Mercurial > hg > orthanc-book
annotate Sphinx/source/faq/security.rst @ 979:caa4d1484627
typo
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Fri, 01 Sep 2023 09:11:28 +0200 |
parents | 20a369cc2823 |
children |
rev | line source |
---|---|
238 | 1 .. _security: |
2 | |
3 Securing Orthanc | |
4 ================ | |
5 | |
6 .. contents:: | |
7 | |
8 Orthanc is a microservice for medical imaging. Out-of-the-box, it | |
9 makes the assumption that it runs on the localhost, within a secured | |
10 environment. As a consequence, care must be taken if deploying Orthanc | |
11 in a insecure environment, especially if it is run as a public-facing | |
12 service on Internet. This page provides instructions to secure Orthanc | |
13 through its :ref:`configuration options <configuration>`. | |
14 | |
15 | |
16 General configuration | |
17 --------------------- | |
18 | |
19 As for any service running on a computer, you should: | |
20 | |
21 * Make sure to run the Orthanc service as a separate user. In | |
22 particular, never run Orthanc as the ``root`` user on GNU/Linux, or | |
23 as the ``Administrator`` user on Microsoft Windows. | |
24 | |
25 * Contact your network administrators to setup `Intranet firewalls | |
26 <https://en.wikipedia.org/wiki/Firewall_(computing)>`__, so that | |
27 only trusted computers can contact Orthanc through its REST API | |
28 or through the DICOM protocol. | |
29 | |
634
2571d7f4e135
protect configuration file
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
30 * Make sure that the :ref:`configuration files <configuration>` |
2571d7f4e135
protect configuration file
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
31 containing confidential information or private keys (typically |
2571d7f4e135
protect configuration file
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
32 ``RegisteredUsers``) are only readable by the user that runs |
2571d7f4e135
protect configuration file
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
33 Orthanc. |
2571d7f4e135
protect configuration file
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
34 |
238 | 35 Care must also be taken about some configuration options specific to |
36 Orthanc: | |
37 | |
38 * ``LimitFindResults`` and ``LimitFindInstances`` should not be set to | |
39 zero to avoid making Orthanc unresponsive on large databases by a | |
40 malicious user that would make many lookups within Orthanc. A value | |
41 of ``100`` should be a good compromise. | |
42 | |
43 * ``HttpsVerifyPeers`` should be set to ``true`` to secure outgoing | |
44 connections to remote HTTPS servers (such as when Orthanc is acting | |
45 as a :ref:`DICOMweb client <dicomweb-client>`). | |
46 | |
47 * Make sure to understand the implications of the | |
48 ``OverwriteInstances`` option. | |
49 | |
50 * You might also be interested in checking the options related to | |
51 :ref:`performance optimization <scalability>`. | |
52 | |
526 | 53 |
54 .. _security_http: | |
238 | 55 |
56 Securing the HTTP server | |
57 ------------------------ | |
58 | |
59 .. highlight:: lua | |
60 | |
61 Orthanc publishes a :ref:`REST API <rest>` that provides full | |
62 programmatic access to its content, in read/write. This means for | |
63 instance that a malicious user could delete the entire content of the | |
64 server, or could inspect confidential medical data. | |
65 | |
66 By default, the HTTP server is restricted to the localhost to prevent | |
67 such attacks from the outside world. However, as soon as external | |
68 access is granted by setting the ``RemoteAccessAllowed`` configuration | |
69 option to ``true``, you should: | |
70 | |
71 * Set ``AuthenticationEnabled`` to ``true`` to force the users to | |
72 authenticate. The authorized users are listed in the option | |
73 ``RegisteredUsers``. | |
74 | |
75 * Enable :ref:`HTTPS encryption <https>` to prevent the stealing of | |
76 medical data or passwords, even on the Intranet. | |
77 | |
78 * If Orthanc is put on a server that can be contacted from Internet, | |
79 put Orthanc behind a :ref:`reverse proxy <https>`, and let this | |
80 reverse proxy take care of the HTTPS encryption. | |
512 | 81 |
82 * Enable :ref:`Client certificate authentication <https>` between multiple | |
83 Orthanc peers. | |
84 | |
526 | 85 * Consider turning of the :ref:`embedded WebDAV server <webdav>` by |
86 setting configuration option ``WebDavEnabled`` to ``false``. | |
938 | 87 |
88 * Ensure that ``/tools/execute-script`` is disabled by leaving the configuration | |
89 ``ExecuteLuaEnabled`` to its default ``false`` value. | |
90 | |
91 * Ensure that the REST API can not write to the filesystem (e.g. in the | |
92 ``/instances/../export`` route) by leaving the configuration | |
939 | 93 ``RestApiWriteToFileSystemEnabled`` to its default ``false`` value. |
938 | 94 |
948 | 95 * Make sure to run Orthanc as a non-privileged user with read-write access only |
96 for the storage area. | |
97 | |
238 | 98 * Setup rules that define, for each authorized user, which resources |
99 it can access, and through which HTTP method (GET, POST, DELETE | |
100 and/or PUT). This can be done by defining a :ref:`filter written in | |
101 Lua <lua-filter-rest>`. Here is a sample Lua filter that | |
102 differentiates between an administrator user (``admin``) who has | |
103 full access on the localhost only, and a generic user (``user``) | |
104 that has only read-only access:: | |
105 | |
106 function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders) | |
107 if method == 'GET' and (username == 'user' or username == 'admin') then | |
108 -- Read-only access (only GET method is allowed) | |
109 return true | |
110 elseif username == 'admin' and ip == '127.0.0.1' then | |
111 -- Read-write access for administrator (any HTTP method is allowed on localhost) | |
112 return true | |
113 else | |
114 -- Access is disallowed by default | |
115 return false | |
116 end | |
117 end | |
118 | |
119 Very importantly, make sure to protect ``POST`` access to the | |
944 | 120 ``/tools/execute-script`` and ``/instances/../export`` URIs. |
121 The first URI can indeed be used by a malicious user to execute any | |
122 system command on the computer as the user that runs Orthanc. The second | |
123 URI can be used by a malicious user to overwrite system files possibly | |
124 with malicious DICOM files that may lead to execution of system commands. | |
238 | 125 |
126 * Consider implementing a :ref:`higher-level application | |
289 | 127 <improving-interface>` (e.g. in PHP, Java, Django...) that takes |
128 care of user authentication/authorization, and that is the only one | |
129 to be allowed to contact the Orthanc REST API. In particular, you | |
130 must create a higher-level application so as to properly deal with | |
131 `CSRF attacks | |
132 <https://en.wikipedia.org/wiki/Cross-site_request_forgery>`__: | |
133 Indeed, as explained in the introduction, Orthanc is a microservice | |
134 that is designed to be used within a secured environment. | |
238 | 135 |
812 | 136 * Configuration option ``OrthancExplorerEnabled`` should be set to |
137 ``false`` in Internet-facing deployments. | |
138 | |
238 | 139 * For advanced scenarios, you might have interest in the |
140 :ref:`advanced authorization plugin <authorization>`. Similarly, | |
141 developers of :ref:`plugins <plugins>` could be interested by the | |
142 ``OrthancPluginRegisterIncomingHttpRequestFilter2()`` function | |
143 provided by the Orthanc plugin SDK. | |
144 | |
942 | 145 * Don't forget that, if you are using a Database Server to store your |
146 index, you can deploy | |
147 :ref:`multiple Orthanc instances connected to the same DB <multiple-writers>`. | |
148 You may therefore have one Orthanc that is public facing with a very strict | |
149 secure configuration and one Orthanc that is not public facing and less | |
150 secured that is accessible e.g. only to your backend application or your | |
151 scripts. | |
238 | 152 |
153 **Remark:** These parameters also apply to the :ref:`DICOMweb server plugin <dicomweb>`. | |
154 | |
155 | |
156 Securing the DICOM server | |
157 ------------------------- | |
158 | |
159 .. highlight:: json | |
160 | |
161 Besides its REST API that is served through its embedded HTTP/HTTPS | |
162 server, Orthanc also acts as a :ref:`DICOM server <dicom-protocol>` | |
163 (more precisely, as a DICOM SCP). | |
164 | |
248 | 165 In general, the DICOM protocol should be disabled if running Orthanc |
166 on a cloud server, except if you use a VPN (cf. `reference | |
517 | 167 <https://groups.google.com/d/msg/orthanc-users/yvHexxG3dTY/7s3A7EHVBAAJ>`__) |
168 or a SSH tunnel (cf. `reference | |
518 | 169 <https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/>`__). Favor |
517 | 170 HTTPS for transfering medical images across sites (see above). You can |
171 turn off DICOM protocol by setting the configuration option | |
172 ``DicomServerEnabled`` to ``false``. | |
248 | 173 |
238 | 174 The DICOM modalities that are known to Orthanc are defined by setting |
175 the ``DicomModalities`` configuration option. Out-of-the-box, Orthanc | |
176 accepts C-ECHO and C-STORE commands sent by unknown modalities, but | |
177 blocks C-FIND and C-MOVE commands issued by unknown modalities. | |
178 | |
179 To fully secure the DICOM protocol, you should: | |
180 | |
181 * Set the ``DicomAlwaysAllowEcho`` configuration option to ``false`` | |
182 to disallow C-ECHO commands from unknown modalities. | |
183 | |
184 * Set the ``DicomAlwaysAllowStore`` configuration option to ``false`` | |
185 to disallow C-STORE commands from unknown modalities. | |
186 | |
187 * Set the ``DicomCheckModalityHost`` configuration option to ``true`` | |
683
11e536e70b37
ip addresses are mandatory if DicomCheckModalityHost is true
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
634
diff
changeset
|
188 to validate the IP address of the remote modalities (note that |
11e536e70b37
ip addresses are mandatory if DicomCheckModalityHost is true
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
634
diff
changeset
|
189 hostnames cannot be used in ``DicomModalities`` when this option is |
11e536e70b37
ip addresses are mandatory if DicomCheckModalityHost is true
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
634
diff
changeset
|
190 enabled: The ``Host`` values should only contain IP addresses). |
238 | 191 |
192 * For each modality that is defined in ``DicomModalities``, | |
193 selectively specify what DICOM commands are allowed to be issued by | |
194 the SCU of this modality by setting the suboptions ``AllowEcho``, | |
413 | 195 ``AllowFind``, ``AllowMove``, ``AllowStore`` and ``AllowGet``. For instance, a |
238 | 196 modality could be allowed to C-STORE images, but be disallowed to |
197 C-FIND the content of Orthanc. Here is a sample configuration to | |
198 define a single modality that is only allowed to send DICOM | |
199 instances to Orthanc:: | |
200 | |
201 { | |
202 "DicomModalities" : { | |
203 "untrusted" : { | |
204 "AET" : "CT", | |
205 "Port" : 104, | |
206 "Host" : "192.168.0.10", | |
207 "AllowEcho" : false, | |
208 "AllowFind" : false, | |
209 "AllowMove" : false, | |
413 | 210 "AllowGet" : false, |
238 | 211 "AllowStore" : true |
212 } | |
213 } | |
214 } | |
215 | |
216 **Note:** These configuration suboptions only affect the behavior of | |
217 the DICOM SCP of Orthanc (i.e. for incoming connections). Orthanc | |
218 will always be able to make outgoing DICOM SCU connections to these | |
219 modalities, independently of the value of these suboptions. | |
220 | |
221 * Consider implementing a :ref:`filter implemented in Lua | |
222 <lua-filter-rest>` to restrict which modalities can C-STORE images | |
223 within Orthanc, and which kind of images are accepted by Orthanc. | |
224 | |
225 * Consider setting ``DicomCheckCalledAet`` to ``true`` to force proper | |
226 configuration of remote modalities. | |
227 | |
228 | |
609
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
229 Starting with Orthanc 1.9.0, `DICOM TLS encryption |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
230 <https://www.dicomstandard.org/using/security/>`__ is supported by |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
231 Orthanc. If you need to share DICOM instances between sites, but if |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
232 you don't want to use DICOMweb or Orthanc peers over HTTPS, you must |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
233 enable :ref:`DICOM TLS in Orthanc <dicom-tls>` to ensure secure |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
234 exchanges. |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
235 |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
236 As a workaround for the releases <= 1.8.2 of Orthanc that don't |
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
237 support DICOM TLS, `it has been reported |
544
d7ec7ea133b8
note about nginx to emulate dicom tls
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
528
diff
changeset
|
238 <https://www.digihunch.com/2020/11/medical-imaging-web-server-deployment-pipeline/>`__ |
d7ec7ea133b8
note about nginx to emulate dicom tls
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
528
diff
changeset
|
239 that the "*SSL Termination for TCP Upstream Servers*" feature of nginx |
546 | 240 can be used to emulate DICOM TLS. Another option is to use `stunnel |
609
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
588
diff
changeset
|
241 <https://www.stunnel.org/>`__. |
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
242 |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
243 |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
244 Securing the storage |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
245 -------------------- |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
246 |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
247 In general, for security, Orthanc should store its database index |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
248 (PostgreSQL, SQLite...) and its :ref:`storage area <orthanc-storage>` |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
249 for DICOM files on an `on-premises, self-hosted infrastructure |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
250 <https://en.wikipedia.org/wiki/On-premises_software>`__ with `disk |
588 | 251 encryption |
252 <https://en.wikipedia.org/wiki/Disk_encryption>`__. Similarly, Orthanc | |
253 itself should ideally run on your own on-premises infrastructure, and | |
254 not on a virtual machine that is managed by a public cloud solution | |
255 provider. | |
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
256 |
588 | 257 Depending on your jurisdiction, it might be possible to move the |
258 storage area to a `cloud-based object storage | |
259 <https://en.wikipedia.org/wiki/Object_storage>`__, by using the | |
260 :ref:`dedicated storage plugins <object-storage>`. :ref:`Orthanc-side | |
261 encryption <client-side-encryption>` should be enabled in such a | |
262 situation. | |
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
263 |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
264 In any case, make sure to get legal advice that is very specific to |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
265 the legislation of the countries where you are active (for |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
266 illustration, check out the recent debates over the `privacy shield |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
267 <https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield>`__ in |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
268 Europe). Make sure to understand the implications of using cloud-based |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
269 object storage, of using virtual machines in the cloud to store health |
588 | 270 data, of using managed database servers (even with so-called |
271 "encryption-at-rest" features)... | |
586
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
272 |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
273 As a free and open-source project, the Orthanc ecosystem cannot be |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
274 taken as liable for any security breach or data leak in your |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
275 deployments, for any misconfiguration, for any bad handling of |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
276 personal/health data, for any bypassing of regulatory requirements, |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
277 for not being compliant with your local legislation, or for any |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
278 similar stuff: Orthanc is just software, security is your |
5f5519f1491a
securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
568
diff
changeset
|
279 responsibility. |