Security Recommendations
Since the primary role of the Gateway is hosting a set of web services using Microsoft Internet Information Services (IIS), the recommendations below focus on securing this role. Normal security best practices relating to firewall configuration, patching and monitoring should still be addressed.
To harden the security posture of the Gateway server, we recommend the following:
- Do not run the MyPass Gateway (IIS) on a domain controller or with any other dedicated functions.
- Install only the IIS modules you need (as described in the Gateway software prerequisite section).
- Ensure that server roles are kept separate.
- Keep your antivirus, malware, EDR/XDR software up to date.
- Isolate web applications (separate application pools and identities) if more than one exists on the server.
- Implement the principle of least privilege when assigning permissions to the service account for the Gateway.
- Make periodic backups of the server or IIS configuration.
- Never deploy a gateway without using transport layer encryption, and take care to configure accepted SSL ciphers and protocols.
- Ensure that incoming firewall rules only allow HTTPS (TCP port 443).
- Configure outbound firewall rules if a DMZ or HIPS sits between the Gateway and the target credential repositories.
- Always ensure that only the authorized MyPass Cloud platform POD Accepted Call IPs, as listed on your Gateway, are permitted to call the Gateway.
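The read-only audit script below is an added example, not part of the MyPass documentation or product; it checks a Gateway host against several of the recommendations above (no domain controller role, inbound allow rules limited to TCP/443, legacy SCHANNEL protocols disabled, HTTPS-only IIS bindings, one application pool per site). It assumes it is run in an elevated PowerShell session on a Windows Server with IIS and the WebAdministration module installed; the names `$findings` and the registry/cmdlet checks are the example's own choices.

```powershell
# Added audit example (not MyPass code): reports deviations from the hardening
# list above. Read-only; run elevated on the Gateway host with IIS installed.
Import-Module WebAdministration -ErrorAction Stop
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. The Gateway must not run on a domain controller (DomainRole 4 or 5 = DC).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) { $findings.Add("Host is a domain controller (DomainRole=$role)") }

# 2. Inbound allow rules should expose only TCP/443 (HTTPS).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and "$($pf.LocalPort)" -ne '443') {
        $findings.Add("Inbound TCP allow rule '$($_.DisplayName)' opens port(s) $($pf.LocalPort)")
    }
}

# 3. Legacy SSL/TLS protocols should be explicitly disabled server-side.
#    A missing key means Windows defaults apply, so it is reported as not disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $base "$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -ne 0) { $findings.Add("$proto is not explicitly disabled for server use") }
}

# 4. Transport encryption is mandatory: every IIS binding must be https.
Get-WebBinding | Where-Object { $_.protocol -ne 'https' } | ForEach-Object {
    $findings.Add("Non-HTTPS binding: $($_.protocol) $($_.bindingInformation)")
}

# 5. Application isolation: flag application pools shared by more than one site.
Get-Website | Group-Object applicationPool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $findings.Add("App pool '$($_.Name)' is shared by sites: $($_.Group.name -join ', ')")
}

if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Treat each finding as a prompt to review, not an automatic failure: a built-in rule may be intentionally enabled, and cipher suite order is not covered here.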