


Introduction

The default security settings of TIM Enterprise allow for ease of installation and are suitable for the needs of most organisations. However, if your organisation's IT security policy demands it, or you plan to expose the system to an untrusted network such as the Internet, it is recommended you harden the security using the methods described below.

Info

After changing any of the following settings, you will need to restart the TIM Enterprise service before the changes take effect.


Blocking invalid login attempts

The system can blacklist the source IP address of a would-be attacker if a number of unsuccessful access attempts are made within a specified period of time. The following two Registry entries determine how many invalid login attempts are permissible before the source IP is blacklisted and, if so, for how long the blacklist will remain in place until further attempts are entertained:

Registry String data value / Description
  • FloodFailCount = 0:  Number of attempts
  • FloodLockTime = 60:  Lockout duration

All Registry keys for TIM Enterprise are located in the following hive:

Code Block
HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise
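The following PowerShell is an added example, not part of the TIM Enterprise documentation or product: it writes the two flood-protection values as Registry strings under the hive named above, reads them back to confirm, and restarts the service as the Info box requires. It assumes the values sit directly under the hive root (the page does not say whether they belong in the \Main subkey used by later settings), and the service name 'TIM Enterprise' is a placeholder; the numbers written are constructed example values, and the page does not state the unit of FloodLockTime.

```powershell
# Added example (not from the TIM Enterprise documentation): configure the
# FloodFailCount / FloodLockTime values with PowerShell and verify them.
# Assumption: values live directly under the hive the page names; if your
# installation keeps them under \Main, change $TimKey accordingly.
$TimKey = 'HKLM:\SOFTWARE\Tri-Line\TIM Enterprise'

function Set-TimStringValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [string]$Key = $TimKey
    )
    # The page describes every setting as a "Registry String data value",
    # so the value is created (or overwritten) as REG_SZ, never as DWORD.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

function Get-TimFloodSettings {
    param([string]$Key = $TimKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FloodFailCount = $p.FloodFailCount   # attempts before the source IP is blacklisted
        FloodLockTime  = $p.FloodLockTime    # how long the blacklist entry remains
    }
}

# Constructed example policy: blacklist after 5 failed logins, lock for 300 units.
# (The page's own rows show FloodFailCount = 0 and FloodLockTime = 60; it does not
# state the time unit, so confirm it on your installation before relying on it.)
Set-TimStringValue -Name 'FloodFailCount' -Value '5'
Set-TimStringValue -Name 'FloodLockTime'  -Value '300'

# Read back what is actually stored before restarting the service
Get-TimFloodSettings | Format-List

# Changes only take effect after a service restart. 'TIM Enterprise' is a
# placeholder service name; use Get-Service to find the real one.
Restart-Service -Name 'TIM Enterprise'
```

Keep the read-back step: because these are string values, a typo such as a trailing space is stored silently and only shows up when the lockout never triggers.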

Changing the default web server port

If you would like to change the default port used for web traffic, you can edit the WWWServerPort Registry key.

Registry String data value / Description
  • WWWServerPort = port number:  Port for the web server to listen on (default is 80, unless changed during setup)

Enabling High Security mode

To enable High Security mode, add the following Registry String value:

Code Block
HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise\Main\HighSecurity = "True"

Within the Windows Registry, right-click and select New -> String Value and name it HighSecurity.

Next, double-click on it and enter the value True, as shown below:

[Screenshot: HighSecurity.png (/download/attachments/1671316/HighSecurity.png)]

When the HighSecurity Registry value is set to True, the following restrictions are imposed:

  1. Ability to block individual web scripts by including them in a blacklist file:

    Code Block
    "\ssldata\{class}\blacklist.___" 
  2. Enforce password complexity for web users (additional Registry entries required)
  3. Forbid direct SQL queries through web interface
  4. System alert messages are silently suppressed
  5. System database connection tests forbidden
  6. Ability to (re)create system database tables inhibited
  7. Cannot change or test web (HTTP) port
  8. Cannot send test emails
  9. Debug information suppressed if a XSL translation error occurs

Web interface protocols

The default behaviour is to allow all three protocols: TLS1, SSL2 and SSL3.

You can change the type of connection that TIM will respond to by adding the Registry String Value WWWSSLProtocol.

Note that this is a case-insensitive string value with one of the following data values:

Registry String data value / Description
  • nossl:  No SSL protocols; behave like a standard HTTP server
  • ssl23:  SSL2 and SSL3 protocols only
  • ssl2:  SSL2 protocol only
  • ssl3:  SSL3 protocol only
  • tls1:  TLS1 protocol only
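The following PowerShell is an added example, not code from the TIM Enterprise documentation: it reports whether the current WWWSSLProtocol value (or its absence, which means the default of TLS1, SSL2 and SSL3) still accepts SSL2 or SSL3, then sets the value to tls1, the only option in the table above that keeps encryption while excluding both. SSL2 and SSL3 have been formally deprecated (RFC 6176 and RFC 7568) and should not be offered on an Internet-facing interface. The example assumes the value lives under the \Main subkey, like the page's other Main\ settings, and 'TIM Enterprise' is a placeholder service name.

```powershell
# Added example (not from the TIM Enterprise documentation): audit and harden
# the WWWSSLProtocol setting. Assumption: the value is stored under \Main.
$TimMain = 'HKLM:\SOFTWARE\Tri-Line\TIM Enterprise\Main'

function Get-TimSslProtocolStatus {
    param([string]$Key = $TimMain)
    $raw = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).WWWSSLProtocol
    # The page says the value is case-insensitive, so normalise before comparing.
    $value = if ([string]::IsNullOrEmpty($raw)) { '<not set>' } else { $raw.ToLower() }

    $allowsLegacySsl = switch ($value) {
        '<not set>' { $true }   # page default: TLS1, SSL2 and SSL3 all accepted
        'ssl23'     { $true }
        'ssl2'      { $true }
        'ssl3'      { $true }
        'tls1'      { $false }
        'nossl'     { $false }  # plain HTTP: no SSL2/SSL3, but no encryption at all either
        default     { $null }   # value not in the documented list
    }
    [pscustomobject]@{
        WWWSSLProtocol    = $value
        AllowsSSL2orSSL3  = $allowsLegacySsl
        Unencrypted       = ($value -eq 'nossl')
    }
}

# Before: what does the server currently accept?
Get-TimSslProtocolStatus

# Harden: accept TLS1 only (the sole listed value that excludes SSL2 and SSL3
# while still encrypting the web interface).
if (-not (Test-Path $TimMain)) { New-Item -Path $TimMain -Force | Out-Null }
New-ItemProperty -Path $TimMain -Name 'WWWSSLProtocol' -Value 'tls1' -PropertyType String -Force | Out-Null

# After: confirm, then restart the service (placeholder name) so the change applies.
Get-TimSslProtocolStatus
Restart-Service -Name 'TIM Enterprise'
```

The nossl value is flagged separately because it is not a hardening choice on its own: it is only reasonable when TIM sits behind a reverse proxy that terminates TLS and the link between them is trusted.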

Password complexity

You can configure TIM Enterprise web users with complex passwords to match your organisation's IT password policy.

To enable complex passwords, a Registry String Value PasswordComplexity must be added.

The following data string values allow you to configure how complex the passwords must be:

Code Block
"A"+{0-9}+"a"+{0-9}+"!"+{0-9}+"#"+{0-9}

Each part of the complexity string is defined by a pair of characters, a single character denoting the type of policy, immediately followed by a numeric character (0-9) stipulating how many characters of that type are required to satisfy the password policy.

The Type characters are as follows:

  • A:  Upper- or lower-case characters
  • a:  Lower-case characters
  • !:  Symbol characters
  • #:  Numeric characters

For example, to impose a restriction of at least 6 characters with two numbers, the following Registry entry could be used:

Code Block
HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise\Main\PasswordComplexity = "A6a0!0#2"

Info

The value of PasswordComplexity must always be 8 characters, otherwise the policy will not be applied. The order of each Type pair (Type character and amount character) is not important.
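The following PowerShell is an added example, not code from the TIM Enterprise documentation: it parses a PasswordComplexity string exactly as the page defines it (four Type/count pairs, 8 characters, pairs in any order) and checks candidate passwords against the result, so a policy can be tried out before it is written to the Registry. What the product counts as a "symbol" is not stated on the page; treating any character that is not a letter or digit as a symbol is my assumption, as is rejecting a Type character that appears twice.

```powershell
# Added example (not from the TIM Enterprise documentation): parse and apply a
# PasswordComplexity policy string such as "A6a0!0#2".
function ConvertFrom-TimPasswordComplexity {
    param([Parameter(Mandatory)][string]$Policy)
    # Page rule: the value must be exactly 8 characters, otherwise the policy is not applied.
    if ($Policy.Length -ne 8) {
        throw "PasswordComplexity must be exactly 8 characters; '$Policy' has $($Policy.Length)"
    }
    # Case-sensitive hashtable: the default @{} is case-insensitive and would merge 'A' and 'a'.
    $rules = [System.Collections.Hashtable]::new()
    for ($i = 0; $i -lt 8; $i += 2) {
        $type  = [string]$Policy[$i]       # Type character: A, a, ! or #
        $count = [string]$Policy[$i + 1]   # required number of that type, 0-9
        if ('Aa!#'.IndexOf($type, [System.StringComparison]::Ordinal) -lt 0) {
            throw "Unknown Type character '$type' in '$Policy'"
        }
        if ($count -notmatch '^[0-9]$') {
            throw "Count for Type '$type' must be a single digit 0-9, got '$count'"
        }
        if ($rules.ContainsKey($type)) { throw "Type '$type' appears twice in '$Policy'" }  # assumption
        $rules[$type] = [int]$count   # cast the one-character string, not the char, to get 6 rather than 54
    }
    return $rules
}

function Test-TimPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Policy
    )
    $rules  = ConvertFrom-TimPasswordComplexity -Policy $Policy
    $counts = [System.Collections.Hashtable]::new()
    $counts['A'] = [regex]::Matches($Password, '[A-Za-z]').Count       # upper- or lower-case letters
    $counts['a'] = [regex]::Matches($Password, '[a-z]').Count          # lower-case letters only
    $counts['#'] = [regex]::Matches($Password, '[0-9]').Count          # numeric characters
    $counts['!'] = [regex]::Matches($Password, '[^A-Za-z0-9]').Count   # symbols (assumed definition)
    $failures = @(foreach ($type in $rules.Keys) {
        if ($counts[$type] -lt $rules[$type]) {
            "Type '$type': needs at least $($rules[$type]), password has $($counts[$type])"
        }
    })
    [pscustomobject]@{
        Password  = $Password
        Policy    = $Policy
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# The page's own policy: six letters of either case and two digits
Test-TimPassword -Password 'Passw0rd1' -Policy 'A6a0!0#2'
Test-TimPassword -Password 'abc123'    -Policy 'A6a0!0#2'
# Same policy with the pairs reordered; the page says pair order is not significant
Test-TimPassword -Password 'Passw0rd1' -Policy '#2A6a0!0'
# A stricter policy: six letters, two of them lower-case, one symbol, one digit
Test-TimPassword -Password 'Passw0rd!' -Policy 'A6a2!1#1'
# A 7-character value is rejected outright, mirroring the page's 8-character rule
try { Test-TimPassword -Password 'anything' -Policy 'A6a0!0#' } catch { $_.Exception.Message }
```

Of the four checks, only the second fails: 'abc123' has three letters against the six that A6 demands, while its three digits satisfy #2. Note that the page's "at least 6 characters" example is really six letters plus two digits under the page's own definition of A, so the shortest compliant password for "A6a0!0#2" is eight characters long.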


Automatic expiry of web user passwords

You can force web users to change their password once it reaches a predetermined age. Note that this is a system-wide setting.

The server running TIM Enterprise will email the web user advising that a password change is required. The web user must have an email address configured for notification to take place.

If the password is not changed by the expiry date, the account is automatically disabled.

Registry String data value / Description
  • PasswordExpiryTimeUnits:  Determines the time units that the related expiry entries (below) will use. Valid values are minutes, hours, days and weekdays.
  • PasswordExpiryReminder:  A value, in the units described by the PasswordExpiryTimeUnits entry, after which an email is sent to the web user to remind them to change their password.
  • PasswordExpiryDisable:  A value, in the units described by the PasswordExpiryTimeUnits entry, which specifies how long after the reminder email (above) is sent that a web user's account will be disabled if the password hasn't been changed.

Default values for the above settings are as follows:

  • PasswordExpiryTimeUnits = "days"
  • PasswordExpiryReminder = "7"
  • PasswordExpiryDisable = "7"

Therefore, using the default settings, a web user will receive an email reminder after 7 days and the account will be disabled after 14 days.

If the PasswordExpiryReminder value is zero, password reminder functionality is disabled: no reminder email is sent and the web user's account is not disabled. Since this value defaults to "7", it must be explicitly set to zero to disable the functionality.

If the PasswordExpiryDisable value is explicitly set to zero, the disabling of a web user's account is skipped.
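The following PowerShell is an added example, not code from the TIM Enterprise documentation: it works out, from the three PasswordExpiry* values, when a web user is reminded and when the account would be disabled, applying the rules above (the disable interval is counted from the reminder, so the defaults of days/7/7 give a reminder on day 7 and disabling on day 14; PasswordExpiryReminder = 0 turns both off; PasswordExpiryDisable = 0 skips only the disabling). It can also read the live values from the Registry, assuming they sit under \Main like the page's other Main\ entries. How the product counts "weekdays" is not stated on the page; skipping Saturdays and Sundays is my assumption.

```powershell
# Added example (not from the TIM Enterprise documentation): compute the reminder
# and disable dates implied by the PasswordExpiry* settings.
function Add-TimExpiryUnits {
    param([datetime]$From, [int]$Amount, [string]$TimeUnits)
    switch ($TimeUnits.ToLower()) {
        'minutes'  { return $From.AddMinutes($Amount) }
        'hours'    { return $From.AddHours($Amount) }
        'days'     { return $From.AddDays($Amount) }
        'weekdays' {
            # Assumption: a "weekday" is Monday to Friday; the page does not define it.
            $d = $From; $left = $Amount
            while ($left -gt 0) {
                $d = $d.AddDays(1)
                if (@('Saturday', 'Sunday') -notcontains $d.DayOfWeek) { $left-- }
            }
            return $d
        }
        default    { throw "Unknown PasswordExpiryTimeUnits value '$TimeUnits'" }
    }
}

function Get-TimPasswordExpirySchedule {
    param(
        [datetime]$PasswordSetOn = (Get-Date),
        [string]$TimeUnits = 'days',   # page default
        [int]$Reminder = 7,            # page default
        [int]$Disable = 7              # page default
    )
    if ($Reminder -eq 0) {
        # Page rule: a zero reminder switches off reminders and disabling alike.
        return [pscustomobject]@{ ReminderOn = $null; DisableOn = $null
                                  Note = 'PasswordExpiryReminder = 0: no reminder, account never disabled' }
    }
    $reminderOn = Add-TimExpiryUnits -From $PasswordSetOn -Amount $Reminder -TimeUnits $TimeUnits
    if ($Disable -eq 0) {
        # Page rule: a zero disable value skips only the disabling step.
        return [pscustomobject]@{ ReminderOn = $reminderOn; DisableOn = $null
                                  Note = 'PasswordExpiryDisable = 0: reminder sent, account never disabled' }
    }
    # The disable interval runs from the reminder, not from when the password was set.
    $disableOn = Add-TimExpiryUnits -From $reminderOn -Amount $Disable -TimeUnits $TimeUnits
    [pscustomobject]@{ ReminderOn = $reminderOn; DisableOn = $disableOn; Note = '' }
}

function Get-TimPasswordExpirySettings {
    # Reads the live values; absent values fall back to the defaults the page lists.
    param([string]$Key = 'HKLM:\SOFTWARE\Tri-Line\TIM Enterprise\Main')   # assumed subkey
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TimeUnits = if ($p.PasswordExpiryTimeUnits) { $p.PasswordExpiryTimeUnits } else { 'days' }
        Reminder  = if ($null -ne $p.PasswordExpiryReminder) { [int]$p.PasswordExpiryReminder } else { 7 }
        Disable   = if ($null -ne $p.PasswordExpiryDisable)  { [int]$p.PasswordExpiryDisable }  else { 7 }
    }
}

# Worked calls with a constructed, fixed start date so the arithmetic is visible
$set = Get-Date '2024-01-01'
Get-TimPasswordExpirySchedule -PasswordSetOn $set                         # page defaults: day 7 / day 14
Get-TimPasswordExpirySchedule -PasswordSetOn $set -TimeUnits 'weekdays'   # assumed weekday counting
Get-TimPasswordExpirySchedule -PasswordSetOn $set -Reminder 0             # everything off
Get-TimPasswordExpirySchedule -PasswordSetOn $set -Disable 0              # remind only

# Schedule implied by the values actually stored on this server
$live = Get-TimPasswordExpirySettings
Get-TimPasswordExpirySchedule -TimeUnits $live.TimeUnits -Reminder $live.Reminder -Disable $live.Disable
```

Running the last two lines after any change to these values is a quick way to confirm that a "days" unit was not accidentally stored as "hours" before the next service restart makes it live.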

Registry String data value / Description
  • PasswordReminderSubject:  "Password reset notification"
  • PasswordReminderMessage:  "Your password to access the [%productname%] service will expire in <%expiryamount%> <%expiryunits%>.\r\n You should log in to the service before <%expirydate%> to reset your password, otherwise your account will be disabled"

The following <%%> variables are permissible in both the subject and the body text of the reminder email message:

<%%> variable / Description
  • <%product%>:  The name of the product, e.g. TIM Enterprise
  • <%expiryunits%>:  The value of PasswordExpiryTimeUnits
  • <%expirydate%>:  A date computed from the above values, relative to the date the email was sent, in local date/time format.