
Vulnerability issue

Updated: 2022-10-20 11:34:44



Hi Team,

Current setup:

There are 5 reports generated and displayed via URL to the end users. I have used the default configuration to generate the SSRS web service URL and this is called by the NETIQ SSO server. After VAPT was performed the below 6 issues were highlighted. Please let me know how they can be closed.

Vulnerability 1: Weak Cipher Suites

The remote host supports the use of MD5.

The MD5 cipher is flawed in its generation of a pseudo-random stream of bytes, so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

Vulnerability 2: Sensitive Information disclosed

The HTTP responses returned by this web application include a header named Server. The value of this header includes the version of Server, Asp.Net & Mysql.

Vulnerability 3: Strict transport security not enforced

The HTTP Strict Transport Security policy defines a timeframe where a browser must connect to the web server via HTTPS.

Vulnerability 4: Cacheable HTTP response

Browsers may store a local cached copy of content received from web servers.

If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Vulnerability 5: Click-jacking

No X-Frame-Options header found in response.

Vulnerability 6: View state Parameter Not Encrypted

The __VIEWSTATE parameter is not encrypted. To reduce the chance of someone intercepting the information stored in the View State, it is good design to encrypt the View State. To do this, set the machine Key validation type to AES. This instructs ASP.NET to encrypt the View State value using the Advanced Encryption Standard. View State, which by default is Base64 encoded can be easily decoded.

Below each vulnerability the description is provided. Please assist me to close this issue.
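As an added example (not code from the thread, from SSRS or from Microsoft), a Python check that classifies one captured HTTP response against findings 2 to 6 above, so a fix can be verified before the next VAPT round; finding 1 is a TLS cipher-suite setting on the host and is not covered. The headers and the __VIEWSTATE value are constructed samples, and the 0xFF 0x01 ViewState check assumes the ASP.NET ObjectStateFormatter serialisation.

```python
import base64
import re

# Constructed sample response modelled on the VAPT findings in the post;
# it is not a capture from the poster's SSRS server.
SAMPLE_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
# Unencrypted ASP.NET ViewState: base64 of a blob that starts with the
# ObjectStateFormatter marker bytes 0xFF 0x01 (minimal constructed value).
SAMPLE_BODY = ('<input type="hidden" name="__VIEWSTATE" value="'
               + base64.b64encode(b"\xff\x01\x0f\x05hello").decode() + '" />')


def audit_response(headers, body="", over_tls=True):
    """Return the names of findings 2-6 present in one HTTP response (headers + body)."""
    h = {k.lower(): v for k, v in headers.items()}  # case-insensitive lookup
    findings = []
    # Finding 2: version numbers leaking via Server / X-AspNet-Version / X-Powered-By.
    for name in ("server", "x-aspnet-version", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append("version disclosure: " + name)
    # Finding 3: HTTPS responses must carry HSTS with a max-age of at least a year.
    if over_tls:
        m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS missing or max-age too short")
    # Finding 4: authenticated report pages should be marked no-store.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("cacheable response (no Cache-Control: no-store)")
    # Finding 5: framing protection via X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options / frame-ancestors")
    # Finding 6: a ViewState that base64-decodes to the 0xFF 0x01 marker is
    # serialised in the clear; an encrypted one decodes to opaque ciphertext.
    m = re.search(r'name="__VIEWSTATE" value="([^"]*)"', body)
    if m:
        try:
            raw = base64.b64decode(m.group(1))
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if raw[:2] == b"\xff\x01":
            findings.append("ViewState not encrypted")
    return findings
```

Run it against a response saved from the report URL (headers plus body) and the empty list is the pass condition; the sample above reproduces all five header/ViewState findings.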


Hi DICGC_IN

According to your description, it seems that you want to search for methods to avoid the vulnerabilities in SSRS.

If so, it seems it is more related to the development aspects. It seems most of the aspects you referred to could not be fixed just by configuring the settings.

I suggest you could try to post the thread at: https://feedback.azure.com/forums/908035-sql-server.

If the requirement is mentioned by customers many times, the product team may consider adding this feature in the next SQL Server version. Your feedback is valuable for us to improve our products and increase the level of service provided.

Thanks for your support and understanding.

Best Regards,

Eric Liu