F. Best Practices

Security practices and customizations for your Pleasant Password Server installation.

1. Protect the Admin account

At startup, a local admin user is created and is assigned an Administration role with system-wide permissions.
Actions that remove, disable, or inhibit this role are not covered by Technical Support.

Risks to Mitigate:

Without a protected, recoverable admin account your installation is at risk of being unprepared for an emergency, of you being locked out, or of losing access to your stored assets altogether.

Steps:

  • Set and verify the admin user's email address, using a secure email account (password resets are only as safe as the mailbox they go to)
  • Configure the admin's login reset settings so that the password can be reset if it is forgotten
  • Rename the admin account from the default name to a name of your choice, so that the account is not trivially guessable
  • Use this admin user only for emergencies and initial configuration
  • Treat this admin account as a "Superuser" account

2. Maintain a working Local Admin account

Risks to Mitigate:

  • A dropped connection to the Domain Controllers will lock LDAP and Active Directory users, including administrators, out of Password Server.
  • Emergencies can happen to a single user account: an admin can get locked out, or can lose a password that cannot be recovered.

Steps:

  • Set up a second Administrator Group with the Administer Users permission. Give it only the "working everyday" permissions it needs, which should be fewer than the Superuser has. Review it periodically and remove any permission that is not needed on a weekly basis.
  • Remember to grant the group's permissions on the Root folder.
  • Set up a second Admin user and treat it as the "Everyday Admin" account. Keep it as a local account if possible, so that it still works when the Domain Controllers are unreachable.
  • Configure the Everyday Admin's email address and login reset settings separately from the Superuser admin's.

3. Set up Database Backups & Store Encryption Keys in a Secondary Location

Risks to Mitigate:

  • Accidentally deleting a folder
  • Forgetting a credential and needing to recover it
  • Making a serious configuration mistake

Steps:

  • Store a copy of your Encryption Keys in a secure location, separate from the backups themselves (a backup without its key cannot be restored; a backup stored next to its key is readable by anyone who obtains both)
    • Server Encryption key from the Service Config Utility
    • Database Backup Encryption key from Database Backup & Database Restore
  • Schedule Automatic Backups of your Database, and periodically test that a backup can actually be restored with the stored keys

4. Take regular Snapshots of Server

  • Install inside a Virtual Machine (VM). Regular backups of the VM then also cover point 3, since the snapshot contains the database and the server configuration. The encryption keys should still be kept in a separate location, as the snapshot only helps if you can still decrypt it.

5. Keep your Service Plan up-to-date

  • We strongly recommend keeping updated with the latest Security measures, fixes, and features.
  • Our Support lives up to our name in as many ways as possible.

6. Use a trusted third-party Certificate

  • We recommend purchasing a signed SSL/TLS certificate from a trusted third-party vendor and hosting the server on an FQDN that matches the certificate's subject. Users then get a browser-trusted connection without certificate warnings, which also stops them from learning to click through warnings that would otherwise hide a real man-in-the-middle attack.

7. Disallow older methods of SSL encryption

  • A variety of SSL/TLS protocol versions and cipher suites are available on your machine, many of which are older methods that are no longer recommended. Removing them means that users with very old browsers (IE 6, etc.) will no longer be able to connect to your server, but it also means that current browsers cannot be downgraded to a less secure protocol or cipher.
  • Here is a Microsoft page that provides some additional information.
  • Use a tool such as IIS Crypto: https://www.nartac.com/Products/IISCrypto/
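The following PowerShell script is an added example (not Pleasant Solutions' code, and not part of the original page) that does what IIS Crypto does for the protocol versions: it edits the SCHANNEL registry keys that Windows uses to decide which SSL/TLS versions may be negotiated. It assumes that the Password Server's HTTPS listener is terminated by Windows SCHANNEL (for example through HTTP.sys), that it is run from an elevated PowerShell prompt, and that a reboot is acceptable, since SCHANNEL reads these keys at startup. The registry path, value names and protocol key names are Microsoft's documented layout; the list of protocols to disable is a choice made here.

```powershell
# Added example: disable legacy SSL/TLS protocol versions in Windows SCHANNEL.
# Assumptions: TLS is terminated by SCHANNEL (e.g. HTTP.sys), running elevated,
# and the machine will be rebooted afterwards so SCHANNEL re-reads the keys.
#Requires -RunAsAdministrator

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Versions to turn off and the one to keep on explicitly. TLS 1.3 is left at the
# OS default because it only exists on recent Windows releases.
$disable = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$enable  = 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # "Server" governs inbound connections (users hitting the web UI).
    # "Client" governs outbound connections, e.g. LDAPS to Domain Controllers,
    # so make sure the DCs already support TLS 1.2 before disabling older versions here.
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $base "$Name\$side"
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # Enabled=0 turns the version off; DisabledByDefault=1 stops it being offered.
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

foreach ($p in $disable) { Set-SchannelProtocol -Name $p -Enabled $false }
Set-SchannelProtocol -Name $enable -Enabled $true

# Print the resulting state so it can be reviewed before the reboot.
Get-ChildItem $base -Recurse | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Key               = ($_.PSPath -replace '.*Protocols\\', '')
        Enabled           = $v.Enabled
        DisabledByDefault = $v.DisabledByDefault
    }
} | Format-Table -AutoSize
```

After the reboot, check the result from another machine rather than trusting the registry alone, for example with `nmap --script ssl-enum-ciphers -p 443 <your-fqdn>` or an online scanner: the scan should list only TLS 1.2 (and TLS 1.3 where the OS supports it). Cipher suite ordering is a separate SCHANNEL setting and is not changed by this script; IIS Crypto covers that as well.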

8. Review the Ten Immutable Laws of Security

  • Many security concerns result from procedures which violate one or more of these laws.
  • Detailed list on Microsoft Technet.


Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.