By default, Web Interface users connect to the Web Interface over HTTP, which does not encrypt the data transferred between the Web browser and the Web Interface. To transfer data to the Web Interface securely, it is recommended to use an HTTPS transport.
The secure hypertext transfer protocol (HTTPS) uses the Secure Sockets Layer (SSL) provided by the Web server to encrypt data. For instructions on how to enable SSL on your Web server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
Any Web interface is exposed to security issues such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. To protect against such attacks, Active Roles can now be configured to enable CSRF and XSS protection for the Web Interface.
Cross-Site Request Forgery (CSRF) attacks can force users to execute unwanted actions in the Active Roles web application in which they are currently authenticated. To prevent CSRF requests, Active Roles must be configured to use Anti-Forgery protection.
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Hence, any script sent to Active Roles must be validated for malicious content before it is accepted and executed. To perform this validation, XSS protection must be enabled for Active Roles.
To configure keys in the Web interface
NOTE: ARWebAdmin is the default Active Roles application.
By default, the current Active Roles Web Interface does not use Anti-Forgery protection to prevent Cross-Site Request Forgery (CSRF) requests. The CSRF option must be enabled to use Anti-Forgery protection.
<add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>
By default, the current Active Roles Web Interface does not validate requests for cross-site scripting. The Cross-Site Scripting (XSS) option must be enabled to use the feature that lets Active Roles determine whether a request contains potentially dangerous content.
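The IgnoreValidation key shown above lists the requests that skip this validation, so every entry added to it widens the unvalidated surface. As an added example that is not One Identity's code, the following Python audits a web.config against the six documented entries; it assumes the key is named IgnoreValidation (or IgnoreForValidation, the other spelling used on this page) and the sample web.config fragment is constructed.

```python
# Added example (not One Identity's code): audit the request-validation
# exemption list in an Active Roles Web Interface web.config. Assumes the
# appSettings key is named IgnoreValidation (or IgnoreForValidation), as on
# this page, and that the six entries quoted there are the documented baseline.
import xml.etree.ElementTree as ET

# Baseline value quoted on the page for the IgnoreValidation key.
DOCUMENTED_BASELINE = frozenset(
    "choosecolumns,savetofile,customizeform,default,2fauth,formmap".split(",")
)
EXEMPTION_KEYS = ("IgnoreValidation", "IgnoreForValidation")

# Constructed sample fragment: one undocumented entry ("report") was added.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="IgnoreValidation"
         value="choosecolumns,savetofile,customizeform,default,2fauth,formmap,report"/>
  </appSettings>
</configuration>
"""


def parse_exemptions(config_xml):
    """Return the set of request names exempt from validation, or None when
    the key is absent (then no request skips validation)."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        if add.get("key") in EXEMPTION_KEYS:
            entries = add.get("value", "").split(",")
            return {e.strip().lower() for e in entries if e.strip()}
    return None


def audit_exemptions(config_xml, baseline=DOCUMENTED_BASELINE):
    """Compare the configured exemptions with the documented baseline.
    'extra' entries skip validation without documentation and each needs a
    justification; 'missing' entries may break the Web Interface pages listed."""
    configured = parse_exemptions(config_xml)
    if configured is None:
        return {"key_present": False, "extra": set(), "missing": set()}
    return {
        "key_present": True,
        "extra": configured - set(baseline),
        "missing": set(baseline) - configured,
    }


if __name__ == "__main__":
    print(audit_exemptions(SAMPLE_WEB_CONFIG))  # extra: {'report'}, missing: set()
```

Run it against the deployed web.config (read the file and pass its contents) whenever the Web Interface is upgraded or reconfigured, and treat any "extra" entry as a change that needs an owner and a reason.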
For environments with Lync Server or Skype for Business Server, add the following to the existing value of the IgnoreForValidation key: