Endpoint & Detection
Field-tested hardening guide for the tax software CPA firms actually use — Lacerte, Drake, CCH Axcess, UltraTax, and ATX — covering account hygiene, MFA, server isolation, audit logging, and the e-file PIN problem.
Tax software runs the practice. It holds every client's SSN, EIN, bank routing data, full corporate financials, dependents, and prior-year returns. It is also one of the least-hardened categories of software in any small business vertical, because the people who install it are trained on workflow and deadlines — not on Windows server hardening, SQL Server defaults, or FTC Safeguards-grade audit logging.
This is a practitioner guide for the five platforms I see most often: Lacerte, Drake Tax, CCH Axcess, UltraTax CS, and ATX. The vendors document what the software does. They rarely document how to deploy it in a way the IRS, the FTC, or a cyber insurer would call reasonable. The defaults are not secure, and the defaults are what most firms are running.
Every tax software vendor publishes an installation guide. None publishes a security baseline that maps to the FTC Safeguards Rule at 16 CFR Part 314, IRS Publication 4557, or the WISP every paid preparer with a PTIN has been required to maintain since 2024. The installation guide tells you how to get returns flowing. It does not tell you to disable shared logins, rotate sa, audit portal integration tokens, deprovision seasonal contractors on April 16, or test your restores.
That gap is what threat actors walk through. A shared Reception account at the front desk. A TaxPrep1 login every contractor reuses. MFA on the SSO but a portal integration that bypasses it. An EFIN PIN in a Word document called "logins.docx." None of it requires a zero-day.
The most common finding on a CPA firm assessment is a shared Reception or FrontDesk account with broad tax software access. The second most common is a TaxPrep1 or Seasonal1 login the firm reuses across every seasonal contractor.
Both break the same things. The Safeguards Rule at 314.4(c)(1) requires access controls and least privilege; a shared login satisfies neither. The audit log becomes useless because every action is attributed to a generic identity. Offboarding becomes impossible because rotating the password means retraining everyone, so most firms skip it.
Every platform supports per-user accounts and role-based access. Lacerte and ProConnect have per-preparer accounts with role-based permissions. Drake Tax has per-user logins with security groups. CCH Axcess has a granular permission model that can scope to specific clients and return types. UltraTax CS supports per-user accounts through the Admin Console and ties to Onvio identities. ATX supports per-user logins with role-based templates.
One account per preparer, per staff member, per seasonal contractor. No shared logins. Access scoped to the clients each person works on. Do this before anything else — most controls below depend on it.
Every platform supports MFA. The mistake firms make is assuming MFA on the Microsoft 365 or Google Workspace SSO is sufficient because preparers log into the firm tenant first. It is not.
The failure mode that catches every firm: the SSO has MFA, but a vendor support path, a service account, or an integration token bypasses it. Tax ecosystems are full of these — portal integrations, e-signature, bank product partners, document management connectors. Inventory them.
Cloud-hosted tax software (ProConnect, Lacerte SaaS, CCH Axcess, UltraTax SaaS, Drake Cloud) shifts the server-hardening burden to the vendor. On-prem installs leave it with the firm.
In cloud, the dominant threat is account compromise and integration token theft. The control set is identity-layer: MFA, conditional access, managed identity threat detection on the Microsoft 365 or Google Workspace tenant.
In on-prem, the dominant threat is server compromise. The firm owns the Windows Server build, SQL Server hardening, backup, patching, and EDR. Most ransomware incidents I have seen in small CPA firms began with an on-prem tax server untouched since installation, running SQL Server with a default sa password reachable from the LAN.
If you run Lacerte network, Drake server, CCH Axcess on-prem, or ATX network, the tax server is a Windows machine holding the firm's most sensitive data.
sa password is weak or vendor-default. Rotate it, remove sa from interactive use, create named SQL accounts for maintenance, audit sysadmin membership monthly.Remote access is where small CPA firms get breached. The wrong patterns repeat: unattended TeamViewer or AnyDesk on a partner's home laptop with a static password and no MFA; port-forwarded RDP from the firm's public IP to a preparer's workstation on TCP 3389 "during tax season"; a shared MSP RMM agent on the tax server with no per-technician audit trail.
The right patterns are not exotic. Entra ID conditional access on every firm device — including the partner's home laptop — requiring compliance and MFA before any session touches the tax software. MFA on every remote session. Time-boxed, just-in-time access for the vendor's support team, granted when a case is open and revoked when it closes, with a written breach notification clause. No port-forwarded RDP from the internet.
If you only do one thing this quarter, remove the unattended TeamViewer and the port-forwarded RDP.
Every platform in this guide records who did what to which return at what time. Almost no small firm has ever opened the log.
Monthly review is the off-season minimum. During tax season — January through April 15, plus extensions through October 15 — the cadence should be weekly. Flag after-hours access, bulk return exports, deleted returns, preparer or status changes, and activity on returns assigned to a preparer who is out or has left. Thirty to sixty minutes a week from a designated admin. Cheapest control on the list; most consistently skipped.
Seasonal contractors are unique to tax practice and unique in their risk profile. The same contractor may work for two or three competing firms across a filing season. They are onboarded fast, given access to sensitive client data, and offboarded faster — or not offboarded at all.
Seasonal1 login every contractor reuses is a Safeguards Rule violation.Quarterly access reviews catch what the seasonal cycle misses, including former contractors who retained access months after their last return.
The firm-level EFIN, each preparer's PTIN, and the IRS-issued EFIN PIN authenticate to the IRS e-file system, not to the tax platform. Treat them as privileged identities.
The EFIN authorizes a firm to file. Treat it like the firm's most sensitive identity, because it is.
Every modern tax platform lives inside an ecosystem of integrations: SmartVault, SafeSend Returns, DocuSign, Adobe Sign, bank product partners, document management connectors like Doc.It or GoFileRoom, the Outlook plugin. Each authenticates with a token that bypasses front-door MFA.
Verify each integration's breach notification clause in its TOS or signed MSA. If a portal vendor breaches and the firm finds out from a news article, the FTC will not accept "we did not know" as a Safeguards Rule defense.
The traditional 3-2-1 rule does not survive a ransomware-active threat model. The version I deploy for CPA firms is 3-2-1-1-0: three copies, two media types, one offsite, one immutable, zero errors verified.
For cloud tax software, the firm still needs its own backup. The vendor SLA is not a backup, and the vendor's retention policy is not aligned with IRS or state CPA record retention obligations. Use a third-party SaaS backup for Microsoft 365 and any cloud tax data the vendor exposes for export, and verify recovery quarterly.
For on-prem tax servers, the immutable copy is the control that survives ransomware: S3 Object Lock, Backblaze B2 Object Lock, Wasabi compliance mode, or equivalent. Test the restore monthly off-season and weekly during the season — restore to a non-production machine, open the database, confirm a recent return opens correctly. Most firms have not tested a restore in over a year.
Preparers want to work from home, especially during the season's worst weeks. The friction between that expectation and the Safeguards Rule is real and unavoidable.
The compliant pattern is a managed configuration on the personal device — Intune App Protection Policies (MAM, not full MDM) on the firm's access path to the tax software. Encrypted container for firm data. Remote wipe scoped to firm data only, not the preparer's personal files.
The non-compliant pattern is the preparer emailing returns to a personal Gmail, or saving client data to a personal OneDrive or Dropbox. We find this during onboarding more often than not. It is the number one security awareness focus area for tax firms — quarterly training, with documented completion, that calls out the patterns staff actually try.
When we onboard a CPA firm, the typical sequence is straightforward:
None of this is exotic. All of it is the difference between a firm that recovers from an incident in a week and a firm that pays a ransom, notifies clients under state breach law, and explains itself to the IRS Office of Professional Responsibility.
If you run a CPA firm and are not sure where you stand against this list, book a briefing or review the accounting cybersecurity program. We will walk through your tax software configuration, audit logs, integration tokens, seasonal contractor process, and backup strategy, and tell you what to fix first.
Last updated
May 16, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Every action in a tax platform — opening a return, exporting a client list, changing a bank routing number on a refund deposit — is attributed to whoever is signed in. If a reception account or a generic TaxPrep1 login is shared across staff and seasonal contractors, the audit log cannot answer who touched a specific return the day a fraudulent refund was filed. The FTC Safeguards Rule at 16 CFR 314.4(c)(1) requires access controls and least privilege, and a shared login satisfies neither. Lacerte, Drake, CCH Axcess, UltraTax, and ATX all support per-user accounts. The work is enabling them and training staff to use them.
Yes. The SSO front door is one path in. The tax platform itself almost always has its own user accounts, service accounts, vendor support paths, and API tokens for portal and e-signature integrations that do not flow through Entra ID. We routinely find firms where every preparer has SSO with MFA, but an integration token for a portal vendor the firm stopped using two years ago still authenticates with full read access to the return store. Turn on MFA inside the tax software, and audit integration tokens separately.
Seasonal contractors are the highest-risk identity surface in a CPA firm. Provision on a fixed start date — typically late January or early February — with a unique per-contractor account, never shared. Background check and signed confidentiality agreement before access. Documented training before first login covering anti-phishing and IRS-impersonation themes. Deprovision the tax software account and the Microsoft 365 or Google Workspace account on the same day, no later than April 16 unless the contractor is documented as continuing on extensions. Put it on a calendar invite — drift is what gets firms breached.
Only with a managed configuration. Tax data on a preparer's personal laptop is a Safeguards Rule violation waiting to happen. The compliant pattern is Intune App Protection Policies — mobile application management, not full MDM — on the firm's tax-software access from personal devices, with an encrypted container and remote wipe scoped to firm data. The non-compliant pattern is the preparer emailing returns to a personal Gmail to work from there, which we still see in nearly every onboarding.
Treat the firm EFIN, each preparer's PTIN, and the EFIN PIN as privileged identities separate from tax software logins. Document a named owner. Rotate when staff with knowledge of the PIN depart. Never store the PIN unencrypted in a shared drive or email. Complete the IRS annual EFIN re-verification under Pub 3112. The EFIN PIN belongs in the firm's password manager, not in a spreadsheet on the server.
Monthly is the minimum during off-season. During tax season the cadence should be weekly. The events worth flagging are after-hours access, bulk return exports, deleted returns, preparer or status changes on a return, and any activity on returns assigned to a preparer who is on vacation or has left the firm. Lacerte, Drake, CCH Axcess, UltraTax, and ATX all record these events. Reviewing them takes a designated admin thirty to sixty minutes a week in season.
For most firms under twenty preparers, cloud-hosted tax software (ProConnect, Lacerte SaaS, CCH Axcess, UltraTax SaaS, Drake Cloud) is the more defensible choice because the vendor owns the server, the patching, and the underlying infrastructure. The residual risk is account compromise and integration token theft, which managed identity threat detection addresses. On-prem network installs (Lacerte, Drake, CCH Axcess on-prem, ATX) keep more control with the firm and put the full Windows Server hardening, SQL Server, backup, and EDR burden on the firm.
Treat the tax software vendor as a vendor under the Safeguards Rule. Time-box the access — granted when a support case is open, revoked when it closes. MFA on the session. Recorded if your remote-access platform supports it. Written breach notification clause in their TOS or a signed addendum. Do not leave a permanent unattended remote-access agent for the vendor on the tax server. Open access on demand, close it when the case is closed.
Related reading
MDR, EDR, MSSP, and SOC-as-a-service compared honestly for small business buyers — what each delivers, what each costs, and a five-question decision tree that gets to the right answer.
Read articleA field-tested hardening guide for Dentrix, Eaglesoft, and Open Dental — server isolation, account hygiene, backup strategy, audit logging, and the specific defaults that get practices breached.
Read articleA field-tested hardening guide for the document management and practice management systems law firms actually use — access controls, audit logs, MFA, BYOD policy, and the integration gaps that get firms breached.
Read article