Security settings let the administrator configure security-related options without depending on support technicians to resolve security issues. Using these settings, the administrator can configure safeguards that protect the application from potential vulnerabilities and security breaches.
You can configure security settings by navigating to Admin >> General >> Security Settings.
Role Required: SDAdmin
Configure account lockout threshold and duration: Using this option, you can ensure a user account is locked after a pre-specified number of failed login attempts. You can customize the message to be displayed if the user is locked out due to too many login attempts. This configuration applies to all types of authentication.
To configure account lockout threshold and duration,
- Enable Configure account lockout threshold and duration.
- Specify the account lockout threshold.
- Specify the number of login attempts (N) allowed and the duration to reset a locked user account.
- Choose whether to lock the user account only on the computer where the login was attempted or on any computer.
- Customize the message to be displayed when the user account is locked.
- Choose to notify technicians either by email or as a technician space notification in the header.
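The lockout behaviour described above (threshold N, reset duration, per-computer or any-computer scope, custom message, technician notification), modelled as an added example; this is not ServiceDesk Plus code, and the setting names and the source identifier passed as "computer" are assumptions:

```python
import time

class LockoutPolicy:
    """Lock an account after `threshold` failed logins; unlock after `reset_seconds`."""

    def __init__(self, threshold=5, reset_seconds=900, per_computer=True,
                 message="Account locked: too many failed login attempts."):
        self.threshold = threshold          # N allowed attempts (assumed default 5)
        self.reset_seconds = reset_seconds  # duration after which a locked account resets
        self.per_computer = per_computer    # lock only where attempted, or everywhere
        self.message = message              # customised message shown when locked
        self._state = {}                    # key -> {"count": int, "locked_at": float|None}
        self.notifications = []             # what a technician would be notified of

    def _key(self, user, source):
        # Scope: (user, computer) locks only that computer; (user, None) locks everywhere.
        return (user, source) if self.per_computer else (user, None)

    def is_locked(self, user, source, now=None):
        now = time.time() if now is None else now
        key = self._key(user, source)
        entry = self._state.get(key)
        if entry is None or entry["locked_at"] is None:
            return False
        if now - entry["locked_at"] >= self.reset_seconds:
            del self._state[key]            # lockout duration elapsed: account resets
            return False
        return True

    def record_failure(self, user, source, now=None):
        """Return the lockout message once the threshold is reached, else None."""
        now = time.time() if now is None else now
        if self.is_locked(user, source, now):
            return self.message
        key = self._key(user, source)
        entry = self._state.setdefault(key, {"count": 0, "locked_at": None})
        entry["count"] += 1
        if entry["count"] >= self.threshold:
            entry["locked_at"] = now
            self.notifications.append(f"{user} locked out (source={source})")
            return self.message
        return None

    def record_success(self, user, source):
        # A successful login clears the failure counter for that scope.
        self._state.pop(self._key(user, source), None)
```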
Server Port and Protocol Configuration: You can choose whether to run the application in HTTP or HTTPS mode.
- For HTTP: Specify the default Server port where the application has to run.
- For HTTPS: After specifying the server port and NIO port, the administrator can choose from the listed TLS versions and ciphers. Restricting these to strong options ensures that data in transit is properly encrypted and cannot be read by an attacker.
Configure expiry date for "Keep me signed-in" feature: You can set the duration the user can be kept signed into the application. On the expiry date, the user has to re-authenticate by entering the login information again. By default, the user has to re-authenticate every 45 days.
Enable password protection for all file attachments: You can protect the file attachments stored in your application from unauthorized access by encrypting them at the server level. This prevents attachment data on the server from being read if the server storage is compromised. The password is available only to the SDAdmin and can also be used in case of encryption failure.
Add security response headers:
Configure security response headers to safeguard the application from XSS and other attacks.
- Choose the required security response header from the list.
- Enter the response header value.
You can also include or exclude one or more response headers.
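An added example (not ServiceDesk Plus code) that audits a set of response headers of the kind configured above: it reports headers that are missing or carry a weak value. The set of expected headers and the one-year HSTS minimum are this example's assumptions, not values the product mandates; the sample header sets are constructed.

```python
ONE_YEAR = 31536000  # assumed minimum HSTS max-age in seconds

def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; None if absent or not a number."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            raw = raw.strip().strip('"')
            return int(raw) if raw.isdigit() else None
    return None

# Header -> predicate that decides whether the configured value is acceptable (assumed policy).
EXPECTED = {
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Strict-Transport-Security": lambda v: (hsts_max_age(v) or 0) >= ONE_YEAR,
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
}

def audit_security_headers(headers):
    """Return findings for a response header map; an empty list means all checks passed."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, acceptable in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not acceptable(value):
            findings.append(f"weak value: {name}: {value}")
    return findings

if __name__ == "__main__":
    # Constructed sample: what a response might carry after two headers were configured.
    sample = {"X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=60"}
    for finding in audit_security_headers(sample):
        print(finding)
```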
Domain Filtering during Login: This option filters the domains listed during login based on the username entered. If disabled, the entire domain list is displayed, which reduces the probability of an attacker learning which domain a particular user belongs to. Note that you can enable domain filtering only if the domain drop-down is enabled.
Stop uploading scanned XMLs via non-login URL: The agent sends scanned XML to the application through a non-login URL, so there is a chance that other, unwanted scanned XML data can be uploaded into the application through the same path. When this option is enabled, the application does not accept such uploads without proper authentication.
Allow Technicians to generate their own API keys: This option enables technicians to generate their API keys for connecting ServiceDesk Plus with third-party applications. If disabled, only the administrator can generate API keys for the technicians.
Enable antivirus scanning for file uploads:
You can configure your existing antivirus software in ServiceDesk Plus to detect any vulnerable files during file uploads and when email attachments are received. Only antivirus software that uses the ICAP protocol can be configured.
To configure an antivirus scan in the application,
- Go to Admin > Security Settings > Advanced.
- Click on the checkbox beside Enable Antivirus scanning for file uploads.
- Enter the Host Name where the antivirus is installed.
- Enter the Service Name and the Port of the antivirus tool. This can be found in your Antivirus tool's Settings page.
- Click Save.
Once configured, file uploads and received email attachments are scanned for vulnerable files.
Enable password policy: Password Policy allows the administrator to configure and enforce the criteria for creating passwords. This improves the security of user passwords. Password policy is enabled by default.
The configured password policy will be applied when:
- Users change/reset their account passwords.
- SDAdmin changes user passwords.
- New users are added via Web form, CSV import, Active Directory import, or LDAP import.
- Dynamic users are added.
- Local authentication password is set - both auto-generated and predefined passwords.
To configure the password policy,
- Select the Enable password policy checkbox.
- Select the minimum password length between 8 and 99. The default value is 8.
- Select if the password must include:
  - Both uppercase and lower case letters
- Choose the number of previous passwords to remember and prevent reuse. The application can remember up to 8 passwords.
- Select the expiry period for the password.
Application must be restarted for the saved settings to take effect.
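The password policy settings above (minimum length 8 to 99, mixed case, up to 8 remembered passwords, expiry period) as an added validator example; this is not ServiceDesk Plus code, and the salted SHA-256 hashing of the password history, the expiry in days and the message texts are this example's assumptions.

```python
import hashlib
import os
from datetime import date, timedelta

class PasswordPolicy:
    def __init__(self, min_length=8, require_mixed_case=True, history=8, expiry_days=90):
        if not 8 <= min_length <= 99:
            raise ValueError("minimum length must be between 8 and 99")
        if not 0 <= history <= 8:
            raise ValueError("the application remembers at most 8 passwords")
        self.min_length, self.require_mixed_case = min_length, require_mixed_case
        self.history, self.expiry_days = history, expiry_days

def _hash(password, salt):
    # Assumed: store only a salted hash of each remembered password, never the plaintext.
    return hashlib.sha256(salt + password.encode()).hexdigest()

class UserCredential:
    def __init__(self, policy):
        self.policy = policy
        self.salt = os.urandom(16)
        self.previous = []        # remembered hashes, most recent first, capped at policy.history
        self.changed_on = None    # date of the last password change

    def check(self, candidate):
        """Return the list of policy violations for a proposed password (empty = acceptable)."""
        p, problems = self.policy, []
        if len(candidate) < p.min_length:
            problems.append(f"shorter than {p.min_length} characters")
        has_upper = any(c.isupper() for c in candidate)
        has_lower = any(c.islower() for c in candidate)
        if p.require_mixed_case and not (has_upper and has_lower):
            problems.append("must include both uppercase and lowercase letters")
        if _hash(candidate, self.salt) in self.previous:
            problems.append(f"matches one of the last {p.history} passwords")
        return problems

    def set_password(self, candidate, today):
        """Apply the policy; on success record the hash in history and the change date."""
        problems = self.check(candidate)
        if problems:
            return problems
        self.previous.insert(0, _hash(candidate, self.salt))
        del self.previous[self.policy.history:]   # forget anything beyond the remembered count
        self.changed_on = today
        return []

    def is_expired(self, today):
        # Re-authentication with a new password is required once the expiry period has passed.
        return self.changed_on is None or today - self.changed_on >= timedelta(days=self.policy.expiry_days)
```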