GoAnywhere MFT

Hardening Guide
Copyright Terms and Conditions

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective
owners.
The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide. The
unauthorized use and/or duplication of this material without express and written permission from Fortra is strictly prohibited. Excerpts and
links may be used, provided that full and clear credit is given to Fortra with appropriate and specific direction to the original content.
202310060320
Table of Contents

Introduction 6
Getting Assistance 7
Operating System and Environment Recommendations 8
Inbound & Outbound Data Security Considerations 10
Getting Started 11
Services 12
HTTPS/AS2/AS4 12
Server 19
FTP 20
Server 22
FTPS 25
Server 27
SFTP 29
Server 31
GoFast 33
Agent Service 35
Server 36
PeSIT 36

GoAnywhere Hardening Guide www.goanywhere.com page: 3


GoAnywhere Gateway 37
Gateway Manager 38
Gateway Configuration 38
Secure Mail Settings 39
Secure Forms Settings 43
Hardening Recommendations 43
Secure Form Configuration 43
Agent Manager 44
Agent Configuration 45
Users 47
Admin Users and Admin User Templates 47
Admin User Groups 48
Admin Security Settings 49
Web Users 52
Web User Settings 55
Web User Self-Registration 58
Domains 60
Login Settings 61
Reporting 62
Log Settings 62

Encryption 63
Encrypted Folders 63
Folder Restrictions 63
Master Encryption Keys 64
System 65
Global Settings 65
Security Settings 65
Antivirus Settings 68
Admin Server 70
Database Configuration 72
System Alerts 73
IP Filter 75
IP Block Listing 76
Security Settings Audit Report 78
Glossary 79

Introduction
Fortra strives to apply security best practices in the design, development, and testing of
GoAnywhere MFT. However, securing a GoAnywhere MFT environment requires active
participation from administrators, and the needs and operating procedures of your
organization must be considered. Involve your security team throughout the hardening
process.

This guide does not guarantee the security of your application or environment;
however, it is a resource to follow for best practices when hardening your deployment
of GoAnywhere MFT. It is written with the current cybersecurity landscape in mind and
provides specific configuration guidelines for anyone involved in deploying
GoAnywhere MFT.

Getting Assistance
Fortra encourages receiving a Health Check if you are not confident in implementing the
steps defined in this guide. If you need assistance, please reach out to our Professional
Services team for consulting.

You are also encouraged to visit the knowledge base at
http://www.goanywheremft.com/forum/ to find answers to common questions.

Operating System and Environment Recommendations
NOTE: Please see the GoAnywhere End of Support Life (EOSL) policy for more
information on the current supported versions of the GoAnywhere products. For
additional questions, please see the GoAnywhere Forum.

NOTE: GoAnywhere products should only be run on vendor systems (OS, databases,
file systems, etc) that are up to date with the latest security patches and have not
reached End of Life (EOL).

This guide outlines the steps required for hardening GoAnywhere products. Before you
begin:

• Keep your operating system up to date.

• GoAnywhere is constantly being upgraded with security patches. Due to these
regular security enhancements Fortra recommends that you keep your
GoAnywhere environment up to date with current releases.

• To stay ahead of security threats that target the JRE, externalize your Java
environment and keep it up to date with the latest version supported by your
GoAnywhere product.

NOTE: Fortra recommends keeping the JRE up to date for all three GoAnywhere
products: MFT, Gateway, and Agents. For instructions on externalizing the JRE
and keeping it up to date, see the GoAnywhere MFT, GoAnywhere Gateway,
and the GoAnywhere Agents Installation Guides.

• Following the principle of least privilege, create a dedicated service account for
running your GoAnywhere products.

NOTE: On Linux and Unix, binding to a privileged port (below 1024) normally
requires root. Rather than running the service as root, grant the service
account only the CAP_NET_BIND_SERVICE capability (for example with
AmbientCapabilities=CAP_NET_BIND_SERVICE in the systemd unit), or listen on
an unprivileged port and forward the standard port at the firewall.

• Following the principle of least privilege, limit access to the installation locations of
your GoAnywhere products to select users.

IMPORTANT: Due to the sensitive nature of the ghttpsroot, adminroot and
tomcat/webapps/ROOT directories, Fortra recommends practicing additional
caution when determining who can access these locations.

• Fortra recommends using a firewall or another device to limit traffic to any hosted
GoAnywhere Services (Admin, HTTPS, AS2, AS4, FTP/S, SFTP, GoFast, Agents,
and PeSIT). Further, Fortra recommends updating your firewall to ensure the
admin ports are not publicly accessible. The default admin ports are 8000 and
8001. Review your Admin Server configuration to determine which ports are being
used by your Admin Client.

• Disable non-blocking entropy gathering on Linux, Unix, Solaris, and MacOS
servers. Using blocking entropy gathering helps to generate more secure
cryptographic keys. Note, this requires editing a startup script for MFT. To edit this
script:

1. Open the goanywhere_catalina.sh file for editing.

2. In the JAVA_OPTS section, change the entropy source from /dev/urandom to
/dev/random.

We recommend using Linux tools that feed the kernel entropy pool (for example,
rngd from rng-tools, or haveged) so the operating system can supply entropy
quickly.

NOTE:
Enabling this option can cause slower startup times while the operating system
gathers enough entropy to properly generate randomness for use in
cryptographic functions. On Linux kernels 5.6 and later, /dev/random only blocks
until the pool has been seeded once after boot, so the delay is usually short; on
older kernels, and on virtual machines with few entropy sources, it can be long.
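
The service-account, directory-permission and entropy steps above, as an added example that is not part of the Fortra guide: Python helpers that rewrite the entropy source in the startup script text and check the permissions of the three sensitive directories. The JVM property -Djava.security.egd (the usual way a JVM's entropy device is chosen in JAVA_OPTS) and the sample JAVA_OPTS line are assumptions; check what your own goanywhere_catalina.sh contains before relying on the pattern.

```python
import os
import re
import stat
from pathlib import Path
from typing import Dict

# Matches the JVM entropy-source property when it points at the non-blocking
# device, in either the plain or the "/dev/./urandom" spelling (the latter is
# commonly used to defeat the JDK's special-casing of the bare path). That the
# property lives in JAVA_OPTS of goanywhere_catalina.sh is an assumption.
EGD_URANDOM = re.compile(r"(-Djava\.security\.egd=file:)/dev/(?:\./)?urandom")
EGD_RANDOM = "-Djava.security.egd=file:/dev/random"


def set_blocking_entropy(script_text: str) -> str:
    """Return the startup script text with the entropy source switched to the
    blocking /dev/random device, as the guide recommends."""
    return EGD_URANDOM.sub(r"\g<1>/dev/random", script_text)


def entropy_source(script_text: str) -> str:
    """Report which source the script selects: 'urandom', 'random' or
    'unset' (the JDK default then applies)."""
    if EGD_URANDOM.search(script_text):
        return "urandom"
    if EGD_RANDOM in script_text:
        return "random"
    return "unset"


# The three directories the guide singles out as sensitive.
SENSITIVE_DIRS = ("ghttpsroot", "adminroot", "tomcat/webapps/ROOT")


def mode_is_restricted(mode: int) -> bool:
    """True when 'other' has no access at all and 'group' cannot write, i.e.
    the directory is writable only by its owner (the service account)."""
    return not (mode & stat.S_IWGRP) and not (mode & stat.S_IRWXO)


def dir_is_restricted(path: Path) -> bool:
    """Permission check for one directory. Ownership is not checked here;
    confirm separately that the owner is the service account."""
    return mode_is_restricted(stat.S_IMODE(path.stat().st_mode))


def check_install_dirs(install_root) -> Dict[str, bool]:
    """Map each sensitive directory that exists under install_root to whether
    its permissions are restricted."""
    root = Path(install_root)
    return {
        d: dir_is_restricted(root / d)
        for d in SENSITIVE_DIRS
        if (root / d).is_dir()
    }


if __name__ == "__main__":
    # Hypothetical install root; adjust to your own installation.
    for d, ok in check_install_dirs("/opt/goanywhere").items():
        print("ok      " if ok else "TOO OPEN", d)
```

Run the permission check as the service account after installation and again after every upgrade, since installers can reset directory modes.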

Inbound & Outbound Data
Security Considerations
The following section provides considerations for hardening your overall managed file
transfer environment in addition to the GoAnywhere application.

Inbound Data Security Considerations

There are risks when accepting inbound data transfers from the internet, even from trusted
trading partners. See the Antivirus Settings section for instructions on how to enable
automatic AV scanning for inbound data transfers. This helps prevent malware from
entering your environment and causing damage.

Fortra recommends the GoAnywhere Threat Protection bundle which combines Clearswift
ICAP Gateway with GoAnywhere MFT for proven, compatible, best-in-class threat
protection.

Outbound Data Security Considerations

When sharing data, you may need to mask aspects of that data or put further controls on
sensitive information. This can ensure that trading partners do not leak sensitive
information, intentionally or accidentally. This also allows you to keep track of which files
are outside of your environment, and even control access by revoking rights to this data.

Fortra recommends the GoAnywhere Zero Trust File Transfer bundle for tackling best-in-
class controls on both outbound and inbound data transfers.

Getting Started
This guide is organized by topic and mirrors the GoAnywhere MFT application. For
example, the Secure Forms Settings topic can be found under the Services section, just as
Secure Forms Settings can be found under Services on the application menu bar.

This guide makes regular reference to the GoAnywhere MFT Admin User Guide, and
Fortra recommends that you have the User Guide readily available as you move through
the hardening process.

While it is not absolutely necessary to use this guide in a linear fashion, it helps ensure that
all elements of the application are considered and addressed.

WARNING:
Implementing the configuration settings recommended throughout this guide can
result in unintended consequences, such as connectivity failures to systems that do
not support the latest security standards. Consult with your security team and other
involved parties to determine the ramifications of hardening your installation of
GoAnywhere MFT. Fortra also recommends you first harden a test or non-production
installation before applying these changes to a production instance. Fortra is not
responsible for any damages caused by the usage of this guide.

Services
GoAnywhere services are used for inbound connections from your trading partners,
customers, employees, and remote sites. The available services (protocols) are HTTPS,
AS2, AS4, FTP, SFTP, GoFast, Agents, and PeSIT.

HTTPS/AS2/AS4
The following section provides the recommended settings for hardening the
HTTPS/AS2/AS4 Service. Only fields and options with recommended settings will be
addressed.

To manage the HTTPS/AS2/AS4 Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the HTTPS Service, and then click Edit .

Web Client

Enabled
Enable the Web Client if you plan to use it. If not, disable this feature.

Allow Browsers to Save Login Credentials
Disable this feature. This will prevent browsers from storing credentials for this
web page. Saved login credentials can increase the chance of stolen or misused
user privileges.

Allow Session ID in URL
Disable this feature. This will prevent the Session ID from appearing in the URL,
where it can be leaked through browser history, bookmarks, proxy logs and the
Referer header and then used to take over the session.

HTTP Strict Transport Security (HSTS)
Enabling the HTTP Strict Transport Security (HSTS) header instructs supporting
browsers to refuse plain HTTP communication with GoAnywhere MFT, enforcing
HTTPS and preventing users from clicking through invalid certificate warnings.

Include Header
Enabled

Maximum Age
Set the maximum age to greater than 10368000 seconds (120 days).

HTTP Content Security Policy (CSP)

The Content Security Policy (CSP) response header allows Admin Users to
control which resources GoAnywhere is allowed to load for a given page. The CSP
mitigates potential threats by restricting which domains content can be loaded
from.

Policy
Begin with 'Default' setting. Consult your internal security team and customize as
needed.

NOTE:
Adjusting the CSP policy can impact application functionality. Please test all
changes before applying them to a production environment.

Secure Folders Tab

Secure Folders allows Web Users to work with authorized folders and files on the
network through the HTTPS Web Client.

Enable Java Applet
Disable this feature. Current browsers no longer run Java applets, and the applet
only adds attack surface.

Enable Quick Downloads
Disable this feature if you do not plan to use it.

Enable Quick Uploads
Disable this feature if you do not plan to use it.

User Interface Tab

Help File/URL
If the Help link will open a document (for example, a PDF, text file, or HTML
document), that file must be copied to the [installdirectory]/ghttpsroot/custom
folder, where [installdirectory] is the installation directory of GoAnywhere. Valid
file types are txt, xhtml, htm, html, pdf, doc, docx, rtf, and odt.

NOTE:
Even though file types will be validated, Fortra recommends following the
principle of least privilege when determining who has access to the
ghttpsroot directory, since files placed there are served by the HTTPS service.

HTTPS

Maximum Upload File Size

Configuring a maximum upload size can help prevent attacks that consume
server resources. Therefore, limit the maximum upload size according to your
company's needs and security policy. Fortra also recommends limiting disk space
for Web Users and Web User Groups to help prevent this type of attack.

Allow Files with No Extension

Fortra recommends that you disable this feature, as this could help prevent the
upload of malicious files.

Allow Files with an Extension

Fortra recommends that you enable this feature. Most valid file uploads will
include a file extension. In addition, enabling this feature along with choosing a
File Extension Filter allows GoAnywhere MFT to prevent unwanted files from
being uploaded.

File Extension Filter

This text area allows you to list the file types that are allowed to be uploaded via
GoAnywhere MFT. Limiting allowed file types can help prevent the upload of
malicious files. The filter matches on the file name only and does not inspect the
file's content, so pair it with the scanning described in Antivirus Settings.

NOTE: Type all file extensions without a period (.), separate them with
commas, and do not add line breaks or spaces (for example, if you want to
allow only .txt, .xls, .xlsx and .csv files, type: txt,xls,xlsx,csv).

Fortra recommends choosing valid file extensions according to your company's
needs and security policy.

AS2

The settings on the AS2 tab configure the identity, security, and file restrictions for
AS2 communications. The AS2 service supports multiple AS2 Recipients, each
with their own AS2 ID, certificate alias, upload folder destinations, MDN receipts,
and message security.

AS2 General Tab

Enabled
Enable this Service only if you intend to use it.

AS2 Recipients

Message Decryption

Specify the key used to decrypt incoming messages. The corresponding
certificate should be sent to all trading partners (Web Users) who will be sending
AS2 messages to GoAnywhere MFT.

Key Location
Specify the key used to decrypt incoming messages. Use the System Key Vault
whenever possible. RSA keys with a key size of 2048 bits or larger are
recommended. Use a dedicated certificate and private key for message
decryption, separate from the certificate used by the HTTPS listener.

Keep Receipts
Enable

MDN Signature

Specify the location and name of the private key that will be used to sign the AS2
message receipt (MDN). A signed MDN gives the sender verifiable proof of
delivery and ensures nonrepudiation.

Key Location
Use a dedicated certificate and private key for message signatures.

Message Security Tab

Require Encryption
Enable this feature. Messages sent without encryption will be denied and will
result in an error.

Require Signature
Enable this feature. Messages sent without a signature will be denied and will
result in an error.

Require Authentication
Enable this feature. Messages sent without authentication will be denied and
will result in an error.

AS4
General Tab
Only enable the AS4 Service if you plan to use it.

Reception Awareness Tab


Set the Maximum receipt Wait Time as low as possible without triggering errors.
A low wait time gives attackers less time to fake a response.

AS4 Message Channels

If you are using a Message Channel that does not have subchannels enabled,
assign access to a single user. This ensures that the messages placed in this
channel are sent to the correct recipient and prevents data leaks to
non-privileged users.

Server
Listener
Server Header
Set the Server Header name to something generic (such as 'Null', 'None', or 'Web
Server'). The product name and version in the default header tell an attacker
exactly which software and release to target.

SSL Tab

SSL Enabled
Enable. It is best practice to enable SSL/TLS on every listener except an HTTP
listener whose only purpose is to redirect to HTTPS.

SSL Protocol
Use the default, TLS. SSL is a deprecated protocol. This field is inherited
from the System Security Settings.

Enabled SSL Protocols
Leave this field blank. Settings will be inherited from the Global Security Settings
page.

Client Authentication
If all users are authenticating with certificates, set this option to 'Required'. If only
some users are authenticating with certificates, use 'Optional'. Otherwise, use
'None'.

Enabled Cipher Suites
Use this list to further limit the protocol specific Cipher Suites beyond those
specified in the Global Security Settings.

Certificate Location
Import your company's private key and its CA-signed certificate into the Key
Management System and apply them to the HTTPS listener. If a signed certificate
is not available, create a self-signed certificate and apply it (clients will then need
to trust that certificate explicitly). Use X.509 version 3 certificates with the
largest key size practical (at least 2048 bits for RSA). In a version 3 certificate,
make sure the Extended Key Usage includes TLS Web Server Authentication
(serverAuth). See the HTTPS Certificate Quick Start Guide in the GoAnywhere
Admin User Guide for more information.

Redirection Tab
HTTP/HTTPS traffic can be automatically redirected to the intended protocol, host
and/or port. The redirect process substitutes the appropriate portion of the URL
([protocol]://[host][:port]).

To securely redirect from HTTP to HTTPS, set up an HTTP listener and enable
redirection on that listener. Configure the redirection fields as necessary, set the
redirection protocol as HTTPS, and redirect to the existing HTTPS listener. Serve
nothing else from the HTTP listener, so that credentials are never sent over plain
HTTP.
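
The Web Client, Listener and Redirection recommendations above (HSTS max-age, CSP, generic Server header, no session ID in URLs, redirect-only HTTP listener) can be verified from a captured response. The following is an added example by the editor, not Fortra's code: it parses a raw HTTP response head and reports every deviation. The three responses are constructed samples, and the assumption that the session parameter is called jsessionid (Tomcat's convention; the guide names the tomcat/webapps/ROOT directory) should be checked against what your listener actually emits.

```python
import re
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 10_368_000                 # 120 days, the threshold given above
GENERIC_SERVER_VALUES = {"", "null", "none", "web server"}
REDIRECT_CODES = {"301", "302", "307", "308"}

# Tomcat-style URL session tracking; the parameter name is an assumption.
SESSION_IN_URL = re.compile(r"[;?&]jsessionid=", re.IGNORECASE)


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse a status line plus headers into a dict keyed by lower-cased name.
    Repeated headers are joined with ', ' as RFC 9110 permits."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break                                # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def hsts_max_age(value: str) -> Optional[int]:
    """max-age directive of a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_response(raw: str, from_http_listener: bool = False) -> List[str]:
    """Return findings for one captured response; an empty list passes.
    from_http_listener marks a response from the plain HTTP listener, whose
    only job is to redirect to HTTPS. Browsers ignore HSTS received over HTTP,
    so HSTS and CSP are checked only on HTTPS responses."""
    h = parse_response_head(raw)
    status_code = raw.split("\r\n", 1)[0].split()[1]
    location = h.get("location", "")
    findings: List[str] = []

    server = h.get("server", "")
    if server.lower() not in GENERIC_SERVER_VALUES:
        findings.append(f"Server header discloses product/version: {server!r}")
    if SESSION_IN_URL.search(location):
        findings.append("session ID exposed in redirect URL")

    if from_http_listener:
        if status_code not in REDIRECT_CODES:
            findings.append("HTTP listener served content instead of redirecting")
        elif not location.lower().startswith("https://"):
            findings.append(f"HTTP listener redirected to a non-HTTPS URL: {location!r}")
        return findings

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE} seconds")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy header missing")
    return findings


# Constructed sample responses for this example (not captured from a real system).
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: https://mft.example.com/login;jsessionid=0123456789ABCDEF\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Web Server\r\n"
    "Location: https://mft.example.com/login\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HTTP_LISTENER_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Web Server\r\n"
    "Location: https://mft.example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_response(raw) or ["ok"])
```

Feed it the head captured with curl -sI (or from an intercepting proxy) for both the HTTPS listener and the redirect-only HTTP listener; a clean result on the HTTP listener means nothing but a redirect to https:// is ever served there.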

FTP
The following section provides all recommended settings for hardening the FTP Service.
Only fields and options with recommended settings will be addressed.

To manage the FTP Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the FTP Service, and then click Edit .

Upload Restrictions

Allow Files with No Extension

Fortra recommends that you disable this feature, as this could help prevent the
upload of malicious files.

Allow Files with an Extension

Fortra recommends that you enable this feature. Most valid file uploads will
include a file extension. In addition, enabling this feature along with choosing a
File Extension Filter allows GoAnywhere MFT to prevent unwanted files from
being uploaded.

File Extension Filter

This text area allows you to list the file types that are allowed to be uploaded via
GoAnywhere MFT. Limiting allowed file types can help prevent the upload of
malicious files.

NOTE: Type all file extensions without a period (.), separate them with
commas, and do not add line breaks or spaces (for example, if you want to
allow only .txt, .xls, .xlsx and .csv files, type: txt,xls,xlsx,csv).

Fortra recommends choosing valid file extensions according to your company's
needs and security policy.

Server
Listener

The listener specifies on which port the FTP service will monitor traffic.

Idle Timeout
Consult your security team to determine the optimal Idle Timeout setting.

Force Encrypted Authentication
Set to Yes. The server then rejects USER/PASS until the client has upgraded the
control connection with AUTH TLS, so credentials are never sent in clear text.

Explicit SSL

With Explicit SSL (FTPES), the client connects on the regular FTP port and the
connection begins in clear text; the client then issues the AUTH TLS command and
the server negotiates an SSL/TLS session before any login or file data is sent.

Enabled SSL Protocol
Leave this field blank. Settings will be inherited from the Global Security Settings
page.

Client Authentication
If all users are authenticating with certificates, set this option to 'Required'. If only
some users are authenticating with certificates, use 'Optional'. Otherwise, use
'None'.

Enabled Cipher Suites
Cipher Suites should be set globally on the Security Settings page. You can
further limit the protocol specific Cipher Suites using this option.

CCC Enabled
Disable unless otherwise requested by your security team. If a Web User sends
the CCC (Clear Command Channel) command, it terminates the encryption on the
command channel, and all subsequent FTP commands and responses, including
file names and paths, are transmitted in plain text.

Certificate Location
Import your company's private key and its CA-signed certificate into the Key
Management System and apply them to the FTP listener. If a signed certificate is
not available, create a self-signed certificate and apply it. Use X.509 version 3
certificates with the largest key size practical (at least 2048 bits for RSA), and make
sure the Extended Key Usage includes TLS Web Server Authentication (serverAuth).

Data Connection

Force Encrypted Data Channels


Set to Yes. This setting forces SSL/TLS encryption on the data channels and
rejects any attempts at plain text data transfers.

Active

With an "active" Data Connection, the client connects to the server on the control
port and tells the server (with PORT or EPRT) which address and port it is listening on
for the data connection; the server then connects back to the client. This can cause
issues with a firewall on the client side as it may block the incoming data connection
from the server.

Enabled
Leave active mode disabled and use passive data connections unless a trading
partner absolutely requires it.

Validate IP
Set to Yes. This option specifies if the server should check if the IP address for the
data connection is the same as for the control port. If the IP is not valid, the
connection will fail.

Passive

In a passive Data Connection, the client initiates both connections: the server
answers PASV/EPSV with a data port chosen from its configured passive port range
(which must be allowed through the firewall), and the client connects to that port.

Validate IP
Set to Yes. This option specifies if the server should check if the IP address for the
data connection is the same as for the control port. If the IP is not valid, the
connection will fail.

FTPS
The following section provides all recommended settings for hardening the FTPS Service.
Only fields and options with recommended settings will be addressed.

To manage the FTPS Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the FTPS Service, and then click Edit .

Upload Restrictions

Allow Files with No Extension

Fortra recommends that you disable this feature, as this could help prevent the
upload of malicious files.

Allow Files with an Extension

Fortra recommends that you enable this feature. Most valid file uploads will
include a file extension. In addition, enabling this feature along with choosing a
File Extension Filter allows GoAnywhere MFT to prevent unwanted files from
being uploaded.

File Extension Filter

This text area allows you to list the file types that are allowed to be uploaded via
GoAnywhere MFT. Limiting allowed file types can help prevent the upload of
malicious files.

NOTE: Type all file extensions without a period (.), separate them with
commas, and do not add line breaks or spaces (for example, if you want to
allow only .txt, .xls, .xlsx and .csv files, type: txt,xls,xlsx,csv).

Fortra recommends choosing valid file extensions according to your company's


needs and security policy.

Server
Listener

The listener specifies on which port the FTPS service will monitor traffic.

Idle Timeout
Consult your security team to determine the optimal Idle Timeout setting.

Implicit SSL

With Implicit SSL, the SSL/TLS handshake begins as soon as the client connects
to the listener (conventionally port 990); there is no clear-text phase and no AUTH
command, so login and file data are always protected.

SSL Protocol
Use the default, TLS protocol. SSL is a deprecated protocol. This field is inherited
from the System Security Settings.

Client Authentication
If all users are authenticating with certificates, set this option to 'Required'. If only
some users are authenticating with certificates, use 'Optional'. Otherwise, use
'None'.

Enabled Cipher Suites
Use this list to further limit the protocol specific Cipher Suites beyond those
specified in the Security Settings.

CCC Enabled
Disable unless otherwise requested by your security team. If a Web User sends
the CCC (Clear Command Channel) command, it terminates the encryption on the
command channel, and all subsequent FTPS commands and responses, including
file names and paths, are transmitted in plain text.

Certificate Location
Import your company's private key and its CA-signed certificate into the Key
Management System and apply them to the FTPS listener. If a signed certificate is
not available, create a self-signed certificate and apply it. Use X.509 version 3
certificates with the largest key size practical (at least 2048 bits for RSA), and make
sure the Extended Key Usage includes TLS Web Server Authentication (serverAuth).

Data Connection
Force Encrypted Data Channels
Set to Yes. This setting forces SSL/TLS encryption on the data channels and
rejects any attempts at plain text data transfers.

Active

With an "active" Data Connection, the client connects to the server on the control
port and tells the server (with PORT or EPRT) which address and port it is listening on
for the data connection; the server then connects back to the client. This can cause
issues with a firewall on the client side as it may block the incoming data connection
from the server.

Enabled
Leave active mode disabled and use 'Passive' data connections unless a trading
partner absolutely requires it.

Validate IP
Set to Yes. This option specifies if the server should check if the IP address for the
data connection is the same as for the control port. If the IP is not valid, the
connection will fail.

Passive

In a passive Data Connection, the client initiates both connections: the server
answers PASV/EPSV with a data port chosen from its configured passive port range
(which must be allowed through the firewall), and the client connects to that port.

Validate IP
Set to Yes. This option specifies if the server should check if the IP address for the
data connection is the same as for the control port. If the IP is not valid, the
connection will fail.
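
The Server and Data Connection settings for the FTP (Explicit SSL) and FTPS services above (Force Encrypted Authentication, CCC Enabled, Force Encrypted Data Channels, Active Enabled, Validate IP) each decide what the server does at one point in the control-channel conversation. The following added example, written by the editor and not GoAnywhere's code, models those decisions as a small state machine and shows the exchange from both sides. It does not verify passwords or open data connections; the reply texts are the editor's, the 534 (policy refusal) and 521 (PROT level blocks transfer) codes are the ones RFC 4217 assigns, and the client addresses are constructed.

```python
from typing import List, Tuple


def parse_data_address(cmd: str, arg: str) -> Tuple[str, int]:
    """Client data address from PORT (h1,h2,h3,h4,p1,p2) or EPRT (|1|addr|port|).
    Raises ValueError on malformed input so the caller answers 501."""
    if cmd == "PORT":
        parts = arg.split(",")
        if len(parts) != 6:
            raise ValueError("PORT needs six comma-separated numbers")
        nums = [int(p) for p in parts]
        if any(n < 0 or n > 255 for n in nums):
            raise ValueError("PORT values must be 0-255")
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    fields = arg.split("|")                      # '', proto, addr, port, ''
    if len(fields) != 5 or fields[1] not in ("1", "2"):
        raise ValueError("EPRT needs |proto|addr|port|")
    return fields[2], int(fields[3])


class FtpsControlPolicy:
    """One control connection, enforcing the listener settings named above."""

    def __init__(self, control_ip: str, force_encrypted_auth: bool = True,
                 force_encrypted_data: bool = True, ccc_enabled: bool = False,
                 active_enabled: bool = False, validate_ip: bool = True):
        self.control_ip = control_ip             # peer address of the control connection
        self.force_encrypted_auth = force_encrypted_auth
        self.force_encrypted_data = force_encrypted_data
        self.ccc_enabled = ccc_enabled
        self.active_enabled = active_enabled
        self.validate_ip = validate_ip
        self.tls = False                         # control channel upgraded by AUTH TLS?
        self.prot = "C"                          # data channel protection level (RFC 2228)
        self.logged_in = False

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH":
            if arg.upper() not in ("TLS", "SSL"):
                return "504 Only AUTH TLS is supported"
            self.tls = True
            return "234 AUTH TLS successful; TLS handshake begins"
        if cmd in ("USER", "PASS"):
            if self.force_encrypted_auth and not self.tls:
                return "534 Policy requires encrypted authentication; send AUTH TLS first"
            if cmd == "USER":
                return "331 Password required"
            self.logged_in = True                # password verification elided
            return "230 Login successful"
        if not self.logged_in:
            return "530 Not logged in"
        if cmd == "CCC":
            if not self.ccc_enabled:
                return "534 Clear Command Channel is disabled by policy"
            self.tls = False
            return "200 Command channel now in clear text"
        if cmd == "PROT":
            level = arg.upper()
            if self.force_encrypted_data and level != "P":
                return "534 Policy requires PROT P for data connections"
            self.prot = level
            return f"200 Protection level set to {level}"
        if cmd in ("PORT", "EPRT"):
            if not self.active_enabled:
                return "502 Active data connections are disabled; use PASV or EPSV"
            try:
                ip, port = parse_data_address(cmd, arg)
            except ValueError as exc:
                return f"501 {exc}"
            if self.validate_ip and ip != self.control_ip:
                return f"501 Data address {ip} does not match control connection {self.control_ip}"
            return f"200 Data connection to {ip}:{port} accepted"
        if cmd in ("RETR", "STOR", "LIST", "NLST"):
            if self.force_encrypted_data and self.prot != "P":
                return "521 Data connection cannot be opened with this PROT setting"
            return "150 Opening data connection"
        return "502 Command not implemented in this example"


def run_session(policy: FtpsControlPolicy, commands: List[str]) -> List[str]:
    """Feed a scripted client session and return the server's replies in order."""
    return [policy.handle(c) for c in commands]


if __name__ == "__main__":
    session = FtpsControlPolicy(control_ip="203.0.113.10")   # constructed peer address
    for cmd, reply in zip(["USER alice", "AUTH TLS", "USER alice", "PASS s3cret",
                           "CCC", "PROT C", "RETR report.csv", "PROT P", "RETR report.csv"],
                          run_session(session, ["USER alice", "AUTH TLS", "USER alice",
                                                "PASS s3cret", "CCC", "PROT C",
                                                "RETR report.csv", "PROT P", "RETR report.csv"])):
        print(f"C: {cmd}\nS: {reply}")
```

The walk-through in the main block shows the downgrade attempts the settings exist to stop: a login before AUTH TLS, a CCC after login, a PROT C, and a transfer while the data channel is still in clear text are all refused, while the same client succeeds once it does what the policy requires.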

SFTP
The following section provides the recommended settings for hardening the SFTP
Service. Only fields and options with recommended settings will be addressed.

To manage the SFTP Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the SFTP Service, and then click Edit.

Upload Restrictions

Limit Upload File Size

Fortra recommends that you enable this setting.

Maximum Upload File Size

Configuring a maximum upload size can help prevent attacks that consume server
resources. Therefore, limit the maximum upload size according to your company's
needs and security policy. Fortra also recommends limiting disk space for Web
Users and Web User Groups to help prevent this type of attack.

Allow Files with No Extension

Fortra recommends that you disable this feature, as this could help prevent the
upload of malicious files.

Allow Files with an Extension

Fortra recommends that you enable this feature. Most valid file uploads will
include a file extension. In addition, enabling this feature along with choosing a
File Extension Filter allows GoAnywhere MFT to prevent unwanted files from
being uploaded.

File Extension Filter

This text area allows you to list the file types that are allowed to be uploaded via
GoAnywhere MFT. Limiting allowed file types can help prevent the upload of
malicious files.

NOTE: Type all file extensions without a period (.), separate them with
commas, and do not add line breaks or spaces (for example, if you want to
allow only .txt, .xls, .xlsx and .csv files, type: txt,xls,xlsx,csv).

Fortra recommends choosing valid file extensions according to your company's
needs and security policy.

Server
SCP Enabled
Disable this option unless you are using it. Reducing the number of endpoints
helps administrators focus security efforts.

Min DH Group Exchange Key Size
Set the minimum to 2048 bits, so that a client cannot negotiate a smaller, weaker
Diffie-Hellman group during group exchange.

Enabled Key Exchange Algorithms
Please consult with your security team on which algorithms should be enabled.
Please see the GoAnywhere MFT User Guide for more information.

NOTE:
Enable ECDSA keys to allow for more Public Key Signature Algorithms.

Enabled Cipher Algorithms
Please consult with your security team on which algorithms should be enabled.
Please see the GoAnywhere MFT User Guide for more information.

Enabled MAC Algorithms
Please consult with your security team on which algorithms should be enabled.
Please see the GoAnywhere MFT User Guide for more information.

Enabled Compression Algorithms
Please consult with your security team on which algorithms should be enabled.
Please see the GoAnywhere MFT User Guide for more information.

Software Version
The software name or version should be something generic such as 'Null', 'None',
'SFTP Server', etc. The version banner is sent to every client before
authentication, and information gathered from it can help attackers in malicious
activities.

Listener

The listener specifies on which port the SFTP service will monitor traffic.

Authentication Types Allowed
Set to 'Either' at the service level, and then mark both Public Key and Password as
required in each Web User's SFTP settings, so that those users must present both
factors to log in. Defer to company policy and your security team to make sure the
authentication types chosen are those allowed by your organization.

Host Keys

Generate a new SSH RSA or ECDSA key under the System Key Vault of size
2048 or greater and use it for the SFTP Service. Remove any DSA key in the
configuration. DSA keys are not allowed when FIPS 140-2 mode is enabled.

GoFast
The following section provides all recommended settings for hardening the GoFast
Service. Only fields and options with recommended settings will be addressed.

To manage the GoFast Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the GoFast Service, and then click Edit.

Upload Restrictions

Allow Files with No Extension

Fortra recommends that you disable this feature, as this could help prevent the
upload of malicious files.

Allow Files with an Extension

Fortra recommends that you enable this feature. Most valid file uploads will
include a file extension. In addition, enabling this feature along with choosing a
File Extension Filter allows GoAnywhere MFT to prevent unwanted files from
being uploaded.

File Extension Filter

This text area allows you to list the file types that are allowed to be uploaded via
GoAnywhere MFT. Limiting allowed file types can help prevent the upload of
malicious files.

NOTE: Type all file extensions without a period (.), separate them with
commas, and do not add line breaks or spaces (for example, if you want to
allow only .txt, .xls, .xlsx and .csv files, type: txt,xls,xlsx,csv).

Fortra recommends choosing valid file extensions according to your company's
needs and security policy.
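As an added illustration (not GoAnywhere's own code) of the Upload Restrictions described for the SFTP and GoFast services above, the Python below parses a File Extension Filter string in the format the NOTE prescribes and applies the three settings to candidate file names; the matching rules it assumes (last extension only, case-insensitive, trailing dot treated as no extension) are not stated in the guide.

```python
"""Upload-restriction check modelled on the Upload Restrictions fields described
above for the SFTP and GoFast services (Allow Files with No Extension, Allow
Files with an Extension, File Extension Filter).

Added illustration, not GoAnywhere's own code. The product's exact matching
rules are not documented in the guide; the assumptions made here are marked
in comments."""
import posixpath
import re

# Filter text in the format the guide prescribes: no periods, comma separated,
# no spaces or line breaks. Constructed sample value.
FILTER_STRING = "txt,xls,xlsx,csv"

# One extension entry: letters and digits only (assumption; enforces the
# "no period, no spaces" rule from the NOTE above).
_ENTRY_RE = re.compile(r"[A-Za-z0-9]+")


def parse_filter(filter_string):
    """Turn the File Extension Filter text into a set of lower-case extensions.

    A malformed entry (".txt", "txt, csv", an empty entry from "txt,,csv")
    raises instead of being skipped, so a typo in the filter fails closed
    rather than silently widening what is allowed."""
    allowed = set()
    for entry in filter_string.split(","):
        if not _ENTRY_RE.fullmatch(entry):
            raise ValueError("invalid File Extension Filter entry: %r" % entry)
        allowed.add(entry.lower())
    return frozenset(allowed)


def split_extension(filename):
    """Return (base, ext) for the final path component.

    Assumptions: only the last extension counts ("invoice.csv.exe" is an
    .exe), matching is case-insensitive, and a name with a trailing dot or a
    leading dot only (".bashrc") counts as having no extension."""
    name = posixpath.basename(filename.replace("\\", "/"))
    base, dot, ext = name.rpartition(".")
    if not dot or not base or not ext:
        return name, ""
    return base, ext.lower()


def upload_allowed(filename, allowed, allow_no_extension=False,
                   allow_with_extension=True):
    """Apply the three Upload Restrictions settings to one file name.

    allow_no_extension   -> 'Allow Files with No Extension' (guide: disable)
    allow_with_extension -> 'Allow Files with an Extension' (guide: enable)
    allowed              -> parsed 'File Extension Filter' allow list"""
    base, ext = split_extension(filename)
    if not base or base in (".", ".."):
        return False                      # no usable file name at all
    if ext == "":
        return allow_no_extension
    if not allow_with_extension:
        return False
    return ext in allowed
```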

Control Channel SSL

Enabled SSL Protocols
Leave this field blank. This setting is covered by the Global Security Settings.

Client Authentication
If all users are authenticating with certificates, set this option to 'Required'. If only
some users are authenticating with certificates, use 'Optional'. Otherwise, use
'None'.

Enabled Cipher Suites
Use this option to limit the list of enabled Cipher Suites beyond those enabled in
the Global Security Settings.

Certificate Location
Import your company's private SSL key into the Key Management System and
apply it. If a signed certificate is not available, create an SSL certificate and apply
it. Use the latest certificate version and the largest key size possible. If using a
version 3 certificate, be sure that the certificate's Extended Key Usage is set to
SSL/TLS server authentication.

Agent Service
The following section provides all recommended settings for hardening the Agents
Service. Only fields and options with recommended settings will be addressed.

To manage the Agent Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the Agent Service, and then click Edit.

Registration
Require Approval
It is best practice to require approval for all Agent registrations. This allows for a
two-step process before an Agent can connect to the server.

Notify Agent Managers
Select this option so that administrators can monitor Agent registrations.

Server
SSL
SSL Protocol
Leave this field blank.

Enabled SSL Protocols
Leave this field blank. The JVM's default SSL/TLS protocols will be used. These
settings can be changed on the Security Settings page.

NOTE:
Add other algorithms as needed from the Security Settings page.

Enabled Cipher Suites
Use this option to limit the list of enabled Cipher Suites beyond those enabled in
the Security Settings.

PeSIT
The following section provides all recommended settings for hardening the PeSIT Service.
Only fields and options with recommended settings will be addressed.

To manage the PeSIT Service:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Service Manager link.

3. Click Action next to the PeSIT Service, and then click Edit.

SSL
SSL Enabled
Enable.

Enabled SSL Protocol
Leave this field blank. Settings will be inherited from the Global Security Settings
page.

NOTE:
Add other algorithms as needed from the Global Security Settings page.

Client Authentication
If all users are authenticating with certificates, set this option to 'Required'. If only
some users are authenticating with certificates, use 'Optional'. Otherwise, use
'None'.

Enabled Cipher Suites
Cipher Suites should be set on the Global Security Settings page. You can further
limit the protocol-specific Cipher Suites using this option.

Key Name
Import your company's private SSL key into the Key Management System and
apply it to the PeSIT listener. If a signed certificate is not available, create an
SSL certificate and apply it. Use the latest certificate version and the largest key
size possible. If using a version 3 certificate, be sure that the certificate's
Extended Key Usage is set to SSL/TLS server authentication.

GoAnywhere Gateway
The following section provides all recommended settings for hardening GoAnywhere
Gateway. Only fields and options with recommended settings will be addressed.

To manage the GoAnywhere Gateway:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Gateway Manager
link.

Gateway Manager
Gateway IP Filter and Log Rejected IP Addresses
Gateway IP Filter
Enable the Gateway IP Filter. This allows the gateway to filter client connections
based on the IP Filter Allow List and Block List managed by GoAnywhere.

Log Rejected IP Addresses
Enable Log Rejected IP Addresses. GoAnywhere Gateway will log rejected IP
addresses in the Gateway log file on the Gateway installation.

Gateway Configuration
Control Channel Security
SSL Enabled
Enable. It is best practice to enable SSL on listeners unless redirecting from HTTP
to HTTPS.

Implicit SSL
Disable. This helps prevent man-in-the-middle attacks.

SSL Context Protocol
Enable only TLSv1.2 and TLSv1.3, if available.

NOTE:
Connecting to outdated GoAnywhere Gateway servers may cause
connectivity issues.

Secure Mail Settings

The following section provides all recommended settings for hardening the Secure Mail
feature. Only fields and options with recommended settings will be addressed.

To manage Secure Mail Settings:

1. Log in as an Admin User with the Secure Mail Manager role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Secure Mail, Settings
link.

General
Secure Mail Enabled
Enable Secure Mail only if it is actively being used.

File Limit per Package
Set the File Limit per Package with consideration to your disk space.

Send Package

Protection Level

Disable URL Protected and enable Password Protected and Certified Delivery.

Set the Default to Certified Delivery. When Certified Delivery is enabled, Web
Users will be given an option to require recipients to register before they can
access the message.

Password Generation

Enable Generated Automatically and disable Manually Specified. Manually
specified passwords can be set to a single character and are not as secure.

Set the Default to Generated Automatically.

Password Notification

Enable Email and Text Message (SMS).

Set the Default to Text Message (SMS) if SMS has been configured.

Enable Send in Separate Email.

Package Expiration

Enable Enforce Range.

Set the Default to a number of days less than the desired enforced range.

Maximum Downloads

Enable Enforce Range.

Set the Default to a number of downloads less than the desired enforced range.

Reply

Disable Allowed.

Set the Default to No. This prevents Web Users from receiving potentially risky
files. In addition, enabling data loss prevention scanning using Triggers can
further mitigate risk.

Request Files

Request Protection Level

Disable URL Protected and enable Certified Delivery.

Set the Default to Certified Delivery. When Certified Delivery is enabled, Web
Users will be given an option to require recipients to register before they can
access the message.

Request Expiration

Enable Enforce Range.

Set the Default to a number of days less than the desired enforced range.
Enforcing a range prevents links from being used in the future should a user's
inbox be compromised.

Outlook Plugin Policy

Set the Max File Size Options to All file Sizes.

Disable Ask Before Sending and enable Enforce These Settings. Enforcing
settings through the plugin policy ensures that all users adhere to the same settings
when sending messages from Outlook.

Address Rules

Address Rules are used to define the Web User email addresses that are
permitted to send Secure Mail, and the recipient email addresses to which
Secure Mail can be sent.

Configure the address rules to permit the least number of email addresses
necessary.

Secure Forms Settings

The following section provides all recommended settings for hardening Secure Forms.

To manage Secure Forms Settings:

1. Log in as an Admin User with the Secure Forms Manager role. If your user
account is assigned to a custom Admin User Role, your ability to view, modify, or
execute actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Secure Forms,
Settings link.

Hardening Recommendations

If you plan to use Secure Forms, set a Public Form Session Timeout. If you are not using
Secure Forms, uncheck Secure Forms Enabled.

Secure Form Configuration

The following section provides all recommended settings for Secure Form Configuration.
Only fields and options with recommended settings will be addressed.

To configure a Secure Form:

1. Log in as an Admin User with the Secure Forms Manager role. If your user
account is assigned to a custom Admin User Role, your ability to view, modify, or
execute actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services > Secure Forms > Form Manager.

Access

Enabling Web Client Enabled is recommended. Limit enabling access points to
only those that are needed.

Disabling Public Access is recommended, but can be enabled if business needs
require it. If Public Access is enabled, we recommend not allowing embedded
forms.

Web Users

Assign Web Users using the principle of least privilege.

Web Groups

Assign Web Groups using the principle of least privilege.

Components

Utilize the Mask Input option to hide user input and the Encrypt Data option to
ensure that sensitive data will not be shown in plaintext anywhere within the
application.

Agent Manager
The following section provides all recommended settings for Agent Manager. Only fields
and options with recommended settings will be addressed.

Rotate Agent Key

Force Restart
True. This will force the Agent to immediately reauthenticate to MFT using its new
key pair.

WARNING: Selecting "Force Restart" will restart the Agent immediately and
force the Agent to begin using the new authentication key. Any jobs or
transfers will be terminated.

Fortra recommends regularly rotating authentication keys. Consult your internal
security team to ensure you are rotating keys in accordance with your
organization’s security policy.

WARNING: If you are rotating your Agent’s authentication key because you
suspect the Agent has been compromised, you should immediately unregister
and reregister the Agent. The reregistration process can help reestablish the
identity and legitimacy of the Agent. Simply rotating the Agent’s
authentication key may not be enough to recover a compromised Agent.

Agent Configuration
The following section provides all recommended settings for Agent Configuration. Only
fields and options with recommended settings will be addressed.

To manage Agents:

1. Log in as an Admin User with the Agent Manager role. If your user account is
assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Services and then click the Agents, Agent
Settings link.

General

Use a unique registration code for each Agent. To automate for larger
deployments, configure Agent settings through the Agent Service Listener. See
the GoAnywhere MFT User Guide for more information.

Alerts

While not directly security related, alerting Agent Managers when an Agent goes
offline can call attention to security issues.

Users

Admin Users and Admin User Templates

The following section provides all recommended settings for Admin Users and Admin User
Templates. Only fields and options with recommended settings will be addressed.

To add or edit Admin Users or Admin User Templates:

1. Log in as an Admin User with the Security Officer role. If your user account is
assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Users, and then click the Admin Users or the
Admin User Templates link.

Fortra recommends creating a service account for all automated aspects of the application
- Secure Forms, Triggers, Monitors, SLAs, etc. Avoid using 'root' or 'administrator'
accounts for this purpose.

Fields for Admin Users and Admin User Templates

Two-Factor Authentication
Enable some form of two-factor authentication: RADIUS (for example, RSA
SecurID and Duo), Time-based One-Time Password (for example, Google
Authenticator), or GoAnywhere One-Time Password.

Roles
Assign roles using the principle of least privilege.

Groups
Assign groups using the principle of least privilege.

Domains
Assign domains using the principle of least privilege.

File Permissions
Limit Admin User folder access through the File Manager Settings. Use the
principle of least privilege.

NOTE:
Fortra recommends providing ‘Read Only’ access to Admin Users and only on
an as-needed basis. Create Web Users (even for internal employees) for fully
managed and audited access to files. Due to the sensitive nature of the
ghttpsroot and adminroot directories, Fortra recommends practicing caution
when determining who has access to these locations.

Admin User Groups

The following section provides all recommended settings for Admin User Groups.

To configure Admin User Groups:

1. Log in as an Admin User with the Security Officer role.

2. From the main menu bar, select Users, and then click the Admin Users link.

Be advised that any permissions given will be passed to all Admin Users within the Admin
User Group.

Admin User Group Fields

Group Roles
Assign group member roles using the principle of least privilege.

Group Domains
Assign group member domains using the principle of least privilege.

Admin Security Settings

The following section provides all recommended settings for Admin Security Settings. Only
fields and options with recommended settings will be addressed.

To manage Admin Security Settings:

1. Log in as an Admin User with the Security Officer role.

2. From the main menu bar, select Users, and then click Admin Security Settings.

General

Session Timeout
Set the session timeout according to company policy. OWASP recommends a timeout
of 120 to 300 seconds for high-risk applications and 900 to 1800 seconds for low-risk
applications.

Allow Browsers to Save Login Credentials
Disable this option to prevent login credentials from being used by another user.

Allow Viewing of Resource Passwords
Disable this option to prevent unwanted access to resource passwords.

Allow Session ID in URL
Disable this option. Information exposed in the URL can be used by intruders.

Allow Embedding within an IFrame
Disable this option to prevent click-jacking and cross-frame reference attacks.

Default Resource Permissions for All Admin Users
Disable all options.

HTTP Strict Transport Security (HSTS)

Include Header
Enabled

Maximum Age
Leave this on the default setting unless your security team requires otherwise.

Include Subdomains
Enable this option.

Include Preload Option
Fortra recommends enabling this option if possible. See the GoAnywhere MFT
User Guide for details.

HTTP Content Security Policy (CSP)

Policy
Start with the 'Default' setting and customize as needed. Consider consulting your
internal security team and testing changes to the CSP before applying changes to
a production environment.

Password Policy

Set password policy parameters in accordance with company password policy.
Consult your internal security team for recommendations.

NOTE:
These settings only apply when using the GoAnywhere login method. If you
use Active Directory to authenticate users, your password policy is managed
by Active Directory.

Password Strength

Enforce Settings
Enforce password strength settings.

Minimum Password Length
Set the minimum password length to 8.

Minimum Number of Upper Case Letters
Set a minimum of 1.

Minimum Number of Lower Case Letters
Set a minimum of 1.

Minimum Number of Digits
Set a minimum of 1.

Minimum Number of Special Characters
Set a minimum of 1.

Allowable Special Characters
Allow all special characters.

Password Age

Maximum Password Age
Do not set the Maximum Password Age to zero (0). The industry standard is 90
days. Consult your internal security team for recommendations.

NOTE:
Applying a Maximum Password Age can affect automated and service level
accounts that use the internal login method.

Password History

Enforce Password History
Enable.

Disallow Reuse of the Last
Disallow reuse of passwords. The number should depend on the maximum age
setting. Consult your internal security team for recommendations.

Web Users
The following section provides all recommended settings for the Web Users. Only fields
and options with recommended settings will be addressed.

To configure Web Users:

1. Log in as an Admin User with the Web User Manager role.

2. From the main menu bar, select Users, and then click the Web Users link.

Authentication
Password Options
Enable 'Allow User to Change Password' if secure password policies are in place.

Password Expiration Interval
Leave this setting at 'Default' unless otherwise necessary. The Password
Expiration Interval will be defined in the Web User Password Policy.

Authentication Types
It is best practice to use two-factor authentication, regardless of the protocol.
Enable 'SAN/DN' whenever possible.

Groups

Assign Web User Groups using the principle of least privilege.

Features

Assign features using the principle of least privilege.

GoDrive Disk Space Limited
Set a reasonable GoDrive disk space limit.

Maximum Concurrent Sessions
Set a reasonable maximum number of concurrent sessions based upon user need
and company security policy. This helps prevent denial of service attacks.

Folders

Assign folder permissions using the principle of least privilege.

Limit Disk Space
Setting the Limit Disk Space option to ‘Yes’ can help prevent attacks that
consume server resources. Therefore, set the Limit Disk Space option and Disk
Quota configuration according to your company's needs and security policy.

NOTE:
Disk space limits can cause negative performance impacts in large scale
environments.

Forms

Assign forms using the principle of least privilege.

IP Filter
Enable IP Filter
Enable this feature. These filters control which IP addresses or address ranges
have access to the various protocols.

Filter Type
Enable 'Allow List'.
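The following Python is an added example, not GoAnywhere's or the Gateway's own code, of the evaluation that the Gateway IP Filter section (with Log Rejected IP Addresses) and this Web User IP Filter section describe: an 'Allow List' filter type with default deny, a block list, and a log line for every rejected address; the precedence of the two lists, the IPv4-mapped handling and the log format are assumptions.

```python
"""IP Filter evaluation in the shape the guide describes: a filter type of
'Allow List' (default deny) or 'Block List', plus 'Log Rejected IP Addresses'.

Added example, not GoAnywhere's or the Gateway's own code. The product's
matching order and log format are not given in the guide, so the choices
below (block list always wins; IPv4-mapped IPv6 unwrapped) are assumptions."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample lists (RFC 5737 documentation ranges).
ALLOW_LIST = ["203.0.113.0/24", "198.51.100.7"]
BLOCK_LIST = ["203.0.113.66"]


def _networks(entries):
    # strict=False lets "203.0.113.5/24" mean its containing /24 instead of raising.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


class IPFilter:
    def __init__(self, allow_list, block_list, filter_type="allow"):
        if filter_type not in ("allow", "block"):
            raise ValueError("filter_type must be 'allow' or 'block'")
        self.allow = _networks(allow_list)
        self.block = _networks(block_list)
        self.filter_type = filter_type
        self.rejected_log = []          # stands in for the Gateway log file

    @staticmethod
    def _normalize(client_ip):
        ip = ipaddress.ip_address(client_ip)
        # A dual-stack listener sees IPv4 clients as ::ffff:a.b.c.d; compare
        # them against IPv4 list entries as IPv4 (assumption).
        mapped = getattr(ip, "ipv4_mapped", None)
        return mapped if mapped is not None else ip

    @staticmethod
    def _listed(ip, networks):
        # Membership across address families is simply False, no exception.
        return any(ip in net for net in networks)

    def decide(self, client_ip, protocol="SFTP"):
        """Return (allowed, reason). Rejections are appended to rejected_log."""
        try:
            ip = self._normalize(client_ip)
        except ValueError:
            return self._reject(client_ip, protocol, "unparseable address")
        if self._listed(ip, self.block):
            return self._reject(client_ip, protocol, "on block list")
        if self.filter_type == "allow" and not self._listed(ip, self.allow):
            return self._reject(client_ip, protocol, "not on allow list")
        return True, "permitted"

    def _reject(self, client_ip, protocol, reason):
        # Constructed log format; the real Gateway log layout is not shown in the guide.
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.rejected_log.append(
            "%s REJECTED %s %s (%s)" % (stamp, protocol, client_ip, reason))
        return False, reason
```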

Time Limits
Disable Account When No Activity
Set to 'Default (As defined in the web user security settings)'.

AS4

Pull Processing Modes

Signal Message Decryption
Use a unique key pair for each trading partner.

User Message Signature
Enable Sign User Message. Signed messages help ensure nonrepudiation.

User Message Encryption
Enable this feature if possible. Use the highest agreed upon algorithm possible to
ensure pull request message responses are encrypted.

Message Options
Enable Reception Awareness. Reception Awareness allows GoAnywhere to
report whether a message has been successfully received or not.

Push Processing Modes

Receipt Signature
Enable Sign Receipt. Signed receipts help ensure nonrepudiation. Use the
highest agreed upon algorithm possible.

Message Decryption
Use a unique key pair for each trading partner.

Message Options
Set the Reply Mode to 'Synchronous'. This ensures that the message receipt
arrives at the correct endpoint.

Uploads
Ensure that the upload directory is pointing to an encrypted folder where files will
be encrypted at rest.

Require
Set Encryption and Signature to 'Yes'. This causes GoAnywhere to raise an error if
either is missing from a message.

Web User Settings

The following section provides all recommendations for the Web User Settings. Only fields
and options with recommended settings will be addressed.

To manage the Web User Settings:

1. Log in as an Admin User with the Security Officer role. If your user account is
assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Users, and then click the Web User Settings link.

General
Disable Inactive Web User Accounts After
Do not set this value to '0' as this disables the setting. Consult your internal
security team for recommendations.

Password Policy

Set password policy parameters in accordance with company password policy. If
you do not have an official security policy, our recommendations follow. Consult
your internal security team for further recommendations.

NOTE:
If you use Active Directory to authenticate users, your password policy is
managed by Active Directory.

Password Strength

Enforce Settings
Enforce password strength settings.

Minimum Password Length
Set the minimum password length to 8.

Minimum Number of Upper Case Letters
Set a minimum of 1.

Minimum Number of Lower Case Letters
Set a minimum of 1.

Minimum Number of Digits
Set a minimum of 1.

Minimum Number of Special Characters
Set a minimum of 1.

Allowable Special Characters
Allow all special characters.

Password Age

Minimum Password Age
Set the Minimum Password Age to 1.

Maximum Password Age
Do not set the Maximum Password Age to zero (0). The industry standard is 90
days. Consult your internal security team for recommendations.

NOTE:
Applying a Maximum Password Age can affect automated and service level
accounts that are not LDAP managed.

Password History

Enforce Password History
Enable.

User Name Policy

Set user name policy parameters in accordance with company policy. Consult your
internal security team for recommendations.

NOTE:
If you use Active Directory to authenticate users, your password policy is
managed by Active Directory.

Device Policy
PIN Verification Required
Enable PIN verification.

PIN Length
Set a PIN length of at least 6 digits.

Admin Approval Required
Require admin approval for all devices.

Notify Web User Device Managers
Enable so that Device Managers are notified via email when a Web User registers
a device.

Notify Additional Email Addresses
Add one or more email recipients to be notified when a Web User registers a
device for GoDrive and the device requires admin approval or has become
activated. Separate multiple email addresses with commas.

Require Device Reauthentication
Enable.

Reauthenticate Every
Set reauthentication to every 7 days. Consult your internal security team for
recommendations.

Profile

Enable the 'Unique Email Addresses' setting to allow for consolidated
permissions and better traceability. Consult your internal security team for
recommendations.

Anonymous

Disable 'Allow Anonymous Web User'.

Web User Self-Registration

The following section provides all recommended settings for Web User Self-Registration.
Only fields and options with recommended settings will be addressed.

To access the Web User Self-Registration page:

1. Log in as an Admin User with the Security Officer role.

2. From the main menu bar, select Users, and then click the Web User Self-
Registration link.

Web User Self-Registration

Self-Registration Allowed
Disable this feature. Web User Self-Registration allows your employees and
trading partners to create an account in GoAnywhere through the Web Client
interface.

NOTE:
If using Certified Delivery, users will need to be manually created or synced
with LDAP/SAML if this setting is disabled.

If your environment requires the use of Web User Self-Registration, it is
recommended to ensure the following configurations are in place.

Email Pattern
Limit the email patterns allowed to self-register.

Permission
Allow only the emails necessary to register. Deny all others.

Web User Template
Select a Web User Template that gives created Web Users the minimum
permissions necessary in GoAnywhere.

NOTE:
When configuring the Home Directory for created Web Users, it is
recommended to generate the users' home folders based upon the user.name
variable. The default setting for Home Directory will use this value to create
the Web User's home directory under the configured webdocs location. Using
the other offered variable values is not recommended, as these values are not
required to be unique within GoAnywhere. Give careful consideration to any
folder access granted to a Web User, to ensure that the selected variable values
do not unintentionally give Web Users access to the same directory locations.

Requires Approval
Enable Requires Approval.

Notify Web User Managers
Enable Notify Web User Managers.

Use Email as User Name
Enable Use Email as User Name.

Domains
The following section provides all recommended settings for GoAnywhere Domains. Only
fields and options with recommended settings will be addressed.

To manage Domains:

1. Log in as an Admin User with the Security Officer role.

2. From the main menu bar, select Users, and then click the Domains link.

Allow Execute Native Command
This option determines if Projects and Triggers in this Domain can use the Execute Native
Command task or Execute Native Command Trigger action to run commands on the
server where GoAnywhere is running. Use the principle of least privilege.

File Access Restrictions

The File Access Restrictions options determine if Web Users, Admin Users, and
Resources in this Domain are restricted to specific folders. Use the principle of least
privilege.

Key Management System

Allow File Based Keys
Disable file-based keys whenever possible, as file-based keys are accessible from the file
system.

Login Settings
The following section provides all recommended settings for user Login Settings. Only
fields and options with recommended settings will be addressed.

To manage Login Settings:

1. Log in as an Admin User with the Security Officer role. If your user account is
assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu bar, select Users, and then click the Login Settings link.

Two-Factor Authentication Options

Enable two-factor authentication. If you are using LDAP or SAML SSO, enable
multi-factor authentication through your authentication provider.

Reporting
Logs, reports, and log settings are available to authorized Admin Users from the Reporting
drop-down menu.

Logs are useful for troubleshooting errors and monitoring events such as file transfers and
server activity. The logs can be sorted by column, as well as exported to a CSV formatted
file.

Log Settings
The following section provides all recommended settings for Log Settings. Only fields and
options with recommended settings will be addressed.

To administer Logs, log in as an Admin User with the Product Administrator role.

From the main menu bar, point to Reporting and then click Log Settings.

General Tab
Tamper-Evident Logging
Enable Tamper-Evident Logging.

NOTE:
If you have any log exemptions configured, those events will not be logged.
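Added example, not GoAnywhere's implementation: a hash-chained audit log showing what tamper-evident logging detects (an edited or deleted record) and what it cannot detect on its own (a truncated tail, unless the latest digest is anchored outside the log), together with the log exemption caveat from the NOTE above; the chaining scheme and sample events are constructed here.

```python
"""What 'Tamper-Evident Logging' buys you, shown with a hash chain: every
record carries a SHA-256 over the previous record's digest plus its own
content, so edits, deletions and reorderings break the chain at the first
affected record.

Added example; GoAnywhere's own scheme is not described in the guide, so this
chaining design and the sample events are constructed here."""
import copy
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample audit events of the kind the guide says logs capture.
SAMPLE_EVENTS = [
    {"event": "login", "user": "alice", "protocol": "SFTP", "src": "203.0.113.5"},
    {"event": "upload", "user": "alice", "path": "/in/report.csv", "bytes": 4096},
    {"event": "download", "user": "bob", "path": "/out/invoice.xlsx", "bytes": 812},
    {"event": "logout", "user": "alice"},
]

# Event types excluded from logging, as the NOTE above warns: anything on a log
# exemption list never enters the chain, so the chain cannot vouch for it.
EXEMPT_EVENTS = frozenset()


def _digest(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so equal entries hash equally.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, entry, exempt=EXEMPT_EVENTS):
    """Append one record; returns False when the event is exempt (not logged)."""
    if entry.get("event") in exempt:
        return False
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "hash": _digest(prev, entry)})
    return True


def verify(chain, expected_last_hash=None):
    """Return the index of the first record that fails verification, or None.

    Without expected_last_hash (the latest digest kept somewhere the log writer
    cannot modify, e.g. shipped to a SIEM), a truncated tail is invisible: the
    chain that remains is still internally consistent."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["hash"] != _digest(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    if expected_last_hash is not None and prev != expected_last_hash:
        return len(chain)
    return None


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def tampered_variants():
    """Three manipulations someone with write access to the log file might attempt."""
    good = build_sample_chain()
    edited = copy.deepcopy(good)
    edited[1]["entry"]["user"] = "mallory"          # rewrite who uploaded
    deleted = good[:2] + good[3:]                    # drop bob's download
    truncated = good[:2]                             # chop off the tail
    return good, edited, deleted, truncated
```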

Encryption
Encrypted Folders
The Encrypted Folders page allows authorized users to create and manage encrypted
folders for use within GoAnywhere.

To manage encrypted folders:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu, select Encryption, and then click the Encrypted Folders link.

3. Fortra recommends encrypting as many locations accessed by GoAnywhere MFT as
possible.

Folder Restrictions
To prevent encryption of vital GoAnywhere system resources, GoAnywhere has
restrictions on which folders can be encrypted:

• You cannot encrypt a root drive. For example, you would not be able to encrypt C:\.
• You cannot encrypt the GoAnywhere install directory, or any parent directory of the
install directory.
• The WebDocs and Workspace directories are the only directories within the
GoAnywhere install directory where encryption is allowed. The locations of these
folders are configured on the Domain.
• You cannot encrypt a child folder of a directory that is already encrypted.
• You cannot encrypt a parent folder of a directory that contains an encrypted child
directory.




NOTE:
When using encrypted folders in GoAnywhere, data at rest can only be accessed
through the GoAnywhere application.

Master Encryption Keys


GoAnywhere MFT ships with a product encryption key that, by default, is used to encrypt
passwords, keys, and other sensitive data. The Master Encryption Keys feature allows
administrators to create and manage master keys. The most recently created Master
Encryption Key will always be set to the 'current' key and will be labeled as such in the list
of keys.

To manage Master Encryption Keys:

1. Log in as an Admin User with both Product Administrator and Security Officer
roles. If your user account is assigned to a custom Admin User Role, your ability to
view, modify, or execute actions on this page is based on the permissions specified
for that role.

2. Select Encryption from the main menu bar and then click the Master Encryption
Keys link.

IMPORTANT: Fortra recommends creating a new Master Encryption Key. Rotate Master
Encryption Keys as directed by your organization’s security policy.



System
Global Settings
The following section provides all recommendations for Global Settings. Only fields and
options with recommended settings will be addressed.

These settings can be viewed and modified by an Admin User with the Product
Administrator role. If your user account is assigned to a custom Admin User Role, your
ability to view, modify, or execute actions on this page is based on the permissions
specified for that role.

From the main menu, select System, and then click the Global Settings link.

SMTP Tab

Connect to an SSL enabled port. Configure the SMTP settings to use User Name
and Password whenever possible.

SMS Tab

When using SMS, refer to your SMS provider for best practices.

Security Settings
The following section provides all recommended settings for the Security Settings page.
Only fields and options with recommended settings will be addressed.

The Security Settings option is only available to Admin Users with the Security Officer
role.

Any changes to Security Settings are implemented globally throughout GoAnywhere MFT.

From the main menu bar, select System, and then click Security Settings.




NOTE: Changes to Security Settings require a restart of GoAnywhere MFT.

Cryptography Tab

FIPS 140-2 Compliance

Enable FIPS 140-2 Compliance Mode


Enabling FIPS mode is optional but strongly recommended.

DRBG Required Entropy

DRBG Required Entropy Bits


The ‘Default’ option represents the minimum required entropy bits to meet the
latest security standard. Configuration above this level is supported, but it may
affect performance. Check with your security team to determine an acceptable
number of entropy bits to use.

SSL/TLS Algorithms Tab

Protocols
Enable only TLSv1.2 and TLSv1.3, if available.

NOTE:
Connecting to outdated servers may cause connectivity issues.




Cipher Suites
Consult with your Security Team to determine which cipher suites should be
allowed globally. For more information on cipher suite support, please review the
‘Security Settings’ section of the GoAnywhere MFT User Guide.

Trust Settings Tab

Certificate Validation

CA Basic Constraints Validation


Enable all certificate checks.

Date Validation
Enable all certificate checks.

Extended Key Usage Validation


Enable all certificate checks.




NOTE:
If running in a clustered system with Agents, rotate the Agent server key to an
SSL certificate that has been generated with the Client and Server Extended
Key Usage attributes defined.

NOTE:
If enabling client SSL certificate validation, make sure that any users
authenticating with SSL certificates are using certificates that have the Client
Extended Key Usage attribute defined.

Certificate Revocation Lists (CRL)


Enable all certificate checks. Consult your security team to determine which CRL
to pull from and how often it is refreshed.

Hostname Verification

Strict Hostname Verification


Enable.

Implicit Trust

Allow Implicit Trust (SSL/TLS)


Disable. This helps prevent man-in-the-middle attacks.

Allow Implicit Trust (SSH)


Disable. This helps prevent man-in-the-middle attacks.

Antivirus Settings
The following section provides all recommendations for Antivirus Settings. This section
will only address fields and options that have recommended settings.

Antivirus Settings are used to configure automatic antivirus scanning for files uploaded to
GoAnywhere Services.

These settings can be viewed and modified by an Admin User with the Product
Administrator role. If your user account is assigned to a custom Admin User Role, your
ability to view, modify, or execute actions on this page is based on the permissions
specified for that role.

From the main menu, select System, and then click the Antivirus Settings link.

Enabled

Enabling antivirus scanning can help prevent the upload of malicious or unwanted data to
your GoAnywhere server.

Upload Options

File Buffer Size

This is the maximum file size GoAnywhere will store in memory while awaiting a response
from the ICAP server. Limiting the file buffer size according to your company's needs and
security policy can help prevent attacks that consume server resources. Fortra also
recommends limiting disk space for Web Users and Web User Groups to help prevent this
type of attack.

Service Limits

It is best practice to scan all uploads made to GoAnywhere Services with an ICAP
Solution.

File Actions

Default file actions have been configured with best practices in mind. If your team
needs to adjust these rules, ensure that uploads which receive an ICAP response
signifying the discovery of unwanted data within the file are denied.

Default File Action


Fortra recommends selecting deny for the Default File Action. Denying uploads
that do not return any of your expected ICAP responses can help prevent the
upload of unwanted or unexpected data.

ICAP Server is Unavailable


Fortra recommends selecting deny if the ICAP server is unavailable. This will
ensure that no malicious data is uploaded to your server in the event the ICAP
server becomes inaccessible to GoAnywhere.

File Exemptions

Do not configure file exemptions. File Exemptions help narrow the scope of the
ICAP configuration (for example, by a particular user or file size). Therefore,
uploads that meet exemption criteria will not be scanned by ICAP.
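The File Buffer Size, Default File Action, and ICAP Server is Unavailable settings above combine into one upload decision. The following added example (not GoAnywhere code) parses a raw ICAP response head (RFC 3507 status line and headers) and applies the hardened actions beside a permissive configuration; the policy object, the log-style sample replies, and the rule that an upload larger than the buffer is refused are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy object; field names mirror the Antivirus Settings page.
@dataclass(frozen=True)
class AvPolicy:
    enabled: bool = True
    file_buffer_size: int = 10 * 1024 * 1024  # max bytes held while the scanner replies
    default_file_action: str = "deny"         # Default File Action for unexpected replies
    action_when_unavailable: str = "deny"     # ICAP Server is Unavailable action

HARDENED = AvPolicy()
# Weak configuration for comparison: allow by default and allow when the scanner is down.
PERMISSIVE = AvPolicy(default_file_action="allow", action_when_unavailable="allow")


def parse_icap_response(raw: bytes):
    """Return (status_code, headers) from the ICAP head of a response (RFC 3507)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def decide_upload(policy: AvPolicy, size: int, icap_raw: Optional[bytes]) -> str:
    """Return 'allow' or 'deny' for one upload; icap_raw is None if ICAP was unreachable."""
    if not policy.enabled:
        return "allow"
    if size > policy.file_buffer_size:
        # Assumed for this example: a file that cannot be buffered is refused rather
        # than passed through unscanned, which is what bounds memory use.
        return "deny"
    if icap_raw is None:
        return policy.action_when_unavailable
    try:
        code, headers = parse_icap_response(icap_raw)
    except ValueError:
        return policy.default_file_action
    if code == 204:
        return "allow"   # 204 No Content: scanner returned the file unmodified
    if code == 200 and ("x-infection-found" in headers or "x-violations-found" in headers):
        return "deny"    # scanner flagged unwanted content
    return policy.default_file_action  # any other reply is unexpected


# Constructed sample replies in the shape AV ICAP servers commonly return.
CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "example"\r\n\r\n'
INFECTED = (b'ICAP/1.0 200 OK\r\nISTag: "example"\r\n'
            b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
            b"Encapsulated: res-hdr=0, res-body=0\r\n\r\n")
UNEXPECTED = b"ICAP/1.0 500 Server Error\r\n\r\n"

if __name__ == "__main__":
    for label, reply in (("clean", CLEAN), ("infected", INFECTED), ("odd", UNEXPECTED), ("down", None)):
        print(f"{label}: hardened={decide_upload(HARDENED, 1024, reply)} "
              f"permissive={decide_upload(PERMISSIVE, 1024, reply)}")
```

With the permissive policy the unexpected reply and the unreachable scanner both let the file through; the hardened policy denies both, which is the behaviour the guide asks for.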

Admin Server
The following section provides all recommended settings for the Admin Server page. Only
fields and options with recommended settings will be addressed.

IMPORTANT: Fortra recommends not making the admin web portal publicly available.

To manage the Admin Server:

1. Log in as an Admin User with the Product Administrator role. If your user account
is assigned to a custom Admin User Role, your ability to view, modify, or execute
actions on this page is based on the permissions specified for that role.

2. From the main menu, select System and then click the Admin Server link. From
the Admin Server page, click Edit to edit the Admin Server.

Listener

General Tab
Server Header
Set the Server Header name to something generic (such as 'Null', 'None', or 'Web
Server'). Information gathered from the header name can help attackers in
malicious activities.


Force Identity Provider Login


If you are using SAML Single Sign-On, enable this field. This will force all
authentication requests to be routed through your identity provider.

SSL Tab
SSL Enabled
Enable. It is best practice to enable SSL on Listeners unless redirecting from
HTTP to HTTPS.

SSL Protocol
Use the default, TLS protocol.

Enabled SSL Protocols


Leave this field blank. Settings will be inherited from the Global Security Settings
page.

Client Authentication
If all users are authenticating with certificates, set this option to 'Required'. If only
some users are authenticating with certificates, use 'Optional'. Otherwise, use
'None'.

Enabled Cipher Suites


Use this list to further limit the protocol specific Cipher Suites beyond those
specified in the Security Settings.

Certificate Location
Import your company's private SSL key into the Key Management System and
apply it to the HTTPS listener. If a signed certificate is not available, create an
SSL certificate and apply it. Use the latest certificate version and the largest key
size possible. If using certificate version 3, be sure that the certificate's extended
key usage is set to SSL/TLS server. See the HTTPS Certificate Quick Start Guide in
the GoAnywhere Admin User Guide for more information.


Redirection Tab
HTTP/HTTPS traffic can be automatically redirected to the intended protocol, host
and/or port. The redirect process substitutes the appropriate portion of the URL
([protocol]://[host][:port]).

To securely redirect from HTTP to HTTPS, set up an HTTP listener and enable
redirection on that listener. Configure the redirection fields as necessary, set the
redirection protocol as HTTPS, and redirect to the existing HTTPS listener.

Database Configuration
The Database Configuration page displays the current database configuration and
provides options to edit the current database configuration or migrate the embedded
GoAnywhere database to an external database.

To manage the database:

1. Log in as an Admin User with the Product Administrator role.

2. From the main menu, select System, and then click the Database Configuration
link.

By default, GoAnywhere stores its configuration settings and application data in an
embedded Derby database. Fortra recommends switching to an external database so that
a database administrator can manage database security. Enable SSL communication with
the database if possible.

WARNING:
Only perform the database switch when no other users are using GoAnywhere. The
migration will stop Monitors, Scheduled Jobs, Service Level Agreements, and Projects
from executing. Additionally, all services, Web User sessions, and the GoAnywhere
Gateway connection will be stopped.

See the Switch Database topic in the GoAnywhere User Guide for instructions on how to
switch databases.


NOTE:
You need to export the internal database's certificate to a local file-based trust store,
then specify that trust store in your JDBC URL. Example:
&trustStore=C:\Program Files\HelpSystems\GoAnywhere\userdata\keys\x509\trustedCertificates.jks&trustStorePassword=goanywhere

System Alerts
The following section provides recommendations for System Alerts settings. Only fields
and options with recommended settings will be addressed. The System Alert settings do
not directly affect the security of the application; however, they can alert administrators
to potential security issues.

When system alerts are enabled, GoAnywhere can email Product Administrators when the
system is started, shut down, when memory is reaching a set threshold, the GoAnywhere
license is set to expire, or when changes are made to a GoAnywhere Cluster. System
Alerts are useful in pointing to stability and security issues.

To modify System Alerts:

1. Log in as an Admin User with the Product Administrator role.

2. From the main menu, select System, and then click the System Alerts link.

General Settings
System Alerts Enabled
Enable.

Administration

GoAnywhere Started

Notify Product Administrators


Enable.


GoAnywhere Shutdown

Notify Product Administrators


Enable.

JVM Memory

Available Memory Less Than


Set a memory limit.

Notify Product Administrators


Enable.

Notify Additional Email Addresses


Enable this feature if additional users need to be notified.

License Expiring

License Expiring Within


Set a time limit.

Notify Product Administrators


Enable.

Web Users

Web User Deactivated

Notify Web User Managers


Enable.

Certificates

Certificate Expiring

Certificate Expiring Within


Set a time limit.

Notify Key Managers


Enable.


PGP Keys

PGP Key Expiring

PGP Key Expiring Within


Set a time limit.

Notify Key Managers


Enable.

Triggers

Trigger Failed

Notify Trigger Managers


Enable.

Gateway

Gateway Connected

Notify Product Administrators


Enable.

Gateway Disconnected

Notify Product Administrators


Enable.

Clustering

Cluster Membership Changes

Notify Product Administrators


Enable.

IP Filter
The IP Filter page provides the options to create and configure the global IP filter list. To
manage IP filters, log in as an Admin User with the Security Officer role.


From the main menu, select System, and then click the IP Filter link.

Set 'IP Filter Enabled' to true.

Filter Entries

As a best practice, create a list of allowed addresses to limit who can connect to
GoAnywhere's Admin Client and hosted services.

IP Block Listing
The following section provides all recommendations for IP Block Listing settings. Only
fields and options with recommended settings will be addressed.

The Automatic IP Block List feature in GoAnywhere monitors the active services for
repeated unsuccessful access attempts. The Automatic IP Block List can detect
brute-force and denial of service (DoS) attacks, as well as monitor for malicious user names.

To manage Automatic IP Block Lists:

1. Log in as an Admin User with the Security Officer role.

2. From the main menu, select System, and then click the Automatic IP Block List
link.

WARNING: Some networking devices may mask the true remote IP address of a client
connection. Please work with your networking team to ensure GoAnywhere MFT is
receiving the correct remote IP address. Receiving an incorrect IP may negatively
affect GoAnywhere’s IP Filter and IP Block Listing functionality.

Automatic IP Block List


Automatic Block List Enabled
Enable this feature.


Brute-force Attack Monitor Enabled


Enable the brute-force monitor and set the Sensitivity to 'Very High' with a Ban
Type of 'Permanent'.

DoS Attack Monitor Enabled


Enable the DoS attack monitor and set the Sensitivity to 'Very High' with a Ban
Type of 'Permanent'.

Malicious User Name Monitor Enabled


Enable malicious user name monitoring and add a list of common user names that
you are not using within the application. (root, admin, administrator, ec2-user,
etc.).

Automatic IP Block List Exemptions

The Automatic IP Block List Exemptions feature in GoAnywhere excludes
specified IP addresses from being block listed after repeated unsuccessful access
attempts.

To manage Automatic IP Block Lists Exemptions, log in as an Admin User with the
Security Officer role. If your user account is assigned to a custom Admin User
Role, your ability to view, modify, or execute actions on this page is based on the
permissions specified for that role.

From the main menu, select System, and then click the Automatic IP Block List
link. Click the Exemptions button on the Automatic IP Block List page.
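To see how the brute-force monitor, the malicious user name monitor, and the exemption list described above interact, here is an added example (not GoAnywhere code) that replays constructed authentication log lines through an offline model of the Automatic IP Block List. The log line format, the sensitivity thresholds, the five-minute window, and the rule that a successful login resets the failure count are assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sensitivity table: failed attempts tolerated per source IP within WINDOW.
SENSITIVITY = {"Low": 20, "Medium": 10, "High": 5, "Very High": 3}
WINDOW = timedelta(minutes=5)

# Constructed log line shape for this example, not the product's real log format.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\w+) (?P<result>LOGIN_OK|LOGIN_FAILED) "
                     r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")


class BlockListMonitor:
    def __init__(self, sensitivity="Very High", malicious_users=(), exemptions=()):
        self.limit = SENSITIVITY[sensitivity]
        self.malicious_users = {u.lower() for u in malicious_users}
        self.exempt_nets = [ipaddress.ip_network(e, strict=False) for e in exemptions]
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> reason; bans are permanent here

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = LINE_RE.match(line)
        if not m:
            return None                    # not an authentication event
        ip, user, ts = m["ip"], m["user"].lower(), datetime.fromisoformat(m["ts"])
        # Exempt addresses are never counted, and banned ones need no further work.
        if ip in self.blocked or any(ipaddress.ip_address(ip) in n for n in self.exempt_nets):
            return None
        if m["result"] == "LOGIN_OK":
            self.failures[ip].clear()      # assumed: a success resets the counter
            return None
        # Malicious user name monitor: one probe for an account you never use is enough.
        if user in self.malicious_users:
            self.blocked[ip] = f"malicious user name {user!r}"
            return ip
        # Brute-force monitor: keep only failures inside the sliding window.
        recent = [t for t in self.failures[ip] if ts - t <= WINDOW] + [ts]
        self.failures[ip] = recent
        if len(recent) > self.limit:
            self.blocked[ip] = f"brute force: {len(recent)} failures within {WINDOW}"
            return ip
        return None


# Constructed sample: one brute-force source, one probe for 'root', one exempt
# internal host that fails repeatedly, and one user who recovers after a typo.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d} SFTP LOGIN_FAILED user=alice ip=203.0.113.7" for s in (0, 15, 30, 45)]
    + ["2024-05-01T10:02:00 HTTPS LOGIN_FAILED user=root ip=198.51.100.9"]
    + [f"2024-05-01T10:03:{s:02d} HTTPS LOGIN_FAILED user=bob ip=10.0.0.5" for s in (0, 10, 20, 30)]
    + ["2024-05-01T10:04:00 SFTP LOGIN_FAILED user=carol ip=192.0.2.4",
       "2024-05-01T10:04:30 SFTP LOGIN_OK user=carol ip=192.0.2.4"]
)


def run_sample():
    """Replay SAMPLE_LOG through a hardened monitor and return {ip: reason}."""
    mon = BlockListMonitor("Very High", ["root", "admin", "administrator", "ec2-user"],
                           exemptions=["10.0.0.0/8"])
    for line in SAMPLE_LOG:
        mon.feed(line)
    return mon.blocked
```

Running `run_sample()` bans 203.0.113.7 for four failures inside the window and 198.51.100.9 for probing `root`, while the exempt 10.0.0.5 and the recovering user carol are left alone; the exemption is what keeps a misbehaving internal host from locking itself out.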



Security Settings Audit Report
While the Security Settings Audit report is intended to analyze your GoAnywhere product’s
security settings and determine if they comply with the Payment Card Industry Data
Security Standards (PCI-DSS), this report is also useful in locating potential weaknesses
in your GoAnywhere configuration.

For each security setting, the report will indicate if the setting meets the PCI-DSS standard
using one of the following statuses:

• Pass - The setting meets the PCI-DSS requirement.
• Fail - The setting does not meet the PCI-DSS requirement. Recommended steps to
correct the setting are provided.
• Warning - Further research is required to ensure your system meets the specified
requirement. Recommended steps to correct the setting are provided.
• Not Applicable - A check on this setting is not required, typically due to
GoAnywhere features that you are not licensed to use.
• Fatal - Indicates a configuration problem is preventing GoAnywhere from
accessing the appropriate data.

NOTE:
Running the Security Settings Audit Report requires the Advanced Reporting Module.
If you do not have access to this feature, reach out to your sales rep for temporary
access.



Glossary
N

nonrepudiation
Creating a proof of the origin or delivery of data, thus preventing the recipient from
falsely denying that data has been received and preventing the sender from falsely
asserting that data has been sent.

principle of least privilege
A user should be given only those privileges needed to complete a given task. If a
user does not need an access right, the user should not have that right.
