TAC Security Configuration Best Practices

Because TAC is a gateway to your internal resources, it can be configured to secure outside application access that passes through the TAC gateway.

PortSys recommends the following TAC configuration to secure the TAC Gateway against outside threats.

Account Lockout Policy:

TAC allows administrators to set an account lockout policy that applies when a user tries to access the site with an incorrect password. TAC provides extra settings to control user access through the TAC site and close security holes that may arise from user access.

Administrators can configure the Account Lockout Policy globally or per site. To configure it globally, open Global Site Settings under the Configuration menu in the TAC Management Console.

Under the Logon section you will find the following options:

Logon lockout threshold: Here administrators specify the number of consecutive failed logon attempts after which the account is locked. The default value is 4.

Logon lockout threshold for IP: This setting blocks logons from an IP address that has reached the configured number of consecutive failed logon attempts. The default value is 50.

Logon lockout reset: This setting configures the number of seconds that must elapse before the lockout threshold counter is reset. The default is 300 seconds.

The best practice is to set the Account Lockout Policy value in Active Directory higher than the settings in TAC. That way, when the threshold is breached, TAC blocks the access and the actual AD user account is not locked out.

Additionally, administrators can set the above settings per site by going to the Security tab of the site's configuration.
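The interplay between the three Logon settings and the AD lockout policy, as an added Python model that is not PortSys code: the TAC defaults (4, 50, 300 seconds) are taken from above; the AD threshold of 5 and the counter semantics (a run of consecutive failures resets after the reset window or on a successful logon, and a locked user or IP is refused before the credentials reach AD) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Counter:
    failures: int = 0          # consecutive failures in the current run
    first_failure_at: float = 0.0


@dataclass
class LockoutModel:
    # TAC defaults quoted in the Logon section
    user_threshold: int = 4
    ip_threshold: int = 50
    reset_seconds: int = 300
    # constructed AD value, set one higher than TAC's as recommended above
    ad_threshold: int = 5
    users: dict = field(default_factory=dict)
    ips: dict = field(default_factory=dict)
    ad_bad_pwd_count: dict = field(default_factory=dict)

    def _counter(self, table, key, now):
        c = table.setdefault(key, Counter())
        if c.failures and now - c.first_failure_at >= self.reset_seconds:
            c.failures = 0                        # reset window has elapsed
        return c

    @staticmethod
    def _fail(c, now):
        if c.failures == 0:
            c.first_failure_at = now
        c.failures += 1

    def attempt(self, user, ip, now, password_ok):
        """One logon. Returns 'ok', 'failed' (bad password forwarded to AD),
        'user-locked' or 'ip-locked' (refused by TAC, so AD never sees it)."""
        uc = self._counter(self.users, user, now)
        ic = self._counter(self.ips, ip, now)
        if ic.failures >= self.ip_threshold:
            return "ip-locked"
        if uc.failures >= self.user_threshold:
            return "user-locked"
        if password_ok:
            uc.failures = 0                       # good password clears the run
            self.ad_bad_pwd_count[user] = 0
            return "ok"
        self._fail(uc, now)
        self._fail(ic, now)
        self.ad_bad_pwd_count[user] = self.ad_bad_pwd_count.get(user, 0) + 1
        return "failed"

    def ad_locked(self, user):
        """Would the failures TAC forwarded have tripped the AD lockout?"""
        return self.ad_bad_pwd_count.get(user, 0) >= self.ad_threshold
```

With the AD threshold above TAC's, TAC refuses the fifth attempt while AD has only seen four bad passwords; flip the two values and the AD account locks before TAC intervenes.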

Content Security Policy:

For the highest level of security, PortSys recommends using Strict mode. If there are clients that do not support CSP2 and support only CSP1, the "Default" mode, which is based on CSP1, can be used. In particular, TAC supports script and style inline hashes, which were introduced with CSP2.

More details: https://caniuse.com/#search=CSP

Administrators may also use the browser's developer tools and console to see any potential page errors and adjust the TAC settings accordingly.

More information about CSP can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Content Security Policy is a per site setting and administrator may configure it in HTTP Header section under Security tab of the site's configuration.
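How the CSP2 inline hashes mentioned above are derived, and why a CSP1-only client cannot honour them, as an added Python example that is not PortSys code; the policy layout and the mapping of Strict to hash sources and Default to 'unsafe-inline' are assumptions about TAC's modes, and only sha256 hashes are modelled.

```python
import base64
import hashlib


def csp_hash(inline_source: str) -> str:
    """CSP2 hash-source for one inline <script> or <style> body.
    The digest covers the exact bytes between the tags, whitespace included."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(script_hashes, style_hashes, strict=True):
    """Assumed layout of the two modes: strict (CSP2) lists hash sources so
    only the known inline blocks run; the CSP1 fallback has no hash sources
    and must fall back to 'unsafe-inline' to keep inline code working."""
    if strict:
        script = ["'self'", *script_hashes]
        style = ["'self'", *style_hashes]
    else:
        script = ["'self'", "'unsafe-inline'"]
        style = ["'self'", "'unsafe-inline'"]
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script),
        "style-src " + " ".join(style),
    ])


def inline_allowed(policy, directive, inline_source, csp_level=2):
    """Does a browser at the given CSP level execute this inline block?
    A CSP1-only browser ignores hash sources it does not understand, so it
    runs inline code only when 'unsafe-inline' is present. A CSP2 browser
    ignores 'unsafe-inline' as soon as a hash source is listed."""
    for part in policy.split("; "):
        name, _, value = part.partition(" ")
        if name == directive:
            sources = value.split()
            break
    else:
        return False
    has_hash = any(s.startswith("'sha") for s in sources)
    if csp_level >= 2 and has_hash:
        return csp_hash(inline_source) in sources
    return "'unsafe-inline'" in sources
```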

Expect-CT

The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed.

To enable this option, the SSL certificate used for the TAC site must be present in the public Certificate Transparency logs.

The known Certificate Transparency logs can be viewed here: https://www.certificate-transparency.org/known-logs

More details about Certificate Transparency can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

Note: Expect-CT currently seems to be limited to the Chrome browser.

PortSys recommends enabling "Enforce" mode for the site. To make sure your site supports "Enforce" mode, do the following:

  1. Enable Enforce-Report mode.
  2. Check the site with the Chrome browser.
  3. Get the browser report JSON data from the TAC logs, if any is present:

     "C:\Program Files\PortSys\TAC Gateway\Log\Execution\Env\XXXXXX\Portal_00000YYYY.log", where XXXXXX is the TAC configuration ID.

  4. If the browser report looks good, go to the TAC configuration and enable Enforce mode.

IMPORTANT: Report and Enforce-Report modes should not be used in production for a long time, as they create a potential risk of browser report flooding. TAC will, however, still limit the total log space.

SameSite:

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.

PortSys recommends enabling this setting, subject to the following conditions:

  • Its support is limited and has to be verified against the client's network.
  • It should not be enabled for a TAC site that is expected to share a session with another TAC site.

More information about SameSite cookie can be found here: https://caniuse.com/#feat=same-site-cookie-attribute

It is safe to enable it even if the browser doesn't support it. To enable the SameSite cookie in TAC, do the following:

  1. Select the Site in TAC and go to the Site Configuration.
  2. Under the Session tab, select Lax or Strict mode in "SameSite mode for session HTTP cookie", depending on the requirement. The "Strict" value prevents the browser from sending the cookie to the target site in all cross-site browsing contexts.
  3. Click OK and Apply Configuration.

Auto-complete prevention

Auto-complete prevention tries to prevent credentials from being stored in the user browser's auto-complete history. However, due to browser limitations, TAC cannot completely disable auto-complete. To enable auto-complete prevention for a site, do the following:

  1. Select the Site and go to Site Configuration.
  2. Under the Authentication tab, select the checkbox next to the "Try to prevent from auto-complete at login page" setting.
  3. Click OK and apply the configuration.