The following guide provides a series of recommendations for improving the security (“hardening”) of your Acunetix On-Premises installation.
1. Update to the current version
It is recommended that you always run the latest version of Acunetix. Additionally, Acunetix periodically publishes updates, which may include fixes for known security vulnerabilities.
By default Acunetix is set to Download and install updates automatically. If this setting is modified to Notify me of new product updates, it is recommended that you periodically review the Acunetix Build History page to ensure no security updates are missed. It is not recommended to set the update option to Do not automatically check for updates [Not Recommended].
Updates are downloaded from https://updates.acunetix.com over a secure HTTPS connection.
To get the latest version or build of Acunetix, visit https://www.acunetix.com/download/fullver.
2. Configure TLS with a valid, trusted certificate
Transport Layer Security (TLS) is required by Acunetix, however, it is recommended that you use a valid, trusted certificate (not the default self-signed certificate created by Acunetix during installation).
Acunetix comes with a built-in utility for generating certificates for use with Acunetix. You can find this utility under C:\Program Files (x86)\Acunetix\core\certgen.exe
certgen.exe usage:
certgen /d <target_directory> /c <common_name>
To generate certificate signed using existing authority
certgen /d <target_directory> /a
To generate new authority
certgen /d <target_directory> /c <common_name> /a [/i]To generate new authority and signed certificate (/i to also install it in ROOT)
This is the same tool which the Acunetix installer uses to generate and register the certificate during installation. If you are serving Acunetix on acunetix.example.com, you can run the following command if the self signed CA generated by Acunetix is sufficient for your needs.
certgen /d "C:\ProgramData\Acunetix\certs" /a /c acunetix.example.comThis will generate four files in the target directory:
ca.cer– Public certificate of the certificate authorityca.key– Private key of the certificate authority which can be used for signingserver.cer– Public certificate of Acunetix serverserver.key– Private key of the Acunetix server
If you want to use your own certificate authority (recommended) you can do that too. There are two approaches you can take.
Generate a Server Certificate via certgen.exe
Copy the CA’s certificate and private key in the directory you use for /d argument and name it ca.cer and ca.key.
Then you can run the command:
certgen /d "C:\ProgramData\Acunetix\certs" /c acunetix.example.comUse your own Server Certificate
You may use your own server certificate, in which case you have to generate the private key and the certificate in the aforementioned formats and configure them in C:\ProgramData\Acunetix\settings.iniin order for Acunetix to use them. The relevant lines from settings.ini are:
server.ssl.certificate=C:\path\to\server.cer
server.ssl.private_key=C:\path\to\server.key3. Firewall protection
Acunetix was designed to operate inside a trusted, firewalled internal network. Acunetix must be protected by an external firewall. The Windows firewall, should be sufficient to protect Acunetix in standalone and multi-engine deployments.
In multi-engine deployments, Acunetix automatically encrypts communication between nodes using TLS, however, it is recommended that firewalls are enabled on machines that host Acunetix. Additionally, if the multi-engine setup involves machines accessible on different networks (e.g. over the Internet) it’s strongly recommended that the communication occurs over a secure VPN connection.
Please note that by default, the Acunetix installation process does not configure ports in the Windows firewall — this will need to be done manually if external access is required.
4. Restrict access to the server
Acunetix configuration files and log files may contain sensitive information. Therefore, it is highly recommended to restrict physical access to the machine that is running Acunetix. In addition, ensure that only authorized and trusted users have access to the Acunetix files in the C:\ProgramData\Acunetix directory.
Get the latest content on web security
in your inbox each week.
THE AUTHOR
