
Active Roles 8.1.5 - Web Interface Configuration Guide


Configuring Web Interface for enhanced security

By default, Web Interface users connect to the Web Interface using an HTTP transport, which does not encrypt the data transferred from a web browser to the Web Interface. To use a secure transport for transferring data to the Web Interface, One Identity recommends using an HTTPS transport.

The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided by the web server for data encryption. For instructions on how to enable SSL on your web server, see How to Set Up SSL on IIS 7 or later in the Microsoft IIS documentation.

Any Web Interface instance is prone to security issues, such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. To protect the Web Interface against such attacks, you can also configure CSRF and XSS protection.

  • Cross-Site Request Forgery (CSRF) attacks can force users to run unwanted actions on the Active Roles web application in which they are currently authenticated. To prevent CSRF requests, configure Active Roles to use anti-forgery protections.

  • Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To protect against such attacks, any script that is sent to Active Roles must be validated for malicious content before it is accepted and run. To perform the script validation, enable XSS protection for Active Roles.

To configure a key-value pair for a Web Interface site in IIS

  1. In the operating system, launch Internet Information Services (IIS) Manager.

  2. Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.

  3. In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select <Settings>.

  4. Click the button corresponding to (Count=*), then click Add in the right pane.

  5. Enter the following values:

    1. Key: <keyname>

    2. Value: <value>

  6. Close the window, then under the Actions menu in the right pane, click Apply.

  7. To apply your changes in Active Roles, restart the app pool.

Modifying Cross-Site Request Forgery for Web Interface

To prevent Cross-Site Request Forgery (CSRF) requests, the Active Roles Web Interface uses anti-forgery protection. This protection is enabled by default: if you must modify it for any reason (for example, to specify any exceptions), perform the following steps.

NOTE: If CSRF is enabled, then with the exception of the Web Interface Home page:

  • You cannot copy the URL of any other Web Interface page and open it in a new browser tab or window.

  • You cannot open bookmarked URLs.

To modify Cross-Site Request Forgery settings for a Web Interface site

  1. In the operating system, launch Internet Information Services (IIS) Manager.

  2. Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.

  3. In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>.

  4. To modify the existing CSRF settings, add the following script:

    <add key="EnableAntiForgery" value="true"/> <!-- Key to enable or disable anti-forgery. Values: true or false -->
    <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>
    
  5. Close the window, then under the Actions menu in the right pane, click Apply.

  6. To apply your changes in Active Roles, restart the app pool.

Disabling or modifying Cross-Site Scripting validation for Web Interface

Cross-Site Scripting (XSS) protection allows Active Roles to determine whether a request contains potentially dangerous content. This protection is enabled by default in the Active Roles Web Interface, but you can disable or modify it via the Internet Information Services (IIS) Manager application of the operating system.

NOTE: One Identity strongly recommends that you:

  • Keep XSS protection enabled.

  • Modify the default XSS protection settings only if your environment contains additional services (such as Skype for Business Server) that require adaptations.

To disable Cross-Site Scripting protection for the Web Interface

  1. In the operating system, launch Internet Information Services (IIS) Manager.

  2. Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.

  3. In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>.

  4. To disable XSS, set the value of the following script to "false":

    <add key="EnableRequestValidation" value="false"/>

  5. In the Section drop-down, select system.web > <pages />, then set the following key:

    validateRequest="false"

  6. Close the window, then under the Actions menu in the right pane, click Apply.

  7. To apply your changes in Active Roles, restart the app pool.

To modify Cross-Site Scripting settings for the Web Interface

  1. In the operating system, launch Internet Information Services (IIS) Manager.

  2. Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.

  3. In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>, and find the following script:

    <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>

  4. For environments that also use Microsoft Lync Server or Skype for Business Server, add the following exceptions to the existing value:

    dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
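
Because the CSRF and XSS settings above can be switched off or widened with a single web.config edit, it is worth checking a site's web.config against the values shown in this guide. The following is an added example, not One Identity code: the function name `audit_web_config`, the `uses_lync` parameter and the sample file (including the `exportall` entry) are assumptions made for illustration, and the baseline is assumed to be the values printed on this page.

```python
import xml.etree.ElementTree as ET

def _csv(value):
    """Split a comma-separated setting into a set of lower-cased names."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

# Baseline = the values printed on this page (assumed to be the expected set).
CSRF_EXEMPT = _csv("choosecolumns,savetofile,customizeform,default,2fauth,formmap")
XSS_EXEMPT = _csv("hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform")
LYNC_EXEMPT = _csv(
    "dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,"
    "edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,"
    "edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,"
    "edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,"
    "edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy")

def audit_web_config(xml_text, uses_lync=False):
    """Return findings for one Web Interface web.config (empty list = baseline)."""
    root = ET.fromstring(xml_text)
    # This check compares appSettings keys in lower case.
    cfg = {a.get("key", "").strip().lower(): a.get("value", "")
           for a in root.findall("appSettings/add")}
    findings = []
    # A missing key is not flagged: the page states both protections default to on.
    for key, label in (("enableantiforgery", "CSRF"), ("enablerequestvalidation", "XSS")):
        if cfg.get(key, "").strip().lower() == "false":
            findings.append(f"{label} protection disabled: {key}=false")
    # <pages validateRequest="false"> anywhere, including <location> overrides.
    if any(p.get("validateRequest", "").lower() == "false" for p in root.iter("pages")):
        findings.append("XSS protection disabled: pages validateRequest=false")
    allowed_xss = XSS_EXEMPT | (LYNC_EXEMPT if uses_lync else set())
    for key, allowed in (("ignorevalidation", CSRF_EXEMPT), ("ignoreforvalidation", allowed_xss)):
        extra = sorted(_csv(cfg.get(key)) - allowed)
        if extra:
            findings.append(f"{key} has exceptions not listed in the guide: {', '.join(extra)}")
    return findings

# Constructed sample, not a real Active Roles web.config.
SAMPLE = """<configuration>
  <appSettings>
    <add key="EnableAntiForgery" value="true"/>
    <add key="IgnoreValidation" value="choosecolumns,savetofile,exportall"/>
    <add key="EnableRequestValidation" value="false"/>
    <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,voicepolicytextbox"/>
  </appSettings>
  <system.web><pages validateRequest="false"/></system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE):
        print("FINDING:", finding)
```

Pass `uses_lync=True` for sites that legitimately carry the Lync Server or Skype for Business Server exceptions, so that only entries outside both documented lists are reported.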

Default Commands

The following sections list the default commands available in the default Web Interface sites.
