The information in this guide helps you make your Lasernet Keep system secure.
As a minimum, we recommend that you consider implementing the following security features:
- Set password complexity rules
- Use HTTPS for all web traffic and redirect HTTP traffic to HTTPS
- Use TLS for the database connection
Note
This page contains draft documentation for beta software. Until the final release of Lasernet Keep 11.0, the content on this page is subject to revision.
External Integrations
Content Security Policy (CSP)
We have implemented a Content Security Policy (CSP) that aligns with modern web security standards. This blocks and restricts dangerous behaviors.
The CSP prevents “iframing” in Keep, but the configuration can be adjusted to allow this if required. For more information, contact a Formpipe representative.
Database Password Protection
This feature encrypts the password that Keep uses to connect to the database. This password is stored in Keep configuration files. If you do not encrypt it, it is stored as cleartext. For instructions, see Encrypt the Lasernet Keep Datasource Password.
Firewall Rules
Keep Server
Configure the Keep server’s firewall to allow inbound traffic on the HTTPS port (443). This is the only open port required.
Outbound rules should allow access to the database server. SQL Server typically uses port 1433; see the link in the next section.
If you are using a NAS, ensure the appropriate ports are open, for example port 445 for SMB shares.
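The rules above expressed as Windows Defender Firewall commands, as an added example that is not part of Formpipe's documentation. The database and NAS addresses are placeholders, the rule display names are made up for this example, and it assumes SQL Server on port 1433 and an SMB NAS.

```powershell
# Added example, run from an elevated PowerShell session on the Keep server.
# Placeholder addresses (assumptions): replace with your own hosts.
$DbServer  = '192.0.2.10'   # placeholder: database server
$NasServer = '192.0.2.20'   # placeholder: NAS, only if one is used

# Inbound: HTTPS is the only port Keep needs open.
New-NetFirewallRule -DisplayName 'Keep - HTTPS inbound' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443

# Outbound: database connection (SQL Server typically uses 1433).
# Outbound allow rules only matter where the firewall profile's default
# outbound action is Block; the Windows default is Allow.
New-NetFirewallRule -DisplayName 'Keep - SQL Server outbound' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $DbServer -RemotePort 1433

# Outbound: SMB to the NAS that holds archive data (skip if no NAS).
New-NetFirewallRule -DisplayName 'Keep - SMB to NAS outbound' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $NasServer -RemotePort 445

# Review: list every enabled inbound allow rule that opens something other
# than TCP 443. Built-in Windows rules will appear here too; each entry is a
# candidate to disable or scope down if the server does not need it.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = $pf.LocalPort -join ','
        }
    } |
    Where-Object { -not ($_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443') } |
    Sort-Object Rule |
    Format-Table -AutoSize

# Confirm the Keep server can still reach the database after the change.
Test-NetConnection -ComputerName $DbServer -Port 1433 -InformationLevel Quiet
```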
Database Server
This depends on whether SQL Server or Oracle is deployed and how it is configured.
For SQL Server, follow Microsoft’s recommendations: Configure the Windows Firewall to Allow SQL Server Access.
For Oracle, see Database Firewall Administration Guide and Oracle Database Port Numbers.
Antivirus
Install antivirus / antimalware software in accordance with appropriate corporate policy.
Windows Service Account
This is the account under which Keep runs. By default, Keep runs under the Local System account, but a specific local or domain account can be used to further enhance security. The account requires the “Log On As A Service” right.
If a NAS is being used to store archive data, see the next section. This may have already been configured during installation.
The account is set using the Windows Services application:
Right-click the Keep Windows service, then click Properties.
Click the Log On tab.
Click the This Account option.
Enter the Windows Service account username (or browse for it).
Enter the account credentials.
Click OK.
NAS User Rights for Windows Service Account
If a Network Attached Storage (NAS) device is used to securely store archive data, the Windows Service account configured previously will require rights to access the share, and to read, write, and delete the archive files.