Security Hardening for Acunetix 360 On-Premises
You can follow this security hardening guide to improve the security of your On-Premises installation.
Updating to the current version
It is strongly recommended that you always run the latest version of Acunetix 360 On-Premises.
Acunetix 360 is available as an On-Demand and an On-Premises solution. The On-Premises solution runs on your own servers and network, so it is strongly recommended that you update it manually whenever a new version is released.
- Updating lets you scan your web application with the new security checks and improvements that address the latest threats. Each new version also includes fixes and improvements for the On-Premises solution itself.
- When a new version of the On-Premises solution is released, it is pushed to all users. The UI displays a notice saying "A new version of Acunetix 360 is available. Download the latest version." This notice also includes the release notes.
For further information, see Updating Acunetix 360 On-Premises.
Configuring the SSL/TLS Certificate for Acunetix 360 Application Server
Unless your Acunetix 360 Application Server is configured to use HTTPS, the traffic between the Acunetix 360 Agents and the Acunetix 360 Application Server is sent in cleartext.
- Acunetix 360 requires Transport Layer Security (TLS) for the communication between the Application Server and the Agent(s).
- The application server in Acunetix 360 provides the web interface that enables the efficient administration and automation of scans. This is the application that you see and use via the Acunetix 360 UI.
- The agent is a service application that executes scans and informs the application server of the results.
The following diagram shows the architecture of Acunetix 360.
If you do not configure HTTPS for the application server, its communication with the agent is sent in cleartext. To prevent this, install your website certificate in Microsoft IIS. For further information about installing SSL certificates, see Step-by-Step instructions on Installing SSL Certificate on Microsoft IIS 8, 8.5 and 10.
How to configure the SSL/TLS Certificate for Acunetix 360 Application Server
- Log in to the Acunetix 360 Application Server with an admin account.
- From the main menu, select Settings > General.
- In the Server Root URL field, replace the protocol with ‘https’.
- If you completed the SSL/TLS configuration before installing any of the Acunetix 360 Agents, you do not need to complete the following steps, because the agents' configuration should already be correct.
If you need to go back and update your Agents, however, do the following:
- Open the Acunetix 360 Agent's config file (default location: C:\Program Files (x86)\Acunetix 360 Agent\appsettings.json) and change the apiRootUrl value to the new HTTPS URL.
- Restart the server on which the agent is installed. For the Agent to connect to the Acunetix 360 Application Server, the HTTPS connection must be free of SSL/TLS errors. If there are certificate errors, as illustrated below, the agent cannot connect to the application server because SSL/TLS validation fails:
You can install an internally trusted certificate on the Acunetix 360 Application Server and the Acunetix 360 Agents. When both the servers and the visitors (browsers) trust that certificate, everything works as expected. Refer to your operating system manuals for how to add a CA certificate as a trusted root authority.
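The two things that go wrong in the steps above are an apiRootUrl that still starts with http, and a server certificate the agent's host does not trust. The following script is an added example, not Acunetix's own tooling: it reads the agent's appsettings.json, confirms that apiRootUrl uses https, and then performs a TLS handshake with full chain and hostname validation (the same kind of validation that makes the agent refuse to connect), so certificate problems show up before you restart the agent. It assumes only that the config is JSON with an apiRootUrl key somewhere in its tree (the page names the key, not its nesting); the hostnames in the samples are constructed placeholders.

```python
"""Added example (not Acunetix's own tooling): check an Acunetix 360 Agent's
appsettings.json for an HTTPS apiRootUrl, then perform the same kind of TLS
validation the agent performs so certificate problems surface before a restart.

Assumptions: the config is JSON and contains an "apiRootUrl" key somewhere in
its tree (the page names the key, not its nesting); hostnames below are
constructed placeholders.
"""
import json
import socket
import ssl
import sys
from urllib.parse import urlparse

DEFAULT_AGENT_CONFIG = r"C:\Program Files (x86)\Acunetix 360 Agent\appsettings.json"

# Constructed sample configs: one still pointing at the cleartext URL, one fixed.
SAMPLE_HTTP_CONFIG = '{"apiRootUrl": "http://acunetix360.example.internal/", "logging": {"level": "Information"}}'
SAMPLE_HTTPS_CONFIG = '{"apiRootUrl": "https://acunetix360.example.internal/", "logging": {"level": "Information"}}'


def find_key(node, wanted):
    """Depth-first, case-insensitive search for a key in parsed JSON; None if absent."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == wanted.lower():
                return value
            found = find_key(value, wanted)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_key(item, wanted)
            if found is not None:
                return found
    return None


def check_agent_config(config_text):
    """Return a list of findings about apiRootUrl; an empty list means it is HTTPS."""
    try:
        data = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    url = find_key(data, "apiRootUrl")
    if not isinstance(url, str) or not url.strip():
        return ["apiRootUrl is missing or empty"]
    parts = urlparse(url.strip())
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"apiRootUrl uses {parts.scheme or 'no'} scheme, not https: {url}")
    if not parts.hostname:
        findings.append(f"apiRootUrl has no host: {url}")
    return findings


def verify_tls_endpoint(url, cafile=None, timeout=5.0):
    """TLS handshake with full chain and hostname verification, the way a client
    that does not skip validation behaves.  cafile: PEM bundle holding your
    internal CA when the server cert is not issued by a public CA.
    Returns (True, subject_dict) or (False, reason)."""
    parts = urlparse(url)
    host, port = parts.hostname, parts.port or 443
    if not host:
        return False, f"no host in URL: {url}"
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return True, subject
    except ssl.SSLCertVerificationError as exc:
        # This is the failure the agent hits: untrusted CA, name mismatch, expiry.
        return False, f"certificate validation failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_AGENT_CONFIG
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        with open(path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; checking the built-in sample instead")
        text = SAMPLE_HTTP_CONFIG
    findings = check_agent_config(text)
    for finding in findings:
        print("FINDING:", finding)
    if not findings:
        url = find_key(json.loads(text), "apiRootUrl")
        ok, detail = verify_tls_endpoint(url, cafile=cafile)
        print("TLS OK, server cert subject:" if ok else "TLS FAILED:", detail)
```

Run it on the agent host as `python check_agent_tls.py "C:\Program Files (x86)\Acunetix 360 Agent\appsettings.json" internal-ca.pem`; the second argument is only needed when the application server's certificate chains to an internal CA that Python's default store does not know. The script deliberately never disables verification: a handshake that only succeeds with validation turned off is exactly the state in which the agent will fail.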
Encrypting connections to the SQL Server
Enabling SSL/TLS encryption protects the data transmitted between the SQL Server and the Acunetix 360 Application Server. This is only necessary if the SQL Server is installed on a different server in a different network.
How to encrypt connections to SQL Server
- First, configure an SSL/TLS certificate for your SQL Server instance (see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console).
- Next, from the main menu, select Settings > Database.
- On the Database Settings page, enable the Encrypt Connection checkbox.
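Ticking Encrypt Connection asks the client to encrypt; whether the session is actually encrypted, and whether the server's certificate is validated rather than blindly trusted, is worth confirming. The script below is an added example, not Acunetix's own code, and it goes slightly beyond the page's checkbox: it inspects a SQL Server connection string for the standard Encrypt and TrustServerCertificate keywords, and interprets rows from the standard sys.dm_exec_connections view (its encrypt_option column reports the server-side truth for the current session). How Acunetix 360 stores its database settings internally is not shown on the page and is not assumed here; the server names and rows are constructed samples.

```python
"""Added example (not Acunetix's own code): two checks that a SQL Server
connection is actually encrypted.  Encrypt and TrustServerCertificate are
standard SQL Server client connection-string keywords, and
sys.dm_exec_connections.encrypt_option is a standard SQL Server DMV column;
how Acunetix 360 stores its database settings internally is not assumed.
"""

# Values that turn encryption on.  Encrypt=Mandatory/Strict are accepted by
# newer Microsoft.Data.SqlClient drivers; older drivers default to unencrypted
# when the keyword is absent, so an absent keyword is treated as off.
ENCRYPT_ON = {"true", "yes", "1", "mandatory", "strict"}
TRUE_VALUES = {"true", "yes", "1"}

# Constructed sample strings: the weak form and the hardened form.
WEAK_CONN = "Server=sql01.example.internal;Database=Acunetix360;Integrated Security=True"
HARDENED_CONN = ("Server=sql01.example.internal;Database=Acunetix360;"
                 "Integrated Security=True;Encrypt=True;TrustServerCertificate=False")

# Query to run over the application's own connection: encrypt_option is what
# the server actually negotiated, regardless of what the client asked for.
ENCRYPTION_CHECK_SQL = (
    "SELECT session_id, encrypt_option, auth_scheme, client_net_address "
    "FROM sys.dm_exec_connections WHERE session_id = @@SPID;"
)


def parse_connection_string(conn):
    """Parse 'Key=Value;...' into a dict with lower-cased keys.  Values wrapped
    in '...', "..." or {...} may contain ';' or '=' (typical for passwords)."""
    result, key, buf, closing = {}, None, [], None
    for ch in conn:
        if closing:                       # inside a quoted value
            if ch == closing:
                closing = None
            else:
                buf.append(ch)
        elif ch in "'\"{" and key is not None and not "".join(buf).strip():
            closing = "}" if ch == "{" else ch   # quote opens at start of a value
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip().lower(), []
        elif ch == ";":
            if key is not None:
                result[key] = "".join(buf).strip()
            key, buf = None, []
        else:
            buf.append(ch)
    if key is not None:
        result[key] = "".join(buf).strip()
    return result


def check_connection_string(conn):
    """Return findings; an empty list means encrypted with certificate validation."""
    props = parse_connection_string(conn)
    findings = []
    if props.get("encrypt", "").lower() not in ENCRYPT_ON:
        findings.append("Encrypt is not enabled: data to SQL Server travels in cleartext")
    if props.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate=True skips certificate validation: "
                        "the link is encrypted but the server is not authenticated")
    return findings


def connection_is_encrypted(rows):
    """rows: dicts for the rows returned by ENCRYPTION_CHECK_SQL (for example
    built from a DB-API cursor).  True only if every row reports
    encrypt_option = 'TRUE'; an empty result is treated as not verified."""
    rows = list(rows)
    return bool(rows) and all(str(r.get("encrypt_option", "")).upper() == "TRUE" for r in rows)


if __name__ == "__main__":
    for label, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN)):
        print(f"{label}: {check_connection_string(conn) or ['OK']}")
    # Constructed rows shaped like the DMV output, for the server-side check.
    sample_rows = [{"session_id": 51, "encrypt_option": "TRUE", "auth_scheme": "KERBEROS",
                    "client_net_address": "10.0.0.5"}]
    print("server reports encrypted:", connection_is_encrypted(sample_rows))
```

The second finding matters as much as the first: TrustServerCertificate=True makes the handshake succeed against any certificate, so an attacker on the path between the application server and SQL Server could terminate the TLS session unnoticed. Completing the first step above (a real certificate on the SQL Server instance) is what lets you leave it at False.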
Enabling Two-factor authentication / Universal 2nd factor authentication (U2F)
You can also enable two-factor authentication. Two-factor authentication setup does not require an internet connection and does not transmit any data to outside networks.
For further information, see Enabling Two-Factor Authentication.
Protecting Acunetix 360 with a firewall
Acunetix 360 was designed to operate inside a trusted, firewalled internal network. Acunetix 360 must be protected by an external firewall; the Windows firewall should be sufficient to protect Acunetix 360.
- Acunetix 360 automatically encrypts communication between nodes using TLS; nevertheless, it is recommended that firewalls be enabled on the machines that host Acunetix 360.
- Note that by default the Acunetix 360 On-Premises installation process does not configure ports in the Windows firewall; if external access is required, configure the required rules manually.
Restricting access to the server
Acunetix 360's configuration files and log files may contain sensitive information. Therefore, it is highly recommended to restrict physical access to the machine that is running Acunetix 360.
Also, ensure that only authorized and trusted users have access to the Acunetix 360 files in C:\Program Files (x86)\Acunetix 360 Web Application\App_Data.