Deployment Security

This section outlines security considerations and requirements for deploying Antigen Plus in your environment. Proper deployment configuration is essential for maintaining the security posture of your installation.

Network Requirements and Firewall Configuration

Antigen Plus uses TCP/IP networking for several critical functions:

  • Software licensing
  • Commercial antibody testing panel data
  • Database access
  • Crash reporting

The amount of data transferred is quite small, so there are no specific latency or bandwidth requirements. Antigen Plus does not require any remote access to your workstations or servers.

Firewall Rules

The Antigen Plus client application requires outgoing firewall access to the following locations:

Destination                      Port  Protocol  Purpose
api.antigenplus.com              443   TCP/TLS   API calls and licensing
gateway.antigenplus.com          443   TCP/TLS   Panel data and updates
h5z57ttlmz.database.windows.net  1433  TCP/TLS   Cloud database access (if used)

Important: Because Microsoft Azure is a high-availability service, these domains have dynamic IP addresses that change over time. Your firewall rules must be DNS-based rather than IP-based, or you will lose access to the application when the IP addresses change.

All communication uses Transport Layer Security (TLS) to prevent server spoofing and third-party eavesdropping and to protect data in motion. No inbound connections are required.

For complete network planning information, see Networking in the Deployment Planning section.

Database Security Configuration

Antigen Plus supports both cloud-hosted databases (hosted by Antigen Plus in Microsoft Azure) and local databases hosted within your own network. The security considerations differ significantly between these deployment models.

Azure SQL Security Configuration

Cloud databases hosted by Antigen Plus provide several security advantages:

Transport Security:

Connections use TLS 1.2 or higher depending on the workstation’s operating system:

  • Windows 11 and Windows Server 2022 or later: TLS 1.3
  • Windows 10 and earlier supported versions: TLS 1.2

.NET Framework 4.7+ automatically negotiates the highest TLS version supported by both the workstation’s operating system and the Azure SQL Database server.

  • The connection endpoint (h5z57ttlmz.database.windows.net) must be accessible via TCP port 1433
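To verify the outbound firewall rules above from a client workstation and see which TLS version the workstation actually negotiates, the following added check (example code, not part of Antigen Plus) can be run after the rules are in place. It assumes Windows PowerShell 5.1 or later and probes TLS only on the 443 endpoints, since Azure SQL negotiates TLS inside the TDS protocol rather than on the raw socket.

```powershell
# Added example (not Antigen Plus code): checks each endpoint from the firewall
# table, records the addresses the name resolves to today, and reports the TLS
# version negotiated by the workstation's OS defaults (1.2, or 1.3 where supported).
$endpoints = @(
    @{ Host = 'api.antigenplus.com';             Port = 443;  TlsProbe = $true  },
    @{ Host = 'gateway.antigenplus.com';         Port = 443;  TlsProbe = $true  },
    # Azure SQL negotiates TLS inside the TDS protocol, so a raw TLS handshake on
    # 1433 is not meaningful: check TCP reachability only and confirm encryption
    # with a real database connection from the application.
    @{ Host = 'h5z57ttlmz.database.windows.net'; Port = 1433; TlsProbe = $false }
)

function Test-OutboundEndpoint {
    param([string]$HostName, [int]$Port, [bool]$TlsProbe)
    $r = [ordered]@{ Host = $HostName; Port = $Port; ResolvesTo = ''; TcpOpen = $false; Tls = 'n/a'; Error = '' }
    $client = $null
    try {
        # Record today's addresses: they change over time, so firewall rules must be DNS-based.
        $r.ResolvesTo = ([System.Net.Dns]::GetHostAddresses($HostName).IPAddressToString) -join ', '
        $client = New-Object System.Net.Sockets.TcpClient
        if (-not $client.ConnectAsync($HostName, $Port).Wait(5000)) { throw 'TCP connect timed out' }
        $r.TcpOpen = $true
        if ($TlsProbe) {
            # SslStream validates the server certificate chain against the host name, so a
            # spoofed or intercepted endpoint fails here instead of being silently accepted.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName)   # OS defaults: TLS 1.2, or 1.3 where the OS supports it
            $r.Tls = $ssl.SslProtocol.ToString()
            $ssl.Dispose()
        }
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$r
}

$results = foreach ($e in $endpoints) { Test-OutboundEndpoint -HostName $e.Host -Port $e.Port -TlsProbe $e.TlsProbe }
$results | Format-Table -AutoSize

# Fail the check if anything is unreachable, errored, or negotiated below TLS 1.2.
$bad = $results | Where-Object { -not $_.TcpOpen -or $_.Error -or $_.Tls -in @('Ssl2', 'Ssl3', 'Tls', 'Tls11') }
if ($bad) { Write-Error "Endpoint checks failed: $($bad.Host -join ', ')"; exit 1 }
```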

Data at Rest:

  • All Azure-hosted databases have Transparent Data Encryption (TDE) enabled
  • TDE protects the database, associated backups, and transaction log files
  • Encryption is managed automatically by Microsoft Azure

Application-Level Encryption:

  • All patient health information (PHI) is encrypted with AES-256 before leaving the workstation
  • This encryption is in addition to TLS and TDE
  • The AES-256 encryption key is generated randomly for each database
  • The key is itself encrypted with your RSA-2048 private company key
  • Only workstations possessing your company key can decrypt PHI
  • Each patient record is salted with a unique random number to thwart brute-force attacks

Access Control:

  • Authentication uses your RSA-2048 company key
  • The private key never leaves your network
  • Antigen Plus staff cannot access PHI in your database
  • Microsoft Azure manages availability, security updates, and patching

Backup and Recovery:

  • Point-in-time restoration available for the previous 7 days by default
  • Extended retention (up to 35 days) available for additional fee
  • Long-term backups (weekly, monthly, yearly) available for additional fee

For information about configuring cloud databases, see Databases in the Deployment Planning section.

On-Premise SQL Server Hardening

If you choose to host databases locally, you are responsible for security hardening and maintenance. Follow these security best practices:

SQL Server Version:

  • Use SQL Server 2008 or later (any edition supported)
  • Keep SQL Server updated with the latest security patches
  • Follow Microsoft’s SQL Server security best practices

Access Control:

  • When initializing or upgrading an on-premises database, make sure that the user launching Antigen Plus has db_owner access to the Antigen Plus database
  • Everyday users should have db_datareader and db_datawriter access to the Antigen Plus database
  • Create an Active Directory group for Antigen Plus users
  • Create a SQL Server login based on this AD group with db_owner access
  • Use Windows Authentication rather than SQL Server Authentication when possible
  • Limit SQL Server sysadmin privileges to database administrators only

Network Security:

  • Configure SQL Server to use TLS encryption for all connections
  • Consider using TLS 1.2 or higher exclusively
  • Restrict network access to the SQL Server to only necessary workstations
  • Use firewall rules to limit access to the SQL Server port (typically 1433)

Data at Rest:

  • Consider enabling Transparent Data Encryption (TDE) if your SQL Server edition supports it
  • Use Windows BitLocker or equivalent for disk encryption
  • Store database files on encrypted volumes

Backup Security:

  • Regular backups are the customer’s responsibility for local databases
  • Encrypt backup files
  • Store backups in a secure location with appropriate access controls
  • Test restoration procedures regularly
  • Maintain backup retention policies consistent with your organization’s requirements

Audit and Monitoring:

  • Enable SQL Server audit logging
  • Monitor for failed login attempts
  • Review access logs regularly
  • Implement alerting for suspicious activity
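The Access Control and Audit and Monitoring items above can be applied in one script. This added example (not Antigen Plus code) runs T-SQL through Invoke-Sqlcmd from the SqlServer module and assumes placeholder names: instance SQL01, database AntigenPlus, and two AD groups, CORP\AntigenPlusUsers for everyday users and CORP\AntigenPlusAdmins for the account that initializes or upgrades the database, so that db_owner is not granted to every user.

```powershell
# Added example (not Antigen Plus code). Placeholders: instance, database and AD
# group names below. Run once as a SQL Server sysadmin; the SqlServer module
# (Install-Module SqlServer) encrypts the connection by default in version 22+.
$Instance   = 'SQL01'
$Database   = 'AntigenPlus'
$UserGroup  = 'CORP\AntigenPlusUsers'
$AdminGroup = 'CORP\AntigenPlusAdmins'

$sql = @"
-- Windows Authentication: logins map to AD groups, so no SQL passwords to manage.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$UserGroup')
    CREATE LOGIN [$UserGroup] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$AdminGroup')
    CREATE LOGIN [$AdminGroup] FROM WINDOWS;

USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$UserGroup')
    CREATE USER [$UserGroup] FOR LOGIN [$UserGroup];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$AdminGroup')
    CREATE USER [$AdminGroup] FOR LOGIN [$AdminGroup];

-- Everyday users: read/write data only. Admin group: db_owner for initialization
-- and upgrades. (ALTER ROLE needs SQL Server 2012+; use sp_addrolemember on 2008.)
ALTER ROLE db_datareader ADD MEMBER [$UserGroup];
ALTER ROLE db_datawriter ADD MEMBER [$UserGroup];
ALTER ROLE db_owner      ADD MEMBER [$AdminGroup];

-- Server-level audit of failed logins and server role changes, written to the
-- Windows Application log for collection by your monitoring tools.
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'AntigenPlusAudit')
BEGIN
    CREATE SERVER AUDIT [AntigenPlusAudit] TO APPLICATION_LOG WITH (ON_FAILURE = CONTINUE);
    CREATE SERVER AUDIT SPECIFICATION [AntigenPlusLogins]
        FOR SERVER AUDIT [AntigenPlusAudit]
        ADD (FAILED_LOGIN_GROUP), ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
        WITH (STATE = ON);
    ALTER SERVER AUDIT [AntigenPlusAudit] WITH (STATE = ON);
END
"@

Invoke-Sqlcmd -ServerInstance $Instance -Query $sql -ErrorAction Stop
```

Forcing TLS for all connections is a server-level setting (Force Encryption in SQL Server Configuration Manager) and is not covered by this script.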

For detailed information about local database configuration, see Databases and Configuring Databases in the Installation and Configuration section.

Windows Security Baseline

Antigen Plus is designed to operate within standard Windows security environments without requiring special exceptions or elevated privileges for normal operation.

Operating System Requirements

Supported Versions:

  • Windows 7 SP1 or later
  • Windows Server operating systems are supported for database servers

Required Components:

  • .NET Framework 4.7.2 or later
  • 40 MB of disk space for installation

System requirements for the .NET Framework are documented on Microsoft’s website.

Security Software Compatibility

Antigen Plus places no restrictions on:

  • Windows security patching and updates
  • Antivirus software
  • System management applications
  • Endpoint detection and response (EDR) tools
  • Application whitelisting solutions

Organizations should maintain their standard Windows security baseline when deploying Antigen Plus. The application is designed to work within locked-down environments.

User Privileges

Client Workstation:

  • Standard user privileges are sufficient for normal operation
  • Administrative privileges may be required during initial installation
  • The application stores user-specific preferences (such as window locations) in per-user locations; it does not store core configuration in user accounts

Cryptographic Key Storage:

  • The RSA-2048 company key pair is stored in the Windows system cryptographic store
  • The .APCompanyKey file is also saved during registration and should be backed up securely
  • The private company key never leaves your network

Security Recommendations

  1. Keep Windows Updated: Apply security patches regularly using Windows Update or your organization’s patch management system

  2. Use Antivirus Software: Deploy standard antivirus/anti-malware solutions on all workstations

  3. Application Whitelisting: If using application whitelisting (e.g., Windows Defender Application Control), add Antigen Plus to your approved application list

  4. User Account Control (UAC): Maintain standard UAC settings; Antigen Plus does not require UAC to be disabled

  5. Disk Encryption: Use BitLocker or equivalent full-disk encryption on workstations and database servers

  6. Secure Boot: Enable Secure Boot on UEFI-capable systems

  7. Network Isolation: Consider deploying Antigen Plus workstations on a dedicated VLAN with appropriate network segmentation

For complete system requirements, see System Requirements in the Deployment Planning section.
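The baseline items above that can be checked locally (.NET Framework 4.7.2 or later, UAC left enabled, BitLocker on the system drive, Secure Boot) can be verified on a workstation with this added script (example code, not part of Antigen Plus). It assumes Windows PowerShell 5.1 run from an elevated prompt, which the BitLocker and Secure Boot queries require.

```powershell
# Added example (not Antigen Plus code): reports pass/fail for the workstation
# baseline items that can be read from the local machine. Run elevated.
function Get-DotNetRelease {
    # Release value 461808 is the minimum that identifies .NET Framework 4.7.2.
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
}
function Test-UacEnabled {
    # EnableLUA = 1 means UAC is on; Antigen Plus does not need it disabled.
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA -eq 1
}
function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as not enabled.
    try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }
}
function Test-SystemDriveEncrypted {
    # ProtectionStatus 'On' means BitLocker is active; missing module or no elevation counts as a fail.
    try { (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus -eq 'On' }
    catch { $false }
}

$checks = @(
    [pscustomobject]@{ Check = '.NET Framework 4.7.2 or later';        Pass = ((Get-DotNetRelease) -ge 461808) }
    [pscustomobject]@{ Check = 'UAC enabled (EnableLUA = 1)';          Pass = (Test-UacEnabled) }
    [pscustomobject]@{ Check = 'Secure Boot enabled';                  Pass = (Test-SecureBoot) }
    [pscustomobject]@{ Check = 'System drive BitLocker protection on'; Pass = (Test-SystemDriveEncrypted) }
)
$checks | Format-Table -AutoSize

# Non-zero exit lets a deployment pipeline or SCCM/Intune task flag the workstation.
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```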

Deployment Architecture Considerations

Trust Boundaries

Understanding trust boundaries is critical for secure deployment. For a full explanation of Antigen Plus trust boundaries—including graphical data flow diagrams and details of each security zone—see the Security Architecture section in this cybersecurity guide.

The Security Architecture section provides comprehensive information on:

  • User Workstation Zone
  • Application Zone
  • Database Zone (local SQL Server or Azure SQL)
  • External Data Zone
  • Internet connectivity and security boundaries

Refer to the diagrams and descriptions in the Security Architecture for authoritative guidance on data flows and trust boundaries in all supported deployment models.

Shared Responsibility Model

Antigen Plus Responsibilities:

  • Security of cloud infrastructure
  • TLS configuration for cloud services
  • Azure SQL Server management (for cloud databases)
  • Application security updates
  • PHI encryption at the application level

Customer Responsibilities:

  • Network security and firewall configuration
  • Workstation security and patching
  • Local SQL Server security (if used)
  • Access control and user management
  • Physical security of workstations and servers
  • Backup procedures for local databases
  • Secure storage of the company RSA key

Security Checklist for Deployment

Use this checklist when deploying Antigen Plus:

  • Firewall rules configured for required outbound connections
  • DNS-based (not IP-based) firewall rules for Azure services
  • TLS connectivity verified to all cloud endpoints
  • Database server selected (cloud or local)
  • If cloud: Cloud database provisioned through registration
  • If local: SQL Server hardened according to best practices
  • If local: TLS encryption enabled on SQL Server
  • If local: Backup procedures implemented and tested
  • Windows security baseline maintained (patching, antivirus, etc.)
  • User access controls configured appropriately
  • Company RSA key backed up securely
  • Network segmentation implemented as appropriate
  • Disk encryption enabled on workstations and servers

For information about ongoing security monitoring and incident response procedures, see Section 6: Monitoring and Incident Response in this cybersecurity guide.