Hardening the HIAB
Purpose
This article describes the steps needed to further harden the HIAB after completing the installation.
Hardening Procedure
The HIAB is hardened by default, but some functionality must be activated manually, such as restricting both physical and remote access. This can be done through password protection, key-based authentication, Multifactor Authentication (MFA), and restricting management interface access to listed IP addresses or ranges and to specific network interfaces.
It’s recommended to perform these steps when setting up the HIAB.
The Console
Password protect the console to restrict unauthorized local access. See HIAB Console Password Management.
Add trusted keys when setting up remote SSH access to the HIAB console. The HIAB console is hardened by default and cannot be accessed via SSH unless an administrator adds trusted keys in the management settings; this means that key-based authentication is enforced rather than password-based authentication. See Configuring and Accessing the HIAB console using SSH.
The HIAB Management Interface
Restrict the HIAB management interface to only accept connections on a specific network interface. This means that the management interface cannot be reached from a scanned network, even where exposing the HIAB on that network would otherwise constitute a risk. See Configure UI Management Interface.
Configure the HIAB's management interface to only allow administrative login from listed IP addresses or ranges. See Access control in HIAB Server Settings.
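The access-control decision described above, restricting administrative login to listed IP addresses or ranges, works as an allowlist check on the source address of each login attempt. The following is an added illustration in Python, not code from Outpost24 or from the HIAB itself; the allowlist entries, the sample login attempts and the function names are constructed for the example. It shows the two properties an operator should confirm when reviewing such a setting: a source outside every listed range is denied, and anything that does not parse as an address is denied by default.

```python
import ipaddress

# Constructed example allowlist: an admin jump host and a management subnet.
# These values are illustrative placeholders, not HIAB defaults.
ADMIN_ALLOWLIST = ["10.10.5.7", "192.168.100.0/24"]


def build_allowlist(entries):
    """Parse single addresses and CIDR ranges into network objects.

    strict=False accepts a range written with host bits set, e.g.
    192.168.100.1/24, and normalises it to 192.168.100.0/24.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_admin_login_allowed(client_ip, allowlist):
    """Return True only if client_ip lies inside at least one listed range.

    Anything that does not parse as an IP address is denied: default-deny
    is the safe outcome for an access-control check.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # Only compare against ranges of the same IP version.
    return any(addr in net for net in allowlist if addr.version == net.version)


# Constructed sample of administrative login attempts as (source IP, username).
SAMPLE_ATTEMPTS = [
    ("10.10.5.7", "admin"),          # the jump host: allowed
    ("10.10.5.8", "admin"),          # a neighbour of the jump host: denied
    ("192.168.100.200", "auditor"),  # inside the management subnet: allowed
    ("172.16.0.4", "admin"),         # a host on a scanned network: denied
    ("not-an-ip", "admin"),          # malformed source: denied
]


def audit_attempts(attempts, allowlist):
    """Return (ip, user, allowed) for each attempt, the way an operator would
    confirm that only listed sources can reach the management login."""
    return [(ip, user, is_admin_login_allowed(ip, allowlist)) for ip, user in attempts]


if __name__ == "__main__":
    nets = build_allowlist(ADMIN_ALLOWLIST)
    for ip, user, allowed in audit_attempts(SAMPLE_ATTEMPTS, nets):
        print(f"{ip:>16} {user:<8} {'ALLOW' if allowed else 'DENY'}")
```

Keep the allowlist as narrow as the administrative workflow permits: a dedicated jump host or management subnet rather than a whole office range, so that a compromised workstation on a scanned network cannot reach the login page at all.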
Access and Authentication
Enable Multifactor Authentication (MFA) for logins to the HIAB. See Two Factor Authentication.
HIAB supports role-based authentication, meaning that access to administrative functionality in the tool is limited according to the role granted to each user. See User Roles.
The HIAB itself can integrate with Active Directory (AD), or with existing identity providers (IdPs) via SAML, and map identities. See Netsec Integration.
The HIAB, if used as a stand-alone system, can be configured to match your organization's password policy or best practices.
New Releases and Updates
Make sure to schedule updates so that you do not miss any security releases or updates. See HIAB Updates.
Security releases are bundled with vulnerability definitions, which are released regularly. Updates and security releases are tested for stability and security prior to release.
Encryption
Although the disk is generally not encrypted, sensitive data such as configuration credentials is stored encrypted or as salted hashes.
Backups, however, are encrypted even though the disk content is not. See HIAB Backup.
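To make concrete what "salted hashes" buys in the credential-storage statement above, here is an added Python illustration; it is not Outpost24 code and says nothing about how the HIAB implements its own storage. It assumes PBKDF2-HMAC-SHA256 with a per-credential random salt and an illustrative iteration count, and the record format and function names are constructed for the example. The point it demonstrates is that the same secret stored twice yields two different records, so a stolen table cannot be attacked with one precomputed lookup, while each record still verifies against the correct secret.

```python
import base64
import hashlib
import hmac
import os

# Assumption: an illustrative PBKDF2 work factor, not a documented HIAB setting.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_credential(secret, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per credential means two identical secrets produce
    different records; the salt is stored in the clear because its job is
    uniqueness, not secrecy.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_credential(secret, stored):
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed or unrecognised records fail closed rather than raising.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def salt_makes_records_differ(secret):
    """Store one secret twice: with per-record salts the two records differ,
    yet both verify against the secret."""
    first = hash_credential(secret)
    second = hash_credential(secret)
    return first != second and verify_credential(secret, first) and verify_credential(secret, second)


if __name__ == "__main__":
    # Constructed sample credential, as a scan configuration might hold for a
    # service account; no real secret is used here.
    record = hash_credential("scanner-service-account-secret")
    print(record)
    print("verify correct:", verify_credential("scanner-service-account-secret", record))
    print("verify wrong:  ", verify_credential("guess", record))
    print("salted records differ:", salt_makes_records_differ("same-secret"))
```

The encoded iteration count lets the stored work factor be raised later without breaking existing records, and the constant-time comparison avoids leaking how many leading bytes of a guess matched.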
Support
The remote support function allows Outpost24 support to remotely access a customer's HIAB through SSH. This function is turned off by default and needs to be activated only if required. See HIAB remote support.
Remote Support uses mutual key-based authentication, meaning that the HIAB as well as the Outpost24 remote support personnel strongly authenticate using keys. See HIAB remote support.
Support staff access to the remote support platform is monitored and logged, and restricted to staff who are screened and adequately trained.
Reference
Related Articles
- Cloud Discovery on HIAB
- HIAB E-mail Whitelisting
- Setting up a HIAB as an Appsec Scale Scanner
- Deploy HIAB on Microsoft Azure
- How DNS Lookup Works in UI and in Console
- HIAB Restore
- Configuring and Accessing the HIAB console using SSH
- Technical Specification
- Virtual HIAB Appliance
- Extend HIAB Disk Space on Azure
- HIAB Backup
- Syslog (HIAB only)
- SNMP (HIAB only)
- LDAP/AD
- HIAB Updates
Copyright
© 2025 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.