
Security Hardening for Invicti Enterprise On-Premises

This document is for:
Invicti Enterprise On-Premises

You can follow this security hardening guide to improve the security of your On-Premises installation.

Updating to the current version

It is strongly recommended that you always run the latest version of Invicti Enterprise On-Premises.

Invicti Enterprise is available as an On-Demand and an On-Premises solution. The On-Premises solution runs on your own servers and network, so it is strongly recommended that you update it manually whenever a new version is released.

  • Updating lets you scan your web applications with new security checks and improvements against the latest threats. Each new version also includes fixes and improvements for the On-Premises solution itself.
  • When Invicti releases a new version of the On-Premises solution, it pushes this version to all users and displays a notice saying, “A new version of Invicti Enterprise is available. Download the latest version.” This notice also includes the release notes.

For further information, see Updating Invicti Enterprise On-Premises.

Configuring the SSL/TLS Certificate for Invicti Enterprise Application Server

Unless your Invicti Enterprise Application Server is configured to use HTTPS, the traffic between the Invicti Enterprise Agents and the Invicti Enterprise Application Server will be sent in cleartext.

  • Invicti Enterprise requires Transport Layer Security (TLS) for the communication between the Application Server and the Agent(s).
  • The application server in Invicti Enterprise provides the web interface that enables the efficient administration and automation of scans. This is the application that you see and use via the Invicti Enterprise UI.
  • The agent is a service application that executes scans and informs the application server of the results.

The following diagram shows the architecture of Invicti Enterprise.

If you do not configure HTTPS for the application server, its communication with the agents will be in cleartext. To prevent this, install your website certificate in Microsoft IIS. For further information about installing SSL certificates, see Step-by-Step instructions on Installing SSL Certificate on Microsoft IIS 8, 8.5 and 10.

How to configure the SSL/TLS Certificate for Invicti Enterprise Application Server
  1. Log in to the Invicti Enterprise Application Server with an admin account.
  2. From the main menu, select Settings > General.
  3. In the Server Root URL field, replace the protocol with ‘https’.
  4. If you completed the SSL/TLS configuration before installing any of the Invicti Enterprise Agents, you do not need to complete the following steps, because your configuration should already be correct.

If you need to go back and update your Agents, however, do the following:

  • Open the Invicti Enterprise Agent’s config file (default location is C:\Program Files (x86)\Invicti Enterprise Agent\appsettings.json) and change the ApiRootUrl value, shown here with its default cleartext value, to the new HTTPS URL:
  "AgentInfo": {
    "AgentName": "Agent-1",
    "AgentType": "Standard",
    "ApiRootUrl": "http://localhost:80",
    "ApiToken": ""
  }
  • Restart the server on which the agent is installed. For the Agent to connect successfully to the Invicti Enterprise Application Server, the HTTPS connection must be free of SSL/TLS errors. If you see any certificate errors, as illustrated below, the agent will not be able to connect to the application server because of this SSL/TLS validation error:

You can install an internally trusted certificate on the Invicti Enterprise Application Server and the Invicti Enterprise Agents. Once the application server, the agents and the browsers that access the UI all trust this certificate, everything will work as expected. Refer to your operating system manuals for more information about how to add a CA certificate as a trusted root authority.
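The agent-side part of this procedure, as an added PowerShell example (not Invicti’s own tooling): it first checks that the agent host validates the application server’s certificate with the same chain, name and expiry checks the agent relies on, and only then rewrites ApiRootUrl and restarts the agent. The HTTPS URL, the agent service name and the config path are assumptions; replace the placeholders with your own values.

```powershell
# Added example (not Invicti's own code). Assumptions: appsettings.json is at the default path from
# this guide, $NewRootUrl is your Server Root URL over HTTPS, and the service name is a placeholder.
$ConfigPath   = 'C:\Program Files (x86)\Invicti Enterprise Agent\appsettings.json'
$NewRootUrl   = 'https://invicti.example.internal'   # constructed value, replace with your Server Root URL
$AgentService = '<AGENT-SERVICE-NAME>'               # placeholder: find it with Get-Service on the agent host

# 1. Check that this host trusts the application server's certificate before changing anything.
#    The default SslStream validation callback performs full chain/name/expiry checks; any failure here
#    is the same SSL/TLS validation error that stops the agent from connecting.
function Test-ServerTls {
    param([uri]$Url)
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Url.Host, $Url.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Url.Host)
        return [pscustomobject]@{ Ok = $true; Protocol = $ssl.SslProtocol; Issuer = $ssl.RemoteCertificate.Issuer }
    } catch [System.Security.Authentication.AuthenticationException] {
        return [pscustomobject]@{ Ok = $false; Error = "certificate validation failed: $($_.Exception.Message)" }
    } catch {
        return [pscustomobject]@{ Ok = $false; Error = "connection failed: $($_.Exception.Message)" }
    } finally {
        if ($tcp) { $tcp.Close() }
    }
}

$check = Test-ServerTls -Url $NewRootUrl
if (-not $check.Ok) {
    Write-Error "$($check.Error). Install the issuing CA as a trusted root on this host, then rerun."
    return
}
Write-Host "TLS OK ($($check.Protocol)), certificate issued by: $($check.Issuer)"

# 2. Back up the config and change only the ApiRootUrl value under AgentInfo.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
$cfg.AgentInfo.ApiRootUrl = $NewRootUrl
$cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8

# 3. Restart the agent so it reconnects over HTTPS (the guide restarts the whole server; restarting
#    the agent service is the minimal equivalent).
Restart-Service -Name $AgentService
```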

Encrypting connections to the SQL Server

Enabling SSL/TLS encryption increases the security of data transmitted between the SQL Server and Invicti Enterprise Application Server. This is only necessary if the SQL Server is installed on a different server in a different network.

How to encrypt connections to SQL Server
  1. First, configure an SSL/TLS certificate for your SQL Server instance (see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console).
  2. Next, from the main menu, select Settings > Database.
  3. On the Database Settings page, enable the Encrypt Connection checkbox.

Enabling two-factor authentication / Universal 2nd factor authentication (U2F)

You can also enable two-factor authentication. The two-factor authentication setup does not require an online connection and does not transmit any data to outside networks.

For further information, see Enabling Two-Factor Authentication.

Setting up the firewall

Invicti Enterprise was designed to operate inside a trusted, firewalled internal network. Invicti Enterprise must be protected by an external firewall. The Windows firewall should be sufficient to protect Invicti Enterprise.

  • Invicti automatically encrypts communication between nodes using TLS; however, it is recommended that firewalls are enabled on machines that host Invicti Enterprise.
  • Please note that by default, the Invicti Enterprise On-Premises installation process does not configure ports in the Windows firewall; you should do this manually if external access is required.
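Because the installer leaves the Windows firewall untouched, the inbound rule for the application server has to be created by hand. The following added PowerShell example (not part of Invicti’s installer) allows the HTTPS port only from the agent hosts and the administrators’ subnet, confirms the default inbound action is Block, and lists any other enabled rule that exposes the port to every remote address. The addresses and port are constructed values.

```powershell
# Added example (not Invicti's own code). Assumptions: the application server listens on TCP 443 after
# the HTTPS change, and the agent and admin addresses below are constructed values for your network.
$AgentHosts = @('10.0.20.11', '10.0.20.12')   # constructed: addresses of the Invicti Enterprise Agents
$AdminNet   = '10.0.10.0/24'                   # constructed: subnet from which administrators use the UI
$Port       = 443

# Allow only the agents and the admin subnet to reach the application server. Note that the cleartext
# port 80 is deliberately not opened; agents should only ever use the HTTPS Server Root URL.
New-NetFirewallRule -DisplayName 'Invicti Enterprise - HTTPS from agents and admins' `
    -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow `
    -RemoteAddress ($AgentHosts + $AdminNet) -Profile Domain,Private

# Scoping the allow rule only matters if everything else is blocked by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Verification: report enabled inbound allow rules that open this port (or all ports) to any remote
# address, which would silently undo the restriction above.
function Get-UnscopedInboundRules {
    param([int]$LocalPort)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        ($portFilter.LocalPort -contains $LocalPort -or $portFilter.LocalPort -eq 'Any') -and
        ($addrFilter.RemoteAddress -eq 'Any')
    }
}

Get-UnscopedInboundRules -LocalPort $Port | Select-Object DisplayName, Profile, Group
```

Any rule the verification step prints should be either removed or scoped to the same remote addresses as the Invicti rule.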

Restricting access to the server

Invicti Enterprise’s configuration files and log files may contain sensitive information. Therefore, it is highly recommended to restrict physical access to the machine that is running Invicti Enterprise.

Also, ensure that only authorized and trusted users have access to the Invicti files in the C:\Program Files (x86)\Invicti Enterprise Web Application\App_Data folder.