Backup My Org Security Best Practices

Overview

This article outlines the security best practices and minimum configuration standards for securely installing, operating, and maintaining Backup My Org.
It is designed to align with common enterprise IT security policies and compliance requirements.


1. Principle of Least Privilege

Backup My Org and all supporting components should run with the fewest privileges necessary.

OS-Level Permissions

  • Create a dedicated Windows service account for BMO (e.g., svc_backupmyorg).

  • Do not run the service as Administrator or LocalSystem.

  • Grant Read/Write access only to:

    • C:\BACKUPMYORG (application folder)

    • Backup output directories C:\backup\<identity>

  • Remove inherited permissions for “Everyone” or “Users” where possible.

  • If the installer or service must register a Windows service, use temporary elevation via an admin account—not permanent elevation.

Installation Controls

  • Only authorized IT personnel may install or update BMO.

  • Installation scripts must be code-signed and version-controlled.

  • Verify the file hash and digital signature of distributed executables (.exe) before installation.


2. MongoDB Security Configuration

Backup My Org depends on MongoDB for data persistence, so the MongoDB instance must be configured securely.

Authentication and Authorization

  • Set in mongod.conf:

    security:
      authorization: enabled

  • Create dedicated MongoDB users for:

    • Application access (read/write on the BMO database only)

    • Administrative/maintenance access (limited to admin staff)

  • Example:

    use backupmyorg
    db.createUser({
      user: "bmoAppUser",
      pwd: "StrongPassword123!",  // placeholder: substitute a unique, generated password
      roles: [{ role: "readWrite", db: "backupmyorg" }]
    })

  • Disable the default test database and remove any unused users.

  • Use SCRAM-SHA-256 authentication or stronger.

  • Rotate credentials regularly and store them securely (see section 5).

Network Exposure

  • Bind MongoDB only to internal or loopback interfaces:

    net:
      bindIp: 127.0.0.1

  • Use firewall rules (network firewall or Windows Defender Firewall) to allow only the BMO service host to access the MongoDB port (27017 by default).

  • Do not expose MongoDB to the public internet.

Encryption

  • Enable TLS/SSL between BMO and MongoDB:

    net:
      tls:
        mode: requireTLS
        certificateKeyFile: C:\Mongo\certs\mongo.pem

  • Encrypt MongoDB data at rest using:

    • MongoDB Enterprise “Encrypted Storage Engine” (preferred), or

    • Full-disk encryption (BitLocker or LUKS)

  • Store keyfiles and certificates securely, accessible only to the mongod process user.
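
The Python script below is an added example, not part of Backup My Org or MongoDB tooling. It checks a mongod.conf for the authorization, bindIp and TLS settings listed above. The function names and both sample configs are constructed for illustration, and the parser assumes only the nested-mapping subset of YAML that these settings use.

```python
import ipaddress

def flatten_conf(text):
    """Flatten the nested-mapping subset of YAML that mongod.conf uses into dotted keys."""
    flat, parents = {}, []  # parents: (indent, key) of mappings still open
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first colon only, so C:\ paths survive
        while parents and parents[-1][0] >= indent:
            parents.pop()
        if value.strip():
            flat[".".join([k for _, k in parents] + [key])] = value.strip().strip("\"'")
        else:
            parents.append((indent, key))
    return flat

def audit_mongod_conf(text):
    """Return findings for the three mongod.conf settings this article requires."""
    conf, findings = flatten_conf(text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")
    if conf.get("net.bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll exposes every interface")
    for addr in conf.get("net.bindIp", "").split(","):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            continue  # hostname or empty: not resolvable offline, review by hand
        if ip.is_unspecified or ip.is_global:
            findings.append(f"net.bindIp includes non-internal address {ip}")
    if conf.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS'")
    if not conf.get("net.tls.certificateKeyFile"):
        findings.append("net.tls.certificateKeyFile is not set")
    return findings

# Constructed sample configs (not from a real deployment)
WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n  tls:\n    mode: allowTLS\n"
HARDENED = r"""
security:
  authorization: enabled
net:
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: C:\Mongo\certs\mongo.pem
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Hostnames in bindIp are skipped rather than resolved, so review those entries by hand.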

Auditing and Logging

  • Enable MongoDB auditing (Enterprise) or standard logging for:

    • Auth attempts

    • Role grants

    • Database configuration changes

  • Forward logs to a central SIEM if available.

  • Retain logs per corporate retention policy (e.g., 90 days minimum).


3. Network and System Hardening

  • Keep all OS and dependencies patched.

  • Disable unused ports and services on the host.

  • Restrict inbound traffic to ports 443 and 8500 (application).

    • You can bypass the 8500 requirement by running in IIS mode.

  • Apply endpoint protection and monitor the BMO host for anomalies.

  • Run the BMO server within an isolated VLAN or private subnet if possible.

  • Limit outbound traffic from the host to known endpoints (e.g., your ArcGIS organizations, cloud endpoints).


4. Secure Configuration of Backup My Org

Configuration File Security

  • The file config\nodeconfig.json contains sensitive credentials.

    • Set NTFS permissions so that only the service account and administrators can read it.

Storage

  • Store local backups and temp files in locations such as C:\backups\<identity name> with restricted access.

Backups

  • Store backups in secure, access-controlled storage (e.g., Azure Blob, S3, internal NAS).


5. Auditing and Maintenance

  • Review permissions quarterly (OS, MongoDB, and application roles).

  • Conduct an annual security review, including:

    • Patch compliance

    • Credential rotation

    • Service account activity logs

  • Regularly test restore procedures to verify that backups remain decryptable and usable.

  • Subscribe to MongoDB and Geo Jobe security advisories for patch notifications.


6. Compliance Alignment

Backup My Org installations should meet the following baseline controls:

  • Encryption: TLS 1.2+ for all connections; AES-256 at rest.

  • Access Control: Role-based access is enforced both in MongoDB and Windows.

  • Change Management: Document all configuration changes and version updates.

  • Incident Response: Define an internal escalation path for suspected data breach or configuration compromise.