Here are some best practices for maintaining the security of your Web Suite account.
1. Server Administrator (SA) Account
Avoid using the Server Administrator (SA) account when connecting Web Suite to your database, so that a compromise of the web application cannot expose SA. Instead, connect Web Suite with our built-in account BillQuickSQL or with your own account. If you are connecting with BillQuickSQL, be sure to change the default password from ‘Admin’ to something more complex. You should also configure the account with the least permissions it requires.
How do I change the BillQuickSQL password?
To change the BillQuickSQL account password:
- Log in to SQL Server Management Studio (SSMS).
- Expand Security > Logins and right-click on BillQuickSQL and select Properties.
- Under General > Password, type a new password and confirm the new password.
- Click OK.
It is also recommended that you assign only least-privilege roles to BillQuickSQL (or to your own SQL Server account) in your company database. The roles it needs are listed below; you can assign them using SQL Server Management Studio or the SQL script that follows:
- db_datareader
- db_datawriter
- db_ddladmin
-- Replace the placeholder with the name of your Web Suite company database.
USE [Your Web Suite Database Name];
GO
-- Grant the three roles Web Suite needs: read, write, and schema changes (for upgrades).
EXEC sp_addrolemember N'db_datareader', N'BillQuickSQL';
GO
EXEC sp_addrolemember N'db_datawriter', N'BillQuickSQL';
GO
EXEC sp_addrolemember N'db_ddladmin', N'BillQuickSQL';
GO
-- Remove the full-control role so the account holds only the roles granted above.
EXEC sp_droprolemember N'db_owner', N'BillQuickSQL';
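To confirm that the account really ended up with only the roles above, here is an added verification script (not part of the original article or the BillQuick product). It assumes the login is mapped to a database user of the same name, BillQuickSQL, and that you replace the placeholder database name before running it.

```sql
-- Added verification script: reports the roles BillQuickSQL actually holds
-- and flags anything beyond the three least-privilege roles.
USE [Your Web Suite Database Name];   -- placeholder, replace with your database
GO
DECLARE @user sysname = N'BillQuickSQL';
DECLARE @db   sysname = DB_NAME();

-- 1. List every database role the user is currently a member of.
SELECT r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @user
ORDER BY r.name;

-- 2. Fail loudly if db_owner is still present. A database restored from an
--    older backup can silently bring this membership back.
IF IS_ROLEMEMBER(N'db_owner', @user) = 1
    RAISERROR(N'%s is still a member of db_owner in database %s', 16, 1, @user, @db);

-- 3. Report any of the three expected roles that are missing.
--    IS_ROLEMEMBER returns NULL for an unknown role or user, so treat NULL as 0.
DECLARE @expected TABLE (role_name sysname);
INSERT INTO @expected VALUES (N'db_datareader'), (N'db_datawriter'), (N'db_ddladmin');
SELECT e.role_name AS missing_role
FROM @expected AS e
WHERE ISNULL(IS_ROLEMEMBER(e.role_name, @user), 0) <> 1;

-- 4. Server-level check: membership in a fixed server role such as sysadmin
--    would override the database roles, so the result set should be empty.
SELECT sr.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS sr ON sr.principal_id = srm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = srm.member_principal_id
WHERE sp.name = @user;
GO
```

Run it in SSMS after the role-assignment script and after every database restore; a correct setup shows exactly the three roles in step 1 and empty results in steps 3 and 4.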
Change 'SA' Password
We highly recommend that you change your current 'SA' password. Keep it strong and safe. This can be done using SQL Server Management Studio or the below SQL script:
USE [master];
GO
ALTER LOGIN [sa] WITH PASSWORD = N'enter your strong password';
GO
Note: If you have moved your database to a new server and BillQuickSQL is not available, you can re-create this account by right-clicking on Security > New > Login. You must enter a name for it and select the following options:
- General > SQL Server Authentication: you must create a password here.
- Server Roles: select Public.
- User Mapping > WS Database: enter dbo under Default Schema and select role membership for db_owner and public.
- Status: should be Grant for permissions and Enabled for Login.
2. IIS Management > Authentication
We recommend that you disable Anonymous Authentication and enable Windows Authentication. You can accomplish this with the following steps:
- Open IIS (inetmgr).
- Expand Sites > Default Web Site and navigate to your site: WS20xx.
- Click on the site to display Authentication on the right.
- Double-click on it and make these changes by right-clicking on each row and choosing the appropriate option: Anonymous Authentication > Disable, and Windows Authentication > Enable.
What is the purpose of this authentication?
This adds an extra level of security to your website by prompting users to enter their Windows credentials prior to entering the Web Suite login information.
In an Active Directory setting, you can use your Windows login. You are prompted to enter these credentials once in your browser and they are remembered in the future.
In a setting where this is not the case, we recommend creating a general standard user on the server, say Web Suite User, and sharing this login with your Web Suite users.
3. Intranet
If possible, we suggest keeping Web Suite restricted from public access. We recommend setting up a VPN and having users connect to the server through it for Web Suite access, which decreases the risk of exposure.
4. Maintenance
Be sure to take regular daily/weekly/monthly backups that are saved in an offsite location. In case your server is compromised, you can always start on a new system and restore the database backup.
Note: This is applicable to all versions of Web Suite and Microsoft SQL Server.
Quick Tips
- You should change the default password for supervisor.
- Always use a complex password for your users.
- Change your password every month.
- Avoid using the passwords that you use in other online accounts, e.g., your bank account, etc.