<p>The default security settings of TIM Enterprise allow for ease of installation and are suitable for the needs of most organisations. However, if your organisation's IT security policy demands it, or you plan to expose the system to an untrusted network such as the Internet, it is recommended that you harden the system using the methods described below.</p>
<p>NOTE: After changing any of the following settings, you will need to restart the TIM Enterprise service before the changes take effect.</p>
<h2>Blocking invalid login attempts</h2> <p>The system can blacklist the source IP address of a would-be attacker if a number of unsuccessful access attempts are made within a specified period of time. The following two Registry entries determine how many invalid login attempts are permitted before the source IP address is blacklisted, and how long the blacklist remains in place before further attempts are accepted:-</p> <table class="confluenceTable"> <tbody> <tr> <th class="confluenceTh" width=166>Registry String data value</th> <th class="confluenceTh">Description</th> </tr> <tr> <td class="confluenceTd"><span class="keyword">FloodFailCount = 0</span></td> <td class="confluenceTd">Number of attempts</td> </tr> <tr> <td class="confluenceTd"><span class="keyword">FloodLockTime = 60</span></td> <td class="confluenceTd">Lockout duration</td> </tr> </tbody> </table> <p>All Registry keys for TIM Enterprise are located in the following hive:-</p>
<p><span class="keyword">HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise</span></p>
<img id="border" src="http://www.tri-line.com/common/img/documentation/tim_enterprise/windows_registry.png" alt="Windows registry" /> <h2>Changing the default web server port</h2> <p>If you would like to change the default port used for web traffic, you can edit the "WWWServerPort" Registry value.</p> <table class="confluenceTable"> <tbody> <tr> <th class="confluenceTh" width=166>Registry String data value</th> <th class="confluenceTh">Description</th> </tr> <tr> <td class="confluenceTd"><span class="keyword">WWWServerPort = port number</span></td> <td class="confluenceTd">Port for the web server to listen on (default is 80, unless changed during setup)</td> </tr> </tbody> </table> <h2>Enabling High Security mode</h2> <p>To enable High Security mode, add the following Registry String value:-</p>
<p><span class="keyword">HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise\Main\HighSecurity = "True"</span></p>
<p>Within the Windows Registry, right-click and select <span class="keyword">New &rarr; String Value</span></p> <p> Then, enter <span class="keyword">HighSecurity</span> with a Value of <span class="keyword">True</span>, as shown below:</p> <img src="http://www.tri-line.com/common/img/documentation/tim_enterprise/HighSecurity.png" alt="HighSecurity Registry value" /> <p>When the <span class="keyword">HighSecurity</span> Registry value is set to <span class="keyword">True</span>, the following restrictions are imposed:-</p> <ol> <li> Ability to block individual web scripts by including them in a blacklist file: <div style="border-width: 1px;" class="code panel"><div class="codeContent panelContent"> <div><div class="syntaxhighlighter java" id="highlighter_500102"> <table cellspacing="0" cellpadding="0" border="0"><tbody><tr><td class="code"> <div title="Hint: double-click to select code" class="container"><div class="line number1 index0 alt2"><code class="java plain">"\ssldata\{class}\blacklist.___"</code></div></div></td></tr> </tbody></table></div></div> </div></div> </li> <li> Enforce password complexity for web users (additional Registry entries required)</li> <li> Forbid direct SQL queries through web interface</li> <li> System alert messages are silently suppressed</li> <li> System database connection tests forbidden</li> <li> Ability to (re)create system database tables inhibited</li> <li> Cannot change or test web (HTTP) port</li> <li> Cannot send test emails</li> <li> Debug information suppressed if an XSL translation error occurs</li> </ol>
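<p>The following PowerShell audit is an added example, not Tri-Line's own tooling: it reports where the values described on this page are set and checks that HighSecurity exists under \Main as a String value of "True". The -Apply switch and the $ServiceName parameter are assumptions of this example; the page does not name the Windows service, so it must be supplied by the administrator.</p>

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
param(
    [switch]$Apply,          # assumption: without -Apply the script only reports
    [string]$ServiceName     # assumption: the page does not name the Windows service
)

$hive = 'HKLM:\SOFTWARE\Tri-Line\TIM Enterprise'   # hive given on the page
$main = Join-Path $hive 'Main'                      # HighSecurity lives under \Main

function Get-TimValue {
    # The page does not say which subkey holds every value, so search the hive by name.
    param([string]$Name)
    $keys = @(Get-Item -LiteralPath $hive -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $hive -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        if ($k.GetValueNames() -contains $Name) {
            [pscustomobject]@{
                Name = $Name
                Key  = $k.Name
                Kind = $k.GetValueKind($Name)   # String, DWord, ...
                Data = $k.GetValue($Name)
            }
        }
    }
}

# Report the settings described above wherever they are found.
$report = 'FloodFailCount', 'FloodLockTime', 'WWWServerPort', 'HighSecurity' |
    ForEach-Object { Get-TimValue -Name $_ }
$report | Format-Table -AutoSize

# HighSecurity only counts if it is a String (REG_SZ) value "True" under \Main.
$hs = $report | Where-Object { $_.Name -eq 'HighSecurity' -and $_.Key -like '*\TIM Enterprise\Main' }
$ok = $hs -and $hs.Kind -eq 'String' -and $hs.Data -eq 'True'

if ($ok) {
    Write-Output 'HighSecurity is enabled.'
} elseif ($Apply) {
    New-ItemProperty -LiteralPath $main -Name 'HighSecurity' -Value 'True' -PropertyType String -Force | Out-Null
    Write-Output 'HighSecurity set to "True".'
    if ($ServiceName) {
        Restart-Service -Name $ServiceName   # settings apply only after a service restart
    } else {
        Write-Output 'Restart the TIM Enterprise service for the change to take effect.'
    }
} else {
    Write-Output 'HighSecurity is NOT enabled (missing, wrong type, or not "True"). Re-run with -Apply.'
}
```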