Is MetaDefender Managed File Transfer compatible with a Windows Server 2022 system that has been hardened according to CIS Level 2 Benchmarks?
Yes, MetaDefender Managed File Transfer (MFT) has been tested by OPSWAT on the AWS-provided Windows Server 2022 CIS Level 2 hardened image. During functional testing, no issues were encountered, and MFT operated as expected.
Important Considerations
While testing was successful, it is important to note that:
- Custom policy modifications made beyond the standard CIS Level 2 hardening may affect MFT's behavior.
- Variations in security settings, network configurations, or additional system hardening could introduce compatibility issues depending on your specific environment.
Recommendation
To ensure optimal performance and compatibility, we recommend performing validation testing with your hardened Windows Server 2022 system before deploying MFT to production.
This will help confirm that all MFT functions operate correctly within your customized security environment.
If you require support during your PoC or have questions regarding MFT compatibility with hardened systems, please log a support case or chat with our support engineer.
Considerations for MS SQL 2022
1) Executive Summary
Running MetaDefender Managed File Transfer (MFT) on hardened Windows Server 2022 with SQL Server 2022 at CIS Level 2 is feasible with a small number of documented exceptions and compensating controls. The most notable area is:
- MFT Install / Upgrade needs to run as administrator: due to installation and upgrade process constraints, these processes need local administrator rights.
2) Scope, Versions & Assumptions
- OS: Microsoft Windows Server 2022 (member server) — CIS Benchmark v3.0.0, Level 2 profile.
- DB: Microsoft SQL Server 2022 — CIS Benchmark v1.2.0, Level 2 (Database Engine).
- App: OPSWAT MetaDefender Managed File Transfer (MFT). Defaults: web service port 8010 if free; supports Windows Authentication to SQL Server; Windows service user is local administrator.
3) Install & Hardening Runbook (order of operations)
1. Harden the OS first (CIS L2): apply the WS2022 GPO baselines, with the pre‑approved exceptions in §4.1.
2. Choose and reserve ports in advance:
- SQL Server static non‑default TCP port (e.g., 14xxx); avoid dynamic ports.
- MFT web port (default 8010 or a designated alternative).
- Create host firewall rules accordingly (program + port).
3. Configure SQL Server TLS before the app install (server certificate, Force Encryption = Yes).
4. Install MFT (as local/domain admin), then complete the least‑privilege post‑install steps in §5.
5. Finalize SQL hardening (enable TDE, hide the instance, error log retention, etc.).
4) Exceptions to CIS & Compensating Controls
4.1 Windows Server 2022 (Member Server)
Finding A: The MFT service user needs Administrator rights for install / upgrade. Compensation: Follow the guidelines in §5 to drop to the least-privilege baseline after installation is complete.
4.2 SQL Server 2022
- 2.11: Use static non‑default port; configure pre‑install.
- 3.1: SQL Auth preferred with vaulting and strong password, Windows Auth possible.
- 4.1/4.2: Password expiration may be exempted for service accounts with compensating controls.
- 5.1: Set error log file limit (≥12) to avoid running out of allocated space.
5) MFT on Windows Auth — Least Privilege Steps
- Create a domain standard user in AD; map to SQL login.
- Install MFT as admin; post‑install, run the service as the standard user, granting that account the "Log on as a service" right.
- SQL permission: dbcreator
- Configure port reservations if needed.
- Grant permission to the service user on MFT folders only.
- Firewall: program‑scoped inbound rules for MFT executable; restrict to chosen ports and subnets.
6) Authentication Choices
- Windows Auth: CIS‑preferred; no DB secrets; requires SPN care.
- SQL Auth: Use long, random password (30–64 chars), vault storage, rotation plan.
7) Network & Porting Plan
- SQL Server: Static TCP port (non‑1433), Hide Instance = Yes; allow inbound only from MFT host.
- MFT Web: Default 8010; restrict inbound to reverse proxy/user subnets; enforce TLS.
- Firewall: Program + port rules; remote IP scoping; enable logging.
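The post-install least-privilege steps in §5 and the port plan in §7, as an added PowerShell example (not an OPSWAT script). The MFT executable path, service name, data folders, AD account, SQL host and the concrete 14xxx port are placeholders, not values from this article; the SQL Server firewall rule is meant to be run on the SQL host.

```powershell
# Added example, not OPSWAT's own tooling. All paths, names and the SQL
# port below are placeholders/constructed values; only 8010 is from the article.
$ServiceUser = 'CORP\svc-mft'                              # standard AD user (§5)
$MftExe      = 'C:\Program Files\OPSWAT\MFT\MFT.exe'       # placeholder path
$MftService  = 'MetaDefenderMFT'                           # placeholder service name
$MftFolders  = @('C:\Program Files\OPSWAT\MFT', 'D:\MFTData')  # placeholder folders
$MftPort     = 8010                                        # MFT default web port
$SqlHost     = 'SQL01'                                     # placeholder SQL host
$SqlPort     = 14433                                       # constructed static 14xxx port
$ProxySubnet = '10.10.20.0/24'                             # constructed reverse-proxy subnet
$MftHostIp   = '10.10.30.15'                               # constructed MFT host address

# 1. Map the domain account to a SQL login and grant only dbcreator (§5).
#    Invoke-Sqlcmd comes from the SqlServer module; run it as a SQL admin.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceUser')
    CREATE LOGIN [$ServiceUser] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator] ADD MEMBER [$ServiceUser];
"@
Invoke-Sqlcmd -ServerInstance "$SqlHost,$SqlPort" -Query $tsql

# 2. Switch the MFT service from local admin to the standard user.
#    The "Log on as a service" right itself is assigned via GPO / Local
#    Security Policy; there is no built-in cmdlet, so it is not scripted here.
$cred = Get-Credential -UserName $ServiceUser -Message 'MFT service account'
$svc  = Get-CimInstance Win32_Service -Filter "Name='$MftService'"
Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
} | Out-Null

# 3. Grant Modify on the MFT folders only (inherited to files/subfolders).
foreach ($folder in $MftFolders) {
    icacls $folder /grant "${ServiceUser}:(OI)(CI)M" /T | Out-Null
}

# 4. Program-scoped inbound rule for the MFT web port, limited to the
#    reverse proxy / user subnet (§7); enable firewall logging.
New-NetFirewallRule -DisplayName 'MFT Web 8010 (program+port)' -Direction Inbound `
    -Action Allow -Program $MftExe -Protocol TCP -LocalPort $MftPort `
    -RemoteAddress $ProxySubnet -Profile Domain | Out-Null
Set-NetFirewallProfile -Profile Domain -LogAllowed True -LogBlocked True

# 5. On the SQL host: allow the static SQL port only from the MFT host.
New-NetFirewallRule -DisplayName "SQL Server $SqlPort from MFT" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort $SqlPort -RemoteAddress $MftHostIp `
    -Profile Domain | Out-Null
```

After running, restart the MFT service and confirm it starts under the standard account and can still create its database before moving on to the final SQL hardening steps.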
8) Notes
WS2022:
- 9.3.4: During testing, this was relaxed to allow use of local configuration for firewall rules.
- 9.3.5: During testing, this was relaxed to allow use of local configuration for firewall rules.
SQL Server 2022:
- 4.1/4.2: see §5 if using a domain account
- 5.1: Set a log file limit rather than leaving it unlimited.