Security Best Practices for EngageIP Billing
Overview
Security is best achieved through a layered approach combining various methodologies to achieve the highest level of security without unduly impacting the user experience. This document will describe methods for improving security of EngageIP, particularly in the AdminPortal.
Starting from EngageIP and moving out to the client's web browser. Steps one to three are minimum security precautions for allowing the AdminPortal to be visible to the Internet. Step four reduces the need by granting the user access to the internal network using your regular authentication and security methods.
Hardening EngageIP by enforcing Strong passwords, failed login limits, password history and account lockouts
Limiting access to AdminPortal using IIS IP restrictions
SSL Encryption and authentication for user traffic between the client browser and the IIS server that is hosting the AdminPortal. Prevents usernames and passwords from being sent in plain text across the internet
VPN connectivity to keep the AdminPortal safe behind your corporate Firewall and requiring users to authenticate with your network before accessing the AdminPortal
Configuration
Configuring Users Within EngageIP Billing
Account Roles are accessible from the Setup tab (Setup tab -> Roles)
Note: the more permissions a role is setup with within EngageIP Billing the stronger the restrictions on the accounts should be
The following fields are configurable for the account roles:
Change Password (Days) - number of elapsed days before a user in the role is prompted to change their password. Regular password changes will reduce the effect of compromised accounts (90 days recommended)
Password Length (Min) - sets the minimum length a password can be set to (at least 8 characters recommended)
Password w/ Numbers - enforces alphanumeric passwords. Having this option checked will require users to have at least one number in the password improving the password strength (passwords containing at least three out of the four conditions recommended: Uppercase Characters, Lowercase characters, Numbers and Special Characters such as @, #, !, %)
Password History Length - records and prevents the reuse of 'X' number of passwords. Recommend setting is 6 to reduce the users recycling of similar passwords
Force Password Change On First Login - requires the user to change their password when first logging into the AdminPortal (recommended)
Failed Login Limit - the number of incorrect attempts to login to an account before the account is locked out to prevent brute force attacks to hack a password (for admin level accounts 3-5 is recommended, for basic users 5-9)
Lockout Duration - time to lock the account after it has hit the failed login limit (a minimum of 1 hour to a max of 3 hours is recommended, a much longer duration would essentially incur an admin manually unlocking the account)
Restricting Access Using IP Restrictions in IIS
http://support.microsoft.com/kb/324066/en-us
To grant or deny access to a computer
In IIS Manager click the local computer then right-click the Web Sites or FTP Sites folder, an individual Web or FTP site, a virtual directory, or a file; and then click Properties
Note: configuration settings made at the Web or FTP Sites level are inherited by all of the Web or FTP sites on the server. You can override inheritance by configuring the individual site or site elementClick the Directory Security or File Security tab, and then do one of the following:
For Web sites, in the IP address and domain name restrictions section, click Edit
For FTP sites, continue to the next step
Click Granted access or Denied access. When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access. When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access
Click Add, and then click Single computer
Click DNS Lookup to search for computers or domains by name, rather than by IP address
Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box
It causes a performance decrease on your server while it is looking up DNS addresses
A user accessing your Web server through a proxy server appears to have the IP address of the proxy server
Some user server access problems can be corrected by entering the "*.domainname.com" syntax, rather than the "DomainName.com " syntax
Click OK three times
Configuring SSL Secured Browsing
This step outlines how to setup TSL/SSL on your IIS server to ensure secured browsing of the Admin portal. There isn't anything special related here as long as you have a standard SSL certificate for your website.
(Source: Transport Layer Security )
What is TLS/SSL - Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.
The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communication privacy over the Internet using cryptography.
All this means is your client web browser and your web server are not sending traffic and more importantly user names and passwords in plain text.
Commercial websites use SSL certificates provided by commercial certificate authorities such as VeriSign, and cost between $100 and $400 US per annum.
For EngageIP Billing using the authentication portion of SSL is not as relevant as the encryption portion, so we will detail how to create a Self-signed certificate to allow the use of SSL without the need to purchase a certificate. Also there is a free alternative http://cert.startcom.org/ which provides free certificates. http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rdParty-Certificate.html is a document for installing Startcoms free SSL cert onto a IIS server.
The IIS resource kit Download IIS 6.0 Resource Kit Tools allows the creation of a self test SSL certificate that can be used to secure your admin portal without the need to purchase or setup a SSL cert through a CA. You will get a pop up when you attempt to view the website from another computer but you can export the certificate and install it on the client computer you wish to access Admin portal from.
Install the resource kit (requires Windows Server 2003, Windows XP)
From the Windows Start Menu, go to the "ProgramsIIS ResourcesSelfSSL" folder and select "SelfSSL".
Instructions will be listed in a command prompt. Type "selfssl" to run the program.
Type "y" to confirm overriding/installing the certificate on the given site.
Test that it worked by visiting https://localhost/
Full instructions with pictures available at http://www.visualwin.com/SelfSSL/
Configuring Session Timeouts
See the article Extending Browser Session Time-Outs For EngageIP
See Also