iDashboards is not in the business of system security. However, we do want to share some of the best practices we have found. By no means does this ensure the security of your system; it should help mitigate some of the risks. All scans should be run against a system that has a valid SSL certificate installed, not a self-signed certificate.
All security scans should be performed on the most current version of iDashboards. When running the scan, please turn the system log level up to 'Debug (most Verbose)'. You can do this by going to ../iDashboards/admin, clicking the 'System' tab, then 'System Logs', and looking for the 'General Level' drop-down.
This removes the Tomcat server version disclosure when a missing page is requested. Adding a custom 404 page also helps, but using both is recommended.
<Connector port="6700" protocol="HTTP/1.1"
Force traffic to use HTTPS: secure="true"
This redirects HTTP requests to HTTPS.
<Connector port="8080" protocol="HTTP/1.1"
Allow Auto-Completion of Passwords:
This setting indicates whether iDashboards passwords can be stored by the browser and automatically supplied by the browser when logging into the browser-based iDashboards applications.
To turn this off, go to the Admin page -> System -> Setting Category, select Security Settings -> Allow Auto-Completion of Passwords = False. By default the option is set to True, and many security scan applications flag this option, so if you are planning to run a security scan please turn this setting off.
This setting helps prevent the POODLE SSL exploit.
In server.xml add: sslEnabledProtocols="TLSv1.2"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
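To verify the connector settings above before a scan, here is an added audit script (not part of this note or of iDashboards) that parses a server.xml and reports any SSLEnabled connector missing secure="true", scheme="https", or a TLS-only sslEnabledProtocols list. The two server.xml documents embedded in it are constructed samples, and tolerating TLSv1.3 alongside TLSv1.2 is this script's own assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real iDashboards deployment file);
# the HTTPS connector follows the settings in this note.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="6700" />
    <Connector port="6700" protocol="HTTP/1.1" maxThreads="150"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL"
               sslEnabledProtocols="TLSv1.2" />
  </Service>
</Server>"""

# Constructed weak variant: secure="true" dropped and SSLv3/TLSv1 left enabled.
WEAK_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'sslEnabledProtocols="TLSv1.2"', 'sslEnabledProtocols="SSLv3,TLSv1,TLSv1.2"'
).replace('secure="true"', '')

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: TLSv1.3 is also acceptable

def attr(elem, name, default=None):
    """Case-insensitive attribute lookup, so Secure= and secure= are treated alike."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return default

def audit_connectors(xml_text):
    """Return a list of findings for the HTTPS connectors; an empty list means all checks passed."""
    findings = []
    tls_connectors = 0
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = attr(conn, "port", "?")
        if attr(conn, "SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector; only the TLS connector is audited here
        tls_connectors += 1
        if attr(conn, "secure", "").lower() != "true":
            findings.append(f'port {port}: secure="true" missing')
        if attr(conn, "scheme") != "https":
            findings.append(f'port {port}: scheme="https" missing')
        protos = {p.strip() for p in attr(conn, "sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos:
            findings.append(f'port {port}: sslEnabledProtocols not set; the JRE default list applies (older JREs included SSLv3, POODLE)')
        elif protos - ALLOWED_PROTOCOLS:
            findings.append(f'port {port}: weak protocols enabled: {sorted(protos - ALLOWED_PROTOCOLS)}')
    if tls_connectors == 0:
        findings.append("no SSLEnabled connector found; HTTPS is not configured")
    return findings
```

Run audit_connectors on the text of your real server.xml; the sample returns no findings, while the weak variant reports the missing secure flag and the SSLv3/TLSv1 protocols.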
Cookies not sent over SSL: useHttpOnly="true"
The User Application can be framed by another web page. To disallow this, go to the Admin page -> System -> Security Settings. You will see the following options; by default they are set as follows.
- User Application X-Frame-Options Header = None
- HTML Viewer X-Frame-Options Header = None
- Admin Application X-Frame-Options Header = Deny
Set all to DENY to prevent framing of iDashboards.
Removing the Tomcat manager application will prevent anyone from trying to log in to it. By default there is no username and password configured for logging in, but brute-force attacks can strain system resources and cause slow-running dashboards.
Create an index.html page and paste the following code into it.
<html><head><meta http-equiv="refresh" content="0;URL=../idashboards"></head></html>
This forwards anyone hitting the root directory to the iDashboards application by default. It also saves having to type /idashboards.
Custom 404 Page
Adding this page will send people to the 404 page and then redirect them to the iDashboards application when used in conjunction with the page redirect above. This is useful for people who mistype the URL and for people probing for information.
The file to edit is ROOT/WEB-INF/web.xml.
In the ROOT directory under webapps/ROOT, add a 404.html containing whatever HTML you would like.
You will then need to add the following to the bottom of the web.xml document.