Devolutions Server security dashboard

The Security Dashboard is a tool to offer guidance on how to improve the security of the Devolutions Server platform and also tips on reducing the workload for administrators. Some tips are common infosec best practices, others are a consensus between our owns teams.

The scores are admittedly open to question and we do not pretend each topic has the same relative value for all of our community members. Achieving 100% is surely not an end goal in itself, we simply aim to raise awareness and provide ideas for your own security hardening.

KB4707

Improvement Actions Items

Active directory should be configured to use a secure communication channel

Description The LDAPS protocol should be used to provide communication confidentiality and integrity over the network. Otherwise, actions such as password resets could send the password in cleartext over the network.
Mitigation In the web interface Administration – Server Settings – Authentication – Domain, check Enable LDAPS

Backups should be enabled and configured

Description Backups should be configured to an external media or cloud storage to avoid permanent loss of data.

Database accounts should be different for web application, scheduler and management tools

Description Minimum privileges should be granted and applied for service and database accounts to operate. Shared and excessively privileged service and database accounts may induce unnecessary security risk exposure.

Email notifications should be configured

Description An email server configuration is required to transmit important application messages such as security events or errors.
Mitigation Email server settings are in the web interface Administration – Server Settings – Email.

External logging destination should be configured

Description Sending logs to an external system is recommended to maintain integrity and availability of event information.
Mitigation Logging is configured in the web interface Administration – Server Settings – Logging.

Secure https communications should be enabled

Description Secure communications guarantee the integrity and confidentiality of the data transmitted between the client and the server.

Sessions should be revalidated within 24 hours

Description Excessive session duration may allow exposure beyond necessary to unauthorized users. Refresh token lifetime should therefore be configured within 24 hours (1440 min).

The administrator count should be no more than 5

Description Limiting the number of active administrators within the platform will reduce the attack surface of an attacker to only those accounts configured. Having more than 5 administrators can also be a sign of poor segregation of duty within the business unit or organization.

The default mssql “sa” database account should be avoided

Description The default MSSQL administrative account is a high privilege account that should only be used to manage the database instance. A less privileged user or service account is preferred to reduce impact of compromise.

The server configuration file should be encrypted

Description Sensitive information is stored in the web.config configuration file. It is recommended to enable encryption to prevent tampering and ensure confidentiality.

Vault security level should be set to high

Description Vault security level should be set to high in the vault settings.
Mitigation Vault settings are in the web interface of Devolutions Server under Administration – User and Security Management – Vaults. Edit a vault to open the Edit vault settings window and select High in the drop-down menu under General – Security level.
Give us Feedback