This document provides hardening, configuration and best-practice recommendations for your Naverisk installation and server.
Ensure that either the Windows firewall or a third-party firewall is enabled. It should be configured to deny (block) all inbound and outbound traffic on all ports other than those required for Naverisk, email and administration. The following ports are required for Naverisk:
• Inbound TCP 8092 (Network Controller – Agent listener)
• Inbound TCP 9202 (Site Controller – ACT (Agent) listener)
• Inbound TCP 9999 (Site Controller – Network Controller listener)
• Inbound TCP 9990 (Remote Control relay)
• Inbound UDP 9990 (Remote Control relay)
• Outbound TCP 9993 (Management Service)
• Inbound TCP 443 (Web server HTTPS)
Other ports required are outbound SMTP (email sending) and inbound POPS (mail fetching). Note that plain POP is not recommended. Do not enable inbound SMTP.
You will also require RDP access for administration. We recommend that this is restricted via the firewall to trusted addresses only. For cloud-hosted servers, this should be your office's external IP address. For internal servers, we recommend restricting access to authorised workstations only.
Windows Server opens a number of firewall ports by default; each of these should be assessed and closed unless absolutely required. Inbound WMI is often used for monitoring or management; however, it should be restricted or blocked, as it provides an attack vector.
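The firewall policy described above, expressed as a PowerShell script using the built-in NetSecurity cmdlets. This is an added example, not a script from Naverisk or its installation guide. It assumes Windows Server 2012 R2 or later, an elevated session, and that the placeholder `$TrustedAdminAddresses` is replaced with your office external IP or admin subnet; the SMTP submission port, and the outbound DNS and HTTPS rules that keep name resolution and Windows Update working under a default-deny outbound policy, are assumptions you should adjust to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not Naverisk's own script): default-deny firewall with only the
# Naverisk, mail and administration ports open, per the hardening notes above.
$TrustedAdminAddresses = @('203.0.113.10')   # placeholder: your office external IP / admin subnet
$SmtpRelayPort         = 587                 # assumption: your mail relay's submission port
$RuleGroup             = 'Naverisk hardening' # lets the script be re-run cleanly

# 1. Firewall on for every profile, default deny in both directions.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Remove rules from a previous run of this script.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Inbound listeners from the port table in the text.
$inbound = @(
    @{ Name = 'Naverisk Network Controller - Agent listener';  Protocol = 'TCP'; Port = 8092 }
    @{ Name = 'Naverisk Site Controller - ACT (Agent) listener'; Protocol = 'TCP'; Port = 9202 }
    @{ Name = 'Naverisk Site Controller - Network Controller';  Protocol = 'TCP'; Port = 9999 }
    @{ Name = 'Naverisk Remote Control relay (TCP)';            Protocol = 'TCP'; Port = 9990 }
    @{ Name = 'Naverisk Remote Control relay (UDP)';            Protocol = 'UDP'; Port = 9990 }
    @{ Name = 'Naverisk Web server HTTPS';                      Protocol = 'TCP'; Port = 443  }
)
foreach ($r in $inbound) {
    New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup -Direction Inbound `
        -Protocol $r.Protocol -LocalPort $r.Port -Action Allow | Out-Null
}

# 4. Outbound: Management Service and mail submission from the text, plus DNS and
#    HTTPS (assumption: needed for resolution and patching; tighten -RemoteAddress
#    to your resolvers / update source if you can).
$outbound = @(
    @{ Name = 'Naverisk Management Service';   Protocol = 'TCP'; Port = 9993 }
    @{ Name = 'Naverisk outbound SMTP';        Protocol = 'TCP'; Port = $SmtpRelayPort }
    @{ Name = 'Outbound DNS (assumption)';     Protocol = 'UDP'; Port = 53 }
    @{ Name = 'Outbound HTTPS for updates (assumption)'; Protocol = 'TCP'; Port = 443 }
)
foreach ($r in $outbound) {
    New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup -Direction Outbound `
        -Protocol $r.Protocol -RemotePort $r.Port -Action Allow | Out-Null
}

# 5. RDP only from trusted addresses. Create the restricted rule first, then disable
#    the built-in "Remote Desktop" rules that allow RDP from anywhere.
New-NetFirewallRule -DisplayName 'RDP from trusted admin addresses' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedAdminAddresses `
    -Action Allow | Out-Null
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 6. Review what is now allowed inbound: anything outside the table above needs a reason.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

Run it from a console session or from an address that is in `$TrustedAdminAddresses`, since step 5 drops RDP from everywhere else. Step 6 is the check worth keeping: the Windows Server default rules the text mentions (including WMI) show up in that listing if they are still enabled.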
Naverisk uses IIS as its web server. This should be secured as follows:
• Remove bindings for HTTP. Only HTTPS should be enabled.
• Do not use self-signed certificates for Naverisk. Obtain and install a valid SSL certificate.
• Do not host any other websites or services on the Naverisk server.
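The first two IIS items above, as an added PowerShell example (not part of the Naverisk documentation): remove every plain-HTTP binding from the site and check that the certificate behind the HTTPS binding is not self-signed. It assumes the WebAdministration module is present, that the site is `Default Web Site` (adjust `$SiteName`), and that a certificate is already bound on port 443.

```powershell
#Requires -RunAsAdministrator
# Added example (not Naverisk's own script): HTTPS-only IIS with a certificate check.
Import-Module WebAdministration
$SiteName = 'Default Web Site'   # assumption: replace with the Naverisk site name

# Show the bindings before touching anything.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation

# Drop every http binding on the site; Remove-WebBinding accepts them from the pipeline.
Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding

# Check each remaining https binding's certificate. A self-signed certificate has
# its Issuer equal to its Subject; a CA-issued one does not.
foreach ($b in (Get-WebBinding -Name $SiteName -Protocol https)) {
    $thumb = $b.certificateHash
    if (-not $thumb) { Write-Warning "Binding $($b.bindingInformation) has no certificate bound."; continue }
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($b.certificateStoreName)\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) { Write-Warning "Certificate $thumb not found in store $($b.certificateStoreName)."; continue }
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Binding $($b.bindingInformation) uses self-signed certificate $thumb; replace it with a CA-issued certificate."
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate for $($b.bindingInformation) expires on $($cert.NotAfter); renew it."
    } else {
        "OK: $($b.bindingInformation) -> $($cert.Subject), issued by $($cert.Issuer), valid until $($cert.NotAfter)"
    }
}

# Final state: only https bindings should be listed.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```

The certificate check is the part to schedule: a binding that passed at install time can silently become an expired or replaced self-signed certificate later.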
Accounts and access
• Restrict access to the Naverisk server to designated admins only.
• Ensure admin accounts have strong passwords.
• If using Domain accounts, ensure admins use a separate account for administration, and that their regular day-to-day accounts do not have Domain Admin privilege.
• Configure auditing and/or alerting for all logons to the Naverisk server.
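One way to put the last item into practice, added here as an example rather than a Naverisk-supplied procedure: enable success and failure auditing for logons, then summarise recent interactive and RDP logons and failed attempts from the Security log so they can be compared against the trusted admin addresses. It assumes an elevated session on the Naverisk server; `$TrustedAdminAddresses` and `$LookbackHours` are placeholders to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example (not Naverisk's own script): logon auditing plus a review of recent logons.
$TrustedAdminAddresses = @('203.0.113.10')   # placeholder: same list used for the RDP firewall rule
$LookbackHours         = 24                  # assumption: review window

# 1. Make sure logon events (4624 success / 4625 failure) are actually recorded.
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Account Lockout" /success:enable /failure:enable | Out-Null

# 2. Pull the logon events and flatten the EventData fields we care about.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id                                   # 4624 = success, 4625 = failure
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = [int]$d['LogonType']                    # 2 = console, 3 = network, 10 = RDP
        Source    = $d['IpAddress']
    }
}

# 3. Interactive and RDP logons, flagging any source not in the trusted list.
"Interactive/RDP logons in the last $LookbackHours h:"
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in 2, 10 } |
    Select-Object Time, User, LogonType, Source,
        @{ n = 'Trusted'; e = { $_.Source -in $TrustedAdminAddresses -or $_.Source -in '-', '127.0.0.1', '::1' } } |
    Sort-Object Time | Format-Table -AutoSize

# 4. Failed logons grouped by source address: a high count from one address is
#    the pattern to alert on.
"Failed logons by source:"
$rows | Where-Object { $_.Id -eq 4625 } | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, @{ n = 'Source'; e = { $_.Name } } |
    Format-Table -AutoSize
```

The same query is a reasonable basis for alerting: forward the Security log to your monitoring, or run step 3 on a schedule and raise an alert whenever `Trusted` is false.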
Ensure the Naverisk server's patching is up to date, with all security patches installed. Zero-day exploits are increasingly common, and patches should be installed as quickly as practicable after they are released.
• Do not run any other application or services on the Naverisk server.
• Do not share any directories on the server.
• When connecting via RDP, do not map local drives on your workstation to the server.
• Do not install any web browsers on the server. Ensure Protected Mode is enabled in IE. Never browse websites from the server, even to download software that is to be installed.
Review the installation guide and ensure that Naverisk and its underlying components (e.g. IIS) are configured correctly.
Ensure that you have the latest Naverisk version installed.
Best practice guidelines and recommendations
Poorly secured user accounts are one of the most common attack vectors, so good account and password management will pay the greatest dividends in securing your Naverisk installation.
• Ensure all users are using 2FA plus a PIN code.
• If the API is required, the API user account should have a secure, randomised password. This should be at least 15 characters long.
• Make use of Groups in Naverisk to control what users can do. Do not give every user full admin rights. Minimise the number of users able to edit Devices; this restricts the ability to create dangerous script packs or remove monitoring. Likewise, restrict access to the Settings tab.
• Have a proper staff exit procedure to ensure accounts are disabled as soon as staff leave. Disgruntled ex-staff with Naverisk access could create chaos very easily.
Other observations and suggestions
• Ensure your own network is secured and has proper anti-virus/anti-spyware protection. Use mail-washing applications if possible. Most attacks start from within your network, not externally.
• Ensure your clients are using anti-virus/anti-spyware, and that you are actively monitoring this from Naverisk.
• Ensure you and your clients are running regular, effective backups. Backup storage/vaults should not be on CIFS/SMB shares, as these can be accessed by crypto-locker (ransomware) attacks. Backups should include Office 365 email, OneDrive and SharePoint data.
• Plan, document and rehearse DR/recovery procedures for you and your clients. This minimises the damage caused by an attack by allowing you to react quickly and effectively, and allows you to recover from an attack in the shortest possible time.