Configuring Web interface for enhanced security
By default, Web Interface users connect to the Web Interface using an HTTP transport, which does not encrypt the data transferred from a Web browser to the Web Interface. To use a secure transport for transferring data to the Web interface, it is recommended to use an HTTPS transport.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided by the Web server for data encryption. For instructions on how to enable SSL on your Web server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
Any Web interface is prone to security issues such as Cross-Site Request Forgery (CSRF) and Cross-site Scripting (XSS ) attacks. To prevent and protect against such attacks Active Roles can now be configured to enable CSRF and XSS for the Web interface.
Cross-Site Request Forgery (CSRF) attacks can force users to execute unwanted actions on the Active Roles web application in which they are currently authenticated. To prevent CSRF requests Active Roles must be enabled to use Anti Forgery protections.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Hence, any script that is sent to Active Roles must be validated for malicious content before accepting and executing the script. To perform the script validation XSS must be enabled for Active Roles.
To configure keys in the Web interface
- From Windows Run, open IIS and Expand Default Website.
- Click the Active Roles Application.
NOTE:ARWebAdmin is the default Active Roles application. - In the right pane, in the Configuration Editor, from the Section drop-down menu, select <Settings>.
- Click on the button corresponding (Count=*), and click Add in the right Pane.
- Enter the following values:
- Key: "<keyname>"
- Value: "<value>"
- Close the window and click Apply under Actions menu in the right pane.
- Restart the App pool.
Enabling CSRF
Enabling Cross-Site Request Forgery for Web interface
Current Active Roles Web Interface does not use Anti Forgery protections to prevent Cross-Site Request Forgery (CSRF) request by default. The CSRF option must be enabled to use the Anti Forgery protections.
To enable CSRF add the following scripts in web.config | <appSettings> section:
- <add key ="EnableAntiForgery" value="true"/> <!--Key to enable or disable Antiforgery , Values= true or false -->
-
<add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>
Enabling XSS
Enabling Cross-Site Scripting validation for Web interface
Current Active Roles Web Interface does not perform validation for cross-site scripting by default. The Cross-Site Scripting (XSS) option must be enabled to use the feature that allows Active Roles to determine whether a request contains potentially dangerous content.
To enable XSS add the following scripts in web.config:
- In the <appSettings> section, add the following scripts:
- <add key="EnableRequestValidation" value="true"/>
- <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>
For environments having Lync Server or Skype for Business Server, in the IgnoreForValidation key add the following to the existing value:
dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
- In the <system.web> section, add the following scripts: