Securing CSM Applications
Security configuration recommendations for on-premise CSM installations are provided for the Cherwell Application Server, CSM Web Applications, and CSM Administrator.
Recommendations for Cherwell Application Server
- Install the Cherwell Application Server with Internet Information Services (IIS) with the Cherwell REST API enabled.
- Configure Secure Sockets Layer (SSL) using a Trusted Agent.
- Change the default password for the CSDAdmin account.
- Configure database security with separate database accounts for the 2-tier connection.
Recommendations for CSM Web Applications
- Configure SSL using a Trusted Agent.
- Use the /updatebrowserclientsettings/RedirectHttptoHttps command in the Command-Line Configure utility to set a value of true.
Recommendations for CSM Administrator
Recommendations for CSM Administrator apply to both on-premise and SaaS environments.
- Set the number of allowed failed customer login attempts before lockout to five (Security > Edit security settings > Cherwell Credentials > Lockout customers after 5 failed login attempts).
- Adhere to Open Web Application Security Project (OWASP) best practices for attachments (Security > Attachments) and password complexity (Security > Cherwell Credentials).
- Validate Windows security accounts (navigate to Security > Desktop and then select Validate Windows/LDAP credentials on Server).
- Disable client auto-login (navigate to Security > Desktop, and then clear the Allow users to have system remember last password option).
- Set URLs for CSM Web Applications to use HTTPS (Browser Settings > Portal and Browser Client URLs).
- Disable iFrame embedding (navigate to Browser Settings and select Do not allow browser applications to be embedded within iFrame).
- Disable detailed error messages (navigate to Browser Settings and select Do not send detailed error information to client).
- Disable linked attachments (navigate to Browser Settings and select Disable linked attachments in the browser applications).
- Disable password auto-complete on the login page (navigate to Browser Settings and select Disable password auto-complete on login page).
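The following is an added verification example, not Cherwell code or part of the original page: it audits captured HTTP responses from a CSM web application for the externally observable effects of the HTTP-to-HTTPS redirect, iFrame embedding, detailed error message and password auto-complete settings above. The host name, the sample responses, and the assumption that the iFrame setting surfaces as an X-Frame-Options or Content-Security-Policy frame-ancestors header are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Response:
    """Captured HTTP response (constructed inline below, so no network is needed)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # Header names are case-insensitive; return "" when absent
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

def audit_csm_web(http_root: Response, https_login: Response) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # RedirectHttptoHttps=true should answer a plain-HTTP request with a redirect to https://
    loc = http_root.header("Location")
    if http_root.status not in (301, 302, 307, 308) or not loc.lower().startswith("https://"):
        findings.append("plain HTTP request is not redirected to HTTPS")
    # "Do not allow browser applications to be embedded within iFrame": assumed to surface as
    # X-Frame-Options or a CSP frame-ancestors directive (which header CSM emits is an assumption)
    xfo = https_login.header("X-Frame-Options").upper()
    csp = https_login.header("Content-Security-Policy")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("login page can be embedded in an iFrame")
    # "Disable password auto-complete on login page": every password input needs autocomplete off
    for tag in re.findall(r"<input[^>]*>", https_login.body, re.I):
        if re.search(r'type\s*=\s*"?password', tag, re.I) and \
           not re.search(r'autocomplete\s*=\s*"?(off|new-password)', tag, re.I):
            findings.append("password field allows auto-complete")
    # "Do not send detailed error information to client": look for .NET stack-trace markers
    if re.search(r"stack trace|at System\.|exception details", https_login.body, re.I):
        findings.append("detailed error information is sent to the client")
    return findings

# Constructed sample captures: one hardened deployment, one with the defaults left in place
HARDENED_HTTP = Response(301, {"Location": "https://csm.example.com/CherwellPortal/"})
HARDENED_LOGIN = Response(200, {"X-Frame-Options": "DENY"},
    '<form><input type="text" name="user"><input type="password" name="pw" autocomplete="off"></form>')
WEAK_HTTP = Response(200, {}, "<html>portal</html>")
WEAK_LOGIN = Response(500, {},
    '<input type="password" name="pw"><pre>Stack Trace: at System.Web.UI.Page.ProcessRequest</pre>')

if __name__ == "__main__":
    print("hardened:", audit_csm_web(HARDENED_HTTP, HARDENED_LOGIN))  # []
    print("weak:", audit_csm_web(WEAK_HTTP, WEAK_LOGIN))              # four findings
```

Point the same checks at real captures (for example from the browser's network tab or curl -i) after applying the settings to confirm each one took effect.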