<p><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e3N1bW1hcnlfbGlzdDpUYXNrNj1QYXNzd29yZCBjb21wbGV4aXR5fFRhc2s1PVdlYiBpbnRlcmZhY2UgcHJvdG9jb2xzfFRhc2s3PUF1dG9tYXRpYyBleHBpcnkgb2Ygd2ViIHVzZXIgcGFzc3dvcmRzfFRhc2sxPUludHJvZHVjdGlvbnxUYXNrMj1CbG9ja2luZyBpbnZhbGlkIGxvZ2luIGF0dGVtcHRzfFRhc2szPUNoYW5naW5nIHRoZSBkZWZhdWx0IHdlYiBzZXJ2ZXIgcG9ydHxUYXNrND1FbmFibGluZyBIaWdoIFNlY3VyaXR5IG1vZGV9&locale=en_GB&version=2" data-macro-name="summary_list" data-macro-parameters="Task1=Introduction|Task2=Blocking invalid login attempts|Task3=Changing the default web server port|Task4=Enabling High Security mode|Task5=Web interface protocols|Task6=Password complexity|Task7=Automatic expiry of web user passwords"></p><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Introduction"></a></pre></td></tr></table><h1>Introduction</h1><p>The default security settings of TIM Enterprise allow for ease of installation and are suitable for the needs of most organisations. 
However, if your organisation's IT security policy demands it, or you plan to expose the system to an untrusted network such as the Internet, it is recommended you harden the security using the methods described below.</p><table class="wysiwyg-macro" data-macro-name="info" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2luZm99&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="RICH_TEXT"><tr><td class="wysiwyg-macro-body"><p>After changing any of the following settings, you will need to restart the TIM Enterprise service for the changes to take effect.</p></td></tr></table><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Blocking invalid login attempts"></a></pre></td></tr></table><h1>Blocking invalid login attempts</h1><p>The system can blacklist the source IP address of a would-be attacker if a number of unsuccessful access attempts are made within a specified period of time. 
The following two Registry entries determine how many invalid login attempts are permissible before the source IP is blacklisted, and for how long the blacklist remains in place before further attempts are entertained:</p><table class="confluenceTable"><tbody><tr><th class="confluenceTh">Registry String data value</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span class="keyword">FloodFailCount = 0</span></td><td class="confluenceTd">Number of attempts</td></tr><tr><td class="confluenceTd"><span class="keyword">FloodLockTime = 60</span></td><td class="confluenceTd">Lockout duration</td></tr></tbody></table><p>All Registry keys for TIM Enterprise are located in the following hive:</p><table class="wysiwyg-macro" data-macro-name="code" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise</pre></td></tr></table><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Changing the default web server port"></a></pre></td></tr></table><h1>Changing the default web server port</h1><p>If you would like to change the default port used for web traffic, you can edit the <span class="keyword">WWWServerPort</span> Registry key.</p><table class="confluenceTable"><tbody><tr><th class="confluenceTh">Registry String data value</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span class="keyword">WWWServerPort = port number</span></td><td class="confluenceTd">Port for the web server to listen on (default is 80, unless changed during 
setup)</td></tr></tbody></table><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Enabling High Security mode"></a></pre></td></tr></table><h1>Enabling High Security mode</h1><p>To enable High Security mode, add the following Registry String value:</p><table class="wysiwyg-macro" data-macro-name="code" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise\Main\HighSecurity = "True"</pre></td></tr></table><p>Within the Windows Registry, right click and select <span class="keyword">New -> String Value</span> and name it <span class="keyword">HighSecurity</span>.</p><p>Next, double-click on it and enter the Value of <span class="keyword">True</span>, as shown below:</p><p><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e3NjcmVlbnNob3RtYWNybzpCb3JkZXI9ZmFsc2V8U2hhZG93PWZhbHNlfFVSTD0vZG93bmxvYWQvYXR0YWNobWVudHMvMTY3MTMxNi9IaWdoU2VjdXJpdHkucG5nfQ&locale=en_GB&version=2" data-macro-name="screenshotmacro" data-macro-parameters="Border=false|Shadow=false|URL=/download/attachments/1671316/HighSecurity.png"></p><p>When the <span class="keyword">HighSecurity</span> Registry value is set to <span class="keyword">True</span>, the following restrictions are imposed:</p><ol><li><p>Ability to block individual web scripts by including them in a blacklist file:</p><table class="wysiwyg-macro" data-macro-name="code" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" 
data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>"\ssldata\{class}\blacklist.___" </pre></td></tr></table></li><li>Enforce password complexity for web users (additional Registry entries required)</li><li>Forbid direct SQL queries through the web interface</li><li>System alert messages are silently suppressed</li><li>System database connection tests forbidden</li><li>Ability to (re)create system database tables inhibited</li><li>Cannot change or test web (HTTP) port</li><li>Cannot send test emails</li><li>Debug information suppressed if an XSL translation error occurs</li></ol><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Web interface protocols"></a></pre></td></tr></table><h1>Web interface protocols</h1><p>The default behaviour is to allow all protocols: TLS1, SSL2 and SSL3.</p><p>You can change the type of connection that TIM will respond to by adding the Registry String Value <span class="keyword">WWWSSLProtocol</span>.</p><p>Note that this is a case-insensitive string value with one of the following data values:</p><table class="confluenceTable"><tbody><tr><th class="confluenceTh">Registry String data value</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span class="keyword">nossl</span></td><td class="confluenceTd">No SSL protocols, behave like a standard HTTP server</td></tr><tr><td class="confluenceTd"><span class="keyword">ssl23</span></td><td class="confluenceTd">SSL2 and SSL3 protocols only</td></tr><tr><td class="confluenceTd"><span class="keyword">ssl2</span></td><td class="confluenceTd">SSL2 protocol only</td></tr><tr><td class="confluenceTd"><span class="keyword">ssl3</span></td><td class="confluenceTd">SSL3 protocol only</td></tr><tr><td 
class="confluenceTd"><span class="keyword">tls1</span></td><td class="confluenceTd">TLS1 protocol only</td></tr></tbody></table><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Password complexity"></a></pre></td></tr></table><h1>Password complexity</h1><p>You can configure TIM Enterprise web users with complex passwords to match your organisation's IT password policy.</p><p>To enable complex passwords, a Registry String Value <span class="keyword">PasswordComplexity</span> must be added.</p><p>The following data string values allow you to configure how complex the passwords are:</p><table class="wysiwyg-macro" data-macro-name="code" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>"A"+{0-9}+"a"+{0-9}+"!"+{0-9}+"#"+{0-9}</pre></td></tr></table><p>Each part of the complexity string is defined by a pair of characters: a single character denoting the type of policy, immediately followed by a numeric character (0-9) stipulating how many characters of that type are required to satisfy the password policy.</p><p>The <span>Type </span>characters are as follows:</p><ul><li><span class="keyword">A</span>: Upper- or lower-case characters</li><li><span class="keyword">a</span>: Lower-case characters</li><li><span class="keyword">!</span>: Symbol characters</li><li><span class="keyword">#</span>: Numeric characters</li></ul><p>For example, to impose a restriction of at least 6 characters with two numbers, the following Registry entry could be used:</p><table class="wysiwyg-macro" data-macro-name="code" style="background-image: 
url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Tri-Line\TIM Enterprise\Main\PasswordComplexity = "A6a0!0#2"</pre></td></tr></table><table class="wysiwyg-macro" data-macro-name="info" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2luZm99&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="RICH_TEXT"><tr><td class="wysiwyg-macro-body"><p>The value of <span class="keyword">PasswordComplexity</span> must always be 8 characters long; otherwise the policy will not be implemented. The order of each Type pair (Type character and amount character) is not important.</p></td></tr></table><table class="wysiwyg-macro" data-macro-name="html" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2h0bWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre><a id="Automatic expiry of web user passwords"></a></pre></td></tr></table><h1>Automatic expiry of web user passwords</h1><p>You can force web users to change their password once it reaches a predetermined age. Note that this is a system-wide setting.</p><p>The server running TIM Enterprise will email the web user advising that a password change is required. 
The web user must have an email address configured, for notification to take place.</p><p>If the password is not changed by the expiry date, the account is automatically disabled.</p><table class="confluenceTable"><tbody><tr><th class="confluenceTh">Registry String data value</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span class="keyword">PasswordExpiryTimeUnits</span></td><td class="confluenceTd">Determines the time units that the related expiry entries (below) will use. Valid values are <img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2tleXdvcmRtYWNybzpMYWJlbD1taW51dGVzfQ&locale=en_GB&version=2" data-macro-name="keywordmacro" data-macro-parameters="Label=minutes">, <img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2tleXdvcmRtYWNybzpMYWJlbD1ob3Vyc30&locale=en_GB&version=2" data-macro-name="keywordmacro" data-macro-parameters="Label=hours">, <img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2tleXdvcmRtYWNybzpMYWJlbD1kYXlzfQ&locale=en_GB&version=2" data-macro-name="keywordmacro" data-macro-parameters="Label=days">, <img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2tleXdvcmRtYWNybzpMYWJlbD13ZWVrZGF5c30&locale=en_GB&version=2" data-macro-name="keywordmacro" data-macro-parameters="Label=weekdays"></td></tr><tr><td class="confluenceTd"><span class="keyword">PasswordExpiryReminder</span></td><td class="confluenceTd">A value, in the units described by the <span class="keyword">PasswordExpiryTimeUnits</span> entry, after which an email is sent to the web user to remind them to change their password.</td></tr><tr><td class="confluenceTd"><span class="keyword">PasswordExpiryDisable</span></td><td class="confluenceTd">A value, in the units described by the <span class="keyword">PasswordExpiryTimeUnits</span> entry, which specifies how long after the 
reminder email (above) is sent, that a web user's account will be disabled if it hasn't been updated.</td></tr></tbody></table><p>Default values for the above settings are as follows:</p><ul><li><span class="keyword">PasswordExpiryTimeUnits</span> = "days"</li><li><span class="keyword">PasswordExpiryReminder</span> = "7"</li><li><span class="keyword">PasswordExpiryDisable</span> = "7"</li></ul><p>Therefore, using the default settings, a web user will receive an email reminder after 7 days and the account will be disabled after 14 days.</p><p>If the <span class="keyword">PasswordExpiryReminder</span> value is zero then password reminder functionality is disabled and neither a reminder email will be sent, nor will a web user's account be disabled. Since this value has a default of "7", this value must be explicitly set to zero to disable password reminder functionality.</p><p>If the <span class="keyword">PasswordExpiryDisable</span> value is explicitly set to zero, the disabling of a web user's account is skipped.</p><table class="confluenceTable"><tbody><tr><th class="confluenceTh">Registry String data value</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span class="keyword">PasswordReminderSubject</span></td><td class="confluenceTd">"Password reset notification"</td></tr><tr><td class="confluenceTd"><span class="keyword">PasswordReminderMessage</span></td><td class="confluenceTd">"Your password to access the [%productname%] service will expire in <%expiryamount%> <%expiryunits%>.\r\n You should log in to the service before <%expirydate%> to reset your password, otherwise your account will be disabled"</td></tr></tbody></table><p>The following <%%> variables are permissible in both the subject and the body text of the reminder email message:</p><table class="confluenceTable"><tbody><tr><th class="confluenceTh"><%%> variable</th><th class="confluenceTh">Description</th></tr><tr><td class="confluenceTd"><span 
class="keyword"><%product%></span></td><td class="confluenceTd">The name of the product, e.g. TIM Enterprise</td></tr><tr><td class="confluenceTd"><span class="keyword"><%expiryunits%></span></td><td class="confluenceTd">The value of <span class="keyword">PasswordExpiryTimeUnits</span></td></tr><tr><td class="confluenceTd"><span class="keyword"><%expirydate%></span></td><td class="confluenceTd">A computed date of the above values relative to the date that the email was sent at, in local date/time format.</td></tr></tbody></table>
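<p>The settings above interact (a malformed <span class="keyword">PasswordComplexity</span> string is not implemented, complexity enforcement is listed under High Security mode, and a zero <span class="keyword">PasswordExpiryReminder</span> turns off both reminders and disabling), so the following added example audits a set of exported values against them. It is not part of the original page or of Tri-Line's software; the function names, the dict input shape, the sample values and the rule that each Type character appears exactly once are assumptions.</p>

```python
# Added example: audit exported TIM Enterprise Registry values against this page.
TYPES = "Aa!#"  # Type characters listed under "Password complexity"

def parse_complexity(value):
    """Return {type: required count}, or None if the string would not be applied."""
    if len(value) != 8:  # page: the value must always be 8 characters
        return None
    pairs = [(value[i], value[i + 1]) for i in range(0, 8, 2)]
    if any(t not in TYPES or n not in "0123456789" for t, n in pairs):
        return None
    policy = {t: int(n) for t, n in pairs}
    # Assumption: each type appears exactly once; the pairs may be in any order.
    return policy if len(policy) == 4 else None

def audit(values):
    """values: dict of Registry value name -> string data (shape assumed here)."""
    findings = []
    high = values.get("HighSecurity") == "True"  # exact data value given on the page
    if not high:
        findings.append("HighSecurity is not True: its restrictions are not imposed")
    proto = values.get("WWWSSLProtocol")
    if proto is None:
        findings.append("WWWSSLProtocol absent: default also allows SSL2 and SSL3")
    elif proto.strip().lower() != "tls1":  # the value is case-insensitive
        findings.append("WWWSSLProtocol=%r is not tls1" % proto)
    pc = values.get("PasswordComplexity")
    if pc is None:
        findings.append("PasswordComplexity absent: complex passwords not enabled")
    elif parse_complexity(pc) is None:
        findings.append("PasswordComplexity=%r is malformed: policy not implemented" % pc)
    elif not high:
        findings.append("PasswordComplexity set, but enforcement is a HighSecurity restriction")
    # Defaults of "7" for both expiry values are the ones stated on the page.
    if values.get("PasswordExpiryReminder", "7").strip() == "0":
        findings.append("PasswordExpiryReminder=0: reminders and account disabling are off")
    elif values.get("PasswordExpiryDisable", "7").strip() == "0":
        findings.append("PasswordExpiryDisable=0: accounts are never disabled on expiry")
    return findings

# Constructed sample values, not taken from a real installation.
SAMPLE = {"HighSecurity": "True", "WWWSSLProtocol": "SSL23",
          "PasswordComplexity": "A6a0!0#", "PasswordExpiryDisable": "0"}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```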