OpManager Security Recommendations

The Security Recommendations tab serves as a central hub for configuring various security settings in OpManager. It provides options to enhance user access control, enforce secure communication, protect sensitive data, and apply additional security measures. To access the Security Recommendations tab, navigate to Settings → General Settings -> Security Settings.

1. Secure User Access

  • Enable Two-Factor Authentication: Adds an extra layer of security by requiring users to verify their identity using an OTP in addition to their password.
  • Change default admin password: Recommended to change the default administrator password to a strong and unique one.
  • User session timeout: Automatically logs out inactive users after a defined period to prevent unauthorized access. The security score will only be displayed to admin with access to all modules.

2. Secure Communication

  • Disable HTTP in OpManager: By default, OpManager allows both HTTP and HTTPS access. To enforce secure access, users can disable HTTP and allow only HTTPS. Note that HTTPS will be enabled by default in Enterprise editions.
  • Use a Third-Party SSL certificate: Supports third-party SSL certificates for encrypting communication and securing connections.
  • Disable TLSv1 and TLSv1.1 Protocols: Ensures only modern, secure versions (TLS 1.2 and TLS 1.3) are used.
  • Disable Weak Ciphers for HTTPS Port: Disables weak cipher suites to enforce strong encryption methods.
  • Configure Mail server with SSL/TLS: Recommended to use SSL or TLS encryption for secure email communication.

3. Enforce Data Protection

  • Export data protection: Ensures exported data is handled securely by enabling users to configure a password for scheduled PDF/CSV files.
  • Database backup scheduled: Enables scheduled PostgreSQL database backups to protect against data loss.
  • Secure installation directory: Ensures that OpManager is installed in the C:\Program Files directory, as determined by system environment settings. Note that this applies only to Windows installations.

4. Security Measures

  • Enable HTTP strict transport security (HSTS): Users can enable HSTS via GUI to ensure all connections use HTTPS, preventing insecure access.

  • Content Security Policy: Content Security Policy is a security feature in OpManager designed to prevent unauthorized content execution and mitigate risks such as cross-site scripting (XSS) and clickjacking attacks. CSP restricts which resources (scripts, styles, iframes, etc.) can be loaded or embedded. Apart from the other existing directives, only the following two CSP directives can be configured in OpManager:

    • frame-src: From version 12.8.248, users can control which sources can embed widgets within OpManager, preventing unauthorized content loading via the UI. For older versions, users should configure ALLOWED_FRAME_SRC_URL under the <OPMHOME>/conf/serverparameters.conf
    • frame-ancestors: Allows users to manage where OpManager's widgets or NOC views can be embedded in external applications, preventing unauthorized third-party access.

    Note: By default, the CSP header will be set. It can be disabled by updating the "ADD_CSP_HEADER false" entry under <OPMHOME>/conf/serverparameters.conf.