Restrict data folder permissions

The data folder of MyQ Print Server contains highly sensitive data, including the user database and TLS certificate private key. Its current location is displayed in the MyQ Easy Config application:

Data folder settings in MyQ Easy Config

All users (local/domain) have read access by default:

Windows folder permissions

Only Administrators, SYSTEM, and MyQ service account should have access to this directory. Here is a sample batch script that can be used for permission hardening:

@ECHO OFF
REM Add the virtual account SIDs to all MyQ Print Server services:
sc sidtype Apache unrestricted
sc sidtype FirebirdServerDefaultInstance unrestricted
sc sidtype KNM_PM unrestricted
sc sidtype MyQ unrestricted
sc sidtype traefik unrestricted

REM Grant rights to the virtual service accounts:
icacls "%ProgramData%\MyQ" /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" /grant
"BUILTIN\Administrators:(OI)(CI)F" /grant "NT SERVICE\MyQ:(OI)(CI)M" /grant "NT
SERVICE\Apache:(OI)(CI)M" /grant "NT SERVICE\FirebirdServerDefaultInstance:(OI)(CI)M"
/grant "NT SERVICE\Apache:(OI)(CI)M" /grant "NT SERVICE\traefik:(OI)(CI)M" /inheritance:r
/Q

Enable database encryption

Always encrypt the database using a custom certificate to lower the risk of data leaks:

Encrypting the database in MyQ Easy Config

The certificate needs to have the “Encrypting File System” Enhanced Key Usage (EKU) and it must be located in one of the following computer certificate stores:

  • Personal

  • Trusted Publishers

  • Third-Party Root Certification Authorities

  • Other people

 The Personal store is the preferred one.

Encrypt backups

Database backups should be protected by secure, randomly generated passwords:

Data Backup password
Enable disk encryption

If possible, a full disk encryption technology like Microsoft BitLocker should be enabled on the MyQ Print Server to protect the data at rest:

Encrypting your Windows data