Synergetic Security Review Template (2021)

Policies for Information Security are:

• Defined, approved by management
• Published and communicated to staff and external parties
• Regularly reviewed for suitability

Management direction for information security

A.5.1

Information security and data privacy roles and responsibilities:

• are defined and allocated
• Staff in roles are aware of the requirement to secure the Synergetic systems and database

Organization of information security

A.6.1

Asset, data classification and information flow

• asset, data classification and information flow (how data is used or transferred) is documented
• risk assessment/registers used

All Synergetic servers and data backups are documented in an inventory ideally with supporting network diagram.

• Synergetic asset register documentation exists

• include test/DR/snapshot systems

• include data backup procedures, schedule and locations

Asset Management - Inventory of Assets

A.8.1.1

Operational procedures and responsibilities

A.12.1

Physical access to the Synergetic database servers and backups is restricted

• Physical entry controls
• Protection from external/environmental threats

Network access

• Restricted to authorised users
• Database server is only directly accessible to staff network or web servers
• Database server is not contactable via guest networks
• Only authorised devices can connect to the network that hosts the Synergetic servers

Access Control - Access to networks and network services

A.9.1.2

User access provisioning

• follows a formal process for creation or deactivation of accounts
• follow a formal process for assigning or revoking access rights for Synergetic application and database systems

User Access Management

A.9.2.1

A9.2.2

Administrator user accounts 

• Administrator accounts are restricted and documented
• Use of administrator accounts is restricted for admin operations only
• Review current Domain Administrator accounts

Password management

• Password and password handling policies are in place and used for staff, service and administrator level accounts
• Secure password provisioning and handling procedures are in place (eg. not emailed or stored in plain text)

User responsibilities A.9.3

User access management

A9.2.4

Review of User Access Rights

• A regular scheduled audit of existing accounts, groups and permission sets allowing access to the Synergetic databases is performed.

Inbound access to SQL and Web server is protected by firewall

• The minimum ports required for servers/services to function
• See here for guidelines:  Synergetic Network Port Details / Microsoft SQL Server Network Port Config

Access Control - Access to networks and network services

A.9.1.2

Outbound internet access from SQL, Web and Service Suite Servers is restricted by firewall

Outbound access may be required for:

• SMTP servers
• ScreenConnect: Synergetic Remote Access
• Octopus Deploy:  Automatic Upgrades
• VSN from Service Suite server (VIC sites): https://www.eduweb.vic.gov.au/VSRWebService/

Communications Security

A.13

Protection from Malware

A.12.2.1

SMTP relay access from Synergetic servers and application is restricted

• Secured via TLS where applicable
• Secured via passwords (no anonymous relays)
• IP address restrictions (where possible)

Communications Security

A.13

Local administrators group is restricted on the SQL Servers

Management of privileged access rights

A.9.2.3

Remote Desktop/server access to SQL Servers:

• Remote Desktop Users Users group is restricted
• Servers are not directly accessed via RDP or other remote connection software

Management of privileged access rights

A.9.2.3

Service Accounts

• SQL Server service accounts use low level domain users (non-admin accounts)

Management of privileged access rights

A.9.2.3

CIS 3.5-3.7

File shares and permissions

• Database files and backups are not accessible to normal user accounts via file shares
• Database server does not allow file share access to non-admin accounts

Management of privileged access rights

A.9.2.3

Synergetic data and backup files are protected

• Backup file locations documented
• Secured to authorised system administrators
• Access to and use of backups is controlled and data protection is maintained

Access Control -Access control policy

A.9.1.1

Database backups are performed

• Regular schedule
• Allowing for point in time recovery
• System RTO and RPO is documented
• Backup and DR schedules to meet the defined RTO/RPO

Database Version

• SQL Server is patched in line with hardware requirements
• Latest cumulative updates have been applied
• Windows Server patched (get-hotfix | sort InstalledOn -Desc)

CIS 1.1

Database Security

• The SQL Server (Windows Server) and instance is dedicated for Synergetic database use
• No third party applications are installed to the SQL Server (other than AV)

CIS 1.2

Database Security - use of 'sa' account

• 'sa' account is disabled

OR

• SA account password meets policy and is secured
• Password has been updated when admin staff change over
• Staff with access to the 'sa' password are known and authorised
• The 'sa' password not distributed or used by staff
• SA account is not used for daily server maintenance

**Renaming of 'sa' account is not supported by Synergetic, even if it is disabled it must still exist as 'sa'

Database Security - server level SQL logins limited to:

• Limited to 'sa' and administrators
• Synergetic*_*ServerLogin

Database Auditing and Logging

• Ensure 'Maximum number of error log files' is set to greater 
  than or equal to '12'

Database Logon auditing

• Ensure 'SQL Server Audit' is set to capture both 'failed' and 
  'successful logins' 

**Important note - this can be considered however note that it will increase the SQL event log size significantly. Please use with caution and monitor disk/log size.

CIS 5.4

Database Security 

• Users access database via Windows Authentication by Active Directory Group membership
• AD groups are used and not individual user accounts

Database Security - Orphaned users

• Ensure 'Orphaned Users' are Dropped From SQL Server 
  Databases

Database Security - Fixed SQL Database Roles

• Fixed database role membership use is restricted

Database Administration - Synergetic Fixed Database Roles

• Membership is restricted to Synergetic service accounts

Direct Database Permissions for users and third party service accounts

• Controlled via restricted dedicated SQL Server roles
• Only granted permissions when required (eg. normal Synergetic users don't need direct table access)
• Not granted to entire schema (eg. dbo, finance)
• Not granted to fixed server or database roles eg. SysAdmin, db_datareader, db_owner
• Permissions are only granted to the required objects

• Data encryption

  • Network traffic encryption (TLS)
  • Data at rest (TDE)

  *TDE is standard SQL Server functionality and requires SQL 2016/2017 Enterprise or SQL 2019 Standard. It is currently un-tested with Synergetic. Approval for prod use is TBA.

^Ensure Unnecessary SQL Server Protocols are set to 'Disabled'

^Ensure 'Hide Instance' option is set to 'Yes' for Production 
SQL Server instances

For named instance Synergetic config does not allow supplying port number, so needs the browser service to recognise it.

^Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL 
Authenticated Logins Within the Sysadmin Role

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.

^Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL 
Authenticated Logins

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.Authenticated Logins

Not supported for default instances . May have issue with changing port on default instance as Synergetic config does not allow supplying of port number in the configuration file. However, this would works okay for named instances using the SQL Browser Service but then CIS 2.12 could not be performed to 'hide' the instance. 

Current Synergetic CLR settings are defined as follows: 

System.Drawing UNSAFE_ACCESS 

SynStreamCrypt SAFE_ACCESS 

Synergetic.Database.CLR UNSAFE_ACCESS 

GroupConcat SAFE_ACCESS 

SqlRegEx SAFE_ACCESS 

Synergetic.Database.CLR.XmlSerializers EXTERNAL_ACCESS 

Cryptography A.10

Website folder security

• App pool users (eg. IIS AppPool\SynWeb) should only have read & exec access to the website folders

Special permission access should only be available as follows:

• "C:\Windows\Temp" "IIS_IUSRS" "Modify"
• "inetpub\wwwroot\Reports" "IIS_IUSRS" "Read"
• "inetpub\wwwroot\SynWeb\App_Sprites" "IIS AppPool\SynWeb" "Modify"
• "inetpub\wwwroot\SynWeb\Site" "IIS AppPool\SynWeb" "Modify"
• "inetpub\wwwroot\SynWeb\Site\Certificates" "IIS AppPool\SynWeb" "Read, Write"
• "inetpub\wwwroot\SynWeb\Uploads" "IIS AppPool\SynWeb" "Modify", "IUSR" "Modify", "IIS_IUSRS" "Modify"
• "inetpub\wwwroot\SynergeticCommunityPortal\Site" "IIS AppPool\SynCommPortal" "Modify"
• "inetpub\wwwroot\SynergeticCommunityPortal\Site\Certificates" "IIS AppPool\SynCommPortal" "Read, Write"

Management of privileged access rights

A.9.2

Authentication for SynWeb and Community Portal

• SAML or other SSO auth method is used

Community Portal Administrators

• Security role is restricted to system admin users

Management of privileged access rights

A.9.2

Synergetic Windows Application (SynMain)

• User Authentication is via Windows Authentication

Synergetic Application Share

• Read&Exec only to staff who require Synergetic app access
• Write access only to \Forms and \Reports\Site for admin users or report developers
• No additional files are stored in the application share (eg. sensitive data extracts)

Management of privileged access rights

A.9.2

Group/User Security Maintenance

• Accessible only to system administrators (restricted set)

Management of privileged access rights

A.9.2

Management of privileged access rights

A.9.2

General Ledger Users

• User list is current and only contains authorised users
• Permissions to view 'all accounts' is restricted to authorised users

Management of privileged access rights

A.9.2

Business Unit Users

• User list is current and only contains authorised users
• Purchase Order super authorisers is restricted

Payroll (if used)

• Payroll Encryption is enabled

Document Classification Security

• Restricted to authorised users

Synergetic Security Groups - Framework

• Security Group framework (eg. tiered, role based) list and each group purpose is documented
• Naming standards are defined
• Tiered / role based permission sets are used
• Redundant groups are renamed or removed

Synergetic Security Groups - Membership

• Groups do not contain inactive staff
• Group membership is approved by module data 'asset' owners - eg. General Ledger access is authorised by the Business Manager/Accountant. Enrolments data view or change permissions is approved by the Head of Admissions.

Synergetic Security Groups - Permissions

• Permission change management procedures in place (including request approval and logging)
• Change logs are reviewed - no unauthorised changes have occurred in past period (ConfigGroupSecurityHistory)
• Permission sets are reviewed on a periodic basis

Synergetic Permission Extract

• Extract is provided regularly for review
• Review and sign off from system admin and management

If DocMan Import Service is used:

• DocMan UNC share paths are secured by user role

Synergetic Security - Best Practices