Security
Administrators will use this section to adjust the general settings pertaining to the security of the SmarterTrack installation, including the configuration of password requirements, IP blacklists, upload limitations and more.
To access this section, log into the management interface with an administrator account. Select the Settings icon from the Navigator, then click on Security in the navigation pane. The settings will load in the content pane and the following tabs will be available:
Options
Use this tab to edit the following settings:
CAPTCHA
A CAPTCHA is a challenge-response test used to determine whether the user is human. By default, SmarterTrack requires portal visitors to pass a CAPTCHA when registering for new user accounts. In addition, successful CAPTCHA completion is required for unverified users (i.e., users without the "Registered User with Verified Email" role) when they submit new tickets or community threads. Although recommended, this feature can be turned off (set to "None") at any time by an administrator. Two different CAPTCHA options are available: the Built-in option or Google reCAPTCHA. Use of Google's solution requires an API key, and instructions on obtaining a key can be found here: https://www.google.com/recaptcha/intro/android.html. When the site key and secret key have been obtained, enter them in the corresponding fields.
Portal Settings
- Enable password reset - When checked, this setting allows agents, managers and administrators to reset their passwords from the management interface login screen. Clicking the link and filling out the username and CAPTCHA will send an email with a password reset link to the email address associated with the username.
note: If using external providers or Active Directory authentication, this feature should not be enabled.
- Moderate new user community posts - When checked, threads submitted in the Community by new users must be approved by moderators before showing publicly. A user is considered new until they are at least 7 days old and have at least 5 replies or comments on threads.
Security
- Enable brute force protection - For security purposes, SmarterTrack limits the number of times a User unsuccessfully attempts to log in to the customer-facing Portal. By default, Users are temporarily locked out of their account after 10 failed login attempts and will remain locked out for 5 minutes. If needed, a System Administrator can bypass the lockout or disable this feature by disabling brute force protection.
- Force all traffic over HTTPS - Select this option to force all SmarterTrack traffic over HTTPS. This improves SmarterTrack security by allowing all traffic to be encrypted. Prior to enabling this setting, SmarterTrack must be set up as a site in IIS and have a valid SSL certificate in place for the SmarterTrack site.
note: Administrators managing SmarterTrack on their own servers must ensure this SSL certificate is in place. However, Administrators using the Hosted SmarterTrack solution can simply enable this setting, as a secure connection is already in place on the SmarterTools servers.
- Allow interface to be embedded in another site (not recommended) - At times, an administrator may wish to embed pieces of the customer-facing portal (e.g., KB articles, News items, etc.) within a third-party site. This is an advanced feature that has security considerations and requires extensive HTML knowledge. Select this option to allow SmarterTrack's interface to be embedded in another site.
note: When this setting is enabled it overrides any changes/sources set in the frame-ancestors policy of the CSP.
Password Requirements
Use this tab to configure the minimum password requirements for registered users.
Minimum Password Length - The minimum number of characters the password must have.
Password Requirements
- Require numbers - Select this option to force users to include a number in the password.
- Require uppercase letters - Select this option to force users to include a capital letter in the password.
- Require lowercase letters - Select this option to force users to include a lowercase letter in the password.
- Require symbol - Select this option to force users to include a symbol in the password.
- Require password does not match username - Select this option to ensure that the username and password do not match.
Options
- Disable password strength for existing passwords - Select this option to allow changes to the password requirements to only affect new users or new passwords.
Blacklist
Use this tab to add IP addresses to the IP Blacklist. Adding IP addresses to this list prevents users from adding KB or News feedback or marking items as Helpful; creating new Community Threads or interacting with existing Threads (i.e., upvoting, adding comments, etc.), and messaging Community members; starting new Tickets and Live Chats from the Portal or from any live chat script embedded on a Brand's website or other location.
- IP Blacklist (one per line) - Adding IP addresses to this list prevents users from that IP from being able to leave feedback for any knowledge base articles. Only one IP address may be listed on a line.
Uploads
Use this tab to specify the types of files that can be uploaded to SmarterTrack. (NOTE: By default, the maximum size allowed for any attachment is 2MB.)
- Allowed extensions for document uploads in HTML editor (one per line) - These are the file types that agents can attach to tickets, live chats, knowledge base articles, etc. In general, agents should be able to attach any file type. To allow this, simply add a wildcard, which is a "dot asterisk" (.*). However, there may be times when System Administrators will want to limit file attachments to only images or documents. To restrict agents to specific file types, add the extensions here, one per line, and include the dot (i.e., .JPG, not simply JPG).
- Allowed extensions for end user file uploads (one per line) - These are the file types that customers and end users can upload to agents when submitting tickets from the portal or starting live chats, either from the portal or from the custom integration of Live Chat into your own website. This list also affects attachments to tickets that are started from, or replied to, via email. If an incoming email has a disallowed attachment type, a comment is automatically added to the ticket so that the agent knows something is missing. In general, it's a good idea to prevent customers from uploading file types that may prove harmful, such as program files. To restrict end users and allow only specific file types, add the extensions here, one per line, and include the dot (i.e., .JPG, not simply JPG).
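As an added illustration (not SmarterTrack's own code), the following shows how a "one extension per line, dot included" allow list can be evaluated against uploaded or emailed attachments, including the `.*` wildcard and the comment left on a ticket when an emailed attachment is dropped. Case-insensitive matching and the 2MB limit as 2 × 1024 × 1024 bytes are assumptions made for this example.

```python
import os

# Assumption: the page's 2MB default is taken as 2 MiB here.
MAX_ATTACHMENT_BYTES = 2 * 1024 * 1024


def parse_allow_list(text: str) -> set[str]:
    """Parse the text box contents: one extension per line, dot included.

    Assumption: extensions are compared case-insensitively, so ".JPG" and
    ".jpg" are the same entry. Blank lines are ignored.
    """
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_upload_allowed(filename: str, allow_list: set[str],
                      size_bytes: int = 0) -> bool:
    """Return True if the file passes the extension list and size limit.

    Only the final extension is checked, so "invoice.pdf.exe" is judged by
    ".exe" and a file with no extension at all is rejected unless ".*" is set.
    """
    if size_bytes > MAX_ATTACHMENT_BYTES:
        return False
    if ".*" in allow_list:          # the "dot asterisk" wildcard allows everything
        return True
    ext = os.path.splitext(filename)[1].lower()
    return bool(ext) and ext in allow_list


def screen_email_attachments(filenames: list[str],
                             allow_list: set[str]) -> tuple[list[str], str]:
    """Split emailed attachments into kept files and a ticket comment.

    Mirrors the behaviour described above: disallowed attachments are not
    attached, and a comment tells the agent what is missing. The comment
    wording is constructed for this example.
    """
    kept = [f for f in filenames if is_upload_allowed(f, allow_list)]
    dropped = [f for f in filenames if f not in kept]
    comment = ""
    if dropped:
        comment = "Attachment(s) removed (disallowed file type): " + ", ".join(dropped)
    return kept, comment


if __name__ == "__main__":
    # Constructed sample: end users may only send images and PDFs.
    end_user_list = parse_allow_list(".JPG\n.png\n.pdf\n")
    print(screen_email_attachments(["PHOTO.JPG", "invoice.pdf.exe", "notes"], end_user_list))
```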
Organization
When creating an Organization, it's possible to add new Members to that organization simply by referencing a domain name. However, customers frequently register with free email services such as Gmail or Yahoo!. Therefore, when adding new Members by domain, administrators will want to exclude free email services. This ensures that not ALL users of Gmail, for example, are added as Members of any specific Organization.
Therefore, by default, SmarterTrack blocks the domains listed on this page from being used when adding in Members by Domain. This list is fully editable by System Administrators and can be amended as needed.
Portal Probation
This section allows administrators to configure probationary rules for new portal users. These rules control and limit the actions that newly registered users can take until they meet certain trust criteria. This is particularly useful for preventing spam and for ensuring that new users are legitimate before granting them full access to the portal. Employees are never subject to these probationary measures.
Probation Settings
The Probation Tab settings can be found by navigating to: Settings → Security → Portal Probation Tab.
- Accounts Age Less Than - When enabled, new users whose accounts are newer than the specified number of days are placed on probation. By default, this is set to 7 days.
- Community Replies Less Than - When enabled, users who have posted fewer replies than the specified threshold are considered on probation. By default, this is set to 10 replies.
Probation Restrictions
These restrictions apply to new probationary users.
- Limit New Threads - Sets the maximum number of new community threads a probationary user can create within a 24-hour period. By default, this is set to 1 thread per 24 hours.
- Limit Replies - Sets the maximum number of replies a probationary user can post within a 24-hour period. By default, this is set to 5 replies per 24 hours.
- Show CAPTCHAs - When enabled, probationary users must complete a CAPTCHA challenge when posting new threads or replies.
- Disallow Links in Community - When enabled, probationary users will have any anchor tags stripped from links in their community posts or comments. The link will display, it will just be shown as plain text.
- Limit Communities Search Results - This setting controls the number of community search result pages a user can access. Setting the value to 0 removes the restriction entirely, allowing unlimited pages. Any number greater than 0 restricts users to that specific number of pages in the search results. Users who are not logged in are restricted to 5 pages unless a value between 0 and 5 is set. By default, this is set to 5 pages.
CSP
The Content Security Policy (CSP) is a computer security standard that was introduced to help prevent specific types of cross-site scripting (XSS) exploits, click-jacking and other types of code injection attacks. Most web applications have a CSP built in, with little opportunity for administrators to manage the policy without making code-level changes. SmarterTrack, however, allows experienced administrators to add sources to SmarterTrack's CSP to expand on its functionality, for example to allow embedding videos, fonts or scripts from third-party services. These are normally blocked by an application's CSP, as allowing them can lead to pages being hijacked to embed, and therefore execute, malicious code.
Policy Directives and Sources
Each text box represents a specific "policy directive" within the CSP. Policy directives describe the policy for a specific resource type, and each has one or more allowed sources. The editable policy directives, their descriptions and the uneditable default sources are listed below. Each policy can have one or more sources, and each source should be on its own line.
Additional connect-src Entries
This policy dictates which URLs are able to be loaded via script interfaces. For example, SmarterTrack allows users to add in their Google Analytics Site ID to track usage of their SmarterTrack Portal. SmarterTrack uses the <script> tag to load the Google Analytics tracking code, including that Site ID. Therefore, the URL for Google Analytics is needed to allow that to happen. Wildcards are allowed and the default sources are:
- *.google-analytics.com
- googleapis.com
Additional frame-ancestors Entries
This policy specifies valid "parent URLs" that may embed a page in a frame, iframe, etc. Wildcards are allowed and there are no default sources.
Additional frame-src Entries
This policy specifies valid sources for nested content that are loaded via frames, etc. This content can include embedded videos for KB articles, etc. Wildcards are allowed and the default sources are:
- *.fleeq.io
- *.google.com/recaptcha/
- *.mediaservices.windows.net
- *.metacafe.com
- *.streaming.azure.net
- *.vimeo.com
- *.youtube.com
- *.youtube-nocookie.com
Additional script-src Entries
This policy specifies valid sources for JavaScript. This includes not only URLs loaded directly using a <script> tag, but also things like inline script event handlers (e.g., OnClick events) and XSLT stylesheets, which can trigger script execution. Wildcards are allowed and the default sources are:
- *.google.com/recaptcha/
- *.google-analytics.com
- *.googleapis.com
- *.gstatic.com/recaptcha/
- translate.google.com
Additional style-src Entries
This policy specifies valid sources for stylesheets. Wildcards are allowed and the default sources are:
- fonts.googleapis.com
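As an added example (not SmarterTrack's own code), the following merges the "one source per line" text boxes above into the default sources listed on this page and checks whether a given URL would be permitted by a directive. The matching rules are a simplification of CSP host-source matching (leading `*.` matches subdomains but not the bare domain; a source path ending in `/` is a prefix match; schemes and ports are ignored), and the extra sources in the sample are constructed.

```python
from urllib.parse import urlsplit

# Default sources exactly as listed on this page (frame-ancestors has none).
DEFAULT_SOURCES = {
    "connect-src": ["*.google-analytics.com", "googleapis.com"],
    "frame-ancestors": [],
    "frame-src": ["*.fleeq.io", "*.google.com/recaptcha/", "*.mediaservices.windows.net",
                  "*.metacafe.com", "*.streaming.azure.net", "*.vimeo.com",
                  "*.youtube.com", "*.youtube-nocookie.com"],
    "script-src": ["*.google.com/recaptcha/", "*.google-analytics.com", "*.googleapis.com",
                   "*.gstatic.com/recaptcha/", "translate.google.com"],
    "style-src": ["fonts.googleapis.com"],
}


def build_policy(additional: dict[str, str]) -> dict[str, list[str]]:
    """Merge the admin's 'Additional ... Entries' text boxes (one source per line)
    into the default sources, skipping blanks and duplicates."""
    policy = {d: list(srcs) for d, srcs in DEFAULT_SOURCES.items()}
    for directive, text in additional.items():
        for line in text.splitlines():
            src = line.strip()
            if src and src not in policy.setdefault(directive, []):
                policy[directive].append(src)
    return policy


def source_matches(source: str, url: str) -> bool:
    """Simplified host-source match: host (optionally '*.'-prefixed) plus an
    optional path prefix. '*.google.com' does not match 'google.com' itself,
    nor look-alikes such as 'notgoogle.com'."""
    host_part, _, path = source.partition("/")
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_part.startswith("*."):
        if not host.endswith(host_part[1:]):      # keep the leading dot
            return False
    elif host != host_part:
        return False
    return parts.path.startswith("/" + path) if path else True


def is_allowed(policy: dict[str, list[str]], directive: str, url: str) -> bool:
    """True if any source listed for the directive permits the URL."""
    return any(source_matches(s, url) for s in policy.get(directive, []))


if __name__ == "__main__":
    # Constructed extra frame-src entry for a hypothetical video host.
    policy = build_policy({"frame-src": "player.example-video.test\n*.youtube.com\n"})
    print(is_allowed(policy, "frame-src", "https://www.youtube.com/embed/abc"))
```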