Securing CSM Applications

Security configuration recommendations for on-premise CSM installations are provided for the Cherwell Application Server, CSM Web Applications, and CSM Administrator.

Recommendations for Cherwell Application Server

  • Install the Cherwell Application Server under Internet Information Services (IIS), with the Cherwell REST API enabled.
  • Configure Secure Sockets Layer (SSL) for the IIS site using a certificate from a Trusted Agent (a certificate authority that client machines already trust) rather than a self-signed certificate.
  • Change the default password for the CSDAdmin account before the server is made available to users.
  • Configure database security with separate, least-privileged database accounts for the 2-tier connection (the direct client-to-database connection), so that clients do not reuse the credentials the Application Server itself uses.

Recommendations for CSM Web Applications

  • Configure SSL using a Trusted Agent.
  • Use the Command-Line Configure utility to set /updatebrowserclientsettings/RedirectHttptoHttps to true, so that requests that reach the web applications over plain HTTP are redirected to HTTPS.

Recommendations for CSM Administrator

Recommendations for CSM Administrator apply to both on-premise and SaaS environments.

  • Set the number of allowed failed customer login attempts before lockout to five (Security > Edit security settings > Cherwell Credentials > Lockout customers after 5 failed login attempts).
  • Adhere to Open Web Application Security Project (OWASP) best practices for attachments (Security > Attachments) and password complexity (Security > Cherwell Credentials).
  • Validate Windows security accounts (navigate to Security > Desktop and then select Validate Windows/LDAP credentials on Server).
  • Disable client auto-login (navigate to Security > Desktop, and then clear the Allow users to have system remember last password option).
  • Set URLs for CSM Web Applications to use HTTPS (Browser Settings > Portal and Browser Client URLs).
  • Disable iFrame embedding (navigate to Browser Settings and select Do not allow browser applications to be embedded within iFrame).
  • Disable detailed error messages (navigate to Browser Settings and select Do not send detailed error information to client).
  • Disable linked attachments (navigate to Browser Settings and select Disable linked attachments in the browser applications).
  • Disable password auto-complete on the login page (navigate to Browser Settings and select Disable password auto-complete on login page).
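Several of the web-application items above (the HTTP-to-HTTPS redirect, blocked iFrame embedding, suppressed detailed error pages, and disabled password auto-complete) are visible on the wire, so they can be verified from outside the product. The script below is an added example, not Cherwell code: it audits captured HTTP responses for each of those items. The responses, the host csm.example.com and the paths are constructed placeholders; the header names and the ASP.NET detailed-error page markers are standard, not CSM-specific. It also goes one step beyond the page with a Strict-Transport-Security check, because an application-level redirect still lets the browser's first request travel in clear text, and HSTS is the usual companion to such a redirect.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    """One captured HTTP response (header names stored in lower case)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")

    def is_html(self) -> bool:
        return self.header("content-type").lower().startswith("text/html")


# Each check returns True (pass), False (fail) or None (not applicable to this response).

def check_http_redirects_to_https(r: Response) -> Optional[bool]:
    """RedirectHttptoHttps: a plain-HTTP request must be answered with a redirect to https://."""
    if not r.url.lower().startswith("http://"):
        return None
    return r.status in (301, 302, 307, 308) and r.header("location").lower().startswith("https://")


def check_hsts(r: Response, min_age: int = 31536000) -> Optional[bool]:
    """HTTPS responses should carry Strict-Transport-Security with a max-age of at least a year."""
    if not r.url.lower().startswith("https://"):
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", r.header("strict-transport-security"), re.I)
    return bool(m) and int(m.group(1)) >= min_age


def check_frame_embedding_blocked(r: Response) -> Optional[bool]:
    """Blocked iFrame embedding shows up as X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors."""
    if not (r.status == 200 and r.is_html()):
        return None
    if r.header("x-frame-options").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    m = re.search(r"frame-ancestors\s+([^;]+)", r.header("content-security-policy"), re.I)
    return bool(m) and m.group(1).strip().lower() in ("'none'", "'self'")


# Strings that appear on the ASP.NET detailed error page (stack trace, source line, exception type).
ASPNET_ERROR_MARKERS = ("Server Error in '", "Stack Trace:", "Source Error:", "Exception Details:")


def check_no_detailed_errors(r: Response) -> Optional[bool]:
    """A 5xx body must not contain the detailed-error page markers."""
    if r.status < 500:
        return None
    return not any(marker in r.body for marker in ASPNET_ERROR_MARKERS)


def check_password_autocomplete_off(r: Response) -> Optional[bool]:
    """Every password input must carry autocomplete="off" (browsers treat "new-password" the same)."""
    if not r.is_html():
        return None
    inputs = re.findall(r"<input\b[^>]*>", r.body, re.I)
    pw_fields = [i for i in inputs if re.search(r"""type\s*=\s*["']?password""", i, re.I)]
    if not pw_fields:
        return None
    return all(re.search(r"""autocomplete\s*=\s*["']?(off|new-password)""", i, re.I) for i in pw_fields)


CHECKS = {
    "redirect_http_to_https": check_http_redirects_to_https,
    "hsts_present": check_hsts,
    "iframe_embedding_blocked": check_frame_embedding_blocked,
    "detailed_errors_hidden": check_no_detailed_errors,
    "password_autocomplete_off": check_password_autocomplete_off,
}


def audit(responses):
    """True only if every applicable response passes; False if any fails; None if none applied."""
    report = {}
    for name, check in CHECKS.items():
        verdicts = [v for v in (check(r) for r in responses) if v is not None]
        report[name] = all(verdicts) if verdicts else None
    return report


# Constructed sample captures: the same three URLs before and after hardening.
HOST = "csm.example.com"  # placeholder host, not a real deployment
HTML = {"content-type": "text/html; charset=utf-8"}
HSTS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
LOGIN_FORM = '<form><input type="text" name="user"><input type="password" name="pw"></form>'
LOGIN_FORM_HARDENED = LOGIN_FORM.replace('name="pw"', 'name="pw" autocomplete="off"')

BEFORE = [
    Response(f"http://{HOST}/CherwellPortal/", 200, HTML, "<html><body>portal</body></html>"),
    Response(f"https://{HOST}/CherwellPortal/Login", 200, HTML, LOGIN_FORM),
    Response(f"https://{HOST}/CherwellPortal/Broken", 500, HTML,
             "<h1>Server Error in '/CherwellPortal' Application.</h1><b>Stack Trace:</b> at ..."),
]
AFTER = [
    Response(f"http://{HOST}/CherwellPortal/", 301, {"location": f"https://{HOST}/CherwellPortal/"}),
    Response(f"https://{HOST}/CherwellPortal/Login", 200,
             {**HTML, **HSTS, "x-frame-options": "DENY"}, LOGIN_FORM_HARDENED),
    Response(f"https://{HOST}/CherwellPortal/Broken", 500, {**HTML, **HSTS},
             "<h1>An error occurred. Contact your administrator.</h1>"),
]

if __name__ == "__main__":
    for label, batch in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(batch))
```

To use this against a real installation, capture the responses for the portal root over http://, the login page over https://, and a request that provokes a server error, and feed them to audit(). A None in the report means no captured response exercised that check, not that the setting is correct.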