UNICORN Hardening Guide - GE Healthcare Life Sciences

UNICORN™
Hardening Guide
Table of Contents
Table of Contents ........ 1
1 Secure the database connection ........ 3
2 Secure the Active Directory® connection ........ 9

UNICORN Hardening Guide 29194918 AA
1 Secure the database connection
Introduction
In UNICORN 7.0.2 and later it is possible to use either server side encryption (the default) or
client side encryption with certificates to secure the communication with the database.
Server side encryption on an SQL Server®
Note:
Microsoft does not recommend having both server side encryption and client
side encryption turned on.
Enable server side encryption on the SQL Server by following the instructions below.
Step 1: Log in as an Administrator on the database server computer.
Step 2: Start the SQL Server Configuration Manager.
Step 3: Click SQL Server Network Configuration, right-click Protocols for UNICORN
        and then click Properties.
        Result: The Protocol for UNICORN Properties dialog box opens.
Step 4: Double-click Force Encryption and click Yes.
Step 5: Click OK.
Step 6: Restart the SQL Server service for UNICORN or restart the computer.
Server side encryption on the SQL Server installed by UNICORN
Note:
Microsoft does not recommend having both server side encryption and client
side encryption turned on.
Server side encryption is turned on by default when the Express edition of SQL Server is
installed by the UNICORN installation program. You can turn server side encryption
on and off in the UNICORN Configuration Manager.
Step 1: Log in as an Administrator on the database server computer.
Step 2: Start the UNICORN Configuration Manager.
Step 3: Select or clear the Force Encryption check box to turn server side encryption
        on or off.
Step 4: Click OK.
Step 5: Click Yes in the message box to restart the UNICORN SQL Server instance
        and apply the new setting, or No to apply the setting after the next UNICORN
        SQL Server instance restart.
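Both procedures above (SQL Server Configuration Manager and UNICORN Configuration Manager) write the Force Encryption flag to the instance's registry hive, which is also where a configured certificate thumbprint is stored. The following T-SQL is an added example, not part of the guide, that reads those two values back so the setting can be verified after the restart without opening the GUI. It assumes you are connected to the UNICORN instance and that the login is a member of the sysadmin role (xp_instance_regread requires it); the registry path is the standard SuperSocketNetLib key that SQL Server uses for its network settings.

```sql
-- Added example (not part of the guide): verify Force Encryption and the
-- configured certificate on the instance you are connected to.
-- xp_instance_regread rewrites the generic "MSSQLServer" path into the
-- hive of the current instance (assumed here to be the UNICORN instance).
DECLARE @force_encryption INT;          -- REG_DWORD: 1 = Yes, 0/NULL = No
DECLARE @certificate     NVARCHAR(256); -- REG_SZ: thumbprint, or NULL if none set

EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
    N'ForceEncryption',
    @force_encryption OUTPUT;

EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
    N'Certificate',
    @certificate OUTPUT;

-- One summary row: which instance, is encryption forced, which certificate.
SELECT
    @@SERVERNAME AS instance_name,
    CASE WHEN @force_encryption = 1 THEN 'Yes' ELSE 'No' END AS force_encryption,
    CASE WHEN @certificate IS NULL OR @certificate = N''
         THEN N'(no certificate configured)'
         ELSE @certificate END AS certificate_thumbprint;
GO
```

If the Certificate value has never been set, the second read leaves @certificate NULL and the summary reports that no certificate is configured; that is the expected state for the "client side encryption without trusted certificates" setup and a finding for the "with trusted certificates" setup, where Stage 5 requires a certificate on the server.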
Client side encryption with trusted certificates
Note:
Microsoft does not recommend having both server side encryption and client
side encryption turned on.
Follow the instructions below to configure UNICORN to use trusted certificates.
Note:
This document does not describe certificate handling in detail. It is assumed
that the local IT department will assist with that.
Stage 1: Create certificates and have them signed by an authorized organization.
         Note: Certificates can be created with a number of different tools, e.g.
         • OpenSSL
         • Makecert
         • IIS Management Console
         • Windows Server® AD Certificate Services
         Note: Certificates have a lifetime of 2 to 3 years and need to be reissued after
         they have expired.
Stage 2: Install certificates on every UNICORN client.
         Note: Depending on the certificates installed, the fully qualified domain name
         (FQDN) of the database location might be needed. Use the Control Panel on the
         computer running the database to locate the FQDN. See Identify the fully
         qualified domain name, on page 8.
Stage 3: Use the UNICORN Service Tool to edit the UNICORN client configuration files
         to use encryption and to not trust server certificates. See UNICORN Service
         Tool User Manual.
Stage 4: Install certificates on the database server.
Stage 5: On the database server, use the SQL Server Configuration Manager to set
         certificates for the SQL Server UNICORN instance:
         1. Expand SQL Server Network Configuration.
         2. In Protocols for UNICORN choose Properties.
         3. In the Protocols for UNICORN Properties window, click the Certificates tab
            to set the certificate.
         Note: If you are no longer using certificates, clear the SQL Server usage of
         certificates prior to deleting the certificates from the computer. SQL Server
         will not start without the configured certificate.
Stage 6: Check that the client connections are encrypted. See Check client connections,
         on page 7.
Tip:
If the connections are refused, it is possible that the certificates are not properly installed.
Client side encryption without trusted certificates
Note:
Microsoft does not recommend having both server side encryption and client
side encryption turned on.
Follow the instructions below to set up client side encryption without using trusted certificates.
Stage 1: Use the UNICORN Service Tool to edit the UNICORN client configuration files
         to use encryption and to trust all server certificates. See UNICORN Service
         Tool User Manual.
Stage 2: Check that the client connections are encrypted. See Check client connections,
         on page 7.
Check client connections
You can check the encryption status of the current client connections by running the
following SQL script.
There are two ways to execute the script: run it directly in SQL Server Management
Studio, or save it to a text file and run it with sqlcmd from an elevated command prompt.
-- All connections to the current instance with their encryption status
SELECT session_id, encrypt_option FROM sys.dm_exec_connections;
GO
-- All sessions with their session ID (spid), login and host name
EXEC sp_who;
GO
The result of the first query is a list of the connections established to the current instance
of SQL Server and the details of each connection. The second query returns a list of
session ID (spid) and connection information. By cross-referencing these two lists you
can check if the connections from a specific computer (hostname) are encrypted.
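Cross-referencing the two result sets by hand is error-prone on a server with many clients. The following T-SQL is an added example, not code from the guide, that joins sys.dm_exec_connections to sys.dm_exec_sessions so that each row shows the client host name, login, program and transport next to its encrypt_option, and then summarizes encrypted and unencrypted connections per host. It needs the VIEW SERVER STATE permission. Note that encrypt_option = TRUE only says the link is encrypted; it does not tell you whether the client validated the server certificate, which is decided by the "trust server certificates" setting made with the UNICORN Service Tool in the stages above.

```sql
-- Added example (not part of the guide): encryption status per client host.
-- Batch 1: one row per connection, joined to its session so host name, login
-- and transport appear beside encrypt_option. Needs VIEW SERVER STATE.
SELECT
    s.session_id,
    s.host_name,
    s.login_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.auth_scheme,
    c.encrypt_option,
    CASE WHEN c.encrypt_option = 'TRUE' THEN 'encrypted'
         ELSE 'UNENCRYPTED - check client configuration' END AS verdict
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1            -- skip SQL Server's own system sessions
ORDER BY c.encrypt_option, s.host_name, s.session_id;
GO

-- Batch 2: one row per client computer. Any host with unencrypted > 0 has at
-- least one connection that did not negotiate encryption.
SELECT
    s.host_name,
    COUNT(*) AS connections,
    SUM(CASE WHEN c.encrypt_option = 'TRUE'  THEN 1 ELSE 0 END) AS encrypted,
    SUM(CASE WHEN c.encrypt_option = 'FALSE' THEN 1 ELSE 0 END) AS unencrypted
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY s.host_name
ORDER BY unencrypted DESC, s.host_name;
GO
```

Run it in SQL Server Management Studio, or save it to a file and run it from an elevated command prompt with sqlcmd, for example `sqlcmd -S .\UNICORN -E -i check_connections.sql` (the instance name UNICORN and the file name are assumptions; `-E` uses Windows authentication). The first batch is the one to look at when a single computer is being troubleshooted; the second gives the overall picture after a certificate rollout.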
Identify the fully qualified domain name
The fully qualified domain name (FQDN) is also called "full computer name". Follow the
instructions below to identify a computer's FQDN.
Step 1: Enter Computer name in the Windows® Start menu search box.
Step 2: Click the See the name of this computer Control Panel item displayed as a
        result.
Step 3: The FQDN for the computer is listed as "Full computer name" under the
        heading "Computer name, domain, and workgroup settings".
2 Secure the Active Directory® connection
Introduction
UNICORN 7.0.2 and later are by default configured to use secure (encrypted) user authentication with an Active Directory (AD) over the TLS/SSL protocol.
Note:
In order to secure user authentication between an Active Directory and the
client a trusted relationship must be established (using certificates). This can
be done by your local IT department by adding the Server Role Active Directory
Certificate Services in Server Manager.
Encrypt user authentication with the Active Directory
The following table outlines the process of enabling or disabling encrypted user authentication with an Active Directory.
Stage 1: Establish a trusted relationship using certificates between the Active Directory
         and the AD user.
Stage 2: Enable or disable encrypted user authentication to the Active Directory in
         UNICORN using the UNICORN Service Tool. See UNICORN Service Tool User
         Manual.
For local office contact information, visit
www.gelifesciences.com/contact
GE, GE monogram and UNICORN are trademarks of General Electric Company.
GE Healthcare Bio-Sciences AB
Björkgatan 30
751 84 Uppsala
Sweden
All other third party trademarks are the property of their respective owner.
www.gelifesciences.com/UNICORN
Active Directory, Microsoft, SQL Server, Windows and Windows Server are
trademarks of Microsoft Corporation.
Any use of UNICORN is subject to GE Healthcare Standard Software End-User
License Agreement for Life Sciences Software Products. A copy of this Standard
Software End-User License Agreement is available on request.
UNICORN 7 © 2009 - 2016 General Electric Company
© 2016 General Electric Company
First published Apr. 2016
All goods and services are sold subject to the terms and conditions of sale of
the company within GE Healthcare which supplies them. A copy of these terms
and conditions is available on request. Contact your local GE Healthcare representative for the most current information.
GE Healthcare Europe GmbH
Munzinger Strasse 5, D-79111 Freiburg, Germany
GE Healthcare UK Limited
Amersham Place, Little Chalfont, Buckinghamshire, HP7 9NA, UK
GE Healthcare Bio-Sciences Corp.
100 Results Way, Marlborough, MA 01752, USA
GE Healthcare Dharmacon, Inc.
2650 Crescent Dr., Lafayette, CO 80026, USA
HyClone Laboratories, Inc.
925 W 1800 S, Logan, UT 84321, USA
GE Healthcare Japan Corporation
Sanken Bldg. 3-25-1, Hyakunincho Shinjuku-ku, Tokyo 169-0073, Japan
29194918 AA 04/2016 a315