The information in this guide helps you make your Lasernet Keep system secure.
As a minimum, we recommend that you consider implementing the following security features:
Use HTTPS for all web traffic and redirect HTTP traffic to HTTPS
Use TLS for the database connection
External Integrations
Content Security Policy (CSP)
We have implemented a Content Security Policy (CSP) that aligns with modern web security standards. This blocks and restricts dangerous behaviors.
The CSP prevents “iframing” in Keep, but the configuration can be adjusted to allow this if required. For more information, contact a Lasernet Group representative.
Database Password Protection
This feature encrypts the password that Keep uses to connect to the database. This password is stored in Keep configuration files. If you do not encrypt it, it is stored as cleartext. For instructions, see Encrypt the Lasernet Keep Datasource Password.
Firewall Rules
Keep Server
Configure the Keep server’s firewall to allow inbound traffic on the HTTPS port (443). This is the only open port required.
Outbound rules should allow access to the database server. SQL Server typically uses port 1433; see the link in the next section.
If using a NAS, ensure the appropriate ports are open. For example, port 445 for SMB shares.
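The Keep server rules described above can be expressed as Windows Firewall rules in PowerShell. This is an added example, not part of the Lasernet documentation; the server addresses, rule names, and group label are constructed placeholders, and it assumes the built-in NetSecurity cmdlets run from an elevated session.

```powershell
# Added example: Windows Firewall rules for the Keep server.
# Addresses below are constructed placeholders; replace with your own.
param(
    [string]$DbServer  = '192.0.2.10',  # placeholder: database server address
    [string]$NasServer = '192.0.2.20',  # placeholder: NAS address, '' if no NAS
    [int]$DbPort       = 1433           # typical SQL Server port; adjust as needed
)

$group = 'Lasernet Keep (example)'      # hypothetical label used to tag these rules

# Make the script re-runnable: drop rules it created on a previous run.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound: HTTPS (443) is the only port the Keep server needs open.
New-NetFirewallRule -DisplayName 'Keep HTTPS inbound' -Group $group `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Outbound: database connection, limited to the database server address.
# Outbound allow rules only matter when the profile's default outbound
# action is Block; Windows allows outbound traffic by default.
New-NetFirewallRule -DisplayName 'Keep database outbound' -Group $group `
    -Direction Outbound -Protocol TCP -RemoteAddress $DbServer `
    -RemotePort $DbPort -Action Allow | Out-Null

# Outbound: SMB (445) to the NAS, only if one is used for archive data.
if ($NasServer) {
    New-NetFirewallRule -DisplayName 'Keep NAS SMB outbound' -Group $group `
        -Direction Outbound -Protocol TCP -RemoteAddress $NasServer `
        -RemotePort 445 -Action Allow | Out-Null
}

# Review step: list every other enabled inbound allow rule so that ports
# opened by anything other than the rules above can be assessed.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Group -ne $group } |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $filter.Protocol
            LocalPort = $filter.LocalPort -join ','
        }
    } |
    Sort-Object Rule |
    Format-Table -AutoSize
```

The final listing changes nothing; it only shows which other inbound rules are active so they can be compared against the single required port.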
Database Server
This depends on whether SQL Server or Oracle is deployed and how it is configured.
For SQL Server, follow Microsoft’s recommendations: Configure the Windows Firewall to Allow SQL Server Access.
For Oracle, see Database Firewall Administration Guide and Oracle Database Port Numbers.
Antivirus
Install antivirus / antimalware software in accordance with appropriate corporate policy.
Windows Service Account
This is the account under which Keep runs. By default, Keep runs under the Local System account, but a specific local or domain account can be used to further enhance security. The account requires the “Log On As A Service” right.
If a NAS is being used to store archive data, see the next section. This may have already been configured during installation.
The account is set using the Windows Services application:
Right-click the Keep Windows service then click Properties.
Click the Log On tab.
Click the This Account option.
Enter the Windows Service account username (or browse for it).
Enter the account credentials.
Click OK.
NAS User Rights for Windows Service Account
If a Network Attached Storage (NAS) device is used to securely store archive data, the Windows Service account configured previously will require rights to access the share, and to read, write, and delete the archive files.
Document Access Control
In general, document access is restricted by configuring user accounts and groups and granting them access to searches. However, technically, internal users can also use the Keep REST API to view, update, and download any document, regardless of these restrictions. When Document Sharing is enabled, they can also share any document they have access to with external users.
To limit internal users’ access to only those documents returned by the searches they have been explicitly granted access to, enable Document Access Control in the Keep server settings.