Secure Configuration
Here is our recommended secure configuration for N-able N-central Report Manager.
Operating System (OS)
Install Microsoft Windows Server 2016 or 2019 Standard or Enterprise Edition.
See:
Enable the Windows Firewall. See details in Network Security Section below.
Also see:
Install and configure an Anti-Virus (AV) product, such as N-able EDR or N-able AV Defender.
Install an N-central Agent onto the Report Manager system; N-central automatically recognizes Report Manager, and adds applicable health checking and monitoring services, Remote Control, and access to other tools remotely, such as deploying AV.
SQL Server
Install Microsoft SQL Server 2017 Standard or Enterprise Edition
See:
IIS
Configure HTTPS with a minimum of TLS v1.2 for Report Manager by following the Installation Guide (Configure HTTPS and SSL for Report Manager page 20).
See:
Install the latest security patches for IIS and enable Secure HttpOnly Cookies and HSTS attributes in IIS.
See Microsoft:
Application Security – Report Manager
Install using the Local Admin account or a domain account with local admin rights, DO NOT USE a domain admin account.
NOTE: It is not necessary to join the Report Manager server to a domain. It is only required if optionally delivering Scheduled Reports to a file share, which requires a file share on the same domain, or if delivering Scheduled Reports via email and the environment requires domain-joined mail hosts.
After linking N-Central as a datasource, disable the reportsadmin default account
See:
Network Security
Do not expose Report Manager directly to the internet.
Create the following ACLs communication with Report Manager:
Enable port 443 inbound to Report Manager from local network only
Also, optionally allow access to 443 (HTTPS) from sites where users require access to generate reports, such as Client sites (geo-restrictions)
Enable port 1433 inbound to Report Manager from N-Central. Report Manager should only accept this traffic from the N-Central internet protocol (IP) address.
Optionally, block all access to Report Manager and use Remote Control via N-central to perform configuration/report generation.
Place N-central and Report Manager on an isolated or dedicated subnet.
System Auditing and Monitoring
Ensure that the recommended audit logs are enabled according to the Center for Internet Security (CIS) for Windows 2016/2019 and MS SQL 2017.
Ensure there is enough disk space for the audit logs. Audit logs can fill up an entire disk if they aren’t managed or rotated.
Data Encryption
Ensure disk encryption is enabled. This can be completed by deploying N-able Security Manager: AV Defender - Disk Encryption Manager or using N-able N-central’s preloaded Automation Policies for configuring and enabling Microsoft BitLocker.
See:
Deploying N-able AV Defender - Disk Encryption Manager
Deploying Microsoft BitLocker via N-able N-central Automation Policy
Patching and OS updates
Ensure the OS is up to date with the latest Microsoft patches.
Ensure Microsoft patches are applied regularly and frequently, such as by using N-central’s Patch Management features.
System Backup
Ensure system has an up-to-date backup, such as by using N-central’s MSP Backup features. Also, see the Install Guide or Online Help for details on configuring SQL Backups and a Maintenance Plan.
See: