Exceptions to the measurement policy

Disclaimer: The original of this page was written in Dutch. This page has been automatically translated into other languages using DeepL. This may lead to differences in nuance, tone and meaning. When in doubt, always consult the Dutch version first. Because of the high cost of translations, the content of this page may lag behind the Dutch version. We consider the Dutch version of this page to be leading.

This page contains a list of exception situations for the basic security measurements. A measurement without context is evaluated negatively. Basic security therefore adds exceptions following the so-called “comply or explain” process.

If an exception is missing, please contact us. The exception request will then be reviewed and may or may not be added to the measurements. Include the requirements of the proper explanation manual in your request.

Version numbers

The expectation is that no information is encountered that an attacker could use to carry out an attack. In general, therefore, we do not expect version numbers. These are the exceptions to that:

  1. SSH-2.0 identification strings without comments are excluded, because the version information is part of the protocol; see www.openssh.com/txt/rfc4253.txt, section 4.2. That means, for example, that “OpenSSH_9.2p1” is approved but “OpenSSH_9.2p1 Debian-2+deb12u2” is not, because the latter publishes additional information (“Debian-2+deb12u2”) about the system. This shows that the system is not hardened against attackers, and an attacker knows exactly what kind of system this is.
  2. Major versions of well-known products that say little about the patch level, such as Microsoft IIS 8.5, Microsoft httpapi/2.0, rtc 7.0 and awselb/2.0. These are approved.
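The SSH exception in item 1 can be checked mechanically: RFC 4253 section 4.2 defines the identification string as `SSH-protoversion-softwareversion SP comments CR LF`, so a banner is covered by the exception only when the optional comments field is absent. The classifier below is an added example written for this page, not part of the measurement tooling; the sample banners are constructed and the verdict fields are this example's own.

```python
import re
from dataclasses import dataclass

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion contain no whitespace and no '-';
# everything after the first space is the optional comments field.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?:[ \t]+(?P<comments>.*))?$"
)


@dataclass
class BannerVerdict:
    approved: bool   # True when the banner falls under the exception
    reason: str
    software: str = ""
    comments: str = ""


def classify_ssh_banner(banner: str) -> BannerVerdict:
    """Apply the version-number exception to one SSH identification line."""
    line = banner.rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if not m:
        return BannerVerdict(False, "not an RFC 4253 identification string")
    proto, software = m.group("proto"), m.group("software")
    comments = (m.group("comments") or "").strip()
    if proto != "2.0":
        return BannerVerdict(False, f"exception covers SSH-2.0 only, got SSH-{proto}",
                             software, comments)
    if comments:
        # The comments field carries distribution/patch detail beyond what the
        # protocol requires, so the banner is not covered by the exception.
        return BannerVerdict(False, f"comments field discloses extra system information: {comments!r}",
                             software, comments)
    return BannerVerdict(True, "protocol-mandated software version only", software)


# Constructed sample banners; not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.2p1\r\n",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n",
    "SSH-1.99-OpenSSH_5.3\r\n",
    "220 mail.example.test ESMTP\r\n",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        v = classify_ssh_banner(b)
        print(f"{b.strip()!r:45} -> {'approved' if v.approved else 'NOT approved'}: {v.reason}")
```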

Certificates

All certificates are expected to be issued by an accredited organization, so that they are trusted by browsers and devices. These are the exceptions to this:

  1. G1 Government Certificates. These are not trusted by the browser but are trusted by the central government; this is indicated by a statement. Not being trusted by the browser is now by design. The certificate that is accepted must, among other things, include the serial number 10004001.

Open ports

The expectation is that the attack surface is minimal, that is, as few open ports as possible. These are the exceptions to this:

  1. 8080/8443 (Cloudflare): By default, the Cloudflare firewall opens some redundant ports, such as 8080. You can configure what is served there. If we see Cloudflare listed there, we currently approve it with an explanation. This is ultimately not good, and we encourage Cloudflare users to tell the company that it should start closing these ports. This exception is applied based on the content of the web page; a policy is applied to it as the declaration.
  2. 8443 (VPN): Subdomains related to working from home may open this port. We recognize these by subdomains such as (and many variations on): telecommuting, homeworking, workstation, extranet, intranet, remote, remote working, vpn and the like.

Encrypted data transfer (HTTPS)

Websites and web services are expected to be encrypted so that information remains confidential. These are the exceptions to this:

  1. Certificate revocation lists: No encrypted connection is needed on the subdomains “pki”, “crl”, “ocsp” and some variants thereof. The HSTS header does not need to be set on port 443 (we would not expect HTTPS there).
  2. No encryption is required on Microsoft Autodiscover subdomains. This is a general exception for Microsoft services, because otherwise everyone would be marked red. This applies to “autodiscover” and “autodiscover.test” domains.

HTTP Headers

The expectation is that all websites are set up securely. These are the exceptions to that:

  1. Missing headers for SOAP/JSON/XML content types: These services are not intended for humans and therefore do not need to provide the browser protections that are meant to protect humans.
  2. Missing headers for technical services: The ADFS subdomain does not require the HSTS header to be set.

Other

All security requirements are expected to be met. There are complex scenarios where this has not yet happened or is not possible. These are the exceptions:

  1. Microsoft services on subdomains such as lyncdiscover, sip, enterpriseenrollment, enterpriseregistration, webmail and msoid. This exception was made because these services are not intended for browsers but for automated services, and at the same time because the impact would be high everywhere and ICT service providers cannot solve these problems:
    • The certificate on these subdomains is considered trusted, despite not being trusted according to Qualys.
    • Because these are services intended for devices rather than browsers, the HTTP headers are not required.