache Service TCP 13402 O

Locator Server]

Only required if using the RSA Archer Cache as your Caching Option.

Cache Server Java [Cache Service TCP 13401 O

Server]

Only required if using the RSA Archer Cache as your Caching Option.

Chapter 1: Security Configuration Settings 26

RSA Archer Security Configuration Guide

Port
Purpose Source Destination Protocol M/O
(Default)

Local Cache Local cache client (Web [Cache Service TCP 40404 O
Server (IIS), Job Engine Server]
Service, LDAP
Synchronization
Service)

Only required if using the RSA Archer Cache as your Caching Option.

Email Job Engine Service [SMTP Server] SMTP(S) 25/TCP O

Notifications (SMTP),
465
(SMTPS)

Only required if using email notifications. You can change the default port for use
by your application.

Mail Monitor Job Engine Service [POP3 or POP3(S), 110/TCP O

IMAP Server] IMAP(S) (POP3),
995/TCP
(POP3S),
143
(IMAP),
993/TCP
(IMAPS)

Only required if leveraging Mail Monitor functionality.

Read Receipts Job Engine Service [POP3 or POP3, 110/TCP O

IMAP Server] IMAP (POP3),
143
(IMAP)

Only required if leveraging Read Receipt functionality.

Configuration Job Engine Service, Configuration WCF 13201/TCP M

Data Queuing Service, Web Service
Retrieval Server (IIS)

Required for RSA Archer service to obtain Platform configuration data.

Caching Service Configuration WCF 13201/TCP O

Service

Only required if using the RSA Archer Cache as your Caching Option.

Chapter 1: Security Configuration Settings 27

RSA Archer Security Configuration Guide

Port
Purpose Source Destination Protocol M/O
(Default)

LDAP Synchronization Configuration WCF 13201/TCP O

Service Service

Only required if using LDAP synchronization.

Configuration Configuration Service Web Server WCF 13300- M

Data Updates (IIS) 13304/TCP

Required to push configuration data updates to the web servers.

Configuration Service Job Engine WCF 13305- M

Service, 13350/TCP
Queuing
Service

Required to push configuration data updates to RSA Archer services.

Configuration Service Caching WCF 13305- O

Service 13350/TCP

Only required if using the RSA Archer Cache as your caching option.

Configuration Service LDAP WCF 13305- O

Synchronization 13350/TCP
Service

Only required if using LDAP synchronization.

SSO Web Server (IIS) [Remote Host] Varies Varies O

Authentication

Only required if using SSO, in which case additional traffic may need to be
allowed. The destinations, ports, and protocols would vary based on the SSO
provider and your specific implementation. You can change the default port for
use by your application.

Data Job Engine Service [Remote Host] Varies Varies O

Publication

Only required if using the Data Publication feature, in which data can be
extracted and written to a relational database system. The destinations, ports, and
protocols vary based on the destination system. You can change the default port
for use by your application.

Chapter 1: Security Configuration Settings 28

RSA Archer Security Configuration Guide

Port
Purpose Source Destination Protocol M/O
(Default)

Other Data Job Engine Service [Remote Host Varies Varies O

Feeds (s)]

Only required if using RSA Archer to pull data from other systems using transfer
protocols, for example, FTP, SMB, and SQL. The destinations, ports, and
protocols vary based on your implementation. You can change the default port for
use by your application.

Network Encryption
The following sections provide information on how to secure communication protocols used by
RSA Archer:
l Web Server Communication

l RSS Communication

l SSL Certificate Guidance

l SQL Server Communication

l Data Feed Communication

Web Server Communication

By default, RSA Archer web clients communicate with the RSA Archer web server (IIS) over one
of two ports:
l HTTP using default port 80

l HTTPS using default port 443

These web clients include:

l RSA Archer web user interface

l Third-party web applications, which are applications provided by the customer that use
RSA Archer web APIs (SOAP and REST)

l Certain data feeds, for example, RSS and Threat Intelligence

Chapter 1: Security Configuration Settings 29

RSA Archer Security Configuration Guide

RSA recommends that you enable web server communication using HTTPS and disable the HTTP
service. In addition to providing encryption of data in transit, HTTPS allows the identification of
servers and, optionally, of clients, by means of digital certificates. To enable HTTPS, the following
three components must be updated:
l IIS

l RSA Archer web.config

l RSA Archer Control Panel

For more information, see Appendix A: Authentication Configuration.

While HTTPS is recommended and helps prevent man-in-the-middle attacks, consider the following
when enabling HTTPS and disabling HTTP:
l Redirecting connections from an unsecured HTTP port to a secured HTTPS port can cause your
application to be vulnerable to these types of attack. Redirecting connections is not a complete
disablement of the HTTP port.

l When you disable HTTP, be certain that the SSL certificate is in the trusted certificate store. If
not, an error message displays.

l Disabling HTTP causes the SOAP API forms to become non-functional. These forms only accept
HTTP Post.

RSA recommends that you use TLS 1.1 or TLS 1.2 to secure the HTTP communication between
RSA Archer web clients and the RSA Archer web server. Secure this communication by configuring
HTTPS connections between the client and the IIS web server.
For information on Microsoft recommendations, see the Microsoft Knowledge Base.

RSS Communications
RSS iViews have the ability to render RSS content from an external source for which the integrity of
content is unknown. This flexibility introduces a potential attack vector if not addressed.
RSA recommends that you set the RSS iView Content Handling option in the RSA Archer Control
Panel to Scrub or Encode to address this issue. For instructions on how to configure RSS iView
content handling, see RSS iView Content Handling in the RSA Archer GRC online documentation.

Disabling Weak Ciphers

Web server communication over HTTP relies on the SSL/TLS ciphers and key lengths provided by
the version of IIS on which RSA Archer is installed. Ensure that IIS is configured for cryptographic
support, which cannot be easily defeated. RSA recommends that you configure Microsoft IIS to only
allow ciphers with key lengths of 128 bits or greater.

Chapter 1: Security Configuration Settings 30

RSA Archer Security Configuration Guide

SSL Certificate Guidance

To enable Field Encryption in RSA Archer , it is advised that the certificate should be obtained from
a trusted Certificate Authority (CA). However, you may choose to generate a self-signed certificate.
When generating a Field Encryption certificate you should keep the following in mind:

What are the certificate requirements?

Certificates must meet the following requirements:

l The certificate is present in the local machine store as a personal certificate

l The certificate is exportable

l The certificate is not expired

l The certificate has a key size of 2048 bits

l The certificate has a private key

How to secure a certificate?

The certificate being used for encryption should have very limited access. Here are some of the
security measures that should be taken to protect the certificate:
l Only the Administrator account should have Full Control and Read access to the certificate, all
other accounts should have only Read access

l The certificate should be given read-only access to the following accounts:

l In a server hosting the archer web application, only the AppPool account used by the web
application should be given access (Read-Only) to the certificate

l In a server hosting archer services e.g. Configuration Service, Job Framework etc., only accounts
used by the services should be given access (Read-Only) to the certificate

l Revoke access for all accounts that are not required

l Losing the encryption certificate could mean permanent loss of data and thus it is advised that the
encryption certificate is backed up regularly. The backup should be password protected and kept
safely

For recommendations on generating/installing an SSL Certificate using IIS, see the Microsoft
TechNet Library.
For information about industry best practices, see the following:

Chapter 1: Security Configuration Settings 31

RSA Archer Security Configuration Guide

l NIST SP 800-52

l PCI-DSS v1.2, point 4.1

SQL Server Communication
RSA recommends that you use a secured database connection to secure the communications
between the instance database server and the RSA Archer web and services servers. For
recommendations on configuring a secure database connection, see the Microsoft MSDN Library.
The Configuration database cannot accept secure or encrypted connections. RSA recommends that
you follow the guidance in SSL Certificate Guidance when issuing an SSL certificate to
communicate with SQL Server.

Data Feed Communication

You can configure the Data Feed Manager to retrieve or receive data from various external data
sources using a variety of transport protocols. RSA recommends that whenever you have the option
to choose between unsecured or secured versions of a communication protocol, you choose the
secured version.
To strengthen data feed security, RSA recommends that the Data Feed Manager require data feed
paths to be specified as relative paths. For more information, see "Enable Relative Path for Data
Feed Manager" in the Online Documentation.

Note: Relative path entry is set up as the default starting with RSA Archer 6.0. Because the setting
is not updated automatically on systems upgraded to version 6.0, RSA recommends manually setting
the requirement on upgraded systems.

RSA Archer Web Services

RSA recommends that you rely on HTTPS for secure communications between the RSA Archer
web server and the following:
l Third-party web applications, which are applications provided by the customer that use the
Platform web APIs

l Archer-to-Archer data feeds

For information on enabling HTTPS, see Web Server Communication. For information on
configuring the Archer Web Services transporter, see the RSA Archer GRC online documentation
topic Define the Archer Web Services Transporter in the Data Feed Manager section.

Chapter 1: Security Configuration Settings 32

RSA Archer Security Configuration Guide

Database Query
RSA recommends that the external database from which you are capturing data is located within
your corporate network and that data transmission occurs over an encrypted communications
channel. RSA also recommends that the credentials you use to retrieve the data have read-only
permissions. For more information, see Define a Database Query Transporter in the Data Feed
Manager in the Online Documentation.

File Transporter
The File Transporter allows a file from an external source with unknown contents and integrity to be
brought onto RSA Archer servers. This flexibility introduces a potential attack vector where the
associated risk must be accepted by the customer.
RSA recommends that you disable the File Transporter if a business need does not require its use. If
the File Transporter must be used, RSA recommends selecting Zip File as the File Type and using
encryption by selecting an Encryption Type.
For more information, see Transporter Availability in the RSA Archer Control Panel Help. For
information on configuring the File Transporter, see the Data Feed Manager section of Define a File
Transporter in the Online Documentation.

FTP Transporter
The FTP Transporter allows a file from an external source with unknown contents and integrity to be
brought onto RSA Archer servers. This flexibility introduces a potential attack vector where the
associated risk must be accepted by the customer.
RSA recommends that you disable the FTP Transporter if a business need does not require its use. If
you must use the FTP Transporter, RSA recommends selecting Zip File as the File Type and using
encryption by selecting an Encryption Type.
For instructions on how to disable the FTP Transporter, see Transporter Availability in the Online
Documentation. For information on configuring the FTP transporter, see the Data Feed Manager
section in Define an FTP Transporter in the Online Documentation.

HTTP Transporter
The HTTP Transporter allows a file from an external source with unknown contents and integrity to
be brought onto RSA Archer servers. This flexibility introduces a potential attack vector where the
associated risk must be accepted by the customer.
RSA recommends that you disable the HTTP Transporter if a business need does not require its use.
If you must use the HTTP Transporter, RSA recommends using HTTPS, selecting Zip File as the
File Type, and using encryption by selecting an Encryption Type.

Chapter 1: Security Configuration Settings 33

RSA Archer Security Configuration Guide

For instructions on how to disable the HTTP Transporter, see Transporter Availability in the RSA
Archer Control Panel Help. For information on configuring the HTTP transporter, see the Data Feed
Manager section of Define an HTTP Transporter in the Online Documentation.

Mail Monitor (POP3/IMAP)

RSA recommends that you configure an SSL connection to connect with the email server. For
information about getting a new certificate to use when establishing an SSL connection, see SSL
Certificate Guidance. For information on configuring the Mail Monitor transporter, see the RSA
Archer GRC online documentation topic "Define a Mail Monitor Transporter in the Data Feed
Manager" section.

RSS Feed
RSA recommends that you rely on HTTPS for secure communications between the web server and
the RSS transporter. For information on enabling HTTPS, see Web Server Communication. For
information on configuring the RSS transporter, see Define an RSS Transporter in the Data Feed
Manager in the RSA Archer GRC online documentation.

Threat Feed (iDefense, Deep Sight)

RSA recommends that you rely on HTTPS for secure communications between the web server and
the threat feed. For information on enabling HTTPS, see Web Server Communication. For
information on configuring the Archer Threat Feed, see the RSA Archer GRC online documentation
topic, Define a Threat Feed Transporter in the Data Feed Manager section.

Data Security Settings

Data security settings enable the definition of controls designed to prevent unauthorized disclosure of
data stored by the product.

Chapter 1: Security Configuration Settings 34

RSA Archer Security Configuration Guide

Encryption of Data at Rest

RSA recommends that you back up your sensitive data, encrypt it, and keep it in a secure physical
location in accordance with your corporate disaster recovery and business continuity policies,
including the following:
l A full backup of your database (For more information, see the Microsoft TechNet Library.)

l Log files

l Configuration files

l Password for the RSA Archer System Administrator

To help protect online data, such as current database, log file, and configuration files, RSA
recommends that you restrict access to the files and database and configure permissions only to
trusted administrators.

Additional Security Considerations

There are several additional issues for you to consider.
l Java Runtime Environment Deployment

l Privileges Levels for Archer Services

l File Repository Path

l Restrict Permissions on Repository Files

l Keyword Index Files

l Company Files Path

l Custom iView

l Custom Layout Object

l Offline Access

Java Runtime Environment Deployment

The optional RSA Archer Cache service requires the Java Runtime Environment (JRE) with the
Java HotSpot Server Virtual Machine (VM) in a bit version that matches the Platform bit version.
For example, a 64-bit Platform version requires a 64-bit JRE.

Chapter 1: Security Configuration Settings 35

RSA Archer Security Configuration Guide

As part of the JRE install, a Java certificate is installed that is used for secure authentication, which
requires the existence of Java. RSA strongly recommends installing Java Runtime Environment
(JRE) 8 (64 bit).

Privilege Levels for Archer Services

RSA strongly recommends that you set Archer services to run with Domain User account privileges.
In general, RSA Archer GRC services should run with the lowest privilege level that allows them to
work. For instructions on setting Archer service privileges, see Configure Service Credentials in the
Installation section of the RSA Archer Installation Guide.
Local System privileges give Archer services unrestricted access to local system resources. While
this level of privilege allows the services to access all system resources easily, giving unrestricted
access to many services and accounts increases the security vulnerability of a system. Organizations
concerned with system security should avoid giving Local System privileges to services and
accounts without serious justification.
To improve system security, set services and accounts to run with Domain User account privileges
that limit their access to only the system resources they need for normal business operations. This
approach to setting privilege levels keeps the number of services and accounts with unrestricted
system access to a minimum, which reduces the number of entities that can unintentionally or
intentionally violate system security.

File Repository Path

RSA Archer uses a folder on the file system for storing files. The default location is
C:\ArcherFiles\Repository.
RSA recommends that you define the location of the repository folder in RSA Archer to be a share
that uses a UNC path outside of any web and services servers. Doing so eliminates the possibility of
denial of service attacks and large file creation.
For instructions on setting the repository path, see Designate the File Repository Path in the Online
Documentation. For configuration and permission details for the repository folder, see the RSA
Archer Installation and Upgrade Guide.

Restrict Permissions on Repository Files

RSA recommends that you restrict permissions on the repository folder (default location
C:\ArcherFiles\Repository) to read, write, and modify for the account that the IIS processes are
running as and for the account that the Job Engine service is running as.

Chapter 1: Security Configuration Settings 36

RSA Archer Security Configuration Guide

Procedure
1. Log on to Windows servers.

2. Click Start > Administrative Tools > Services.

For the Job Engine, the Log On As column identifies the account the service runs as.

3. Change each account as needed.

Note: The Microsoft IIS process account is configured in Microsoft IIS.

Keyword Index Files

RSA Archer uses a folder on the file system for storing keyword index files. The default location is
C:\ArcherFiles\Indexes.
RSA recommends that you do the following:
l Restrict the permissions on the keyword index files folder to read, write, and modify for the
account that the Queuing service is running as.

l Define the location of the indexes folder in RSA Archer to be a path set to off of any web server
(avoid using a UNC path if possible to avoid performance impacts). The path can be a local path
if the RSA Archer installation includes a dedicated Services server.

Company Files Path

RSA Archer uses the company_files folder to store company images and icons for the web
application. The location of the folder is set during the initial installation and defaults to
C:\Inetpub\wwwroot\RSAArcher\company_files.
RSA recommends that you define the location of the company_files folder in RSA Archer to use a
UNC path outside of any web servers, which eliminates the possibility of denial of service attacks
and large file creation.
For configuration and permission details for the company_files folder, see the RSA Archer
Installation and Upgrade Guide.

Custom iView
A Custom iView provides the ability to create dynamic content by inserting a script without being
sanitized, which then executes within the context of RSA Archer. This flexibility introduces a
potential attack vector where the associated risk must be accepted by the customer.
RSA recommends that only trusted administrators have permission to create and edit Custom
iViews.

Chapter 1: Security Configuration Settings 37

RSA Archer Security Configuration Guide

Custom Layout Object

A Custom Layout Object provides the ability to create dynamic content by inserting a script without
being sanitized, which then executes within the context of RSA Archer. This flexibility introduces a
potential attack vector where the customer must accept the associated risk.
RSA recommends that only trusted administrators have permission to create and edit Custom Layout
Objects.

Offline Access
Offline Access provides a limited local copy of RSA Archer on a user's laptop.
It is important to understand what data is being synced down to Offline Access. Offline Access
Gateway Application content and all related content is synced down to Offline Access. All
RSA Archer metadata is synced down to Offline Access. All data files are encrypted at rest.
RSA recommends that only trusted users with secure laptops with strict firewall rules restricting
remote access to Offline Access have permission to Offline Access.

Chapter 1: Security Configuration Settings 38

RSA Archer Security Configuration Guide

Chapter 2: Secure Deployment and Usage Settings

Protecting the RSA Archer Environment 39

Security Controls Map 39

Firewall Rules 43

Secure Deployment Settings 46

Protecting the RSA Archer Environment

Protect all physical, local, and remote access to the servers hosting RSA Archer. Restrict all access
methods to the absolute minimum required to maintain RSA Archer.
RSA recommends that you do not set up RSA Archer test environments to contain exact copies of
the full production environment's data or to use the same system or authentication secrets. If the test
environment contains any sensitive information from the production environment, take the same
precautions to protect the test environment as you do in the production environment.

Security Controls Map

RSA Archer deployment consists of three physical tiers: a web tier, a services tier, and a database
tier. An organization can deploy RSA Archer in a single host configuration or a multi-host
configuration. For more information, see the RSA Archer GRC Platform Installation and Upgrade
Guide.
When deploying RSA Archer on-premise within a corporate network, RSA recommends that you do
the following:
l Deploy RSA Archer hosts within the corporate network. The DMZ-to-Corporate-Network
Firewall intercepts all communication between the single host and the other components in the
network.

l Ensure that users are accessing RSA Archer from within the corporate network. If users must
access RSA Archer from the internet, RSA recommends that they connect to the corporate
network through a secure VPN connection.

l Allow only remote access to RSA Archer hosts for secure maintenance using the Remote
Desktop Protocol (RDP) through a secure VPN connection.

Chapter 2: Secure Deployment and Usage Settings 39

RSA Archer Security Configuration Guide

l Configure firewall rules to ensure secure communication between RSA Archer and other
components in the network.

Important: RSA recommends that you deploy RSA Archer services in a secure location, where
physical access to the servers is restricted only to the personnel who manage the servers.

Chapter 2: Secure Deployment and Usage Settings 40

RSA Archer Security Configuration Guide

The following figure shows an example of a multi-host configuration.

For multi-host configurations, RSA Archer recommends that you do the following:

Chapter 2: Secure Deployment and Usage Settings 41

RSA Archer Security Configuration Guide

l Deploy RSA Archer web, services, and database servers in the corporate network.

l Deploy data feed servers in the corporate network, except those that provide information using
HTTPS, such as, RSS and Threat Intelligence services.

l Ensure that all RSA Archer servers in a site are connected to the same sub-network.

l Deploy firewalls at each site to ensure secure transfer of data from an instance of RSA Archer at
one site to another instance of the RSA Archer located at a different site.

l Configure firewall rules to intercept all communication between RSA Archer components in the
network, as shown in the preceding figure. For more information, see Firewall Rules.

While the previous figure shows multiple types of data feeds, the following figure expands on the
Archer-to-Archer data feed type using the example of one geographic site to another.

When deploying RSA Archer in multiple geographically dispersed sites and configuring one instance
of RSA Archer at one site to feed data to another instance of RSA Archer at another site, RSA
recommends that you do the following:
l Configure firewall rules to intercept all communication between the RSA Archer components in
the network and between different sites, as depicted by the firewalls in the preceding figure. For
more information, see Firewall Rules.

l Implement data transfer between sites using a secure tunnel as shown in the preceding figure.

Chapter 2: Secure Deployment and Usage Settings 42

RSA Archer Security Configuration Guide

Firewall Rules
Use firewalls to restrict network traffic between RSA Archer and external systems. For graphical
depictions of restricting network traffic, see Security Controls Map.
RSA recommends that you configure firewall rules to ensure secure communication for the
following connections:
l DMZ to Corporate Network

l Corporate Network to Site Sub-Network

l Archer-to-Archer Data Feeds

RSA strongly recommends that you configure firewall rules as described in the following sections.
These recommendations are based on the following assumptions:
l You have a stateful firewall, indicating that only the establishment of TCP ports is considered.

l You specify the direction of communication for the UDP ports because the connections are
sessionless.

l The firewall processes the rules top to bottom, finishing with a generic drop of all packets.

l You are deploying RSA Archer as shown in one of the figures in Security Controls Map.

DMZ to Corporate Network

RSA recommends that you do the following:
l Configure whitelist communication from the VPN server in the DMZ to the client machines on
which the RSA Archer web user interface runs.

l Create firewall rules for all machines from which you intend to remotely access the corporate
network through RDP.

Corporate Network to Site Sub-Network

For corporate network to site sub-network configurations, RSA recommends the following:
l Allow firewall access at each site only from designated RSA Archer client machines through a
whitelisted IP address and port.

l Set firewall rules to drop all unless explicitly allowed.

Chapter 2: Secure Deployment and Usage Settings 43

RSA Archer Security Configuration Guide

Single-Host Configuration

RSA recommends that you secure the following default ports to ensure a secure communication
between client machines running the RSA Archer web user interface and the RSA Archer web
server:
l TCP 80

l TCP 443

For more information on securing these ports, see Communication Security Settings.
The following table shows the firewall rules for a single host configuration.

Source IP Address –>

Purpose RULE | DIRECTION Protocol Port
Destination IP Address

Client Web ALLOW | INBOUND ArcherWebUI_IPAddr –> TCP 443

Connectivity ArcherWebServer_IPaddr

ALLOW | OUTBOUND ArcherWebServer_IPaddr –> TCP 443

ArcherWebUI_IPAddr

<Default> BLOCK | INBOUND All_* –> All_* * *

BLOCK | OUTBOUND All_* –> All_* * *

Multi-Host Configuration

RSA recommends that you secure the following default ports to ensure a secure communication
between client machines running the RSA Archer web user interface and the RSA Archer web
server:
l TCP 80

l TCP 443

For information on securing these ports, see Communication Security Settings.

The following table shows the firewall rules for a multi-host configuration that includes a reverse
proxy/load balancer.

Chapter 2: Secure Deployment and Usage Settings 44

RSA Archer Security Configuration Guide

Source IP Address –
>
Purpose RULE | DIRECTION Protocol Port
Destination IP
Address

Client Web ALLOW | INBOUND ArcherWebUI_IPAddr – TCP 443

Connectivity >
ArcherWebServer_
IPaddr

ALLOW | ArcherWebServer_ TCP 443

OUTBOUND IPaddr
–> ArcherWebUI_
IPAddr

RSS Feeds ALLOW | INBOUND RSSServer_IPAddr –> TCP 443

ArcherWebServer_
IPaddr

ALLOW | ArcherWebServer_ TCP 443

OUTBOUND IPaddr
–> RSSServer_IPAddr

Threat ALLOW | INBOUND ThreatFeedServer_ TCP 443

Feeds IPAddr
–> ArcherWebServer_
IPaddr

ALLOW | ArcherWebServer_ TCP 443

OUTBOUND IPaddr
–> ThreatFeedServer_
IPAddr

<Default> BLOCK | INBOUND All_* –> All_* * *

BLOCK | All_* –> All_* * *

OUTBOUND

Archer-to-Archer Data Feeds

RSA Archer might run in multiple sub-networks within your corporate network, where each sub-
network is called a site. You can configure RSA Archer to allow the RSA Archer located in one site
to feed data to the RSA Archer in another site. For more information, see Archer-to-Archer Data
Feed in the Data Feed Manager section of the Online Documentation.

Chapter 2: Secure Deployment and Usage Settings 45

RSA Archer Security Configuration Guide

For this scenario, RSA recommends that you do the following:

l Ensure that the firewall at each end of the data transfer allows communication only through a
whitelisted IP address and port.

l Secure the following default ports to ensure a secure communication between two RSA Archer
instances located in different sites:
o TCP 80
o TCP 443

For more information, see Communication Security Settings.

Configure the site's firewall rules as shown in the following table.

Source IP Address –>

Purpose RULE | DIRECTION Protocol Port
Destination IP Address

Archer Data Feed ALLOW | INBOUND ArcherDataFeed_IPAddr –> TCP 443

ArcherWebServer_IPaddr

<Default> BLOCK | INBOUND All_* –> All_* * *

BLOCK | OUTBOUND All_* –> All_* * *

Secure Deployment Settings

The following table shows the security controls that RSA recommends to be in place for securing the
deployment of RSA Archer.

Chapter 2: Secure Deployment and Usage Settings 46

RSA Archer Security Configuration Guide

Instructions
Cons of on How to
Secure Pros of Secure
Deployment Secure Configure
Deployment Deployment
Settings Deployment Secure
Setting Setting
Setting Deployment
Setting

HTTPS is enabled For best possible Provides a high Could impact See Web Server
by a new 6.2 security between level of protection performance. Communication.
installation, by client and server, for the
default, between enable HTTPS and communication
client and server. disable HTTP in between client and
Remove any Microsoft IIS. server by avoiding
existing HTTP tampering,
bindings (port 80) spoofing, and man-
via IIS Manager. in-the-middle type
of attacks.

Database Encrypting the Provides increased Could impact See SQL Server
Encrypted communication security by performance. Communication.
Communication between the implementing
RSA Archer web secure
server and the communication
instance database between the web
increases security. server and instance
database.

Windows Server Hardening the web Provides improved Could cause Follow Microsoft
Security server based on security and some security
Configuration industry best reduced risk for the unsecured configuration
practices reduces servers deployed Windows recommendations
the likelihood of for RSA Archer. Server for the applicable
vulnerabilities. features to IIS version.
become
unavailable.

Chapter 2: Secure Deployment and Usage Settings 47

RSA Archer Security Configuration Guide

Instructions
Cons of on How to
Secure Pros of Secure
Deployment Secure Configure
Deployment Deployment
Settings Deployment Secure
Setting Setting
Setting Deployment
Setting

SQL Server Hardening the SQL Provides improved Could cause Follow Microsoft
Security Server installation security and some security
Configuration hosted on the reduced risk for the unsecured configuration
database server database server SQL Server recommendations
based on industry deployed for the features to for the applicable
best practices Platform become SQL server
reduces the installation. unavailable. version.
likelihood of
vulnerabilities on
the servers.

Web Server Security Configuration

For recommendations on IIS security configuration, see the Microsoft Knowledge Base.
In addition to Microsoft's recommendation, RSA recommends that you configure Microsoft IIS to do
the following:
l Enable SSL communications. For more information, see Web Server Communication.

l Disallow arbitrary file extensions.

l Remove IIS and ASP.Net Version Information from HTTP Headers.

Disallow Arbitrary File Uploads

The RSA Archer allows users to upload files with any type of extension. RSA recommends training
your users on good security practices including not uploading any file from sources other than
themselves to prevent introducing potentially malicious files to the RSA Archer platform.To tighten
security, you can prevent users from uploading files with specific extensions. For more information,
see "File Creation Restriction" in the Online Documentation.
Depending on what your users do with RSA Archer, prevent certain file types. For example, prevent
the upload of executable .exe files to RSA Archer. However, if your users investigate security
incidents, you may want to allow the upload of executable files containing viruses and other potential
malware for use in investigations.
Do not prevent uploads of files with extensions used by normal RSA Archer operations, including
the following:

Chapter 2: Secure Deployment and Usage Settings 48

RSA Archer Security Configuration Guide

l .AI l .GIF l .PPS l .WMF

l .BMP l .ICO l .PPSM l .XLA

l .CSS l .JPEG l .PPSX l .XLAM

l .CSV l .JPG l .PPT l .XLS

l .DOC l .PDF l .PPTM l .XLSB

l .DOCM l .PNG l .PPTX l .XLSM

l .DOCX l .POT l .PS l .XLSX

l .DOT l .POTM l .RTF l .XLT

l .DOTM l .POTX l .TIF l .XLTM

l .EMF l .PPA l .TIFF l .XLTX

l .EPS l .PPAM l .TXT l .XML

l .EXIF

To complement file upload restrictions that you set in RSA Archer, RSA recommends that you
implement the following measures outside of RSA Archer to prevent rogue applications from
uploading arbitrary files with potentially malicious content. These external measures alone do not
prevent file uploads done using the file upload capabilities provided for attachment and image fields
in RSA Archer.
l Configure Microsoft IIS, using ISAPI and Request Filtering, for example, to allow only file types
approved for use within your business requirements for RSA Archer. When implementing this
external measure, do not disallow file types used by normal RSA Archer operations. Upload
operations use the file types listed above, and download operations such as data exports use the
following file types:

l CSV l HTML l RTF l XML

l HTM l PDF l XLS l MHTML

l Configure Microsoft IIS, for example, using ISAPI and Request Filtering, to disallow uploading of
executable files, for example, files with .exe, .scr, or .vbs extensions.

l Run a virus scan on a file before it is uploaded into the system.

l Run a malware scan on a file before it is uploaded into the system.

Chapter 2: Secure Deployment and Usage Settings 49

RSA Archer Security Configuration Guide

For information about Microsoft IIS security configuration settings, see the Microsoft Knowledge
Base.

Remove IIS and ASP .NET Version Information from HTTP

Headers
To make it more difficult for attackers to identify vulnerabilities in the software that is powering the
web server, do not disclose the types of applications and their respective version numbers in HTTP
headers. While certain HTTP headers are necessary, the HTTP headers that identify the web server
are not necessary, including the following:
l Server: Microsoft-IIS/<version_ number>

l X-Powered-By: ASP.NET

l X-AspNet-Version: <version_ number>

AspNet-Version HTTP Header

RSA recommends that you do the following:

l Remove the HTTP headers that identify the web server.

l Ensure that <httpRuntime enableVersionHeader="false"/> is set in the RSA Archer web.config

file, located at:
o IIS\DefaultWebSite\RSAArcher\web.config

o IIS\DefaultWebSite\RSAArcher\api\web.config

Remove X-Powered-By HTTP Header

Procedure
1. Launch the Microsoft IIS Manager.

2. Expand the Sites folder.

3. In the IIS grouping, select the website that you want to modify, and double-click the HTTP
Response Headers section.

4. If "X-Powered-By: ASP.NET" is displayed in the Custom Header listbox, click the Remove link
in the right-hand column.

Note: To ensure that the server header is not automatically added to the outgoing HTTP response by
Microsoft IIS, use Microsoft's free UrlScan utility.

Chapter 2: Secure Deployment and Usage Settings 50

RSA Archer Security Configuration Guide

IP Whitelist
The IP Whitelist allows for the ability to define a range of IP addresses that can access
RSA Archer. The IP Whitelist restricts incoming connections only, and should include the following
items:
l Web Application servers

l Services servers

l Client machines accessing the Web Application

Optionally, the following items can also be included:

l Data Feed source servers

l LDAP servers

RSA recommends implementing the IP Whitelist to limit the availability of the GRC Platform as a
potential attack vector.

Chapter 2: Secure Deployment and Usage Settings 51

RSA Archer Security Configuration Guide

Chapter 3: Secure Maintenance

Security Patch Management 52

Malware Detection 52

Virus Scanning 53

Ongoing Monitoring and Auditing 53

Security Patch Management

Security patches are released on an as-needed basis.
All security patches for RSA Archer originate as RSA and are available for you to download as an
update as long as you have a current maintenance agreement in place with RSA. Updates are
available from RSA SecurCare Online. Product documentation is posted on the RSA Archer
Community. RSA recommends that you register your product and sign up for the RSA Archer
Community.
The following table lists the third-party components for which patches are needed.

Third-Party
EMC Customer Reference to
Component for Frequency
Responsibility Responsibility Instructions for
which Patch Is of Patch
(Y/N) (Y/N) Applying Patch
Needed

Windows Server 2012 Determined N Y Based on vendor

& 2014 by vendor. recommendations.

SQL Server 2012 Determined N Y Based on vendor

& 2014 by vendor. recommendations.

Malware Detection
RSA recommends that you deploy a malware detection solution on the web and database servers.
The malware detection solution should be based on your standard tools and best practices. It is your
responsibility to deploy patches and updates for the malware detection tools.

Chapter 3: Secure Maintenance 52

RSA Archer Security Configuration Guide

Virus Scanning
RSA recommends that you run virus scanning software on the deployed servers on a routine basis. If
you are running Threat or Vulnerability feeds, RSA strongly recommends that you disable virus
scanning for the folder in which the Threat or Vulnerability data files are temporarily stored. A virus
scanning engine could interpret the data as a virus or malware.
For information on configuring the folder, see the RSA Archer GRC online documentation topic
Threat Data Transport in the Data Feed Manager section.

Ongoing Monitoring and Auditing

As with any critical infrastructure component, RSA recommends that you constantly monitor your
system and perform periodic and random audits, for example, configuration, permissions, and
security logs. Ensure that the configurations and user access settings match your company policies
and needs.

Chapter 3: Secure Maintenance 53

RSA Archer Security Configuration Guide

Chapter 4: Physical Security Controls

Physical Security Controls Recommendations 54

Physical Security Controls Recommendations

Physical security controls are designed to protect resources against unauthorized physical access and
physical tampering. RSA recommends that the physical servers for RSA Archer are deployed in a
secure data center leveraging the organization’s best practices for physically securing a data center,
server rack, and server.

Chapter 4: Physical Security Controls 54

RSA Archer Security Configuration Guide

Chapter 5: User Support

Supporting Your Users 55

Preventing Social Engineering Attacks 55

Confirming User Identities 56

Advice for Your Users 56

Supporting Your Users

It is important to have well-defined policies around Help Desk procedures for your RSA Archer
installation. RSA strongly recommends that your Help Desk administrators understand the
importance of password strength and the sensitivity of data, such as user logon names and
passwords. Creating an environment where an end user is frequently asked for this kind of sensitive
data increases the opportunity for social engineering attacks. Train end users to provide, and Help
Desk administrators, to request the least amount of information needed in each situation.

Preventing Social Engineering Attacks

Fraudsters frequently use social engineering attacks to trick unsuspecting employees or individuals
into divulging sensitive data that they can then use to gain access to protected systems. RSA
recommends that you use the following guidelines to help reduce the likelihood of a successful social
engineering attack:
l Help Desk administrators should only ask for a user's user name over the phone when users call
the Help Desk. Help Desk administrators should never ask for user passwords.

l The Help Desk telephone number should be well known to all users.

l Help Desk administrators should perform an action to authenticate the user's identity before
performing any administrative action on a user's behalf. For example, ask users one or more
questions to which only they know the answer.

l If Help Desk administrators need to initiate contact with a user, they should not request any user
information. Instead, users should be instructed to call the Help Desk back at a well-known Help
Desk telephone number to ensure that the original request is legitimate.

Chapter 5: User Support 55

RSA Archer Security Configuration Guide

Confirming User Identities

It is critical that your Help Desk administrators verify each end-user identity before performing any
Help Desk operations. RSA recommends that you verify user identities using the following methods:
l Call the end-user back on a phone owned by the organization and on a number that is already
stored in the system.
Important: Be careful when using mobile phones for identity confirmation, even if they are
owned by the company. Mobile phone numbers are often stored in locations that are vulnerable to
tampering or social engineering.

l Send the user an email to a company email address. If possible, use encrypted email.

l Work with the employee's manager to verify the user's identity.

l Verify the identity in person.

l Use multiple open-ended questions from employee records. For example: Name one person in
your group, or what is your badge number? Avoid yes or no questions.

Advice for Your Users

RSA recommends that you instruct your users to do the following:
l Never give their passwords to anyone, not even to Help Desk administrators.

l Change their passwords at regular intervals.

l Inform your users of what information requests to expect from Help Desk administrators.

l Always log off from the RSA Archer web interface when finished.

l Always lock their desktops when they step away from their computers.

l Regularly close their browser and clear their cache of data.

l Do not upload any files to RSA Archer from sources other than themselves.

Note: RSA recommends that you conduct regular training to communicate this guidance to users.

Chapter 5: User Support 56

RSA Archer Security Configuration Guide

Chapter 6: FIPS-Compliant Mode

Platform in FIPS-Compliant Mode 57

Set Up FIPS for Windows 58

SQL Server FIPS Setup 58

Configure Browser for FIPS Compliance 59

LDAP Configuration for FIPS Mode 59

Platform FIPS Certification 60

Enable FIPS for 140-2 on the Web Server 61

Platform in FIPS-Compliant Mode

The Federal Information Processing Standard (FIPS) is a United States and Canadian government
standard that is intended to ensure secure data communications among compliant systems. FIPS 140-
2 specifies the Security Requirements for Cryptographic Modules, including the approved encryption
algorithms and hashing algorithms and the methods for generation and management of encryption
keys. To qualify as FIPS compliant, RSA Archer must be configured and operated in accordance
with FIPS 140-2 requirements, using FIPS-certified components and algorithms in all required
instances.

Platform Release Supporting FIPS

RSA Archer release 6.0 and later can be configured for FIPS compliance.

FIPS-Compliant Operation Requirements

You can configure FIPS compliance on any Windows system that supports RSA Archer, including
Windows Server 2008 R2 and 2012.

Note: This requirement applies to all RSA Archer components.

You must configure web browsers for FIPS operation. See Configure Browser for FIPS Compliance.

Chapter 6: FIPS-Compliant Mode 57

 RSA Archer Security Configuration Guide

FIPS Certificates
Cryptographic modules that are FIPS 140-2 certified have undergone testing and verification by a
government-approved evaluation laboratory. You can obtain the required FIPS certificates from the
National Institute of Standards and Technology (NIST) website at:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
For a list of certificates applicable to RSA Archer, see Platform FIPS Certification.
To be FIPS compliant, you must configure software to use FIPS 140-2 certified cryptographic
modules on the components of RSA Archer.

Set Up FIPS for Windows

Use the Local Security Policy tool to perform the FIPS setup for Microsoft Windows.

Procedure
1. Log on to Windows as a Windows system administrator.

2. Click Start > Control Panel.

3. In the Control Panel window, click Administrative Tools.

4. In the Administrative Tools window, click Local Security Policy.

5. In the Local Security Policy window, in the navigation pane, click Local Policies > Security
Options.

6. In the Policy pane, double-click System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing.

7. On the Local Security Setting tab, click Enabled.

8. Click Apply.

9. Click OK.

10. Close the Local Security Policy window.

SQL Server FIPS Setup

All versions of SQL Server that support RSA Archer are configurable for FIPS compliance. For
instructions on setting up FIPS on SQL Server, see the Microsoft SQL Server documentation.

Chapter 6: FIPS-Compliant Mode 58

RSA Archer Security Configuration Guide

Note: SQL Server 2012 or SQL Server 2014 must be installed on a Windows Server 2012-based
server. The Windows server must be FIPS enabled prior to starting SQL Server.

For dialog security between services, the encryption uses the FIPS-certified instance of AES if the
FIPS mode is enabled. If the FIPS mode is disabled, the encryption uses RC4. When a Service
Broker endpoint in the FIPS mode is configured, the administrator must specify AES for the Service
Broker. If the endpoint is configured to RC4, the SQL Server generates an error, and the transport
layer does not start.
Messages in two logs verify that the SQL Server is running in FIPS mode:
l When the SQL Server service detects that FIPS mode is enabled at startup, it logs this message in
the SQL Server error log:

Service Broker transport is running in FIPS compliance mode.

l This message is logged in the Windows Event log:

Database Mirroring transport is running in FIPS compliance mode.

Configure Browser for FIPS Compliance

In addition to FIPS enablement on the host system, you must configure any web browser used to
connect to the RSA Archer for FIPS compliance. For more information, see Set Up FIPS for
Windows.
When using supported versions of Microsoft Internet Explorer with the Platform in FIPS mode,
enable TLS 1.1/1.2 or higher in the browser. For more information, see "Qualified and Supported
Environments"on the RSA Archer Community.

Procedure
1. Open Internet Explorer.

2. Click Tools, and then click Internet Options.

3. On the Advanced tools tab, select Use TLS 1.1/2.2.

4. Verify that both Use SSL 2.0 and Use SSL 3.0 options are cleared.

LDAP Configuration for FIPS Mode

Note: RSA assumes that you use Microsoft Active Directory as the LDAP server. For other types of
LDAP servers, see their product-specific documentation.

Chapter 6: FIPS-Compliant Mode 59

RSA Archer Security Configuration Guide

Connections to Active Directory from RSA Archer can be unencrypted or encrypted. If you intend to
encrypt connections, you must configure Active Directory with a server certificate. You can achieve
this with a server certificate on the Windows server, which installs the server certificate, using auto
enrollment on Active Directory.
To configure Active Directory in FIPS mode, the Windows server hosting Active Directory must be
FIPS enabled. For more information, see Set Up FIPS for Windows.

Configuring the Platform to Communicate with LDAP

You must configure communication to LDAP from RSA Archer. The server running the RSA
Archer Data Feed service must be able to communicate securely with the Active Directory server.
For more information, see Configure the LDAP Directory Properties in the Online Documentation.

Platform FIPS Certification

The following tables list the FIPS certificates for the cryptographic components that the RSA Archer
uses.

Secure Hash Algorithm (SHA) Standard (FIPS 180-3)

Algorithm Operating System Certificate Number

SHA-256 Windows Server 2008 753

Windows Server 2008 R2 1081

Advanced Encryption Standard (AES) Algorithm (FIPS 180-3)

Algorithm Operating System Certificate Number

AES-256 Windows Server 2008 757

Windows Server 2008 R2 1168

Chapter 6: FIPS-Compliant Mode 60

RSA Archer Security Configuration Guide

Enable FIPS for 140-2 on the Web Server

Procedure
1. Enable FIPS mode on the web server.

a. Go to Administrative Tools.

b. In Administrative Tools, select Local Security Policy.

c. Expand Local Policies, and select Security Options.

d. Double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing,
and signing. Select Enable.

2. Download and install the JCE Unlimited Jurisdiction Policy files.

a. Go to http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-
2133166.html and follow the steps provided to download the JCE Unlimited Jurisdiction
Policy files.

b. Extract and open the ZIP file.

c. Edit the jar file names by adding the extension .org to the end of the files so that they are not
overwritten later.

d. Paste the renamed files in %SystemDrive%\Program Files\Java\<java_version_

directory>\lib\security.

3. Move the jcm.jar from: %SystemDrive%\Program Files\Java\java_version_directory\lib\ext to

another folder for future use.

4. In the %SystemDrive%\Program Files\Java\java_version_directory\lib\security directory, change

the line com.rsa.cryptoj.fips140initialmode = NON_FIPS140_MODE, to
com.rsa.cryptoj.fips140initialmode = FIPS140_MODE.

5. In the %SystemDrive%\Program Files\RSA Archer\Workflow\setup\fips_support directory,

change the line com.rsa.cryptoj.fips140initialmode = NON_FIPS140_MODE, to
com.rsa.cryptoj.fips140initialmode = FIPS140_MODE.

Chapter 6: FIPS-Compliant Mode 61

RSA Archer Security Configuration Guide

Appendix A: Authentication Configuration

Authentication Methods 62

HTTPS/SSL Authentication 62

HTTP Authentication 65

Windows Authentication 65

Single Sign-On for Windows Integrated Authentication 67

Authentication Methods
The following authentication methods are supported in RSA Archer:
l HTTPS/SSL Authentication

l HTTP Authentication

l Windows Authentication

l Single Sign-On Authentication

See Authentication Configuration in Chapter 1, Security Configuration Settings.

Disclaimer
Before making any of the authentication configuration changes below, back up the RSA Archer
web.config file, the Configuration database, and the IIS settings.

Important: A misconfigured authentication method can prevent the entire RSA Archer from being
accessible.

HTTPS/SSL Authentication
The certificate for SSL must be available in the Server Certificates component (Machine Name >
Server Certificates) within IIS. When the certificate is available, an https Binding which uses the
SSL certificate must be added for the RSA web site.

Appendix A: Authentication Configuration 62

RSA Archer Security Configuration Guide

Use the following tasks to configure IIS, the web.config files, and the RSA Archer Control Panel for
HTTPS/SSL authentication.
l Configure IIS for HTTPS/SSL Authentication

l Configure Platform web.config File for HTTPS/SSL Authentication

l Configure REST API web.config File for HTTPS/SSL Authentication

l Configure RSA Archer Control Panel for HTTPS/SSL Authentication

Configure IIS for HTTPS/SSL Authentication

Procedure
1. Select the Platform web site in the Connections pane.

2. In the Actions pane, click Bindings.

3. Click Add.

4. In the Type list, select the https option.

5. In the SSL certification list, select the applicable certificate.

6. Click OK.

7. Do one of the following:

l To continue without removing the HTTP Site Binding, go to the next step.

l To remove the HTTP Site Binding, do the following:

a. Select the HTTP Site Binding.

b. Click Remove.

c. Click Yes.

8. Click Close.

9. Perform an IIS reset.

Configure Platform web.config File for HTTPS/SSL Authentication

RSA Archer must be configured to run either in HTTP or HTTPS, not both. Edit the RSA Archer
web.config in the base RSA Archer web site directory.

Appendix A: Authentication Configuration 63

RSA Archer Security Configuration Guide

Procedure
1. Find the expression <!-- for HTTPS, replace httpGetEnabled attribute.

2. Replace httpGetEnabled=”false” with httpsGetEnabled=”false”.

3. Find the expression <!-- for HTTPS, uncomment the below lines.

4. Uncomment the line <security mode="Transport" />.

5. Find the expression <!-- for HTTPS, replace httpTransport attribute httpsTransport.

6. Replace <httpTransport with <httpsTransport.

7. Click Save.

8. Perform an IIS reset.

Configure REST API web.config File for HTTPS/SSL

Authentication
The REST API child API IIS application inherits properties from the parent RSA Archer
application. Similar to the Platform web.config, RSA Archer must be configured to run either in
HTTP or HTTPS, not both. Edit the REST API web.config in the api directory within the base
RSA Archer web site directory.

Procedure
1. Find the expression <!-- for HTTPS, replace httpGetEnabled attribute.

2. Replace httpGetEnabled=”false” with httpsGetEnabled=”false”.

3. Find the expression <!-- for HTTPS, uncomment the below lines.

4. Uncomment the line <security mode="Transport" />.

5. Find the expression <!-- for HTTPS, replace httpTransport attribute httpsTransport.

6. Replace <httpTransport with <httpsTransport.

7. Click Save.

8. Perform an IIS reset.

Configure RSA Archer Control Panel for HTTPS/SSL

Authentication
All URLs in the RSA Archer Control Panel must include HTTPS.

Appendix A: Authentication Configuration 64

RSA Archer Security Configuration Guide

Procedure
1. Open the RSA Archer Control Panel.

2. In Instance Management, double-click the instance you want to configure.

3. Click the Web tab.

4. Change all applicable Platform Web site URLs to include HTTPS.

5. Repeat steps 2 – 4 for all other instances.

6. Click Save All.

HTTP Authentication
If you need to restore HTTP after configuring for HTTPS/SSL authentication, implement the process
by undoing all the HTTPS/SSL steps.

Windows Authentication
The authentication mode must be set to Windows Authentication in IIS. All other authentication
modes must be disabled.
l To enable HTTPS in IIS, refer to the Configure IIS for HTTPS/SSL Authentication section.

l To enable HTTP in IIS, refer to the HTTP Authentication section.

Note: If Windows Authentication is not available for selection, it must be installed. Do not enable
Extended Protection because Microsoft Silverlight does not support it.

The REST API does not support Windows Authentication. Windows Authentication must be disabled
for the child API IIS application, and Anonymous Authentication enabled again.
Use the following tasks to configure IIS and the web.config file for Windows HTTP or HTTPS
authentication.
l Configure IIS for Windows Authentication

l Configure Platform web.config File for Windows Authentication - HTTP

l Configure Platform web.config File for Windows Authentication - HTTPS

Appendix A: Authentication Configuration 65

 RSA Archer Security Configuration Guide

Configure IIS for Windows Authentication

Procedure
1. Select the Platform Web site in the Connections pane.

2. Select the Authentication feature.

3. Set Windows Authentication to Enabled.

4. Disable all other authentication modes, for example Anonymous

5. Perform an IIS reset.

Configure Platform web.config File for Windows Authentication -

HTTP
Edit the RSA Archer web.config file in the base RSA Archer web site directory.

Procedure
1. Find the expression <!-- For Windows Authentication, change mode to 'Windows'.

2. Replace <authentication mode="None" /> with <authentication mode="Windows" />.

3. Find the expression <!-- For Windows Authentication, uncomment the below lines.

4. Uncomment the lines below related to <authorization><allow users="*" /></authorization>.

5. Find the expression <!-- For Basic Authentication (without SSL), uncomment the below lines.

6. Uncomment the lines below related to security mode.

7. Find the expression <!-- for Windows Integrated Authentication, add

authenticationScheme="Negotiate".

8. As instructed, add authenticationScheme="Negotiate" /> to httpTransport or httpsTransport.

9. Click Save.

10. Perform an IIS reset.

Configure Platform web.config File for Windows Authentication -

HTTPS
Edit the RSA Archer web.config in the base RSA Archer web site directory.

Appendix A: Authentication Configuration 66

 RSA Archer Security Configuration Guide

Procedure
1. Find the expression <!-- For Windows Authentication, change mode to 'Windows'.

2. Replace <authentication mode="None" /> with <authentication mode="Windows" />.

3. Find the expression <!-- For Windows Authentication, uncomment the below lines.

4. Uncomment the lines below related to <authorization><allow users="*" /></authorization>.

5. Find the expression <!-- for HTTPS, replace httpGetEnabled attribute.

6. Replace httpGetEnabled=”false” with httpsGetEnabled=”false”.

7. Find the expression <!-- For HTTPS with Windows Authentication, uncomment the below lines.

8. Uncomment the lines below related to security mode.

9. Find the expression <!-- for Windows Integrated Authentication, add

authenticationScheme="Negotiate".

10. As instructed, add authenticationScheme="Negotiate" /> to httpTransport or httpsTransport.

11. Click Save.

12. Perform an IIS Reset.

The REST API child API IIS application inherits properties from the parent Platform application.
Similar to the RSA Archer web.config, the api web.config file must be configured to run in HTTP or
HTTPS, not both. Edit the REST API web.config in the API directory within the base RSA Archer
website directory and make the same HTTPS changes referenced in the Configure REST API
web.config File for HTTPS/SSL Authentication section.

Single Sign-On for Windows Integrated Authentication

Use the following tasks to configure Single Sign-On for Windows integrated authentication.
l Configure Platform web.config File for Single Sign-On

l Configure RSA Archer Control Panel for Single Sign-On - One Instance

l Configure RSA Archer Control Panel for Single Sign-On - Multiple Instances

Note: This is supplemental to the Windows Authentication section to which you can refer for the
additional implementation details.

Configure Platform web.config File for Single Sign-On

Edit the RSA Archer web.config file in the base RSA Archer web site directory.

Appendix A: Authentication Configuration 67

RSA Archer Security Configuration Guide

Procedure
1. Find the expression </configuration>.

2. On a preceding blank line, insert <location

path="default.aspx"><system.web><authorization><deny
users="?"/></authorization></system.web></location>.

3. Click Save.

4. Perform an IIS reset.

Configure RSA Archer Control Panel for Single Sign-On - Single

Instance

Procedure
1. Open the RSA Archer Control Panel.

2. In Instance Management, double-click the instance you want to configure.

3. Click the Single Sign-On tab.

4. Select Windows Integrated as the single sign-on mode.

5. Click the Installation Settings tab.

6. Select the Default Instance box.

7. Click the arrow in the Instance list, and then select the instance.

8. Click Save All.

Configure RSA Archer Control Panel for Single Sign-On - Multiple

Instances

Procedure
1. Open the RSA Archer Control Panel.

2. In Instance Management, double-click the instance you want to configure.

3. Click the Single Sign-On tab.

4. Select Windows Integrated as the single sign-on mode.

5. Click the Web tab.

Appendix A: Authentication Configuration 68

RSA Archer Security Configuration Guide

6. Enter a unique Instance URL.

Note: If a matching DNS entry does not exist for the Instance URL, it does not resolve.

7. Click Save.

Appendix A: Authentication Configuration 69