InRule's catalog service offers some configurable protections against common security attacks. The configurable protections are brute-force login protection and password complexity protection, described below.
Brute-Force Login Protection
It is possible to configure your existing InRule installation to protect against brute-force login attacks, provided that you are using a version of InRule that supports it (v5.7.2 or later).
Understanding Brute-Force Login Protection Settings
A brute-force login attack is one in which a malicious actor works through a list of potential user credentials, hoping that one is valid and so gains access to sensitive data. The catalog service has configuration settings that help mitigate such an attack.
These protection settings are turned off by default.
There are two settings which can be found and edited for the catalog service:
maximumNumberOfLoginAttempts tells the catalog service how many times a user's credentials can be entered incorrectly before the user is deactivated in irCatalog, which locks them out until an administrator reactivates them. For example, with maximumNumberOfLoginAttempts set to 4, after 4 consecutive failed login attempts against the same username that user's account is deactivated. Whether and when the count of attempts is reset depends on the value of the loginAttemptsWindowDurationInMinutes setting. If maximumNumberOfLoginAttempts is 0 or less, brute-force login protection is disabled.
loginAttemptsWindowDurationInMinutes tells the catalog service how long (in minutes) it keeps track of login attempts before resetting the number of failed login attempts back to zero. If the value is 0 or less, the number of failed login attempts is never reset unless the catalog service is restarted. While maximumNumberOfLoginAttempts is 0 or less, this setting has no effect.
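The interaction between the two settings is easiest to see by running a few failed and successful logins through a counter that follows the rules above. The following is an added example written for this page, not InRule's own code: it models the lockout behaviour as described, and it assumes (as the text does not say) that the window is measured from the first failed attempt of the current run, and that a successful login ends a run of consecutive failures. The event log is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """The two catalog-service settings described above (setting names from the page; this class is an assumption)."""
    maximumNumberOfLoginAttempts: int
    loginAttemptsWindowDurationInMinutes: int

    @property
    def enabled(self) -> bool:
        # A maximum of 0 or less disables brute-force login protection entirely.
        return self.maximumNumberOfLoginAttempts > 0


@dataclass
class _Streak:
    failures: int = 0
    window_start: Optional[float] = None  # minute of the first failure in the current window (assumption)


class LoginAttemptTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._streaks: dict[str, _Streak] = {}
        self.deactivated: set[str] = set()

    def record_failure(self, username: str, now_minutes: float) -> bool:
        """Record one failed login; return True when the account is (now or already) deactivated."""
        if not self.policy.enabled:
            return False
        if username in self.deactivated:
            return True  # stays locked until an administrator reactivates the user
        streak = self._streaks.setdefault(username, _Streak())
        window = self.policy.loginAttemptsWindowDurationInMinutes
        if streak.window_start is None:
            streak.window_start = now_minutes
        elif window > 0 and now_minutes - streak.window_start >= window:
            # Window elapsed: the count goes back to zero and a new window starts here.
            # With a window of 0 or less this branch never runs, so nothing resets the count.
            streak.failures = 0
            streak.window_start = now_minutes
        streak.failures += 1
        if streak.failures >= self.policy.maximumNumberOfLoginAttempts:
            self.deactivated.add(username)
            del self._streaks[username]
            return True
        return False

    def record_success(self, username: str) -> None:
        # Assumption: a successful login ends the run of consecutive failures.
        self._streaks.pop(username, None)

    def failures(self, username: str) -> int:
        return self._streaks[username].failures if username in self._streaks else 0

    def reactivate(self, username: str) -> None:
        # The administrator action the text refers to.
        self.deactivated.discard(username)


# Constructed event log: (minute, username, outcome).
SAMPLE_EVENTS = [
    (0, "alice", "fail"), (1, "alice", "fail"), (2, "alice", "fail"),
    (3, "alice", "ok"),
    (4, "alice", "fail"),
    (20, "alice", "fail"), (21, "alice", "fail"), (22, "alice", "fail"), (23, "alice", "fail"),
]


def deactivation_minute(policy: LockoutPolicy, events=SAMPLE_EVENTS) -> Optional[int]:
    """Replay the events; return the minute at which the account was deactivated, or None."""
    tracker = LoginAttemptTracker(policy)
    for minute, user, outcome in events:
        if outcome == "ok":
            tracker.record_success(user)
        elif tracker.record_failure(user, minute):
            return minute
    return None


if __name__ == "__main__":
    print("max 4, window 15:", deactivation_minute(LockoutPolicy(4, 15)))  # 23: the 15-minute gap reset the count
    print("max 4, window 0: ", deactivation_minute(LockoutPolicy(4, 0)))   # 22: no reset, failures accumulate
    print("max 0, window 15:", deactivation_minute(LockoutPolicy(0, 15)))  # None: protection disabled
```

With a 15-minute window the gap between minute 4 and minute 20 clears the count, so deactivation needs four fresh failures; with the window at 0 the failure at minute 4 still counts and the account is deactivated one attempt earlier.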
Enabling Brute-Force Login Protection
If you have multiple catalog services, this will need to be done per catalog service.
If you are hosting a catalog service using IIS, navigate to: (Your InRule Installation Root Directory)\irServer\RepositoryService\IisService\Web.config
If you are hosting a catalog service as a Windows Service, navigate to: (Your InRule Installation Root Directory)\irServer\RepositoryService\WindowsService
Open the configuration file and in the <appSettings> section you will find the maximumNumberOfLoginAttempts and loginAttemptsWindowDurationInMinutes settings.
Set those values to any integer value that you desire and then save the file.
Password Complexity Protection
It is possible to enable password complexity requirements for when a new user is created, provided that you are using a version of InRule that supports it (v5.7.2 or later).
Understanding the Password Complexity Settings
Simple or common passwords make it easier for malicious actors to guess user credentials, which then gives them unauthorized access to potentially sensitive data. Your Catalog Manager website can be configured to enable these protection settings.
When protection is turned on, user passwords have to meet the following criteria:
- must contain at least 10 characters
- must contain at least 1 letter
- must contain at least 1 number
- must contain at least 1 special character (see table below for valid special characters)
#: Number sign (pound or hash)
This protection is turned off by default.
Turning on this protection will not affect existing passwords; it will only be enforced when creating new passwords.
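The four criteria above can be checked with a small validator. This is an added example, not InRule's code, and it does not show how Catalog Manager itself validates passwords. Because only one row of the special-character table ("#", the number sign) is reproduced above, the VALID_SPECIAL_CHARACTERS set below is a constructed stand-in to be replaced with the characters your version of the table lists; treating any other non-alphanumeric character as invalid is also an assumption of this example.

```python
MIN_LENGTH = 10

# Constructed stand-in: "#" is the one character shown on the page; the rest are placeholders.
VALID_SPECIAL_CHARACTERS = frozenset("#!@$%^&*")


def password_problems(password: str, valid_specials=VALID_SPECIAL_CHARACTERS) -> list:
    """Return the list of criteria the password fails (empty list means it is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must contain at least {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("must contain at least 1 letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least 1 number")
    if not any(c in valid_specials for c in password):
        problems.append("must contain at least 1 special character")
    # Assumption: characters that are neither letters, digits nor listed specials are rejected.
    unrecognised = sorted({c for c in password if not c.isalnum() and c not in valid_specials})
    if unrecognised:
        problems.append("contains characters that are not valid special characters: " + repr("".join(unrecognised)))
    return problems


def is_acceptable(password: str, complexity_enabled: bool = True) -> bool:
    """Mirror the setting: with the protection off (the default) nothing is enforced."""
    if not complexity_enabled:
        return True
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor#x", "short1#", "abcdefghij", "abcdef 123#"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```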
Enabling the Password Complexity Settings in Catalog Manager Website
Navigate to: (Your InRule Installation Root Directory)\irServer\CatalogManagerWeb
Open the Web.config file and in the <appSettings> section you will find the following setting: <InRule.Catalog.AddUser.PasswordComplexityEnabled>
Set this value to true to turn the protection on.