The Security Dashboard is simply a tool to offer guidance on how to improve the security of the Devolutions Server platform and also tips on reducing the workload for administrators. Some tips are common infosec best practices, others are a consensus between our owns teams.
The scores are admittedly open to question and we do not pretend each topic has the same relative value for all of our community members. Achieving 100% is surely not an end goal in itself, we simply aim to raise awareness and provide ideas for your own security hardening.
Improvement Actions Items
Active directory should be configured to use a secure communication channel
The LDAPS protocol should be used to provide communication confidentiality and integrity over the network. Otherwise, actions such as password resets could send the password in cleartext over the network.
In the web interface Administration - Server Settings - Authentication - Domain, check Enable LDAPS
Backups should be enabled and configured
Backups should be configured to an external media or cloud storage to avoid permanent loss of data.
Database accounts should be different for web application, scheduler and management tools
Minimum privileges should be granted and applied for service and database accounts to operate. Shared and excessively privileged service and database accounts may induce unnecessary security risk exposure.
Email notifications should be configured
An email server configuration is required to transmit important application messages such as security events or errors.
Email server settings are in the web interface Administration - Server Settings - Email
External logging destination should be configured
Sending logs to an external system is recommended to maintain integrity and availability of event information.
Logging is configured in the web interface Administration - Server Settings - Logging
Secure https communications should be enabled
Secure communications guarantee the integrity and confidentiality of the data transmitted between the client and the server.
Sessions should be revalidated within 24 hours
Excessive session duration may allow exposure beyond necessary to unauthorized users. Refresh token lifetime should therefore be configured within 24 hours (1440 min).
The administrator count should be no more than 5
Limiting the number of active administrators within the platform will reduce the attack surface of an attacker to only those accounts configured. Having more than 5 administrators can also be a sign of poor segregation of duty within the business unit or organization.
The default mssql “sa” database account should be avoided
The default MSSQL administrative account is a high privilege account that should only be used to manage the database instance. A less privileged user or service account is preferred to reduce impact of compromise.
The server configuration file should be encrypted
Sensitive information is stored in the web.config configuration file. It is recommended to enable encryption to prevent tampering and ensure confidentiality.