This requires Admin privileges and editing server.xml and context.xml in the server configuration (Server/conf) directory on your server.
iDashboards is not a system security expert; however, we would like to help with some of the best practices we have found (by no means does this ensure the security of your system). This should help mitigate some of the risks. All scans should be done on a system with a valid SSL certificate, not a self-signed certificate. Make sure you have completed: Tomcat: Server SSL Certificate Installation.
All security scans should be performed on the most current version of iDashboards. When running the scan, please set the system log level to Debug (most verbose). You can do this in iDashboards Admin: click System, then System Logs, and look on the left for the General Level.
This removes the Tomcat server version disclosure when a missing page is requested. Adding a 404 page will also help, but using both is recommended.
<Connector port="6700" protocol="HTTP/1.1"
Force traffic to use HTTPS
Redirects HTTP requests to HTTPS.
<Connector port="8080" protocol="HTTP/1.1"
Allow Auto-Completion of Passwords
This setting indicates whether iDashboards passwords can be stored by the browser and automatically supplied by the browser when logging into the iDashboards applications. To turn this off, go to iDashboards Admin -> System -> System Settings -> Security Settings and set Allow Auto-Completion of Passwords to FALSE. The option is set to TRUE by default, and many security scan applications flag it, so if you are planning to run a security scan, please turn this setting off.
This setting helps prevent the POODLE SSL exploit (server.xml).
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
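To confirm that every TLS connector in server.xml is restricted the way the fragment above is, the check below parses the file and reports any connector that enables a protocol other than TLSv1.2. It is an added example, not iDashboards or Tomcat code; the sample server.xml, its port numbers and the function name audit_tls_connectors are constructed for illustration, and it inspects only the connector-level sslEnabledProtocols attribute used on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page): ports are made up, and the
# second and third connectors are deliberately misconfigured to show findings.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL"
               sslEnabledProtocols="TLSv1.2" />
    <Connector port="9443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.2" />
    <Connector port="10443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

ALLOWED = {"TLSv1.2"}  # the only protocol the page's connector enables


def audit_tls_connectors(server_xml: str) -> dict:
    """Map each TLS connector's port to a list of findings (empty = OK)."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS settings to check
        findings = []
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            findings.append("sslEnabledProtocols not set; defaults apply")
        else:
            enabled = {p.strip() for p in raw.split(",") if p.strip()}
            for proto in sorted(enabled - ALLOWED):
                findings.append(f"{proto} enabled")
        if conn.get("secure", "false").lower() != "true":
            findings.append('secure="true" missing')
        results[conn.get("port")] = findings
    return results


if __name__ == "__main__":
    for port, findings in audit_tls_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

To audit a real installation, pass the contents of the server.xml from the Server/conf directory instead of the sample string.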
Cookies Not Sent Over SSL
The user Application can be framed by another web page.
iDashboards Admin -> select System -> then click Security Settings
You will see three options; they are set as follows by default:
- User Application X-Frame-Options Header = None
- Embedded Viewer X-Frame-Options Header = None
- IFRAME Dashboard Panels Enabled = False
Set all to None/FALSE to prevent framing of iDashboards.
Removing Tomcat Manager will prevent anyone from trying to log in to this application. There is no password and username to log in with, but brute-force attacks can strain system resources and cause slow-running dashboards.
Create an index.html page and paste the following code into it:
<html><META http-equiv="refresh" content="0;URL=../idashboards"></html>
Anyone hitting the root directory will be forwarded to the iDashboards application. This also prevents having to type /idashboards.
Custom 404 Page
Adding this page will send people to the 404 page and then redirect them to the iDashboards application when used in conjunction with the page redirect. This is useful when people mistype the URL or probe for information. In the file: webapps/ROOT/WEB-INF/web.xml
You will then need to add the following to the bottom of the file:
For More Information:
- Apache Tomcat 7 Migration
- Apache Tomcat 8 SSL
- Apache Tomcat 9 SSL
- Tomcat: Server SSL Certificate Installation
If the above is unable to resolve the issue, then please contact iDashboards Support for further assistance.