SpendMap User Guide (v14.8)

Field

Description

After (#) failed login attempts

•This setting can be used to ward off automated attempts to gain access to the system (i.e. hacking in) by cycling through user ID and password combinations. This setting applies whether you are using internal passwords or Active Directory Integration.

•Enter the number of permitted failed login attempts (i.e. when someone tries to log in with an invalid user ID and/or password) and then select an option, below, for what to do when this limit is exceeded. Enter zero (0) do disable this feature and allow an unlimited number of failed login attempts (not recommended).

Options when max failed login attempts are exceeded:

•Force User to exist (but user can try again): With this option, the application will exit after the specified number of failed login attempts but the user can immediately re-run the app and try again. This option applies to the Desktop Application only. If you are using the SpendMap Web App and/or the Mobile Web App, , select one of the other options (to lock the IP address). •Lockout IP address for (#) minutes:  This applies to all front-end applications (Desktop, Web App and Mobile Web App).   With this option, after the specified number of failed login attempts, a lock/hold will be put on the IP address that the user is connecting to the system from and the lock will remain in effect for the specified number of minutes, after which the user can try again. In the case of the Desktop Application, the user’s Windows/network ID will be locked (IP addresses do not apply to desktop applications). •Lockout IP address – Management must re-activate: This applies to all front-end applications (Desktop, Web App and Mobile Web App).   With this option, after the specified number of failed login attempts, a lock/hold will be put on the IP address that the user is connecting to the system from and the lock will remain in effect until released with Unlock User Account or IP Address. In the case of the Desktop Application, the user’s Windows/network ID will be locked (IP addresses do not apply to desktop applications). Related settings A sophisticated hacker can spoof (fake) an IP address, effectively negating these protections (i.e. use a separate IP address for each login attempt, thereby never reaching the max permitted failed login attempts from an IP address). Please see the next setting, below, for additional settings that can detect IP address spoofing.

Consider it a threat when X single IP address failures occur (helps detect IP address spoofing)

•This setting applies to the full Web App and the Mobile Web App.

•This setting attempts to detect IP address spoofing (faking) by allowing for a maximum number of total IP address failures. Once this threshold is reached, a threat notification can be logged (see below).

•Unlike the “Maximum number of failed login attempts” setting, above, that applies to a user attempting to gain access from a single IP address, this setting applies to any IP address. Therefore, this setting will apply if someone is trying to gain unauthorized access by cycling/modifying (i.e. “spoofing”) their IP address in an attempt to get around the “Maximum number of failed login attempts” restriction.

Peer IP addresses for connections to Web App servers.

•These IP addresses are permitted to connect to the application server used for the SpendMap Web App. Typically, these would be the IP addresses of the web server(s) that communicate with the application server. If a connection is made to the application server from an IP address that is not included in this setting, the request is denied and the socket is closed.

•If this value is left blank, any peer will be allowed to connect to the application server (assuming proper authentication is provided).

•You can enter multiple IP addresses separated by spaces or on separate lines (will be reformatted with one IP address per line when saved) but do NOT include spaces within the IP address itself.

•Note: In the case where a peer is connecting via a proxy server, the proxy server’s IP address (and not the end node’s IP address) needs to be entered here.

Peer IP addresses for connections to Mobile Web App server

•Similar to the setting above, these IP addresses are permitted to connect to the application server used for the Mobile Web App. Typically, this would be the Mobile App web server(s).

•If this value is left blank, any peer will be allowed to connect to the mobile web application server (assuming proper authentication is provided).

Log login/connection failure attempts?

•Check this box to log potential security threats to a text file called SECURITY.LOG in the system’s root folder on the file server. This file can be viewed using the [VIEW LOG] button (you may need to associate the .LOG file extension with a text file viewer like NotePad) or can be viewed externally using any text file viewer. A new log can be started by selecting the [START A NEW LOG] button (i.e. the existing security log will be deleted).

•For security reasons, only general messages are returned to the client. Therefore, to obtain a more accurate error message for connection failures, the security log can be used which lists the actual reason for the failure.

Notify [USER] of possible threats

•In addition to the Log described above, you can optionally enter a User ID to receive automatic notifications of possible threats as they are added to the security log  (don’t forget to include an e-mail address for the user ID). To reduce the number of messages that are sent, messages are queued in 5-minute intervals before an e-mail notification is sent out.

Allowable file extensions for attachments.

•You can optionally specify a list of file extensions that are permitted when uploading attachments into the system.

•If this field is left blank, the following file extensions will be allowed:
 
PDF, DOC, DOCX, XLS, XLSX, PPS, PPT, PPTX, TXT, CSV, GIF, BMP, JPG, JPEG, TIF, TIFF, PNG, MSG, VCF, MP3, DRW, DWG, DXF, URL, HTM, HTML