The following is a list of ten GP Strategies recommendations for securing your EtaPRO system.
Significant changes have been made to EtaPRO security beginning with version 10.4.6; however, these suggestions may also be applied to previous versions of the software.
- Update Default EtaPRO Passwords – Upon initial installation, your EtaPRO system is configured to use a set of default usernames and passwords. For EtaPRO security mode, these include the following users: administrator, analyst, and user. You should change the password for each of these accounts. If you are not using these accounts, you should delete them.
- Delete the EPSupport user account – Past GP Strategies practice was to create an EtaPRO authentication mode user called EPSUPPORT. This account should be deleted once the system is operating in a production environment.
- Update the SQL Server sa Account Password – If GP Strategies installs SQL Server, the password for the sa account will be initially set to Changeme1!. It is critical that you change the password for this account to something else. If someone gains access to SQL Server using the sa account and the Changeme1! password, they can delete or modify all the configuration data within your EtaPRO system.
- Use Windows Security Mode – EtaPRO has two security modes, EtaPRO security mode and Windows security mode. In EtaPRO security mode, the system administrator is required to create and manage users through the EtaPRO client. In Windows security mode, EtaPRO uses your existing Windows credentials. GP Strategies strongly recommends that you use Windows security mode.
- Make Sure You Have Nightly Backups – You should back up your EtaPRO databases and EPArchive files on a nightly basis. The EtaPRO software is provided with a tool that helps you create a scheduled task for doing this. Alternatively, you can work with your IT department to create a backup plan. Please note, the EtaPRO provided routines back up to a local directory on your computer. You need to take steps to ensure that the files in the local directory are moved to a more secure location on a regular basis. If your system suffers damage or is compromised, you will need the backups to restore your system.
- Create a Specific Account for Use with the EtaPRO Databases – The account should only have permissions for the EtaPRO databases, and it should not be a SQL Server system administrator account. This account should be used to prevent the possibility of users gaining access to non-EtaPRO related databases that might be hosted on the instance of SQL Server used by EtaPRO. For information on how to configure a SQL user for use with EtaPRO, refer to the following link: https://issues.etapro.com/f/page?W601
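The following PowerShell script is an added example (not GP Strategies' tooling) of creating such a login: it exists only in the named EtaPRO databases, holds no server roles, and the script verifies that afterwards. It assumes the SqlServer module (Invoke-Sqlcmd) is installed; the instance, login and database names are placeholders.

```powershell
# Added example: least-privilege SQL Server login for the EtaPRO databases.
# Assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed.
# $Instance, $LoginName and $Databases are placeholders; replace with your own names.
$Instance  = 'ETAPRO-SERVER\SQLEXPRESS'          # placeholder instance
$LoginName = 'etapro_app'                        # placeholder login name
$Databases = @('EtaPRO_Config', 'EtaPRO_Data')   # placeholder EtaPRO database names

# Prompt for the password so it never appears in the script or shell history.
$Secure = Read-Host -Prompt 'New password for the EtaPRO SQL login' -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password
$PwdLit = $Plain.Replace("'", "''")                       # escape for a T-SQL string literal
$LoginQ = "[$($LoginName.Replace(']', ']]'))]"            # bracket-quoted identifier

# 1. Server-level login with Windows password policy enforced; no server roles are granted.
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN $LoginQ WITH PASSWORD = N'$PwdLit', CHECK_POLICY = ON;
"@

# 2. Map the login into each EtaPRO database only, with owner rights inside that database.
foreach ($db in $Databases) {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER $LoginQ FOR LOGIN $LoginQ;
ALTER ROLE db_owner ADD MEMBER $LoginQ;
"@
}

# 3. Verify: the login must not belong to any fixed server role (sysadmin in particular).
$Roles = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$LoginName';
"@
if ($Roles) {
    Write-Warning "$LoginName holds server roles: $($Roles.server_role -join ', ')"
} else {
    Write-Output "$LoginName holds no server roles; access is limited to: $($Databases -join ', ')"
}
```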
- Run EtaPRO Services on a Lower Privilege Account – Prior to EtaPRO 10.4.6, EtaPRO services were configured to run on the local system account by default. The local system account is a high privilege account. If any vulnerabilities are discovered within EtaPRO, the privileges of the local system account could be used to compromise the whole server. Going forward, GP Strategies recommends that you run all Windows services used by EtaPRO on a lower privilege account. You can specify which Windows account is used to run the EtaPRO services using the Configure Server Service Account button on the EtaPRO Service Manager configuration form. Please note, if you connect to SQL Server using Windows authentication, your services must use a Windows account that has owner permissions for the databases used by EtaPRO. Starting with EtaPRO 10.4.6, EtaPRO uses the lower-privilege Local Service account instead of the Local System account. This account typically does not have permissions to connect to SQL Server. Therefore, in order to connect to SQL Server, you may need to change the account used by the EtaPRO services whenever you update your software.
- Check the Windows Firewall – The Windows firewall on the EtaPRO server should not be disabled and open ports should be minimized. For a listing of TCP ports used by EtaPRO please refer to the following link: https://issues.etapro.com/f/page?W13
- Limit Remote Access to Your EtaPRO Server – You should limit access to the computer where you are running EtaPRO. You should not provide access to people who are not engaged in the administration of your EtaPRO system.
- Run SQL Server Using Lower Privilege Accounts – Upon installation, the account used for running the Windows services associated with SQL Server can be specified. In general, you should not use a high privilege account such as the local system account. If SQL Server is installed locally on the EtaPRO server and you change the accounts that it uses, please make sure that the selected accounts have read and write permissions for the directories you are using for your EtaPRO database files. Failure to configure directory permissions may prevent the databases from being usable. For information on how to update the accounts used by SQL Server, please refer to Microsoft SQL Server documentation available online.
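As an added example (not part of EtaPRO), the following read-only PowerShell audit checks three items from this list on the EtaPRO server: the accounts the EtaPRO and SQL Server services run under, whether every Windows Firewall profile is enabled, and which inbound ports are currently allowed so they can be compared against the EtaPRO port list. The `EtaPRO%` service-name pattern is an assumption; adjust it to the service names on your server.

```powershell
# Added example: audit service accounts and firewall state on the EtaPRO server.
# Run in an elevated PowerShell session. Makes no changes; it only reports findings.
# 'EtaPRO%' is a placeholder pattern for the EtaPRO Windows service names.
$HighPrivilege = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
$Findings = @()

# 1. EtaPRO services should not run as Local System (see "Run EtaPRO Services on a Lower Privilege Account").
foreach ($svc in Get-CimInstance Win32_Service -Filter "Name LIKE 'EtaPRO%'") {
    if ($HighPrivilege -contains $svc.StartName) {
        $Findings += "EtaPRO service '$($svc.Name)' runs as $($svc.StartName); change it via Configure Server Service Account."
    }
}

# 2. SQL Server services should not run as Local System either.
foreach ($svc in Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'") {
    if ($HighPrivilege -contains $svc.StartName) {
        $Findings += "SQL Server service '$($svc.Name)' runs as $($svc.StartName)."
    }
}

# 3. Every Windows Firewall profile (Domain, Private, Public) should be enabled.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $Findings += "Windows Firewall profile '$($profile.Name)' is disabled."
    }
}

# 4. List enabled inbound allow rules with specific ports; review each against the EtaPRO TCP port list.
$Open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -ne 'Any' } |
        Select-Object Protocol, LocalPort -Unique
Write-Output 'Inbound ports currently allowed by enabled rules:'
$Open | Format-Table -AutoSize

if ($Findings) {
    $Findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No service-account or firewall-profile findings.'
}
```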