F. Best Practices
Website Documentation for your KeePass client and Pleasant Password Server
Security practices and customizations for your Pleasant Password Server installation.
Have Questions? Contact Us
1. Protect the Admin account
At startup, a local admin user is created and is assigned an Administration role with system-wide permissions.
These permissions should be accessible in cases of emergency, by at least one trusted staff member, preferably two or more. Actions that entirely remove or disable the necessarry role permissions are discouraged and are not covered by standard Technical Support.
Risks to Mitigate:
Your installation could become at risk of: being unprepared for an emergency, getting locked out, or losing access to your assets.
- Set and verify the admin user's email address to a secure email account
- Configure the admin's login reset settings so that if the password is forgotten it can be reset
- Rename the admin account from the default name, to a name of your choice
- Only plan to use this admin user for emergencies / initial configuration
- Consider this admin account as a "Super Admin" account
2. Maintain a working Local Admin account
Risks to Mitigate:
- A dropped connection to the Domain Controllers will lock LDAP and Active Directory users out of Password Server.
- Emergency situations may occur with a user account such as: an admin can get locked out, or loses their password and cannot be recovered.
- Setup a second Administrator Role with the Administer Users permission. Configure it with less "working everyday" permissions. Periodically adjust and remove permissions not needed weekly.
- Remember: to add group permissions to the Root folder
- Setup a second Admin user, and consider it an "Everyday Admin" account. Keep as a local account, if possible.
- Setup the Everyday admin's email & login reset separately from the admin
3. Setup Database Backups & Safeguard the Encryption Keys
Risks to Mitigate:
- Accidentally deleting a folder
- Forgetting a credential and needing to recover it
- Making a serious configuration mistake
- Store a copy of your Encryption Keys in a secure location:
- Schedule Automatic Backups of your Database
4. Take regular Snapshots of Server
- Install inside a Virtual Machine (VM). By backing up your VM, you also achieve point 3.
5. Keep your Service Plan up-to-date
- We strongly recommend keeping updated with the latest Security measures, fixes, and features.
- First, subscribe with at least 2 email addresses to receive the Password Server News & Security Alerts
- Our Support lives up to our name in as many ways as possible.
6. Use a trusted third-party Certificate
- We recommend purchasing a signed TLS/SSL certificate from a trusted third-party vendor and hosting on an FQDN. This provides added security and convenience for your users.
7. Secure & Harden your Server Environment
8. Disallow older methods of SSL encryption
- There are a variety of TLS/SSL encryption methods available on your machine(s), some of which may be older and no longer recommended. While removing them will mean that users with older browsers (IE 6, etc.) will no longer be able to connect to your server, it will mean that more current browsers won't fall back to less secure encryption methods.
- Disable Insecure Encryption Protocols
9. Review the Ten Immutable Laws of Security
- Many security concerns result from procedures which violate one or more of these laws of Security Administration.
- The overview list is found at Microsoft, and the original version with detailed explanation is here.
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date anti malware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.