Best practices: maxing out Resilio Active Everywhere security

User account running Agent / MC

Windows

Create a dedicated user account for Agent / MC, ensure they do not run as LOCAL SYSTEM.

Note

Make sure you grant permissions to the installation and the storage folder to the user account running Resilio services.

Linux

Do not run as root unless you need to sync POSIX permissions. It is advisable to make a dedicated user account to run the Agent. Such an account is created automatically for package installations.

Storage folder and data access

Ensure that minimum other users / groups has access to Agent's or Management Console's storage folder, ideally - only user account that runs Agent or Management Console. Note, that the user account running the Agent must have enough permissions to operate data and permissions that the Agent synchronises.
Ensure that only user account running Management Console can write data to the audit.log.
For extra protection of Agent's service data on Linux-based OS ensure that your VM / hardware provides access to TPM. Agent on Windows uses Data protection API and macOS Agent uses Keychain features automatically. If TPM is not available or Agent runs in a docker container, use this article to set encryption key manually.
Delete the sync-<version-.backup folder in agent's storage folder since it may contain non-encrypted data from previous version.
For extra protection of MC service data follow this article to set encryption key manually.
It is recommended to set the env var in srvctrl start/stop script as in this case it will only be available for the Management Console processes only.
Also, it is recommended to customize env var name via MC configuration file.
Delete Management Console backups after encrypting sensitive data since it may contain non-encrypted data.

Agent to Management Console communications

Set Management Console TLS cipher to ECDHE-ECDSA-AES256-GCM-SHA384
Ensure "Identify agent by name" setting is disabled in Management Console advanced settings.
Ensure to use agent configuration file with defined certificate fingerprint, do not connect agents using IP:PORT simplified method.
Once all agents are connected - delete the bootstrap token from MC
Ensure to apply your custom certificate to agents connection (port 8444 by default).

Agent to Agent communications

Set agent TLS ciphers to DHE-PSK-AES256-GCM-SHA384
Ensure "Encrypt on LAN" setting of all agents profiles is enabled
Set "Key token rotation policy" of all job profiles set to "Enforced"
Ensure that ATA tokens rotate at least every hour with the overlap no more than 30 minutes.

Ensure to apply your custom certificate to both WebUI connection (default port 8443).
Ensure to have proper Management Console password policy matching your organization demands
If you are using Azure AD authentication and do not require local users - disable local users login.
If you are using local Management Console accounts - enable 2FA for all users.

Other security tweaks and checks to be done

If you are using Console API, use separate API tokens for different cases and users. Don't let several users share same token, and don't use same token, for example, for testing and production purposes.
Disable Agent and Console debug logging.
Disabled core dumps / process dumps in our OS (actual instructions depends on OS type and version).
If you're running the Management Console on a dedicated system that doesn't participate in any Jobs, don't enable the integrated Agent during the installation.
For data distribution workloads consider enabling the Data Managers Console