NetX takes security very seriously. To this end, we provide a number of security layers, as well as a variety of configuration options to meet your specific security requirements.
Session key configuration
When users successfully log in to NetX, they are issued a session key that authorizes their subsequent calls to the server. By default a session key is valid for 30 minutes of inactivity: every call that presents the key pushes its expiry forward, so an active session stays open while an idle one expires. Administrators can change that window with the following property:
Property | Description |
---|---|
user.sessionDuration | Length of time, in minutes, that internal session keys remain valid between uses. Only change this value if you understand the consequences: a longer window gives a leaked or stolen key more time in which it can be used. The default is 30. Value options: number. Requires restart? Yes |
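The sliding idle timeout described above, as an added example written for this page in Python (it is not NetX's own code): a session key that is valid for `user.sessionDuration` minutes after its last use, refreshed on every successful validation and dropped once it has sat idle too long. The `SessionStore`, `FakeClock` and `demo` names, and the injectable clock, are this example's own assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Hypothetical in-memory session store that mirrors the documented behaviour:
# a key is valid for `duration_min` minutes after its last use, and every
# successful validation moves that deadline forward (a sliding idle timeout).
DEFAULT_SESSION_DURATION_MIN = 30  # the documented default for user.sessionDuration


class SessionStore:
    def __init__(self, duration_min: int = DEFAULT_SESSION_DURATION_MIN,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if duration_min <= 0:
            raise ValueError("session duration must be a positive number of minutes")
        self.duration_s = duration_min * 60
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._sessions: Dict[str, Tuple[str, float]] = {}  # key -> (user, last_used)

    def create(self, user: str) -> str:
        # 32 random bytes from the OS CSPRNG; never derive keys from user data or time.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = (user, self.clock())
        return key

    def validate(self, key: str) -> Optional[str]:
        """Return the user bound to `key`, or None if it is unknown or has idled out."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, last_used = entry
        now = self.clock()
        if now - last_used > self.duration_s:
            del self._sessions[key]        # expired: drop it so it cannot be revived
            return None
        self._sessions[key] = (user, now)  # touch: the idle window starts again
        return user

    def logout(self, key: str) -> None:
        self._sessions.pop(key, None)


class FakeClock:
    """Manual clock for the demonstration: advance() moves time forward in minutes."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, minutes: float) -> None:
        self.now += minutes * 60


def demo() -> list:
    """Use a key three times within the window, then leave it idle past it."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    key = store.create("alice")
    seen = []
    for idle_minutes in (20, 20, 20, 31):   # 20-minute gaps keep it alive; 31 does not
        clock.advance(idle_minutes)
        seen.append(store.validate(key))
    return seen   # ['alice', 'alice', 'alice', None]


if __name__ == "__main__":
    print(demo())
```

The point of the walk-through is that total age is irrelevant: the key survives 60 minutes of steady use but dies after one 31-minute gap, which is exactly what "extended as long as it is being used" means for an attacker who captures a key from an idle browser tab.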
Login attempt restrictions
The first line of defense is blocking repeated login attempts. By default, an account is locked after 10 failed login attempts, and a locked account stays locked for 30 minutes. Both values can be adjusted with the following properties:
Property | Description |
---|---|
user.failedLoginAttemptThreshold | Number of failed login attempts after which the account is locked. Any integer value is valid; setting it to zero disables login failure blocking entirely. The default is 10. Value options: number. Requires restart? Yes |
user.failedLoginAttemptTimeout | How long, in minutes, a locked account remains locked. Any positive, non-zero integer is valid. The default is 30. Value options: number. Requires restart? Yes |
Additionally, any login attempt against a non-existent account locks that account name immediately, which thwarts brute-force attacks that guess usernames: once the name is locked, the system stops making database calls for it.
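The lockout policy of this section as one working illustration, added here in Python and not taken from NetX: lock after `threshold` failures for `timeout_min` minutes, a threshold of zero disables blocking, and an attempt against an unknown account name is locked on the first try without a credential check. The `LoginThrottle` and `login` names, the `USERS` table and the single `False` result for every refused attempt are this example's own assumptions.

```python
import hmac
import time
from typing import Callable, Dict

# Hypothetical lockout tracker following the documented rules. It illustrates
# the policy; it is not NetX's implementation.


class LoginThrottle:
    def __init__(self, threshold: int = 10, timeout_min: int = 30,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if threshold < 0:
            raise ValueError("user.failedLoginAttemptThreshold must be a non-negative integer")
        if timeout_min <= 0:
            raise ValueError("user.failedLoginAttemptTimeout must be a positive, non-zero integer")
        self.threshold = threshold
        self.timeout_s = timeout_min * 60
        self.clock = clock
        self._failures: Dict[str, int] = {}       # account -> failed attempts so far
        self._locked_until: Dict[str, float] = {} # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # The lock has run out: forget it together with the failure count.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def lock(self, account: str) -> None:
        self._locked_until[account] = self.clock() + self.timeout_s

    def record_failure(self, account: str) -> None:
        if self.threshold == 0:      # documented: zero disables blocking entirely
            return
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.threshold:
            self.lock(account)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


# Constructed stand-in for the credential store. A real deployment verifies a
# password hash here, never a stored plaintext.
USERS = {"alice": "correct horse battery staple"}


def login(throttle: LoginThrottle, account: str, password: str) -> bool:
    """True on success; locked, unknown and wrong-password cases all return False."""
    if throttle.is_locked(account):
        return False                   # no lookup and no credential check while locked
    if account not in USERS:
        throttle.lock(account)         # documented: unknown names are locked at once
        return False
    if hmac.compare_digest(USERS[account].encode(), password.encode()):
        throttle.record_success(account)
        return True
    throttle.record_failure(account)
    return False


def demo() -> dict:
    """Exercise the policy against a manual clock; returns what each step observed."""
    now = [0.0]
    throttle = LoginThrottle(threshold=3, timeout_min=30, clock=lambda: now[0])
    out = {}
    for _ in range(3):
        login(throttle, "alice", "wrong")
    out["locked_after_threshold"] = throttle.is_locked("alice")
    out["right_password_while_locked"] = login(throttle, "alice", USERS["alice"])
    now[0] += 31 * 60                                   # the 30-minute lock expires
    out["right_password_after_timeout"] = login(throttle, "alice", USERS["alice"])
    login(throttle, "mallory", "anything")              # account does not exist
    out["unknown_locked_on_first_try"] = throttle.is_locked("mallory")
    off = LoginThrottle(threshold=0, clock=lambda: now[0])
    for _ in range(50):
        login(off, "alice", "wrong")
    out["threshold_zero_never_locks"] = off.is_locked("alice")
    return out


if __name__ == "__main__":
    print(demo())
```

Two choices here are deliberate and worth copying: the lock is checked before the account lookup, so a locked name costs no database work, and every refused attempt returns the same value, so the response does not tell a caller whether the name exists or merely has the wrong password.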
Strict passwords
Finer control over users, including their passwords, is most easily obtained by delegating authentication to an external LDAP directory server or an SSO system. Where that is not an option, NetX provides its own password complexity controls. By default, passwords must be at least 8 characters long; the following properties tighten that further:
Changing password restriction settings does not affect existing users until they (or an administrator) next change the password on the account.
Property | Description |
---|---|
sys.minimumPasswordLength | Minimum number of characters a password must contain. The default is 8. Value options: number. Requires restart? No |
sys.passwordPattern | Comma-separated list of requirements, each written as a count followed by a character-class letter; the count is how many characters of that class every password must contain. For example, the value "2N,3U,2L" requires at least two numbers, three upper-case letters and two lower-case letters. The following are treated as "special characters": ! @ # $ % ^ & * ( ) + = _ - { } ? : ; < > . \| [ Value options: pattern string. Requires restart? Yes |
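A validator for the two properties above, added here as an example in Python rather than NetX's own code: it parses a `sys.passwordPattern` value such as "2N,3U,2L" and checks a candidate password against it and against `sys.minimumPasswordLength`. The page documents the letters N, U and L and the special-character set, but not the letter that selects that set; the "S" used below is an assumption, as are the `parse_pattern` and `check_password` names.

```python
import re
import string
from typing import Dict, List

# Exactly the characters the page lists as "special characters".
SPECIAL_CHARS = set("!@#$%^&*()+=_-{}?:;<>.|[")

# Pattern letters: N, U and L are documented ("2N,3U,2L"). The page does not
# give the letter for the special-character class; "S" is assumed here.
CLASSES: Dict[str, set] = {
    "N": set(string.digits),
    "U": set(string.ascii_uppercase),
    "L": set(string.ascii_lowercase),
    "S": SPECIAL_CHARS,   # assumed letter, not documented
}

_TOKEN = re.compile(r"^(\d+)([NULS])$")


def parse_pattern(pattern: str) -> Dict[str, int]:
    """Turn "2N,3U,2L" into {"N": 2, "U": 3, "L": 2}; a repeated letter adds up."""
    required: Dict[str, int] = {}
    for raw in pattern.split(","):
        token = raw.strip().upper()
        if not token:
            continue   # tolerate an empty property value or a trailing comma
        match = _TOKEN.match(token)
        if match is None:
            raise ValueError(f"invalid sys.passwordPattern token: {raw!r}")
        count, letter = int(match.group(1)), match.group(2)
        required[letter] = required.get(letter, 0) + count
    return required


def check_password(password: str, min_length: int = 8, pattern: str = "") -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below sys.minimumPasswordLength={min_length}")
    for letter, needed in parse_pattern(pattern).items():
        have = sum(1 for ch in password if ch in CLASSES[letter])
        if have < needed:
            problems.append(f"needs {needed} of class {letter}, has {have}")
    return problems


if __name__ == "__main__":
    for candidate in ("Abc12345", "ABCab123", "short1"):   # constructed samples
        print(candidate, check_password(candidate, pattern="2N,3U,2L") or "ok")
```

Reporting every violation at once, rather than stopping at the first, is what lets a user fix a rejected password in one attempt; rejecting an unparseable pattern with an exception, rather than silently ignoring it, is what stops a typo in the property from quietly disabling the policy.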
Password protection and encryption
Passwords are protected "over the wire", between the client and the server, by SSL/TLS. They are scrubbed from all backend logging and are stored in the NetX database only as hashes, never in clear or reversibly encrypted form. Where many applications stop at a plain SHA-256 digest, NetX has moved its password hashing to PBKDF2 as specified in PKCS #5 v2.0, which adds a per-password salt and an iteration count that makes offline guessing of stolen hashes far more expensive.
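The contrast the paragraph draws, shown as an added Python example that is not NetX's code: PBKDF2-HMAC-SHA256 with a random salt and a large iteration count, verified in constant time, next to the bare SHA-256 digest it replaces. The iteration count, salt size, record format and the `hash_password`, `verify_password` and `naive_sha256` names are this example's own choices; NetX's actual parameters are not given on the page.

```python
import base64
import hashlib
import hmac
import os

# Illustration of PBKDF2 (PKCS #5 v2.0) password storage beside the plain
# SHA-256 digest the text contrasts it with. Not NetX's code: the work factor,
# salt size and record format are this example's own choices.
PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to the login latency you can afford
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES)    # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                  # malformed record: refuse rather than guess
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early exit on mismatch


def naive_sha256(password: str) -> str:
    """The weaker scheme: no salt and one fast round, so equal inputs give equal output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"                 # constructed sample
    print(naive_sha256(pw) == naive_sha256(pw))         # True: a precomputed table works
    print(hash_password(pw) == hash_password(pw))       # False: the salt differs each time
    record = hash_password(pw)
    print(verify_password(pw, record), verify_password("wrong", record))   # True False
```

Storing the iteration count inside the record is what makes the work factor upgradeable: raise `PBKDF2_ITERATIONS` later and old records keep verifying with their own count until the user's next password change rewrites them.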
Common security checklist
- Password length: a minimum of 8 characters (sys.minimumPasswordLength).
- Password complexity: required counts of alphabetic, numeric and special characters (sys.passwordPattern).
- Account lockout threshold: 10 failed login attempts by default (user.failedLoginAttemptThreshold); a login attempt against a non-existent account is locked on the first try.
- Account lockout duration: 30 minutes by default (user.failedLoginAttemptTimeout).
- Inactive session timeout: 30 minutes (user.sessionDuration).
- Passwords are protected in transit using standard cryptographic methods: SSL/TLS.
- Passwords are hashed in storage using standard cryptographic methods: PBKDF2 (PKCS #5 v2.0).