Keep your GpsGate Server secure (on-site)

Hosted and On-site servers

• Read about the general security measures here.

Server on-site security

Basic measures

• Do not use a browser on your Windows server for casual surfing!
• Do not open and read emails on your Windows server!
• Never install software from the Internet that is not 100% needed and know its source!
• Make sure you always have the latest Windows Updates from Microsoft installed.
• Use a firewall, and only keep open the ports needed.
• Be very restrictive on which software you install on the server.

Additional measures

• Secure your GpsGate Server with a dedicated Windows user.
• Enable HTTPS for the GpsGate Server site in IIS.
• If using HTTPS, make sure to disable SSL 2.0 and 3.0, which are insecure and used by default: https://www.nartac.com/Products/IISCrypto/
• Enable X-Frame-Options: SAMEORIGIN to avoid Clickjacking. (https://en.wikipedia.org/wiki/Clickjacking)
• How to protect your web server: https://support.microsoft.com/en-us/help/2694329/mitigating-framesniffing-with-the-x-frame-options-header
• Add option to enable Token Based Mitigation Authenticate to prevent CSRF (Cross Site Request Forgery) attacks.
  Enabled in SiteAdmin > Security > Use Token Based Mitigation authentication
• Enforce "Secure" flag on cookies even if using HTTP. This will not let users log in or make requests over HTTP when enabled. This is to assist clients to formally pass security PEN tests. The following needs to be manually added to the GpsGateServer/Franson NMEA Service/GpsGate.Service.exe.config file in the <appSettings> section and restart the service:
  <add key="EnforceSecureCookie" value="true" />