Security Best Practices¶

This guide covers security recommendations for SPSA deployments.

SPSA Security Architecture¶

SPSA is designed with security in mind as a hardened appliance:

flowchart TB subgraph SPSA["SPSA Appliance Security Layers"] direction TB FW[Host Firewall - nftables] OS[Alpine Linux - Minimal OS] DOCKER[Docker Isolation] GUAC[Guacamole 1.6.0] MFA[TOTP Multi-Factor Auth] end USERS[Users] -->|HTTPS 443| FW FW --> OS OS --> DOCKER DOCKER --> GUAC GUAC --> MFA GUAC -->|RDP/SSH/VNC| TARGETS[Target Systems] style SPSA fill:#eff6ff,stroke:#2563eb

Security Layer	Implementation
Network Security	Integrated host firewall (nftables)
OS Hardening	Alpine Linux (minimal attack surface)
Application Isolation	Docker containers
Authentication	TOTP-based MFA required
Transport	TLS encryption (Caddy)

Integrated Host Firewall¶

SPSA includes a pre-configured firewall that blocks all unnecessary network access.

Default Firewall Rules¶

Inbound (Allowed):

TCP 443 (HTTPS - SPSA Portal)
TCP 80 (HTTP - Let's Encrypt validation, public-facing only)

Inbound (Blocked by Default):

TCP 22 (SSH - disabled unless sshon used)
All other ports

Outbound (Allowed):

TCP 3389 (RDP to targets)
TCP 22 (SSH to targets)
TCP 5900-5910 (VNC to targets)
TCP 23 (Telnet to targets)
UDP 53 (DNS)
UDP 123 (NTP)
TCP 80/443 (Appliance updates)

No Manual Configuration

The host firewall is pre-configured. Administrators do not need to manage firewall rules on the SPSA appliance.

SSH Access Control¶

Default State: Disabled¶

SSH access to the SPSA appliance is disabled by default for security.

Enable SSH Temporarily¶

Only enable when required for maintenance:

# From VM console as spadmin
sudo sshon

Disable SSH After Use¶

Always disable when finished:

sudo sshoff

Critical Security Warning

A permanently enabled SSH server is a security risk for:

The SPSA appliance itself
All target systems reachable through SPSA

Never leave SSH enabled unattended.

Valid Use Cases for SSH¶

Installing SSL certificates
Collecting logs for support
Applying updates (when directed by Skillplan)
Brief administrative access

Network Security¶

Network Placement¶

Place SPSA in a network segment that:

Is protected by firewall from the internet
Can reach target systems
Is isolated from general user workstations

Recommended: DMZ or dedicated management VLAN

Firewall Rules (External)¶

Configure your network firewall:

Inbound to SPSA:

ALLOW TCP 443 from authorized user networks
ALLOW TCP 80 from internet (Let's Encrypt, if using)
DENY all other inbound

Outbound from SPSA:

ALLOW TCP 3389 to Windows targets
ALLOW TCP 22 to Linux targets
ALLOW TCP 5900-5910 to VNC targets
ALLOW TCP 23 to Telnet targets (if needed)
ALLOW UDP 53 to DNS servers
ALLOW UDP 123 to NTP servers
ALLOW TCP 80/443 to internet (appliance updates)
DENY all other outbound

Network Segmentation¶

For high-security environments:

Place SPSA on a dedicated VLAN
Use firewall rules to restrict which targets are accessible
Log all traffic to/from SPSA for audit

Authentication Security¶

Strong Passwords¶

Console Account (spadmin): - Minimum 12 characters - Uppercase and lowercase letters - Numbers - Avoid Z and Y (keyboard layout issues)

Portal Accounts: - Follow your organization's password policy - Minimum 12 characters recommended - Unique password (not reused from other systems)

Change Defaults Immediately

Both console and portal default passwords must be changed on first use.

Multi-Factor Authentication¶

SPSA enforces TOTP-based MFA for all portal users:

Google Authenticator
Microsoft Authenticator
Authy
Any TOTP-compatible app

MFA cannot be disabled - this is by design for security.

User Account Security¶

Practice	Recommendation
Individual accounts	Create unique account per user
No shared accounts	Shared accounts prevent accountability
Remove unused accounts	Delete or disable when no longer needed
Regular access review	Monthly review of active accounts
Time-limited access	Use account restrictions for contractors

Access Control¶

Principle of Least Privilege¶

Grant only necessary connection access
Users should see only the connections they need
Review permissions regularly

Connection Security Settings¶

For high-security environments:

Setting	Recommendation	Reason
Disable clipboard from remote	Enable	Prevents data exfiltration
Disable file download	Enable	Blocks file transfers out
Disable file upload	Enable	Blocks file transfers in
Disable audio	Enable	SPSA not designed for audio
Use NLA	Always	Most secure RDP mode

Security for Contaminated Zones¶

When accessing potentially compromised systems:

Disable all clipboard functionality
Disable all file transfer options
Enable read-only mode if only observation needed
Log all sessions (SPSA Pro)

SSL/TLS Configuration¶

Certificate Options¶

Option	Use Case
Self-signed (default)	Testing, internal lab
Internal CA	Enterprise environments
Public CA	External user access
Let's Encrypt	Public-facing with automation

Production Requirements¶

Replace self-signed certificate before production use
Use certificates signed by a trusted CA
Monitor certificate expiration
Renew 30 days before expiry

Installing Certificates¶

Certificates are installed via SSH access to the appliance. Contact Skillplan support for certificate installation procedures.

Operational Security¶

Updates¶

Keep SPSA appliance updated (contact Skillplan for update procedures)
Apply security patches promptly
Keep target systems updated

Monitoring¶

Monitor	Action
Session history	Review in History tab
Failed logins	Investigate unusual patterns
Unusual activity	Check for unauthorized access attempts
Connection attempts	Monitor which connections are being used

Backup¶

Back up SPSA configuration regularly
Test backup restoration procedures
Store backups securely (encrypted, access-controlled)

Logging¶

SPSA maintains logs for:

User authentication (success/failure)
Session start/end times
Connection usage
Administrative actions

SPSA Pro adds session recording for full audit trail.

Compliance Considerations¶

SPSA supports common compliance frameworks:

Framework	SPSA Support
GDPR	On-premises data storage, European product
NIS2	Access control, logging, authentication
ISO 27001	Access management, audit trails
SOC 2	Authentication, session monitoring

Key Compliance Features¶

Requirement	SPSA Capability
Access Control	Role-based permissions, connection access
Authentication	MFA required for all users
Encryption	TLS for all connections
Audit Logging	Session history, user actions
Data Sovereignty	On-premises deployment (EU)
Session Recording	Full recording (SPSA Pro)

Security Checklist¶

Initial Deployment¶

[ ] Console password changed (spadmin)
[ ] Portal password changed (spadmin)
[ ] MFA configured for admin accounts
[ ] SSH disabled (sshoff confirmed)
[ ] SSL certificate installed (production)
[ ] Firewall rules configured (network)

Ongoing Operations¶

[ ] User access reviewed (monthly)
[ ] Unused accounts disabled/removed
[ ] Session history reviewed
[ ] Certificate expiration monitored
[ ] Updates applied when available
[ ] Backup verified

For High-Security Environments¶

[ ] Clipboard disabled for sensitive connections
[ ] File transfer disabled
[ ] Session recording enabled (Pro)
[ ] Time-based access restrictions used
[ ] Network segmentation implemented
[ ] Traffic logging enabled

Security Incident Response¶

Suspected Compromise¶

If you suspect SPSA has been compromised:

Isolate - Disconnect SPSA from network
Preserve - Do not modify or restart
Contact - Reach out to Skillplan support immediately
Document - Record timeline and observations

Contact¶


Security Issues	support@skill-plan.com
Website	https://www.skill-plan.com