Here are some solutions that have been tried and tested in conjunction with One Identity Manager tools to guarantee secure operation of One Identity web applications. You decide which security measures are appropriate for your individually customized web applications.
About this guide
Configuring the Web Portal
IT shop configuration
WebAuthn security keys
Starling Two-Factor Authentication
Requesting by reference user
Sending the shopping cart
Approver options
Approval decisions about URL links
Displaying user-specific processes in the Web Portal
Configuring self-registration of new users
Configuring the four eyes principle for issuing a passcode.
Configuring password questions
Configuring the search
Setting up Starling Two-Factor Authentication
Starling Two-Factor Authentication for specific people
Logging in without Starling 2FA tokens
Activating Starling Two-Factor Authentication for the Operations Support Web Portal
Application Governance Module
Configuring password questions
Password Reset Portal
Setting up a Password Reset Portal
Recommendations for secure operation of web applications
Installing the Password Reset Portal
Authentication
Settable passwords
Excluding passwords from being reset
Central password
Setting up a new application token
Configuring Password Reset Portal login using target system user accounts
Using HTTPS
Disable automatic password storage
Disabling the HTTP request method TRACE
Using HTTP Strict Transport Security (HSTS)
Disabling insecure encryption mechanisms
Setting the "HttpOnly" attribute for ASP.NET session cookies
Setting the "same-site" attribute for ASP.NET session cookies
Setting the "secure" attribute for ASP.NET session cookies
Disabling Windows IIS 8.3 short names
Removing the HTTP response header in Windows IIS
Creating X-Frame-Options HTTP response header
Running web applications in release mode
Recommendations for secure operation of web applications
Recommendations for secure operation of web applications
Using HTTPS
Always run the One Identity Manager's web application over the secure communications protocol "Hypertext Transfer Protocol Secure" (HTTPS).
In order for the web application to use the secure communications protocol, you can force the use of the "Secure Sockets Layer" (SSL) when you install the application. For more information for using HTTPS/SSL, see the One Identity Manager Installation Guide.
Disable automatic password storage
Use this setting to prevent auto-filling of your user data on the login page. This setting is made in the Web Designer and can help running of web applications more securely.
|
Configuration parameter |
Description |
|---|---|
|
VI_Common_Login_PrefillLoginData |
Prevents auto-filling user data on the login page. |
To disable automatic password storage
- Open the Web Designer.
- In the menu bar, select the Edit > Configure project > Web project menu item.
- On the Configure Project tab, search for "VI_Common_Login_PrefillLoginData".
- In the Allow prefill of login data key, in the Value (custom) column, click
.
This sets the default value to "false". This disables automatic password storage.
Disabling the HTTP request method TRACE
The TRACE request allows the path to the web server to be traced and to check that data is transferred there correctly. This allows a trace route to be determined at application level, meaning the path to the web server over various proxies. This method is particularly useful for debugging connections.
IMPORTANT: TRACE should not be enable in a productive environment because it can reduce performance.
To disable the HTTP request method TRACE using Internet Information Services
- You will find instructions by following this link:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/tracing/