Configuring Miscellaneous Security Options

You can use the System > Configuration > Security > Miscellaneous page to configure the following security options:

  • Persistent cookie options—Choose whether to preserve or delete persistent cookies when a session is terminated.
  • Lockout options—You can configure lockout options to protect the system from denial of service (DoS), distributed denial of service (DDoS), and password-guessing attacks.

  • Slow Post Attack Defense - You can configure to protect against slow-post DOS attacks from non-authenticated users.

  • Integrity checking options - You can configure scan the system to periodically check for any integrity anomalies. If any anomaly found, information is displayed in the dashboard.

    On low-end machines, a reduction in through-put may be seen. To overcome such issues, opt for scheduled scan option in off-peak hours.

    To configure cookie and lockout options:

    1.Select System > Configuration > Security > Miscellaneous to display the configuration page.

    The following figure shows the configuration page.

    2. Complete the configuration as described in the following table.

    3. Save the configuration.

    The following figure depicts the Miscellaneous Security Options Configuration Page:

To configure cookie and lockout options:

  1. Select System > Configuration > Security > Miscellaneous to display the configuration page.
  2. Complete the configuration as described in table.
  3. Save the configuration.

Settings

Guidelines

Delete all cookies at session termination

For convenience, the system sets persistent cookies on the user’s machine to support functions such as multiple sign-in, last associated realm, and the last sign-in URL. For additional security or privacy, you can choose not to set them.

Lockout options

Rate

Specify the number of failed sign-in attempts to allow per minute.

Attempts

Specify the maximum number of failed sign-in attempts to allow before triggering the initial lockout. The system determines the maximum initial time (in minutes) to allow the failed sign-in attempts to occur by dividing the specified number of attempts by the rate. For example, 180 attempts divided by a rate of 3 results in an initial period of 60 minutes. If 180 or more failed sign-in attempts occur within 60 minutes or less, the system locks out the IP address being used for the failed sign-in attempt.

Lockout period

Specify the length of time (in minutes) the system must lock out the IP address.

Slow Post Attack Defence

Timeout

By default, the POST body is received within 10 seconds. If the browser is unable to send the POST

body within 10 seconds the connection is eventually dropped. (Configurable from 3 - 60Sec)

Maximum

Request Size

By default, now a connection is directly rejected if it tries to POST more than 4KB in POST body

(Configurable from 256 Bytes to 24 KB)

HSTS

Max Age

Specify the maximum age for HSTS. It can be disabled by configuring max age as 0.

Enable

include Subdomain directive

Select the check box to enable/disable the include Subdomain directive. By default, it is turned off.

Enable preload directive

Select the check box to enable/disable the preload directive. By default, it is turned off.

 

Booting Options on Integrity Check Failure

Booting Options on Integrity Check Failure to stop booting if integrity validation fails for manifest file or any executable.

Select the check box to enforce booting options on integrity validation. By default, it is turned off.

The following integrity checks are performed:

  • Checks the SHA512 digital signature of the manifest file.

  • Checks the SHA256 digest of each individual file entries in the manifest.

If enabled and integrity check fails, admin gets an option to roll back to previous working package or perform factory reset or continue to boot

Host Header Validation

Enable Host

Header Validation

to block open

redirect attacks

Select the check box to enforce Host Header validation. By default, it is turned off.

When Host header validation is enabled, every http request will be validated against hostnames

and IP v4/v6 addresses known to the IPS server. If match is not found, the request will be dropped.

Active Directory Encryption type

Enable AES 256 type encryption

for Active Directory

Authentication Server

Select the check box to enable AES256 encryption type. If enabled, this option changes the encryption type to AES256 for all Active Directory Authentication Server using Kerberos Authentication Protocol.

This Feature is applicable only for Active Directory Authentication Server using Kerberos Authentication protocol.

Scenario Illustrating Lockout Settings Workflow

The following scenario illustrates how lockout settings work. For example, assume the following settings:

  • Rate = 3 failed sign-in attempts per minute
  • Attempts = 180 maximum allowed in initial period of 60 minutes (180/3)
  • Lockout period = 2 minutes

The following sequence illustrates the effect of these settings:

  • During a period of 3 minutes, 180 failed sign-in attempts occur from the same IP address. Because the specified value for Attempts occurs in less than the allowed initial period of 60 minutes (180/3), the system locks out the IP address for 2 minutes (fourth and fifth minutes).
  • In the sixth minute, the system removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts/minute. In the sixth and seventh minutes, the number of failed sign-in attempts is 2 per minute, so the system does not lock the IP address. However, when the number of failed sign-in attempts increases to 5 in the eighth minute, which is a total of 9 failed sign-in attempts within 3 minutes, the system locks out the IP address for 2 minutes again (ninth and tenth minutes).
  • In the eleventh minute, the system removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts per minute again. When the rate remains below an average of 3 per minute for 60 minutes, the system returns to its initial monitoring state.