1. How to allow Laserfiche sessions from authorised PCs only (not from a cybercafe)?
2. How to ensure that if a local PC is infected (virus, malware, trojan), our servers will not get infected, e.g. an infected file is uploaded to the Laserfiche server? Is there any antivirus that integrates with Laserfiche?
3. How to ensure that if a local PC has been hacked, the hacker will not be able to retrieve corporate information?
4. Can we use two-factor authentication (use of a token or any other means)? The scenario is accessing Laserfiche via Web Access from a public PC or cybercafe.
5. How to monitor which users have connected remotely? Log report?
6. Are there any policies which can be applied for automatic timeout/lockout of web sessions?
Question: Laserfiche web access security
Answer
Kenneth's answers are mostly correct, but I wanted to throw in my 2 cents.
Almost none of the access/authentication issues you ask about are best addressed at the application (Web Access) layer. You would enforce them at the network/IIS level. For instance, installing Web Access inside your network and requiring users to use a VPN tunnel to access it can solve the two-factor authentication issue (the VPN connection could require two-factor authentication).
If you really want to control which client machines can connect, you can use client certificates. This is something you would configure in either IIS or your proxy server. You can also filter by IP address, though this is usually a harder solution to maintain. A proxy server could also be configured to use two-factor authentication; see e.g. this tutorial. Similarly, session timeouts can be configured through the IIS management tool.
For your concerns about the machine getting hacked, this gets even less specific to the application in question. Two-factor authentication is one important defense against e.g. keyloggers, but in general a compromised machine can't be trusted to properly secure the data its user has access to. It could record screen captures and send them to a remote server, and there's little to prevent this once the machine has been hacked. Your best bet is to follow general IT best practices - keep your software up-to-date, don't give users rights to install software, run periodic malware checks, etc.
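The IIS-level controls the answer points to (client certificates, IP filtering, session timeout), as an added PowerShell example that is not part of this thread or of Laserfiche's own tooling; the site path, application name and address ranges are assumptions you would replace with your own.

```powershell
# Added example: hardening the IIS application that hosts Laserfiche Web Access with the
# WebAdministration module that ships with IIS. Assumptions: the site is "Default Web Site",
# Web Access is the application "/laserfiche", and the address ranges are constructed samples.
# Run from an elevated PowerShell on the IIS server with IP and Domain Restrictions installed.
Import-Module WebAdministration

$AppPath = 'IIS:\Sites\Default Web Site\laserfiche'   # assumption: Web Access application path
$CorporateRanges = @(
    @{ ipAddress = '10.10.0.0';    subnetMask = '255.255.0.0'   }  # constructed: office LAN
    @{ ipAddress = '192.168.50.0'; subnetMask = '255.255.255.0' }  # constructed: VPN client pool
)

# Both sections are locked at server level by default; unlock them so the application
# can carry its own settings.
foreach ($section in 'system.webServer/security/access', 'system.webServer/security/ipSecurity') {
    Set-WebConfiguration -PSPath 'IIS:\' -Filter $section -Metadata overrideMode -Value Allow
}

# 1. Require TLS plus a client certificate, so only a machine holding a certificate issued by
#    your CA can open a session (question 1). Mapping certificates to accounts is configured
#    separately; this setting only makes presenting a certificate mandatory.
Set-WebConfigurationProperty -PSPath $AppPath -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslRequireCert'

# 2. IP allow-list as a second layer: deny anything unlisted, then allow the corporate ranges.
#    The section is cleared first so the script can be re-run without duplicate entries.
Clear-WebConfiguration -PSPath $AppPath -Filter 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $AppPath -Filter 'system.webServer/security/ipSecurity' `
    -Name allowUnlisted -Value $false
foreach ($range in $CorporateRanges) {
    Add-WebConfigurationProperty -PSPath $AppPath -Filter 'system.webServer/security/ipSecurity' `
        -Name '.' -Value @{ ipAddress = $range.ipAddress; subnetMask = $range.subnetMask; allowed = $true }
}

# 3. Idle timeout for the ASP.NET session (question 6); 15 minutes is a sample value.
Set-WebConfigurationProperty -PSPath $AppPath -Filter 'system.web/sessionState' `
    -Name timeout -Value '00:15:00'

# 4. Read the effective settings back so the change can be verified and recorded.
$access = Get-WebConfiguration -PSPath $AppPath -Filter 'system.webServer/security/access'
$ipsec  = Get-WebConfiguration -PSPath $AppPath -Filter 'system.webServer/security/ipSecurity'
$state  = Get-WebConfiguration -PSPath $AppPath -Filter 'system.web/sessionState'
[pscustomobject]@{
    SslFlags       = $access.sslFlags
    AllowUnlisted  = $ipsec.allowUnlisted
    AllowedRanges  = (Get-WebConfiguration -PSPath $AppPath -Filter 'system.webServer/security/ipSecurity/add' |
                      ForEach-Object { "$($_.ipAddress)/$($_.subnetMask)" }) -join ', '
    SessionTimeout = $state.timeout
}
```

The client-certificate requirement is what actually limits sessions to enrolled machines; the IP list only narrows where connections may originate, which is why the answer calls it the harder option to maintain.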
Replies
- If you cannot connect to it from a cybercafe, would you not want it to work from any location outside the network? (You can always have the servers internal to your network and not have them accessible from the outside internet unless you VPN in, but you can VPN from anywhere in a properly configured setup.)
- This is not really a Laserfiche issue, but a general IT issue. Run antivirus on your servers but exclude some of the services of Laserfiche to avoid any issues. I believe there are other questions you can find that refer to what to exclude from scans to avoid complications.
- This is Laserfiche. If you really want, you can have the users change their passwords often and have them be different from their Active Directory account passwords (if you are using those types of accounts/association). This is like any system: it's secure up to its weakest link, and the weak link will likely be the end user, as Laserfiche does as best it can to make sure it is secure. You can always have it so that users only have access to certain information, so the level of a breach would be quite limited depending on the level of the employee hacked. This is similar to any other system, and there are other ways to increase security through add-ons.
- Yes, there is another recent question that has some better information about this; I recommend you read through it.
- Audit Trail
- Yes, but I am not entirely sure where or what they are.
For the session timeout in IIS, this is not usually considered a security feature. Before you make changes to it, make sure you understand the downside (more frequent authentication, potential work interruptions) and that the benefit justifies it.