Hardening the PRA Engine Host

This topic discusses best practices for hardening Privileged Remote Access (PRA) engine servers.

PRA engines do not store any passwords, PII, or user data in any configuration files.

General Hardening Steps

Restrict Incoming Port Access to All PRA Engine Servers

PRA engines do not require any open incoming ports.

  • Allow an SSH proxy port coming from the user's LAN.

  • Block all other incoming ports.

Remove Unnecessary User Groups

For administrator user groups:

  • Remove default domain admins, administrator and unused/unnecessary groups.

  • Create one group that will have access to the PRA engine server(s).

  • Disable the built-in local administrator user.

Rename Default Accounts

  • Change the names of all administrator and guest accounts to names that do not indicate their permissions.

  • Create a new locked and unprivileged "administrator" user name as bait.

Disable Services

Disable these services:

  • None

Restrict Network Protocols

  • None

SSL/TLS Settings

Keep your server SSL/TLS settings up to date. Among other settings, the enabled protocol versions and cipher suites determine which attacks on SSL/TLS the server is exposed to.

  • Disable SSL 2.0

  • Disable SSL 3.0

  • Disable TLS 1.0

  • Disable TLS 1.1

  • Enable TLS 1.2
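
The following PowerShell script is an added example, not part of the original documentation or the product. It audits the protocol list above and, with -Apply, enforces it. It assumes the PRA engine host is a Windows server whose TLS stack is configured through the Schannel registry keys, and it covers both the Server and Client roles, which is also an assumption.

```powershell
# Added example: audit (default) or enforce (-Apply) the protocol list above.
# Assumption: Windows host using Schannel; run from an elevated prompt for -Apply.
param([switch]$Apply)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state from the list above: $true = enabled, $false = disabled.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

$report = foreach ($proto in $desired.Keys) {
    foreach ($role in 'Server', 'Client') {
        $key  = Join-Path $base "$proto\$role"
        $want = $desired[$proto]

        if ($Apply) {
            # Create the key only if missing so existing values are not wiped.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                -Value ([int]$want) -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                -Value ([int](-not $want)) -Force | Out-Null
        }

        # A missing key or value means the OS default applies: report it as
        # non-compliant, because the setting is not explicitly pinned.
        $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = $cur.Enabled
            DisabledByDefault = $cur.DisabledByDefault
            Compliant         = ($null -ne $cur.Enabled) -and
                                ($null -ne $cur.DisabledByDefault) -and
                                ([bool]$cur.Enabled -eq $want) -and
                                ([bool]$cur.DisabledByDefault -ne $want)
        }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit code lets a scheduled compliance check flag drift.
if ($report.Compliant -contains $false) { exit 1 }
```

Schannel reads these values at startup, so restart the server after applying changes and then rerun the script without -Apply to confirm the result.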