Best practices for Cayosoft Administrator password Self-Service server deployment
For additional security-related details, please see the Cayosoft documentation article titled HSecurity.
Follow Microsoft best practices where applicable. See Microsoft Security Best Practices to Protect Internet Facing Web Servers.
Within IIS, always require (force) SSL so that only HTTPS connections can be made to the server.
Deploy a stand-alone Windows Web Server on which you will run Cayosoft Administrator. See Installation of Cayosoft Administrator server dedicated for Self Service operations.
Configure only the Active Directory Extension, as it is all that is needed for password reset.
Create a least privileged Service Account with only the necessary permissions to accomplish Self-Service Password Resets & Account Unlock.
Configure the externally facing server to speak only to an AD DC in the same DMZ as the Cayosoft Self-Service Password Reset Server.
Export the security key and keep it in a safe place offline. The security key is used to encrypt all passwords in the Cayosoft database, see .
Use the Cayosoft Password Policy to require strong passwords: long, complex, and without any pragmatic words present.
Do not expire passwords. Microsoft's official security position is to not expire passwords periodically without a specific reason.
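The least-privileged service account recommended above can be set up with standard Active Directory delegation. The following is an added example, not taken from Cayosoft's documentation, that grants only password reset and account unlock on a single OU and then lists what the account actually holds. The account name, OU and group list are constructed placeholders, and the exact permissions Cayosoft Administrator requires are an assumption to confirm against the product documentation.

```powershell
# Added example: delegate only "reset password" and "unlock account" to the
# Self-Service service account, scoped to one OU, then verify the result.
# Placeholders (constructed for illustration, replace with your own values):
$ServiceAccount = 'EXAMPLE\svc-sspr'
$TargetOU       = 'OU=Staff,DC=example,DC=com'

Import-Module ActiveDirectory

# /I:S applies each entry to child objects only; the trailing ";user"
# limits it to user objects inside the OU.
$grants = @(
    "${ServiceAccount}:CA;Reset Password;user",   # extended right: reset password
    "${ServiceAccount}:RPWP;lockoutTime;user"     # unlock = read/write lockoutTime
)

foreach ($grant in $grants) {
    dsacls.exe $TargetOU /I:S /G $grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for: $grant" }
}

# Verify 1: show every ACE on the OU that names the service account.
# Anything beyond the two entries granted above should be reviewed and removed.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize

# Verify 2: the account should not be a direct member of privileged groups.
# (Direct memberships only; nested membership needs a separate check.)
$sam        = $ServiceAccount.Split('\')[1]
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$memberOf   = Get-ADPrincipalGroupMembership -Identity $sam |
              Select-Object -ExpandProperty Name
$unexpected = $memberOf | Where-Object { $privileged -contains $_ }

if ($unexpected) {
    Write-Warning "$ServiceAccount is a member of: $($unexpected -join ', ')"
} else {
    Write-Output "$ServiceAccount holds no direct privileged group membership."
}
```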