Security & SQL Database Best Practices

1. Security and Workflows

Connection to the Web Console

Starting with v8.0.1, the CurrentWare web console will have a preconfigured self-signed SSL certificate that is enabled by default. This will ensure that network communication to and from the CurrentWare web console is encrypted.

NOTE: Since this is a self-signed certificate that is not issued by any public certificate authority, you will likely see a warning message in your web browser when accessing the CurrentWare web console from an external computer.

Rest assured that your remote access to the web console is secure; web browsers simply warn users when self-signed certificates are detected as they do not have validation of its legitimacy from a third-party certificate authority.

SQL Server Application workflow

All tracked data is temporarily stored on the local machine where the cwClient is installed. It holds the data in an encrypted local database before it sends the data to the CurrentWare Server.

Once the server receives the data and stores it on the server’s SQL database, it will delete the local data from the local client database.

CurrentWare Client to CurrentWare Server Communications

The Client talks to the Server using socket technology on several CurrentWare ports ranging from 8989 to 8998. You can see each one here: https://www.currentware.com/support/open-ports/. The Client sends the data from the client machines to the server via HTTPS encryption.

CurrentWare Server to SQL Database Communication

The CurrentWare Server will process updates of information to the SQL database by using the default local SQL ports 1433 and 1434.

Support for SQL Transparent Data Encryption (TDE)

Transparent data encryption (TDE) encrypts your SQL Server to improve the security of your database. This encryption is known as encrypting data at rest.

By using TDE you can ensure that in the event a malicious actor is able to bypass your security measures and steal your database, the data remains unintelligible to them without the decryption key.

TDE encrypts the storage of an entire database by using a symmetric key called the Database Encryption Key (DEK). On database startup, the encrypted DEK is decrypted and then used for decryption and re-encryption of the database files in the SQL Server database engine process.

In version 8.0.1+ organizations with paid versions of SQL Server can implement TDE on the SQL database used to store their CurrentWare data.

⚠️IMPORTANT NOTES

  • TDE is not compatible with the SQL Express that comes prepackaged with CurrentWare. If you would like to use TDE you must upgrade to a paid version of a SQL server such as SQL Server Standard or SQL Server Enterprise, then migrate your CurrentWare SQL Express database to your new database.
  • If you enable TDE on your SQL database any other software you have connected to that same database will also have TDE enabled. To avoid conflicts with other software that may not support TDE it is recommended that you use a dedicated SQL database for your CurrentWare installation.

When can CurrentWare access my data?

CurrentWare can only access data if a request is explicitly made by an appropriate security contact by the Customer for support.

Our team first attempts to provide support without receiving data or information from the Customer. However, if detailed logs or servers are needed, our Tier 2 Support will request this information from the Customer.

We respect the privacy of the information transmitted to us based on our End User Licence Agreement & Privacy Policies. We will only access the necessary data for support & troubleshooting purposes.

Who has access to my data?

Note: This only applies to BrowseReporter, AccessPatrol & enPowerManager reporting features

The CurrentWare team has no ability to access your users’ activity data unless you explicitly provide it.

The CurrentWare server & client are installed locally on the customer’s PCs & network. Server data is only accessible by your organization’s privileged users with access to the Server PC/location and Console, which is password protected. You can also have your accounts secured with 2-factor authentication.

Client data is hidden on local PCs and encrypted. Once it is transmitted to the server, it is removed from the client side.

Your CurrentWare software deployment can track data from your end user’s Internet, bandwidth, application, PC usage, and endpoint activities with BrowseReporter, AccessPatrol, and/or enPowerManager.

By default, the data you collect remains in your database indefinitely unless you manually delete specific types of data with the included database data deletion tools or you configure the Auto Delete Scheduler to automatically delete data that is older than X days.

2. Best Practices for BrowseReporter Configuration:

a. Do you need to track the browsing bandwidth usage?

If not needed, turning it off will reduce your storage needs.
This is done by going to Settings > BrowseReporter and unchecking “Enable Bandwidth Tracking”

b. Do you want to auto delete data after a specific time period?

The knowledge base to set up that feature up is here: https://www.currentware.com/support/can-currentware-delete-older-data-automatically/ 

c. Set the CurrentWare Server to auto restart after a specified time period (8hrs+)

This will ensure your client connections are always stable and ensure the data is being uploaded efficiently.
This is done by going to Settings > Server Settings and enabling “Restart CurrentWare server every # of hours”

d. On your initial installation: You can immediately remove other CurrentWare solutions from the command line of your CurrentWare server machine.

  1. Run CMD as Administrator
  2. Run this command:
    • REG DELETE HKLM\SOFTWARE\WOW6432Node\CurrentWare\Plugin\SOLUTIONNAME /f
  3. Replace ‘SOLUTIONNAME’ with the unused solution you want to remove. See below what the commands should look like.
    • AccessPatrol:
      REG DELETE HKLM\SOFTWARE\WOW6432Node\CurrentWare\Plugin\AccessPatrol /f
    • BrowseControl:
      REG DELETE HKLM\SOFTWARE\WOW6432Node\CurrentWare\Plugin\BrowseControl /f
    • BrowseReporter:
      REG DELETE HKLM\SOFTWARE\WOW6432Node\CurrentWare\Plugin\BrowseReporter /f
    • enPowerManager:
      REG DELETE HKLM\SOFTWARE\WOW6432Node\CurrentWare\Plugin\enPowerManager /f
      • Important: ONLY remove the solutions you do not use. CurrentWare is not responsible for lost data or improper filtering due to uninstalling wrong solution(s).
  4. Run the command to delete the solution registry.
  5. Then run C:\Program Files (x86)\CurrentWare\cwConsole\cwConsole.exe
  6. The SQL database tables will update to reflect the removals accordingly.
  7. Log back into your Webconsole to see the changes. Removed solutions should now show not installed when selecting them.


New to CurrentWare? Get Started Today!

“I chose CurrentWare for the solid product that gave more options with a lower price tag, high accuracy, and solid customer support.” -Vincent Pecoreno Network Administrator, Viking Yachts