Mercurial > hg > orthanc-book
changeset 238:a363714813b2
securing orthanc
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Fri, 12 Apr 2019 11:37:14 +0200 |
parents | 1a701dfdfcad |
children | a162fa200a13 |
files | Sphinx/source/dicom-guide.rst Sphinx/source/faq.rst Sphinx/source/faq/scalability.rst Sphinx/source/faq/security.rst Sphinx/source/plugins/dicomweb.rst |
diffstat | 5 files changed, 189 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/Sphinx/source/dicom-guide.rst Thu Apr 04 16:29:17 2019 +0200 +++ b/Sphinx/source/dicom-guide.rst Fri Apr 12 11:37:14 2019 +0200 @@ -262,6 +262,8 @@ Orthanc <rest>`. +.. _dicom-protocol: + DICOM network protocol ----------------------
--- a/Sphinx/source/faq.rst Thu Apr 04 16:29:17 2019 +0200 +++ b/Sphinx/source/faq.rst Fri Apr 12 11:37:14 2019 +0200 @@ -19,6 +19,7 @@ faq/rest-samples.rst faq/series-completion.rst faq/proprietary.rst + faq/security.rst Features supported by Orthanc -----------------------------
--- a/Sphinx/source/faq/scalability.rst Thu Apr 04 16:29:17 2019 +0200 +++ b/Sphinx/source/faq/scalability.rst Fri Apr 12 11:37:14 2019 +0200 @@ -65,3 +65,6 @@ * Make sure to read guides about the `tuning of PostgreSQL <https://wiki.postgresql.org/wiki/Performance_Optimization>`__. + +* You might also be interested in checking the options related to + :ref:`security <security>`.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/Sphinx/source/faq/security.rst Fri Apr 12 11:37:14 2019 +0200 @@ -0,0 +1,181 @@ +.. _security: + +Securing Orthanc +================ + +.. contents:: + +Orthanc is a microservice for medical imaging. Out-of-the-box, it +makes the assumption that it runs on the localhost, within a secured +environment. As a consequence, care must be taken if deploying Orthanc +in a insecure environment, especially if it is run as a public-facing +service on Internet. This page provides instructions to secure Orthanc +through its :ref:`configuration options <configuration>`. + + +General configuration +--------------------- + +As for any service running on a computer, you should: + +* Make sure to run the Orthanc service as a separate user. In + particular, never run Orthanc as the ``root`` user on GNU/Linux, or + as the ``Administrator`` user on Microsoft Windows. + +* Contact your network administrators to setup `Intranet firewalls + <https://en.wikipedia.org/wiki/Firewall_(computing)>`__, so that + only trusted computers can contact Orthanc through its REST API + or through the DICOM protocol. + +Care must also be taken about some configuration options specific to +Orthanc: + +* ``LimitFindResults`` and ``LimitFindInstances`` should not be set to + zero to avoid making Orthanc unresponsive on large databases by a + malicious user that would make many lookups within Orthanc. A value + of ``100`` should be a good compromise. + +* ``HttpsVerifyPeers`` should be set to ``true`` to secure outgoing + connections to remote HTTPS servers (such as when Orthanc is acting + as a :ref:`DICOMweb client <dicomweb-client>`). + +* Make sure to understand the implications of the + ``OverwriteInstances`` option. + +* You might also be interested in checking the options related to + :ref:`performance optimization <scalability>`. + + + +Securing the HTTP server +------------------------ + +.. highlight:: lua + +Orthanc publishes a :ref:`REST API <rest>` that provides full +programmatic access to its content, in read/write. This means for +instance that a malicious user could delete the entire content of the +server, or could inspect confidential medical data. + +By default, the HTTP server is restricted to the localhost to prevent +such attacks from the outside world. However, as soon as external +access is granted by setting the ``RemoteAccessAllowed`` configuration +option to ``true``, you should: + +* Set ``AuthenticationEnabled`` to ``true`` to force the users to + authenticate. The authorized users are listed in the option + ``RegisteredUsers``. + +* Enable :ref:`HTTPS encryption <https>` to prevent the stealing of + medical data or passwords, even on the Intranet. + +* If Orthanc is put on a server that can be contacted from Internet, + put Orthanc behind a :ref:`reverse proxy <https>`, and let this + reverse proxy take care of the HTTPS encryption. + +* Setup rules that define, for each authorized user, which resources + it can access, and through which HTTP method (GET, POST, DELETE + and/or PUT). This can be done by defining a :ref:`filter written in + Lua <lua-filter-rest>`. Here is a sample Lua filter that + differentiates between an administrator user (``admin``) who has + full access on the localhost only, and a generic user (``user``) + that has only read-only access:: + + function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders) + if method == 'GET' and (username == 'user' or username == 'admin') then + -- Read-only access (only GET method is allowed) + return true + elseif username == 'admin' and ip == '127.0.0.1' then + -- Read-write access for administrator (any HTTP method is allowed on localhost) + return true + else + -- Access is disallowed by default + return false + end + end + + Very importantly, make sure to protect ``POST`` access to the + ``/tools/execute-script`` URI. This URI can indeed be used by a + malicious user to execute any system command on the computer as the + user that runs Orthanc. + +* Consider implementing a :ref:`higher-level application + <improving-interface>` (e.g. in PHP) that takes care of user + authentication/authorization, and that is the only one to be + allowed to contact the Orthanc REST API. + +* For advanced scenarios, you might have interest in the + :ref:`advanced authorization plugin <authorization>`. Similarly, + developers of :ref:`plugins <plugins>` could be interested by the + ``OrthancPluginRegisterIncomingHttpRequestFilter2()`` function + provided by the Orthanc plugin SDK. + + +**Remark:** These parameters also apply to the :ref:`DICOMweb server plugin <dicomweb>`. + + +Securing the DICOM server +------------------------- + +.. highlight:: json + +Besides its REST API that is served through its embedded HTTP/HTTPS +server, Orthanc also acts as a :ref:`DICOM server <dicom-protocol>` +(more precisely, as a DICOM SCP). + +The DICOM modalities that are known to Orthanc are defined by setting +the ``DicomModalities`` configuration option. Out-of-the-box, Orthanc +accepts C-ECHO and C-STORE commands sent by unknown modalities, but +blocks C-FIND and C-MOVE commands issued by unknown modalities. + +To fully secure the DICOM protocol, you should: + +* Set the ``DicomAlwaysAllowEcho`` configuration option to ``false`` + to disallow C-ECHO commands from unknown modalities. + +* Set the ``DicomAlwaysAllowStore`` configuration option to ``false`` + to disallow C-STORE commands from unknown modalities. + +* Set the ``DicomCheckModalityHost`` configuration option to ``true`` + to validate the IP and hostname address of the remote modalities. + +* For each modality that is defined in ``DicomModalities``, + selectively specify what DICOM commands are allowed to be issued by + the SCU of this modality by setting the suboptions ``AllowEcho``, + ``AllowFind``, ``AllowMove`` and ``AllowStore``. For instance, a + modality could be allowed to C-STORE images, but be disallowed to + C-FIND the content of Orthanc. Here is a sample configuration to + define a single modality that is only allowed to send DICOM + instances to Orthanc:: + + { + "DicomModalities" : { + "untrusted" : { + "AET" : "CT", + "Port" : 104, + "Host" : "192.168.0.10", + "AllowEcho" : false, + "AllowFind" : false, + "AllowMove" : false, + "AllowStore" : true + } + } + } + + **Note:** These configuration suboptions only affect the behavior of + the DICOM SCP of Orthanc (i.e. for incoming connections). Orthanc + will always be able to make outgoing DICOM SCU connections to these + modalities, independently of the value of these suboptions. + +* Consider implementing a :ref:`filter implemented in Lua + <lua-filter-rest>` to restrict which modalities can C-STORE images + within Orthanc, and which kind of images are accepted by Orthanc. + +* Consider setting ``DicomCheckCalledAet`` to ``true`` to force proper + configuration of remote modalities. + + +**Remark:** As of Orthanc 1.5.6, `DICOM TLS encryption +<https://www.dicomstandard.org/using/security/>`__ is not supported +yet. We are looking for :ref:`an industrial sponsor <contributing>` to +get this feature implemented, as it is useful in enterprise scenarios.