Microsoft 4.5.X User Manual
Page 78 of 94 - Administration Manual - Copyright 2007 - Lieberman Software Corporation - All Rights Reserved
button. The default timeout period is 20 minutes, but if you have a need to make your
environment more secure, you can set this as low as 1 minute.
environment more secure, you can set this as low as 1 minute.
•
Allowed charset – This is the set of characters (case insensitive) which are acceptable
in user-defined answers. Both the answer configuration and identity verification login
will use this set to filter the answers before performing any queries to the database.
This prevents SQL injection attacks and use of SQL escape characters in the answer
strings. By default, this includes the letters A-Z, the number 0-9, and the space
character.
in user-defined answers. Both the answer configuration and identity verification login
will use this set to filter the answers before performing any queries to the database.
This prevents SQL injection attacks and use of SQL escape characters in the answer
strings. By default, this includes the letters A-Z, the number 0-9, and the space
character.
The Account Reset Console also protects you from other malicious attacks in the following
automatic ways:
automatic ways:
•
Sessions, not cookies – ARCWeb uses only server-side sessions to store login
information, not client-side cookies. Names and passwords are not transmitted
repeatedly over the network.
information, not client-side cookies. Names and passwords are not transmitted
repeatedly over the network.
•
Entirely SSL-capable – ARCWeb can be run on a secure HTTP (HTTPS) web server.
This will protect all network communications from interception.
This will protect all network communications from interception.
•
Server-side answer verification – All user-provided answer strings are checked in the
application logic, not transmitted to the database. Thus, your source databases are
protected against SQL injection attacks.
application logic, not transmitted to the database. Thus, your source databases are
protected against SQL injection attacks.
Super-User Configuration
Overview
Super-Users, or users who can access the “Configuration” menu in the Account Reset
Console, are not set by normal administrators. These users must be set through the Super-
User configuration screen. Super-Users have all access rights to the console, although they
do not necessarily have any reset rights for other groups (see “Managing Group Access
Rights”, above).
Console, are not set by normal administrators. These users must be set through the Super-
User configuration screen. Super-Users have all access rights to the console, although they
do not necessarily have any reset rights for other groups (see “Managing Group Access
Rights”, above).
Super-User configuration is located under the “Configuration” menu item, in the “Super-Users”
tab. The Super-User configuration can be managed by users with super-user account
privileges.
tab. The Super-User configuration can be managed by users with super-user account
privileges.
Adding new Super-User Groups
Super-Users are designated at the domain or local group level, not by individual user account
name. Any domain or local group may be designated as a super-user group.
name. Any domain or local group may be designated as a super-user group.
The group(s) which are granted super-user access will be able to configure the properties of
ARC such as database, logging, and verification question information.
ARC such as database, logging, and verification question information.