By default, Web Interface users connect to the Web Interface using an HTTP transport, which does not encrypt the data transferred from a web browser to the Web Interface. To use a secure transport for transferring data to the Web Interface, One Identity recommends using an HTTPS transport.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided by the web server for data encryption. For instructions on how to enable SSL on your web server, see How to Set Up SSL on IIS 7 or later in the Microsoft IIS documentation.
Any Web Interface instance is exposed to security issues such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. To protect the Web Interface against such attacks, you can also configure CSRF and XSS protection.
- Cross-Site Request Forgery (CSRF) attacks can force users to run unwanted actions on the Active Roles web application in which they are currently authenticated. To prevent CSRF requests, configure Active Roles to use anti-forgery protection.
- Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. To protect against such attacks, any script sent to Active Roles must be validated for malicious content before it is accepted and run. To perform this validation, enable XSS protection for Active Roles.
To configure a key-value pair for a Web Interface site in IIS
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select <Settings>.
- Click the (Count=*) button, then click Add in the right pane.
- Enter the following values:
  - Key: <keyname>
  - Value: <value>
- Close the window, then under the Actions menu in the right pane, click Apply.
- To apply your changes in Active Roles, restart the app pool.
To prevent Cross-Site Request Forgery (CSRF) requests, the Active Roles Web Interface uses anti-forgery protection. This protection is enabled by default: if you must modify it for any reason (for example, to specify any exceptions), perform the following steps.
NOTE: If CSRF is enabled, then with the exception of the Web Interface Home page:
To modify Cross-Site Request Forgery settings for a Web Interface site
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>.
- To modify the existing CSRF settings, add or edit the following keys:
  <add key="EnableAntiForgery" value="true"/> <!-- Key to enable or disable anti-forgery protection. Values: true or false -->
  <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>
- Close the window, then under the Actions menu in the right pane, click Apply.
- To apply your changes in Active Roles, restart the app pool.
Cross-Site Scripting (XSS) protection allows Active Roles to determine whether a request contains potentially dangerous content. This protection is enabled by default in the Active Roles Web Interface, but you can disable or modify it via the Internet Information Services (IIS) Manager application of the operating system.
NOTE: One Identity strongly recommends to:
To disable Cross-Site Scripting protection for the Web Interface
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>.
- To disable XSS protection, set the value of the following key to "false":
  <add key="EnableRequestValidation" value="false"/>
- In the Section drop-down, select system.web > <pages />, then set the following attribute:
  validateRequest="false"
- Close the window, then under the Actions menu in the right pane, click Apply.
- To apply your changes in Active Roles, restart the app pool.
To modify Cross-Site Scripting settings for the Web Interface
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>, and find the following key:
  <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>
- For environments that also use Microsoft Lync Server or Skype for Business Server, append the following exceptions to the existing value:
  dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
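Because both the CSRF and the XSS procedures above edit keys in each site's web.config, it is useful to audit all three default sites at once and flag any site where a protection has been switched off. The following PowerShell script is an added example and is not part of Active Roles or the One Identity documentation; it assumes the Web Interface sites are IIS applications under Default Web Site and that the WebAdministration module is installed on the IIS server.

```powershell
# Added example (not One Identity code): audit the CSRF/XSS keys documented above in the
# web.config of each default Web Interface site and flag weakened protection.
# Assumptions: sites are IIS applications under "Default Web Site"; WebAdministration is available.
Import-Module WebAdministration

function Get-ArWebInterfaceSecuritySettings {
    param(
        [string]$SiteName = 'Default Web Site',
        [string[]]$Applications = @('ARWebAdmin', 'ARWebHelpDesk', 'ARWebHelpService')
    )
    foreach ($app in $Applications) {
        $webApp = Get-WebApplication -Site $SiteName -Name $app
        if (-not $webApp) { Write-Warning "Application $app not found under $SiteName"; continue }

        # PhysicalPath may contain environment variables such as %SystemDrive%
        $physicalPath = [Environment]::ExpandEnvironmentVariables($webApp.PhysicalPath)
        $configPath = Join-Path $physicalPath 'web.config'
        [xml]$config = Get-Content -Path $configPath -Raw

        # Collect the <appSettings> keys this page describes
        $settings = @{}
        foreach ($node in $config.configuration.appSettings.add) { $settings[$node.key] = $node.value }

        # <system.web><pages validateRequest="..."/> from the XSS procedure
        $pagesNode = $config.configuration.'system.web'.pages
        $validateRequest = if ($pagesNode -and $pagesNode.validateRequest) { $pagesNode.validateRequest } else { 'not set' }

        [pscustomobject]@{
            Application             = $app
            EnableAntiForgery       = $settings['EnableAntiForgery']
            IgnoreValidation        = $settings['IgnoreValidation']
            EnableRequestValidation = $settings['EnableRequestValidation']
            IgnoreForValidation     = $settings['IgnoreForValidation']
            PagesValidateRequest    = $validateRequest
            # True when either CSRF or XSS protection has been explicitly disabled
            ProtectionWeakened      = ($settings['EnableAntiForgery'] -eq 'false') -or
                                      ($settings['EnableRequestValidation'] -eq 'false') -or
                                      ($validateRequest -eq 'false')
        }
    }
}

Get-ArWebInterfaceSecuritySettings | Format-Table -AutoSize
```

Review the IgnoreValidation and IgnoreForValidation columns as well: every entry listed there is a page or field exempted from the respective check, so the list should contain only the documented defaults plus any exceptions you deliberately added.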
The following sections list the default commands available in the default Web Interface sites.