Security options in Continuum CMS

Continuum CMS provides several security features that you can enable to make your environment more secure. Most of them are controlled by named constants, which are referred to in the sections below.

Trusted IP addresses

Restrict users to logging into Continuum CMS only from trusted IP addresses, for example to stop staff logging in from a home computer. To make the feature available, set ADMINISTRATOR_IP_ADDRESS_RESTRICTIONS to true and populate TRUSTED_IP_ADDRESSES with a comma-separated list of trusted IP addresses. You can then enable the restriction on an individual user's profile to decide whether that user may log in only from the trusted IP range or also from outside your organisation. If Continuum CMS sits behind a reverse proxy or load balancer, make sure the address being checked is the real client address rather than the proxy's; otherwise every login appears to come from the same internal address, or, if a forwarded header is trusted without checking who sent it, the restriction can be bypassed by supplying a trusted address in that header.
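As an added illustration of the check this section describes (example Python written for this page, not Continuum CMS code, whose implementation the page does not show), the snippet below parses a TRUSTED_IP_ADDRESSES-style list and applies the per-user restriction. It goes beyond the page in two assumed respects: entries may be CIDR ranges as well as single addresses, and the client address is taken from X-Forwarded-For only when the direct peer is a proxy you operate. The constant values, the KNOWN_PROXIES set and the user profile flag are constructed for the example.

```python
import ipaddress

# Constructed configuration values standing in for the CMS constants.
# CIDR support and the proxy handling below are assumptions of this
# example, not documented Continuum CMS behaviour.
ADMINISTRATOR_IP_ADDRESS_RESTRICTIONS = True
TRUSTED_IP_ADDRESSES = "203.0.113.10, 203.0.113.11, 198.51.100.0/24"

# Reverse proxies or load balancers in front of the application. Only
# these peers are allowed to tell us the client address via X-Forwarded-For.
KNOWN_PROXIES = {"10.0.0.5"}


def parse_trusted(value):
    """Turn a comma-separated list of addresses or CIDR ranges into networks."""
    networks = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=False lets a bare host address become a /32 (or /128).
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def client_address(remote_addr, forwarded_for=None):
    """Work out the real client address.

    X-Forwarded-For is attacker-controlled unless the direct peer is a proxy
    we run, so it is honoured only then, and only the last hop (the address
    our own proxy appended) is used; anything earlier in the chain may be forged.
    """
    if forwarded_for and remote_addr in KNOWN_PROXIES:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])
    return ipaddress.ip_address(remote_addr)


def login_permitted(user, remote_addr, forwarded_for=None):
    """Apply the trusted-IP restriction for one user.

    `user` is a dict whose 'restrict_to_trusted_ips' flag stands in for the
    setting on the user's profile.
    """
    if not ADMINISTRATOR_IP_ADDRESS_RESTRICTIONS:
        return True
    if not user.get("restrict_to_trusted_ips", False):
        return True
    try:
        addr = client_address(remote_addr, forwarded_for)
    except ValueError:
        return False  # malformed address: fail closed rather than open
    return any(addr in network for network in parse_trusted(TRUSTED_IP_ADDRESSES))
```

The two X-Forwarded-For cases are the ones worth testing: a header arriving directly from the internet is ignored, and a header arriving via the known proxy is trusted only as far as its last hop.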

Prevent concurrent logins

You can configure Continuum CMS so that only one session can exist for a particular user at any one time. An attacker who has obtained a user's credentials then cannot hold a session from a different machine alongside the user's own active session. To enable this feature, set DISALLOW_CONCURRENT_LOGINS to true.

To enable this feature for public (front-end) users, set DISALLOW_CONCURRENT_FE_LOGINS to true.

Prevent brute force attacks

An attacker who can submit the login page repeatedly with automated software can enumerate usernames and try passwords until valid credentials are found. You can mitigate this by limiting the rate at which login attempts with incorrect details can be made.

reCAPTCHA is used so that automated clients cannot keep submitting attempts. To enable it, navigate to the "Google reCAPTCHA" section of the Utilities > Integrations module and enable reCAPTCHA by setting the version, public_key and private_key issued to you on the Google reCAPTCHA site.

Then set the constant CC_LOGIN_RATELIMIT_ENABLED to true on the set constants page.

Once the integration is enabled and the rate limit constant is set, the Jadu control center login screen will prompt for reCAPTCHA after 10 or more invalid login attempts. Rate limiting reduces how many guesses an attacker can make; it does not remove the need for the login form to give the same response for an unknown username as for a wrong password, so that valid usernames cannot be enumerated from the error message.
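To make the rate-limit-then-captcha behaviour concrete, here is an added Python example written for this page (it is not Continuum CMS code and does not use its API). It counts failed attempts per username and client address in a sliding window, demands a captcha once the documented threshold of 10 failures is reached, and answers an unknown username and a wrong password identically. The 15-minute window, the plain-text user table and the `captcha_ok` flag (standing in for a verified reCAPTCHA response) are assumptions of the example.

```python
import hmac
import time
from collections import defaultdict, deque

CC_LOGIN_RATELIMIT_ENABLED = True
# The page states that the captcha appears after 10 invalid attempts; the
# 15-minute window over which attempts are counted is an assumption here.
CAPTCHA_AFTER_FAILURES = 10
WINDOW_SECONDS = 15 * 60


class LoginRateLimiter:
    """Counts failed logins per (username, client IP) in a sliding window.

    Once the count reaches CAPTCHA_AFTER_FAILURES the caller must demand a
    captcha before processing further attempts for that key. A successful
    login clears the count. The clock is injectable so the class can be tested.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    @staticmethod
    def _key(username, ip):
        return (username.strip().lower(), ip)

    def _prune(self, key, now):
        timestamps = self._failures[key]
        while timestamps and now - timestamps[0] > WINDOW_SECONDS:
            timestamps.popleft()
        return timestamps

    def record_failure(self, username, ip):
        now = self._clock()
        self._prune(self._key(username, ip), now).append(now)

    def record_success(self, username, ip):
        self._failures.pop(self._key(username, ip), None)

    def captcha_required(self, username, ip):
        if not CC_LOGIN_RATELIMIT_ENABLED:
            return False
        pending = self._prune(self._key(username, ip), self._clock())
        return len(pending) >= CAPTCHA_AFTER_FAILURES


def attempt_login(limiter, users, username, password, ip, captcha_ok=False):
    """Handle one login attempt and return 'captcha', 'invalid' or 'ok'.

    `users` maps usernames to passwords. They are plain text only to keep the
    example short; a real system stores and compares password hashes.
    """
    if limiter.captcha_required(username, ip) and not captcha_ok:
        return "captcha"
    # Unknown user and wrong password take the same path and produce the
    # same answer, so the response does not reveal which usernames exist.
    stored = users.get(username, "")
    valid = username in users and hmac.compare_digest(stored.encode(), password.encode())
    if valid:
        limiter.record_success(username, ip)
        return "ok"
    limiter.record_failure(username, ip)
    return "invalid"
```

Keying on username and address together means one attacker spraying many accounts from one address is not throttled by this counter alone; a production deployment would add a per-address counter as well.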

Password expiry

It is common security practice to force users to change their password regularly. Continuum CMS forces users to change their password after a set number of days; the default is 30 days. Configure this for your organisation by setting the value of PASSWORD_EXPIRY_DAYS. Note that current guidance such as NIST SP 800-63B advises against mandatory periodic rotation unless there is evidence of compromise, because it tends to produce predictable variations of the old password, so weigh a longer expiry against your own policy.

Session expiry

It is good security practice to expire a session when the user has been idle for a long time. Continuum CMS's default session expiry time is 15 minutes. Configure this for your organisation by setting the value of session_expiry_time in config/constants.xml.
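The single-session rule from "Prevent concurrent logins" and the idle expiry described here both live in the session store, so one added example serves both. It is Python written for this page, not Continuum CMS code: a fresh identifier is issued on every login (never one supplied by the client, which also defeats session fixation), an earlier session for the same user is revoked when DISALLOW_CONCURRENT_LOGINS is set, and a session untouched for the documented 15-minute default is dropped on its next use. The in-memory store and the injectable clock are assumptions of the example.

```python
import secrets
import time

DISALLOW_CONCURRENT_LOGINS = True
SESSION_EXPIRY_SECONDS = 15 * 60   # the documented 15-minute default


class SessionStore:
    """In-memory session registry enforcing one session per user and idle expiry."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._by_user = {}    # user -> session id currently active

    def login(self, user):
        """Issue a new session id for `user`, revoking any existing one."""
        if DISALLOW_CONCURRENT_LOGINS:
            previous = self._by_user.get(user)
            if previous is not None:
                self._sessions.pop(previous, None)
        # A server-generated, unguessable identifier; never accept one from the client.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        self._by_user[user] = sid
        return sid

    def user_for(self, sid):
        """Return the user owning a live session, refreshing its idle timer.

        Returns None if the session was revoked or has been idle too long, in
        which case it is removed.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_EXPIRY_SECONDS:
            self.logout(sid)
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        entry = self._sessions.pop(sid, None)
        if entry and self._by_user.get(entry["user"]) == sid:
            del self._by_user[entry["user"]]
```

Because the idle check happens on lookup, expired sessions for users who never return stay in the store until something touches them; a real store would also sweep them periodically.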

Password reuse

It is good practice to prevent administrators from reusing old passwords when they are prompted to change their password after it expires. Configure how many previous passwords are checked for reuse by setting the value of ADMIN_PASSWORD_HISTORY_THRESHOLD.

Password validation policy

Continuum CMS ships with a standard password validation policy, but you can tighten it in line with your internal security policies by changing PASSWORD_VALIDATION_PATTERN to a regular expression of your choice. Remember to also update PASSWORD_VALIDATION_MESSAGE so that administrators get appropriate help when choosing a password; the message should describe exactly the rule the pattern enforces, and you should test the pattern against known good and bad passwords before deploying it.

Force passwords to be changed after being set by another user

A password should be known only to the owner of the credentials. It is therefore good practice to force a password to be changed at the next login whenever it was set by someone else, including when the account is first created. This feature is enabled by default. It can be disabled by setting FORCE_PASSWORD_RESET_ON_CHANGE to false.
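The four password settings above (expiry, reuse history, validation pattern and message, forced change after being set by someone else) are all decisions made at the moment a password is set or checked, so one added example covers them together. This is Python written for this page, not Continuum CMS code: the pattern, message, threshold and expiry values are illustrative stand-ins for the constants, passwords are stored as PBKDF2 hashes (an assumption; the page does not say how the product hashes them), and the history is interpreted as the current password plus the previous ones, up to the threshold.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Illustrative values standing in for the constants described above; the
# pattern and message are examples, not the product defaults.
PASSWORD_EXPIRY_DAYS = 30
ADMIN_PASSWORD_HISTORY_THRESHOLD = 5
PASSWORD_VALIDATION_PATTERN = r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).{12,}$"
PASSWORD_VALIDATION_MESSAGE = ("Passwords must be at least 12 characters and include "
                               "upper and lower case letters, a digit and a symbol.")
FORCE_PASSWORD_RESET_ON_CHANGE = True


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, iterations, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, username):
        self.username = username
        self.current = None        # hash record of the current password
        self.history = []          # most recent first, current included
        self.changed_at = None
        self.must_change = False   # set when someone else chose the password


class PasswordPolicy:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._pattern = re.compile(PASSWORD_VALIDATION_PATTERN)

    def validate(self, account, new_password):
        """Return an error message for the user, or None if the password is acceptable."""
        if not self._pattern.search(new_password):
            return PASSWORD_VALIDATION_MESSAGE
        recent = account.history[:ADMIN_PASSWORD_HISTORY_THRESHOLD]
        if any(verify_password(new_password, record) for record in recent):
            return "You cannot reuse one of your last %d passwords." % ADMIN_PASSWORD_HISTORY_THRESHOLD
        return None

    def set_password(self, account, new_password, set_by):
        error = self.validate(account, new_password)
        if error:
            raise ValueError(error)
        record = hash_password(new_password)
        account.current = record
        account.history.insert(0, record)
        del account.history[ADMIN_PASSWORD_HISTORY_THRESHOLD:]
        account.changed_at = self._clock()
        # A password chosen by anyone other than its owner is known to two
        # people, so the owner must replace it at the next login.
        account.must_change = FORCE_PASSWORD_RESET_ON_CHANGE and set_by != account.username

    def expired(self, account):
        if account.changed_at is None:
            return True
        return self._clock() - account.changed_at > timedelta(days=PASSWORD_EXPIRY_DAYS)

    def change_required(self, account):
        return account.must_change or self.expired(account)
```

Checking reuse requires hashing the candidate against every stored record, so the cost of a password change grows with the threshold; that is a reason to keep the history short rather than to weaken the hash.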

Force the site over HTTPS

Continuum CMS can force connections to be made over HTTPS rather than HTTP. Anyone requesting a page over HTTP is redirected to the same page over HTTPS. To enable this for the entire website, set FORCE_SECURE and SSL_ENABLED to true. To enable it just for the control center, set FORCE_SECURE_CC to true. The max-age of the Strict-Transport-Security (HSTS) header is set by HSTS_MAX_AGE; the default value is 2592000 seconds (30 days). Browsers only honour the HSTS header when it arrives over HTTPS, and once a browser has seen it, it refuses plain HTTP to the host until the max-age elapses, so make sure your certificate and HTTPS configuration are stable before enabling it in production.
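As an added example of the redirect-and-HSTS behaviour (Python written for this page, not Continuum CMS code; the product's own redirect is not shown on the page), the WSGI middleware below redirects HTTP requests to the same path over HTTPS, limits that to the control center when only FORCE_SECURE_CC is set, and adds Strict-Transport-Security with the documented default max-age to responses that actually travelled over TLS. The CONTROL_CENTRE_PREFIX path and the `run` helper are assumptions made for the example.

```python
from urllib.parse import quote

# Documented switches and default; CONTROL_CENTRE_PREFIX is an assumption
# about where the control center is mounted, made only for this example.
FORCE_SECURE = True
FORCE_SECURE_CC = True
SSL_ENABLED = True
HSTS_MAX_AGE = 2592000          # seconds: 30 days
CONTROL_CENTRE_PREFIX = "/jadu/"


class ForceHttps:
    """WSGI middleware: redirect HTTP requests to HTTPS and send HSTS over HTTPS."""

    def __init__(self, app, force_secure=FORCE_SECURE, force_secure_cc=FORCE_SECURE_CC,
                 ssl_enabled=SSL_ENABLED, hsts_max_age=HSTS_MAX_AGE):
        self.app = app
        self.force_secure = force_secure
        self.force_secure_cc = force_secure_cc
        self.ssl_enabled = ssl_enabled
        self.hsts_max_age = hsts_max_age

    def needs_https(self, environ):
        if not self.ssl_enabled:
            return False
        if self.force_secure:
            return True
        path = environ.get("PATH_INFO", "")
        return self.force_secure_cc and path.startswith(CONTROL_CENTRE_PREFIX)

    @staticmethod
    def is_https(environ):
        return environ.get("wsgi.url_scheme") == "https"

    def __call__(self, environ, start_response):
        if self.needs_https(environ) and not self.is_https(environ):
            # HTTP_HOST comes from the client; in production validate it
            # against the hostnames you serve before echoing it into Location.
            location = "https://%s%s" % (environ["HTTP_HOST"],
                                          quote(environ.get("PATH_INFO") or "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Browsers ignore Strict-Transport-Security on plain HTTP, so it
            # is only added to responses that actually arrived over TLS.
            if self.is_https(environ) and self.needs_https(environ):
                headers = list(headers) + [
                    ("Strict-Transport-Security", "max-age=%d" % self.hsts_max_age)]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def run(environ, **settings):
    """Run a trivial app through the middleware; returns (status, headers, body)."""
    captured = {}

    def app(env, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(ForceHttps(app, **settings)(environ, start_response))
    return captured["status"], captured["headers"], body
```

If the application sits behind a TLS-terminating proxy, `wsgi.url_scheme` must be set from the proxy's forwarded-protocol header by a trusted layer in front of this one, or every request will look like plain HTTP and loop on the redirect.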

Disable access

It may occasionally be necessary to stop users logging into the control center, for example while a patch is being applied. On these occasions set FORBID_ALL_ADMIN_ACCESS to true, and remember to set it back to false afterwards.

Send a password reset email

By default, when a user has forgotten their password the system generates a new one and sends it to the user, which leaves a working credential in plain text in their mailbox. To have a link to a password reset page emailed instead, set USE_PASSWORD_RESET_CODES to true.
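To show what a reset code scheme needs to get right, here is an added Python example written for this page (not Continuum CMS code; the page does not describe how its codes are generated or stored). Codes are unguessable, single-use and expiring, only a hash of each code is stored, and issuing a new code invalidates any earlier one for the same user. The 30-minute lifetime and the reset URL path are assumptions of the example.

```python
import hashlib
import secrets
import time

# Assumption for this example: a reset link stays valid for 30 minutes.
RESET_CODE_TTL_SECONDS = 30 * 60


class PasswordResetCodes:
    """Issue and redeem single-use, expiring password reset codes.

    Only a SHA-256 fingerprint of each code is stored, so a copy of the
    table does not let an attacker reset anyone's password; the raw code
    exists only in the emailed link. Fingerprinting a 256-bit random code
    is sufficient here because the code cannot be guessed or brute-forced.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # fingerprint -> (username, expires_at)

    @staticmethod
    def _fingerprint(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username):
        """Create a code for `username` and return it for embedding in the email."""
        # Only the most recent link for a user should work, so drop earlier ones.
        self._pending = {fp: entry for fp, entry in self._pending.items()
                         if entry[0] != username}
        code = secrets.token_urlsafe(32)           # 256 bits of randomness
        expires_at = self._clock() + RESET_CODE_TTL_SECONDS
        self._pending[self._fingerprint(code)] = (username, expires_at)
        return code

    @staticmethod
    def reset_link(base_url, code):
        return "%s/reset-password?code=%s" % (base_url.rstrip("/"), code)

    def redeem(self, code):
        """Consume `code` and return its username, or None if it is unknown,
        superseded, already used or expired."""
        # pop() makes the code single-use whether or not it turns out to be expired.
        entry = self._pending.pop(self._fingerprint(code), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username
```

The request form that triggers `issue` should respond the same way whether or not the email address is known, otherwise the reset page becomes another place to enumerate accounts.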
