Recommended security settings for MyWorkDrive
The default configuration of MyWorkDrive, Windows Server and your firewall is designed to get MyWorkDrive server up and running with minimum effort; however, settings should be adjusted to improve security before deploying to production.
This is a specific list of recommendations for security settings in MyWorkDrive. A more general discussion of MyWorkDrive security architecture can be found in our Security Overview.
Many of the recommendations made are covered in further detail in our Server Setup Guide and the links provided below.
General Security Settings
- Use Antivirus on your file shares; set exclusions for the MyWorkDrive server as noted in our Antivirus Settings for MyWorkDrive article.
- Adjust Windows Security settings as recommended in our Steps to lockdown IIS for Compliance and Security article.
- Adjust Firewall and network security, permitting the appropriate ports, addresses and services as outlined in our Firewall Settings for MyWorkDrive article.
- NTFS permissions should follow the principle of least privilege. Recommended settings for file shares are available in our Windows File Sharing article.
MyWorkDrive Server Settings
- Either enable the Cloud Web Connector, or set up an SSL certificate and Require SSL for login. As of version 5.4.1, the Cloud Web Connector uses Cloudflare, which includes a number of security benefits as outlined in our Cloudflare Integration article.
- Disable any clients you are not using. If you do not intend to support any of the three available clients (Web Client, Map Drive client or Mobile client) disable them in Settings.
- When enabling Map Drive and Mobile Clients, set a minimum client version to match the version installed with the MyWorkDrive server. That is, if you are installing a new MyWorkDrive instance, set the minimum version of the Clients to match the installed server version. If you are updating MyWorkDrive server, update clients as appropriate to take advantage of security updates and performance improvements.
- Set up a Block or Allow list for the Map Drive client to restrict file types.
- Disable WebDAV, unless you are using a device or service which requires it. MyWorkDrive does not require WebDAV to be enabled; the setting in Settings allows MyWorkDrive to act as a WebDAV server to permit connections by legacy devices.
- Disable OneDrive and Outlook sharing if you do not intend to support them.
- Adjust Session Timeouts at the bottom of the Settings page to be appropriate for your organization. The time listed is in minutes.
MyWorkDrive Enterprise Settings
- Enable SSO. We support most SSO providers via SAML through manual configuration, and have included easy setup wizards for ADFS, AzureAD, OneLogin, Okta and Shibboleth.
- Enable MFA if not included with your SSO. We have included Duo for users who do not have an MFA through their SSO.
- Enable Data Leak Prevention and apply it to shares where users should not be permitted to download files.
- Either set up the Alerts feature to notify you by email of unusual activity by users/clients accessing shares, or set up log aggregation software to capture the logs and provide monitoring/processing. Login and User Activities are stored in C:\Wanpath\WanPath.Data\Logs\AdminDashboard\