
Active Roles 8.0.1 LTS - Web Interface Administration Guide


Configuring the Web Interface for enhanced security

 

By default, users connect to the Web Interface over HTTP, which does not encrypt the data exchanged between the Web browser and the Web Interface. To protect that data in transit, configure the Web Interface to use HTTPS instead.

HTTPS encrypts the connection with TLS (the successor of Secure Sockets Layer, SSL), which is provided by the Web server. For instructions on how to enable SSL/TLS on your IIS Web server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.

Like any Web application, the Web Interface is exposed to attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). To protect against these attacks, Active Roles can be configured to enable CSRF and XSS protection for the Web Interface.

Cross-Site Request Forgery (CSRF) attacks trick a user's browser into sending unwanted requests to the Active Roles Web application in which the user is currently authenticated. To block such requests, Active Roles must be configured to use its Anti Forgery protection.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are placed into otherwise benign and trusted Web sites. Hence, every request sent to Active Roles must be validated for potentially dangerous content before it is accepted and processed. This check is the XSS (request validation) setting, which must be enabled for Active Roles.

 

To configure keys in the Web Interface

  1. Open IIS Manager (for example, from Windows Run, enter inetmgr) and expand Default Web Site.
  2. Click the Active Roles application.

    NOTE: ARWebAdmin is the default Active Roles application.
  3. In the right pane, open Configuration Editor and, from the Section drop-down menu, select appSettings.
  4. Open the collection row marked (Count=*) and click Add in the right pane.
  5. Enter the following values:
    1. Key: <keyname>
    2. Value: <value>
  6. Close the window and click Apply under Actions in the right pane.
  7. Restart the application pool of the Active Roles application.
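The same change can be scripted, which helps when several Web Interface sites must be kept consistent. The following PowerShell script is an added example and is not part of the Active Roles guide or product. It assumes IIS on the local host, the default ARWebAdmin application with physical path C:\inetpub\wwwroot\ARWebAdmin, and an application pool named ARWebAdmin; adjust the two variables to your deployment. The key names and values written are the ones documented on this page, with both protections left enabled.

```powershell
# Added example (not from the Active Roles documentation): write the appSettings keys that
# control CSRF (anti-forgery) and XSS (request validation) protection into the Web Interface
# web.config and recycle the application pool, the scripted equivalent of the IIS
# Configuration Editor steps above.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$WebConfigPath = 'C:\inetpub\wwwroot\ARWebAdmin\web.config'   # assumption: physical path of the ARWebAdmin app
$AppPoolName   = 'ARWebAdmin'                                 # assumption: name of its application pool

function Set-AppSettingKey {
    # Adds the <add key="..." value="..."/> element under <appSettings>, or updates it in place,
    # which is what the Configuration Editor does when you click Add or edit an existing row.
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )
    $appSettings = $Config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $Config.DocumentElement.AppendChild($Config.CreateElement('appSettings'))
    }
    $existing = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($existing) {
        $existing.SetAttribute('value', $Value)
    } else {
        $add = $Config.CreateElement('add')
        $add.SetAttribute('key',   $Key)
        $add.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($add)
    }
}

# Keep a timestamped backup; IIS picks up the new web.config on the next request.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$config = Get-Content -Path $WebConfigPath -Raw

# CSRF: anti-forgery on, with the documented list of pages exempt from the check.
Set-AppSettingKey -Config $config -Key 'EnableAntiForgery' -Value 'true'
Set-AppSettingKey -Config $config -Key 'IgnoreValidation'  -Value 'choosecolumns,savetofile,customizeform,default,2fauth,formmap'

# XSS: request validation on, with the documented list of fields exempt from the check.
Set-AppSettingKey -Config $config -Key 'EnableRequestValidation' -Value 'true'
Set-AppSettingKey -Config $config -Key 'IgnoreForValidation'     -Value 'hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform'

# The matching <pages validateRequest="true"/> under <system.web>, so ASP.NET request
# validation is not switched off at the page level while the appSettings key says "true".
$systemWeb = $config.SelectSingleNode('/configuration/system.web')
if (-not $systemWeb) {
    $systemWeb = $config.DocumentElement.AppendChild($config.CreateElement('system.web'))
}
$pages = $systemWeb.SelectSingleNode('pages')
if (-not $pages) {
    $pages = $systemWeb.AppendChild($config.CreateElement('pages'))
}
$pages.SetAttribute('validateRequest', 'true')

$config.Save($WebConfigPath)

# Step 7 of the procedure: recycle the pool so the new settings are loaded.
Restart-WebAppPool -Name $AppPoolName
```

Run the script in an elevated PowerShell session on the IIS host. To disable a protection instead (not recommended), change the corresponding value to 'false' in the two Set-AppSettingKey calls and in the validateRequest attribute; the backup copy lets you revert.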

Enabling CSRF protection

The current Active Roles Web Interface uses Anti Forgery protection to block Cross-Site Request Forgery (CSRF) requests by default.

To modify the CSRF settings, add or edit the following keys in the <appSettings> section of web.config:

    <add key="EnableAntiForgery" value="true"/> <!-- Enables or disables Anti Forgery protection; values: true or false -->
    <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>

The IgnoreValidation key lists the pages that are exempt from the anti-forgery check. Keep this list as short as possible: a page you add to it is no longer protected against CSRF.

Working with Cross-Site Scripting validation for the Web Interface

The Cross-Site Scripting (XSS) option allows Active Roles to determine whether a request contains potentially dangerous content (request validation). The current Active Roles Web Interface validates requests for XSS by default. You can either disable XSS validation or modify its behavior with the IgnoreForValidation key.

To disable XSS validation in web.config:

  1. In the <appSettings> section, set the value of the following key to false:

    <add key="EnableRequestValidation" value="false"/>
  2. In the <system.web> section, set the validateRequest attribute of the <pages /> element to false:

    <pages validateRequest="false" />

Disabling request validation removes the check that rejects requests containing potentially dangerous content. Leave it enabled unless a specific application requirement forces you to turn it off.

To modify XSS validation behavior in web.config:

  1. In the <appSettings> section, find the following key:

    <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>

    The value lists the fields whose content is exempt from request validation.
  2. For environments that have Lync Server or Skype for Business Server, append the following to the existing value:

    dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy

Effect of enabling CSRF protection

When the CSRF settings are enabled, you cannot copy the URL of any page other than the Home page and open it in a new browser tab or window. Bookmarked URLs cannot be opened either.
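After the keys above have been edited, whether by hand, through the Configuration Editor or by script, it is worth verifying that the protections are actually still in force and that the exemption lists have not quietly grown. The following PowerShell audit is an added example, not part of the Active Roles guide or product. It assumes the key names, default values and Lync/Skype for Business additions are exactly those documented on this page, and it audits a constructed sample web.config that it writes to the temp folder itself so that it runs offline; point it at a real ARWebAdmin web.config to audit a deployment.

```powershell
# Added example (not from the Active Roles documentation): audit a Web Interface web.config
# for CSRF (anti-forgery) and XSS (request validation) protection and for undocumented
# entries in the IgnoreValidation / IgnoreForValidation exemption lists.

# Exemption values documented in this guide (including the Lync / Skype for Business additions).
$DocumentedIgnoreValidation    = 'choosecolumns,savetofile,customizeform,default,2fauth,formmap' -split ','
$DocumentedIgnoreForValidation = @(
    'hiddenxml', 'homepagestruct', 'txtconditionsforoperationsinreadableform',
    'dialplanpolicytextbox', 'voicepolicytextbox', 'edsva-lync-conferencingpolicy',
    'edsva-lync-clientversionpolicy', 'edsva-lync-pinpolicy', 'edsva-lync-externalaccesspolicy',
    'edsva-lync-archivingpolicy', 'edsva-lync-locationpolicy', 'edsva-lync-mobilitypolicy',
    'edsva-lync-persistentchatpolicy', 'edsva-lync-clientpolicy'
)

function Get-ArWebSecurityAudit {
    param([Parameter(Mandatory)] [string] $WebConfigPath)

    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $settings = @{}
    foreach ($add in $config.SelectNodes('/configuration/appSettings/add')) {
        $settings[$add.GetAttribute('key')] = $add.GetAttribute('value')
    }

    # ASP.NET treats a missing validateRequest attribute on <pages> as "true".
    $pages = $config.SelectSingleNode('/configuration/system.web/pages')
    $validateRequest = if ($pages -and $pages.HasAttribute('validateRequest')) {
        $pages.GetAttribute('validateRequest')
    } else { 'true' }

    $findings = [System.Collections.Generic.List[string]]::new()

    # The guide states both protections are on by default, so only an explicit "false" is a finding;
    # a missing key is reported as-is (null) rather than assumed to be off.
    if ($settings['EnableAntiForgery'] -eq 'false') {
        $findings.Add('EnableAntiForgery=false: CSRF (anti-forgery) protection is disabled')
    }
    if ($settings['EnableRequestValidation'] -eq 'false') {
        $findings.Add('EnableRequestValidation=false: XSS request validation is disabled')
    }
    if ($validateRequest -eq 'false') {
        $findings.Add('<pages validateRequest="false">: ASP.NET request validation is disabled')
    }

    # Anything exempted beyond the documented lists is unprotected and needs a justification.
    $extraCsrf = @(($settings['IgnoreValidation'] -split ',') |
        Where-Object { $_ -and ($_.Trim() -notin $DocumentedIgnoreValidation) })
    $extraXss  = @(($settings['IgnoreForValidation'] -split ',') |
        Where-Object { $_ -and ($_.Trim() -notin $DocumentedIgnoreForValidation) })
    if ($extraCsrf.Count -gt 0) {
        $findings.Add("Undocumented pages exempt from anti-forgery validation: $($extraCsrf -join ', ')")
    }
    if ($extraXss.Count -gt 0) {
        $findings.Add("Undocumented fields exempt from request validation: $($extraXss -join ', ')")
    }

    [pscustomobject]@{
        EnableAntiForgery       = $settings['EnableAntiForgery']
        EnableRequestValidation = $settings['EnableRequestValidation']
        ValidateRequest         = $validateRequest
        Findings                = $findings.ToArray()
        Hardened                = ($findings.Count -eq 0)
    }
}

# Constructed sample web.config (not from a real deployment): request validation switched off
# in both places and an extra page added to the CSRF exemption list.
$samplePath = Join-Path $env:TEMP 'arwebadmin-sample-web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="EnableAntiForgery" value="true"/>
    <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap,reports"/>
    <add key="EnableRequestValidation" value="false"/>
    <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>
  </appSettings>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>
'@ | Set-Content -Path $samplePath -Encoding UTF8

Get-ArWebSecurityAudit -WebConfigPath $samplePath | Format-List
```

The audit reports an explicit "false" rather than a missing key as a finding because the guide states both protections are enabled by default; if your deployment relies on that default, add the keys explicitly so the intended state is visible in the file. Any page or field listed in the exemption keys beyond the documented values is reported because it is, by definition, no longer covered by the corresponding check.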
