QuerySurge employs several methods to keep user accounts and sessions secure. This document highlights the main security features built into QuerySurge.
Session Timeout
A session timeout can be enabled that automatically logs out idle users after a specified period of time. By default this setting is disabled (timeout set to 0). To enable it, open Global Administration, navigate to Server Configuration (Version 12.0+) or Server Properties (Version 8.0 - 11.2), and specify the number of minutes of inactivity after which a user is automatically logged out of the system.
Max Login Attempts
To reduce exposure to intrusion and brute-force attacks on QuerySurge, accounts are automatically locked when incorrect passwords are entered more often than the maximum login attempt settings allow. Three settings control the maximum login attempts; they are listed below.
Maximum Allowed Login Attempts - The number of invalid username/password attempts which are possible during a given time frame, before the account is locked.
Time Period for Max Allowed Login Attempts - The time period (in seconds) within which a user can exceed the maximum login attempts limit on the path to a lockout. This time period starts at the first login attempt for that user.
Login Lockout Time Period - The time (in minutes) for which the user account remains locked once the login attempt threshold is reached.
Sample Scenario
Settings:
Maximum Allowed Login Attempts: 5 attempts
Time Period for Max Allowed Login Attempts: 10 sec
Login Lockout Time Period: 10 min
Example:
- A login attempt was made on the QuerySurge admin account at 5:39:14 PM.
- A rolling window is created between 5:39:14 PM and 5:39:24 PM. If 4 more unsuccessful attempts are made to log into the admin account during this time frame, the account will be locked.
- The admin account will remain locked for 10 min.
To set any of these features, open Global Administration and navigate to Server Configuration (Version 12.0+) or Server Properties (Version 8.0 - 11.2).
User Authentication
QuerySurge supports two types of user authentication. The first is local authentication, in which each user is managed by the QuerySurge system and a username/password is provided at account creation. These account credentials are stored in the QuerySurge database as hashes. The second option is to link QuerySurge directly to your existing LDAP environment. User accounts still need to be created in QuerySurge, but credential management, account lockout and deactivation are handled by your LDAP server. For more information on LDAP/S please see our Knowledge Base article on this topic. Finally, QuerySurge supports SSO-managed authentication. Details are available in this article.
SSL
SSL (Secure Sockets Layer) provides an additional layer of security between QuerySurge and end users. With SSL enabled, all communication between the user's browser and the QuerySurge App server (and between Agents and the App server) is encrypted. For more information on enabling and setting up SSL with QuerySurge please see our Knowledge Base article here.