Synergetic Security Review Template (2021)
Synergetic databases and applications require adequate security configuration through multiple layers of the environment. They main objective of this exercise is to protect the database and system availability to ensure that confidential data is kept private and the system is secured and continually accessible to users who need access. This review focuses on helping to improve system security, however for improved business continuity practices it is recommended to also consider additional options that may provide improved performance, high availability and disaster recovery. The key focus points of this template are for hardening security configuration within a Synergetic environment across the following layers:
- Information Security Management
- Network Security
- Database Security
- Web Server Security
- Application Security
- Supporting Services Security
Refer to Synergetic Data Privacy and Security Information Sheet - Synergetic User Hub - Synergetic Wiki for a top level overview.
The review process aims to highlight risk factors and provide guidance for the organisation in line with:
- Synergetic platform security best practices
- Incorporated aspects of the ISMS ISO 27001 related to application and data protection
- Center for Internet Security (CIS) hardening guide
- SQL 2016/2017/2019 https://www.cisecurity.org/benchmark/microsoft_sql_server/ - this has been reviewed in detail and the recommended settings incorporated to this guide.
- IIS https://www.cisecurity.org/benchmark/microsoft_iis/ - note that the CIS IIS benchmark guide should be consulted separately and has not been directly incorporated into this review template.
The Synergetic Security Information Sheet will assist with understanding of the types of sensitive and personal data stored within Synergetic, some of the regulations that may apply to your school and top level technical areas to secure. Each individual school should verify their own regulatory information system and data protection requirements to ensure compliance. This register is not considered comprehensive to overall data and information system protection and should be used as a supplementary guide only. This register is constantly evolving and feedback is welcomed via Discourse to help improve it.
INFORMATION SECURITY MANAGEMENT
This includes policies, procedures and documentation in place to protect sensitive data.
Information from the client system admin and management is required for this section.
Seq | Recommended Controls | Control Reference | Findings | Risk Rating (Critical, High, Medium, Low) |
---|---|---|---|---|
1 | Policies for Information Security are:
| Management direction for information security A.5.1 | ||
2 | Information security and data privacy roles and responsibilities:
| Organization of information security A.6.1 | ||
3 | Asset, data classification and information flow
| A.8.1 |
NETWORK SECURITY
To identify organisational assets and define appropriate protection responsibilities.
Seq | Recommended Controls | Control Reference | R* | Findings | Risk Rating (Critical, High, Medium, Low) |
---|---|---|---|---|---|
1 | All Synergetic servers and data backups are documented in an inventory ideally with supporting network diagram.
| Asset Management - Inventory of Assets A.8.1.1 Operational procedures and responsibilities A.12.1 | |||
2 | Physical access to the Synergetic database servers and backups is restricted
| Physical and environmental security A.11.1 | |||
3 | Network access
| Access Control - Access to networks and network services A.9.1.2 | |||
4 | User access provisioning
| User Access Management A.9.2.1 A9.2.2 | |||
5 | Administrator user accounts
| User Access Management A.9.2.3 | |||
6 | Password management
| User responsibilities A.9.3 User access management A9.2.4 | |||
7 | Review of User Access Rights
| User access management A.9.2.5 | |||
8 | Inbound access to SQL and Web server is protected by firewall
| Access Control - Access to networks and network services A.9.1.2 | |||
9 | Outbound internet access from SQL, Web and Service Suite Servers is restricted by firewall Outbound access may be required for:
| Communications Security A.13 | |||
10 | Network traffic is protected by Intrusion Prevention System (IPS) or Web Application Firewall (WAF) or other | Protection from Malware A.12.2.1 | |||
11 | SMTP relay access from Synergetic servers and application is restricted
| Communications Security A.13 | Y |
*R= can be assessed remotely without input from stakeholders - y = YES P=Partially but additional info required from the stakeholders.
DATABASE SECURITY
Seq | Recommended Controls | Control Reference | R* | Findings | Risk Rating (Critical, High, Medium, Low) |
---|---|---|---|---|---|
1 | Local administrators group is restricted on the SQL Servers | Management of privileged access rights A.9.2.3 | Y | ||
2 | Remote Desktop/server access to SQL Servers:
| Management of privileged access rights A.9.2.3 | P | ||
3 | Service Accounts
| Management of privileged access rights A.9.2.3 CIS 3.5-3.7 | P | ||
4 | File shares and permissions
| Management of privileged access rights A.9.2.3 | P | ||
5 | Synergetic data and backup files are protected
| Access Control -Access control policy A.9.1.1 | |||
6 | Database backups are performed
| Backup A.12.3 | P | ||
7 | Database Version
| CIS 1.1 | Y | ||
8 | Database Security
| CIS 1.2 | Y | ||
9 | Database Security - use of 'sa' account
OR
**Renaming of 'sa' account is not supported by Synergetic, even if it is disabled it must still exist as 'sa' | CIS 2.13 | P | ||
10 | Database Security - server level SQL logins limited to:
| Synergetic Security - Best Practices | Y | ||
11 | Database Auditing and Logging
| CIS 5.1 | Y | ||
12 | Database Logon auditing
**Important note - this can be considered however note that it will increase the SQL event log size significantly. Please use with caution and monitor disk/log size. | CIS 5.4 | Y | ||
13 | Database Security
| Synergetic Security - Best Practices | Y | ||
14 | Database Security - Orphaned users
| CIS 3.3 | |||
15 | Database Security - Fixed SQL Server Roles
| Synergetic Security - Best Practices | P | ||
16 | Database Security - Fixed SQL Database Roles
| Synergetic Security - Best Practices | Y | ||
17 | Database Administration - Synergetic Fixed Database Roles
| Synergetic Security - Best Practices | Y | ||
18 | Direct Database Permissions for users and third party service accounts
| Synergetic Security - Best Practices | P | ||
19 |
| Cryptography A.10 | Y | ||
20 | ^Ensure 'Remote Access' Server Configuration Option is set to '0' | CIS 2.6 | Y | ||
21 | ^Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | CIS 2.10 | Y | ||
22 | ^Ensure 'Hide Instance' option is set to 'Yes' for Production For named instance Synergetic config does not allow supplying port number, so needs the browser service to recognise it. | CIS 2.12 | Y | ||
23 | ^Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL **Note that Windows auth is preferred for users & third party vendors so this should not normally apply. | CIS 4.2 | |||
24 | ^Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL **Note that Windows auth is preferred for users & third party vendors so this should not normally apply.Authenticated Logins | CIS 4.3 |
*R= can be reviewed remotely without input from client - y = YES P=Partially, ie. additional info required from client.
^These are additional checks - experimental and should be applied to test server before sign off for production
Unsupported SQL Server CIS Recommendations
Please note, as of the time of writing the following CIS recommendations are likely to cause issues with Synergetic funtionality due to underlying dependencies.
CIS | Description | Reason |
---|---|---|
2.2 | Ensure 'CLR Enabled' Server Configuration Option is set to '0' | Required for underlying logic |
2.9 | Ensure 'Trustworthy' Database Property is set to 'Off' | Required for CLR access |
2.11 | Ensure SQL Server is configured to use non-standard ports | Not supported for default instances . May have issue with changing port on default instance as Synergetic config does not allow supplying of port number in the configuration file. However, this would works okay for named instances using the SQL Browser Service but then CIS 2.12 could not be performed to 'hide' the instance. |
2.14 | Ensure the 'sa' Login Account has been renamed | Synergetic has dependencies on DB owner matching the user that created the CLRs, which is normally ‘sa’ and set the DB owner to dbo (which is linked to sa). |
2.16 | Ensure no login exists with the name 'sa' | As above, ‘sa’ user is required but can be disabled |
3.1 | Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' | Synergetic requires mixed mode - normal staff and admin user accounts can all use Windows Auth but the application has internal SQL user accounts (zSynergetic_*) managed by the patch process and used for each application |
3.4 | Ensure SQL Authentication is not used in contained databases | As above, Synergetic uses contained users for the zSynergetic* application user accounts |
6.2 | Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies | Current Synergetic CLR settings are defined as follows: System.Drawing UNSAFE_ACCESS SynStreamCrypt SAFE_ACCESS Synergetic.Database.CLR UNSAFE_ACCESS GroupConcat SAFE_ACCESS SqlRegEx SAFE_ACCESS Synergetic.Database.CLR.XmlSerializers EXTERNAL_ACCESS |
WEB SERVER SECURITY
Please refer to https://www.cisecurity.org/benchmark/microsoft_iis/ for industry standard web server hardening recommendations.
Seq | Recommended Controls | Control Reference | R* | Findings | Risk Rating (Critical, High, Medium, Low) |
---|---|---|---|---|---|
1 | Websites protected by SSL certificates | Cryptography A.10 | Y | ||
2 | Application pools operate under app pool identities (not local system) | Synergetic Security - Best Practices | Y | ||
3 | Website folder security
Special permission access should only be available as follows:
| Management of privileged access rights A.9.2 | Y | ||
4 | Authentication for SynWeb and Community Portal
| Cryptography A.10 | Y | ||
5 | Community Portal Administrators
| Management of privileged access rights A.9.2 | P |
*R= can be reviewed remotely without input from client - y = YES P=Partially, ie. additional info required from client.
APPLICATION SECURITY
Seq | Recommended Controls | Control Reference | R* | Findings | Risk Rating (Critical, High, Medium, Low) |
---|---|---|---|---|---|
1 | Synergetic Windows Application (SynMain)
| Synergetic Security - Best Practices | Y | ||
2 | Synergetic Application Share
| Management of privileged access rights A.9.2 | Y | ||
3 | Group/User Security Maintenance
| Management of privileged access rights A.9.2 | P | ||
4 | SynSuperUser Group membership is restricted to authorised users | Management of privileged access rights A.9.2 | P | ||
5 | General Ledger Users
| Management of privileged access rights A.9.2 | P | ||
6 | Business Unit Users
| Synergetic Security - Best Practices | P | ||
7 | Payroll (if used)
| privileged A.10 | Y | ||
8 | Document Classification Security
| Synergetic Security - Best Practices | P | ||
9 | Synergetic Security Groups - Framework
| Synergetic Security - Best Practices | P | ||
10 | Synergetic Security Groups - Membership
| Synergetic Security - Best Practices | P | ||
11 | Synergetic Security Groups - Permissions
| Synergetic Security - Best Practices | P | ||
12 | Synergetic Permission Extract
| Synergetic Security - Best Practices | P |
*R= can be assessed remotely without input from stakeholders - y = YES P=Partially but additional info required from the stakeholders.
SUPPORTING SERVICES SECURITY
Seq | Recommended Controls | Control Reference | R* | Findings | Risk Rating (Critical, High, Medium, Low) |
---|---|---|---|---|---|
1 | If DocMan Import Service is used:
| Synergetic Security - Best Practices | Y | ||
2 | Services run under low level domain user account | Synergetic Security - Best Practices | Y |
*R= can be assessed remotely without input from stakeholders - y = YES P=Partially but additional info required from the stakeholders.
Disclaimer:
The items and guidance listed in this register are based on the opinion or view from individual consultants at Synergetic.
Whilst all care has been taken in preparing this guide, Education Horizons Group does not warrant that the contents of this report (i.e. information, recommendations, opinions or conclusions contained in this report (“Information”)) is accurate, reliable, complete or current. The Information does not purport to contain all matters relevant to the usage of Synergetic software. The Information has been prepared on the basis of circumstances and technology current as at the date of the report and care should be taken by the School to determine if circumstances have changed in a manner which would affect the Information. To the extent permissible by law, Education Horizons Group shall not be liable for any errors, omissions, defects or misrepresentations in the Information or for any loss or damage suffered by persons who use or rely on such Information (including by reasons of negligence, negligent misstatement or otherwise). If any law prohibits the exclusion of such liability, Synergetic limits its liability to the re-supply of the Information, provided that such limitation is permitted by law and is fair and reasonable.