Service and Application Layer

The Service and Application Layer focuses on securing the software components and runtime environment of BioStar X.

Apply principle of least privilege to services

Run BioStar X services under dedicated service accounts instead of Local System or Administrator.
Grant only the minimal rights required (logon as a service, read/write specific directories).
Use separate accounts for each BioStar X service component where possible.

Create a dedicated local user account for BioStar X services.
Open Services.msc → Right-click the BioStar X service → Properties → Log On tab.
Assign the dedicated account.
Apply file system ACLs so the account can only access necessary directories.
Deny interactive logon rights for these accounts.

Caution

Using shared accounts between multiple services makes it harder to audit breaches.

Restrict access to configuration files that contain secrets (e.g., database connection strings, API keys).
Use Windows Data Protection API (DPAPI) or Key Vault solutions if supported.
Store secrets separately from binaries; avoid hard-coding.

Restrict NTFS permissions so only the BioStar X service account has read access.
Deny access to standard users and interactive logins.
Back up the util/ directory securely before upgrades (offline storage recommended).

Caution

Loss or compromise of these files may result in data loss or unauthorized decryption.

Best Practice

Rotate stored secrets (DB passwords, API keys) periodically.

Keep BioStar X and its dependent runtime components (e.g., Visual C++ Redistributables) up to date.
Subscribe to vendor advisories for patches.
Document update procedures to avoid downtime.

Use Windows Defender Application Control (WDAC) or AppLocker to allow only trusted binaries.
Block execution from temporary directories (e.g., %TEMP%, %APPDATA%).