Account Security Best Practices

Security is a shared responsibility between Server Scout and our users. While we implement robust security measures including TLS encryption, encryption at rest, and SHA-256 agent integrity verification, there are important steps you can take to protect your account and monitoring data.

Use Strong, Unique Passwords

Your password is the first line of defence for your account. Always use a password manager to generate and store complex passwords for your Server Scout account. Password managers create long, random passwords that are virtually impossible to guess or crack.

Never reuse passwords from other services. If one service is compromised, attackers often try the same credentials on other platforms. Each account should have its own unique password.

Enable Two-Factor Authentication (2FA)

Two-factor authentication adds a critical second layer of security to your account. Even if someone obtains your password, they cannot access your account without the second factor.

Enable 2FA for all accounts. It is especially important for admin accounts, which can manage users and settings. You'll find the 2FA settings in your account preferences on the dashboard.

Create Individual Accounts for Team Members

Never share login credentials amongst team members. Instead, create a separate account for each person who needs access to your monitoring data.

Individual accounts provide several benefits:

  • Accountability: The audit log shows exactly who performed each action
  • Access control: You can assign appropriate roles (admin or user) to each person
  • Security: If one account is compromised, others remain secure
  • Convenience: Team members can customise their own dashboard preferences

Review User Access Regularly

Make it a habit to periodically check the Users page in your dashboard. Ensure only current team members have active accounts, and verify that their access levels are appropriate for their roles.

Suspend or delete accounts promptly when staff members leave your organisation. Dormant accounts with valid credentials are a common security risk.

Protect Your API Keys

Server API keys should be treated like passwords. They provide direct access to your server's monitoring data and configuration.

Follow these guidelines for API key security:

  • Never commit API keys to version control systems
  • Don't share them in chat messages, emails, or collaboration tools
  • Avoid storing them in plain text files
  • Use environment variables or secure configuration management tools instead
  • Restrict file permissions when API keys must be stored locally
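The last two guidelines can be enforced in code on a POSIX server. This is an added example, not Server Scout code: the environment variable name and the key file path are hypothetical, and the loader refuses a key file that other users could read.

```python
import os
import stat

ENV_VAR = "SERVER_SCOUT_API_KEY"  # hypothetical name, not taken from Server Scout docs


class InsecureKeyFile(Exception):
    """Raised when a local key file is readable or writable by other users."""


def check_key_file(path):
    """Return a list of problems with a local key file; empty means acceptable."""
    st = os.lstat(path)  # lstat: do not follow a symlink placed at this path
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.geteuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set: %o" % stat.S_IMODE(st.st_mode))
    return problems


def load_api_key(path=None, environ=os.environ):
    """Prefer the environment; fall back to a file only if it is private."""
    key = environ.get(ENV_VAR, "").strip()
    if key:
        return key
    if path is None:
        raise KeyError(f"{ENV_VAR} is not set and no key file was given")
    problems = check_key_file(path)
    if problems:
        raise InsecureKeyFile(f"{path}: " + "; ".join(problems))
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def write_key_file(path, key):
    """Create the file with mode 0600 from the start, so it is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")
```
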

Rotate API Keys After Staff Changes

If a team member with access to API keys leaves your organisation, rotate the keys on affected servers immediately. This prevents any potential unauthorised access using old credentials.

You can generate new API keys from the dashboard and update them on your servers using the agent installation script.

Monitor Login Activity

Regularly review the audit log in your dashboard for any unexpected activity. Look for:

  • Login attempts from unfamiliar IP addresses
  • Logins at unusual times
  • Actions you don't recognise
  • Failed authentication attempts

The audit log provides a complete history of account activity and is an essential tool for detecting potential security issues.
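The four signals above can be checked mechanically once audit entries are in a machine-readable form. This is an added example, not Server Scout code: the CSV columns, sample rows, known IP list, working hours and failure threshold are all constructed assumptions, since this page does not describe an export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows; the column layout is an assumption, not a Server Scout format.
SAMPLE = """timestamp,user,ip,action,result
2024-05-06T09:12:00,alice,203.0.113.10,login,success
2024-05-06T09:30:00,alice,203.0.113.10,update_alert,success
2024-05-07T02:41:00,bob,198.51.100.7,login,failure
2024-05-07T02:41:20,bob,198.51.100.7,login,failure
2024-05-07T02:41:45,bob,198.51.100.7,login,failure
2024-05-07T02:43:00,bob,198.51.100.7,login,success
2024-05-07T02:44:00,bob,198.51.100.7,delete_user,success
2024-05-07T10:05:00,carol,203.0.113.10,login,success
"""

KNOWN_IPS = {"203.0.113.10"}   # assumed office/VPN egress addresses
WORK_HOURS = range(8, 19)      # 08:00-18:59 local time, assumed
FAILURE_THRESHOLD = 3          # failed logins per user and IP before flagging


def review(rows, known_ips=KNOWN_IPS, work_hours=WORK_HOURS,
           threshold=FAILURE_THRESHOLD):
    """Return (timestamp, user, reason) findings for the four signals listed above."""
    findings = []
    failures = Counter()
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        who, ip = row["user"], row["ip"]
        if row["action"] == "login" and row["result"] == "failure":
            failures[(who, ip)] += 1
            if failures[(who, ip)] == threshold:  # flag once, when the threshold is reached
                findings.append((row["timestamp"], who, f"{threshold} failed logins from {ip}"))
        elif row["action"] == "login":
            if ip not in known_ips:
                findings.append((row["timestamp"], who, f"login from unfamiliar IP {ip}"))
            if ts.hour not in work_hours:
                findings.append((row["timestamp"], who, "login outside working hours"))
        elif ip not in known_ips or ts.hour not in work_hours:
            # Non-login actions from an unfamiliar context are the ones to confirm with the user.
            findings.append((row["timestamp"], who, f"review action {row['action']}"))
    return findings


def review_csv(text):
    """Parse CSV text with the assumed columns and run the review."""
    return review(csv.DictReader(io.StringIO(text)))
```
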

Consider Google Sign-In

If your organisation uses Google Workspace, consider using Google Sign-In for Server Scout access. This leverages your existing Google security policies, including any multi-factor authentication requirements you've configured there.

Google Sign-In also simplifies user management, as you can control Server Scout access through your Google Workspace admin console.

Log Out on Shared Devices

Always log out of the Server Scout dashboard when using shared or public computers. Simply closing the browser isn't enough—use the proper logout function to ensure your session is terminated.

If you forget to log out, sessions will eventually expire automatically, but it's always better to log out explicitly.

Support and Security Concerns

If you notice any suspicious activity on your account or have security concerns, please create a support ticket immediately. Our AI support bot responds within approximately 1 minute and can escalate urgent security matters to our human support team during business hours (Monday to Friday, Irish timezone).

Remember: taking these proactive security steps helps protect not just your monitoring data, but your entire server infrastructure.

Frequently Asked Questions

How do I enable two-factor authentication in Server Scout?

Enable 2FA by accessing your account preferences on the Server Scout dashboard. Two-factor authentication adds a critical second layer of security, ensuring that even if someone obtains your password, they cannot access your account without the second factor. This is especially important for admin accounts that can manage users and settings.

Should I share login credentials with team members?

Never share login credentials among team members. Instead, create a separate account for each person who needs access. Individual accounts provide accountability through audit logs, proper access control with appropriate roles, and enhanced security if one account is compromised, and they allow team members to customise their own dashboard preferences.

How does Server Scout audit logging work?

The audit log in your dashboard provides a complete history of account activity. It shows who performed each action, login attempts from different IP addresses, actions taken by users, and failed authentication attempts. You can use this to monitor for unexpected activity and detect potential security issues.

What should I do when an employee with API key access leaves?

Rotate API keys on affected servers immediately when a team member with API key access leaves your organisation. Generate new API keys from the dashboard and update them on your servers using the agent installation script. This prevents any potential unauthorised access using old credentials.

How do I store API keys securely?

Treat API keys like passwords and never commit them to version control systems. Don't share them in chat messages, emails, or collaboration tools. Use environment variables or secure configuration management tools instead of storing them in plain text files, and restrict file permissions when keys must be stored locally.

Can I use Google Sign-In with Server Scout?

Yes, if your organisation uses Google Workspace, you can use Google Sign-In for Server Scout access. This leverages your existing Google security policies, including any multi-factor authentication requirements you've configured. It also simplifies user management through your Google Workspace admin console.

How often should I review user access in Server Scout?

Regularly check the Users page in your dashboard to ensure only current team members have active accounts and verify their access levels are appropriate. Suspend or delete accounts promptly when staff members leave your organisation, as dormant accounts with valid credentials are a common security risk.

What should I do if I notice suspicious account activity?

Create a support ticket immediately if you notice any suspicious activity or have security concerns. Server Scout's AI support bot responds within approximately 1 minute and can escalate urgent security matters to the human support team during business hours (Monday to Friday, Irish timezone).
