The options in the Admin > Security area let you add security controls around the logins and sessions used by your intranet.
Site Level Login
This setting controls whether users must log into the site with a username and password assigned through Logins, or whether anonymous access is allowed.
This setting determines how logins are created and how users log into the site.
Form Authentication is solely for logins that have been created manually with a username and password. The demo accounts included with the software are form-based logins. Usernames and passwords are stored in the database for authentication. With this setting, users type in their username and password.
Windows Authentication is solely for use with AD Synchronization. Users' credentials are synchronized with Active Directory, and users can log in automatically with their Windows credentials. Usernames are stored in the database but passwords are not; the browser passes the credentials to the domain controller specified in your AD Synchronization settings for authentication. With this setting, users can check the Windows Authentication box on the login screen to have the username and password populated automatically.
Mixed Mode Authentication is for use with both of the above. This is the recommended setting immediately after AD Synchronization is enabled until workstation logins have been tested and proven to work without error. With this setting, users can check the Windows Authentication box or type in the credentials based on their login type.
When users log into the site, or they are automatically logged in with Windows authentication, a unique session is created for the user during their time on the site. This session contains information about the user, as well as any elevated rights they may be assigned. You can configure the session expiry so the site automatically logs the user out after the specified length of inactivity. This setting does not apply to Windows Authentication as these users are automatically logged in.
You can enable a captcha on the login screen to help block automated login attempts from programs designed to guess credentials.
You can enforce an End User Licence Agreement (EULA), or any message you choose, which users must accept when they log into the site. You may select an interval after which the acceptance expires, forcing users to accept the agreement again. If you change the message and choose enforce, all users will be prompted to accept it again at their next login.
This feature prevents all users except administrators from accessing the intranet during maintenance or upgrades. Users who are not administrators will instead see the message you've entered under this setting.
These settings are available only when the Authentication Mode is not set to Windows Authentication only. They let you improve site security by blocking brute-force login attempts, expiring your users' passwords, and enforcing password minimums. These settings apply only to form-based logins.
To remove the Forgot Password link from the login page, deselect the "allow recovery from the login page" option. This works with both Mixed Mode and Form Authentication.
Password Reset for Form Logins
If the authentication mode is set to Form Authentication, a user can reset their password by clicking the Forgot Your Password link on the login page.
Requirements to reset the password:
- The email address must exist in the database and be a valid email address.
- The email address must be unique to one user.
- If Enable Strength Checking is selected under Admin > Security > Password Options, weak passwords are rejected by the system.
Steps to reset the password:
- Click the "Forgot Your Password" link on the login page.
- Enter the email address associated with the login requesting the password reset.
- Click the password reset link in the email, then enter the New Password and Confirm Password.
Please note that the password reset link expires in 1 hour.
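The reset requirements and procedure above, modelled as an added example rather than the product's own code: it assumes an in-memory login table, a single-use token of which only the SHA-256 hash is stored, a 1-hour expiry, and a strength rule of its own, since the page does not define one.

```python
import hashlib
import secrets
import time

RESET_TOKEN_TTL_SECONDS = 3600  # the page states reset links expire in 1 hour
PENDING_RESETS = {}  # outstanding links: sha256(token) -> (username, expiry timestamp)

# Constructed sample login table (not real data); the third row deliberately
# reuses an email so the "email must be unique" rule can be exercised.
SAMPLE_USERS = [
    {"username": "jsmith", "email": "jsmith@example.com"},
    {"username": "jdoe", "email": "jdoe@example.com"},
    {"username": "jdoe.old", "email": "jdoe@example.com"},
]

class ResetError(Exception):
    pass  # raised when one of the reset requirements on the page is not met

def is_weak(password):
    # Assumed strength rule (the page does not define one): 8+ chars, not all letters or digits.
    return len(password) < 8 or password.isalpha() or password.isdigit()

def user_for_email(email, users=SAMPLE_USERS):
    matches = [u for u in users if u["email"].lower() == email.strip().lower()]
    if "@" not in email or not matches:
        raise ResetError("no login with that email address")
    if len(matches) > 1:
        raise ResetError("email address is not unique")
    return matches[0]

def request_reset(email, users=SAMPLE_USERS, clock=time.time):
    # Issue the one-time token carried by the emailed link; only its hash is kept server-side.
    user = user_for_email(email, users)
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING_RESETS[digest] = (user["username"], clock() + RESET_TOKEN_TTL_SECONDS)
    return token

def complete_reset(token, new_password, confirm_password, strength_checking=True, clock=time.time):
    record = PENDING_RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None:  # unknown, or already consumed: the link is single use
        raise ResetError("invalid or already used link")
    username, expires_at = record
    if clock() > expires_at:
        raise ResetError("link expired")
    if new_password != confirm_password:
        raise ResetError("New Password and Confirm Password differ")
    if strength_checking and is_weak(new_password):
        raise ResetError("weak password rejected by strength checking")
    return username
```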
Create your own welcome message, which is sent to all new users. Use it to include links to key instructions or tasks you'd like every new user to see. If this option is re-enabled, you will be asked whether to send the welcome message to all users already in the system.
Login Error Handling
You can specify what message appears to users with failed login attempts.
Application Delete Lock
This setting allows you to require the entry of a confirmation password when triggering the deletion of an app or site. This password is not required for Super Admins. Learn more about User Rights in the Security Tab & Permissions article.