The following guide provides a series of recommendations for improving the security (“hardening”) of your Acunetix On-Premises installation.

1. Update to the current version

It is recommended that you always run the latest version of Acunetix. Additionally, Acunetix periodically publishes updates, which may include fixes for known security vulnerabilities.

By default, Acunetix is set to “Download and install updates automatically”. If this setting is changed to “Notify me of new product updates”, it is recommended that you periodically review the Acunetix Build History page to ensure no security updates are missed. It is not recommended to set the update option to “Do not automatically check for updates [Not Recommended]”.

Updates are downloaded from https://updates.acunetix.com over a secure HTTPS connection.

To get the latest version or build of Acunetix, visit https://www.acunetix.com/download/fullver.

2. Configure TLS with a valid, trusted certificate

Transport Layer Security (TLS) is required by Acunetix; however, it is recommended that you use a valid, trusted certificate (not the default self-signed certificate created by Acunetix during installation).

Acunetix comes with a built-in utility for generating certificates for use with Acunetix. You can find this utility under C:\Program Files (x86)\Acunetix\core\certgen.exe

certgen.exe usage:

certgen /d <target_directory> /c <common_name>
    To generate certificate signed using existing authority
certgen /d <target_directory> /a
    To generate new authority
certgen /d <target_directory> /c <common_name> /a [/i]
    To generate new authority and signed certificate (/i to also install it in ROOT)

This is the same tool that the Acunetix installer uses to generate and register the certificate during installation. If you are serving Acunetix on acunetix.example.com and the self-signed CA generated by Acunetix is sufficient for your needs, you can run the following command:

certgen /d "C:\ProgramData\Acunetix\certs" /a /c acunetix.example.com

This will generate four files in the target directory:

  • ca.cer – Public certificate of the certificate authority
  • ca.key – Private key of the certificate authority which can be used for signing
  • server.cer – Public certificate of Acunetix server
  • server.key – Private key of the Acunetix server

If you want to use your own certificate authority (recommended) you can do that too. There are two approaches you can take.

Generate a Server Certificate via certgen.exe

Copy the CA’s certificate and private key into the directory you pass as the /d argument, and name them ca.cer and ca.key respectively.

Then you can run the command:

certgen /d "C:\ProgramData\Acunetix\certs" /c acunetix.example.com

Use your own Server Certificate

You may use your own server certificate, in which case you have to generate the private key and the certificate in the aforementioned formats and configure them in C:\ProgramData\Acunetix\settings.ini in order for Acunetix to use them. The relevant lines from settings.ini are:

server.ssl.certificate=C:\path\to\server.cer
server.ssl.private_key=C:\path\to\server.key

3. Firewall protection

Acunetix was designed to operate inside a trusted, firewalled internal network. Acunetix must be protected by an external firewall. The Windows firewall should be sufficient to protect Acunetix in standalone and multi-engine deployments.

In multi-engine deployments, Acunetix automatically encrypts communication between nodes using TLS; however, it is recommended that firewalls are enabled on machines that host Acunetix. Additionally, if the multi-engine setup involves machines accessible on different networks (e.g. over the Internet), it’s strongly recommended that the communication occurs over a secure VPN connection.

Please note that by default, the Acunetix installation process does not configure ports in the Windows firewall — this will need to be done manually if external access is required.

4. Restrict access to the server

Acunetix configuration files and log files may contain sensitive information. Therefore, it is highly recommended to restrict physical access to the machine that is running Acunetix. In addition, ensure that only authorized and trusted users have access to the Acunetix files in the C:\ProgramData\Acunetix directory.
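To check the outcome of sections 2 and 4 on a running host, the following PowerShell script is an added example (not part of Acunetix or of the original guide). It reads the two server.ssl.* entries from settings.ini, reports whether the configured certificate is self-signed, trusted by the local machine, close to expiry and issued for the expected hostname, and lists broad principals that are allowed access to the private key and to the Acunetix data directory. Assumptions: settings.ini contains both server.ssl.* lines shown in section 2, the certificate file is in a format X509Certificate2 can load, and acunetix.example.com stands in for your own hostname.

```powershell
# Added example: audit the TLS settings from section 2 and the file access from section 4.
param(
    [string]$SettingsPath = 'C:\ProgramData\Acunetix\settings.ini',
    [string]$ExpectedHost = 'acunetix.example.com'   # assumption: replace with your hostname
)

# Read the two server.ssl.* entries from settings.ini.
$cfg = @{}
foreach ($line in Get-Content -LiteralPath $SettingsPath) {
    if ($line -match '^\s*(server\.ssl\.(?:certificate|private_key))\s*=\s*(.+?)\s*$') {
        $cfg[$Matches[1]] = $Matches[2]
    }
}
$certPath = $cfg['server.ssl.certificate']
$keyPath  = $cfg['server.ssl.private_key']
if (-not $certPath -or -not $keyPath) {
    throw "server.ssl.certificate / server.ssl.private_key not set in $SettingsPath"
}

# Load the certificate and build its chain against the local trust stores.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # keep the check offline
$trusted = $chain.Build($cert)
$dnsName = $cert.GetNameInfo('DnsName', $false)  # first DNS name on the certificate

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
function Get-BroadAccess([string]$Path) {
    # Ask for rules keyed by SID so the check works on localized Windows installs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    $hits = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broadSids -contains $_.IdentityReference.Value
    }
    ($hits | ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" }) -join '; '
}

[pscustomobject]@{
    Subject        = $cert.Subject
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)
    ChainTrusted   = $trusted
    ChainErrors    = ($chain.ChainStatus.Status -join ', ')
    HostMatches    = ($dnsName -eq $ExpectedHost)   # exact match only, no wildcard handling
    DaysToExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    KeyBroadAccess = Get-BroadAccess $keyPath
    DirBroadAccess = Get-BroadAccess (Split-Path -Parent $SettingsPath)
}
```

A certificate issued by the Acunetix-generated CA shows ChainTrusted as True only on machines where that CA has been installed in the ROOT store. Any entry in KeyBroadAccess or DirBroadAccess means a broad group can access files that section 4 says should be limited to authorized users.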

THE AUTHOR
Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.