Secure Configuration

Here is our recommended secure configuration for N-able N-central Report Manager.

Operating System (OS)

• Install Microsoft Windows Server 2016 or 2019 Standard or Enterprise Edition.

  See:

  System Requirements

• Enable the Windows Firewall. See details in Network Security Section below.

  Also see:

  Server Requirements

• Install and configure an Anti-Virus (AV) product, such as N-able EDR or N-able AV Defender.

• Install an N-central Agent onto the Report Manager system; N-central automatically recognizes Report Manager, and adds applicable health checking and monitoring services, Remote Control, and access to other tools remotely, such as deploying AV.

SQL Server

• Install Microsoft SQL Server 2017 Standard or Enterprise Edition

  See:

  System Requirements

IIS

• Configure HTTPS with a minimum of TLS v1.2 for Report Manager by following the Installation Guide (Configure HTTPS and SSL for Report Manager page 20).

  See:

  Configure HTTPS and SSL for Report Manager

• Install the latest security patches for IIS and enable Secure HttpOnly Cookies and HSTS attributes in IIS.

  See Microsoft:

• Microsoft - HSTS on IIS

• Microsoft - Secure Cookies on IIS

Application Security – Report Manager

• Install using the Local Admin account or a domain account with local admin rights, DO NOT USE a domain admin account.

  NOTE: It is not necessary to join the Report Manager server to a domain. It is only required if optionally delivering Scheduled Reports to a file share, which requires a file share on the same domain, or if delivering Scheduled Reports via email and the environment requires domain-joined mail hosts.

• After linking N-Central as a datasource, disable the reportsadmin default account

  See:

  Post Install Steps

Network Security

• Do not expose Report Manager directly to the internet.

• Create the following ACLs communication with Report Manager:

  • Enable port 443 inbound to Report Manager from local network only

    Also, optionally allow access to 443 (HTTPS) from sites where users require access to generate reports, such as Client sites (geo-restrictions)

• Enable port 1433 inbound to Report Manager from N-Central. Report Manager should only accept this traffic from the N-Central internet protocol (IP) address.

• Optionally, block all access to Report Manager and use Remote Control via N-central to perform configuration/report generation.

• Place N-central and Report Manager on an isolated or dedicated subnet.

System Auditing and Monitoring

• Ensure that the recommended audit logs are enabled according to the Center for Internet Security (CIS) for Windows 2016/2019 and MS SQL 2017.

• Ensure there is enough disk space for the audit logs. Audit logs can fill up an entire disk if they aren’t managed or rotated.

Data Encryption

• Ensure disk encryption is enabled. This can be completed by deploying N-able Security Manager: AV Defender - Disk Encryption Manager or using N-able N-central’s preloaded Automation Policies for configuring and enabling Microsoft BitLocker.

  See:

  Deploying N-able AV Defender - Disk Encryption Manager

  Deploying Microsoft BitLocker via N-able N-central Automation Policy

Patching and OS updates

• Ensure the OS is up to date with the latest Microsoft patches.

• Ensure Microsoft patches are applied regularly and frequently, such as by using N-central’s Patch Management features.

System Backup

• Ensure system has an up-to-date backup, such as by using N-central’s MSP Backup features. Also, see the Install Guide or Online Help for details on configuring SQL Backups and a Maintenance Plan.

  See:

  Post Install Steps