Securing CSM Applications
Security configuration recommendations for on-premise CSM installations are provided for the Cherwell Application Server, CSM Web Applications, and CSM Administrator.
Recommendations for Cherwell Application Server
- Install the Cherwell Application Server with Internet Information Services (IIS) with the Cherwell REST API enabled.
- Configure Secure Sockets Layer (SSL) using a Trusted Agent.
- Change the default password for the CSDAdmin account.
- Configure database security with separate database accounts for the 2-tier connection.
Recommendations for CSM Web Applications
- Configure SSL using a Trusted Agent.
- Use the
/updatebrowserclientsettings/RedirectHttptoHttpscommand in the Command-Line Configure utility to set a value of true.
Recommendations for CSM Administrator
Note: Recommendations for
CSM Administrator
apply to both on-premise and SaaS environments.
- Set the number of allowed failed customer login attempts before lockout to five ().
- Adhere to Open Web Application Security Project (OWASP) best practices for attachments () and password complexity ().
- Validate Windows security accounts (navigate to and then select Validate Windows/LDAP credentials on Server).
- Disable client auto-login (navigate to , and then clear the Allow users to have system remember last password option).
- Set URLs for CSM Web Applications to use HTTPS ().
- Disable iFrame embedding (navigate to Browser Settings and select Do not allow browser applications to be embedded within iFrame).
- Disable detailed error messages (navigate to Browser Settings and select Do not send detailed error information to client).
- Disable linked attachments (navigate to Browser Settings and select Disable linked attachments in the browser applications).
- Disable password auto-complete on the login page (navigate to Browser Settings and select Disable password auto-complete on login page).