FIPS Compliance with Titan Server
Question
How can I ensure FIPS Compliance with Titan Server in my Windows environment?
Answer
Titan Server can meet FIPS Compliance requirements. There are configuration items within Titan Server to consider, as well as Operating System configurations to ensure on the system running Titan.
Steps
- Log in to the Titan Server Administrator using valid credentials.
- Navigate to the specific Services that are to be used in Titan (e.g. FTPS, SFTP, HTTPS).
- Enable the setting “Enable FIPS Compliance…” for each of the Services of interest, then choose “Apply”.
  NOTE: This option ensures the encryption methods enabled within Titan are all FIPS compliant; any non-compliant options will be disabled.
- If you prefer not to use the “Enable FIPS Compliance…” option, ensure that under the SFTP settings in Titan the Ciphers, MACs, and Key Exchanges in use are all FIPS compliant, and be sure to disable weak options.
- For FTPS and HTTPS (TLS) Services, verify these options at the Windows level: Verifying and Configuring TLS Settings for Windows Server
- Review links from Windows regarding ensuring the OS is FIPS compliant:
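The Windows-level checks that the FTPS and HTTPS steps above depend on can be read directly from the registry. The following PowerShell is an added example, not part of the Titan documentation: it reports the Windows FIPS algorithm policy and the per-protocol Schannel server settings, and changes nothing. The registry paths are the standard Windows locations for these settings; a value that is absent means the OS default applies, and the script reports that rather than guessing.

```powershell
# Added example (not from the Titan documentation): report the Windows-level settings
# that Titan's FTPS/HTTPS (TLS) services depend on. Read-only; nothing is modified.

function Get-FipsPolicyState {
    # The "System cryptography: Use FIPS compliant algorithms..." policy is surfaced
    # in this registry value (1 = enabled).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting = 'FipsAlgorithmPolicy\Enabled'
        Value   = if ($null -eq $value) { 'not set' } else { $value.Enabled }
        Fips    = ($null -ne $value -and $value.Enabled -eq 1)
    }
}

function Get-SchannelProtocolState {
    # Schannel protocol enablement lives under this key. Missing values mean the
    # OS default applies, so that is reported explicitly.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key   = Join-Path $base "$proto\Server"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($null -eq $props -or $null -eq $props.Enabled) { 'OS default' } else { $props.Enabled }
            DisabledByDefault = if ($null -eq $props -or $null -eq $props.DisabledByDefault) { 'OS default' } else { $props.DisabledByDefault }
            # Legacy protocols should be explicitly disabled (Enabled = 0) on a FIPS host.
            Legacy            = $proto -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
        }
    }
}

Get-FipsPolicyState        | Format-List
Get-SchannelProtocolState  | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Titan host. A row with `Legacy = True` and `Enabled` anything other than `0` is a protocol that still needs to be turned off at the Windows level before the TLS services can be considered FIPS compliant.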
See attached documentation with additional recommendations for configuration and use of Titan Server.
General Recommendations/Best Practices for Configuration of a Titan Server:
- Use the system drive (C: drive) for application install files, a non-system drive (D: drive or remote share) for configuration and home directories, and an additional drive (E: drive) for log files to help ensure optimal performance
- Use of only secure endpoints (FTPS, SFTP & HTTPS) for internal and external user base to prevent breaches or vulnerabilities to the server environment
- Do not enable or use insecure, outdated Ciphers (prefer CTR over CBC), MACs (SHA1 or MD5) or KEXes (SHA1 and Group1) on any secure endpoint
- Always use a 2048-bit key or larger for SFTP host keys and TLS certificates; do not use 1024-bit keys, as they are considered insecure
- Use of Compression for SFTP to compress file transfer to reduce bandwidth and uploading/downloading time
- Define PASV ports for all FTPS file transfers to prevent port collision and/or exhaustion (recommend port range of 28000 – 30000 in application, internal firewall & external firewall)
- Set the current Idle Connection Timeout setting to a low setting (5 minutes or less) to clear idle sessions faster to help maintain and reduce memory consumption
- Enable “Block Anti-Timeout Schemes” setting to prevent idle user sessions from consuming memory by sending random commands (REST 0, PWD, TYPE A, LIST) to the server
- Use the Ban File Types feature and add *.msi, *.bat, *.ps1, *.reg, *.exe or any other executable file types to prevent remote execution
- Logging should be set to the General Information level when not troubleshooting an issue. Verbose or TRACE level logging writes a large amount of information to disk, consuming unnecessary disk space and occupying disk I/O, CPU, and memory
- Use of PGP feature to encrypt all inbound files (files uploaded to Titan MFT server) in real-time vs post file transfer to ensure data security of files and prevent any corruption of data for all files at rest
- Use TLS for SMTP to encrypt and secure traffic between Titan SFTP and the SMTP server
- Enable 301 Redirect to direct HTTP to HTTPS for secure file transfer
- Enable Password complexity, expiration and Password History to ensure account integrity
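Two of the recommendations above (disabling weak Ciphers, MACs and KEXes, and using 2048-bit or larger keys) can be checked mechanically. The following PowerShell is an added example and not Titan's own code. `Test-SftpAlgorithms` takes the algorithm lists as an administrator would copy them from the Titan SFTP settings page and flags the weak families the list above names (CBC, SHA-1, MD5, group1), plus arcfour, blowfish, cast128 and UMAC, which are not FIPS-approved; the sample lists at the bottom are constructed, not taken from any real Titan configuration. `Get-WeakRsaCertificates` scans the local machine certificate store for RSA certificates below the minimum key size.

```powershell
# Added example (not Titan's own code). Read-only checks for two of the
# recommendations: weak SFTP algorithms and undersized RSA certificate keys.

function Test-SftpAlgorithms {
    param(
        # Lists as copied from the Titan Administrator SFTP settings page.
        [string[]]$Ciphers,
        [string[]]$MACs,
        [string[]]$KeyExchanges
    )
    # Regexes marking an algorithm as weak. CBC, SHA-1, MD5 and group1 follow the
    # recommendations above; arcfour, blowfish, cast128 and umac are added because
    # they are not FIPS-approved algorithms.
    $weak = @{
        Ciphers      = '-cbc$|^arcfour|^blowfish|^cast128'
        MACs         = 'sha1|md5|umac'
        KeyExchanges = 'group1|sha1$'
    }
    foreach ($category in 'Ciphers', 'MACs', 'KeyExchanges') {
        foreach ($alg in $PSBoundParameters[$category]) {
            [pscustomobject]@{
                Category  = $category
                Algorithm = $alg
                Status    = if ($alg -match $weak[$category]) { 'DISABLE' } else { 'ok' }
            }
        }
    }
}

function Get-WeakRsaCertificates {
    param([int]$MinimumBits = 2048)
    # Server certificates normally live in LocalMachine\My. GetRSAPublicKey returns
    # $null for non-RSA certificates, which are skipped here.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        if ($null -ne $rsa -and $rsa.KeySize -lt $MinimumBits) {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                KeyBits    = $rsa.KeySize
                NotAfter   = $_.NotAfter
            }
        }
    }
}

# Constructed sample standing in for a real Titan SFTP algorithm configuration.
$sample = @{
    Ciphers      = 'aes256-ctr', 'aes128-ctr', 'aes256-cbc', '3des-cbc', 'arcfour'
    MACs         = 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1', 'hmac-md5'
    KeyExchanges = 'diffie-hellman-group14-sha256', 'ecdh-sha2-nistp256',
                   'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1'
}
Test-SftpAlgorithms @sample  | Format-Table -AutoSize
Get-WeakRsaCertificates      | Format-Table -AutoSize
```

With the constructed sample, `aes256-cbc`, `3des-cbc`, `arcfour`, `hmac-sha1`, `hmac-md5`, `diffie-hellman-group1-sha1` and `diffie-hellman-group-exchange-sha1` are reported as `DISABLE`; everything else is `ok`. Any certificate the second function lists should be replaced before it is bound to a Titan FTPS or HTTPS service.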