Difference between revisions of "Security"

From ICA-AtoM
Jump to navigation Jump to search
m
m
Line 7: Line 7:
 
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection) or using [http://en.wikipedia.org/wiki/Transport_Layer_Security Transport Layer Security (TLS)] to prevent [http://en.wikipedia.org/wiki/Session_hijacking Session hijacking].  See the ''require_ssl_admin'' setting below for forcing TLS access in [[Release 1.3]] and later.
 
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection) or using [http://en.wikipedia.org/wiki/Transport_Layer_Security Transport Layer Security (TLS)] to prevent [http://en.wikipedia.org/wiki/Session_hijacking Session hijacking].  See the ''require_ssl_admin'' setting below for forcing TLS access in [[Release 1.3]] and later.
  
Because '''AtoM''' is a web application, it is necessary to adequately secure the web server against attacks, both at the operating system (e.g. Windows, Mac OS X, Ubuntu Linux) and web server application (e.g. Apache, IIS, nginx) level.  The web server environment should be configured by an experienced administrator in accordance with current "best practice" standards.
+
Because '''AtoM''' is a web application, it is necessary to adequately secure the web server against attacks, both at the operating system (e.g. Windows, Mac OS X, Ubuntu Linux) and web server application (e.g. Apache, IIS, nginx) level.  The web server environment should be configured by an experienced systems administrator in accordance with current "best practice" standards.
  
 
== Settings ==
 
== Settings ==

Revision as of 11:45, 1 August 2012

Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.

AtoM implements web application best practice for security.

Security features include:

  • User passwords are hashed using the SHA-1 hashing algorithm with a randomly generated salt
  • Protection against SQL Injection attacks via the PHP PDO database interface

User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection) or using Transport Layer Security (TLS) to prevent Session hijacking. See the require_ssl_admin setting below for forcing TLS access in Release 1.3 and later.

Because AtoM is a web application, it is necessary to adequately secure the web server against attacks, both at the operating system (e.g. Windows, Mac OS X, Ubuntu Linux) and web server application (e.g. Apache, IIS, nginx) level. The web server environment should be configured by an experienced systems administrator in accordance with current "best practice" standards.

Settings

In Release 1.3 three new security settings are added to AtoM:

  • require_ssl_admin: see TLS for more details
  • require_strong_passwords: enhance login validation to force use of strong passwords. At least 8 characters long, contains characters from 3 of the following classes:
    1. Upper case letters
    2. Lower case letters
    3. Numbers
    4. Special characters
  • limit_admin_ip: limit incoming requests for all administrator functionality to an IP address IP range. Two examples:
    1. 192.168.0.1
    2. 192.168.0.1-192.168.0.255

These options are changeable under the settings page. You must be an administrator.

Options 'require_ssl_admin' and 'limit_admin_ip' can be bypassed using the Debug mode.