HESK Security check list
This page intends to provide basic security tips for HESK administrators. In other words - how to make HESK more secure and less prone to attacks?
#1 Keep HESK updated
As with any software, HESK evolves and receives regular bug and security updates along with feature improvements. Make sure you always use the latest stable version of HESK.
See what patches and upgrades are available for your HESK:
- login to HESK admin panel
- go to the Settings > General page
- click the Check for updates link
- review and install available patches and/or upgrades
To be notified of new HESK versions you should:
- follow HESK on Twitter here (fast update notifications)
- subscribe to the HESK Newsletter here (less frequent notifications)
#2 Use unique usernames and passwords
Do not use the default and common usernames such as Administrator, Admin, Webmaster, etc. These are easy to guess.
Never use the same password for multiple services. Using for example your email password for HESK is a very bad idea. Use long, unique passwords with a combination of lowercase letters, uppercase letters, digits, and symbols.
You can change usernames and passwords on the HESK Team and Profile page.
#3 Use Multi-factor authentication (MFA)
Multi-factor authentication is another layer of protection against unauthorized access to your help desk. When enabled, users need to enter not only their username and password but also a random number (token) that is either emailed to them or generated using a third-party app such as Google Authenticator or Authy.
You can manage your MFA settings on the Profile page.
To force all users to use MFA:
- login to HESK admin panel
- go to the Settings > Help desk page
- under Security find and enable Require Multi-Factor Authentication
- save changes
#4 Use a dedicated database for HESK
Do not use the same MySQL database for all your scripts. If you do, a single vulnerable script could read and modify all your important data.
Always install HESK in a separate MySQL database and use a dedicated database user for HESK.
Do not give other MySQL users access to the HESK database and do not give HESK database user access to other databases.
#5 Rename /admin and /attachments folders and hide admin link
HESK allows you to rename your sensitive folders, so do it:
- rename folder admin to a hard-to-guess name
- rename folder attachments to a hard-to-guess name
- login to HESK admin panel
- go to the Settings > Help Desk page
- enter new names for the Admin folder and Attachments folder settings.
- on the Settings > Misc page uncheck the Admin link option so that no link to your admin panel is shown on the HESK homepage
- save settings
Note 1: you may need to go back to the Settings > Help desk page and enable the Use attachments setting again after these changes!
Note 2: an even further step would be to password-protect your sensitive folders, for example using htaccess on Linux servers.
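As an added example of the password protection mentioned in Note 2 (not part of the HESK documentation), this is an .htaccess file for the renamed admin folder on an Apache 2.4 server; the AuthName text, the password file path and the staffuser account name are assumptions, and the directives need AllowOverride AuthConfig and Options for the HESK directory tree.

```apache
# .htaccess for the renamed HESK admin folder (Apache 2.4, mod_auth_basic).
# Adds a server-level username/password prompt in front of HESK's own login form,
# so the admin login page is never reachable anonymously.
AuthType Basic
AuthName "Help desk staff area"
# Keep the password file outside the web root. Create it with bcrypt hashes:
#   htpasswd -B -c /etc/apache2/hesk.htpasswd staffuser
AuthUserFile /etc/apache2/hesk.htpasswd
Require valid-user

# Never expose a directory listing of the admin folder.
Options -Indexes
```

The extra prompt also blocks automated login-guessing against the HESK form, since the server rejects the request before PHP runs.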
#6 Restrict allowed attachment size and types
If you expect your customers to upload images there is no need to allow the uploading of .exe files.
Be conservative about what file attachments you allow:
- login to HESK admin panel
- go to the Settings > Help Desk page
- under Attachments set your attachment limits
- save settings
You should also make sure all script handlers are removed from your attachments folder - check with your server administrator on how to do that.
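As an added example of removing script handlers from the attachments folder (not from the HESK documentation), this .htaccess makes Apache 2.4 treat everything in the renamed attachments folder as inert static content; it assumes AllowOverride permits FileInfo, Options and AuthConfig for that folder, and that HESK hands attachments to users through its own PHP script rather than by direct URL.

```apache
# .htaccess for the renamed HESK attachments folder (Apache 2.4).
# Goal: an uploaded file must never be executed by the web server, whatever its name.

# Switch off the PHP engine here. Only mod_php reads php_flag; the module name
# depends on the PHP version, and under PHP-FPM these blocks simply do nothing.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# Remove script handlers and MIME types so these extensions are not handed to an interpreter.
RemoveHandler .php .phtml .phar .php3 .php4 .php5 .php7 .phps .cgi .pl .py .sh
RemoveType    .php .phtml .phar .php3 .php4 .php5 .php7 .phps

# Serve files statically and disable CGI. Caveat: a server-level
# <FilesMatch "\.php$"> SetHandler ... (typical for PHP-FPM) merges after this
# and wins, which is why the deny rule below is the one to rely on.
SetHandler default-handler
Options -ExecCGI -Indexes

# Refuse to serve script-like names at all; authz is applied regardless of handler.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps|cgi|pl|py|sh)$">
    Require all denied
</FilesMatch>

# For anything that is served directly, force a download and stop MIME sniffing,
# so an uploaded HTML or SVG file cannot run in a visitor's browser.
<IfModule mod_headers.c>
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

After deploying, request a harmless test file named like a script from the folder and confirm the server answers 403 rather than executing or rendering it.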
#7 Debug mode should be OFF
Unless you are actively troubleshooting your HESK installation, debug mode should be OFF!
- login to HESK admin panel
- go to the Settings > Help Desk page
- look under Features and make sure Debug mode is set to OFF
- save settings
#8 SPAM protection should be ON
Is your entire help desk hosted on the intranet or password-protected? If not, enable SPAM protection!
- login to HESK admin panel
- go to the Settings > Help Desk page
- enable at least one option under SPAM Prevention
- save settings
No need to overdo it though. Unless you have serious SPAM problems, enabling just one SPAM prevention measure will make the help desk more user-friendly.
#9 Email piping and POP3/IMAP fetching considerations
Are you using email piping or POP3/IMAP fetching?
If not, make sure these two features are turned OFF in HESK Settings!
If yes, make sure you have a URL Access Key set in Admin panel > Settings > Help desk > Security; this prevents anyone from accessing your hesk_imap.php, hesk_pop3.php and/or hesk_pipe.php file via a URL without specifying a valid URL Access Key:
This will show a "missing access key" error:
https://example.com/hesk/inc/mail/hesk_imap.php
This will work if a valid key is provided:
https://example.com/hesk/inc/mail/hesk_imap.php?key=XXXXXXXXX
#10 Not everyone should be an administrator
Does Mary really need access to HESK settings? Does Joe really need permission to create new ticket categories?
Instead of creating administrator accounts, give users restricted access:
- login to HESK admin
- go to the Team page
- when creating a new or editing an existing user click the Permissions tab
- select Account type: Staff and only give the user permissions he/she needs
- save changes
#11 Disable features you are not using
This one is simple: if you don't use something, disable it! What's the point of having Knowledgebase functionality enabled if you have no Knowledgebase articles?
Here are some features that can be disabled. Click the [?] help link next to them on the HESK Settings page to learn what each does:
- Multiple languages
- Allow automatic login
- Debug mode
- Password reset
- Attachments
- Knowledgebase
- Email piping
- POP3 fetching
- IMAP fetching
- Multiple emails
#12 Using a shared computer? Automatic login should be OFF
The automatic login function is convenient as it allows HESK to remember your login so you don't have to enter your username and password every time you open the HESK admin panel.
However, anyone using the same computer may also gain access to the help desk using your username!
If you access HESK from a shared computer the Allow automatic login function should be OFF or at least remember to Logout after finishing your work!
#13 Buy a HESK license
Seriously. A license will remove "Powered by" links from your help desk making it harder for a random visitor to determine what software you are using. Anyone trying to exploit a known software vulnerability will also have a harder time finding your help desk using search engines.
More importantly, by purchasing a license you support the HESK author. This means more features and quick bug fixes in the future.
A one-time fee only. Buy a HESK license here.
Comments? Suggestions? Let us know!
Comments and ideas about securing HESK are always welcome.
Please feel free to contact us with your suggestions here.