Documentation for Access Rights Manager

Secure your ARM deployment

This section provides recommendations and best practices for securing your Access Rights Manager (ARM) deployment.

General

Complete the following tasks in your ARM deployment.

Review the latest release notes. They describe the new features, improvements, and fixed issues implemented in each version. They also provide information about upgrades and describe workarounds for known issues.

Install the latest ARM version, including all service releases. This process ensures that the Windows server hosting ARM is running the latest release with application hardening.

See Prepare to install ARM for additional installation requirements.

Deactivate ARM accounts for users who move to another department or leave your organization. This ensures that unauthorized personnel cannot access the application using an unused account.

See Manage ARM users for more information.

ARM server

Complete the following tasks on the Microsoft Windows server hosting ARM.

Secure the ports using IP whitelisting.

IP whitelisting is supported only on systems with Windows Firewall. If you are using another firewall vendor, follow the vendor's firewall documentation and manually apply the firewall settings as instructed below.

SolarWinds strongly recommends installing ARM on a dedicated server that is neither public nor internet-facing.

To learn about best practices for configuring your ARM installation securely, see Best practices to secure SolarWinds Products.

ARM and SolarWinds Platform products must be installed on separate servers. ARM is not a SolarWinds Platform product.

Reconfigure your firewall settings.

  • Only allow traffic for port 5671 between the ARM Server and collectors.

    The ARM Server runs the ARM service and processes new data and requests. This service also functions as the primary collector.
  • Only allow port 55555 TCP connections between the ARM Server and collectors.

    Port 55555 is the default port for ARM components. ARM uses this port for all communication between the ARM server and client (GUI applications), Web Client, WebAPI, and collectors.
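
The following PowerShell sketch shows one way to apply the port restrictions above with Windows Firewall. It is an added example, not SolarWinds code or part of the original documentation. The collector addresses, the rule name prefix, and the use of TCP for port 5671 are assumptions.

```powershell
# Added example, not SolarWinds code. Run elevated on the ARM server.
# Constructed placeholder addresses (TEST-NET-1); replace with your collector IPs.
# The page also lists GUI clients, Web Client and WebAPI as users of port 55555;
# whether they need entries here depends on where they run (assumption).
$CollectorAddresses = @('192.0.2.10', '192.0.2.11')
$ArmPorts   = @(5671, 55555)        # ports named on this page; TCP assumed for 5671
$RulePrefix = 'ARM-Example'         # hypothetical rule name prefix

# 1. Scoped allow rules only restrict traffic if the firewall is on and blocks by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table

# 2. Find enabled inbound allow rules that already open these ports to any address.
#    Allow rules are additive, so one broad rule defeats the scoping added in step 3.
#    Port ranges (for example 50000-60000) are not expanded by this check.
$broadRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }
    if ($addrFilter.RemoteAddress -notcontains 'Any') { continue }
    foreach ($port in $ArmPorts) {
        if ($portFilter.LocalPort -contains "$port" -or $portFilter.LocalPort -contains 'Any') {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Port      = $port
                LocalPort = $portFilter.LocalPort -join ','
            }
        }
    }
}
$broadRules | Format-Table -AutoSize

# 3. Add one allow rule per port, limited to the collector addresses (idempotent).
foreach ($port in $ArmPorts) {
    $name = "$RulePrefix TCP $port collectors only"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $port -RemoteAddress $CollectorAddresses | Out-Null
    }
}

# 4. Show the resulting scope so it can be reviewed.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

Any rule reported in step 2 must be narrowed or disabled before the scoped rules in step 3 have an effect.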

Configure single sign-on (SSO) for your ARM web applications.

See Prerequisites for single sign-on configuration in ARM for instructions.

Change the user name and password on RabbitMQ.

See Creating a unique RabbitMQ account in SolarWinds ARM for instructions.

Disable NT LAN Manager (NTLM) on the ARM server.

See Is it safe to disable NTLM v1 while using ARM for instructions.

See NTLM Overview located on the Microsoft Learn website for more information about NTLM.

Replace the certificates used to encrypt communications between ARM Server and collectors.

See Replacing the certificates used to encrypt communication between ARM server and collectors for instructions.