The data folder of MyQ Print Server contains highly sensitive data, including the user database and TLS certificate private key. Its current location is displayed in the MyQ Easy Config application:
All users (local/domain) have read access by default:
Only Administrators, SYSTEM, and the MyQ service account should have access to this directory. Here is a sample batch script that can be used for permission hardening:
@ECHO OFF

REM Add the virtual account SIDs to all MyQ Print Server services:
sc sidtype Apache unrestricted
sc sidtype FirebirdServerDefaultInstance unrestricted
sc sidtype KNM_PM unrestricted
sc sidtype MyQ unrestricted
sc sidtype traefik unrestricted

REM Grant rights to the virtual service accounts.
REM /grant:r replaces existing explicit rights for SYSTEM, and /inheritance:r
REM removes every ACE inherited from the parent folder.
icacls "%ProgramData%\MyQ" ^
  /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" ^
  /grant "BUILTIN\Administrators:(OI)(CI)F" ^
  /grant "NT SERVICE\MyQ:(OI)(CI)M" ^
  /grant "NT SERVICE\Apache:(OI)(CI)M" ^
  /grant "NT SERVICE\FirebirdServerDefaultInstance:(OI)(CI)M" ^
  /grant "NT SERVICE\traefik:(OI)(CI)M" ^
  /inheritance:r /Q
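To confirm that the hardening took effect, the resulting permissions can be audited. The following PowerShell script is an added example, not part of the MyQ documentation or product. It assumes the default %ProgramData%\MyQ location and English principal names, and its -Path parameter and allow-list are illustrative and mirror the batch script above.

```powershell
# Added example (not MyQ's own code): audit the result of the hardening script.
# Assumptions: default data folder %ProgramData%\MyQ and English principal names;
# pass -Path with the location shown in MyQ Easy Config if it differs.
param([string]$Path = (Join-Path $env:ProgramData 'MyQ'))

$services = 'Apache', 'FirebirdServerDefaultInstance', 'KNM_PM', 'MyQ', 'traefik'
$allowed  = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'NT SERVICE\MyQ'
    'NT SERVICE\Apache'
    'NT SERVICE\FirebirdServerDefaultInstance'
    'NT SERVICE\traefik'
)
$findings = @()

# 1. Each service needs an unrestricted service SID, or its NT SERVICE\ ACE never matches.
#    Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
foreach ($svc in $services) {
    $out = (& sc.exe qsidtype $svc) -join "`n"
    if ($out -notmatch 'SERVICE_SID_TYPE:\s+UNRESTRICTED') {
        $findings += "Service '$svc': SID type is not UNRESTRICTED"
    }
}

# 2. The folder must not inherit ACEs from %ProgramData% (effect of /inheritance:r).
$acl = Get-Acl -LiteralPath $Path
if (-not $acl.AreAccessRulesProtected) {
    $findings += "'$Path': inheritance from the parent folder is still enabled"
}

# 3. Flag Allow ACEs for any principal outside the allow-list, on the folder and
#    on children (which may carry explicit ACEs or have inheritance disabled).
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
foreach ($item in $items) {
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            $findings += "'$($item.FullName)': $($_.IdentityReference) has $($_.FileSystemRights)"
        }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: $Path is restricted to the expected principals"
```

Run it from an elevated PowerShell session; a non-zero exit code means at least one finding was reported.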
Enable database encryption
Always encrypt the database using a custom certificate to lower the risk of data leaks:
The certificate needs to have the “Encrypting File System” Enhanced Key Usage (EKU) and it must be located in one of the following computer certificate stores:
Personal
Trusted Publishers
Third-Party Root Certification Authorities
Other people
The Personal store is the preferred one.
Encrypt backups
Database backups should be protected by secure, randomly generated passwords:
Enable disk encryption
If possible, a full disk encryption technology like Microsoft BitLocker should be enabled on the MyQ Print Server to protect the data at rest: