Best practices: maxing out Resilio Active Everywhere security
Management Console
Operating system user account
Create a dedicated user account to run the Management Console service. Make sure you grant permissions to the installation and the storage folder to the user account running the Resilio Management Console service.
On Linux, a dedicated user account is created automatically for package installations.
Storage folder and data access
- Limit to a minimum the number of users/groups that have access to the Management Console's storage folder. Ideally, this should only be the user account that runs the Management Console service.
- Ensure that only the user account running the Management Console can write data to audit.log.
- Enable encryption for the Management Console's service data. For details, see Sensitive Data Encryption.
Agent to Management Console communication
- Set the Management Console TLS cipher to ECDHE-ECDSA-AES256-GCM-SHA384.
- Ensure the Identify agent by name setting is disabled in the Management Console advanced settings.
- Provision Agents using the Agent configuration file with a defined certificate fingerprint. Avoid connecting Agents by providing the IP address and port number combination in the Agent UI.
- Once all Agents are connected, delete the bootstrap token from the Management Console.
- Apply your custom certificate to the Agent connection (port 8444 by default).
Access to Management Console
- Apply your custom certificate to the Web UI connection (default port 8443).
- Ensure the Management Console password policy matches your organization's internal guidelines.
- If you are using Azure AD authentication or Okta and do not require local users, disable local user login.
- If you are using local Management Console accounts, instruct your users to enable 2FA.
- To grant limited access to job configuration and status to third-party contractors or administrators, consider enabling the Data Managers Console.
Miscellaneous
- Enable Content-Security-Policy to prevent various types of attacks, such as cross-site scripting (XSS) and clickjacking. In the Management Console's configuration file, set the contentSecurityPolicyHeader setting to true.
- If you're running the Management Console on a dedicated system that doesn't participate in data transfer Jobs, don't enable the integrated Agent during the installation. This option is available in the Management Console installer on Windows.
- Disable core dumps/process dumps in your OS (actual instructions depend on OS type and version).
- If you are using the Console API, use separate API tokens for different cases and users. Don't let several users share the same token, and don't use the same token for, for example, both testing and production purposes.
- Disable Agent and Console debug logging.
Warning
Disabling debug logging will limit Resilio Support Team's abilities to troubleshoot issues with your deployment.
Storage and caching servers
Operating system user account
Create a dedicated user account to run the Agent service. Make sure you grant permissions to the installation and the storage folder to the user account running the Resilio Agent service.
On Linux, a dedicated user account is created automatically for package installations.
Note
- The user account running the Agent must have enough permissions to access and manage the data specified in the Job along with the permissions that the Agent synchronizes.
- Synchronizing POSIX permissions requires root privileges.
Storage folder and data access
- Limit to a minimum the number of users/groups that have access to the Agent's storage folder. Ideally, this should only be the user account that runs the Agent service.
- Agents rely on security means built into the operating system: Data Protection API for Windows, Keychain for macOS, TPM for Linux. When none of these is available (for example, the Agent runs in a cloud instance or in a Docker container), you can enable the encryption manually. For details, see Sensitive Data Encryption.
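A Linux check for the storage-folder restriction above and for the Management Console's audit.log rule, as an added example that is not Resilio's own code. The directory and service account are passed as arguments, the location of audit.log inside the storage folder is an assumption, and GNU find is required.

```shell
#!/usr/bin/env bash
# Added example (not Resilio code). DIR and OWNER are supplied by the caller;
# no Resilio default path or account name is assumed. Requires GNU find.

# List entries under DIR that are not owned by OWNER (name or numeric uid)
# or that grant any permission bit to group or other. Symlinks are skipped
# for the mode test because their own mode bits are not enforced on Linux.
find_loose_entries() {
    local dir="$1" owner="$2"
    find "$dir" \( ! -user "$owner" -o \( ! -type l -perm /077 \) \) -print
}

# Succeed only if LOG is a regular file that OWNER alone can write, and the
# directory holding it is likewise not writable by anyone else (a writable
# parent lets another account rename or replace the log).
audit_log_ok() {
    local log="$1" owner="$2" parent
    [ -f "$log" ] || return 2
    parent=$(dirname "$log")
    [ -z "$(find "$log" "$parent" -maxdepth 0 \
            \( ! -user "$owner" -o -perm /022 \) -print)" ]
}

# Run directly as: ./audit-storage.sh <storage-dir> <service-account>
# Assumption: audit.log, if present, sits directly in the storage folder.
if [ "$#" -eq 2 ]; then
    loose=$(find_loose_entries "$1" "$2")
    [ -z "$loose" ] || { printf 'Too permissive:\n%s\n' "$loose"; exit 1; }
    [ ! -e "$1/audit.log" ] || audit_log_ok "$1/audit.log" "$2" ||
        { echo "audit.log is writable by another account"; exit 1; }
    echo "OK: only $2 can access $1"
fi
```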
Agent to Agent communication
- Set Agent TLS ciphers to DHE-PSK-AES256-GCM-SHA384.
- Ensure the Encrypt on LAN setting is enabled in all Agent profiles.
- Set the Token rotation policy of all Job profiles to enforced.
- Ensure that ATA tokens rotate at least every hour (Advanced settings > Key token lifetime) with an overlap of no more than 30 minutes (Advanced settings > Key token overlap).
Windows and macOS end-user workstations
Operating system user account
Create a dedicated user account to run the Agent service. Make sure you grant permissions to the installation and the storage folder to the user account running the Resilio Agent service.
Note
The user account running the Agent must have enough permissions to access and manage the data specified in the Job along with the permissions that the Agent synchronizes.
Storage folder and data access
- Limit to a minimum the number of users/groups that have access to the Agent's storage folder. Ideally, this should only be the user account that runs the Agent service.