The default configuration of MyWorkDrive, Windows Server, and your firewall is designed to get the MyWorkDrive server up and running with minimum effort. However, settings should be adjusted to improve security before deploying to production.
This is a specific list of recommendations regarding security settings in MyWorkDrive. A more general discussion of MyWorkDrive security architecture can be found in our Security Overview.
Many of the recommendations made are covered in further detail in our Server Setup Guide and at the links provided below.
General Security Settings
- Use Antivirus on your file shares; set exclusions for the MyWorkDrive server as noted in our Antivirus Settings for MyWorkDrive article.
- Adjust Windows Security settings as recommended in our Steps to Lockdown IIS for Compliance and Security article.
- Adjust Firewall and network security, permitting the appropriate ports, addresses, and services as outlined in our Firewall Settings for MyWorkDrive article.
- NTFS permissions should follow the principle of least privilege. Recommended settings for file shares are available in our Windows File Sharing article.
MyWorkDrive Server Settings
- Either enable the Cloud Web Connector, or set up an SSL certificate and require SSL for login. As of version 5.4.1, the Cloud Web Connector uses Cloudflare, which includes a number of security benefits as outlined in our Cloudflare Integration article.
- Disable any clients you are not using. If you do not intend to support one of the three available clients (web client, mapped drive client, or mobile client), disable it in Settings.
- When enabling the mapped drive and mobile clients, set a minimum client version. If you are installing a new MyWorkDrive instance, set the minimum version of the clients to match the installed server version. If you are updating the MyWorkDrive server, update the clients as appropriate to take advantage of security updates and performance improvements.
- Set up a Block or Allow list of file types for the mapped drive client.
- Disable WebDAV, unless you are using a device or service that requires it. MyWorkDrive does not require WebDAV to be enabled (this setting allows MyWorkDrive to act as a WebDAV server to permit connections by legacy devices). Note that WebDAV is not available when using Entra ID for the user directory.
- Disable OneDrive and Outlook sharing if you do not intend to support them.
- Adjust Session Timeouts at the bottom of the Settings page to be appropriate for your organization. The time listed is in minutes.
MyWorkDrive Enterprise Settings
- Enable SSO if using Active Directory for your user directory. We support most SSO providers via SAML through manual configuration, and have included easy setup wizards for ADFS, AzureAD, OneLogin, Okta, and Shibboleth. Note that SAML SSO is only available when using Active Directory. When using Entra ID for the user directory, a native Microsoft Login is used.
- Enable MFA if not included with your SSO. We have included Duo for users who do not have MFA through their SSO. Duo is only available with Active Directory mode.
- Enable Data Leak Prevention and apply it to shares where users should not be permitted to download files.
Alerts/Logs
Either set up the alerts feature to notify you by email of unusual activity by users/clients accessing shares, or set up log aggregation software to capture the logs and provide monitoring/processing. Logins and User Activities are stored in C:\Wanpath\WanPath.Data\Logs\AdminDashboard\