This is the support page for the legacy Dundas Dashboard application. For assistance with the current Dundas BI application please click here.
Dashboard v5.0

Dundas Dashboard Security

Modified on Wed, 22 Aug 2012 11:49 AM Categorized as Configuration, Login, Mobile, Security


Overview

This article shows how to configure various security-related features in Dundas Dashboard.

HTTPS

HTTPS uses regular HTTP over an encrypted SSL/TLS connection to provide a secure communication channel between a client computer and a network web server.

Dundas Dashboard supports HTTPS out-of-the-box. However, your web server (IIS) and the Dundas Dashboard website must be set up to use SSL/HTTPS. See this article for details: How To Set Up an HTTPS Service in IIS.

Login security

Dundas Dashboard provides safeguards to prevent an external application from trying to guess a local user's password (e.g. by repeatedly trying to log in).

Locking out a local user account after a number of failed login attempts

Use the loginFailureLockoutThreshold key in the Dundas Dashboard Configuration File to specify the number of consecutive login failures that will cause a local user account to be disabled.

Example:

  1. Open the configuration file in Notepad. This file is located in the following folder by default:
    C:\Program Files\Dundas Data Visualization Inc\Dundas Dashboard\{InstanceName}\www
  2. Search for the loginFailureLockoutThreshold key.
  3. Uncomment the key if necessary and set its value to 5.
  4. Save the changes to the configuration file.
  5. Restart the Dundas Dashboard website for the changes to take effect.

Now, when someone (or an external application) tries to log in as a local user, but fails 5 times in a row (e.g. by entering the wrong password), the user account will be locked out. The login screen displays a corresponding message after the 5th attempt:

Locked out due to consecutive login failures.


If you are logged in as a Dundas Dashboard administrator, go to the Administration tab and expand the User Accounts folder to see the disabled user account. The disabled account appears with a lock icon, and its tooltip indicates the reason why the account was disabled.

Tooltip shows why a user has been locked out.


If the locked out user simply forgot the password, you can re-enable the account by editing the account and unchecking the “Account is disabled” checkbox:

Editing a locked out account.


Note: After re-enabling a locked out account, the corresponding user must successfully log in the next time or they will be immediately locked out once more (since it is still considered as a consecutive login failure).

Introducing a delay in the login process after a number of failed login attempts

Use the loginFailureDelayThreshold key in the Dundas Dashboard Configuration File to specify the number of consecutive login failures that will cause a delay to be injected into the process of logging in to that local user's account.

Example:

  1. Open the configuration file in Notepad. This file is located in the following folder by default:
    C:\Program Files\Dundas Data Visualization Inc\Dundas Dashboard\{InstanceName}\www
  2. Search for the loginFailureDelayThreshold key.
  3. Uncomment the key if necessary and set its value to 3.
  4. Save the changes to the configuration file.
  5. Restart the Dundas Dashboard website for the changes to take effect.

Now, when the user tries to log in using a local account, but fails 3 times in a row, a delay will be introduced that forces the user to wait a period of time before being allowed to attempt another login. The waiting period increases gradually as more login failures occur.

Note: The loginFailureLockoutThreshold and loginFailureDelayThreshold keys are independent and both can be used at the same time.
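The following Python model is an added example, not Dundas code: it tracks the consecutive-failure counter against both keys using the values from the examples above (delay at 3, lockout at 5) and reproduces the re-enable caveat from the earlier note. The doubling delay schedule and the names LocalAccount, attempt, admin_reenable and timeline are assumptions; the page only says the wait increases gradually.

```python
from dataclasses import dataclass


@dataclass
class LocalAccount:
    lockout_threshold: int = 5  # loginFailureLockoutThreshold (value from the example)
    delay_threshold: int = 3    # loginFailureDelayThreshold (value from the example)
    failures: int = 0           # consecutive failed logins
    disabled: bool = False

    def delay_seconds(self) -> int:
        """Wait imposed before the next attempt is accepted."""
        if self.disabled or self.failures < self.delay_threshold:
            return 0
        # Assumed schedule (1s, 2s, 4s, ...); the product's real schedule is not documented here.
        return 2 ** (self.failures - self.delay_threshold)

    def attempt(self, password_ok: bool) -> str:
        if self.disabled:
            return "locked"
        if password_ok:
            self.failures = 0  # a successful login ends the consecutive run
            return "ok"
        self.failures += 1
        if self.failures >= self.lockout_threshold:
            self.disabled = True
            return "locked"
        return "failed"

    def admin_reenable(self) -> None:
        # Per the note above, re-enabling does not clear the failure count,
        # so the next failed login locks the account again immediately.
        self.disabled = False


def timeline(account: LocalAccount, outcomes):
    """Return (result, consecutive_failures, delay_before_next_attempt) per attempt."""
    rows = []
    for ok in outcomes:
        result = account.attempt(ok)
        rows.append((result, account.failures, account.delay_seconds()))
    return rows


if __name__ == "__main__":
    acct = LocalAccount()
    for row in timeline(acct, [False] * 5):
        print(row)
    acct.admin_reenable()
    print("after re-enable, one more failure:", acct.attempt(False))
```

With these values a password-guessing client gets four rejected guesses per account, the last two of them slowed down, before the fifth failure disables the account.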

Password change policy

For local user accounts, Dundas Dashboard supports restrictions on passwords to prevent users from changing their passwords to ones that are too easily guessed.

For example, local users are prevented by default from changing to a password that includes their username.

Password change disallowed because it contains the username.


Further restrictions on passwords can be set using the password policy keys in the Dundas Dashboard configuration file.

| Configuration Key | Description | Default Value |
| --- | --- | --- |
| PasswordPolicy.AllowChange | A value indicating whether users are allowed to change their password. If set to False, the Change Password button will not be available in the user's Edit Profile screen. | True |
| PasswordPolicy.AllowContainUsername | A value indicating whether a local user's password may contain the username as a substring. | False |
| PasswordPolicy.MinimumLength | The minimum length of a local user's password. A value of 0 indicates there is no minimum length. | 0 |
| PasswordPolicy.RequireMixedAlphaNum | A value indicating whether a local user's password must contain at least one letter and one number. | False |
| PasswordPolicy.RequireMixedCase | A value indicating whether a local user's password must contain at least one uppercase letter and one lowercase letter. | False |
| PasswordPolicy.RequireSymbol | A value indicating whether a local user's password must contain at least one symbol character. A symbol is any keyboard character that is not a letter, number, or whitespace. | False |
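To see what a given combination of these keys actually admits, the added Python sketch below (not Dundas code) evaluates candidate passwords against the six keys as described in the table, starting from the documented defaults. The case-insensitive username match, the function names and the sample "hardened" values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Field names mirror the PasswordPolicy.* keys; defaults are the documented defaults.
    AllowChange: bool = True
    AllowContainUsername: bool = False
    MinimumLength: int = 0
    RequireMixedAlphaNum: bool = False
    RequireMixedCase: bool = False
    RequireSymbol: bool = False


def violations(policy: PasswordPolicy, username: str, password: str) -> list:
    """Return the policy keys that would reject this password change."""
    if not policy.AllowChange:
        return ["PasswordPolicy.AllowChange"]
    failed = []
    # Assumption: the substring test ignores case; the page does not say.
    if not policy.AllowContainUsername and username.lower() in password.lower():
        failed.append("PasswordPolicy.AllowContainUsername")
    if len(password) < policy.MinimumLength:
        failed.append("PasswordPolicy.MinimumLength")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if policy.RequireMixedAlphaNum and not (has_letter and has_digit):
        failed.append("PasswordPolicy.RequireMixedAlphaNum")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.RequireMixedCase and not (has_upper and has_lower):
        failed.append("PasswordPolicy.RequireMixedCase")
    # Symbol as defined in the table: not a letter, number, or whitespace.
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    if policy.RequireSymbol and not has_symbol:
        failed.append("PasswordPolicy.RequireSymbol")
    return failed


def audit(policy: PasswordPolicy, username: str, candidates) -> dict:
    """Map each candidate password to the keys that reject it (empty list = accepted)."""
    return {pw: violations(policy, username, pw) for pw in candidates}


if __name__ == "__main__":
    samples = ["a", "jsmith1", "JSmith2012", "Tr1cky-Horse-Battery"]  # constructed samples
    hardened = PasswordPolicy(MinimumLength=12, RequireMixedAlphaNum=True,
                              RequireMixedCase=True, RequireSymbol=True)
    for name, pol in (("default", PasswordPolicy()), ("hardened", hardened)):
        print(name, audit(pol, "jsmith", samples))
```

Under the default values a one-character password passes, since only the username check is active.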

FIPS compliance

Dundas Dashboard can run on servers that have been configured to use only FIPS-compliant (Federal Information Processing Standard) algorithms for encryption, hashing, and signing.

To configure a Windows computer to use only FIPS-compliant algorithms:

  1. Click the Start menu and search for ‘security’.
  2. Click Local Security Policy.
  3. Under Security Settings, expand Local Policies.
  4. Under Local Policies, select Security Options.
  5. Double-click the item in the right pane: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
  6. Enable or disable the setting as desired.

Enabling use of FIPS-compliant algorithms.


Note: If you enable the use of only FIPS-compliant algorithms on Windows XP, Dundas Dashboard will not be able to run. This is because Windows XP does not fully support FIPS-compliant algorithms. Thus, on Windows XP, you must leave this setting disabled in order to use Dundas Dashboard.

Mobile applications security

Dundas Dashboard mobile applications support HTTPS/SSL. Using HTTPS is recommended in this case since all traffic will be encrypted. Note that your web server (IIS) and the Dundas Dashboard website must be set up to use HTTPS/SSL.

The mobile apps also store some preferences and settings in the phone storage. All passwords are encrypted and saved in application-protected storage on each mobile device.

Hiding error details

When an error or exception occurs in the application, normally you will see an error dialog that gives you more information (such as a program stack trace) when you click the Details button. While such information can be of aid in troubleshooting issues, some organizations have a security policy that disallows the use of applications that expose internal information such as stack traces. In this case, there is an optional configuration file key, HideExceptionDetails, which can be used to hide details from any error or exception reporting in the application.


Copyright © 2009-2014 Dundas Data Visualization, Inc.