Server security configuration recommendations

Follow the steps covered in some or all of the following sections to make sure your Trados GroupShare server is as secure as possible. Each section covers a specific area.

Authentication Method

Our general recommendation is to use one of the following primary authentication methods: Windows Authentication, SAML v2 Authentication or JWT Authentication. SDL Authentication is also an option, but the recommended methods let you use the more sophisticated account lockout options available in the dedicated identity and authentication services.

System Security

We recommend that system administrators implement an anti-virus solution that scans files before they are uploaded or used further in translation projects and resources.

Database authentication

When connecting to the database server, we strongly recommend Windows authentication over SQL-based authentication. With SQL authentication, the username and password used to access the database are stored in clear text in the configuration file. With Windows authentication the credentials are not embedded in the file, so they cannot be recovered by someone who gains access to your configuration file.

Enable HTTP Strict Transport Security (HSTS)

To check that HSTS is enabled in IIS Manager:

  1. Access the IIS Web Server.
  2. Open IIS Manager.
  3. Expand the Sites section and click SDL Server.
  4. Click on HSTS.
  5. Verify that Enable is checked, and Max-Age is set to something other than 0.

The HSTS policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. The policy specifies a period of time (the Max-Age value) during which the user agent should only access the server over a secure connection. Check the response headers of an HTTPS response to see whether the Strict-Transport-Security field is present.

Redirect HTTP to HTTPS

To redirect HTTP to HTTPS:

  1. Add the following redirect rule to the website's web.config file, located under SDL Server\Web\web.config (it belongs in the <rewrite><rules> collection of the IIS URL Rewrite configuration):
    <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>

  2. Open the browser's Developer Tools and copy the link to any resource, for example a font or an image.
  3. Paste the link in a new tab, changing the protocol from HTTPS to HTTP. You should see a redirect to the HTTPS URL.

Disable Tomcat default page

This setting is a one-time configuration and it is generally not required after an upgrade.

To disable Tomcat default page:
  1. Navigate to C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf
  2. Open the web.xml file and comment out the following section:
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>


Note: If you disable index.jsp you will need to specify that in the URL when loading MultiTerm Online. We do not recommend this as it can lead to unexpected issues. The other two entries can be commented out as they are not used.

Disable deprecated TLS and SSL versions

This setting is a one-time configuration and it is generally not required after an upgrade.

Navigate to your system's Registry. We recommend consulting docs.microsoft.com on how to do so for your version of Windows.

Check that the following keys are present and set to the values shown (each protocol has a Client and a Server subkey, and both must be set):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000
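The following PowerShell function is an added example, not part of the GroupShare documentation: it audits the eight SCHANNEL keys listed above (Client and Server for each deprecated protocol) and, with -Fix, creates or corrects them. It assumes an elevated session on the GroupShare server; a reboot is still required for SCHANNEL changes to take effect.

```powershell
# Added example: audit (and optionally set) the SCHANNEL protocol keys from the section above.
function Test-SchannelProtocolsDisabled {
    [CmdletBinding()]
    param(
        # Protocols the page says to disable; each has a Client and a Server subkey.
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'),
        # Create missing keys / correct wrong values instead of only reporting.
        [switch]$Fix
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    # Expected REG_DWORD values, matching the dword: entries listed above.
    $expected = [ordered]@{ DisabledByDefault = 1; Enabled = 0 }

    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path   = Join-Path (Join-Path $base $proto) $side
            $exists = Test-Path -LiteralPath $path
            $props  = if ($exists) { Get-ItemProperty -LiteralPath $path } else { $null }

            foreach ($name in $expected.Keys) {
                # A missing key or a missing value is non-compliant: the page requires both present.
                $actual = if ($props) { $props.$name } else { $null }
                $ok = ($null -ne $actual) -and ([int]$actual -eq $expected[$name])

                if (-not $ok -and $Fix) {
                    if (-not $exists) { New-Item -Path $path -Force | Out-Null; $exists = $true }
                    New-ItemProperty -LiteralPath $path -Name $name -Value $expected[$name] `
                        -PropertyType DWord -Force | Out-Null
                    $actual = $expected[$name]; $ok = $true
                }

                [pscustomobject]@{
                    Key       = "$proto\$side"
                    Name      = $name
                    Expected  = $expected[$name]
                    Actual    = $actual
                    Compliant = $ok
                }
            }
        }
    }
}

# Report only (no changes):
Test-SchannelProtocolsDisabled | Format-Table -AutoSize
# Remediate from an elevated prompt, then reboot:
# Test-SchannelProtocolsDisabled -Fix | Where-Object { -not $_.Compliant }
```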

Path traversal fix for MultiTerm Online (MTO)

A path traversal in IIS does not reproduce when the RequestFilteringModule and UrlRoutingModule modules are enabled. For GroupShare these are enabled by default.

This is not the case for MTO.

You can see this by accessing https://<domain>/multiterm/..;x=x/, which displays Tomcat's default page.

If MultiTerm Online is routed through IIS this can be fixed with request filtering:
  1. Go to Request Filtering in IIS Manager under SDL Server.
  2. Add a new "Deny Sequence" URL rule to deny the character sequence ".." in the URL.

After the rule is added, accessing https://<domain>/multiterm/..;x=x or any other URL that contains ".." returns an HTTP 404 error.

Enable HSTS for MTO

  1. Navigate to C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf and open the web.xml file.
  2. Edit the HttpHeaderSecurity filter as follows:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

  3. Set the antiClickJackingOption parameter to SAMEORIGIN; otherwise, pages that contain iframes can stop working after enabling HSTS.
  4. Ensure the <async-supported> line always comes before the <init-param> elements, as shown in the example above. Otherwise you may hit XML validation errors if strict validation is enabled directly on the context or via the system property STRICT_SERVLET_COMPLIANCE.
  5. Uncomment the following section (the filter mapping that applies the filter to every request):
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

MTO security constraint configuration

  1. Navigate to C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\multiterm\WEB-INF
  2. Open the web.xml file.
  3. Add the following section:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>twx-portal</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


Enable IIS secure cookies

  1. Navigate to SDL Server\Web
  2. Open the web.config file
  3. Add the httpCookies node as follows:
    <system.web>
        ...
        <httpCookies httpOnlyCookies="true" requireSSL="true" />
        ...

  4. Add a rewrite rule for secure cookies in web.config:
    <system.webServer>
        <rewrite>
            <outboundRules>
                <rule name="Use only secure cookies" preCondition="Unsecured cookie">
                    <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
                    <action type="Rewrite" value="{R:0}; secure" />
                </rule>
                <preConditions>
                    <preCondition name="Unsecured cookie">
                        <add input="{RESPONSE_SET_COOKIE}" pattern="." />
                        <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>


Alternatively, you can adjust the script under C:\ProgramData\Package Cache\SDL\TradosGroupShare2020\SecureCookie.ps1 ($configPath = 'W:\SDL\SDL Server\Web\web.config') and run it as admin.
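The following PowerShell function is an added example, not part of the GroupShare documentation or its SecureCookie.ps1 script. It verifies from a client machine the settings described in the HSTS, HTTP-to-HTTPS redirect, MTO HSTS/anti-clickjacking, path traversal and secure cookie sections above. The host name and the /multiterm/ path are placeholders for your deployment.

```powershell
# Added example: check a GroupShare server's responses against the settings on this page.
function Test-GroupShareHeaders {
    param(
        [Parameter(Mandatory)] [string]$ServerHost,   # placeholder, e.g. groupshare.example.internal
        [string]$MtoPath = '/multiterm/'                # MTO path routed through IIS
    )
    # Fetch one URL without following redirects, so the redirect itself can be inspected.
    # HttpWebRequest returns 3xx normally; 4xx/5xx arrive as a WebException that still carries headers.
    function Get-RawResponse([string]$Url) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.AllowAutoRedirect = $false
        $req.Method = 'GET'
        try { return $req.GetResponse() }
        catch [System.Net.WebException] { return $_.Exception.Response }
    }
    function New-Finding($Check, $Pass, $Detail) {
        [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
    }

    # Redirect HTTP to HTTPS: a permanent/temporary redirect whose Location is https://.
    $http = Get-RawResponse "http://$ServerHost/"
    $loc  = if ($http) { $http.Headers['Location'] } else { $null }
    $isRedirect = $http -and (@(301, 302, 307, 308) -contains [int]$http.StatusCode)
    New-Finding 'HTTP redirects to HTTPS' ($isRedirect -and $loc -like 'https://*') $loc

    $https = Get-RawResponse "https://$ServerHost/"
    if (-not $https) { throw "No response from https://$ServerHost/" }

    # HSTS: header present with a max-age other than 0 (the Max-Age checked in IIS Manager above).
    $hsts   = $https.Headers['Strict-Transport-Security']
    $maxAge = if ($hsts -match 'max-age=(\d+)') { [int]$Matches[1] } else { 0 }
    New-Finding 'HSTS with non-zero max-age' ($maxAge -gt 0) $hsts

    # antiClickJackingOption SAMEORIGIN from the Tomcat HttpHeaderSecurityFilter.
    $xfo = $https.Headers['X-Frame-Options']
    New-Finding 'X-Frame-Options SAMEORIGIN' ($xfo -eq 'SAMEORIGIN') $xfo

    # Secure cookies: every Set-Cookie must carry both the secure and HttpOnly attributes.
    $cookies  = @($https.Headers.GetValues('Set-Cookie') | Where-Object { $_ })
    $insecure = @($cookies | Where-Object { $_ -notmatch '(?i);\s*secure' -or $_ -notmatch '(?i);\s*httponly' })
    New-Finding 'Cookies flagged Secure+HttpOnly' ($insecure.Count -eq 0) "$($cookies.Count) cookie(s), $($insecure.Count) missing flags"

    # The page's own test for the MTO ".." request-filtering rule: the request must return 404.
    $trav   = Get-RawResponse "https://$ServerHost$MtoPath..;x=x/"
    $status = if ($trav) { [int]$trav.StatusCode } else { $null }
    New-Finding 'MTO ".." request filtered (404)' ($status -eq 404) $status
}

Test-GroupShareHeaders -ServerHost 'groupshare.example.internal' | Format-Table -AutoSize
```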