Security Configuration


Login and password credentials are a defense against unauthorized access to FOIAXpress. The Security Configuration screen lets Administrators set up a security policy for FOIAXpress.

Steps to Configure Security for the Application

  1. Click Administration > Security > Security Configuration. The Security Configuration screen displays.

  2. To change the system default values, enter information in the fields described below.

Field

Description

Passwords Never Expire

If this checkbox is selected, passwords will never expire.

Passwords are Valid for ...Days

Specifies how many days a password will remain valid.

Note: This field becomes disabled when the Passwords Never Expire option is selected.

Remind User...Days before Password Expiration

Provides a system prompt for a specified number of days before the password is to expire, and allows the user to change the password.  

Note: This field becomes disabled when the Passwords Never Expire option is selected.

Do Not Allow Reuse of Last...Passwords (Including Current)

Prevents reuse of the specified number of previous passwords (including the current one) used to access FOIAXpress.

Password can Contain up to...Repeating Characters

Sets the maximum number of recurring characters in a password.

Minimum Password Length...Characters

Sets the minimum number of characters in a password.

Password must Contain at least...Upper Case Letters

Sets the minimum number of upper case letters in a password.

Password must Contain at least...Lower Case Letters

Sets the minimum number of lower case letters in a password.

Password must Contain at least...Special Characters

Sets the minimum number of special characters in a password.

Password must Contain at least...Numeric Characters

Sets the minimum number of numeric characters in a password.

Login Fails after...Invalid Login Attempts

Sets how many unsuccessful login attempts a user is allowed. If the number of attempts exceeds this value, the system inactivates the user account.

Session Time out after...Minutes

Sets how long a user can remain logged into FOIAXpress (in minutes) before the application terminates. The user must log in to the application again to continue any activity currently in progress.

Alert User Before Session Expires for...Minutes

Sets the time period (in minutes) to remind the user before the session expires. The system will prompt the user when the session is to terminate and provide options to continue or end the session.

Temporary Password Update after login

This option is to be used when assigning temporary passwords to users. When selected, a user will be prompted to change the generic password upon initial access to the application.

User Account Inactivation

Disables a user account for use in FOIAXpress.

Inactivate User Account After...Days of Non-Usage of Application

Sets a number of days of non-usage of the application, after which a user account will be inactivated. This field becomes enabled once the User Account Inactivation option is selected.

Send Inactivity Notification...Days Prior to Inactivation

Sets the number of days before inactivation at which users are notified that their account is about to be inactivated. For example, a setting of 1 would send a notification one day prior to the account being inactivated.

Deleted User Login can be Reused...Days after Deletion

Sets the number of days that must pass after a user login has been deleted, before the login can be reused.

Restrict using numeric at beginning/ending of the password

Select this checkbox to disallow numbers at the beginning or end of a password.

Enable Web Vulnerabilities Validation

It is recommended to select this option to strengthen the application's protection against SQL injection and other malicious code.

Enable Error Log for Admin Users Only

Select this checkbox to restrict access to error logs (which may contain detailed information) to users in the Admin group.

Separate Database Error Log from Application Error Log

Select this checkbox if Database Administrators and Application Administrators are not the same. The error logs for such activities will be separated.

Use FIPS Compliant Encryption Algorithm for ADX, if applicable

Select this checkbox if you want to use the FIPS Compliant Encryption Algorithm for ADX.

Enable Audit Log API

Select to enable the Audit Log API.

Send User Account Update Notifications

Select to enable automatic notifications to application users when updates are made to their user accounts.

OTP Notification Types

Type of notification to provide for the One-Time Password (OTP). Select None to disable OTP use, Email to use an email notification, or SMS to use an SMS notification.

OTP Expiry Minutes

Length of time, in minutes, that the OTP is active before expiring.

  3. Click Save. A confirmation message displays.

  4. Click OK to accept the settings and close the message window.

Configuring IIS Worker Process Settings for Session Time-Out

The IIS worker process must be configured to close after a specified idle period. The idle time-out value should be greater than or equal to the Session Time out after...Minutes setting.

NOTE: The steps below need to be taken on the server.

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

  2. Expand the Start Page and select Application Pools.

  3. Locate FXAppPool and click Advanced Settings from the Actions pane on the right. The Advanced Settings window displays.

  4. Scroll down and locate the Idle Time-out (minutes) field in the Process Model section.

  5. Enter the number of minutes that you want to elapse before shutting down the idle worker process. The default value is 20 minutes.

  6. Click OK to accept the settings.
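
The same check and change, scripted with the IIS WebAdministration module; this is an added example, not part of the FOIAXpress documentation. The 30-minute session value is a constructed sample standing in for your own Session Time out after...Minutes setting, which the script cannot read and must be passed in.

```powershell
# Added example: run in an elevated PowerShell session on the IIS server.
param(
    # Assumption: the value configured in "Session Time out after...Minutes".
    # 30 is a constructed sample, not a FOIAXpress default.
    [int]$SessionTimeoutMinutes = 30,

    # Application pool name taken from the steps above.
    [string]$AppPoolName = 'FXAppPool'
)

Import-Module WebAdministration -ErrorAction Stop

$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$AppPoolName' was not found on this server."
}

# processModel.idleTimeout is a TimeSpan; the IIS default is 20 minutes.
$current = (Get-Item $poolPath).processModel.idleTimeout
Write-Output ("Current idle time-out: {0} minutes" -f $current.TotalMinutes)

if ($current.TotalMinutes -eq 0) {
    # An idle time-out of 0 disables idle shutdown, so the worker process
    # is never recycled out from under an active session.
    Write-Output 'Idle shutdown is disabled; no change needed.'
}
elseif ($current.TotalMinutes -ge $SessionTimeoutMinutes) {
    Write-Output 'Idle time-out already covers the session time-out; no change needed.'
}
else {
    # Raise the idle time-out to match the session time-out.
    $target = [TimeSpan]::FromMinutes($SessionTimeoutMinutes)
    Set-ItemProperty -Path $poolPath -Name processModel.idleTimeout -Value $target

    # Read the value back to confirm the change was applied.
    $updated = (Get-Item $poolPath).processModel.idleTimeout
    if ($updated -ne $target) {
        throw "Idle time-out is $($updated.TotalMinutes) minutes; expected $SessionTimeoutMinutes."
    }
    Write-Output ("Idle time-out raised to {0} minutes." -f $updated.TotalMinutes)
}
```

Re-run the script after changing the session time-out in Security Configuration so the two values stay aligned.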