The following recommendations cover functionality reached through the Administration Interface by clicking the "MANAGEMENT" tab and then the "SECURITY" sub-tab. From there the Administration Interface allows changes to the appliance's password policy, prevention of multiple concurrent logins, idle logouts, and the ability to force all traffic to the public site over an encrypted SSL (https) connection.
| # | Recommendation | Rationale |
|---|----------------|-----------|
| 5. | Network Restrictions. Restrict access to the /login functionality to a subset of networks by choosing "Allow Only the Following Networks" and supplying the list. Ideally the list contains only the networks that house application administrators, including the address pools of any VPN solution they use. If your administrators do not sit on a separate network segment, use your internal network ranges instead. If your application administrators reside within a call center, that IP address range must also be included. Note: the /login interface contains different functionality than the /appliance interface. | Security best practice is to limit access to administrative functionality to the smallest set of source networks that need it. |
| 6. | Minimum Password Length. Set the minimum password length to comply with your corporate password security policy. If you do not currently have a policy, use a minimum length of 6 characters. | Security best practice, including ISO 17799, specifies a minimum password length of 6 characters. Depending on the type of support and the systems that will be remotely supported, raise this to 8; current guidance such as NIST SP 800-63B treats 8 characters as the floor for user-chosen passwords. |
| 7. | Password Complexity. Enable the requirement for complex passwords. | Secure passwords combine upper and lower case letters, numerals, and symbols; requiring several character classes enlarges the space an attacker must search. |
| 8. | Password Expiration. Set password expiration to comply with your corporate password policy. If you do not have a password policy, expire passwords every 90 days. | At a minimum, passwords should expire every 90 days. Depending upon the nature of the support or the supported systems, the interval may be shortened to 30 or 60 days. |
| 9. | Account Lockout. Lock accounts after 5 consecutive failed login attempts. | Account lockout blunts online brute-force and password-guessing attacks against the appliance and is a common security best practice. Depending on the nature of the support or the supported systems, the threshold may be reduced to 3. Note that a low threshold also lets anyone who knows a username lock that representative out, so pair lockout with the network restrictions in row 5 and review lockout events. |
| 10. | Terminate Session If Account Is In Use. Prevent multiple concurrent logins by enabling the session termination functionality. | Security best practice is to maintain unique, non-shared accounts on systems and applications. Preventing concurrent logins discourages credential sharing and keeps each session attributable to one person. |
| 11. | Log out Idle Representatives. Log idle representatives out of the Bomgar Box™ after 30 minutes of idle time. | Security best practice is to require screen locks and idle timeouts within applications so that a terminal left unattended cannot be used by someone else. At a minimum, accounts should be logged out within 30 minutes. |
| 12. | Force Public Site to Use SSL (https). Enable this feature so that all communications with the appliance are encrypted. Note: an SSL certificate must be generated and signed by a trusted authority, otherwise browsers will show security warnings on the appliance's public interface. After enabling it, confirm from a client outside the appliance that http:// requests are redirected to https:// and that the certificate chain validates without warnings. | Security best practice is to require that all confidential information be encrypted while it transits a network. |
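Rows 6 through 9 describe rules the appliance enforces through its own settings pages; the following is an added example, written for this page rather than taken from Bomgar or Symantec code, that models those four rules so the interaction between them can be exercised offline. It shows two details the table only implies: that the lockout counter tracks consecutive failures (a successful login resets it), and that a locked account rejects even the correct password. The `PasswordPolicy` and `Account` classes, the thresholds as parameters, and the sample passwords are all constructed for the illustration.

```python
"""Added illustration of the password and lockout rules in rows 6-9.

Example code written for this page, not appliance code. Default thresholds
mirror the recommended values; the stricter values from the rationale
column (8 characters, 30 or 60 days, 3 attempts) can be passed instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import string


@dataclass
class PasswordPolicy:
    min_length: int = 6              # row 6 default; raise to 8 for sensitive support
    require_complexity: bool = True  # row 7
    max_age_days: int = 90           # row 8 default; 30 or 60 for stricter environments
    lockout_threshold: int = 5       # row 9 default; 3 for stricter environments

    def check_password(self, candidate: str) -> list[str]:
        """Return the list of policy violations (empty means acceptable)."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_complexity:
            classes = {
                "upper": any(c.isupper() for c in candidate),
                "lower": any(c.islower() for c in candidate),
                "digit": any(c.isdigit() for c in candidate),
                "symbol": any(c in string.punctuation for c in candidate),
            }
            missing = [name for name, present in classes.items() if not present]
            if missing:
                problems.append("missing character class(es): " + ", ".join(missing))
        return problems

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """True once the password is at least max_age_days old."""
        return now - last_changed >= timedelta(days=self.max_age_days)


@dataclass
class Account:
    """Minimal login-state model; a constructed stand-in for an appliance account."""
    username: str
    password: str
    policy: PasswordPolicy
    failed_attempts: int = 0
    locked: bool = False

    def login(self, attempt: str) -> str:
        """Return 'locked', 'ok' or 'failed' and maintain the consecutive-failure counter."""
        if self.locked:
            return "locked"           # correct password no longer helps once locked
        if attempt == self.password:
            self.failed_attempts = 0  # only *consecutive* failures count
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.lockout_threshold:
            self.locked = True
            return "locked"
        return "failed"


def demo() -> dict:
    """Exercise each rule with constructed inputs and return the observations."""
    policy = PasswordPolicy()
    results = {
        "weak": policy.check_password("abc"),                  # too short, 3 classes missing
        "no_symbol": policy.check_password("Abcdef12"),        # long enough, no symbol
        "strong": policy.check_password("Tr0ub4dor&3"),        # passes every check
        "expired": policy.is_expired(datetime(2024, 1, 1), datetime(2024, 4, 1)),  # 91 days
        "fresh": policy.is_expired(datetime(2024, 1, 1), datetime(2024, 2, 1)),    # 31 days
    }
    acct = Account("rep1", "Tr0ub4dor&3", policy)
    # Four bad guesses followed by the right password: counter resets, no lockout.
    outcomes = [acct.login("guess") for _ in range(4)] + [acct.login("Tr0ub4dor&3")]
    results["reset_on_success"] = (outcomes, acct.failed_attempts, acct.locked)
    # Five consecutive bad guesses lock the account; the real password is then refused.
    outcomes = [acct.login("guess") for _ in range(5)] + [acct.login("Tr0ub4dor&3")]
    results["locked_after_five"] = (outcomes, acct.locked)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The complexity check treats the four classes named in row 7 as all required; an appliance or policy that requires only three of four would relax the `missing` test accordingly.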