Version: 2.2.0

Security considerations

The security information in this section is provided to help the user in the security planning process. Nevertheless, it does not contain a thorough description of any security resource or support level. For general information about the SoftExpert Suite security architecture, refer to the SoftExpert Suite - System Architecture Overview document, "Security architecture" section.

warning

As of version 2.2, the HTTPS protocol is mandatory in order to increase security within SoftExpert Suite. We suggest using a valid digital certificate issued by a certificate authority. If the organization does not have a valid certificate available, a self-signed one can be generated; however, keep in mind that self-signed certificates are intended for non-production environments only.

Understanding IIS access rights

SoftExpert Suite requires a local or domain user, a Guests group member, or a member of any group that allows executing the PHP exec function.

warning

The #exec function is required in order for Server-Side Includes (SSI) to be enabled in IIS. By default, this function is already enabled. The Windows group policy configuration may also disable cmd execution.

Understanding the Firewall configuration

SoftExpert Suite uses services with specific functions, such as report generation, activity execution, and more. Communication between the application and those services is defined through the communication ports that will be set up in the firewall. Thus, LAN or WAN workstations may access those services.

caution

For more information about the SoftExpert Suite network, refer to the SoftExpert Suite - System Architecture Overview document, "Network architecture" topic.

warning

SoftExpert Suite uses internal communication ports to access the services. If those services are installed on another server, set up the firewall to allow access between the Web server and the server in which the services are installed.

Determine the browser configuration security requirements

SoftExpert Suite requires that the rights to download files, open popups, and execute ActiveX and scripts be enabled in your browser. We recommend you add the SoftExpert Suite URL to the Trusted Sites zone, and set the security level to Low for that zone.

Set security software configurations

SoftExpert Suite may have sessions, URL content, popups, and file types blocked by security software such as Antivirus, URL Scan, Firewall, Proxy, etc. Please check if your security software is correctly configured and, if necessary, set SoftExpert Suite as an exception in that software.

Set the e-mail server configuration security

SoftExpert Suite uses an external e-mail server to send notifications. Make sure your e-mail server is configured to accept e-mails sent from the Web server and that your e-mail account is configured in SoftExpert Suite.

warning

E-mail filter rules may block e-mails sent by SoftExpert Suite. Check if the e-mail rules are configured correctly.

Understanding “Single Sign-on Authentication”

SoftExpert Suite is integrated with LDAP servers, especially with Microsoft Active Directory, by means of a service. This service is responsible for user authentication in LDAP and for notifying SoftExpert Suite to allow access to the system. It also synchronizes user data between LDAP and SoftExpert Suite, allowing new users to be imported, information to be updated, and/or deleted users to be disabled.

caution
  • For information about browser settings for single sign-on to work, refer to the SoftExpert Suite - Installation Guide (Linux) or (Windows).
  • For information about system settings for single sign-on to work, refer to the SoftExpert Configuration documentation, "Authentication configuration" section.