Security
Several security features are provided in Jadu Central to enable you to make your environment more secure.
| Option | Notes |
|---|---|
| Trusted IP addresses | Prevent users from logging into Jadu Central from their home computer by setting their access privileges to only allow logins from trusted IP addresses. To make the feature available, set ADMINISTRATOR_IP_ADDRESS_RESTRICTIONS to true and populate TRUSTED_IP_ADDRESSES with a comma-separated list of trusted IP addresses. You can then select, on each user's profile, whether that user may only log in from the trusted IP range or also from outside your organisation. |
| Prevent concurrent logins | You can configure Jadu Central so that only one session can exist for a particular user at any one time. This prevents an attacker logging into an account from a different machine while the user is active. To enable this feature, set DISALLOW_CONCURRENT_LOGINS to true. |
| Prevent brute force attacks | If an attacker can access a login page repeatedly with automated software, they can use username enumeration to discover valid credentials on your system. You can mitigate this risk by limiting the rate at which a user can repeatedly request and submit the login page with incorrect details. reCAPTCHA is used to ensure that bots always fail to provide correct details. Configure this integration in the integration hub, and set the constant CC_LOGIN_RATELIMIT_ENABLED to true on the set constants page. Once the integration is enabled and the rate-limit constant is set, a user who makes 10 or more invalid login attempts on the Jadu Control Center will be prompted with reCAPTCHA on the login screen. |
| Password expiry | It is good security practice to force users to change their password regularly. Jadu Central forces users to change their password after a set number of days; the default is 30 days. This can be configured for your organisation by setting the value of PASSWORD_EXPIRY_DAYS. |
| Session expiry | It is good security practice to expire the session when the user has been idle for a long time. Jadu Central's default session expiry time is 15 minutes. This can be configured for your organisation by setting the value of session_expiry_time in config/constants.xml. |
| Password reuse | It is good practice to prevent administrators from reusing old passwords when they are prompted to change their password after expiry. You can configure how many previous passwords are checked for reuse by setting the value of ADMIN_PASSWORD_HISTORY_THRESHOLD. |
| Password validation policy | Jadu Central ships with a standard password validation policy, but this can be strengthened in line with your internal security policies by changing PASSWORD_VALIDATION_PATTERN to a regular expression of your choice. Remember to also update PASSWORD_VALIDATION_MESSAGE so that administrators receive appropriate guidance when choosing a password. |
| Force passwords to be changed after being set by another user | A password should only be known by the owner of the credentials. It is therefore good practice to force a password to be changed after a user's account is created. This feature is enabled by default; it can be disabled by setting FORCE_PASSWORD_RESET_ON_CHANGE to false. |
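The trusted IP login restriction from the table, written out as an added illustration (this is not Jadu Central's own code). The constant values are constructed, and accepting CIDR ranges as entries is an assumption the page does not state.

```python
import ipaddress

# Constructed stand-ins for the Jadu Central constants named in the table above.
# The addresses are RFC 5737 documentation ranges, not real infrastructure.
ADMINISTRATOR_IP_ADDRESS_RESTRICTIONS = True
TRUSTED_IP_ADDRESSES = "203.0.113.10, 203.0.113.11,198.51.100.0/24"


def parse_trusted_ips(value: str) -> list:
    """Parse the comma-separated TRUSTED_IP_ADDRESSES value.

    Each entry is a single address or (assumption, not stated on the page)
    a CIDR range. Whitespace around entries is tolerated. A malformed entry
    raises ValueError so that a typo fails loudly at start-up rather than
    silently shrinking or widening the trusted set.
    """
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing or doubled comma
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid TRUSTED_IP_ADDRESSES entry: {entry!r}") from exc
    return networks


def login_allowed_from(remote_ip: str, user_restricted: bool, trusted=None) -> bool:
    """Return True if a login from remote_ip may proceed.

    user_restricted mirrors the per-user profile setting described above.
    remote_ip must be the address of the connecting peer (or the client
    address a trusted reverse proxy is configured to forward), never a
    header the client can set freely such as X-Forwarded-For.
    """
    if not ADMINISTRATOR_IP_ADDRESS_RESTRICTIONS or not user_restricted:
        return True
    if trusted is None:
        trusted = parse_trusted_ips(TRUSTED_IP_ADDRESSES)
    addr = ipaddress.ip_address(remote_ip)
    # Dual-stack listeners may present IPv4 clients as ::ffff:a.b.c.d;
    # compare the embedded IPv4 address against the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in trusted)
```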
Sensitive data
Depending on its use within your organisation, Jadu Central may store a large quantity of sensitive data.
Sensitive data is defined as:
- Any data submitted by a public user, including their personal details
- The personal details of internal users of the system
- IP addresses
- File system storage locations
Where appropriate, sensitive data held by Jadu Central is encrypted. Passwords are hashed using BCrypt and a salt.
Good practice
Jadu recommend following normal system hardening practice, such as removing unrequired users and disabling unrequired services, but there are some points to note:
- Windows: An unprivileged user should be used to run the scheduled tasks. This user needs the “Logon as batch job” privilege, configured through Local Security Policy or Group Policy, and write permissions on the log files in the JADU_HOME/logs directory. Jadu recommend following Microsoft's patching guidelines to ensure the systems are up to date.
- PHP versions and distribution security
- Error reporting: Error logging can be useful in spotting problems, but can also expose information about your system's architecture to the outside world. In production environments you must therefore ensure that your configuration in php.ini disables display_errors and display_startup_errors. Refer to the PHP manual for further information on these settings.
- Regular testing: Penetration testing should be conducted at least annually and after significant changes, to ensure that newly discovered vulnerabilities are not affecting the external infrastructure and web application. This will also confirm that good security practice has been maintained.
- Patching: Good practice is to ensure that all systems are patched whenever a new release containing security fixes is published.