Best practices for Cayosoft Administrator password Self-Service server deployment

For additional security related details please see the Cayosoft Document titled High Availability and Security

Follow Microsoft best practices where applicable, see Microsoft Security Best Practices to Protect Internet Facing Web Servers

Within IIS always require/Force SSL so only a HTTPS connection can be made from the server.

Deploy a stand-alone Windows Web Server on which you will run Cayosoft Administrator, see Installation of Cayosoft Administrator server dedicated for Self Service operations

Only configure the Cayosoft Active Directory Extension as it is all that is needed for password reset.

Create a least privileged Service Account with only the necessary permissions to accomplish Self-Service Password Resets & Account Unlock

Configure externally facing server to only speak to a AD DC in same DMZ as the Cayosoft Self-Service Password Reset Server.

Export security key and keep it in a safe place off-line. The security key is used to encrypt all passwords in the Cayosoft database.

Use the Cayosoft Password Policy to require strong passwords: long, complex and without any pragmatic words present.

Do not expire passwords. Microsoft's official security position to not expire passwords periodically without a specific reason. We found that your current policy is set to require a password reset every 999 days. (https://security.microsoft.com/securescore from Microsoft Secure Score)