
Security hardening for Acunetix On-Premises

THIS DOCUMENT IS FOR: Acunetix On-Premises

The following document provides a series of recommendations for improving the security (“hardening”) of your Acunetix On-Premises installation.

1. Update to the latest version

Always run the latest version of Acunetix. Updates are published periodically and may include fixes for known security vulnerabilities, so an out-of-date installation may be exposed to issues that have already been fixed.

By default, Acunetix is set to Download and install updates automatically. If you change this setting to Notify me of new product updates, review the Acunetix release notes page periodically so that no security update is missed. Do not set the update option to Do not automatically check for updates.

Updates are downloaded from https://updates.acunetix.com over a secure HTTPS connection.

To get the latest version or build of Acunetix, visit https://www.acunetix.com/download/fullver.

2. Configure TLS with a valid, trusted certificate

Acunetix always serves its interface over Transport Layer Security (TLS); however, it is recommended that you use a valid, trusted certificate rather than the self-signed certificate that Acunetix creates during installation, so that administrators can detect a man-in-the-middle on the management connection instead of being trained to click through certificate warnings.

Acunetix comes with a built-in utility for generating certificates for use with Acunetix. You can find this utility under C:\Program Files (x86)\Acunetix\core\certgen.exe.

The utility does not currently display any help; its usage is detailed below.

Usage of certgen.exe:

certgen /d <target_directory> /c <common_name>
    Generate a server certificate signed by an existing authority (ca.cer and ca.key must already be present in <target_directory>)

certgen /d <target_directory> /a
    Generate a new certificate authority

certgen /d <target_directory> /c <common_name> /a [/i]
    Generate a new authority and a server certificate signed by it (/i also installs the generated authority certificate in the ROOT certificate store)

This is the same tool the Acunetix installer uses to generate and register the certificate during installation. If the self-signed CA generated by Acunetix is sufficient for your needs and you are serving Acunetix on acunetix.example.com, run:

certgen /d "C:\ProgramData\Acunetix\certs" /a /c acunetix.example.com

This will generate four files in the target directory:

  • ca.cer – Public certificate of the certificate authority
  • ca.key – Private key of the certificate authority which can be used for signing
  • server.cer – Public certificate of Acunetix server
  • server.key – Private key of the Acunetix server

If you want to use your own certificate authority (recommended), there are two approaches you can take:

Approach 1: Generate a server certificate via certgen.exe

Copy the CA's certificate and private key into the directory you pass as the /d argument, naming them ca.cer and ca.key.

IMPORTANT:
The private key has to be in OpenSSL PEM format and UNENCRYPTED, and the certificate in X.509 (PEM) format. Because the CA private key sits on disk unencrypted, keep that directory readable only by administrators (see section 4), and remove ca.key from the Acunetix server once the server certificate has been issued; it is not needed at runtime.

Then, you can run the command:

certgen /d "C:\ProgramData\Acunetix\certs" /c acunetix.example.com

Approach 2: Use your own server certificate

If you prefer to use your own TLS certificate for Acunetix, you can do so by replacing the default certificate files. Generate the private key and the certificate in the formats described above and reference them in C:\ProgramData\Acunetix\settings.ini so that Acunetix uses them. The relevant lines in settings.ini are:

server.ssl.certificate=C:\path\to\server.cer
server.ssl.private_key=C:\path\to\server.key

There are two common pitfalls to avoid when providing your own certificate and key:

  1. Use an unencrypted private key

Encrypted (passphrase-protected) private keys are not supported. You can check the key by opening it in a text editor:

  • A valid (unencrypted) key starts with:

-----BEGIN RSA PRIVATE KEY-----

  • An invalid (encrypted) key starts with:

-----BEGIN ENCRYPTED PRIVATE KEY-----

A key in the older OpenSSL format is also passphrase-protected if the -----BEGIN RSA PRIVATE KEY----- line is followed by Proc-Type: 4,ENCRYPTED and DEK-Info: lines; such a key must be decrypted in the same way.

If your key is encrypted, convert it to an unencrypted form using OpenSSL (you will be prompted for the passphrase):

openssl rsa -in encrypted.key -out unencrypted.key

OpenSSL 3.x writes the result with a PKCS#8 -----BEGIN PRIVATE KEY----- header by default; add the -traditional option to obtain the -----BEGIN RSA PRIVATE KEY----- header shown above. Treat the unencrypted key like a password and store it only where the access restrictions from section 4 apply.

  2. Use a properly formatted certificate file

The certificate file should be in PEM format and must not include extraneous lines or headers.

Open the certificate file in a text editor and make sure it starts directly with:

-----BEGIN CERTIFICATE-----

Avoid including metadata, comments, or headers (e.g., lines that begin with Bag Attributes, subject=, or issuer=) that may appear if the file was copied from a browser or extracted from a keystore.
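The following PowerShell script is an added example for Approach 2 and the two pitfalls above; it is not part of the Acunetix product or its documentation. It refuses a passphrase-protected key (both the PKCS#8 header and the older Proc-Type: 4,ENCRYPTED form), strips Bag Attributes, subject= and issuer= lines from an exported certificate, checks that the cleaned certificate parses and has not expired, and then rewrites the two settings.ini lines. The file paths, the name server-raw.cer for the unclean export, and the assumption that Acunetix must be restarted to pick up the new files are assumptions, not facts from the page.

```powershell
# Added example, not Acunetix code. Validates a key/certificate pair for the
# pitfalls documented above and points settings.ini at the cleaned files.
# Assumed paths; adjust for your installation.
$ErrorActionPreference = 'Stop'
$KeyPath      = 'C:\ProgramData\Acunetix\certs\server.key'
$RawCertPath  = 'C:\ProgramData\Acunetix\certs\server-raw.cer'   # as exported, may carry Bag Attributes
$CleanCert    = 'C:\ProgramData\Acunetix\certs\server.cer'
$SettingsPath = 'C:\ProgramData\Acunetix\settings.ini'

function Test-UnencryptedRsaKey {
    param([Parameter(Mandatory)][string]$Path)
    $first = (Get-Content -LiteralPath $Path | Where-Object { $_.Trim() } | Select-Object -First 1).Trim()
    if ($first -eq '-----BEGIN ENCRYPTED PRIVATE KEY-----') {
        throw "$Path is a passphrase-protected PKCS#8 key; decrypt it with: openssl rsa -in <key> -out <unencrypted.key>"
    }
    # Traditional PEM keys keep the RSA header even when encrypted; the
    # passphrase protection shows up as a Proc-Type: 4,ENCRYPTED line instead.
    if (Select-String -LiteralPath $Path -Pattern '^Proc-Type:\s*4,ENCRYPTED' -Quiet) {
        throw "$Path is a passphrase-protected traditional PEM key (Proc-Type: 4,ENCRYPTED); decrypt it with openssl rsa"
    }
    if ($first -ne '-----BEGIN RSA PRIVATE KEY-----') {
        throw "$Path starts with '$first'; expected -----BEGIN RSA PRIVATE KEY----- (on OpenSSL 3.x use: openssl rsa -traditional)"
    }
}

function Get-CleanCertificatePem {
    # Keeps only the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
    # block(s); drops Bag Attributes, subject=, issuer= and other export noise.
    param([Parameter(Mandatory)][string]$Path)
    $keep = New-Object System.Collections.Generic.List[string]
    $inside = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '-----BEGIN CERTIFICATE-----') { $inside = $true }
        if ($inside -and $t) { $keep.Add($t) }
        if ($t -eq '-----END CERTIFICATE-----')   { $inside = $false }
    }
    if ($keep.Count -eq 0) { throw "No -----BEGIN CERTIFICATE----- block found in $Path" }
    return ($keep -join "`r`n") + "`r`n"
}

Test-UnencryptedRsaKey -Path $KeyPath
$pem = Get-CleanCertificatePem -Path $RawCertPath
[System.IO.File]::WriteAllText($CleanCert, $pem, [System.Text.Encoding]::ASCII)

# Sanity check: the cleaned file must load as an X.509 certificate and be valid.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CleanCert
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
"Subject: $($cert.Subject)  Issuer: $($cert.Issuer)  Expires: $($cert.NotAfter)"

# Rewrite (or append) the two documented settings.ini keys, keeping a backup.
Copy-Item -LiteralPath $SettingsPath -Destination "$SettingsPath.bak" -Force
$wanted = @{ 'server.ssl.certificate' = $CleanCert; 'server.ssl.private_key' = $KeyPath }
$lines = @(Get-Content -LiteralPath $SettingsPath)
foreach ($k in $wanted.Keys) {
    $pattern = '^\s*' + [regex]::Escape($k) + '\s*='
    if ($lines -match $pattern) {
        $lines = $lines -replace ($pattern + '.*$'), "$k=$($wanted[$k])"
    } else {
        $lines += "$k=$($wanted[$k])"
    }
}
[System.IO.File]::WriteAllLines($SettingsPath, [string[]]$lines)
"settings.ini updated; restart the Acunetix services so the new certificate is loaded."
```

Run it from an elevated PowerShell prompt, since C:\ProgramData\Acunetix is normally writable only by administrators. If you have OpenSSL at hand, the equivalent of Get-CleanCertificatePem is openssl x509 -in server-raw.cer -out server.cer, which re-emits only the certificate block.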

3. Firewall protection

Acunetix was designed to operate inside a trusted, firewalled internal network and must sit behind a firewall. The Windows firewall should be sufficient to protect Acunetix in both standalone and multi-engine deployments, provided its default inbound action remains Block and only the ports you deliberately open are reachable.

In multi-engine deployments, Acunetix automatically encrypts communication between nodes using TLS, however, it is recommended that firewalls are enabled on machines that host Acunetix. Additionally, if the multi-engine setup involves machines accessible on different networks (e.g. over the Internet) it’s strongly recommended that the communication occurs over a secure VPN connection.

Note that by default, the Acunetix installation process does not configure ports in the Windows firewall — this will need to be done manually if external access is required.
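The script below is an added example, not something the installer or the Acunetix documentation provides. It opens the Acunetix web interface only to an administrative subnet and then audits for any other enabled inbound Allow rule on the same port. It assumes the interface listens on TCP 3443 (the installer default in current builds; check settings.ini if you changed it) and that administrators connect from 10.10.20.0/24; both values are assumptions to adjust.

```powershell
# Added example, not Acunetix code. Restricts inbound access to the Acunetix UI
# to an admin subnet. Assumed values: port 3443 and subnet 10.10.20.0/24.
$ErrorActionPreference = 'Stop'
$Port        = 3443
$AdminSubnet = '10.10.20.0/24'
$RuleName    = 'Acunetix UI (admin subnet only)'

# 1. A narrow Allow rule is only meaningful if unsolicited inbound traffic is
#    dropped by default, so pin the firewall on with DefaultInboundAction=Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Replace any previous copy of our rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain,Private

# 3. Audit: every enabled inbound Allow rule that covers the port (or 'Any'
#    port) and is not ours is a wider hole that defeats the restriction.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$Port" -or $_.LocalPort -eq 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    Select-Object DisplayName, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
```

Do not try to tighten this further with a catch-all Block rule on the port: in the Windows firewall an explicit Block rule always wins over an Allow rule, so it would cut off the admin subnet as well. Rely on the Block default and keep the audit output empty instead.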

4. Restrict access to the server

Acunetix configuration files and log files may contain sensitive information. Therefore, it is highly recommended to restrict physical access to the machine that is running Acunetix. In addition, ensure that only authorized and trusted users have access to the Acunetix files in the C:\ProgramData\Acunetix directory.
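The following script is an added example for this section, not Acunetix tooling. It reports every principal with Allow access to C:\ProgramData\Acunetix that is not on a trusted list (the unencrypted TLS keys from section 2 live under this directory, so BUILTIN\Users inheriting read access from C:\ProgramData is exactly what you want to find) and, when $Apply is set, cuts the inheritance and leaves only the trusted principals. It assumes the Acunetix services run as LocalSystem; if yours run under a dedicated account, add it to $Trusted or the product will lose access to its own files.

```powershell
# Added example, not Acunetix code. Audits and optionally hardens the ACL on the
# Acunetix data directory. Assumption: SYSTEM and Administrators are the only
# principals that need access (extend $Trusted if a service account is used).
$ErrorActionPreference = 'Stop'
$DataDir = 'C:\ProgramData\Acunetix'
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$Apply   = $false     # dry run by default; set to $true to enforce

function Get-UntrustedAces {
    param([string]$Path, [string[]]$TrustedPrincipals)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value
    }
}

function Protect-Directory {
    param([string]$Path, [string[]]$TrustedPrincipals)
    # Step 1: stop inheriting from C:\ProgramData but keep copies of the
    # inherited ACEs, and commit, so the copies become explicit and removable.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: drop every principal not on the trusted list, then grant the
    # trusted ones Full Control that propagates to files and subfolders.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if ($TrustedPrincipals -notcontains $ace.IdentityReference.Value) {
            $acl.PurgeAccessRules($ace.IdentityReference)
        }
    }
    foreach ($p in $TrustedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$before = Get-UntrustedAces -Path $DataDir -TrustedPrincipals $Trusted
if ($before) {
    "Principals with access to $DataDir that are not on the trusted list:"
    $before | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
} else {
    "No untrusted principals have access to $DataDir"
}

if ($Apply -and $before) {
    Protect-Directory -Path $DataDir -TrustedPrincipals $Trusted
    $after = Get-UntrustedAces -Path $DataDir -TrustedPrincipals $Trusted
    if ($after) { throw "ACL still grants access to: $($after.IdentityReference -join ', ')" }
    "Hardened ACL applied to $DataDir"
}
```

Run the dry run first from an elevated prompt and review the table before setting $Apply; the script only rewrites the ACL of the top-level directory, so files or subfolders that already carry explicit (non-inherited) ACEs for other principals need to be reviewed separately.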