User account running Agent / MC
Storage folder and data access
Agent to Management Console communications
Agent to Agent communications
Login to Management Console
Other security tweaks and checks to be done
User account running Agent/Management Console
Windows
Create a dedicated user account to run the Agent/Management Console service. Do not run the service as the LOCAL SYSTEM user.
Note: Make sure you grant permissions to the installation and the storage folder to the user account running Resilio services.
Linux
Do not run the Agent as root unless you need to sync POSIX permissions. It is advisable to create a dedicated user account to run the Agent.
Note: A dedicated account is created automatically when installing the Agent from a package.
Storage folder and data access
- Limit to a minimum the number of users/groups that have access to the Agent's or Management Console's storage folder. Ideally, only the user account that runs the Agent or the Management Console service should have access permissions to the storage folder.
Note: The user account running the Agent must have enough permissions to operate on the data and permissions that the Agent synchronizes.
- Ensure that only the user account running the Management Console has write permission to the audit.log file.
- For extra protection of Agent service data on a Linux-based OS, ensure that your VM/hardware provides access to a TPM. The Agent on Windows uses the Data Protection API and the macOS Agent uses Keychain automatically. If a TPM is not available or the Agent runs in a Docker container, follow this article to set up the encryption key manually.
- Delete the sync-<version>-<UNXtimestamp>.backup folder in the Agent's storage folder, as it may contain non-encrypted data from a previous version.
- For extra protection of MC service data, follow this article to manually set up encryption. It is recommended to set the env var in the srvctrl start/stop script, as in this case it will be available only to the Management Console processes. It is also recommended to customize the env var name via the MC configuration file.
- After enabling sensitive data encryption, delete Management Console backups as they may contain non-encrypted data.
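One way to check the storage-folder rules above on a Linux host, as an added example rather than Resilio's own tooling: it walks the storage folder and reports entries not owned by the service account or accessible to group/other, flags an audit.log that anyone but its owner can write, and flags a leftover sync-*.backup folder. The layout and file names in build_sample_storage() are constructed for the demonstration and are not real Agent data.

```python
import fnmatch
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional


def audit_storage_folder(storage: str, service_uid: Optional[int] = None) -> List[str]:
    """Return one finding per entry that breaks 'only the service account has access',
    plus any pre-upgrade backup folder that should have been deleted. Linux-only (POSIX modes)."""
    if service_uid is None:
        service_uid = os.getuid()  # assume the auditor runs as the service account
    root = Path(storage)
    findings: List[str] = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        mode = stat.S_IMODE(st.st_mode)
        rel = path.relative_to(root).as_posix()  # "." for the storage folder itself
        if st.st_uid != service_uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {service_uid}")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{rel}: group/other permission bits set ({mode:04o})")
        if path.name == "audit.log" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel}: audit.log is writable by more than its owner")
        if path.is_dir() and fnmatch.fnmatch(path.name, "sync-*.backup"):
            findings.append(f"{rel}: leftover backup folder may hold non-encrypted data; delete it")
    return findings


def build_sample_storage() -> str:
    """Constructed sample storage folder (not real Resilio data) to try the audit on."""
    root = Path(tempfile.mkdtemp(prefix="resilio-audit-"))  # mkdtemp creates it 0700
    (root / "settings.dat").write_bytes(b"constructed")
    os.chmod(root / "settings.dat", 0o600)                  # correct: owner only
    (root / "audit.log").write_text("constructed audit line\n")
    os.chmod(root / "audit.log", 0o664)                     # too wide: group can write
    backup = root / "sync-2.12-1700000000.backup"           # hypothetical leftover folder
    backup.mkdir()
    os.chmod(backup, 0o700)
    return str(root)


if __name__ == "__main__":
    for finding in audit_storage_folder(build_sample_storage()):
        print(finding)
```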
Agent to Management Console communication
- Set the Management Console TLS cipher to ECDHE-ECDSA-AES256-GCM-SHA384.
- Ensure the Identify agent by name setting is disabled in Management Console advanced settings.
- Connect agents using an agent configuration file with a defined certificate fingerprint; do not connect agents using the simplified IP:PORT method.
- Once all agents are connected, delete the bootstrap token from the MC.
- Apply your custom certificate to the Agent connection (port 8444 by default).
Agent to Agent communication
- Set agent TLS ciphers to DHE-PSK-AES256-GCM-SHA384.
- Ensure the Encrypt on LAN setting in all Agents profiles is enabled.
- Set the Token rotation policy of all job profiles to enforced.
- Ensure that ATA tokens rotate at least every hour (Advanced settings > Key token lifetime) with an overlap of no more than 30 minutes (Advanced settings > Key token overlap).
Login to Management Console
- Apply a custom certificate to the Management Console web UI connection (default port 8443).
- Configure a Management Console password policy that matches your organization's requirements.
- If you are using Azure AD authentication and do not require local users, disable local user login.
- If you are using local Management Console accounts, enable 2FA for all users.
Other security tweaks and checks to be done
- If you are using the Console API, use separate API tokens for different use cases and users. Don't allow several users to share the same token, and don't use the same token for, for example, testing and production purposes.
- Disable Agent and Console debug logging.
- Disable core dumps/process dumps in your operating system (exact instructions depend on OS type and version).
- If you're running the Management Console on a dedicated system that doesn't participate in any Jobs, don't enable the integrated Agent during the installation.
- For data distribution workloads, consider enabling the Data Managers Console to limit the number of users allowed to access the Management Console.