In my last post, my aim was to provide value to IT administrators supporting their intranets and discuss how to optimize performance, covering topics around browsers, server hardware, and configuration options available to you within the IC Thrive platform. Continuing along that path, I would like to share security, the common vulnerabilities found in intranet applications, and the features available to you within IC Thrive, including how to address these.
Last week, I had an interesting conversation with a prospective intranet customer who broached the subject of securing our intranet application and asked how we address known web application security threats as published in the top 10 list from the Open Web Application Security Project (OWASP). So, lets’ do a broad overview of the collaboration tools available to you to protect your intranet and the critical data it houses.
Creating a secure intranet application in 5 ways
An important point to cover is whether your company intranet is exposed to the internet. Some of our customers do allow access to the intranet for mobile employees without the requirement of a VPN or equivalent connection to their LAN. In this scenario, it is much more vital to consider how you configure access to your server and what security features to implement. If you’re entirely behind a firewall, clearly you will be much more protected than if you’ve opened up to the web.
The first thing to look at, which is entirely in your control, is making sure you’re not open to known vulnerabilities in the software pieces used to run your intranet. Are you on a modern OS (2012 R2) or at least the very latest service pack with Windows Updates occurring routinely? Similarly, with your database server, is SQL up to date? IC Thrive can comfortably run on SQL 2014 Express, with roughly half of our customers running Express editions of SQL.
Is your intranet application server up to date? Do you use SSL encryption to protect your client/server traffic? If yes, are you using a 256-bit Secure Sockets Layer (SSL) certificate?
Most browsers will begin reporting to end-users sites with less secure connections (128-bit). Finally, on the client-side, make sure you are applying security updates and upgrading browsers regularly.
IC Thrive supports two authentication mechanisms, built-in Windows Authentication, and Form authentication. You can enable both (mixed mode) or one, and you can also select whether you want to allow anonymous access (Site Secure option). If you only want people with valid Windows credentials, then make sure you configure it that way in the product and the Internet Information Server (IIS).
If you do want to make use of Form logins, make use of the features available to prevent session hijacking, password guessing, brute force attacks, dictionary attacks, and so on. You can implement strong passwords, password expiry, CAPTCHA on login, lock out for repeated failed logins, session IP checking, and short session timeouts, all of which can be done on the administration screen under the Security section on your intranet software.
External to your intranet application, make sure you also use strong passwords for your SQL logins and application server logins. These typically come with stock passwords, and it would be prudent to alter them for your environment. If you do, make sure you update your data source so the application can connect with the database, and keep track of your passwords somewhere safe internally. The last thing you want to do is bring down your intranet accidentally!
In general, permissions are granted based on roles (elevated rights) for users, or standard view/add/update/delete permissions for content. In terms of roles, users can be assigned rights such as administrator, site designer, profile manager, site owner, or app owner. These are typically easy to understand and grant you rights to fully manage content at a particular level or within a given area.
Content is generally organized in folders (or categories) inside intranet applications under a given site. This hierarchy allows you to control the standard CRUD granularly (create, read, update, delete) actions at any given level. When assigning these permissions, you can always target individual users or groups, which often makes administration easier.
The configuration for the logged-in user is checked on every application server request to ensure that no one can obtain indirect access to sensitive data you have secured. Items such as Mega Menus, navigation links, widget content, or folders that a user does not have access to will not be presented to a user at all.
One extra feature you may want to implement is the File Migration Utility under security. By default, the intranet will upload files within the webroot. If you want to prevent direct access, you can use this to begin storing your uploaded files somewhere else (e.g., separate drive, SAN). Thus, you can force file access to occur through a secure intranet application server request within IC Thrive, which has the aforementioned security checking layered on top.
New threats crop up every year, requiring action on public websites. In some instances, these trickling into the intranet space. In addition to our own internal testing, our valuable clients have run penetration tests on their intranets and have kindly shared these results with us. This has been valuable feedback for us, helping us strengthen the security features in IC Thrive.
IC Thrive is focused and concerned with creating a secure intranet for our customers. We proactively test and work with our customers to stay on top of potential vulnerabilities. By doing your part, keeping your servers up to date, and following the best intranet application security practices, you can create a secure intranet.
As always, we do our part to build protection into IC Thrive for a secure intranet any way we can. If you have any questions surrounding the security and features discussed, please comment below.
But before you move ahead, do not miss taking our complimentary internal communications assessment to see how well are you sharing information and keeping your employees engaged. Moreover, if you’ve not yet started your intranet journey, feel free to book yourself a FREE DEMO with our product specialist, and discuss all your challenges.