# Endpoint details

## Add endpoint

1. Click the 'Add Endpoint' button.
2. Enter the URL or IP address to be monitored as the target.
3. Assign a description and [tags](https://docs.enginsight.com/docs/master/operation/platform/tags).
4. Confirm that you are authorized to analyze the endpoint.
5. Define what you want to monitor with Enginsight. It is best to enable all features at the beginning.
6. Select at least one observer to perform the monitoring. If you are an on-premises customer and have not yet added an Observer, [install an Observer](https://docs.enginsight.com/docs/master/operation/platform/observer#add-observer). In the SaaS platform, you can also use two provisioned observers (Germany, USA).
7. Add the endpoint.

{% hint style="danger" %}
Permanent monitoring by the Observer can only be ensured if the IP addresses from which monitoring is performed are not blocked by firewall rules. If necessary, unblock the following IP addresses when using the observers available on the SaaS platform:

164.90.185.111\
164.90.231.250\
142.93.119.55\
142.93.119.52\
138.68.93.235\
138.68.71.130\
139.59.155.98

Optionally allow all A-records from this domain: observers.enginsight.com
{% endhint %}

## Overview

Here you will find a list of all your endpoints, including the current risk score and associated severity.

Clicking on an endpoint will take you to the detailed view.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FVQRW0KYJfJtrN5sEUVsa%2FOverview.png?alt=media&#x26;token=acc561e6-62ed-4309-8e95-37eb0af0d25a" alt=""><figcaption></figcaption></figure>

### Dashboard <a href="#dashboard" id="dashboard"></a>

Several windows give you quick information about the security status of your endpoint.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FGMqv6vPMtzK7ZLkQo2hu%2FDashboard.png?alt=media&#x26;token=7b11b1e5-b4dd-4c6c-8738-ad8cfdc5ac9c" alt=""><figcaption></figcaption></figure>

You can find out what is behind each tile below:

{% tabs %}
{% tab title="Risk Assessments" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FEufAyBDSzJSRKyafeRU1%2FRisk%20Assessment.png?alt=media&#x26;token=12f70019-bb45-4aee-b5f4-f6c6dcbe38cc" alt=""><figcaption></figcaption></figure>

The risk score is calculated using the severity levels of the Common Vulnerability Scoring System (Critical: 100; High: 50; Medium: 10; Low: 1) and the number of existing CVEs. The risk assessment allows you to prioritize endpoints based on their existing risk. You can find more detailed information under [Assessments](#assessments).
{% endtab %}

{% tab title="SSL/TLS Certificate" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FCP8oCZhAbRdIBdoEbl7B%2FsslTLS%20chart.png?alt=media&#x26;token=5e7fe381-58c4-40fe-9d5f-59123f71c0c8" alt=""><figcaption></figcaption></figure>

Find out the most important information about your certificate. Which domain is it for? Who is the issuer and how long is your certificate valid for? You can find more detailed information under [SSL/TLS](#ssl-tls).
{% endtab %}

{% tab title="Performance" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2F6buJHqTbJNrDxZssDJdu%2FBildschirmfoto%202025-09-19%20um%2012.37.33.png?alt=media&#x26;token=cf3b5b57-9806-4fe6-9ff2-cc32182f5cbd" alt="" width="375"><figcaption></figcaption></figure>

Find out from which region your website is being monitored and details about availability and offline time. The response time displayed corresponds to the duration of a technical HTTP request without loading content such as images or scripts. It serves as a basis for assessing the server response time and includes a check of the HTTP status code.
{% endtab %}

{% tab title="Vulnerabilities" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FwKfimMXtY5a7yiinVR7U%2FVulnerabilities%20chart.png?alt=media&#x26;token=29cf0d31-77ed-487f-8b79-758537edce44" alt=""><figcaption></figcaption></figure>

Use the list of all vulnerabilities found to identify the need for action and prioritize the processing of particularly critical vulnerabilities. You can get a deeper insight under [Vulnerabilities](#vulnerabilities).
{% endtab %}

{% tab title="Severity Checks" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FV0cwINbySXg7RQ7MFAUF%2FSeverity%20checks%20kreis.png?alt=media&#x26;token=3db9bf23-c1c6-4dff-8067-0696e0aae2f1" alt=""><figcaption></figcaption></figure>

See at a glance how the weaknesses found are distributed across the different degrees of severity.
{% endtab %}

{% tab title="Applications" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2Fuq2X7wZbAWZaKwrJM0Zx%2FAplications%20chart.png?alt=media&#x26;token=dd9c977d-81fc-4bb2-a9a2-32be70063ec0" alt=""><figcaption></figcaption></figure>

Find out which software has been found, whether development and/or service for a product has been discontinued, and whether software updates are available. Get further information under [Applications](#applications-1).
{% endtab %}

{% tab title="Reputation" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FCtjGoN3Eqsba56M5uH2X%2Freputation%20chart.png?alt=media&#x26;token=0d7d9ce7-21df-409e-9325-151c8b3c68ff" alt=""><figcaption></figcaption></figure>

Obtain information about IPs that are referenced directly or indirectly in the HTML delivered by the web server and that blocklists have marked as malware or similar. Get more information under [Assessment](#assessments).
{% endtab %}

{% tab title="Checks by category" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FwypxkqBu6r1eQ83vhzqg%2Fcategory%20chart.png?alt=media&#x26;token=1852e532-9fae-4637-a569-8ad7c00e8a3d" alt=""><figcaption></figcaption></figure>

This overview informs you about the respective occurrence of these categories.
{% endtab %}

{% tab title="Malicious software" %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FtnojuQfzhaqn2lUby2K3%2FMalicious%20chart.png?alt=media&#x26;token=e6f936e6-8396-48b4-ac52-55b12ba93354" alt=""><figcaption></figcaption></figure>

Get information on all the signs of malicious software on your endpoints. You can get more detailed insights under [Assessments](#assessments).
{% endtab %}
{% endtabs %}

## Assessments

The view allows you to search for checks that have been carried out. Quickly see the criticality of individual checks, as well as their associated category, the corresponding module and the recorded risk score.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FPz8Med18wuPFm1Umq6YG%2FAssessment.png?alt=media&#x26;token=f9cb97ad-b61b-4013-ac10-8fd13d33df11" alt=""><figcaption></figcaption></figure>

Use the top search bar or the filters on the left-hand side to display the relevant results. Click on a top category in the filter bar on the left to select all characteristics or select the desired filters separately from the list.

## Vulnerabilities

Get an overview of existing vulnerabilities.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2Fa4FWppPxMtcqh83BVzhu%2FVulnerabilities.png?alt=media&#x26;token=bd83aa2e-1135-4f49-a4db-8e0110c2e90c" alt=""><figcaption></figcaption></figure>

At the beginning of each entry you will find a classification of the severity. You will also find the official CVSS score (Common Vulnerability Scoring System) for the CVE (Common Vulnerabilities and Exposures) in question and the associated software.

### Appease vulnerabilities

Use the multi-edit function to appease several entries with just one click. In the overlay you can also choose whether only the specific CVEs are to be selected or all associated CVEs of the following Common Platform Enumeration.

#### Add Exception

1. Select individual vulnerabilities and then click on "Add Exception" in the top right-hand corner of the screen. The following overlay will then open:<br>

   <figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FT7itMXKxM3U4xAfuNGiJ%2Fimage.png?alt=media&#x26;token=c6751e4c-f610-4768-8144-901a07e3905b" alt="" width="563"><figcaption></figcaption></figure>
2. If required, enter a comment which will then be attached to the selected vulnerabilities.
3. Select the scope: "General Exception". Below this you will find a list of all previously selected CVEs.
4. Confirm your entry by clicking on: "Supress".

#### Supress

1. Select individual vulnerabilities and then click on "Supress" in the top right-hand corner of the screen. The overlay then opens.<br>

   <figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FPPe7x64DHWDCbL88FdSm%2Fimage.png?alt=media&#x26;token=684da1eb-a50e-4f2f-a6a8-fa8a521bea91" alt="" width="563"><figcaption></figcaption></figure>
2. If required, enter a comment, which will then be attached to the selected vulnerabilities.
3. Select a scope:
   1. General Exception
      1. Then enter the corresponding values under "Vendor", "Product" and "Version". You can easily copy this information from the CVSS vector strings and paste it in the right place.
   2. Specific CVEs
4. Confirm your entry by clicking on: "Add action".

## Settings

Under Settings you will find the destination, and you also have the option of adding a description to your endpoint. Get an overview of assigned tags or add them if required. In the "Regions" area, you will find information about the assignment of the observers.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FXRfTgsCYI9LdUr2dvMNl%2FSettings.png?alt=media&#x26;token=e2fdf395-7b35-4cd3-a5a3-7bf13e8ca1cf" alt=""><figcaption></figcaption></figure>

**Advanced settings**

You can activate the "Human Accessibility" option in the advanced settings. This setting determines that your website is only displayed as accessible if it returns the HTTP status code 200 (OK). If this option is activated, the website is considered unavailable if it returns a different status code (e.g. 404, 500), even if the server is technically accessible. If you do not activate this option, only the technical accessibility of the server is taken into account, regardless of the status code returned.

**Responsibilities**

Select a **technical manager** who is responsible for the maintenance and operation of the server. This person should have sound technical knowledge and be able to solve technical problems quickly.

You should also appoint a **specialist** from your organization. This person is responsible for the content and functional aspects of the endpoint and ensures that the server meets the business requirements.

## BSI

The view shows you which checks your endpoint does not pass and where your configuration fails. Use this information to address compliance in a targeted manner: work through the list and use it as proof of legal compliance.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2F9FFPtGXRENFwvs5Qqa8m%2FBSI.png?alt=media&#x26;token=1d1fe421-6e3f-4f47-af17-18c9a9b4cb68" alt=""><figcaption></figcaption></figure>

In the technical guideline BSI TR-03116-4, the German Federal Office for Information Security (BSI) provides specifications and recommendations for secure SSL/TLS configuration. The guideline is a good indicator for evaluating the SSL/TLS configuration. Check the compliance of your endpoint.

## Performance

Use the overview to keep an eye on all applications associated with the endpoint.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2Fz9XJyIjbG1eRJu5OdN4B%2FBildschirmfoto%202025-09-22%20um%2013.21.05.png?alt=media&#x26;token=7eda606e-7e19-42fb-af1d-5cdcbb37248e" alt=""><figcaption></figcaption></figure>

Here you will find all information about the application environment of the endpoint that can be detected externally. The Observer creates a footprint of the endpoint and checks for e.g.

* CMS,
* Web Server,
* Frameworks or
* Libraries.

The more information an endpoint reveals about the technologies used, the more starting points there are for hackers to launch targeted attacks on the applications. Ideally, an endpoint is configured and programmed in such a way that little can be learned about the technical basis.

All detected applications are presented to you in a clear list. You receive an assessment of how security-critical it is that the application can be detected from the outside.

{% hint style="danger" %}
Make sure you keep your applications as up-to-date as possible to ensure the security of your systems.
{% endhint %}

With this in mind, we have decided on the following categorization:

* **HIGH**\
  **Backend-relevant technologies that pose a high risk of serious attacks**, e.g. CMS, wikis, blogs, ecommerce, CI, programming languages, databases, runtimes, operating systems, message boards, web server extensions, hosting panels, issue trackers
* **MEDIUM**\
  **Technologies with a medium level of risk**, e.g. web servers, development, managed CMS
* **LOW**\
  **Other technologies**, e.g. UI frameworks or JavaScript libraries

**If no version is recognizable, the criticality is reduced. Backend-relevant technologies receive a medium rating, apps categorized as medium receive a low rating.**

As proof, you can find out where the Observer detected the application: in an HTTP header, a cookie or in the code of the website itself.

If known vulnerabilities (CVE) are found for the detected version, these are indicated in the list. All application vulnerabilities are also listed separately under [Vulnerabilities](#vulnerabilities).

## Domain Name System <a href="#domain-name-system" id="domain-name-system"></a>

You use the Domain Name System (DNS) to configure various aspects of your domain. DNS is necessary, for example, to assign the appropriate IP to the domain. Proper configuration is necessary for the smooth operation of the website. Keep an eye on your DNS settings by monitoring your DNS records.

You receive all DNS records in a clear list. In addition, Enginsight checks specific, security-relevant DNS records.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FS31cSp8h0qRm9i3uKd2c%2FDNS.png?alt=media&#x26;token=345017b6-0b18-493a-9e5c-0a359721c3f5" alt=""><figcaption></figcaption></figure>

### DNS validation tests

To prevent misuse of your domain and secure the SSL/TLS connection, you should use DNS records specially developed for this purpose: CAA, SPF, DMARC. The Observer therefore specifically checks for these three records.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2Fnkz4ZfBphmVY5SR48iTW%2FDNS%20Validierungstest.png?alt=media&#x26;token=46ebac3b-dff0-43cf-a9fb-9edc9f44489d" alt=""><figcaption></figcaption></figure>

#### CAA record (Certification Authority Authorization)

With a CAA record, the domain owner determines which certification authorities may issue an SSL/TLS certificate for the domain. The Observer checks for:

* **Missing contact address for DNS CAA** \
  No contact address has been assigned (iodef).
* **Invalid contact address for DNS CAA** \
  The contact address (iodef) contains invalid characters for emails and/or an invalid email format (not <abc@def.com>)
* **Unconventional certification authority** \
  The certification authority used (issue, issuewild) is not on our whitelist. This includes: letsencrypt.org, globalsign.com, sectigo.com, camerfirma.com, accv.es, actalis.it, amazon.com, pki.apple.com, atos.net, buypass.com, aoc.cat, certigna.fr, [www.certinomis.com](http://www.certinomis.com), ecert.gov.hk, certsign.ro, certum.pl

#### SPF-Record (Sender Policy Framework)

The SPF protocol makes it possible to authorize IP addresses to send emails with the domain. In this way, third parties can be prohibited from misusing the domain name. The record is effective in preventing phishing emails with the domain. We validate:

* **Outdated SPF version** \
  Check the SPF version used (v), currently only SPF1 exists.
* **Multiple SPF entries exist** \
  Never use multiple SPF entries. Instead, combine several SPFs in a single entry.
* **SPF entry contains characters after ALL** \
  No further entries may follow the optional ALL entry.
* **Incorrect SPF syntax** \
  The entry contains unknown entries (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or unauthorized characters.

#### DMARC-Record (Domain-based Message Authentication, Reporting and Conformance)

The DMARC record defines a procedure for what should be done if the domain is used by an unauthorized IP to send an e-mail. Enginsight checks:

* **Invalid DMARC policy** \
  The DMARC policy (p) has no usual value. Usual values are:
  * none: The sending of emails is not affected. You will only receive a notification.
  * quarantine: Emails that do not pass the DMARC check will end up in the recipient's spam folder.
  * reject: Emails that do not pass the DMARC check should be rejected by the recipient.
* **Invalid DMARC subdomain policy** \
  The DMARC subdomain policy (sp) has no normal value (for values see: DMARC policy)
* **Invalid DMARC percentage filter specification** \
  The optional percentage filter specification (pct) can be used to specify the percentage of messages to be filtered. The value must therefore be between 1 and 100.
* **Invalid DMARC address for report emails** \
  The report email address contains invalid characters or an invalid email format (not <abc@def.com>)
* **Invalid DMARC protocol version** \
  The version of DMARC (v) must be DMARC1.
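
The CAA, SPF and DMARC checks listed above can be reproduced offline against records you have already resolved. The following is an added example, not Enginsight's own code; the function names, the simplified e-mail pattern and the sample records are assumptions made for illustration.

```python
import re

# Entries the page lists as known in an SPF record (the version tag is checked separately).
SPF_KNOWN = {"mx", "ip4", "ip6", "exists", "include", "all", "a", "redirect", "exp", "ptr"}
DMARC_POLICIES = {"none", "quarantine", "reject"}
# Certification authorities on the allowlist quoted in the CAA section.
CAA_ALLOWED = {
    "letsencrypt.org", "globalsign.com", "sectigo.com", "camerfirma.com", "accv.es",
    "actalis.it", "amazon.com", "pki.apple.com", "atos.net", "buypass.com", "aoc.cat",
    "certigna.fr", "www.certinomis.com", "ecert.gov.hk", "certsign.ro", "certum.pl",
}
# Assumption: a simple "abc@def.com" shape test, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def valid_mailbox(uri):
    """Accept 'mailto:abc@def.com' or a bare address."""
    address = uri.strip()
    if address.lower().startswith("mailto:"):
        address = address[len("mailto:"):]
    return EMAIL_RE.fullmatch(address) is not None


def check_spf(txt_records):
    """Evaluate all TXT records of one domain against the SPF checks."""
    findings = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf")]
    if len(spf) > 1:
        findings.append("Multiple SPF entries exist")
    for record in spf:
        terms = record.split()
        if terms[0].lower() != "v=spf1":
            findings.append("Outdated SPF version")
        # Drop the qualifier (+ - ~ ?) and keep the name before ':', '=' or '/'.
        names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms[1:]]
        if any(n not in SPF_KNOWN for n in names) or not record.isascii():
            findings.append("Incorrect SPF syntax")
        if "all" in names and names.index("all") != len(names) - 1:
            findings.append("SPF entry contains characters after ALL")
    return findings


def check_dmarc(record):
    """Evaluate the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("Invalid DMARC protocol version")
    if tags.get("p", "").lower() not in DMARC_POLICIES:
        findings.append("Invalid DMARC policy")
    if "sp" in tags and tags["sp"].lower() not in DMARC_POLICIES:
        findings.append("Invalid DMARC subdomain policy")
    pct = tags.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and 1 <= int(pct) <= 100):
        findings.append("Invalid DMARC percentage filter specification")
    reports = [u for tag in ("rua", "ruf") for u in tags.get(tag, "").split(",") if u.strip()]
    if not all(valid_mailbox(u) for u in reports):
        findings.append("Invalid DMARC address for report emails")
    return findings


def check_caa(records):
    """records: (tag, value) pairs of the domain's CAA record set."""
    findings = []
    contacts = [value for tag, value in records if tag.lower() == "iodef"]
    if not contacts:
        findings.append("Missing contact address for DNS CAA")
    elif not all(valid_mailbox(c) for c in contacts):
        findings.append("Invalid contact address for DNS CAA")
    for tag, value in records:
        if tag.lower() in ("issue", "issuewild"):
            ca = value.split(";")[0].strip().lower()  # parameters follow the CA domain
            if ca and ca not in CAA_ALLOWED:          # an empty value names no CA at all
                findings.append("Unconventional certification authority")
                break
    return findings


if __name__ == "__main__":
    # Constructed sample records for a fictitious domain.
    print(check_spf(["v=spf1 mx include:_spf.example.net -all ip4:192.0.2.10"]))
    print(check_dmarc("v=DMARC1; p=monitor; pct=0; rua=mailto:not-an-address"))
    print(check_caa([("issue", "ca.example.net")]))
```
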

{% hint style="info" %}
**Alerts: Invalid SPF DNS record, Invalid CAA DNS record**

To receive immediate notification of incorrect DNS records, set up alerts for your endpoints. With the "Invalid CAA DNS record" alert, you can be informed about incorrect CAA DNS records. The "Invalid SPF DNS record" alert warns you of incorrect SPF records.
{% endhint %}

## HTTP-Header <a href="#http-header" id="http-header"></a>

Here you will receive an analysis and evaluation of the HTTP connection configuration you have made via HTTP headers.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2Fr2M66gGx8FoAdaCKpYEN%2FHTTP-Header.png?alt=media&#x26;token=2a575a4e-7d51-496f-9b33-8319acf92e9c" alt=""><figcaption></figcaption></figure>

### Set HTTP headers

All set HTTP headers are listed and evaluated in an overview:

* *OK*: The HTTP configuration complies with the recommendations.
* *Avoidable HTTP header*: The configuration made unnecessarily reveals a lot of information and therefore makes the HTTP connection potentially vulnerable.
* *Unknown HTTP header*: An unknown HTTP header has been detected that potentially reveals information. Please check the necessity of the HTTP header and remove it if necessary.

### Test for required HTTP headers

The system checks whether all headers important for security have been set. These are:

| Name                      | Recommendation                                                                                                                                | Description                                                                                                                                                       |
| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Content-Security-Policy   |                                                                                                                                               | The HTTP content security policy regulates which resources can be loaded or executed in the browser in a certain way.                                             |
| Expect-CT                 | max-age=0                                                                                                                                     | The Expect-CT (Certificate Transparency) HTTP header defines how the CT policy is to be applied.                                                                  |
| Feature-Policy            | accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' | The feature policy determines which functions or APIs of a browser may be used.                                                                                   |
| Referrer-Policy           | no-referrer-when-downgrade                                                                                                                    | The referrer policy ensures that referrer information may only be sent under certain conditions.                                                                  |
| Strict-Transport-Security | <p>max-age=31536000;</p><p>includeSubDomains</p>                                                                                              | HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against both the circumvention of connection encryption and session hijacking. |
| X-Content-Type-Options    | nosniff                                                                                                                                       | The only defined value "nosniff" prohibits Internet Explorer from using MIME sniffing to determine and apply a content type other than the declared content type. |
| X-Frame-Options           | <p>DENY</p><p>(SAMEORIGIN)</p><p>(ALLOW-FROM <https://example.com/>)</p>                                                                      | The X-Frame-Options header can be used to determine whether a calling browser may render the target page in a `<frame>`, `<iframe>` or `<object>`, i.e. embed it. |
| X-XSS-Protection          | <p>1;</p><p>mode=block</p>                                                                                                                    | X-XSS protection can prohibit browsers from loading a target page if a cross-site scripting (XSS) attack is detected.                                             |

If headers are not set correctly, a recommendation is issued.
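
To compare one of your own responses with the recommendations in the table, the required-header test can be run locally. This is an added example, not Enginsight's own code; `audit`, `parse_headers` and the sample response are constructed for illustration, and treating an HSTS `max-age` above the recommended value as compliant is an assumption.

```python
import re

# Constructed sample response head (not captured from a real server).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
strict-transport-security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: origin
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self'
"""

FEATURES = ("accelerometer", "camera", "geolocation", "gyroscope",
            "magnetometer", "microphone", "payment", "usb")


def parse_headers(raw):
    """Return {lower-cased name: value}; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep:                            # blank line: end of the header block
            break
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _directives(value, sep="="):
    """Split 'a=1; b' into {'a': '1', 'b': ''} with lower-cased directive names."""
    pairs = (part.strip().partition(sep) for part in value.split(";") if part.strip())
    return {name.strip().lower(): arg.strip() for name, _, arg in pairs}


def _hsts(value):
    d = _directives(value)
    # Assumption: a max-age above the recommended 31536000 seconds also passes.
    return (re.fullmatch(r"[0-9]+", d.get("max-age", "")) is not None
            and int(d["max-age"]) >= 31536000 and "includesubdomains" in d)


def _feature_policy(value):
    d = _directives(value, sep=" ")            # "camera 'none'" is space separated
    return all(d.get(feature) == "'none'" for feature in FEATURES)


def _x_frame_options(value):
    v = value.strip().upper()
    return v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM ")


def _xss_protection(value):
    d = _directives(value)
    return "1" in d and d.get("mode", "").lower() == "block"


# One validator per required header from the table. The table gives no recommended
# value for Content-Security-Policy, so only its presence is tested.
REQUIRED = {
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "Expect-CT": lambda v: _directives(v).get("max-age") == "0",
    "Feature-Policy": _feature_policy,
    "Referrer-Policy": lambda v: v.strip().lower() == "no-referrer-when-downgrade",
    "Strict-Transport-Security": _hsts,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": _x_frame_options,
    "X-XSS-Protection": _xss_protection,
}


def audit(raw_response):
    """Map every required header to 'ok', 'missing' or 'differs from recommendation'."""
    headers = parse_headers(raw_response)
    report = {}
    for name, is_compliant in REQUIRED.items():
        value = headers.get(name.lower())
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if is_compliant(value) else "differs from recommendation"
    return report


if __name__ == "__main__":
    for header, status in audit(SAMPLE_RESPONSE).items():
        print(f"{header:28} {status}")
```

The comparison is literal: a `Referrer-Policy` that differs from the table's recommendation is reported even if it is a stricter policy.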

## Open Ports

Here you can analyze your ports that are accessible through the Observer. The rating (low, medium, high) indicates whether the ports should normally be publicly accessible.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2F5KKz7HPDFYy5S7jMDwEr%2FBildschirmfoto%202025-09-22%20um%2013.29.07.png?alt=media&#x26;token=2f5f6e3c-5964-4e1a-8b7e-baf5bf51823b" alt=""><figcaption></figcaption></figure>

The Observer checks the following common ports:

| Port  | IANA Services |
| ----- | ------------- |
| 21    | ftp           |
| 22    | ssh           |
| 23    | telnet        |
| 25    | smtp          |
| 53    | domain        |
| 80    | http          |
| 106   | 3com-tsmux    |
| 110   | pop3          |
| 111   | sunrpc        |
| 123   | ntp           |
| 135   | epmap         |
| 137   | netbios-ns    |
| 138   | netbios-dgm   |
| 139   | netbios-ssn   |
| 143   | imap          |
| 161   | snmp          |
| 389   | ldap          |
| 443   | https         |
| 445   | microsoft-ds  |
| 465   | urd           |
| 587   | submission    |
| 993   | imaps         |
| 995   | pop3s         |
| 1433  | ms-sql-s      |
| 1512  | wins          |
| 1723  | pptp          |
| 2222  | EtherNet-IP-1 |
| 2483  | ttc           |
| 2484  | ttc-ssl       |
| 3306  | mysql         |
| 3389  | ms-wbt-server |
| 4369  | epmd          |
| 5432  | postgresql    |
| 5666  | nrpe          |
| 5672  | amqp          |
| 5984  | couchdb       |
| 6379  | redis         |
| 8080  | http-alt      |
| 8443  | pcsync-https  |
| 8983  | apache solr   |
| 27017 | mongodb       |

With the "New open port" endpoint alert, you can be notified as soon as the Observer detects a new open port.

## SSL/TLS <a href="#ssl-tls" id="ssl-tls"></a>

Gain insight into your SSL/TLS configurations and check whether the encryption complies with current security standards.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2F88qPcmu56giL6ExpfDUB%2FSSLTLS.png?alt=media&#x26;token=a6d41dde-17a8-416f-acc9-759848cf706b" alt=""><figcaption></figcaption></figure>

### Certificate

The overview provides information on the certificate used, e.g. the validity, the public key used, which domain the certificate was assigned to and which certification authority issued it.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2Fx4gR0LsBliMDN0JQiUYh%2FCertificate.png?alt=media&#x26;token=54ea78b7-8d03-4e62-b3cb-9bb40778146b" alt=""><figcaption></figcaption></figure>

### Web-Encryption-Checks

Our security checks examine the SSL/TLS encryption for known vulnerabilities caused by misconfigurations or the use of outdated technologies.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2F2XIcMhXh42yYbo3M4liP%2FWeb%20encryption%20checks.png?alt=media&#x26;token=76375f9f-d167-4782-a233-ed693647e469" alt=""><figcaption></figcaption></figure>

The individual checks are:

| Title                                                                | Description                                                                                                                                                                                                |
| -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Supports SSL/TLS compression                                         | The use of compression is not recommended, as it makes SSL/TLS vulnerable (especially for CRIME, Compression Ratio Info-leak Made Easy).                                                                   |
| No support for secure renegotiation                                  | Secure Renegotiation ensures that no overload is possible if a client is constantly requesting new keys. Requests are then blocked and a DDoS attack is prevented.                                         |
| Supports weak SSL/TLS ciphers                                        | SSL/TLS ciphers determine which encryption algorithms are used to exchange keys and how communication is secured. If insecure SSL/TLS ciphers are offered, the established connection is no longer secure. |
| Weak Diffie-Hellman parameter                                        | An insecure key exchange method is used.                                                                                                                                                                   |
| Supports anonymous ciphers                                           | Anonymous ciphers are insecure and should not be used.                                                                                                                                                     |
| Supports vulnerable ciphers                                          | Ciphers that contain insecure cryptographic procedures should not be offered.                                                                                                                              |
| Insecure SSL/TLS protocol                                            | Only secure protocols should be offered for encryption.                                                                                                                                                    |
| Susceptible to NULL pointer dereference                              |                                                                                                                                                                                                            |
| Susceptible to DROWN                                                 | The outdated SSLv2 can be used to crack recorded TLS traffic.                                                                                                                                              |
| Susceptible to FREAK                                                 | In a FREAK attack, the communication partners are tricked into agreeing on an insecure encryption method, even though secure methods are available.                                                        |
| Does not support the latest protocol (TLSv1.3)                       | The latest and most secure protocol TLSv1.3 is not supported.                                                                                                                                              |
| Susceptible to logjam attacks                                        | Attackers can obtain the secret keys by exploiting a vulnerability in the Diffie-Hellman key exchange.                                                                                                     |
| Cipher supports MD5                                                  | MD5 is no longer considered sufficiently secure and should therefore not be used.                                                                                                                          |
| Supports zero-cipher encryption                                      | A zero cipher means that no encryption is used at all. This is never recommended beyond testing purposes.                                                                                                  |
| Supports ciphers susceptible to Poodle attacks                       | Poodle attacks exploit a vulnerability in SSL 3.0 so that encrypted information from an SSL 3.0 connection can be exposed.                                                                                 |
| Supports RC4 ciphers                                                 | RC4 is no longer considered sufficiently secure and should therefore not be used.                                                                                                                          |
| Susceptible to SLOTH attack                                          | Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack.                                                                                     |
| Vulnerable according to the BSI                                      | SSL/TLS encryption does not comply with the requirements of the BSI (German Federal Office for Information Security).                                                                                      |
| No support for Perfect Forward Secrecy (PFS)                         | Perfect Forward Secrecy ensures that the newly negotiated session key cannot be reconstructed from the long-term key.                                                                                      |
| No support for Authenticated Encryption (AEAD) ciphers               |                                                                                                                                                                                                            |
| Susceptible to Sweet32 attacks                                       | The stream cipher RC4 makes the connection vulnerable to Sweet32 attacks.                                                                                                                                  |
| Supports weak protocols                                              | Weak, outdated protocols jeopardize the security of the SSL/TLS connection.                                                                                                                                |
| No certificate issuer can be determined                              | SSL/TLS certificates are issued by Certification Authorities (CA). The issuer must be identifiable.                                                                                                        |
| Certificate CRL not available                                        |                                                                                                                                                                                                            |
| Certificate signature cannot be decrypted                            | The signature of a certificate enables a third party to confirm the identity of the certificate owner. It should therefore be readable.                                                                    |
| CRL signature cannot be decrypted                                    |                                                                                                                                                                                                            |
| Public key cannot be decoded                                         | The public key is used to enable secure key exchange. It should therefore be decodable.                                                                                                                    |
| Invalid certificate signature                                        |                                                                                                                                                                                                            |
| Invalid CRL (Certificate Revocation List) signature                  |                                                                                                                                                                                                            |
| Invalid certificate                                                  | Trust has been withdrawn from invalid certificates. They should no longer be used.                                                                                                                         |
| Invalid expiration date of the certificate                           | The expiration date of the certificate used is incorrect.                                                                                                                                                  |
| Invalid CRL (Certificate Revocation List)                            | The certificate revocation list used is invalid.                                                                                                                                                           |
| Expiry of the validity of the CRL (Certificate Revocation List)      | The validity period of the certificate revocation list used has expired.                                                                                                                                   |
| Format error in the notbefore field of the certificate               | The notbefore field contains an invalid time.                                                                                                                                                              |
| Format error in the notafter field of the certificate                | The notafter field contains an invalid time.                                                                                                                                                               |
| Format error in the lastupdate field of CRL                          | The lastupdate field contains an invalid time.                                                                                                                                                             |
| Self-signed certificate                                              | Self-signed certificates are not able to confirm authenticity and are therefore not recommended.                                                                                                           |
| Self-signed certificate in the certificate chain                     | Self-signed certificates are not able to confirm authenticity and are therefore not recommended.                                                                                                           |
| Local issuer certificate not available                               |                                                                                                                                                                                                            |
| The first certificate could not be verified                          |                                                                                                                                                                                                            |
| Certificate chain too long                                           |                                                                                                                                                                                                            |
| Revoked certificate                                                  | The certificate used has been revoked and should no longer be used.                                                                                                                                        |
| Invalid CA certificate                                               | The certificate issued by the Certificate Authority is invalid.                                                                                                                                            |
| Path length limit exceeded                                           |                                                                                                                                                                                                            |
| Unsupported certificate purpose                                      |                                                                                                                                                                                                            |
| Certificate is not trustworthy                                       | The certificate used is not considered trustworthy.                                                                                                                                                        |
| Certificate rejected                                                 | The certificate used causes problems and is therefore rejected.                                                                                                                                            |
| Deviation between certification body and issuer                      | Certification body and issuer do not match.                                                                                                                                                                |
| Mismatch between certification body and serial number of the issuer  | Certification authority and serial number of the issuer do not match.                                                                                                                                      |
| The key usage does not take into account the signing of certificates |                                                                                                                                                                                                            |
| Expired certificate                                                  | If the certificate has expired, it becomes invalid and you can no longer carry out secure transactions.                                                                                                    |

{% hint style="info" %}
It can happen that a certificate is marked as unverifiable in Enginsight even though your browser shows no error message when you open the domain. This is not a false positive. In this case, your browser has cached the certificate chain of a common Certification Authority (CA), which is why it can still trace the certificate chain. However, this is not a correct configuration of your SSL/TLS encryption, as the reference to the root certificate is missing in the certificate chain.
{% endhint %}
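
The difference between a browser with cached CA certificates and a verifier that only sees what the server sends can be reproduced with a small path builder. This is an added example, not Enginsight code: the certificates are constructed name-only records, `build_path` and its result strings are hypothetical, and it assumes the server omitted an intermediate certificate. Real verifiers also check signatures, validity dates and extensions.

```python
# Constructed certificates, reduced to the two names that path building links on.
LEAF = {"subject": "CN=www.example.test", "issuer": "CN=Example Issuing CA"}
INTERMEDIATE = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}

MAX_DEPTH = 8  # guard against issuer loops in malformed chains


def build_path(served, trust_anchors, cached=()):
    """Link the leaf (served[0]) up to a trust anchor.

    served:        certificates sent by the server in the handshake, leaf first
    trust_anchors: root certificates the verifier trusts
    cached:        intermediates the verifier remembers from earlier connections
    Returns (ok, path_of_subjects, reason).
    """
    anchors = {c["subject"] for c in trust_anchors}
    pool = {c["subject"]: c for c in list(served[1:]) + list(cached)}
    current = served[0]
    path = [current["subject"]]
    for _ in range(MAX_DEPTH):
        issuer = current["issuer"]
        if issuer in anchors:
            if issuer != current["subject"]:
                path.append(issuer)
            return True, path, "chain ends at a trusted root"
        if issuer == current["subject"]:
            return False, path, "self-signed certificate that is not a trust anchor"
        nxt = pool.get(issuer)
        if nxt is None:
            return False, path, "issuer certificate not available: " + issuer
        path.append(nxt["subject"])
        current = nxt
    return False, path, "certificate chain too long"


if __name__ == "__main__":
    cases = {
        "strict verifier, leaf only": build_path([LEAF], [ROOT]),
        "browser with cached intermediate": build_path([LEAF], [ROOT], cached=[INTERMEDIATE]),
        "strict verifier, full chain served": build_path([LEAF, INTERMEDIATE], [ROOT]),
    }
    for name, (ok, path, reason) in cases.items():
        print(f"{name}: ok={ok} path={' -> '.join(path)} ({reason})")
```

The fix on the server side is the third case: serve the leaf together with its intermediate certificates so that every verifier can build the path without relying on a cache.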

### Supported Protocols <a href="#unterstuetzte-protokolle" id="unterstuetzte-protokolle"></a>

You receive an overview of all supported protocols, which are compared with best practice. A rating indicates how critical deviations from the recommendation are.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FsnJVj2gqXKKkfntwORhl%2FSupported%20Protocols.png?alt=media&#x26;token=d26f67ab-9c60-4c28-9cd9-0a20f6b17df3" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
The "OK" label means that the certificates comply with current security standards and have no critical security gaps.
{% endhint %}

### Supported Ciphers

You receive an overview of all supported ciphers, which are compared with best practice. A rating indicates how critical deviations from the recommendation are.

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FqURtx9F7PubI3OBgwnyP%2FSupported%20Cypers.png?alt=media&#x26;token=ae06fc10-b01d-44aa-ae87-26ab80a9d576" alt=""><figcaption></figcaption></figure>
