Difference between revisions of "Security"
Edit summary: (Note about web server security), minor edit
Revision as of 11:44, 1 August 2012
Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.
AtoM follows web application security best practices.
Security features include:
- User passwords are hashed using the SHA-1 hashing algorithm with a randomly generated salt
- Protection against SQL Injection attacks via the PHP PDO database interface
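As an added illustration of the two items above (example code written for this page, not AtoM's own implementation), the following PHP script stores a password as a salted SHA-1 digest and looks users up through PDO prepared statements, with a string-built query alongside for contrast. It assumes the pdo_sqlite extension is available and uses an in-memory database with a made-up `user` table, so it runs without an AtoM install; the function names are likewise assumptions. Current PHP also offers `password_hash()`, which is purpose-built for password storage; salted SHA-1 appears here only because it is what the page describes.

```php
<?php
// Added example for this page, not AtoM's code. Requires the pdo_sqlite extension.
// The `user` table, its columns and the function names are assumptions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (
    username      TEXT PRIMARY KEY,
    salt          TEXT NOT NULL,
    sha1_password TEXT NOT NULL
)');

// Salted SHA-1 as the page describes: a random per-user salt is stored beside the
// digest, so two users with the same password get different digests.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

function hashPassword(string $salt, string $password): string
{
    return sha1($salt . $password);
}

function createUser(PDO $pdo, string $username, string $password): void
{
    $salt = makeSalt();
    $stmt = $pdo->prepare('INSERT INTO user (username, salt, sha1_password) VALUES (:u, :s, :h)');
    $stmt->execute([':u' => $username, ':s' => $salt, ':h' => hashPassword($salt, $password)]);
}

// Unsafe pattern, shown only for contrast: the username is spliced into the SQL
// text, so any quote character in the input changes the statement itself.
function findUserUnsafe(PDO $pdo, string $username)
{
    $sql = "SELECT salt, sha1_password FROM user WHERE username = '$username'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// PDO prepared statement: the username travels as a bound parameter and is
// never parsed as SQL.
function findUserSafe(PDO $pdo, string $username)
{
    $stmt = $pdo->prepare('SELECT salt, sha1_password FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Recompute the digest with the stored salt and compare in constant time.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $row = findUserSafe($pdo, $username);
    if ($row === false) {
        return false;
    }
    return hash_equals($row['sha1_password'], hashPassword($row['salt'], $password));
}

// Constructed sample data.
createUser($pdo, 'archivist', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'archivist', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'archivist', 'not the password'));

// An ordinary name containing an apostrophe: the prepared statement simply finds
// no such user, while the string-built query is no longer valid SQL and PDO throws.
$name = "o'brien";
var_dump(findUserSafe($pdo, $name));
try {
    findUserUnsafe($pdo, $name);
} catch (PDOException $e) {
    echo 'string-built query failed: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The point of the last block is that the prepared statement treats every input purely as data, whereas the string-built query's behaviour depends on what characters the input happens to contain, which is exactly what makes it unsafe.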
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. an internal LAN or an encrypted Wi-Fi connection) or use Transport Layer Security (TLS) to prevent session hijacking. See the require_ssl_admin setting below for forcing TLS access in Release 1.3 and later.
Because AtoM is a web application, the web server must be adequately secured against attacks, both at the operating system level (e.g. Windows, Mac OS X, Ubuntu Linux) and at the web server application level (e.g. Apache, IIS, nginx). The web server environment should be configured by an experienced administrator in accordance with current "best practice" standards.
Settings
Release 1.3 adds three new security settings to AtoM:
- require_ssl_admin: see TLS above for more details
- require_strong_passwords: strengthens login validation to require strong passwords. A password must be at least 8 characters long and contain characters from at least 3 of the following 4 classes:
  - Upper case letters
  - Lower case letters
  - Numbers
  - Special characters
- limit_admin_ip: restricts incoming requests for all administrator functionality to a single IP address or an IP address range. Two examples:
  - 192.168.0.1
  - 192.168.0.1-192.168.0.255
These options can be changed on the Settings page; you must be an administrator to do so.
The 'require_ssl_admin' and 'limit_admin_ip' options can be bypassed when Debug mode is enabled, so Debug mode should stay off on any server that relies on them.
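The two rules above (password strength and the admin IP restriction) as plain-PHP checks, added here as an example for this page rather than AtoM's own code; the function names and return values are assumptions. The IP check uses `inet_pton` and compares packed addresses byte-wise, so it goes slightly beyond the page's IPv4 examples and also handles an IPv6 range, as long as both ends of the range and the client address are in the same family.

```php
<?php
// Added example for this page, not AtoM's code. Function names are assumptions.

// require_strong_passwords: at least 8 characters and characters from at least
// three of the four classes (upper case, lower case, numbers, special characters).
function isStrongPassword(string $password): bool
{
    if (strlen($password) < 8) {
        return false;
    }
    $classes = 0;
    $classes += preg_match('/[A-Z]/', $password);
    $classes += preg_match('/[a-z]/', $password);
    $classes += preg_match('/[0-9]/', $password);
    $classes += preg_match('/[^A-Za-z0-9]/', $password);
    return $classes >= 3;
}

// limit_admin_ip: the setting is either a single address or "start-end".
// Returns true only when $clientIp lies inside the configured address or range;
// anything malformed fails closed.
function ipAllowed(string $setting, string $clientIp): bool
{
    $client = @inet_pton($clientIp);
    if ($client === false) {
        return false;                       // not a valid address: deny
    }
    $parts = explode('-', trim($setting), 2);
    $start = @inet_pton(trim($parts[0]));
    $end   = isset($parts[1]) ? @inet_pton(trim($parts[1])) : $start;
    if ($start === false || $end === false) {
        return false;                       // malformed setting: deny
    }
    // Only compare addresses of the same family (same packed length).
    if (strlen($client) !== strlen($start) || strlen($start) !== strlen($end)) {
        return false;
    }
    // Packed addresses are big-endian, so a byte-wise comparison is a numeric one.
    return strcmp($start, $client) <= 0 && strcmp($client, $end) <= 0;
}

// Constructed inputs: one password that satisfies three classes, one that does not.
var_dump(isStrongPassword('Arch1ves!'));
var_dump(isStrongPassword('archives'));

// The page's two example settings against constructed client addresses.
var_dump(ipAllowed('192.168.0.1', '192.168.0.1'));
var_dump(ipAllowed('192.168.0.1', '192.168.0.2'));
var_dump(ipAllowed('192.168.0.1-192.168.0.255', '192.168.0.77'));
var_dump(ipAllowed('192.168.0.1-192.168.0.255', '10.0.0.5'));
var_dump(ipAllowed('192.168.0.1-192.168.0.255', 'not an address'));
```

One point a practitioner would want to pin down when wiring `ipAllowed` in: the client address fed to it should be the TCP peer address (`$_SERVER['REMOTE_ADDR']`) rather than a client-supplied header such as X-Forwarded-For, unless the application sits behind a proxy you control that sets that header. Otherwise the restriction checks a value the requester chose.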