Security Settings

Using Integrated Security and Directory Integration

Enabling Integrated Security

Integrated Security allows Analysts to use their workstation login ID and password to access ASM Core. This means that when they launch ASM Core, they do not need to enter a username and password, which makes logging in quicker. However, it also means that only the Analyst logged in to a particular workstation can access ASM Core from that workstation. You will still need to select the system you want to work with if there is more than one (such as Dev, Test, etc).

If you want to log in using the default Admin account and use integrated security, append noauth=true to the system URL to bring up the login window (e.g.: .../core.aspx?noauth=true). However, most administration functions can be performed by any Analyst as long as they have the permissions through their General Access security role.

If your system is configured for Active Directory integration through the Integration Platform Settings, Alemba recommends that you enable Integrated Security. If it is enabled for another type of directory server integration and Authenticate Imported People against Source is selected in the Integration Source Details for this directory server, this setting is ignored.

If you enable integrated security and select Authenticate Imported People against Source in the Integration Source Details for the directory server, a person record imported through a directory server integration scan will be authenticated using the details stored in the ASM database or the directory server. If you do not enable integrated security, people logging in will be authenticated using the details stored in the ASM database.

1. Select the Menu button , then Admin, and then select System Administration.

   The System Administration window is displayed, with a menu of options available. In the Explorer pane, expand Security.

2. Select the Security Settings option. The Security Settings window appears. Select the appropriate settings for your system:

Multi-Factor Authentication

Multi-Factor Authentication (MFA) adds an extra layer of security to your account by requiring both your password and a one-time code generated on your phone.

1. Admin/User Activation

Administrators can enable MFA for your account through the Core system (Person Details page) or the User can enable the MFA via the Self-Service Portal in the Update profile section.

When the Enable MFA button is clicked, the form will be submitted as usual. The User's existing MFA configuration (if any) will be cleared, and they will be redirected to the MFA Setup page to complete the configuration process. This action will be logged in the audit trail. The Enable MFA button will only be visible if MFA configuration is permitted.

MFA can be enabled by default for any user accounts created via: Entra ID (Azure Active Directory)/AD Connector if the MFA is enabled on the person template selected in the Resource type mapping page/Action/Import as Person/Using template.

MFA will work on top of any other authentication type: e.g. when using SAML, when using Windows authentication, LDAP, etc.

1. Accessing the User Interface

• Sign In to the ASM Core, NANO, API, Portal interface

• Once enabled, sign in as usual with your username and password.

• You will be automatically redirected to the MFA Setup page.

• Download an Authenticator App: Google Authenticator, Microsoft Authenticator or Authy

• Scan the QR Code

• Open the app and choose Scan QR code.

• Point your camera at the QR code shown on the screen.

• If you cannot scan, you can manually enter the secret key shown under the QR.

• Enter the Code

• Your app will now generate 6-digit codes.

• Enter the current code into the setup screen and submit.

• Once successful, your MFA setup is complete.

1. Additional info

During future sign-ins, you will be prompted to enter a 6-digit TOTP code from your app after entering your password.

If your code has expired (based on the admin-defined expiry window), you’ll be prompted to revalidate.

Resetting MFA: If you change phones or uninstall the app: contact your Administrator. They can reset MFA on your behalf from the ASM Core system.

Configuring Security Settings for Passwords

You can configure the security settings for Passwords that are used to log into ASM Core.

1. Select the Menu button , then Admin, and then select System Administration.

   The System Administration window is displayed, with a menu of options available. In the Explorer pane, expand Security.

2. Select the Security Settings option from the Explorer pane to display the Security Settings window. The Password Configuration options are in the second section of the window.

Password Policy

Enabling the Common Password Blacklist is just one aspect of implementing a good password policy. A well-rounded policy can bring numerous benefits, such as:

1. Enhanced Security: Strong, unique passwords reduce the risk of unauthorized access, protecting sensitive information from potential cyber threats.

2. Compliance: Many industries have regulations requiring stringent password policies. Adherence to these standards helps avoid legal and financial penalties.

3. User Awareness: Educates users on the importance of password security, encouraging safer online practices both at work and in personal life.

4. Reduced Breach Impact: By ensuring that each account has a unique, strong password, the impact of any single breach can be minimized.

5. Improved Security Posture: A good password policy is a foundational element of a robust security framework, enhancing overall system integrity and trustworthiness.

The following Attributes are available to control password complexity and other parameters:

• Upper Case

• Lower Case

• Number

• Special Characters

• Does not contain part of Name, Login ID, or email

  • Minimum Length (6 by default, you can alter this figure) Please see Caution above

• Password History (prevents reusing the same password and allows you to specify how many passwords are remembered.)

  • Passwords Remembered

• Minimum period between changes (you can set a figure in hours)

  • Hours

• Password Expiry (When checked, passwords will expire at the given interval you enter)

  • Expiry Period (Days)

• Encrypt Password (This encrypts the password in the database)

• Disable access on login failure (you will then specify how many failed attempts it takes to disable access and whether or not you want a call logged automatically. See Security Settings/Partitioned)

  • Max Failed Logins

  • Log Call on Access Disabled

• reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. It does this by challenging users to prove they are human by selecting images or typing in text.

  To implement reCAPTCHA on your website, you need the following:

  • API URL: The endpoint to which you will send verify requests.

  • Site Key: A public key provided by Google that is used in the HTML code of your site to display the reCAPTCHA widget.

  • Secret Key: A private key used in the server-side request to Google's reCAPTCHA verify API, ensuring the response is from Google.

Common Password Blacklist - Enable Common Password Blacklist

Enabling the Common Password Blacklist feature in ASM enhances your security measures by preventing the use of easily guessable or commonly used passwords. This blacklist is a collection of passwords that are deemed too weak or have been frequently exposed in data breaches. Administrators have the flexibility to update and customize this list according to their organization's specific security requirements, ensuring that users cannot choose these passwords when creating or updating their passwords. This is a crucial step in safeguarding your system against unauthorized access and potential security threats.

ASM contains a common password blacklist that when enabled, you may update as required. For example: