Security


The following settings are available in this menu:

  • Server public address template (Added support for external load balancer for ISL Conference Proxy)
  • Use single public address in GRID (This option has to be enabled to use external load balancer for ISL Conference Proxy, make sure you also set Server public address template (above) and have correct settings in DNS Server Zones tab.)
  • Do not use service public addresses for web pages
  • Alternate (for CDN) addresses for web pages (Enter alternate addresses of web pages used by Content delivery network)
  • Alternate (for CDN) addresses for other services (Enter alternate addresses for services used by Content delivery network)
  • Allow X-Forwarded-For header (for CDN) for IP ranges
  • Record client IPs (Enable to record client IP addresses)
  • Max recorded client IPs to hold in memory (Number of IP addresses stored)
  • Save recorded client IPs interval in seconds
  • Disable automatic SSL usage on web pages (enable/disable automatic usage of SSL on web pages)
  • Force SSL for all user web pages (enable/disable forcing SSL for user web pages)
  • Use SSL only for login on user web pages
  • Hide server version in HTTP response (allow/deny server version to be shown in HTTP response)
  • Disable autocomplete for web login forms (Disable autocomplete function for forms on login pages)
  • Do not cache encrypted web pages to disk (Enable/disable caching of encrypted web pages to disk)
  • Hide account status when performing forgotten password procedure
  • Allow sending forgotten password emails to unregistered email accounts (Allow sending forgotten password emails to addresses not registered with ISL Online account)
  • Enable insecure redirect handler(backwards compatibility only)
  • Disable framing of web pages
  • Force SSL for WebSockets (enable/disable forcing SSL for WebSockets)
  • Force SSL for WEBAPI (enable/disable forcing SSL for WEBAPI)
  • Force SSL for WEBAPI2 (enable/disable forcing SSL for WEBAPI2)
  • Filters that define access to webapi2 (Define filters for accessing webapi2 and web pages. Example of filter syntax:
[user_id=s-1_0_0|path=/users/isllight]
allow_ip 1.2.3.0/24;

[/users/isllight]

[/users]
allow_ip 1.2.3.0/24;

Note: In the example above, user web pages (/users) can be accessed only from 1.2.3.0/24, and ISL Light (/users/isllight) cannot be accessed by anyone except the user with id s-1_0_0, and only from 1.2.3.0/24.

The following lines, commented out here, show further filter directives (a per-IP section, denying a method and denying a user):
#[ip 172.16.120.180]
#filter deny_method utils/counters/query;
#filter deny_user s20_1_1
  • Filters that define access to web pages (The same syntax applies as for the filters that define access for webapi/webapi2)
[/users/main/login.html]
allow_ip 1.2.3.0/24;
allow_ip 172.16.1.0/24;
allow_ip 172.16.99.0/24;
  • User privileges settings
  • User can view list of domains on server (specifies whether users can view a list of their own domains on the server)
  • User can view list of users in own domain (specifies whether users can view other users in the domain)
  • User can view list of users on server (specifies whether users can view a list of other users who have access to the server)
  • User can view own sessions (specifies whether users can view their own sessions)
  • User can control own sessions (specifies whether users can terminate their own sessions)
  • User can view sessions in domain (specifies whether users can view sessions within their domains)
  • User can control sessions in domain (specifies whether users can terminate any sessions within their domains)
  • User can view all sessions on server (specifies whether users can view all sessions on server)
  • User can control all sessions on server (specifies whether users can terminate any sessions on server)
  • View network status in /network_status (specifies whether users can view network status at /network_status)
  • Enable system information in /sysinfo (specifies whether to enable system information in /sysinfo)
  • Configuration (backwards compatibility only)
  • Allow stress test (Allow the stress test to be performed)
  • User can change full name (specifies whether users can change full names)
  • User can change e-mail (specifies whether users can change e-mail addresses)
  • User can change nickname (specifies whether users can change nicknames)
  • User can change password (specifies whether users can change passwords)
  • User can change time zone (specifies whether users can change time zones)
  • Store last used language in account (specifies whether to save the last used language in account)
  • Mail template for forgotten password (Customize the template for the email sent when a user forgets his or her password)
  • Mail template for forgotten password (backwards compatibility v1) (Mail template for forgotten password used for backwards compatibility)
  • Forgot password e-mail token expiry in seconds (Expiry time for the forgotten password token; if the password isn't changed within this time, a new password reset has to be requested)
  • Valid password format (regex) (use this option to specify a valid password format using a regular expression)

When a user enters a new password it has to match the regex you specified in ISL Conference Proxy.

Example

^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,}$

The regex above requires the user password to contain at least:

  • 8 characters in total
  • 2 upper-case letters
  • 1 special character (!@#$&*)
  • 2 numerals (0-9)
  • 3 lower-case letters

Because each requirement is expressed as a lookahead, the order of the characters does not matter and more than the minimum of each class is allowed.

Explanation:

  • ^                             Start anchor
  • (?=.*[A-Z].*[A-Z])            Ensure the string has at least two upper-case letters.
  • (?=.*[!@#$&*])                Ensure the string has at least one special character from the set !@#$&*.
  • (?=.*[0-9].*[0-9])            Ensure the string has at least two digits.
  • (?=.*[a-z].*[a-z].*[a-z])     Ensure the string has at least three lower-case letters.
  • .{8,}                         Ensure the string is at least 8 characters long.
  • $                             End anchor.

More regex information and tutorials can be found here: https://regexone.com/. 
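As an added example (not ISL Online's own code), the Python below checks candidate passwords against the regex above and reports which requirement a rejected password misses, which is useful when writing the invalid-password error text. The candidate passwords are constructed for illustration. It also shows why the anchoring matters: with re.match, Python's `$` also matches just before a trailing newline, so a password ending in "\n" would pass; re.fullmatch does not have that gap. Whether the regex engine inside ISL Conference Proxy behaves the same way is not stated on the page, so that part is an assumption about Python only.

```python
import re
import string
from typing import List

# The password policy regex from the page, compiled once.
PASSWORD_RE = re.compile(
    r"^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,}$"
)

SPECIALS = "!@#$&*"


def password_is_valid(password: str) -> bool:
    """True if the whole string satisfies every lookahead and the length rule.

    re.fullmatch is used so that a trailing newline cannot slip past the '$'
    anchor (Python's '$' matches before a final '\\n' as well as at the end).
    """
    return PASSWORD_RE.fullmatch(password) is not None


def password_is_valid_naive(password: str) -> bool:
    """Same regex with re.match: accepts 'PassWord12!\\n' because '$' is lenient."""
    return PASSWORD_RE.match(password) is not None


def explain_failure(password: str) -> List[str]:
    """Return the requirements the candidate misses, in the regex's order.

    Counts use ASCII classes so they agree with [A-Z], [a-z] and [0-9].
    An empty list means the password satisfies the policy.
    """
    upper = sum(c in string.ascii_uppercase for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    digits = sum(c in string.digits for c in password)
    special = sum(c in SPECIALS for c in password)
    checks = [
        ("at least 8 characters", len(password) >= 8),
        ("at least 2 upper-case letters", upper >= 2),
        ("at least 1 special character (!@#$&*)", special >= 1),
        ("at least 2 digits", digits >= 2),
        ("at least 3 lower-case letters", lower >= 3),
    ]
    return [name for name, ok in checks if not ok]


# Constructed candidates (not from the page) covering the edge cases.
CANDIDATES = {
    "Password1!": False,   # only one upper-case letter and one digit
    "PassWord12!": True,   # meets every minimum
    "PASSWORD12!": False,  # no lower-case letters
    "Ab1!Ab1!": False,     # exactly 8 chars but only two lower-case letters
    "Ab1!Ab1!c": True,     # third lower-case letter makes it valid
    "Pass Word 12!": True, # spaces are allowed; nothing forbids them
}


def check_all() -> dict:
    """Evaluate every candidate; used to confirm the regex and explainer agree."""
    return {pw: password_is_valid(pw) for pw in CANDIDATES}


if __name__ == "__main__":
    for pw, expected in CANDIDATES.items():
        print(f"{pw!r:18} valid={password_is_valid(pw)!s:5} missing={explain_failure(pw)}")
    print("naive match on trailing newline:", password_is_valid_naive("PassWord12!\n"))
    print("fullmatch on trailing newline:  ", password_is_valid("PassWord12!\n"))
```

Run it to see each candidate with the rules it misses; explain_failure returns an empty list exactly when password_is_valid accepts the string (for newline-free ASCII input).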

  • Valid e-mail format (regex) (use this option to specify a valid e-mail format using a regular expression)
  • Invalid e-mail error (use this option to modify the invalid e-mail error notification)
  • Error message for disabled module (Use this option if you wish to show an error message when a disabled module is used)
  • License specification
  • Application SSL test port
  • Application SSL protocol
  • Application SSL cipher suite
  • HTTP proxy for web client (you can use this option to specify a web proxy that should be used by ISL Conference Proxy, the syntax is proxyaddress:proxyport or username:password@proxyaddress:proxyport if you need to specify a username and a password for your web proxy)
  • Do not use HTTP proxy for addresses (if you set the option above, you can use this setting to specify the addresses where a web proxy should not be used; use commas to separate the addresses)
  • Allowed IP addresses for administration (By default, you can only access ISL Conference Proxy administration from a local machine - you can specify allowed IP addresses in two ways, either list the IP addresses separated with commas or specify an allowed subnet, e.g. 192.168.0.1/255.255.255.0.)
  • Must use SSL for administration (set to Yes to allow only SSL encrypted access to ISL Conference Proxy administration - note that you will need to use the appropriate https link for administration: https://localhost:7615/conf)
  • Allowed IP addresses for XMLMSG (use this option to set allowed IP addresses that can use the XMLMSG interface for ISL Conference Proxy administration)
  • Must use SSL for XMLMSG (set to Yes to allow only SSL encrypted access to ISL Conference Proxy administration through the XMLMSG interface - note that you will need to use the appropriate https link for administration: https://localhost:7615/xmlmsg)
  • Force networks to public internet address (use this option to override server's autodetect for internet/intranet)
  • Force networks to private intranet address (use this option to override server's autodetect for internet/intranet)
  • Internet Explorer plugin trusted sites (this setting is used when installing ISL WebStart from the server)
  • Enable email matching on authentication (Enable users to also log in with their account e-mail address instead of their username)
  • Max accounts when authenticating with email matching
  • Maximum failed logins for user (default 5) - maximum number of failed attempts to log in as specific user
  • Maximum failed logins for address (default 5) - maximum number of failed attempts to log in from a specific IP address
  • Maximum failed logins period in seconds (default 60) - time period defined in seconds for limiting the above two rules
  • GRID-wide maximum failed logins (default YES) - option to define whether above login settings are defined on whole GRID network
  • System hashed password scheme (Select the scheme for storing passwords and account settings for services that don't require a reversible storing scheme)
    • You can select between the following options:
      • islhash1 - selected by default, most secure amongst the available options. It uses the following algorithm (PBKDF2 with HMAC-SHA512) for hashing passwords:
rounds = 10000
salt = random_bytes(16)
output = rounds + ':' + base64(salt) + ':' + base64(PKCS5_PBKDF2_HMAC(password, salt, rounds, sha512))
verify = unbase64(output[2]) == PKCS5_PBKDF2_HMAC(password, unbase64(output[1]), output[0], sha512)

where output[0], output[1] and output[2] are the three colon-separated fields of the stored value (rounds, salt, derived key).
      • islstatic1 - Internal reversible password scheme - LESS SECURE
      • plain text - passwords are stored in plain text

Note: Passwords on ISL Conference Proxy used to be stored as plain text. Since ISL Conference Proxy 4.1.0, new accounts and password resets use the islhash1 scheme for hashing passwords, and user accounts and settings are no longer stored in plain text. Accounts created before updating to ISL Conference Proxy 4.1 are still stored as plain text; a password change is needed for all old accounts.

  • System reversible password scheme (Select the scheme for storing passwords and account settings for services that require reversible storing scheme)
    • You can select between following options:
      • islstatic1 - Internal reversible password scheme
      • plain text - passwords are stored in plain text
  • Login password scheme (Select scheme for hashing and storing login passwords)
    • You can select between following options:
      • islhash1 - selected by default, most secure amongst the available options.
      • islstatic1 - Internal reversible password scheme - LESS SECURE
      • plain text - passwords are stored in plain text
  • islhash1 salt size (Set the salt size in bytes, default value is 16)
  • islhash1 rounds (Set the number of rounds when hashing the passwords, default value is 10 000)
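The islhash1 sketch above, together with the salt size and rounds settings, is enough to write a compatible hasher and verifier. The Python below is an added example, not ISL Conference Proxy's own code; it assumes standard base64, UTF-8 password encoding and a derived-key length equal to the SHA-512 digest (64 bytes), none of which the page states. The verifier reads rounds and salt from the stored value, so raising "islhash1 rounds" later still verifies old entries, and needs_rehash flags entries made with weaker parameters so they can be re-hashed on the next successful login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Defaults from the page: 10 000 rounds, 16-byte salt.
DEFAULT_ROUNDS = 10_000
DEFAULT_SALT_SIZE = 16
# Assumption: derived-key length is not stated on the page; use the full
# SHA-512 digest length, which is PBKDF2-HMAC-SHA512's natural output.
DK_LEN = 64


def islhash1_hash(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt_size: int = DEFAULT_SALT_SIZE,
                  salt: Optional[bytes] = None) -> str:
    """Return 'rounds:base64(salt):base64(dk)' as sketched on the page.

    `salt` may be supplied only for deterministic tests; in production it
    must come from os.urandom (a CSPRNG), never from the random module.
    """
    if rounds < 1 or salt_size < 8:
        raise ValueError("rounds must be >= 1 and the salt at least 8 bytes")
    if salt is None:
        salt = os.urandom(salt_size)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, DK_LEN)
    return ":".join((str(rounds),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def islhash1_parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored value into (rounds, salt, derived key); raises ValueError if malformed."""
    rounds_s, salt_b64, dk_b64 = stored.split(":")       # wrong field count -> ValueError
    rounds = int(rounds_s)                                # non-numeric -> ValueError
    salt = base64.b64decode(salt_b64, validate=True)      # bad base64 -> binascii.Error (a ValueError)
    dk = base64.b64decode(dk_b64, validate=True)
    if rounds < 1 or not salt or not dk:
        raise ValueError("empty field or invalid round count")
    return rounds, salt, dk


def islhash1_verify(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored rounds and salt; compare in constant time.

    A malformed stored value is treated as a failed login rather than an exception,
    so a corrupted record cannot turn into an error path that skips the check.
    """
    try:
        rounds, salt, expected = islhash1_parse(stored)
    except (ValueError, AttributeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, rounds, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, rounds: int = DEFAULT_ROUNDS,
                 salt_size: int = DEFAULT_SALT_SIZE) -> bool:
    """True if the entry was made with fewer rounds or a shorter salt than current policy."""
    try:
        r, salt, _ = islhash1_parse(stored)
    except (ValueError, AttributeError):
        return True
    return r < rounds or len(salt) < salt_size


if __name__ == "__main__":
    entry = islhash1_hash("correct horse")          # constructed sample password
    print(entry)
    print("verify ok :", islhash1_verify("correct horse", entry))
    print("verify bad:", islhash1_verify("correct horsf", entry))
    print("needs rehash after raising rounds to 20000:", needs_rehash(entry, rounds=20_000))
```

Each call with a fresh salt yields a different stored string for the same password, which is what prevents precomputed-table attacks across accounts; only the verifier's recomputation ties them together.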

Possible problems when using islhash1 (PBKDF2):

ISL Light Desk 3.2.1 or older cannot authenticate if the user account's password is stored with the PBKDF2 scheme (3.2.2+ sends the password correctly). Workaround: change the scheme to plain/reversible and set the password again.

ISL AlwaysOn: light::web_session was committed in https://fisheye.islonline.com/changelog/ISL?cs=14670. ISL AlwaysOn Connect 1.2.0 is required for normal operation (it uses the web session id); 1.1.0 or older will ask for a password and won't connect automatically.

ISL Pronto: the latest build of the module (2.2.1beta48+) is required for normal operation, otherwise ISL Light Desk will ask for a password and won't connect automatically.

Other important info:

The latest ISL Conference Proxy (4.0.3beta1+) will automatically start using the islhash1 scheme for all new accounts or password resets. However, you must use ISL Pronto module 2.2.1beta48+, otherwise ISLCP will keep the default mode as plain text!

The latest ISL AlwaysOn module (2.2.3beta7+) is required if you wish to support users with ISL AlwaysOn Connect 1.1.0 or older while using reversible encryption for passwords (islstatic1).

  • Require signature for Online update (Check the validity of index.xml and software_policy.xml downloaded from http://www.islonline.com/system/updates when determining which updates are available. If this is disabled it is possible to trick ISL Conference Proxy into downloading third-party files, but ISL Conference Proxy will reject them once they are downloaded, as all update files are signed.)
  • Require signature for Manual update (Check the validity of index.xml and software_policy.xml stored locally when determining which updates are available during a Manual update. If this is disabled it is possible to trick ISL Conference Proxy into downloading third-party files, but ISL Conference Proxy will reject them once they are downloaded, as all update files are signed.)
  • External authenticator (use this option to specify an external authenticator for all users; you can use an existing Microsoft Active Directory, Novell eDirectory, OpenLDAP, Radius or FreeRADIUS for user authentication)
  • External authenticator allows empty passwords (default value: no; added support for preventing an empty password from being passed on to the external authenticator)
  • External authenticator backend error reports
  • One time passwords (Set to allow one time passwords for login)
  • Authenticode tool
  • Use authenticode from license (Set whether code signing should be done from license or from certificate file )
  • Use authenticode packed parameters (BASE64)(the input expects base64 encoded authenticode license key. This setting overrides other authenticode settings including the setting defined in license)

Note: Software downloaded from ISL Conference Proxy is now signed by default with two different certificates (SHA-1 & SHA-2) to follow the latest security standards while keeping backwards compatibility for systems that only support SHA-1 signatures. The options below are therefore duplicated: the first set of settings lets you set up your own SHA-2 certificate, and the [compat] settings let you set up your own SHA-1 certificate.

  • Authenticode enabled (Use this option to enable/disable authenticode - code signing for all executables downloaded from the server)
  • Authenticode hash function (Select the hash algorithm used by authenticode; you can select between MD5, SHA1, SHA256, SHA384 and SHA512. Default value: Autodetect)
  • Authenticode publisher certificate file (PKCS#7) (use this option to set the certificate file - in DER PKCS#7 format)
  • Authenticode private key file (PEM) (use this option to set the private key file)
  • Authenticode private key passphrase (use this option to set the private key passphrase in case you use an encrypted private key)
  • Authenticode enabled [compat] (Use this option to enable/disable authenticode - code signing for all executables downloaded from the server)
  • Authenticode hash function [compat] (Select the hash algorithm used by authenticode; you can select between MD5, SHA1, SHA256, SHA384 and SHA512. Default value: Autodetect)
  • Authenticode publisher certificate file [compat] (PKCS#7) (use this option to set the certificate file - in DER PKCS#7 format)
  • Authenticode private key file [compat] (PEM) (use this option to set the private key file)
  • Authenticode private key passphrase [compat] (use this option to set the private key passphrase in case you use an encrypted private key)
