I. Overview
Version 10.0 also brings new features to users: military-grade security, a high-availability cluster, and intelligent operation and maintenance.
II. Military-grade security
1. Application Security
Application security adopts RSA + SHA256, uses tokens instead of cookies, and fixes a series of known security vulnerabilities to counter common threats. Cookie enhancement, file upload verification, Security Headers, access control and a series of other security protection functions are newly added. Click Security Protection for details.
2. Account security
More account security measures are provided, including the single login setting, a strong password strategy, login authentication, etc. See Login Setting for more information.
At the same time, a more detailed platform log records all access to resources under the account, including the operator, operation time, IP address, resource object, operation name and operation status, so as to facilitate security analysis and meet customer requirements.
3. Data security
Complete template authentication and multiple authority verification methods are provided. After role authority control is turned on, unauthorized users cannot access the corresponding reports, whether from the platform or through a URL, which prevents horizontal and vertical privilege escalation (ultra vires).
At the same time, password information is encrypted and stored in a unified way. Passwords no longer appear in plaintext in requests and are encrypted for transmission in a unified way.
Finally, a more customizable watermark function is provided, which cannot be blocked by the background and reduces the risk of data leakage.
4. Operation and maintenance security
Regular system backups are provided so that the system can be recovered after malicious changes. At the same time, when an administrator account operates on users or changes system settings, the log is saved, so customers can carry out security analysis, resource change tracking and compliance auditing.
III. High availability cluster
The cluster uses a no-host (master-less) mode: the system continues to work normally after a node goes down, the load of each node is more balanced, and node concurrency increases linearly. Operation is simple and consistency is high; configuration and resource modifications can be synchronized at any time. It also provides memory monitoring and dynamic sensing of node joining, and adapts to various network environments, systems and web servers.
IV. Intelligent operation and maintenance
Intelligent operation and maintenance in version 10.0 optimizes the anti-downtime mechanism, improves the rational use of resources, and prevents at the source the various problems that lead to downtime, thus ensuring system availability. In addition, with the advantages of large computing capacity, zero cost, low entry threshold and high growth, cloud operation and maintenance combined with local operation and maintenance can further help users improve system stability.
V. Primary configuration
1. Configure the settings in the security management
In security protection, file upload verification and security headers are enabled by default. If the enterprise has high security requirements, it is recommended to configure HTTPS on the server and enable cookie enhancement.
If the enterprise uses a cross-domain IFRAME to open reports, click the advanced settings of security headers to turn off attack protection.
The access control function is turned on by default and can be adjusted to the enterprise's actual situation. For enterprises with high concurrency, the frequency limit can be relaxed appropriately.
Some special keywords that may cause SQL injection are disabled by default in SQL anti-injection. If other keywords need to be disabled or special characters need to be escaped, you can add them yourself.
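The recommendations above (HTTPS before cookie enhancement, and the cross-domain IFRAME case for security headers) become clearer when written out as the response headers they affect. The following is an added example, not FineReport's code: the header names are standard browser mechanisms, but which of them FineReport's "cookie enhancement" and "attack protection" actually emit is an assumption. The `frame_allowlist` option is also an assumption, included to show that naming the embedding origin is a narrower alternative to turning anti-framing protection off entirely.

```python
# Added example (not FineReport's code): how the security-protection settings
# described above typically translate into HTTP response headers. Header names
# are standard; which ones FineReport actually emits is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class SecurityConfig:
    https_enabled: bool = False       # server reachable over TLS
    cookie_enhancement: bool = True   # HttpOnly/SameSite/Secure on the session cookie
    attack_protection: bool = True    # assumption: the anti-framing part of "security headers"
    frame_allowlist: List[str] = field(default_factory=list)  # assumption: origins allowed to embed reports


def _validate_origin(origin: str) -> str:
    """Allowlist entries must be full origins (scheme://host[:port]); a bare
    hostname would silently produce a frame-ancestors directive nobody matches."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError(f"not an origin: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}"


def session_cookie(config: SecurityConfig, name: str, value: str) -> str:
    """Build the Set-Cookie header. Secure only works over HTTPS, which is why
    the page recommends configuring HTTPS before enabling cookie enhancement."""
    attrs = [f"{name}={value}", "Path=/"]
    if config.cookie_enhancement:
        attrs += ["HttpOnly", "SameSite=Lax"]
        if config.https_enabled:
            attrs.append("Secure")
    return "; ".join(attrs)


def security_headers(config: SecurityConfig) -> Dict[str, str]:
    """Response headers for a report page under the given configuration."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if config.https_enabled:
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    if not config.attack_protection:
        return headers  # cross-domain IFRAME case from the page: no anti-framing headers at all
    if config.frame_allowlist:
        # Narrower alternative to switching protection off: name the embedding origins.
        origins = " ".join(_validate_origin(o) for o in config.frame_allowlist)
        headers["Content-Security-Policy"] = f"frame-ancestors 'self' {origins}"
    else:
        headers["X-Frame-Options"] = "SAMEORIGIN"
        headers["Content-Security-Policy"] = "frame-ancestors 'self'"
    return headers


def framing_allowed(config: SecurityConfig, site_origin: str, embedder_origin: str) -> bool:
    """Would a browser enforcing these headers let embedder_origin frame a report?"""
    if not config.attack_protection or embedder_origin == site_origin:
        return True
    return _validate_origin(embedder_origin) in [_validate_origin(o) for o in config.frame_allowlist]


if __name__ == "__main__":
    cfg = SecurityConfig(https_enabled=True, frame_allowlist=["https://portal.example.com"])
    print(session_cookie(cfg, "fine_auth_token", "<token>"))
    for k, v in security_headers(cfg).items():
        print(f"{k}: {v}")
```

With `https_enabled=False` the cookie is still `HttpOnly; SameSite=Lax` but lacks `Secure`, which is the gap the HTTPS recommendation closes; with `attack_protection=False` no framing restriction remains for any origin, which is why an allowlist is preferable where the embedding origin is known.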
2. Open the template authentication
Open this function to prevent login-free or unauthorized access to reports through URLs. It is strongly recommended for report servers that are open to external network access.
You can also select the templates that need authentication. Except for templates that must be shown to external personnel under special circumstances, it is recommended to select all of them.
For enterprises whose report content is not sensitive, you can choose to authenticate only the user's password; a logged-in user can then access any template through a URL.
If the reports contain sensitive information, role permission control is recommended. You can grant template permissions to department role users separately, or grant no authorization at all; URL access is then prohibited and the report can only be accessed through the platform.
Digital signature authentication is for complex systems that require a digital signature.
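The three levels described above (authentication not opened, password-only, role permission control) differ in what a request carrying a template URL is checked against. The following is an added example, not FineReport's code, that models that check as one function and exercises the horizontal (another department's report) and vertical (admin-only report) cases that section II.3 says role control prevents. Template names, roles and users are constructed sample data; the `.cpt` names are illustrative only.

```python
# Added example (not FineReport's code): the authentication levels the page
# describes for opening a report template through a URL, modelled as one
# check. Template names, roles and users are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set


class AuthMode(Enum):
    OFF = "off"            # template authentication not opened: URL access needs no login
    PASSWORD = "password"  # any logged-in user may open any selected template via URL
    ROLE = "role"          # only templates granted to one of the user's roles


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass
class TemplatePolicy:
    mode: AuthMode
    protected: Set[str] = field(default_factory=set)           # templates selected for authentication
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # template -> roles allowed to open it


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # worth recording in the platform log next to operator, IP and resource


def check_url_access(policy: TemplatePolicy, template: str, user: Optional[User]) -> Decision:
    """Decide whether a URL request for `template` by `user` (None = no session) is served."""
    if template not in policy.protected:
        return Decision(True, "template not selected for authentication")
    if policy.mode is AuthMode.OFF:
        return Decision(True, "template authentication not opened")
    if user is None:
        return Decision(False, "login required")
    if policy.mode is AuthMode.PASSWORD:
        return Decision(True, "password authenticated; any template allowed")
    allowed_roles = policy.grants.get(template, set())
    if not allowed_roles:
        return Decision(False, "no authorization granted; URL access prohibited")
    if allowed_roles & user.roles:
        return Decision(True, "role granted")
    return Decision(False, "role not granted")


# Constructed sample data: two department roles, an admin-only template and a
# template with no grants (reachable only through the platform, never via URL).
POLICY = TemplatePolicy(
    mode=AuthMode.ROLE,
    protected={"sales_summary.cpt", "hr_salaries.cpt", "admin_audit.cpt", "finance_internal.cpt"},
    grants={
        "sales_summary.cpt": {"sales"},
        "hr_salaries.cpt": {"hr"},
        "admin_audit.cpt": {"admin"},
    },
)
SALES_ANALYST = User("alice", frozenset({"sales"}))
ADMIN = User("root", frozenset({"admin", "sales", "hr"}))


def demo() -> Dict[str, bool]:
    """Own report, horizontal and vertical attempts, platform-only template, anonymous request."""
    return {
        "own_report": check_url_access(POLICY, "sales_summary.cpt", SALES_ANALYST).allowed,
        "horizontal": check_url_access(POLICY, "hr_salaries.cpt", SALES_ANALYST).allowed,
        "vertical": check_url_access(POLICY, "admin_audit.cpt", SALES_ANALYST).allowed,
        "platform_only": check_url_access(POLICY, "finance_internal.cpt", ADMIN).allowed,
        "anonymous": check_url_access(POLICY, "sales_summary.cpt", None).allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Note that under `AuthMode.PASSWORD` the horizontal case is allowed, which is exactly the trade-off the page describes: acceptable for non-sensitive reports, not for sensitive ones.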
3. Login related security settings
It is recommended to bind the server mailbox or open the SMS platform first, so that the server can deliver verification codes by email or SMS.
In system management > login, unless there is a special case, it is recommended to enable single login (single sign on) to prevent accounts from being shared or impersonated (logging in on mobile and PC at the same time does not conflict). There are two single login strategies, which can be selected according to the enterprise's actual needs.
If the enterprise has requirements for password strength or periodic password updates, open password periodic update and password strength limit, and adjust the corresponding policy to the requirements.
Password modification verification: if the enterprise has bound a mailbox or SMS platform, consider opening it. Once opened, the verification code must be received on the bound device and verified before the password can be modified. If it is not opened, the old password alone is sufficient to change the password.
Slider verification and login locking are both effective means of preventing brute-force cracking. It is recommended to turn on slider verification: once it is on, two wrong passwords make the third login attempt require slider verification. Login locking limits the number of wrong passwords; once the number of errors is exceeded, the account or IP is locked. Account locking is generally recommended, and is suitable for enterprises whose users mainly connect from Internet IPs. Whether to lock administrator accounts is decided according to the enterprise's actual situation: if it is opened and an administrator account is locked, the only way to unlock it is to wait for the lock time or use Forgot Password.
SMS verification and e-mail verification depend on whether the enterprise's users have bound an e-mail address or mobile phone. When both are turned on, only one of them can be used for verification.
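The slider and locking rules above form a small state machine per account or IP. The following is an added example, not FineReport's code, that implements them as the page describes: slider required from the third attempt after two wrong passwords, locking by account or by IP after a configurable number of failures, an administrator-lock switch, and unlock only by waiting out the lock time or completing a forgot-password flow. The lock threshold, lock duration and the `LoginGuard` API are constructed assumptions; the usernames and IPs are constructed sample data.

```python
# Added example (not FineReport's code): the brute-force controls described on
# the page (slider after two wrong passwords, login locking by account or IP,
# administrator-lock switch) as one state machine. Thresholds, lock duration
# and the class itself are constructed assumptions, not FineReport's settings.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

SLIDER_AFTER_FAILURES = 2   # page: third login after two wrong passwords needs the slider
LOCK_AFTER_FAILURES = 5     # assumption: the configurable "number of wrong passwords"
LOCK_SECONDS = 15 * 60      # assumption: lock time


@dataclass
class LoginGuard:
    lock_scope: str = "account"                  # "account" or "ip"
    lock_admin: bool = False                     # administrator account lock switch
    admins: FrozenSet[str] = frozenset({"admin"})
    slider_enabled: bool = True
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def _key(self, user: str, ip: str) -> str:
        return f"account:{user}" if self.lock_scope == "account" else f"ip:{ip}"

    def is_locked(self, user: str, ip: str, now: float) -> bool:
        until = self.locked_until.get(self._key(user, ip))
        return until is not None and now < until

    def needs_slider(self, user: str, ip: str) -> bool:
        return self.slider_enabled and self.failures.get(self._key(user, ip), 0) >= SLIDER_AFTER_FAILURES

    def _lockable(self, user: str) -> bool:
        # The admin exemption only applies when locking by account; an IP lock
        # cannot tell whose credentials were being guessed.
        if self.lock_scope != "account":
            return True
        return self.lock_admin or user not in self.admins

    def attempt(self, user: str, ip: str, password_ok: bool, slider_ok: bool, now: float) -> str:
        """Returns "ok", "wrong_password", "slider_required" or "locked"."""
        key = self._key(user, ip)
        if self.is_locked(user, ip, now):
            return "locked"           # wait for the lock time or use forgot-password
        if self.needs_slider(user, ip) and not slider_ok:
            return "slider_required"  # checked before the password; not counted as a failure
        if password_ok:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= LOCK_AFTER_FAILURES and self._lockable(user):
            self.locked_until[key] = now + LOCK_SECONDS
            return "locked"
        return "wrong_password"

    def unlock_via_password_reset(self, user: str, ip: str) -> None:
        """Forgot-password flow completed: clear the lock and the failure counter."""
        key = self._key(user, ip)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def simulate_guessing(guard: LoginGuard, user: str, ip: str, tries: int) -> List[str]:
    """Constructed scenario: `tries` wrong passwords in a row, always solving the slider."""
    return [guard.attempt(user, ip, password_ok=False, slider_ok=True, now=float(i)) for i in range(tries)]


if __name__ == "__main__":
    print(simulate_guessing(LoginGuard(), "alice", "203.0.113.5", 6))
    print(simulate_guessing(LoginGuard(lock_admin=False), "admin", "203.0.113.5", 6))
```

Two details worth seeing in the run: the slider check happens before the password is even evaluated, so a correct password without the slider is still refused once the threshold is reached; and with `lock_admin=False` the administrator account never locks, which is the trade-off the page leaves to the enterprise.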