Security
Administrators will use this section to adjust the general settings pertaining to the security of the SmarterTrack installation, including the configuration of password requirements, IP blacklists, upload limitations and more.
To access this section, log into the management interface with an administrator account. Select the Settings icon from the Navigator, then click Security in the navigation pane. The settings will load in the content pane and the following tabs will be available:
Options
Use this tab to edit the following settings:
Captcha
A CAPTCHA is a challenge-response test used to determine whether the user is human. By default, SmarterTrack requires portal visitors to pass a CAPTCHA when registering for new user accounts. In addition, successful CAPTCHA completion is required from unverified users (i.e., users without the "Registered User with Verified Email" role) when they submit new tickets or community threads. Although recommended, an administrator can turn this feature off (set it to "None") at any time. Two CAPTCHA options are available: the Built-in option or Google reCAPTCHA. Google's solution requires a site key and a secret key; instructions on obtaining them can be found here: https://www.google.com/recaptcha/intro/android.html. When the site key and secret key have been obtained, enter them in the corresponding fields. (NOTE: Google reCAPTCHA will not work in locations that block Google services/servers, so visitors there cannot complete the challenge.)
Portal Settings
- Enable password reset - When checked, agents, managers and administrators can reset their passwords from the management interface login screen. Clicking the link and filling out the username and CAPTCHA sends an email containing a password reset link to the email address associated with that username. Note: If using external providers or Active Directory authentication, this feature should not be enabled, since those passwords are managed by the external system rather than by SmarterTrack.
- Moderate new user community posts - When checked, threads submitted in the Community by new users must be approved by moderators before they are shown publicly. A user stops being considered new once their account is at least 7 days old and they have posted at least 5 replies or comments on threads.
Security
- Enable brute force protection - For security purposes, SmarterTrack limits the number of times a user can unsuccessfully attempt to log in to the customer-facing Portal. By default, users are temporarily locked out of their account after 10 failed login attempts and remain locked out for 5 minutes. If needed, a System Administrator can bypass the lockout for a user or turn the feature off entirely by unchecking this option. Leaving it enabled is recommended: without it, passwords can be guessed online at whatever rate the server will accept.
- Force all traffic over HTTPS - Select this option to force all SmarterTrack traffic over HTTPS, so that every request (including login credentials and ticket contents) is encrypted in transit. Before enabling this setting, SmarterTrack must be set up as a site in IIS with a valid SSL/TLS certificate bound to the SmarterTrack site; if no HTTPS binding exists, forcing HTTPS redirects users to an address that does not answer. Note: Administrators managing SmarterTrack on their own servers must ensure this certificate is in place. Administrators using the Hosted SmarterTrack solution can simply enable this setting, as a secure connection is already in place on the SmarterTools servers.
- Allow interface to be embedded in another site (not recommended) - At times, an administrator may wish to embed pieces of the customer-facing portal (e.g., KB articles, News items, etc.) within a third-party site. This is an advanced feature with security considerations (a page that any site can frame is exposed to clickjacking) and requires extensive HTML knowledge. Select this option to allow SmarterTrack's interface to be embedded in another site. NOTE: When this setting is enabled it overrides any sources set in the frame-ancestors policy of the CSP, so any restriction to specific parent sites is lost. If only particular sites need to embed the portal, leave this option off and list those sites under Additional frame-ancestors Entries on the CSP tab instead.
Password Requirements
Use this tab to configure the minimum password requirements for registered users.
Minimum Password Length - The minimum number of characters the password must have.
Password Requirements
- Require numbers - Select this option to force users to include a number in the password.
- Require uppercase letters - Select this option to force users to include a capital letter in the password.
- Require lowercase letters - Select this option to force users to include a lowercase letter in the password.
- Require symbol - Select this option to force users to include a symbol in the password.
- Require password does not match username - Select this option to ensure that the username and password do not match.
Options
- Disable password strength for existing passwords - Select this option so that changes to the password requirements apply only to new users and newly set passwords; existing passwords are not forced to comply until they are next changed.
Blacklist
Use this tab to edit the following setting:
- IP Blacklist (one per line) - Adding IP addresses to this list prevents users at those addresses from leaving feedback on any knowledge base article. Only one IP address may be listed per line.
Uploads
Use this tab to specify the types of files that can be uploaded to SmarterTrack. (NOTE: By default, the maximum size allowed for any attachment is 2MB.)
- Allowed extensions for document uploads in HTML editor (one per line) - These are the file types that agents can attach to tickets, live chats, knowledge base articles, etc. In general, agents can be allowed to attach any file type; to do so, add a single wildcard entry, a "dot asterisk" (.*). However, there may be times when System Administrators want to limit attachments to, say, images or documents. To restrict agents to specific file types, add the extensions here, one per line, including the dot (i.e., .JPG, not simply JPG).
- Allowed extensions for end user file uploads (one per line) - These are the file types that customers and end users can upload to agents when submitting tickets from the portal or starting live chats, either from the portal or from the custom integration of Live Chat into your own website. This list also applies to attachments on tickets that are started from, or replied to, via email. If an incoming email carries a disallowed attachment type, a comment is automatically added to the ticket so that the agent knows something is missing. In general, it is a good idea to prevent customers from uploading file types that may prove harmful, such as program files and scripts. To restrict end users to specific file types, add the extensions here, one per line, including the dot (i.e., .JPG, not simply JPG).
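The following is an added example, not SmarterTrack's own code, of how a "one extension per line" allow-list of the kind both boxes above describe can be evaluated, including the .* wildcard, the required leading dot, case-insensitive matching, and the sorting of an inbound email's attachments into kept and dropped so a ticket comment can be added. The strict mode and the comment wording are this example's assumptions, not SmarterTrack settings; the file names and list contents are constructed.

```python
"""Added example (not SmarterTrack's own code): evaluating an extension
allow-list like the Uploads tab describes. The strict mode is an assumption
used to show what a last-extension check does not catch."""
import os

WILDCARD = ".*"  # the page's "dot asterisk" entry meaning "any file type"


def parse_extension_list(text):
    """Parse the textbox contents: one extension per line, dot included.
    Entries are compared case-insensitively (.JPG and .jpg are the same)."""
    allowed = set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if not entry.startswith("."):
            # The page says to include the dot; refusing a bare "jpg" is safer
            # than silently accepting an entry that would never match anything.
            raise ValueError(f"extension {entry!r} must start with a dot, e.g. .jpg")
        allowed.add(entry)
    return allowed


def extensions_of(filename):
    """Every trailing extension of a name, outermost first:
    'shell.php.jpg' -> ['.jpg', '.php']. Path components are stripped first,
    and a trailing bare dot ('report.pdf.') yields no extension at all."""
    name = os.path.basename(filename.replace("\\", "/")).strip()
    exts = []
    while True:
        name, ext = os.path.splitext(name)
        if not ext or ext == ".":
            break
        exts.append(ext.lower())
    return exts


def upload_allowed(filename, allowed, strict=False):
    """True if the upload should be accepted.
    Default mode mirrors what an extension allow-list can do: only the last
    extension is checked, so 'shell.php.jpg' passes when .jpg is allowed.
    strict=True (an assumption, not a SmarterTrack option) requires every
    extension in the chain to be allowed, which rejects such double extensions."""
    if WILDCARD in allowed:
        return True
    exts = extensions_of(filename)
    if not exts:
        return False  # no extension: nothing to match against, so reject
    checked = exts if strict else exts[:1]
    return all(ext in allowed for ext in checked)


def filter_email_attachments(attachment_names, allowed):
    """Split an inbound email's attachments into (kept, dropped, comment).
    The comment stands in for the note the page says is added to the ticket
    when an attachment was disallowed; its wording is this example's."""
    kept = [n for n in attachment_names if upload_allowed(n, allowed)]
    dropped = [n for n in attachment_names if n not in kept]
    comment = None
    if dropped:
        comment = "Attachment(s) removed (file type not allowed): " + ", ".join(dropped)
    return kept, dropped, comment


if __name__ == "__main__":
    # Constructed sample configuration and attachment names, not real data.
    end_user_list = parse_extension_list(".JPG\n.png\n.pdf\n")
    agent_list = parse_extension_list(".*")
    for name in ["photo.JPG", "invoice.pdf.exe", "shell.php.jpg", "README", "tool.exe"]:
        print(f"{name:16} end-user: {upload_allowed(name, end_user_list)!s:5} "
              f"strict: {upload_allowed(name, end_user_list, strict=True)!s:5} "
              f"agent: {upload_allowed(name, agent_list)}")
    print(filter_email_attachments(["scan.pdf", "setup.exe"], end_user_list))
```

The point to take from the run is the "shell.php.jpg" row: a name-based allow-list judges only the final extension, so what the stored file actually contains, and how the web server serves it back, is what ultimately decides whether a permitted type is harmless. Keep the end-user list short and stick to document and image types.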
Organization
When creating an Organization, new Members can be added simply by referencing a domain name. However, customers often register with addresses from free email services such as Gmail or Yahoo!. If such a domain were used when adding Members by Domain, every user with a Gmail address, for example, would become a Member of that Organization.
To prevent this, SmarterTrack by default blocks the domains listed on this page from being used when adding Members by Domain. The list is fully editable by System Administrators and can be amended as needed.
CSP
A Content Security Policy (CSP) is a web security standard that helps prevent certain cross-site scripting (XSS) exploits, clickjacking and other code injection attacks by telling the browser which sources a page may load scripts, frames, styles and other resources from. Most web applications have a CSP built in, with little opportunity for administrators to manage the policy without code-level changes. SmarterTrack, however, allows experienced administrators to add sources to its CSP to expand on its functionality, for example to embed videos, fonts or scripts from third-party services. Such sources are normally blocked by an application's CSP because every allowed source is a place from which code can be loaded, and therefore executed, in the page; a compromised or overly broad source can lead to pages being hijacked.
NOTE: It is strongly recommended that this page be left untouched except by an administrator or experienced web professional. There are some default entries, which cannot be removed, but any additions should be made very carefully to avoid potential security issues: prefer a specific host (and path, where the service supports it) over a wildcard, and never add a source you do not control or trust.
Policy Directives and Sources
Each text box represents a specific "policy directive" within the CSP. A policy directive describes the policy for a specific resource type, and each has one or more allowed sources. The editable policy directives, their descriptions and the uneditable default sources are listed below. Each directive can have one or more sources, and each source must be on its own line.
Additional connect-src Entries
This directive dictates which URLs may be contacted from script interfaces (XMLHttpRequest, fetch, WebSocket, sendBeacon and similar). For example, SmarterTrack allows users to add their Google Analytics Site ID to track usage of their SmarterTrack Portal. SmarterTrack loads the Google Analytics tracking code, including that Site ID, with a <script> tag (which script-src permits, see below); once loaded, that code sends tracking requests back to Google Analytics, and connect-src must allow those request URLs for tracking to work. Wildcards are allowed and the default sources are:
- *.google-analytics.com
- googleapis.com
Additional frame-ancestors Entries
This directive specifies valid "parent URLs" that may embed a page in a frame, iframe, embed or object. Wildcards are allowed and there are no default sources. Note that the "Allow interface to be embedded in another site" option on the Options tab overrides whatever is entered here.
Additional frame-src Entries
This directive specifies valid sources for nested browsing contexts loaded via frames and iframes, such as embedded videos in KB articles. Wildcards are allowed and the default sources are:
- *.fleeq.io
- *.google.com/recaptcha/
- *.mediaservices.windows.net
- *.metacafe.com
- *.streaming.azure.net
- *.vimeo.com
- *.youtube.com
- *.youtube-nocookie.com
Additional script-src Entries
This directive specifies valid sources for JavaScript. This covers not only URLs loaded directly via a <script> tag, but also inline script such as event handlers (e.g., onclick attributes) and XSLT stylesheets, which can trigger script execution. Wildcards are allowed and the default sources are:
- *.google.com/recaptcha/
- *.google-analytics.com
- *.googleapis.com
- *.gstatic.com/recaptcha/
- translate.google.com
Additional style-src Entries
This directive specifies valid sources for stylesheets. Wildcards are allowed and the default sources are:
- fonts.googleapis.com
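To make the directive descriptions above concrete, here is an added example (not SmarterTrack's own code) that assembles the five directives and their default sources listed on this tab into a Content-Security-Policy header value and checks candidate URLs against them using CSP host-source matching rules (scheme, "*." host wildcard, port, and path prefix). Two things are assumptions: 'self' is added to every directive as a stand-in for the application's own origin, because the page does not list SmarterTrack's built-in keyword sources, and the page origin https://support.example.com is a constructed value. The "Additional ... Entries" boxes are modelled as a dictionary of directive name to textbox text.

```python
"""Added example (not SmarterTrack's own code): build a CSP header from the
directives on this page and test URLs against it with host-source matching.
Assumption: 'self' is prepended to every directive; the page does not say
which keyword sources SmarterTrack's own policy contains."""
from urllib.parse import urlsplit

# Uneditable default sources, copied from the page; frame-ancestors has none.
DEFAULT_SOURCES = {
    "connect-src": ["*.google-analytics.com", "googleapis.com"],
    "frame-ancestors": [],
    "frame-src": ["*.fleeq.io", "*.google.com/recaptcha/",
                  "*.mediaservices.windows.net", "*.metacafe.com",
                  "*.streaming.azure.net", "*.vimeo.com", "*.youtube.com",
                  "*.youtube-nocookie.com"],
    "script-src": ["*.google.com/recaptcha/", "*.google-analytics.com",
                   "*.googleapis.com", "*.gstatic.com/recaptcha/",
                   "translate.google.com"],
    "style-src": ["fonts.googleapis.com"],
}
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_entries(textbox):
    """One source per line, as the 'Additional ... Entries' boxes require."""
    return [line.strip() for line in textbox.splitlines() if line.strip()]


def effective_sources(additional=None):
    """Merge the defaults with an admin's additions ({directive: textbox text})."""
    additional = additional or {}
    return {d: ["'self'"] + DEFAULT_SOURCES[d] + parse_entries(additional.get(d, ""))
            for d in DEFAULT_SOURCES}


def build_header(additional=None):
    """Serialise the merged sources as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}"
                     for d, srcs in effective_sources(additional).items())


def _origin(parts):
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORT.get(parts.scheme)


def source_matches(source, url, page_origin):
    """Does one CSP source expression match url?  Handles 'self' and host
    sources: optional scheme, a '*.' host wildcard (which needs at least one
    extra label, so *.google.com does not match google.com itself), optional
    port, and a path that is a prefix match when it ends in '/' and an exact
    match otherwise. Nonces, hashes and 'unsafe-*' keywords are out of scope."""
    u, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return _origin(u) == _origin(page)
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if u.scheme != scheme.lower():
            return False
    else:
        # Scheme-less source: the URL must use the page's scheme (an https page
        # will not load http resources); http pages may load https ones.
        rest = source
        if u.scheme != page.scheme and not (page.scheme == "http" and u.scheme == "https"):
            return False
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    host, url_host = host.lower(), (u.hostname or "").lower()
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif host != "*" and host != url_host:
        return False
    url_port = u.port or DEFAULT_PORT.get(u.scheme)
    if port and port != "*" and int(port) != url_port:
        return False
    if not port and url_port != DEFAULT_PORT.get(u.scheme):
        return False
    if slash:
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def allowed(directive, url, page_origin="https://support.example.com", additional=None):
    """Would the policy (defaults plus any additions) allow url for directive?"""
    return any(source_matches(s, url, page_origin)
               for s in effective_sources(additional)[directive])


if __name__ == "__main__":
    print(build_header())
    for directive, url in [("script-src", "https://www.google.com/recaptcha/api.js"),
                           ("script-src", "https://www.google.com/evil.js"),
                           ("connect-src", "https://www.googleapis.com/v1/x"),
                           ("frame-ancestors", "https://intranet.example.net/page")]:
        print(f"{directive:16} {url:45} {allowed(directive, url)}")
```

Two consequences of the listed defaults fall out of the matching rules and are worth knowing before editing the boxes: a path on a source ("*.google.com/recaptcha/") restricts that host to the given path prefix, so it does not turn all of www.google.com into an allowed script source, and a source without a wildcard (the connect-src default "googleapis.com") does not cover its subdomains. An additional entry is only needed when a URL the feature actually requests fails the check for its directive.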