
RightNow® 7.x

Security Hardening Manual


Table of Contents

Introduction
  Security Policy
Critical Security Processes
  Site Protection
  Admin Site Protection
  End User Site Protection
  Email Configuration
  Password Configuration
  Cookies
  Session ID's
  Emailing Links
  File Attachments
  Pass-Through Authentication
Security-related Configuration Verbs
Appendix A
Appendix B
Appendix C
Appendix D

1 Introduction

Right Now Technologies takes the security of its products very seriously and makes every effort to ensure that its products will not expose our customers or their customers to risk. To meet the needs of a wide variety of customers, the Right Now products are highly configurable, and some of those configuration choices can impact the security profile of the products. The purpose of this document is to provide our customers with information about the configuration settings that have security ramifications and to provide guidance in making configuration choices.

Security Policy

When configuring a Right Now product, your goal is to obtain the maximum effectiveness for your employees and customers, but security concerns may require that you accept something less. Just as having locks on doors is an inconvenience and an expense, making your site and data secure may require you to accept less convenience and some loss of productivity. The threats to using a software product to collect and store data are:

• The leakage of data to unauthorized people.
• An attacker tampering with data.
• Vandalism of the host site.

In developing a security plan for using the product you should consider:

• The type of data that will be collected and stored. For example, is personal information such as names, addresses, telephone numbers and email addresses collected? Is medical or financial information collected and stored? Are there standards that apply to some or all of the data, such as HIPAA?

• The methods used to collect the data. For example, does information come over the public Internet or from a private intranet? Does information come from a voice-based system?

• Access method for the data. For example, do viewers have to provide credentials such as a user id and password or is data openly available?

• What are the risks to the organization if data is released to unauthorized people? Is the potential cost small, or would it have a significant impact? Are there legal ramifications to data leakage?


Asking such questions should help you determine the content of the security plan, which should cover the following issues:

• Users – define the various groups of users.
• Authentication – what authentication methods are available and which should be used for each type of user.
• Authorization – for each type of data, which types of users should have access and how should the authorization be provided?
• Communication – what communication methods will be used and what efforts should be made to protect communications from being compromised?

It is important to remember that you should never assume that your security system is foolproof. New vulnerabilities are found daily and you should expect that any weakness will eventually be exploited. Continuing vigilance and process improvement are required to minimize risk. This is a minimal set of issues that relate to the use of Right Now Technologies software. If you want more information about establishing an enterprise security plan, you are referred to:

• Writing Information Security Policies by Scott Barman
• Information Security Policies and Procedures by Thomas Peltier
• http://www.sans.org/resources/policies/

2 Critical Security Processes

Listed below are some of the issues that are vital to maintaining a secure system. These are complex, involve multiple configuration verbs and require consideration of the broader perspective.

Site Protection

There are a number of configuration verbs that provide protection for the site. SEC_CONFIG_PASSWD is the password required to access the configuration editor. It should never be blank; a blank value is a back door for an attacker, since the configuration editor can change every other security setting described here. SEC_VALID_INTEG_HOSTS specifies which hosts are allowed to access the integration interface. Only users connecting from these hosts will be allowed access. This should be set carefully to allow only the necessary hosts, as the integration interface provides access to much of the product functionality.

Admin Site Protection

If it is possible to use the SEC_VALID_ADMIN_HOSTS and SEC_ADMIN_HTTPS settings, it is highly recommended. The administrative site provides access to all of your site information, so limiting its availability greatly improves security. SEC_VALID_ADMIN_HOSTS limits access to the administrative site to a smaller set of DNS domains. The only disadvantage is that if the number of domains is large or changes often, additional administrative effort is needed to keep the set of domains up to date. SEC_ADMIN_HTTPS encrypts all communication with the admin interface, providing protection from attempts to capture data from the network. Together, they reduce risk to the data that is stored in the Right Now product database.

End User Site Protection

The end user site can also be protected by setting configuration verbs to control functionality. DE_CUST_PASSWD_ENABLED enables the password field on the end user pages and on the admin contact page. If not set, users are not required to have a password. If this is turned off on an active site where users have passwords, they will be unable to log in.

SHP_PASSWD_REQD specifies whether end users must enter a login/password combination to access any end user page. If disabled, a password is required only for accessing user profile information and the "Ask" part of the Service product. If enabled, users will not be able to access the pages used to create accounts, and since you probably do not want users creating their own accounts in that situation either, you will likely want to disable MYSEC_AUTO_CUST_CREATE, which determines whether end users can create accounts (enabled) or not (disabled).

SEC_VALID_ENDUSER_HOSTS and SEC_INVALID_ENDUSER_HOSTS are lists of hosts that are allowed or denied access to the end user interface, respectively. Any user coming from a host in the valid list is allowed access and any user coming from a host in the invalid list is denied access. The valid list is practical only where the set of end users is confined to a relatively small number of domains. The invalid list is available primarily to prevent web spidering from known locations. Keep in mind that host lists identify the connecting address, not the person: everyone behind a shared proxy or NAT looks the same, and a determined attacker can connect from a different address, so treat these lists as a way to reduce exposure rather than as authentication. SEC_END_USER_HTTPS will allow access only over SSL/TLS, which provides the maximum level of protection for communications between the user and the Right Now service.

Email Configuration

The Service module allows the configuration of service mailboxes for managing email through a facility named techmail, and there are a number of security settings available. The Service Mailboxes are configured through Service Configuration > Communication Configuration > Service Mailboxes. On this page there is a tab marked Security that has settings for configuring communication security and for email authentication. The communication settings concern the use of Secure Socket Layer (SSL) methods:

SSL Method
  If possible, this should be set to one of the two SSL options; use Disabled only when you have no choice. If your email server is on the same subnetwork as the Right Now product server and access to that network is limited to a known group of people, unsecured communication is acceptable, but barely. Open communication, including the mailbox password sent with every poll, is easily captured by anyone with a network connection and should be avoided.

  Disabled: Use unsecured email communication with the mail server.
  Using POP3 SSL port: Use POP3 with SSL on port 995. The connection is encrypted from the first byte.
  Using STLS Command: Use standard POP3 on port 110 and issue the STLS command to switch the same connection to SSL/TLS before the password is sent. Because the connection starts in clear text, an attacker on the network path can try to strip the server's STLS offer and keep the session unencrypted; this mode is only as safe as the client's refusal to continue without TLS, whereas port 995 never talks in the clear.

Accept untrusted SSL certificates
  When enabled, techmail will exchange email with mail servers whose certificates were not issued by a trusted certificate authority, such as self-signed certificates. Leave it disabled so that the server's identity is actually verified. If your mail server is captive (on your own network and under your control) and uses a self-signed certificate, enabling this is a smaller risk, but the better fix is to give the server a certificate from an authority techmail trusts. If the mail server is remote or under the control of another entity, this must stay disabled: otherwise anyone on the network path can present a certificate of their own and read the mailbox credentials and traffic.

Accept expired or not yet valid SSL certificates
  When enabled, techmail will exchange email with servers without checking that their SSL certificates are currently within their validity period. This avoids workflow disruptions when a certificate expires, but an attacker holding an old, expired certificate and its private key can then impersonate the server. Leave it disabled and monitor the mail server's certificate expiry instead; beyond that, the choice depends on the trust relationship between the mail server and the host site.

Accept SSL certificates with incorrect host name
  When enabled, techmail will exchange email with servers without checking that the server name configured in techmail matches the name in the SSL certificate. Leave it disabled: the host name check is what ties the certificate to the server you intended to reach, and it matters most whenever the mail server is remote and could be spoofed. The only problem likely to occur when it is disabled is that moving the mail server to a new host name will require reconfiguring techmail or issuing a new certificate.
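As an added illustration of what the three certificate options above actually relax, here is a small Python POP3 client that builds its TLS settings from the same three choices. It is example code written for this edition of the manual, not techmail or any other RightNow code; the host name mail.example.com, the port numbers and the 30 second timeout are assumptions.

```python
"""What the mailbox SSL options relax, expressed as a POP3 client.
Added example for this manual, not techmail or any RightNow code.
mail.example.com, the ports and the timeout are assumed values."""
import poplib
import ssl
from typing import Dict


def mailbox_tls_context(accept_untrusted: bool = False,
                        accept_bad_hostname: bool = False) -> ssl.SSLContext:
    """Client context for polling a mailbox.

    Defaults reject certificates that are untrusted, outside their validity
    dates, or issued for another host name; each flag mirrors one option on
    the Security tab and relaxes one check.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED + host name check
    if accept_untrusted:
        # A forger who can present any self-signed certificate can also put
        # the expected host name in it, so name matching adds nothing once
        # the chain is not verified (and Python refuses CERT_NONE while
        # check_hostname is still on).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif accept_bad_hostname:
        ctx.check_hostname = False       # chain is still verified
    # "Accept expired" has no separate knob here: validity dates are part of
    # chain verification, so the only way to accept an expired certificate
    # is CERT_NONE.  Renew the server certificate rather than relax the client.
    return ctx


def verification_summary(accept_untrusted: bool = False,
                         accept_bad_hostname: bool = False) -> Dict[str, bool]:
    """What a context built with these options still checks."""
    ctx = mailbox_tls_context(accept_untrusted, accept_bad_hostname)
    chain = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "chain_verified": chain,
        "validity_dates_checked": chain,      # inseparable from the chain check
        "hostname_verified": bool(ctx.check_hostname),
    }


def open_mailbox(host: str, method: str, ctx: ssl.SSLContext) -> poplib.POP3:
    """Connect as the "SSL Method" setting describes.

    "pop3s": TLS from the first byte on port 995.
    "stls":  plain POP3 on port 110, then STLS upgrades the same connection
             before the password is sent; the call raises if the server
             declines, which is the defence against a downgrade attempt.
    "disabled" is deliberately not offered.
    """
    if method == "pop3s":
        return poplib.POP3_SSL(host, 995, context=ctx, timeout=30)
    if method == "stls":
        conn = poplib.POP3(host, 110, timeout=30)
        conn.stls(context=ctx)
        return conn
    raise ValueError("refusing unencrypted POP3; use 'pop3s' or 'stls'")


if __name__ == "__main__":
    print(verification_summary())                            # all True
    print(verification_summary(accept_bad_hostname=True))    # hostname False
    # open_mailbox("mail.example.com", "pop3s", mailbox_tls_context())  # needs a live server
```

The point the summary makes explicit is that the three options are not independent: once untrusted certificates are accepted, the host name check is meaningless, and expiry cannot be waived without waiving the chain check as well. The secure configuration is the one with every check left on, and problems with the mail server's certificate are fixed on the server.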


S/MIME

These settings provide the certificate and private key used for S/MIME, that is, for signing outgoing mail and decrypting incoming mail addressed to the mailbox. They are separate from the SSL transport settings above.

Mailbox personal certificate and key
  Using the browser, you can select the file containing the public certificate and private key assigned to the mailbox by the certification authority. This must be done if S/MIME is used. Protect this file as you would any private key: anyone holding it can sign mail as the mailbox and decrypt mail sent to it. If you are unsure about this step, see the Right Now System Configuration Manual.

Import untrusted personal certificates
  When this is not set, a personal certificate is imported only from an S/MIME message whose certificate chains to a trusted authority. Leave it unset unless you are certain of the source of the certificates being imported; the check is what prevents an attacker from planting a certificate of their own choosing.

Import expired or not yet valid personal certificates
  When this is not set, a personal certificate is imported only from an S/MIME message whose certificate is currently within its validity period. Leave it unset unless you are certain of the source; the check is an added safeguard if you are not.

In order to receive signed emails, you will need intermediate certificates. These can be automatically extracted from email, or you may need to upload certificates. Refer to the Right Now System Configuration Manual for information on using the File Manager to perform this task.

Password Configuration

The Common Configuration > Staff Management > Passwords configuration section allows for the setting of rules for passwords. The parameters are:

• Number of failures allowed before the account is locked.
• Minimum password length.
• Number of allowed repetitions.
• Minimum allowable number of lowercase characters.
• Minimum allowable number of uppercase characters.
• Minimum allowable number of special characters (things like digits or :, $, *, etc.).
• Number of previous passwords saved to prevent reuse.
• Password expiration time in days.
• Grace period after expiration before account is locked.
• Warning period during which the user will be warned at each login.

Although not stated in the configuration section, the maximum password length is 20 characters.

If the data protected by a password is not critical or subject to privacy legislation, the default values may be acceptable. The largest dangers to passwords are the ability to guess a password by brute force means, or the release of a password due to nefarious activities (phishing for example) or inadvertent release (such as writing it down). So it is important that your users be made aware of the need to protect their passwords by choosing something that is easy to remember, but hard to guess.


If accounts are locked after a number of consecutive login failures, it makes it more difficult for an attacker to brute force password guessing, but it is not impossible. If an attacker is able to obtain a stored password hash, they can determine the algorithm used to hash it and simply try different strings looking for a match, entirely offline and unaffected by account lockout. This is time consuming, but note that the figures below assume about 5 million guesses per second, growing by 10 percent per year, which was current when this manual was written; a single modern GPU tests billions of guesses per second against fast hashes, so treat the times as upper bounds that shrink by several orders of magnitude. The conclusion about length only gets stronger. While it is helpful to use case changes and special characters to enlarge the character set in passwords, the key to strong passwords is length. If 76 characters are used randomly, at 5 million guesses per second it would take no more than 12 hours to guess a six character password. The time increases to 7 years for 8 character passwords and 230 million years for a 12 character password. Of course, password cracking typically takes advantage of the tendency for people to use common words in passwords, so dictionary attacks can break passwords much more quickly. The lesson is that for maximum security, long passwords are necessary. For example, if a password is composed of three words from a 100,000 word dictionary with a total length of 12 characters, it could take about 6 years to guess by brute force methods (100,000 cubed guesses at 5 million per second). With even a small amount of randomness built in, the problem rapidly increases toward the 230 million year value. So encourage users to choose long (no less than 10 characters), but easy to remember and type passwords: compositions of common words, song lyrics, poems and so on, with some words misspelled slightly. Their passwords will be secure, provided they don't write them down or reveal them. It is always good to add special characters and digits, and to mix cases, but the important feature is sufficient length to prevent brute force attacks.
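The following Python example, added to this manual and not part of the RightNow product, implements the password rules listed under Password Configuration as a checker and reproduces the brute-force arithmetic above so the figures can be recomputed for any guessing rate. The PasswordPolicy default values are assumed for illustration and are not the product's defaults, and a real system compares against stored, salted password hashes rather than the plain strings used here.

```python
"""Password rules from Password Configuration as a checker, plus the
brute-force arithmetic from the text.  Added example for this manual, not
RightNow code; PasswordPolicy defaults are assumed, not the product's."""
from dataclasses import dataclass
from typing import Iterable, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class PasswordPolicy:
    min_length: int = 10       # the text recommends no fewer than 10
    max_length: int = 20       # undocumented product limit noted above
    max_repetitions: int = 2   # longest run of the same character allowed
    min_lower: int = 1
    min_upper: int = 1
    min_special: int = 1       # digits and punctuation both count
    history_size: int = 5      # previous passwords kept to block reuse


def longest_run(password: str) -> int:
    """Length of the longest run of one repeated character ("aaa" -> 3)."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, policy: PasswordPolicy,
                   previous: Iterable[str] = ()) -> List[str]:
    """Return the rule violations; an empty list means the password is accepted.

    `previous` is the user's password history, oldest first.  A real
    system keeps only salted hashes and compares against those.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long")
    if longest_run(password) > policy.max_repetitions:
        problems.append("too many repeated characters")
    if sum(c.islower() for c in password) < policy.min_lower:
        problems.append("needs lowercase")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append("needs uppercase")
    if sum(not c.isalpha() for c in password) < policy.min_special:
        problems.append("needs digit or special character")
    if password in list(previous)[-policy.history_size:]:
        problems.append("reused recent password")
    return problems


def brute_force_seconds(alphabet_size: int, length: int,
                        guesses_per_second: float) -> float:
    """Worst case to exhaust every password of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second


def brute_force_years(alphabet_size: int, length: int,
                      guesses_per_second: float) -> float:
    return brute_force_seconds(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def dictionary_phrase_years(dictionary_size: int, words: int,
                            guesses_per_second: float) -> float:
    """Worst case when the attacker knows the password is `words` dictionary
    words and guesses word combinations instead of characters."""
    return dictionary_size ** words / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    manual_rate = 5e6          # the rate assumed in the text
    gpu_rate = 1e10            # order of magnitude for a modern GPU on a fast hash
    for n in (6, 8, 12):
        print(n, "chars:", brute_force_years(76, n, manual_rate), "years at 5M/s,",
              brute_force_years(76, n, gpu_rate), "years at 10G/s")
    print("3 dictionary words:", dictionary_phrase_years(100_000, 3, manual_rate))
    print(check_password("2BeOrNot2Bee?", PasswordPolicy()))   # []
```

Running it reproduces the 12 hour, 7 year and 230 million year figures at the manual's rate, and shows the 8 character case collapsing to about a day at a GPU rate, while the 12 character case stays out of reach: the ratio between lengths is what matters, not the absolute rate.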
And, of course, avoid using words or phrases that can be identified with a person, such as their name, address, telephone number, job title, type of car and so on. Passwords of the form 2BeOrNot2Bee?, MaryhadaL1ttle|am, o|dr0amin4Um or JollyBARNbeFore illustrate the pattern; do not use these particular strings, since anything printed in a manual ends up in attackers' word lists. The choice of other password handling parameters depends on the situation. If your users don't log in often, expiring passwords will result in many accounts being locked because the users don't get the warning. This will result in increased administration unless the warning time and grace time are very long. Locking accounts can prevent direct brute force attacks and some denial-of-service attacks, but it can also increase administrative overhead, and an attacker who knows login names can deliberately lock users out by failing logins against them. If you require users to change their passwords regularly, you need to save some history information to prevent reuse; at least five past passwords. You will find that most users will make a minor change in their password and eventually cycle back to the original, so it is difficult to assess the value of this strategy. If you are concerned that passwords could be compromised by poor user handling of passwords or by some form of attack, it is wise to require regular changes.

Cookies

Cookies are small pieces of information that are stored on a user's local system by a web site to save information that might be useful at a later date when they return to the site. The Right Now end user logic stores a cookie to indicate that the user has been authenticated by the site and to provide minimal identification information. Because cookies are stored on the user's local system, they are a security risk. If more than one user has access to a system, other users may be able to hijack a cookie and use it to access data for which they should not have access.


Users can protect themselves by disabling cookies in their browser, and authentication on the local machine may prevent misuse, but that is not under the site administrator's control. If the data available to end users is critical, it will be more secure to disable cookies. The trade-off is between convenience for the user and security: no important information is stored in the cookie, but the user will have to log in each time they go to the site. If cookies are enabled, setting the cookie timeout period (MYSEC_COOKIE_EXP) to as short a period as possible limits the security risk by limiting the time during which a hijacked cookie can be used.

Session ID's

Session Identifiers, or SID's, provide a means for a user to remain authenticated over a period of time. A web interface like the Right Now software consists of a series of independent page turns as a user interacts with the site via the browser to access its features. In order to avoid having to authenticate on every page turn, a user is issued an SID upon an initial authentication (either by logging in, as an anonymous user or due to a valid cookie being presented), and that SID is valid for accessing certain features for a period of time. If an attacker can obtain an SID before it expires, it authenticates the attacker just as well as the user, so the expiration time for SID's should be set to the minimal acceptable time (MYSEC_SESSION_ID_EXP). An SID is continuously renewed while the user is accessing the product, so it only becomes an issue when the user's site activity is idle for the SID expiration period. Note the consequence of renewal: an attacker who keeps using a stolen SID keeps renewing it too, so the idle timeout bounds the exposure only once the attacker stops. This may require some thought as to how users typically access the site to find the best timeout period, but it should not be longer than necessary.

Emailing Links

A security risk is produced when agents send users links that they copy out of their own browser. These links contain the agent's SID, which provides the end user with the same privileges as the agent.
For that reason, agents should never send links copied from their own browsers. Incidents and answers can be easily mailed to users via the end user or administrative console, and that is the appropriate method to use. When links are emailed to users from the administrative console they may or may not contain the user's password in the link. If the password is included, the user will be granted access to the target without logging in; otherwise, they will be required to provide their login credentials. This functionality is controlled by the configuration verb MAIL_SECURE_LINK. When enabled, the password is not included, and that is the preferred setting. If the password is included, anyone with access to the link, including anyone who can read the mail in transit or later in the user's mailbox, would have full privileges on the user account, and unlike an SID the password does not expire.

File Attachments

For many organizations, the ability to upload file attachments is critical to their service function. The Right Now product allows that functionality unless the EU_FA_ENABLED configuration verb is set to False. Uploaded files can be used to attack a site unless you are careful to avoid certain behaviors. No file that could contain a Trojan horse, worm, rootkit, virus or other malware should be opened by an agent or administrative user unless it is first tested for safety by one of the common malware scanners. It may be necessary to save the uploaded files to disk and then run the scanner on the file to ensure that it is safe. Likewise, uploaded files should not be posted or mailed to users until they have been verified as safe, or you may spread malware to customers. Typically,


dangerous files are those with extensions like .exe, .bat, .doc, .xls or .zip, but the extension is not a guarantee: any file can contain code that can damage your system and spread through your network, and an attacker can name a file whatever the policy allows. HTML files are a problem because they can provide links to sites that harvest private data from unsuspecting people. This is commonly called phishing (it is distinct from cross-site scripting, where script is injected into pages served by your own site). Uploaded HTML files pose a unique problem because a malware scanner cannot determine whether their links are legitimate, so all uploaded HTML files should be reviewed by a person to ensure that they do not pose a threat. The most extreme measure is to not allow HTML files that have links to other pages, but that may be impractical. No agent or administrative user should follow a link unless it is known to be safe, and no data should ever be entered at a linked site. If it is necessary to go to a referenced site, obtain the correct address and type it into the browser. An HTML file should never be posted for user access or emailed to users unless it is known to be safe, to avoid creating a threat for users. The other problem with HTML files is that they may contain JavaScript or ActiveX controls, which allows an HTML file to infect your system with a virus or Trojan horse simply by being opened. If browser security works properly this should not happen, but browsers are one of the least secure types of software. For all browsers accessing uploaded files, disable plug-ins and configure security settings not to run Java applets, JavaScript, VBScript, ActiveX controls or other executable content from untrusted sources. If you need a plug-in for a particular activity, enable it temporarily for that activity only, and then disable it again. Where you control how attachments are served, serve them as downloads (Content-Disposition: attachment) rather than rendering them in the browser, so that an uploaded HTML file is never executed in the context of your site. Finally, educate users about the risks associated with improper handling of uploaded files.

Pass-Through Authentication

Pass-through authentication is a login integration capability that allows the Right Now product to require authentication from another server.
The authentication server passes a string to the Right Now product providing the user credentials and a password that controls the pass-through functionality. To learn more, go to the Right Now Integration Manual. MYSEC_LI_PASSWD is the configuration verb that provides the value of the password. This value should never be blank, as that would allow an attacker to spoof user credentials to access the system. Treat it as a shared secret: make it long and random, give it only to the authentication server, and carry pass-through requests over SSL/TLS so the value cannot be captured from the network and replayed.
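The Session ID's discussion earlier in this chapter describes an SID that is renewed on every page turn and expires after an idle period. The Python model below, an added example written for this edition of the manual rather than RightNow code, makes that behaviour concrete: it shows the idle timeout ending a stolen SID once the legitimate user stops, and why an absolute session lifetime (an extra control the product text does not mention) is needed to end one that an attacker keeps touching. The 15 minute idle and 8 hour lifetime values and the FakeClock are assumptions for the demonstration.

```python
"""Sliding session expiry as described under Session ID's, plus an
absolute lifetime.  Added example for this manual, not RightNow code;
timeout values and the FakeClock are assumptions for the walkthrough."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout: float, max_lifetime: float,
                 clock: Callable[[], float] = time.monotonic):
        self.idle_timeout = idle_timeout    # the MYSEC_SESSION_ID_EXP role
        self.max_lifetime = max_lifetime    # extra: caps a SID kept alive by an attacker
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue a fresh SID: 128 random bits from the OS CSPRNG, so it
        cannot be guessed or predicted from earlier SIDs."""
        sid = secrets.token_urlsafe(16)
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate a presented SID for one page turn.

        Returns the user name and renews the idle window, or None (and
        discards the SID) once it has expired on either axis.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if (now - sess.last_seen > self.idle_timeout
                or now - sess.created > self.max_lifetime):
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeClock:
    """Deterministic clock so the scenarios run without waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough(idle_timeout: float = 15 * 60,
                max_lifetime: float = 8 * 3600) -> dict:
    """Play out the situations in the text and report what happened."""
    clock = FakeClock()
    store = SessionStore(idle_timeout, max_lifetime, clock)

    # 1. Normal use: page turns every 10 minutes stay inside the idle window.
    sid = store.login("agent")
    user_kept_session = True
    for _ in range(10):
        clock.advance(10 * 60)
        user_kept_session &= store.touch(sid) == "agent"

    # 2. The agent pastes a link containing this SID into an email.  While
    #    the agent is still active the link works for whoever holds it ...
    stolen_works_while_active = store.touch(sid) == "agent"
    # ... and once the agent has been idle past the timeout, it does not.
    clock.advance(idle_timeout + 1)
    stolen_works_after_idle = store.touch(sid) is not None

    # 3. An attacker who keeps touching a stolen SID keeps renewing it.  With
    #    sliding expiry alone that never ends; the absolute cap ends it.
    sid2 = store.login("agent")
    start = clock.now
    while store.touch(sid2) == "agent":
        clock.advance(10 * 60)
    attacker_window_hours = (clock.now - start) / 3600

    return {
        "user_kept_session": user_kept_session,
        "stolen_works_while_active": stolen_works_while_active,
        "stolen_works_after_idle": stolen_works_after_idle,
        "attacker_window_hours": attacker_window_hours,
    }


if __name__ == "__main__":
    print(walkthrough())
```

Scenario 3 is the one to take away: without the max_lifetime check the while loop would never terminate, which is exactly the exposure a renewed-on-use SID creates when it leaks in an emailed link.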

3 Security-related Configuration Verbs

In the following, Right Now Technologies software configuration verbs that impact security are described and suggestions for setting their values are provided. The Appendices display this information in tabular form.

Common > General > Security > SEC_CONFIG_PASSWD

This setting protects the Configuration Editor. If access to configuring the product is to be more restrictive than access to the administrator account it should be protected from general distribution. Because the configuration editor can be used to change the security settings of the system, this value should always be set.

Common > General > Security > SEC_VALID_ADMIN_HOSTS

This setting limits access to the administrative interface to only those DNS domains that are specifically listed. If access to the administrative interface is from a large set of DNS domains, it may be difficult to have this set, but it should be used if possible as it provides excellent protection from random attacks.

Common > General > Security > GOB_VALID_ADMIN_HOSTS

If you are using a Google OneBox with the Right Now product, this setting provides the IP address of the Google OneBox to the application so that it will respond to requests from the Google OneBox. If this value is not set, the Google OneBox will not work properly.

Common > General > Security > SEC_VALID_ENDUSER_HOSTS

This setting limits access to the enduser interface to only those DNS domains that are specifically listed. This setting would normally be used only if the set of endusers for the Right Now product is localized to a relatively small set of domains, such as a campus or a business.

Common > General > Security > SEC_INVALID_ENDUSER_HOSTS

The IP addresses listed in this setting are prevented from accessing the enduser interface. This configuration is primarily to prevent spidering of the site from particular sites.

Common > General > Security > SEC_VALID_INTEG_HOSTS

This setting limits access to the Integration interface to only those DNS domains that are specifically listed. The Integration interface allows considerable access to resources on the site so it is important that the value be restrictive rather than permissive.
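As an added example of how valid/invalid host lists such as the ones above are evaluated (deny wins, then the allow list if one is configured), here is a Python implementation. It is not RightNow code, and the list syntax it accepts (a single address, a CIDR block, or a domain suffix beginning with a dot) together with the RFC 5737 sample addresses are assumptions. It also shows the two checks a practitioner has to pair with such lists: forward-confirmed reverse DNS for domain entries, and honouring X-Forwarded-For only from your own proxies.

```python
"""Evaluate SEC_VALID_*_HOSTS / SEC_INVALID_*_HOSTS style lists.
Added example for this manual; not RightNow code.  Entry syntax assumed:
an address ("203.0.113.9"), a CIDR block ("203.0.113.0/24"), or a DNS
domain suffix beginning with a dot (".campus.example.edu")."""
import ipaddress
from typing import Iterable, Optional


def parse_entry(entry: str):
    """Return a domain suffix (str) or an ip_network for an address entry."""
    entry = entry.strip().lower()
    if entry.startswith("."):
        return entry
    return ipaddress.ip_network(entry, strict=False)   # "a.b.c.d" becomes /32


def entry_matches(entry, client_ip, client_host: Optional[str]) -> bool:
    if isinstance(entry, str):                         # domain suffix entry
        if client_host is None:
            return False
        host = client_host.lower().rstrip(".")
        return host == entry[1:] or host.endswith(entry)
    return client_ip in entry                          # network entry


def host_allowed(client_ip: str, client_host: Optional[str],
                 valid_hosts: Iterable[str], invalid_hosts: Iterable[str]) -> bool:
    """Deny list first; then, if an allow list exists, the client must match it.

    client_host must come from forward-confirmed reverse DNS (resolve the
    PTR record, then check that the resulting name resolves back to
    client_ip).  A bare PTR lookup is not enough: whoever owns the address
    block can point its PTR at "www.campus.example.edu".
    """
    ip = ipaddress.ip_address(client_ip)
    deny = [parse_entry(e) for e in invalid_hosts if e.strip()]
    allow = [parse_entry(e) for e in valid_hosts if e.strip()]
    if any(entry_matches(e, ip, client_host) for e in deny):
        return False
    if allow:
        return any(entry_matches(e, ip, client_host) for e in allow)
    return True                                        # no allow list: open


def client_address(remote_addr: str, x_forwarded_for: Optional[str],
                   trusted_proxies: Iterable[str]) -> str:
    """Choose the address to feed host_allowed when a reverse proxy is in front.

    X-Forwarded-For is supplied by the client unless a proxy you control
    appends to it, so only the value appended by your own proxy (the
    right-most one) is trusted, and only when the direct peer is that
    proxy.  Anything else lets an attacker pick the address that is
    checked against the host lists.
    """
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in p for p in proxies):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


if __name__ == "__main__":
    # Constructed sample configuration (RFC 5737 documentation addresses).
    valid = [".campus.example.edu", "198.51.100.0/24"]
    invalid = ["203.0.113.0/24"]               # a known spidering range
    print(host_allowed("198.51.100.7", None, valid, invalid))                       # True
    print(host_allowed("203.0.113.9", "ws.campus.example.edu", valid, invalid))     # False
```

Two details worth noticing: an empty allow list means "everyone not denied", which is the safe default for a public end user site but not for the integration or admin interfaces, and a denied address stays denied even when its reverse DNS name would have matched the allow list.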


Common > General > Security > SEC_EU_ADMIN_HOSTS

The IP addresses listed in this setting are allowed to access the end user interface without being counted in the statistics collection.

Common > General > Security > SEC_ADMIN_HTTPS

If set, the administrative interface can only be accessed by using the Secure Socket Layer (SSL) protocol, which encrypts all communications. If your site is capable of handling SSL, this setting can provide additional security by encrypting all communication of sensitive data. It is highly recommended that this setting be enabled to prevent third parties from “snooping” your network traffic and viewing possibly sensitive data.

Common > General > Security > SEC_END_USER_HTTPS

If set, certain pages in the end user interface can only be accessed using the Secure Socket Layer (SSL) protocol, which encrypts all communication. If your site is SSL capable this adds security, but it also requires that all end users have browsers that are SSL enabled. All modern browsers are SSL enabled, but it is a business as well as a security decision. If the data you collect from end users is sensitive, this setting should be enabled to reduce the risk of data leakage. The pages secured are primarily those used for submitting data. Bear in mind that a session cookie or SID issued over an encrypted page is exposed again as soon as the same browser requests an unencrypted page with it, unless the cookie is marked Secure, so securing the whole end user site is preferable where practical.

Common > General > Security > SEC_INVALID_USER_AGENT

The list of user agent names provided here is denied access to the enduser interface. This is generally used to prevent spidering by particular user agents.

Common > General > Security > SEC_SPIDER_USER_AGENT

The list of IP addresses provided here are considered to be web spidering sites, so they are handled differently in statistic collection and they will experience different enduser interface behavior.

Common > General > Security > SEC_P3P_COMPACT_HDR

This setting describes the Platform for Privacy Preferences (P3P) compact policy header sent when setting and using cookies. The P3P standard provided a common language for a web site to declare its cookie and privacy practices to the browser, which could then apply the user's privacy preferences. This setting should not be changed unless customization results in a change in cookie handling, and then only by someone knowledgeable about P3P. Note that P3P has since been retired as a standard and current browsers ignore the header, so it provides no protection on its own.

Common > General > Error Logging > ERR_INT_ERROR_DETAILS_ENABLED

If disabled, error messages displayed by the site will be minimal, while if enabled, more detail is provided. To prevent attackers from gaining information about your site, this setting should be disabled. If enabled for the purposes of troubleshooting the site, it should be disabled immediately after.

Common > Database > User Account > DB_LOGIN

For sites other than Right Now hosted sites, this is the user name used to connect to the database server. It should not be the administrator or root user of the system or a default account, and should preferably be unique to the Right Now application. By avoiding a known name, you avoid providing attackers with information they can use maliciously, and a dedicated account can be granted only the privileges the application needs on its own database.


Common > Database > User Account > DB_PASSWD

For sites other than Right Now hosted sites, this should be set to a value that is not likely to be guessed. It should be long enough to prevent brute force guessing, which is at least 12 characters, and the longer the better; since nobody has to type it, a long random value is the natural choice. See the Password Configuration section above.

Common > Database > MySQL > DB_PORT

This setting does not pertain to Right Now hosted sites. If a remote MySQL server is used, this is the port on which the MySQL server will be listening. On the remote server, a firewall should be used to ensure that access to this port is limited to those IP addresses that need access. This would include the servers for the Right Now software and any other hosts that need access to your MySQL server.

RN Common > File Attachments > Configuration > EU_FA_ENABLED

If it is desirable for end users to be able to attach files to their questions, this setting should be enabled. Uploaded files can contain malware such as Trojan horses, viruses or executable programs. You should implement policies to protect your systems by not opening attachments that could contain malicious code unless they have been tested.

RN Common > Service Modules > Right Now Email > EGW_PASSWD_CREATE

If disabled, contacts created by the email gateway will not have passwords. Accounts without passwords should not be used unless the data on the site includes no personal or valuable business information.

RN Common > Service Modules > Right Now Email > EGW_SECURE_UPDATE_ENABLED

Disabling this setting allows an incident to be updated by an email from any address, rather than only from an address that matches the contact record in the database. While not a direct security threat, leaving it disabled gives a malicious attacker an opportunity to contaminate your database.

RN Common > External Events > Incoming Integration > II_CONNECT

This enables the RightNow Connect integration. It should be disabled unless this part of the product is being actively used.

RN Common > External Events > Incoming Integration > II_EMAIL_ERROR_ADDR

This is the address to which XML API error data is sent. If set, the email address should be one where the error data is not exposed to a potential attacker, either in transit or after it is stored.

RN Common > External Events > Incoming Integration > II_SEC_EMAIL_STR

This is the string that must appear in the email subject to authenticate with the XML API. If this value is blank, the XML API via email is disabled.

RN Common > External Events > Incoming Integration > II_SEC_WEB_STR

This is the XML trigger phrase that must be sent as the value of sec_string to authenticate with the XML API. If this value is blank, the XML API is disabled.

RN User Interface > General > Data Entry > DE_CUST_PASSWD_ENABLED

When enabled, end users and administrative users must log in with a password. It is highly recommended that all users be required to log in unless the data collected on the site has no personal data or business relevance.

RN User Interface > General > File Attach > FATTACH_MAX_SIZE

Sets the maximum size of a file attachment that can be uploaded from the end user interface. Setting this to the smallest value that is practical, given the types of attachments that might be uploaded, reduces the likelihood of a denial-of-service attack that fills the available disk space.

RN User Interface > My Stuff > Security > MYSEC_AUTO_CUST_CREATE

This setting determines whether new accounts can be created by customers accessing the end user interface. If disabled, only users with existing accounts (typically created by an administrative user or through the integration API) will be granted access; if enabled, anyone accessing the end user site can create an account.

RN User Interface > My Stuff > Security > MYSEC_LOGIN_COOKIE_EXP

This setting determines the length of time before a login cookie expires. If it is set to too large a value, it gives an attacker an opportunity to hijack the cookie and use it to gain access. The recommended maximum lifetime for a cookie is 24 hours (1440 minutes), and a shorter time provides better security.

RN User Interface > My Stuff > Security > MYSEC_SESSION_ID_EXP

When an end user logs in to the Right Now site, they are assigned a session id (sid) that contains important information about the user. Session ids expire so that they can no longer be used, and this setting determines the expiration time. Shorter times are better because they limit the opportunity to hijack a session id and compromise the site. The default value of 60 minutes is considered to be the maximum, particularly if the sids may be exposed to end users.

RN User Interface > My Stuff > Security > MYSEC_LI_PASSWD

This setting applies only if pass-through authentication is used. This password is included in the pass-through authentication string and should be as strong as any other password. The length should be at least 12 characters to resist brute-force guessing. This password should not be blank, as a blank value provides a path for an attacker to gain access to the product without providing full credentials.

RN User Interface > My Stuff > Security > MYSEC_MIN_PASSWD_LEN

The minimum password length for end users should be set to a value that is reasonable for the criticality of the data collected. The minimum length should be 6-8 characters for data of low significance and 10-12 for more important data. Studies show that users, in spite of warnings, tend to pick passwords that are easy to guess, but long passwords take very long times to crack even if they are made up of common words. See the section below on password issues.

RN User Interface > Security > SUBMIT_TOKEN_EXP

Certain exchanges between parts of the end user interface are protected by a token to ensure that an attacker cannot capture user-entered data. For example, entering data for a new user account is the first part of such an exchange and processing it is the second. A critical part of the exchange is the period for which the token is active, and that value is set by this configuration verb. Making it too long can make the product vulnerable to attacks, and making it too short can cause user exchanges to fail as the token times out. The default is 30 minutes; since these exchanges should normally take only a few minutes, it should be adequate.

RN User Interface > Support Console > Organization Tab > CT_PASSWD_DISP

This setting can allow passwords to be displayed on the Support and Sales Organization tabs, primarily so that agents can provide users with their passwords. The display can be the encrypted password or the text password. Displaying text passwords carries some risk unless there are controls to ensure that the Support and Sales consoles are available only to trusted individuals, and the risk depends on the significance of the data collected. It is more secure never to display passwords.

RN Live > General > Server > ADMIN_PORT

Open ports give attackers a point of entry for exploiting a system. A firewall or other means should be used to limit access to only those systems with a legitimate need to reach this port.

RN Live > General > Servlet > SERVLET_HTTP_PORT

Open ports give attackers a point of entry for exploiting a system. A firewall or other means should be used to limit access to only those systems with a legitimate need to reach this port.

RN Live > General > Agent > AGENT_PORT

Open ports give attackers a point of entry for exploiting a system. A firewall or other means should be used to limit access to only those systems with a legitimate need to reach this port.

RN Live > General > User > USER_PORT

Open ports give attackers a point of entry for exploiting a system. A firewall or other means should be used to limit access to only those systems with a legitimate need to reach this port.

RN Live > Server > SRV_CHAT_INTERNAL_NET

This setting should contain the IP address(es) of the Right Now Chat Server(s). The address is used to validate requests made to the Right Now server by the Chat Server, so it should be limited to legitimate Chat servers. If it is not set, Chat will not function.

RN Marketing > General > RNM Daemon > RNMD_PORT

Open ports give attackers a point of entry for exploiting a system. A firewall or other means should be used to limit access to only those systems with a legitimate need to reach this port.

RN Marketing > General > Campaigns

There are five settings in this category that determine the default strategies for authenticating users in marketing campaigns.

• WEBFORM_ID_BY_LOGIN_DEFAULT – If set, the Identify User By option will be enabled in the Campaign Editor.

• WEBFORM_ID_BY_LOGIN_REQUIRED_DEFAULT – Provides the same functionality as WEBFORM_ID_BY_LOGIN_DEFAULT, but also forces the display of the login/password screen for all users.

• WEBFORM_ID_BY_COOKIE_DEFAULT – If set, the Set Browser Cookie on Submit option will be enabled in the Campaign Editor.

• WEBFORM_ID_BY_URL_PARAM_DEFAULT – If set, the Identify User By option will be enabled in the Campaign Editor.

• WEBFORM_SET_COOKIE_DEFAULT – If set, the Set Browser Cookie on Submit option will be enabled in the Campaign Editor.

Setting these values provides master control over the security of the campaign pages, because the functionality is set by default rather than left for the designer to configure manually. If possible, this method should be used to prevent an inadvertent reduction in the desired security. Using a login/password combination is the highest level of security, but it may be impractical.

RN Marketing > General > Miscellaneous > RNW_COOKIE_EXP

This setting determines whether a cookie is set on the Marketing site and the length of time before the cookie expires. Cookies are a convenience, but the opportunity for hijacking a cookie implies some risk. If this value is positive, it should be reasonably short to prevent misuse of the cookie. The recommended maximum lifetime for a cookie is 24 hours (1440 minutes), and a shorter time provides better security.

Appendix A

Recommended Settings Alphabetically

Note: Some configuration settings are not available to hosted sites.

Configuration Verb               Criticality  Recommended Setting
ADMIN_PORT                       Low
AGENT_PORT                       Low
Campaigns                        Med          Depends on need
CT_PASSWD_DISP                   Med          Display as password or nothing
DB_LOGIN                         High         Avoid common names
DB_PASSWD                        High         12 character minimum
DB_PORT                          Low
DE_CUST_PASSWD_ENABLED           High         Enabled
EGW_PASSWD_CREATE                Med          Enabled
EGW_SECURE_UPDATE_ENABLED        Med          Enabled
ERR_INT_ERROR_DETAILS_ENABLED    High         Disabled
EU_FA_ENABLED                    Med          Depends on need
GOB_VALID_ADMIN_HOSTS            High         Depends on need
FATTACH_MAX_SIZE                 Low          As small as practical
II_CONNECT                       Low          Enable only if needed
II_EMAIL_ERROR_ADDR              Low
II_SEC_EMAIL_STR                 Low
II_SEC_WEB_STR                   Low
MYSEC_AUTO_CUST_CREATE           Low          Depends on need
MYSEC_LI_PASSWD                  Med          12 character minimum, not blank
MYSEC_LOGIN_COOKIE_EXP           High         Less than 1440 minutes
MYSEC_MIN_PASSWD_LEN             High         8-12 characters
MYSEC_SESSION_ID_EXP             High         Less than 60 minutes
RNMD_PORT                        Low
RNW_COOKIE_EXP                   High         Less than 60 minutes
SEC_ADMIN_HTTPS                  High         Enabled
SEC_CONFIG_PASSWD                High         12 character minimum
SEC_END_USER_HTTPS               Med          Enabled
SEC_P3P_COMPACT_HDR              Low
SEC_VALID_ADMIN_HOSTS            High         Enabled and set
SEC_VALID_ENDUSER_HOSTS          Low          Depends on need
SEC_INVALID_ENDUSER_HOSTS        Low          Depends on need
SEC_VALID_INTEG_HOSTS            Low          Depends on need
SEC_EU_ADMIN_HOSTS               Low          Depends on need
SEC_SPIDER_USER_AGENT            Low          Depends on need
SEC_INVALID_USER_AGENT           Low          Depends on need
SERVLET_HTTP_PORT                Low
SRV_CHAT_INTERNAL_NET            High         Depends on need
SUBMIT_TOKEN_EXP                 Med          30 minutes
USER_PORT                        Low
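The recommendations in this table, together with the thresholds given in the setting descriptions above (cookie lifetimes, session expiry, the 12-character minimum for database, configuration and pass-through passwords, and the rule against default database account names), can be checked mechanically against a site's configuration. The following is an added example, not code from the RightNow manual or product: it parses a constructed "VERB=value" export, applies those recommendations, and lists every setting that does not meet them with its criticality. The manual does not describe an export format, so the line format, the list of default account names and all sample values are assumptions made for the example.

```python
"""Added example (not from the RightNow manual or product): audit an exported
configuration against the Appendix A recommendations. The 'VERB=value' export
format and every sample value are assumptions constructed for the example."""

# Assumed list of account names an attacker would try first for DB_LOGIN.
DEFAULT_ACCOUNT_NAMES = {"", "root", "admin", "administrator", "mysql", "sa"}


def parse_export(text):
    """Parse 'VERB=value' lines into a dict; blank lines and '#' comments are skipped."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verb, sep, value = line.partition("=")
        if sep:
            config[verb.strip()] = value.strip()
    return config


def enabled(cfg, verb):
    """True if the verb holds a value this example treats as 'enabled' (assumed spellings)."""
    return cfg.get(verb, "").lower() in ("1", "true", "yes", "on", "enabled")


def number(cfg, verb):
    """Integer value of the verb, or None if missing or non-numeric."""
    try:
        return int(cfg.get(verb, ""))
    except ValueError:
        return None


def long_enough(cfg, verb, minimum=12):
    """Password verbs must be present, non-blank and at least `minimum` characters."""
    value = cfg.get(verb, "")
    return value != "" and len(value) >= minimum


def audit(cfg):
    """Return [(criticality, verb, recommendation)] for every check that fails."""
    cookie = number(cfg, "MYSEC_LOGIN_COOKIE_EXP")
    session = number(cfg, "MYSEC_SESSION_ID_EXP")
    min_len = number(cfg, "MYSEC_MIN_PASSWD_LEN")
    rnw_cookie = number(cfg, "RNW_COOKIE_EXP")
    token = number(cfg, "SUBMIT_TOKEN_EXP")
    checks = [
        ("High", "SEC_ADMIN_HTTPS", enabled(cfg, "SEC_ADMIN_HTTPS"), "should be enabled"),
        ("High", "ERR_INT_ERROR_DETAILS_ENABLED", not enabled(cfg, "ERR_INT_ERROR_DETAILS_ENABLED"), "should be disabled"),
        ("High", "DE_CUST_PASSWD_ENABLED", enabled(cfg, "DE_CUST_PASSWD_ENABLED"), "should be enabled"),
        ("High", "DB_LOGIN", cfg.get("DB_LOGIN", "").lower() not in DEFAULT_ACCOUNT_NAMES, "avoid blank, default or administrative names"),
        ("High", "DB_PASSWD", long_enough(cfg, "DB_PASSWD"), "12 character minimum"),
        ("High", "SEC_CONFIG_PASSWD", long_enough(cfg, "SEC_CONFIG_PASSWD"), "12 character minimum"),
        ("High", "SEC_VALID_ADMIN_HOSTS", cfg.get("SEC_VALID_ADMIN_HOSTS", "") != "", "should be enabled and set"),
        ("High", "MYSEC_LOGIN_COOKIE_EXP", cookie is not None and cookie < 1440, "less than 1440 minutes"),
        ("High", "MYSEC_SESSION_ID_EXP", session is not None and session <= 60, "60 minutes is the maximum"),
        ("High", "MYSEC_MIN_PASSWD_LEN", min_len is not None and min_len >= 8, "8-12 characters"),
        # A non-positive RNW_COOKIE_EXP means no marketing cookie is set, which passes.
        ("High", "RNW_COOKIE_EXP", rnw_cookie is not None and rnw_cookie < 60, "less than 60 minutes when a cookie is set"),
        # Only meaningful with pass-through authentication, so checked only when present.
        ("Med", "MYSEC_LI_PASSWD", "MYSEC_LI_PASSWD" not in cfg or long_enough(cfg, "MYSEC_LI_PASSWD"), "12 character minimum, not blank"),
        ("Med", "EGW_PASSWD_CREATE", enabled(cfg, "EGW_PASSWD_CREATE"), "should be enabled"),
        ("Med", "EGW_SECURE_UPDATE_ENABLED", enabled(cfg, "EGW_SECURE_UPDATE_ENABLED"), "should be enabled"),
        ("Med", "SEC_END_USER_HTTPS", enabled(cfg, "SEC_END_USER_HTTPS"), "should be enabled"),
        ("Med", "SUBMIT_TOKEN_EXP", token is not None and token <= 30, "30 minutes"),
    ]
    return [(crit, verb, reason) for crit, verb, ok, reason in checks if not ok]


# Constructed sample export containing several deliberately weak values.
SAMPLE_EXPORT = """\
# constructed sample, not a real site export
SEC_ADMIN_HTTPS=1
ERR_INT_ERROR_DETAILS_ENABLED=1
DE_CUST_PASSWD_ENABLED=1
DB_LOGIN=root
DB_PASSWD=correct-horse-battery
SEC_CONFIG_PASSWD=short
SEC_VALID_ADMIN_HOSTS=
MYSEC_LOGIN_COOKIE_EXP=43200
MYSEC_SESSION_ID_EXP=60
MYSEC_MIN_PASSWD_LEN=6
RNW_COOKIE_EXP=0
MYSEC_LI_PASSWD=pass-through-secret-value
EGW_PASSWD_CREATE=1
EGW_SECURE_UPDATE_ENABLED=0
SEC_END_USER_HTTPS=1
SUBMIT_TOKEN_EXP=30
"""

if __name__ == "__main__":
    for crit, verb, reason in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{crit}] {verb}: {reason}")
```

Verbs that the manual marks "Depends on need" are deliberately not checked, because no fixed value is correct for every site; the port settings are covered by the firewall check rather than by a configuration value.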

Page 19: RightNow 7.x Security Hardening Manual...3 1 Introduction Right Now Technologies takes the security of its products very seriously and makes every effort to insure that its products

19

Appendix B

Recommended Settings by Criticality

Note: Some configuration settings are not available to hosted sites.

Configuration Verb               Criticality  Recommended Setting
DB_LOGIN                         High         Avoid common names
DB_PASSWD                        High         12 character minimum
DE_CUST_PASSWD_ENABLED           High         Enabled
ERR_INT_ERROR_DETAILS_ENABLED    High         Disabled
GOB_VALID_ADMIN_HOSTS            High         Depends on need
II_CONNECT                       High         Enable only if necessary
MYSEC_LOGIN_COOKIE_EXP           High         Less than 1440 minutes
MYSEC_MIN_PASSWD_LEN             High         8-12 characters
MYSEC_SESSION_ID_EXP             High         Less than 60 minutes
RNW_COOKIE_EXP                   High         Less than 60 minutes
SEC_ADMIN_HTTPS                  High         Enabled
SEC_CONFIG_PASSWD                High         12 character minimum
SEC_VALID_ADMIN_HOSTS            High         Enabled and set
SRV_CHAT_INTERNAL_NET            High         Depends on need
Campaigns                        Med          Depends on need
CT_PASSWD_DISP                   Med          Display as password or nothing
EGW_PASSWD_CREATE                Med          Enabled
EGW_SECURE_UPDATE_ENABLED        Med          Enabled
EU_FA_ENABLED                    Med          Depends on need
MYSEC_LI_PASSWD                  Med          12 character minimum, not blank
SEC_END_USER_HTTPS               Med          Enabled
SUBMIT_TOKEN_EXP                 Med          30 minutes
ADMIN_PORT                       Low
AGENT_PORT                       Low
DB_PORT                          Low
FATTACH_MAX_SIZE                 Low          As small as practical
II_EMAIL_ERROR_ADDR              Low
II_SEC_EMAIL_STR                 Low
II_SEC_WEB_STR                   Low
MYSEC_AUTO_CUST_CREATE           Low          Depends on need
RNMD_PORT                        Low
SEC_P3P_COMPACT_HDR              Low
SEC_EU_ADMIN_HOSTS               Low          Depends on need
SEC_INVALID_ENDUSER_HOSTS        Low          Depends on need
SEC_INVALID_USER_AGENT           Low          Depends on need
SEC_SPIDER_USER_AGENT            Low          Depends on need
SEC_VALID_ENDUSER_HOSTS          Low          Depends on need
SEC_VALID_INTEG_HOSTS            Low          Depends on need
SERVLET_HTTP_PORT                Low
USER_PORT                        Low

Appendix C

Recommended Settings By Type

The following is a list of the minimal set of security-related items that should be considered when configuring the product. Not all must be modified from the default, but the effect of each should be considered in the context of the security needs of your site.

Note: Some configuration settings are not available to hosted sites.

□ Authentication
  ○ DE_CUST_PASSWD_ENABLED
  ○ DB_LOGIN
  ○ DB_PASSWD
  ○ SEC_CONFIG_PASSWD
  ○ MYSEC_MIN_PASSWD_LEN
  ○ MYSEC_LI_PASSWD
  ○ EGW_PASSWD_CREATE
  ○ GOB_VALID_ADMIN_HOSTS
  ○ SRV_CHAT_INTERNAL_NET

□ Administrative site protection
  ○ SEC_ADMIN_HTTPS
  ○ SEC_VALID_ADMIN_HOSTS
  ○ EU_FA_ENABLED
  ○ FATTACH_MAX_SIZE
  ○ SEC_INVALID_ENDUSER_HOSTS
  ○ SEC_INVALID_USER_AGENT
  ○ SEC_SPIDER_USER_AGENT
  ○ SEC_VALID_ENDUSER_HOSTS

□ Session Management
  ○ MYSEC_LOGIN_COOKIE_EXP
  ○ MYSEC_SESSION_ID_EXP
  ○ RNW_COOKIE_EXP

□ Other
  ○ EGW_SECURE_UPDATE_ENABLED
  ○ SEC_VALID_ENDUSER_HOSTS
  ○ SEC_VALID_INTEG_HOSTS
  ○ OT_PASSWD_DISP
  ○ CT_PASSWD_DISP
  ○ SEC_END_USER_HTTPS
  ○ ERR_INT_ERROR_DETAILS_ENABLED
  ○ Campaigns

Appendix D

Security Level Settings

Each site has unique considerations, but the following represent configuration settings that should be considered to achieve the level of security indicated. A blank entry indicates that the setting can be ignored for the given level.

Note: Some configuration settings are not available to hosted sites.

Configuration Verb High Moderate Low

ADMIN_PORT

AGENT_PORT

Campaigns

CT_PASSWD_DISP

DB_LOGIN Set Set Set

DB_PASSWD Set Set Set

DB_PORT

DE_CUST_PASSWD_ENABLED Enable Enable

EGW_PASSWD_CREATE Enable Enable

EGW_SECURE_UPDATE_ENABLED Enable Enable

ERR_INT_ERROR_DETAILS_ENABLED Disable Disable

EU_FA_ENABLED (1) (1) (1)

FATTACH_MAX_SIZE (3) (3) (3)

GOB_VALID_ADMIN_HOSTS (1) (1) (1)

II_CONNECT (1) (1) (1)

II_EMAIL_ERROR_ADDR (1) (1) (1)

II_SEC_EMAIL_STR (1) (1) (1)

II_SEC_WEB_STR (1) (1) (1)

MYSEC_AUTO_CUST_CREATE Disable Disable

MYSEC_LI_PASSWD Set Set Set

MYSEC_LOGIN_COOKIE_EXP -1 < 480 < 14,400

MYSEC_MIN_PASSWD_LEN 10 characters 8 characters 6 characters

MYSEC_SESSION_ID_EXP Minimum Time < 30 min < 60 min

CT_PASSWD_DISP 0 2

RNMD_PORT

RNW_COOKIE_EXP -1 < 480 < 14,400

SEC_ADMIN_HTTPS Enable (2)

SEC_CONFIG_PASSWD Set Set Set

SEC_END_USER_HTTPS Enable

SEC_P3P_COMPACT_HDR Configure

SEC_VALID_ADMIN_HOSTS (2) (2)

SEC_VALID_ENDUSER_HOSTS (2)

SEC_INVALID_ENDUSER_HOSTS (2)

SEC_VALID_INTEG_HOSTS (2)

SEC_EU_ADMIN_HOSTS (2)

SEC_SPIDER_USER_AGENT (2)

SEC_INVALID_USER_AGENT (2)

SERVLET_HTTP_PORT

SRV_CHAT_INTERNAL_NET (1)

SUBMIT_TOKEN_EXP 30-60 sec 30-300 sec 30-1000 sec

USER_PORT

Notes:
Some configuration settings are not available to hosted sites.
(1) Set if necessary for site needs.
(2) Set if practical.
(3) Set this value as small as practical given the needs of the site.