QuerySurge provides several features for keeping user accounts and sessions secure. This document highlights the main ones.
A session timeout can be enabled to automatically log out idle users after a specified period of time. The setting that controls this is "Idle User Session Timeout", located under Administration -> Server Properties.
By default this setting is disabled (Timeout set to 0). To enable it, enter the number of minutes a session can be idle before the user is logged out.
Max Login Attempts
To reduce exposure to intrusion and brute-force attacks on QuerySurge, an account is automatically locked when incorrect passwords are entered up to the configured maximum number of login attempts. Three settings control this behavior; they are listed below. All of them can be found in Administration -> Server Properties.
Maximum Allowed Login Attempts - The number of invalid username/password attempts allowed during a given time frame before the account is locked.
Time Period for Max Allowed Login Attempts - The time period (in sec) during which failed login attempts count toward the maximum login attempts limit on the path to a lockout. This time period starts at the first login attempt for that user.
Login Lockout Time Period - The time (in minutes) for which the user account remains locked once the login attempt threshold is reached.
For example, with the following settings:
Maximum Allowed Login Attempts: 5 attempts
Time Period for Max Allowed Login Attempts: 10 sec
Login Lockout Time Period: 10 min
- A login attempt was made on the QuerySurge admin account at 5:39:14 PM.
- A rolling window is created between 5:39:14 PM and 5:39:24 PM. If 4 more unsuccessful attempts are made to log into the admin account during this time-frame, the account will be locked.
- The admin account will remain locked for 10 min.
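The lockout behavior described above can be modeled in a few lines. This is an added example, not QuerySurge code: the class and function names are hypothetical, and it assumes the window includes its end point and that attempts made during a lockout do not extend it.

```python
from datetime import datetime, timedelta

class LockoutPolicy:
    """Illustrative model of the three Server Properties settings (not QuerySurge code)."""

    def __init__(self, max_attempts, window_sec, lockout_min):
        self.max_attempts = max_attempts               # Maximum Allowed Login Attempts
        self.window = timedelta(seconds=window_sec)    # Time Period for Max Allowed Login Attempts
        self.lockout = timedelta(minutes=lockout_min)  # Login Lockout Time Period
        self.state = {}         # user -> (window_start, failures); hypothetical in-memory store
        self.locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Count one failed login; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True  # assumption: attempts during a lockout do not extend it
        start, failures = self.state.get(user, (None, 0))
        if start is None or now - start > self.window:
            start, failures = now, 0  # the window opens at the first failed attempt
        failures += 1
        if failures >= self.max_attempts:  # the first attempt plus 4 more locks the account
            self.locked_until[user] = now + self.lockout
            self.state.pop(user, None)
            return True
        self.state[user] = (start, failures)
        return False


def first_lock_time(policy, user, failure_times):
    """Replay failed logins in order; return the time the lock triggers, or None."""
    for t in failure_times:
        if policy.record_failure(user, t):
            return t
    return None


# Constructed sample data: the date is arbitrary, the time of day follows the example above.
T0 = datetime(2024, 1, 1, 17, 39, 14)
BURST = [T0 + timedelta(seconds=s) for s in (0, 2, 4, 6, 8)]    # 5 failures inside 10 sec
SPREAD = [T0 + timedelta(seconds=s) for s in (0, 3, 6, 9, 12)]  # 5th failure falls after the window

if __name__ == "__main__":
    print(first_lock_time(LockoutPolicy(5, 10, 10), "admin", BURST))
    print(first_lock_time(LockoutPolicy(5, 10, 10), "admin", SPREAD))
```

The second replay never locks the account because the count restarts once the window has passed, which is worth keeping in mind when choosing the time period and attempt limit.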
QuerySurge supports two types of user authentication. The first is local authentication, in which each user is added manually to the QuerySurge system and a username/password is provided. These account credentials are all stored in the QuerySurge database as hashes. The second is to link QuerySurge directly to your existing LDAP environment. User accounts will still need to be created in QuerySurge, but controls on passwords, user locking and deactivation will be handled by your local LDAP server. For more information on LDAP please see our Knowledge Base article here.
SSL (Secure Sockets Layer) provides an additional layer of security between QuerySurge and end users. When SSL is enabled, all communication between the user's browser and the QuerySurge App server (and between Agents and the App server) is encrypted. For more information on enabling/setting up SSL with QuerySurge please see our Knowledge Base article here.