Difference between revisions of "Security"
m |
m (→Settings) |
||
Line 27: | Line 27: | ||
These options are changeable under the settings page. You must be an administrator. | These options are changeable under the settings page. You must be an administrator. | ||
− | Options 'require_ssl_admin' and 'limit_admin_ip' can be bypassed using the [[Qubit:Debug mode|Debug mode]]. | + | Options 'require_ssl_admin' and 'limit_admin_ip' can be bypassed using the [[Qubit:Debug mode|Debug mode]], which can only be accessed from the local machine (localhost) by default. |
Revision as of 11:39, 8 August 2012
Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.
AtoM implements web application best practice for security.
Security features include:
- User passwords are hashed using the SHA-1 hashing algorithm with a randomly generated salt
- Protection against SQL Injection attacks via the PHP PDO database interface
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted WiFi network) or use Transport Layer Security (TLS) to prevent Session hijacking. See the require_ssl_admin setting below for forcing TLS access in Release 1.3 and later.
Because AtoM is a web application, it is necessary to adequately secure the web server against attacks, both at the operating system (e.g. Windows, Mac OS X, Ubuntu Linux) and web server application (e.g. Apache, IIS, nginx) level. The web server environment should be configured by an experienced systems administrator in accordance with current "best practice" standards. See the Qubit Toolkit Security documentation for more information about sensitive files within AtoM that may require extra protection.
Settings
In Release 1.3 three new security settings are added to AtoM:
- require_ssl_admin: see TLS for more details
- require_strong_passwords: enhance login validation to force use of strong passwords. At least 8 characters long, contains characters from 3 of the following classes:
- Upper case letters
- Lower case letters
- Numbers
- Special characters
- limit_admin_ip: limit incoming requests for all administrator functionality to an IP address IP range. Two examples:
- 192.168.0.1
- 192.168.0.1-192.168.0.255
These options are changeable under the settings page. You must be an administrator.
Options 'require_ssl_admin' and 'limit_admin_ip' can be bypassed using the Debug mode, which can only be accessed from the local machine (localhost) by default.