Cloud Management Gateway changing IIS Headers

  • Question

  • I have a customer with an on-premises SCCM and a Cloud Management Gateway in Azure. The customer needs to harden the CMG due to their security policy. They have asked us to configure the CMG to do IIS header rewrites to not show or display the domain name of the company. Has anyone done this or know if it can be done? I believe it is possible with Azure Application Gateways, but have found no info about whether CMGs can be reconfigured in this way.

    Thanks

    Chris

    Wednesday, October 16, 2019 6:21 PM

All replies

  • Sorry, not following. Remove what domain from where exactly? Can you provide an example?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, October 16, 2019 7:40 PM
  • Thanks Jason for the reply.

    The customer is looking to be able to make changes to the CMG header settings similar to the following:

    HTTP Headers:
    Strict-Transport-Security - HSTS
    Best practice would include: Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options - Disables iframes
    Best practice would include: X-Frame-Options: DENY
    Best practice would include: X-Frame-Options: ALLOW-FROM https://example.com/
    X-XSS-Protection - Mitigates XSS
    Best practice would include: X-XSS-Protection: 1; mode=block
    X-Content-Type-Options
    Best practice would include: X-Content-Type-Options: nosniff
    Content Security Policy
    Best practice would include: content-security-policy: upgrade-insecure-requests
    Cache Control
    Best practice would include: Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private

    They are changes they can make on their other Application Gateways in Azure so were hoping to make them on the CMG as well.

    On a random side note, I just got done (5min ago) configuring your UI++ for AD Authentication of an Upgrade Task Sequence. You are a life saver!
    • Edited by cccn714 Wednesday, October 16, 2019 9:00 PM
    Wednesday, October 16, 2019 8:48 PM
  • Thank you for the kind words on UI++ and I'm always very happy to hear that I can help others succeed.

    For the header, I'm not an expert on this by any means and I've never looked at a live header from CMG. Given that it's not actually a web application though, it's a web service consumed only by a very specific client, I can't see that any of the above is actually applicable except possibly an internal domain name being embedded somewhere, although since the CMG isn't joined to any domain and can be called anything that the customer wants it to be called, I don't see it knowing anything sensitive for it to even put in a header. As noted though, I don't know the content of the header explicitly so can't say if this does or doesn't exist with certainty.

    First step would definitely be capturing a header to see what's in there just to validate or rule this out as being a concern. Then, it's almost certainly a support case with Microsoft to identify a supported path if something sensitive does exist.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, October 16, 2019 9:20 PM
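
The "capture a header first" step suggested in the reply above, sketched as an added example that is not part of any post in this thread: it parses a saved response head, reports which headers from the customer's list are absent, and flags any header value containing a name the customer considers sensitive. The sample capture and the domain `corp.example.internal` are constructed placeholders, not real CMG output.

```python
# Added example: audit a saved HTTP response head against the thread's header list.
EXPECTED = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Cache-Control",
]

# Constructed sample capture; NOT real CMG output.
SAMPLE_CAPTURE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Set-Cookie: sid=abc123; domain=corp.example.internal; path=/\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        # Obsolete folded continuation line: append to the previous header.
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def audit(raw, sensitive_names):
    """List expected headers that are missing and header values that leak a name."""
    _, headers = parse_headers(raw)
    present = {name.lower() for name, _ in headers}  # header names are case-insensitive
    missing = [h for h in EXPECTED if h.lower() not in present]
    leaks = [(name, s) for name, value in headers
             for s in sensitive_names if s.lower() in value.lower()]
    return {"missing": missing, "leaks": leaks}

if __name__ == "__main__":
    print(audit(SAMPLE_CAPTURE, ["corp.example.internal"]))
```
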
  • Thanks again Jason

    I am pretty sure these changes can't be made to a CMG given it is a service as you suggested. I will most likely be opening a Support ticket to see if I can get some confirmation from MS.

    Thursday, October 17, 2019 8:41 PM
  • Hi,

    How are things going? I just checked in to see if there are any updates. Please feel free to give feedback, and if the above reply is helpful, please kindly click "Mark as answer". It would move the reply to the top and make it easier to find for other people who have a similar question.

    Thank you!

    Best regards,

    Larry


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 21, 2019 2:07 AM
  • Larry,

    While Jason's reply was helpful, it didn't answer the question:

    Can the SCCM Cloud Management Gateway's header information be changed, similar to the way an Azure Application Gateway's header info can be changed? See the link below.

    https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers

    Wednesday, October 23, 2019 5:05 PM