12 Security Practices

Oracle Service Cloud security and compliance

Security is a changing landscape with new attack methods continuously developing, many of which are based on social engineering that takes advantage of user trust. An important constituent in product security is your diligence in configuring Oracle Service Cloud and your vigilance in its use. This document discusses important security issues and provides specific information about configuration settings that address product security.

The protection of our customers’ assets is a high priority at Oracle. We strive to make your Oracle Service Cloud experience secure by holding ourselves to industry-standard security and privacy requirements in our software development practices and operational methods. For added protection, Oracle Service Cloud can be hosted within our community cloud environments that align with well-known regulatory control frameworks. Depending on the cloud environment you purchased, accreditations, attestations, and certifications may include:

  • DIACAP—Department of Defense Information Assurance Certification and Accreditation Process

  • DISA ATO—Defense Information Systems Agency–Authority to Operate

  • FedRAMP pATO—Federal Risk and Authorization Management Program - Provisional Authority to Operate

  • HIPAA—Health Insurance Portability and Accountability Act

  • NIST 800-53—National Institute of Standards and Technology

  • PCI-DSS—Payment Card Industry Security Standards Council

  • SSAE 16 Type II

  • SOC2 Type II

Network and hosting infrastructure

Oracle uses “defense in depth” with multiple levels of security crafted to protect everything in the hosted environment from the network infrastructure to the software.

Oracle Service Cloud sites are hosted in security-hardened pods where each is protected by redundant firewalls and a demilitarized zone architecture. All major services, which include web, database, and mail services, are separately hosted and load balanced. The pods are audited daily, both internally and externally, and every quarterly software release is subjected to a third-party audit. In addition, a dedicated security staff monitors all systems for events that could jeopardize system reliability or data integrity.

Developing a Security Plan

When configuring your Oracle Service Cloud site, your goal is to obtain the maximum effectiveness for your staff and your customers, while ensuring that your site is safe from threats.

Although Oracle Service Cloud is designed and implemented with the highest levels of security, we recognize that our customers’ needs vary. Therefore, we offer configuration options that let you accept various levels of risk. Your sensitivity to those risks should dictate the configuration and management options you use in your site.

Note: Never assume that your security system is foolproof. New attacks are designed every day, so you should expect that any weakness will eventually be exploited. Ongoing vigilance and process improvement are required to minimize risk.

Common security threats

Risks to using a web-facing software product like Oracle Service Cloud to collect and store data include but are not limited to:

  • Data leaks to unauthorized persons.

  • Attacks to subvert security measures.

  • Vandalism of the host site.

  • Attacks against site users.

Security considerations

To start developing your security plan, we’ve compiled a list of questions and considerations that relate to the use of Oracle Service Cloud. Your answers should help determine the content of your security plan.

The following list is a minimal set of considerations that relate to the use of Oracle Service Cloud.

  • What type of data will you collect and store?

    • Is personal information such as name, address, telephone number, and email address collected?

    • Is medical or financial information collected and stored?

    • Are there required data security standards or certifications, such as HIPAA or PCI?

  • What methods will be used to obtain the data?

    • Does information come over the Internet or a private intranet?

    • Does information come from a voice-based system?

  • What is the access method for the data?

    • Are users required to provide credentials, such as a user name and password, or is data openly available?

  • What are the risks associated with compromised data?

    • What is the monetary cost?

    • What is the non-monetary cost, such as loss of reputation?

    • Are there legal ramifications?

  • Who are your user groups?

  • What authentication methods are available and which should be used for each type of user?

  • For each type of data, which types of users should have access and how should the authorization be accomplished?

  • What communication methods will be used and what efforts should be made to protect communication from being compromised?

While there are many resources available that can help you develop security policies and procedures, keep in mind that you should rely only on those resources that you find reliable and trustworthy. The following is a list of suggested reading on security topics.

  • Writing Information Security Policies by Scott Barman

  • Information Security Policies and Procedures by Thomas Peltier

  • SANS Institute—for information about security training and security certification

  • OWASP—A nonprofit organization focused on improving software security

Configuring the Administration Interface

Properly configuring the administration interface is critical to your site security because staff members can be granted permission to view and modify virtually everything in an Oracle Service Cloud site, including your site controls and data.

Oracle Service Cloud uses role-based access control through profile permissions, navigation sets, and workspaces that you define. All staff members are assigned a profile that is associated with a navigation set and one or more workspaces.

  • Navigation sets—A navigation set is a combination of navigation buttons and their associated navigation lists. Each navigation list contains unique reports and items based on staff member responsibilities, and every profile must include a navigation set that all staff members with that profile use when working in Oracle Service Cloud. By carefully examining staff member responsibilities before you create navigation sets, you can grant access to functionality to only those individuals who require it. See About Navigation Sets, Creating navigation sets, and Assign a navigation set to a profile.

  • Workspaces—Workspaces define the appearance of the agent desktop when staff members add, view, and edit records in Oracle Service Cloud. Each profile has one or more workspaces that can be designed to provide only the functionality that is needed by the staff member. Along with navigation sets, workspaces provide macro-level control over access rights. See Quick Access toolbar and controls for complete details and procedures about standard and custom workspaces.

  • Profile permissions—Profiles let you control what areas of Oracle Service Cloud your staff members can access and what specific actions they can perform in those areas. See Customizing profiles.

Note: You must create navigation sets before profiles in order for staff members to have access to reports and other components. In addition, if you use custom workspaces, we recommend creating them before creating profiles so you can assign the workspaces to specific profiles.

Using role access to define permissions

Setting permissions carefully and thoughtfully greatly enhances the security of your site. This is particularly true regarding administrator permissions, which typically let staff members edit configuration settings and administrative controls.

One method for determining the permissions you grant is to use a role-access method. While no contrived set of roles will represent any organization perfectly, the four job types used here demonstrate a general scenario of how permissions might be set up.

  • Administrator—Staff member with access to all functionality.

  • Supervisor—Staff member with supervisory responsibilities but no responsibility for configuring your site.

  • Staff member—Staff member with access to data but no administrative controls.

  • Developer—Staff member with access to development and integration interfaces.

The following table is not a complete list of all the permissions available, but an abbreviated set representing those permissions with direct security ramifications.

Table Role-Access Scenario

| Setting | Functionality | Roles |
|---|---|---|
| Administration—See Select Administration permissions | | |
| Administration | Create and edit the following items: Custom Fields, Messages, Mailboxes, Currencies and Exchange Rates, Service Level Agreements, Response Requirements, Chat Hours, Quote Templates, Territories, Promotions, Strategies, Sales Periods, External Suppression List, Thread Type Correction | Administrator |
| Groups/Accounts/Distribution Lists | Access staff accounts and distribution lists. | Administrator, Supervisor |
| System Error Log | Access log files under Site Configuration. | Administrator, Supervisor |
| Workspace Designer | Access Workspaces and Workflows explorers and designers. | Administrator, Supervisor |
| Scripting | Create and edit agent scripts. | Administrator, Developer |
| Object Designer | Create custom objects. | Administrator, Developer |
| Message Templates | Customize administrator notifications, administrator emails, and contact emails. | Administrator |
| Access Control | Access the Access Control editor to configure staff and customer settings permissions for Community Self Service. | Administrator, Supervisor |
| CP Promote | Promote customer portal pages from the staging area to the production area. | Administrator, Developer |
| CP Stage | Copy customer portal development files to the staging area. | Administrator, Developer |
| CP Edit | Access the Customer Portal Administration site and edit customer portal pages in the development area using WebDAV. | Administrator, Developer |
| Rules View | View business rules. | Administrator, Supervisor, Staff member |
| Data Import | Import data, including answers, contacts, incidents, organizations, and custom objects. | Administrator, Supervisor |
| Process Designer | Create custom processes. | Administrator, Developer, Supervisor, Staff member |
| Virtual Assistant Edit | Access to configuration of the virtual assistant. | Administrator |
| Broadcast Notifications | Send messages to other staff members. | Administrator, Supervisor |
| Configuration | Access to the following areas and functionality: Password Configuration, Configuration Settings, Configuration Wizard, Message Bases, File Manager, Interfaces, Add-In Manager, Email Address Sharing | Administrator |
| Business Process Settings | Define interface appearance and functionality, including: Navigation Sets, Customizable Menus, Countries, Products/Categories/Dispositions, Standard Text, Variables, Holidays, Product Catalog, Price Schedules, Tracked Link Categories | Administrator, Supervisor |
| Rules Edit | Edit business rules. | Administrator, Supervisor |
| Profiles | Add and edit profiles. | Administrator |
| SSO Login (SAML 2.0) | Allows login only through an identity provider, that is, using a single sign-on process. Oracle Service Cloud uses the SAML 2.0 protocol for single sign-on. | Administrator |
| Skill Edit | Access to configuration of advanced routing. | Administrator, Supervisor |
| Agent Browser User Interface | Access to the Oracle Service Cloud using the Agent Browser UI through account authentication. | Administrator, Supervisor, Staff member |
| Public SOAP API | Access the public SOAP API through account or session authentication. | Administrator, Developer |
| Public Knowledge Foundation API | Access the public Knowledge Foundation API through account or session authentication. | Administrator, Developer, Supervisor, Staff member |
| Mobile Agent App | Access Oracle Service Cloud on a mobile device through account authentication. | Administrator, Supervisor, Staff member |
| Organizations—See Select Organizations permissions | | |
| | Add, edit, delete, and view organizations. | Administrator |
| | Edit and view organizations. | Supervisor |
| | View organizations. | Staff member |
| Contacts—See Select Contacts permissions | | |
| | Add, edit, delete, view, and move contacts. | Administrator |
| | Add, email, edit, delete, and view contacts. | Supervisor |
| | Email, edit, and view contacts. | Staff member |
| Service—See Select Service permissions | | |
| Incidents | Add, edit, view, and delete incidents; propose incidents as answers; respond to incidents. | Administrator, Supervisor |
| | Add, edit, and respond to incidents. | Staff member |
| Answers | Add, edit, and delete answers; set answers to public status. | Administrator, Supervisor |
| | Add and edit answers. | Staff member |
| Asset | Add, edit, delete, and view assets. | Administrator, Supervisor |
| | View and edit assets. | Staff member |
| Opportunities—See Select Opportunities permissions | | |
| | Create, edit, delete, view, respond to leads, and send quotes. | Administrator |
| | Create, edit, and view leads, and send quotes. | Supervisor |
| | View leads and send quotes. | Staff member |
| Outreach—See Select Outreach permissions | | |
| | Create, edit, delete, and view mailings, campaigns, documents, templates, snippets, file attachments, tracked links, segments, and contact lists. | Administrator |
| | Edit and view mailings, campaigns, documents, templates, snippets, file attachments, tracked links, segments, and contact lists. | Supervisor |
| | View mailings, campaigns, documents, templates, snippets, file attachments, tracked links, segments, and contact lists. | Staff member |
| Feedback—See Select Feedback permissions | | |
| | Create, edit, delete, and view surveys, questions, documents, templates, snippets, file attachments, tracked links, segments, and contact lists. | Administrator |
| | Edit and view surveys, questions, documents, templates, snippets, file attachments, tracked links, segments, and contact lists. | Supervisor |
| | View surveys, questions, documents, templates, snippets, file attachments, tracked links, segments, and contact lists. | Staff member |
| Tasks—See Select Task permissions | | |
| | Create, edit, delete, and view tasks. | Administrator |
| | Edit, view, and delete tasks. | Supervisor |
| | View tasks. | Staff member |
| Analytics—See Select Analytics permissions | | |
| | Create, edit, view, customize, print, export, and forward reports. | Administrator |
| | Edit, view, customize, print, export, and forward reports. | Supervisor |
| | View, edit, print, export, and forward reports. | Staff member |

Email Security

Most email sent over networks is not encrypted. However, we recommend encrypting all data that you deem sensitive. Oracle Service Cloud is designed to prevent the inadvertent release of information, but there are also a number of configuration settings related to email that you can use to increase your protection.

Certificates

Secure sockets layer (SSL) protocol provides encryption services for client-server communication security. To accomplish this, digital certificates are used to convey identification information and encryption keys. Since all agent desktop communication is over SSL, your site already uses a certificate issued by Oracle. This certificate can be used for other secure communication links, including staff member and customer access and email. See Configure SSL security settings, S/MIME, and Certificate validation options.

For a discussion about the configuration settings you can use to protect your site and improve your security, see Site protection.

Emailing links to answers

You can email links to answers from the customer portal or the administration interface. If a login is required for customers to access an answer, a user name and password will be required.

Answer visibility depends on who is trying to access the answer—a customer or a staff member—and where they are accessing it from—the customer portal or the administration interface. From the customer portal, visibility is controlled by a number of fields, including the Status field, which is defined on the administration interface. For example, if an answer status has been set to Private, then that answer is not visible to customers. See visibilityinterfaceSLAs.

For customers accessing answers from the customer portal, each answer link is protected by a security token with a limited lifetime that is defined in the configuration setting SEC_EU_EMAIL_LINK_EXPIRE. The default value is eight hours, meaning that a customer has eight hours to click the link and read the information published in the answer. We recommend using this security token to limit the time answers are available to customers. Because attackers need time to build phishing sites (for luring a user into clicking a link), the smaller the window of time you allow for access to your answers, the more secure your site will be.

For example, if an email with an answer link is copied by an attacker, access to the security token and the link has been compromised. If your site requires customers to log in to see an answer, the answer itself is safe, but the attacker can create a phishing scenario using a modified link that takes customers to an external site where their login credentials are stolen. It takes time to accomplish this, so the shorter the window of opportunity, the lower the likelihood of success. Setting the security token expiration in SEC_EU_EMAIL_LINK_EXPIRE helps discourage attackers. See Customer passwords.

From the administration interface, profile permissions control staff members’ access to answers. Permissions of the staff member who sends an email link to an answer do not transfer to the receiver, so data security is maintained.

Abuse Detection Security

A potential threat to any website is a “denial of service” (DoS) attack where the attacker issues a large number of requests for service. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks and credit card payment gateways. These attacks can slow the response time to legitimate visitors, overwhelm the database server, and generate excessive emails that interfere with normal operation.

To prevent these attacks, Oracle Service Cloud provides web form and survey security through CAPTCHA, which automatically requires human validation when abuse is suspected. CAPTCHA validation is typically triggered only if there appears to be active abuse of a website. However, you can customize CAPTCHA requirements from the customer portal. See Web form and survey security and Web form security.

Security-Related Configuration Settings

Certain configuration settings have a direct effect on security. Some affect the administration side of Oracle Service Cloud and others affect the customer portal or an external website. By making a conscious decision to determine the appropriate level of security that fits your business, you can define configuration settings to reflect a suitable security level.

This section lists configuration settings that specifically impact security. Paths to each setting in the Configuration Settings editor, descriptions, and default values are also listed. Configuration settings in this section are grouped into the following categories.

  • Site protection

  • Session data

  • Password protection

  • File attachment security

  • Chat security

  • Social experience security

For a complete list of security-related configuration settings by security level and significance, see Security level.

Note: Depending on your site’s configuration, some settings may be hidden. If you cannot find a certain configuration setting, contact your Oracle account manager.

Site protection

One of the most important steps you can take to protect your site is to limit access to the greatest extent possible while still meeting the requirements of your staff members and customers.

By restricting access to your site or certain functionality within your site, you can reduce opportunities for unwanted visitors with malicious intent to gain access to your assets. Configuration setting descriptions that affect your site’s protection are listed in the following two tables.

Table Administration Interface Settings for Site Protection

| Configuration Setting | Description | Default Value |
|---|---|---|
| Common/General/Security | | |
| SEC_VALID_ADMIN_HOSTS | Defines which hosts can access the administration interface. | Blank |
| SEC_VALID_INTEG_HOSTS | Defines which hosts can access the integration interface. Only staff members who log in from the listed IP addresses, including network groups, can access the API interface. | Blank |
| RightNow User Interface/General/Security | | |
| CLIENT_SESSION_EXP | Requires staff members to log in again after a specified period of inactivity on the Service Console. To reduce the risk of a misappropriated agent session, we recommend keeping the default value of 15. Note: This setting is not used strictly for security. It is also used in the desktop usage administration feature. | 15 |
| RightNow User Interface/Tool Bar/General | | |
| LOGIN_SECURITY_MSG | Defines a message to display after staff members click the Login button on the Login window. You can use this setting to issue a security statement, distribute terms of a use agreement, or any login message you want staff members to agree to before the Service Console opens. | Blank |

Table Customer Portal Settings for Site Protection

| Configuration Setting | Description | Default Value |
|---|---|---|
| Common/General/Security | | |
| CP_REDIRECT_HOSTS | Defines which hosts are allowed as redirect targets from the customer portal. The default setting (blank) prevents all redirects outside of your interface domain. If you have more than one interface that you need to redirect to, each interface domain name must be specified in CP_REDIRECT_HOSTS. Blank = Prevents all redirects outside of your interface domain. * = Allows all redirects, including redirects to external sites. (Not recommended.) Note: Redirects within your interface domain, as well as hosts specified in related configuration settings are implicitly allowed. Therefore, those domains do not need to be listed in the CP_REDIRECT_HOSTS setting. | Blank |
| SEC_VALID_ENDUSER_HOSTS | Note: This setting applies only to PHP pages. It does not block access to static assets such as URLs, images, JavaScript, folders, or files. For more information, contact your Oracle account manager. Defines which hosts can access the customer portal. Only customers coming from a host in the valid list are allowed access to the customer portal. Tip: The valid list is practical only if the set of allowed hosts is confined to 10 or fewer domains. | Blank |
| SEC_INVALID_ENDUSER_HOSTS | Defines which hosts are not allowed access to the customer portal. The invalid list is used to prevent spiders from known locations. | Blank |
| RightNow User Interface/General/Security | | |
| SUBMIT_TOKEN_EXP | Defines the amount of time, in minutes, that the submit token used for token verification is valid. | 30 |

Clickjacking protection

Clickjacking is an attack on browser security that can mislead your customers into clicking a concealed link. On a clickjacked page, attackers load another page in a transparent layer over your original page. Users think they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may even be an authentic one, such as a page from a well-known, reputable business. This makes it possible for attackers to trick your customers into performing unintended actions.

A common defense against clickjacking is to attempt to block the site you are trying to protect from being loaded into a frame.

Customer Portal

The ClickjackPrevention widget, included by default in the standard and mobile templates, ensures that your customer portal cannot be viewed inside a frame or iFrame.

If you do not use frames, you can edit the standard.php file of your template file to minimize the risk of clickjacking. For the complete procedure, see Remove the ClickjackPrevention widget from the template.

For more information on clickjacking, including definitions for X-Frame-Options response headers, search for the Clickjacking Defense Cheat Sheet on the OWASP website.

Cross-site request forgery

Cross-site request forgery (CSRF) causes a user’s browser to load pages (including forms) that typically require authentication in an attempt to perform actions on behalf of the user. If the user has a valid authenticated session for the site the attacker is causing to load into the browser, those requests will succeed. If proper protections are not in place, this may let the attacker perform unintended actions on behalf of the user.

Submit tokens ensure that the contact who opened the page is the only contact who can submit the form. The SUBMIT_TOKEN_EXP configuration setting lets you define the amount of time the submit token is valid and is set, by default, to expire 30 minutes from the time the token was sent. After 30 minutes, the contact will receive a new token. The expiration process is invisible to the contact, making for a seamless user experience.

For more information about CSRF vulnerabilities, search for the CSRF Prevention Cheat Sheet on the OWASP website.
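The two time-limited tokens described on this page (the emailed answer-link token governed by SEC_EU_EMAIL_LINK_EXPIRE and the submit token governed by SUBMIT_TOKEN_EXP) share one idea: a value that is valid only for one purpose, one subject, and a bounded time. The Python below is an added illustration of that idea and is not Oracle's token format or code; the HMAC construction, function names, and key handling are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

SUBMIT_TOKEN_EXP_MIN = 30     # default stated on this page for SUBMIT_TOKEN_EXP
EMAIL_LINK_EXPIRE_HOURS = 8   # default stated for SEC_EU_EMAIL_LINK_EXPIRE


def _mac_input(purpose, subject, body):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    out = b""
    for field in (purpose.encode(), subject.encode(), body):
        out += struct.pack(">I", len(field)) + field
    return out


def issue_token(key, purpose, subject, ttl_seconds, now=None):
    """Return a URL-safe token bound to (purpose, subject) that expires.

    purpose: hypothetical label such as "submit" or "email-link"
    subject: who or what the token is for (contact id, answer id, ...)
    """
    now = int(time.time()) if now is None else int(now)
    body = struct.pack(">Q", now + ttl_seconds) + secrets.token_bytes(8)
    mac = hmac.new(key, _mac_input(purpose, subject, body), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode().rstrip("=")


def verify_token(key, purpose, subject, token, now=None):
    """True only if the token is authentic, for this subject, and unexpired."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return False
    if len(raw) != 16 + 32:          # 8-byte expiry + 8-byte nonce + SHA-256 MAC
        return False
    body, mac = raw[:16], raw[16:]
    expected = hmac.new(key, _mac_input(purpose, subject, body), hashlib.sha256).digest()
    # Check authenticity first, in constant time, then the expiry it protects.
    if not hmac.compare_digest(mac, expected):
        return False
    (expires,) = struct.unpack(">Q", body[:8])
    return now < expires


if __name__ == "__main__":
    key = secrets.token_bytes(32)    # constructed key for the demo only
    t0 = 1_700_000_000               # constructed timestamp
    tok = issue_token(key, "submit", "contact-1001", SUBMIT_TOKEN_EXP_MIN * 60, now=t0)
    print("same contact, 10 min later :", verify_token(key, "submit", "contact-1001", tok, now=t0 + 600))
    print("other contact              :", verify_token(key, "submit", "contact-2002", tok, now=t0 + 600))
    print("same contact, 31 min later :", verify_token(key, "submit", "contact-1001", tok, now=t0 + 1860))
```

Binding the subject into the MAC is what makes a token copied from one contact's page useless in another contact's session; the expiry bounds how long a copied email link stays useful.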

Specifying valid redirect domains

Linking from one page to another is a security risk you should consider. For example, to redirect users to different locations within your site, you may have placed a link in your URL. Typically, these are links to other files on your site but they can also be links to another interface, either on your site or on an external site.

Attackers can take advantage of redirects by creating URL links in the following locations.

  • Questions on your page

  • Uploaded files

  • Emails

In each of these scenarios, an attacker bets that users will click the link they create and be redirected to an external site where data can be maliciously harvested.

To protect your site from this type of attack, you can set the value of CP_REDIRECT_HOSTS to a list of interface domains that are legitimate redirect targets. The default value is blank, which limits redirects to pages only within your interface domain. Keep in mind that redirects to domains specified in related configuration settings are implicitly allowed.

The following table displays sample values for CP_REDIRECT_HOSTS.

Table Sample Values for CP_REDIRECT_HOSTS

| Value | Meaning |
|---|---|
| Blank | Prevents all redirects outside of your interface. (Default) |
| * | Allows all redirects. (Not recommended.) |
| *.example.com | Allows redirects to all sites in the example.com domain. |
| one.example.com, two.example.com | Allows redirects to sites one and two in the example.com domain. |
| example.custhelp.com, *.test.com | Allows redirects to example.custhelp.com and any interface in the test.com domain. |

For information about securely publishing answer links on your site, see Email Security.
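The allowlist semantics in the sample values table can be exercised with a small validator. The Python below is an added illustration, not Oracle's implementation: the function names are hypothetical, and it assumes that *.example.com covers subdomains only (not the bare domain) and that only http and https targets are redirect candidates. It also handles the URL shapes that commonly slip past naive host checks.

```python
from urllib.parse import urlsplit


def parse_redirect_hosts(setting):
    """Split a CP_REDIRECT_HOSTS-style value into lowercase host patterns."""
    return [p.strip().lower() for p in setting.split(",") if p.strip()]


def host_matches(host, pattern):
    """Match one host against '*', '*.domain' or an exact host name."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Keep the leading dot so "evilexample.com" cannot match "*.example.com".
        # Assumption: the wildcard covers subdomains, not the bare domain.
        suffix = pattern[1:]
        return host.endswith(suffix) and host != suffix
    return host == pattern


def is_redirect_allowed(target, interface_host, setting=""):
    """Return True if `target` is an acceptable redirect destination.

    interface_host: the site's own interface domain (always allowed)
    setting:        the CP_REDIRECT_HOSTS value; blank allows nothing external
    """
    # Browsers drop tabs/newlines and treat "\" like "/", so reject the
    # former and normalise the latter before parsing.
    if target != target.strip() or any(c in target for c in "\r\n\t"):
        return False
    try:
        parts = urlsplit(target.replace("\\", "/"))
    except ValueError:               # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                 # javascript:, data:, and so on
    # .hostname discards any "user@" prefix, so "good.example@other.test"
    # is judged by the host the browser would really contact.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        # A bare path stays inside the interface; a scheme with no host
        # ("https:other.test") is ambiguous across browsers, so refuse it.
        return not parts.scheme
    if host == interface_host.lower():
        return True
    return any(host_matches(host, p) for p in parse_redirect_hosts(setting))


if __name__ == "__main__":
    own = "example.custhelp.com"     # constructed interface domain
    allow = "one.example.com, *.test.com"
    # Constructed sample targets, not taken from any real site.
    for url in ["/app/answers/list",
                "https://one.example.com/app/home",
                "https://a.test.com/",
                "https://eviltest.com/",
                "//unlisted.example.net/x",
                "https://one.example.com@unlisted.example.net/"]:
        print(f"{url!r:50} -> {is_redirect_allowed(url, own, allow)}")
```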

Session data

To maintain state information about staff members and customers, we use session data that is passed between the staff member’s or customer’s system and the web server. When an individual is logged in, data from the session can provide the necessary authentication for accessing your data that would not otherwise be available.

Session data security prevents attacks that stem from the trust the system has in authenticated users. Without session data security, attackers may be able to capture session data and reuse it. These are commonly referred to as “replay” attacks or “man-in-the-middle” attacks.

The SESSION_HARD_TIMEOUT configuration setting helps reduce session exploitation by forcing staff members to reauthenticate after a specified period of time. Set to twelve hours by default, this setting creates a new session while destroying the previous session each time the staff member reauthenticates. See Forcing session expiration.

The CP_FORCE_PASSWORDS_OVER_HTTPS configuration setting is enabled by default and helps protect staff members and customers from malicious activity such as password theft. This setting requires that all login operations, such as login name and password, be performed over HTTPS. Therefore, logged-in users interact entirely on HTTPS.

Note: Pages that use passwords within standard widgets are automatically redirected to HTTPS.

If your site is password protected, you should require customers to log in to the customer portal. Even if only your answer pages are password protected, the CP_CONTACT_LOGIN_REQUIRED configuration setting enforces secure logon to your pages and controls on the customer portal. The CP_CONTACT_LOGIN_REQUIRED variable also prevents unauthenticated chat sessions.

Oracle Service Cloud offers different session management schemes for the administration interface and the customer portal. However, for both interfaces, we perform the following actions:

  • Encrypt session data stored in cookies.

  • Set the Secure flag and the HTTP Only flag on cookies.

  • Make session data difficult to use from a different computer system.

  • Require staff members to reauthenticate after twelve hours. See the SESSION_HARD_TIMEOUT setting description in the following table.

  • Require staff members to reauthenticate after a specified period of inactivity. See the CLIENT_SESSION_EXP setting description in the following table.

  • Require all login operations to be performed over HTTPS. See the CP_FORCE_PASSWORDS_OVER_HTTPS setting description in Customer Portal Settings for Session Data below.

Configuration setting descriptions that affect your site’s session data are listed in the following two tables.

Table Administration Interface Settings for Session Data

| Configuration Setting | Description | Default Value |
|---|---|---|
| RightNow User Interface/General/Security | | |
| CLIENT_SESSION_EXP | Requires staff members to reauthenticate after a specified period of inactivity on the Service Console. Note: This setting is not used strictly for security. It is also used in the desktop usage administration feature. See Controlling desktop usage. | 15 minutes |
| SESSION_HARD_TIMEOUT | Requires staff members to reauthenticate after a specified period of time. This setting creates a new session each time the staff member reauthenticates. The previous session is destroyed. | 12 hours |

Table Customer Portal Settings for Session Data

Configuration Setting Description Default Value
RightNow User Interface/General/Security
CP_LOGIN_MAX_TIME

Defines the time (in minutes) a customer can be logged in without needing to log in again. If a session goes past the defined setting, the customer is required to log in again.

The default is 0, which means that the time is set by CP_LOGIN_COOKIE_EXP.

0
RightNow User Interface/Customer Portal/Login
CP_CONTACT_LOGIN_ REQUIRED

Defines whether the customer portal requires a customer to be logged in when accessing most pages or controls.

Also prevents unauthenticated chat sessions.

Note: This setting does not apply to the login, password recovery, and account creation pages, or pass-through authentication (PTA). PTA is described in the Pass-Through Authentication Guide. If you do not have this guide, contact your Oracle account manager.
No
CP_COOKIES_ENABLED

Defines whether the customer portal tries to set cookies on a visitor’s browser.

Yes
CP_FORCE_PASSWORDS_ OVER_HTTPS

Requires all login operations to be performed over HTTPS.

Pages that use passwords within standard widgets are automatically redirected to HTTPS.

Yes
CP_LOGIN_COOKIE_EXP

The time (in minutes) before the customer portal login cookie expires. Set the value to -1 if you want the cookie to expire when the browser is closed. Set the value to 0 if you never want the cookie to expire.

60
CP_MAX_LOGINS

Defines the total number of concurrent users that can be logged in to your support site at any given time.

A value of 0 means there is no limit. If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME.

0
CP_MAX_LOGINS_PER_CONTACT

Defines the total number of active, concurrent logins a single user can be logged in with. A value of 0 means there is no limit.

If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME.

0
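
The settings in this table depend on one another: CP_LOGIN_MAX_TIME defers to CP_LOGIN_COOKIE_EXP when it is 0, and either concurrency limit requires a non-zero CP_LOGIN_MAX_TIME. The following check is an added example, not Oracle code; it assumes the settings have been copied into a dict of name to value, and the function names are hypothetical.

```python
# Added example (not Oracle code): applies the rules stated in the table above.
# Assumption: settings are supplied as a dict of setting name -> int or bool.

# Defaults as listed in the table above.
DEFAULTS = {
    "CP_LOGIN_MAX_TIME": 0,           # minutes; 0 = defer to CP_LOGIN_COOKIE_EXP
    "CP_LOGIN_COOKIE_EXP": 60,        # minutes; -1 = browser close, 0 = never
    "CP_MAX_LOGINS": 0,               # 0 = no limit
    "CP_MAX_LOGINS_PER_CONTACT": 0,   # 0 = no limit
    "CP_CONTACT_LOGIN_REQUIRED": False,
    "CP_FORCE_PASSWORDS_OVER_HTTPS": True,
}


def login_lifetime_bound(settings):
    """Return (kind, minutes) bounding how long a customer login can last.

    kind is "minutes", "browser_close" or "unbounded"; minutes is None
    unless kind == "minutes".
    """
    cfg = {**DEFAULTS, **settings}
    max_time = cfg["CP_LOGIN_MAX_TIME"]
    cookie_exp = cfg["CP_LOGIN_COOKIE_EXP"]
    if max_time < 0 or cookie_exp < -1:
        raise ValueError(
            "CP_LOGIN_MAX_TIME must be >= 0 and CP_LOGIN_COOKIE_EXP >= -1")
    if max_time > 0:
        # A session that goes past this limit forces a new login.
        return ("minutes", max_time)
    if cookie_exp == -1:
        return ("browser_close", None)
    if cookie_exp == 0:
        return ("unbounded", None)
    return ("minutes", cookie_exp)


def audit_session_settings(settings):
    """Return a list of findings for one site's customer portal settings."""
    cfg = {**DEFAULTS, **settings}
    findings = []

    # The table requires a non-zero CP_LOGIN_MAX_TIME whenever a
    # concurrency limit is set.
    for name in ("CP_MAX_LOGINS", "CP_MAX_LOGINS_PER_CONTACT"):
        if cfg[name] != 0 and cfg["CP_LOGIN_MAX_TIME"] == 0:
            findings.append(
                f"{name}={cfg[name]} needs a non-zero CP_LOGIN_MAX_TIME")

    kind, _ = login_lifetime_bound(cfg)
    if kind == "unbounded":
        findings.append("customer logins never expire "
                        "(CP_LOGIN_MAX_TIME=0 and CP_LOGIN_COOKIE_EXP=0)")

    if not cfg["CP_FORCE_PASSWORDS_OVER_HTTPS"]:
        findings.append("CP_FORCE_PASSWORDS_OVER_HTTPS is off: "
                        "login operations are not forced onto HTTPS")
    if not cfg["CP_CONTACT_LOGIN_REQUIRED"]:
        findings.append("CP_CONTACT_LOGIN_REQUIRED is off: "
                        "unauthenticated chat sessions are not prevented")
    return findings


if __name__ == "__main__":
    # Constructed sample: a site that caps concurrent logins but left the
    # session limit at its default and made the login cookie permanent.
    sample = {"CP_MAX_LOGINS": 500, "CP_LOGIN_COOKIE_EXP": 0}
    print(login_lifetime_bound(sample))
    for finding in audit_session_settings(sample):
        print("-", finding)
```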

Password protection

No matter your security situation, you have considerable flexibility in setting up passwords for your staff and your customers.

If the data protected by a password is neither critical nor subject to privacy legislation, the default values in Oracle Service Cloud may be acceptable. The most serious threats to passwords include:

  • Password cracking by brute-force attack or an exhaustive key search.

  • Nefarious activities, such as phishing and other social engineering attacks.

  • Inadvertent release by users (staff members or customers) who write down their passwords, send them in emails, or expose them to the public in other ways.

The choice of password controls depends on your security situation. For example, if users do not log in often, setting password expiration parameters can result in unnecessary locked accounts and frustrated users. While locking accounts can prevent some brute-force and denial-of-service attacks, it can also increase administrative overhead.

If you require your users to change their passwords regularly, you need to save history data to prevent reuse (at least five previous passwords). It is common for users to make a minor change to their password and eventually cycle back to the original, so it is difficult to assess the value of this strategy.

If you are concerned that passwords could be compromised by poor user-handling (writing passwords down) or by some form of attack, consider requiring regular changes. However, mandating frequent password changes in an environment where they are strong and are not shared does not enhance security and may actually hamper it by creating an environment that causes people to store passwords in electronic or written media.

The following sections describe your configuration options and identify some tips for configuring secure passwords throughout your system.

Staff member passwords

You can strengthen passwords by defining requirements such as minimum password length, maximum number of character repetitions and occurrences, and the minimum number of upper and lowercase characters, numbers, and special characters allowed. The options available to you in setting up password requirements can enhance security on your site as well as help protect your customers’ information.

You configure passwords for your staff from the configuration list on the navigation pane (Configuration > Staff Management > Password Configuration). See Configure password requirements.

The following table describes the security benefits of defining specific requirements for passwords.

Table Password Security Benefits

Password Configuration Security Benefit
Number of Invalid Logins

Locking accounts after a designated number of consecutive login failures makes it more difficult, but not impossible, for attackers to use brute-force password cracking. If an attacker is able to obtain an encrypted password, they can guess the algorithm used to encrypt it and simply run different strings looking for a match. While time-consuming, current computing technology makes it possible to guess up to - million passwords per second (and this number increases by 10 percent per year).

In Oracle Service Cloud, the default is 5 invalid login attempts before the account is locked.

Expiration Interval

The password expiration interval helps mitigate risk for accounts that have been compromised or accounts that have not been used for long periods of time. By setting a conservative value for the number of days a password stays in effect, you can help lower the risk of attack. (Default = 90.)

Note: PCI compliance requires the expiration interval to be 90 days or less.
Password Length

While it is helpful to use case changes and special characters to enlarge the character set, enforcing longer passwords is an easy way to improve password strength. (Default = 8.)

For example, if 76 characters are used randomly, it takes no more than 12 hours to crack a 6-character password. Cracking time increases to 6 years for an 8-character password, and it would take 230 million years to crack a 12-character password. Of course, password cracking typically takes advantage of the tendency to use common words in passwords so dictionary attacks can break passwords more quickly.

For maximum security, even longer passwords (no less than 10 characters) are necessary. For example, a 12-character password composed of 3 words from a 100,000 word dictionary could take more than 7 years to crack. Add a small amount of randomness to the password, and the cracking time rapidly increases to 230 million years.

Numbers and Special Characters

Requiring numbers and special characters can add to the random factor of a password. They also make it easier for a user to come up with a password that is easy to remember, but still unique. For example, MaryhaddaL1tlelam. (Default = 0.)

Uppercase and Lowercase Characters

Requiring a mix of upper and lowercase characters can add to the random factor of a password. They also make it easier for a user to come up with a password that is easy to remember, but still unique. For example, 2BeOrNot2Bee?. (Defaults = 1.)

Number of Previous Passwords

Password history prevents the repetition of passwords when a staff member changes a password that is set to expire. Enforcing password expiration without setting the number of previous passwords allowed makes password expiration less effective. We recommend allowing 6 to 10 previous passwords. (Default = 10.)

Customer passwords

You have two ways to configure customer passwords in Oracle Service Cloud.

Configuration settings

The configuration setting EU_CUST_PASSWD_ENABLED controls the visibility of the Password field on the customer portal login window. This setting is enabled by default because it offers significant protection for your organization and your customers. However, if your organization does not require customer passwords, you can remove the Password field from the login window by disabling this setting.

Table Customer Portal Settings for Passwords

Configuration Setting Description Default Value
Common/General/Security
SEC_EU_EMAIL_LINK_EXPIRE

Defines the duration in hours that a temporary link to reset a customer’s password is valid. This setting also defines the length of time a customer has access to answers on your site. See Emailing links to answers in Email Security.

8
RightNow User Interface/General/End-User
EU_CUST_PASSWD_ENABLED

Displays the password field on the customer portal page.

Yes

Password Requirements

As with staff member passwords, you can define requirements to strengthen passwords on your customer portal. The editor for configuring customer passwords contains the same fields as those for staff passwords (see Staff member passwords). The only differences between the two editors are the default values.

See Define customer password requirements for the procedure to define requirements for customers accessing your customer portal.

Forgotten passwords

There’s no way around it—user names and passwords can be forgotten. For administrators, there is no way to recover forgotten credentials other than to contact their Oracle account manager. Other staff members can recover both their user name and password by using the Oracle Service Cloud account self-service feature. You can also use this functionality as a tool to maintain the integrity of your organization’s login policies for all staff members.

The account self-service feature, accessed by clicking Login Help on the Login window, can be set up to open the login procedure in online help or send staff an email if they have forgotten their user name or password. This functionality is also available if your site has single sign-on (SSO) enabled. See Redirecting users to the Oracle Service Cloud login page.

The following table describes the configuration settings for your forgotten-password options.

Table Account Self-Service Settings for Passwords

Configuration Setting Description Default Value
RightNow User Interface/Tool Bar/General
ACCT_RECOVER_STATUS

Specifies the functionality of the Login Help link on the Oracle Service Cloud Login window. See Configuring Login Help.

  • 0 = Opens the login procedure in online help.

  • 1 = Sends an email containing user name or a link to the Password Reset page for entering a new password (default).

  • 2 = Changes the email message staff members receive when they click Login Help. The alternate message is defined in ACCT_RECOVER_ALT.

1
ACCT_RECOVER_ALT

Specifies the alternate email message to send when the configuration setting ACCT_RECOVER_STATUS is set to 2.

Blank

Customers can also recover user names and passwords from the login window on the customer portal. See Change the open login options on the login window and Create an Account form and Remove the open login options from the login window and Create an Account form. In both cases, if the password is forgotten, the correct user name must be entered, and then a link to the Password Reset page is emailed to the address associated with that user name. The password is reset when the link is sent and login is not allowed until the process is completed. Customers must do this within the time frame contained in SEC_EU_EMAIL_LINK_EXPIRE. See Customer passwords and Email Security.

Secure password recommendations

After assessing your specific security situation, you may want to consider enforcing the following password requirements.

  • Lock staff accounts after three to five invalid login attempts. (The default is 5 in Oracle Service Cloud.)

  • Set password length to a minimum of 10 characters.

  • Require special characters and numbers.

  • Require both uppercase and lowercase characters.

  • Avoid using words or phrases that can be identified with a person, such as their name, address, telephone number, job title, type of car, and so on.

  • Encourage users to choose passwords that are easy to remember and to type. For example, common words, song lyrics, poems and so on, with slightly misspelled words, go a long way toward security.
    • 2BeOrNot2Bee?

    • MaryhadaL1ttlelam

    • JollyBARN+be4Cow

  • Stress the importance of keeping passwords secure by memorizing them and keeping them secret.
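
The recommendations above can be expressed as a checkable policy. The following validator is an added example, not part of Oracle Service Cloud; the class and function names are hypothetical, and the limits for character repetitions and occurrences (and the reading of those two terms) are assumptions, because the page names those controls without giving values.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class PasswordPolicy:
    # Values taken from the recommendations above.
    min_length: int = 10
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    # Assumed values and meanings: "repetitions" = the same character in a
    # row, "occurrences" = total uses of one character in the password.
    max_repetitions: int = 2
    max_occurrences: int = 4


def violations(password, policy=PasswordPolicy(), personal_terms=()):
    """Return the names of the policy rules that `password` breaks."""
    broken = []
    if len(password) < policy.min_length:
        broken.append("min_length")

    # Character-class minimums; "special" means any non-alphanumeric character.
    counts = {
        "min_upper": sum(c.isupper() for c in password),
        "min_lower": sum(c.islower() for c in password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_special": sum(not c.isalnum() for c in password),
    }
    for rule, seen in counts.items():
        if seen < getattr(policy, rule):
            broken.append(rule)

    # Longest run of one character, then the most frequent character overall.
    longest_run = max((len(list(g)) for _, g in groupby(password)), default=0)
    if longest_run > policy.max_repetitions:
        broken.append("max_repetitions")
    if password and max(Counter(password).values()) > policy.max_occurrences:
        broken.append("max_occurrences")

    # Personal details (name, job title, and so on) are matched without
    # regard to case; terms shorter than three characters are ignored.
    lowered = password.lower()
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        broken.append("personal_term")
    return broken


if __name__ == "__main__":
    # The three sample passwords from the list above.
    for sample in ("2BeOrNot2Bee?", "MaryhadaL1ttlelam", "JollyBARN+be4Cow"):
        print(sample, violations(sample) or "ok")
```

Run against the three sample passwords listed above, the check shows that MaryhadaL1ttlelam contains no special character, so it would be rejected once special characters are required.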

File attachment security

Oracle Service Cloud allows for attachments to incidents and answers as well as documents, templates, and snippets that are used in mailings and surveys. Attachments are a security concern because they can contain malicious code (malware) or data that is part of an attack on your site. All incoming attachments are scanned for malware, but you should always consider the possibility that attackers could evade detection.

Uploaded files containing HTML are a particular problem because they can provide links to sites that can harvest private data from unsuspecting people. For example, an attacker could upload a file that appears to be a link to an incident, but is actually a link to the attacker’s site, which prompts the receiver to enter user name and password credentials. Staff members should never follow a link unless they are confident that it is safe, and no data should ever be entered to a linked site. If it is necessary to access a referenced site, instead of clicking a link, look at the web address and verify that it goes where you think it should. Then type the correct web address into your browser.

The other problem with HTML files is that they may contain executable code in the form of JavaScript or ActiveX controls that potentially can have a significant impact on your system. If browser security works properly, this should not happen. However, browsers are one of the least secure types of software. You can disable some of this functionality, but you may need it for many complex sites or applications, including Oracle Service Cloud. Therefore, be careful when working with data from untrusted sources and educate your users about the risks associated with improper handling of uploaded files.

As an additional precaution, you can prevent attachment viewing by requiring that users download file attachments in order to view them. This protects the Oracle Service Cloud application as well as the associated data, and it also allows additional levels of scanning to be applied. The configuration setting FATTACH_OPEN_ENABLED lets staff members view attachments on the agent desktop. As a preventative measure, this setting is disabled by default. Disabling FATTACH_OPEN_ENABLED does not change the display of attachments for customers, so attachments from external sources can be verified as safe before they are placed in answers.

Even so, it is possible for a malicious user to create incidents with very large attachments that could be used to attack your site. To prevent this, the configuration setting FATTACH_MAX_SIZE controls the maximum allowable attachment size. The default (and the maximum allowable limit) is approximately twenty megabytes per attachment.

Note: Regardless of the file attachment limits you define, file upload will fail if the upload takes more than five minutes.

To learn how to restrict the number of file attachments on the Ask a Question page, see Configure file attachments.

The following table describes configuration settings for file attachments.

Table Settings for File Attachments

Configuration Setting Description Default Value
RightNow User Interface/General/File Attach
FATTACH_MAX_SIZE

Defines the maximum file size in bytes that can be uploaded to the server as an attachment. File upload will fail if the upload takes more than five minutes.

Tip: Too much available disk space can make your site vulnerable to DoS attacks. Consider the types of attachments that will be uploaded to your site, and then set this value to as small as practical for your needs. As far as security goes, the more disk space you can fill, the better.

20971520 (20 MB)

The maximum allowable limit is 20 MB.

FATTACH_OPEN_ENABLED

Lets staff members open file attachments on the agent desktop.

No

Chat security

Oracle RightNow Chat Cloud Service (Chat) lets customers experience interactive, real-time conversations with agents. There are a number of configuration options that protect these exchanges of information and the underlying services that make them possible.

For complete details and procedures about configuring Chat see the following:

The following table describes Chat configuration settings.

Table Settings for Chat

Configuration Setting Description Default Value
CHAT_WS_API_IP_HOST

Defines the list of IP addresses and subnet masks allowed to make requests to the Chat API. If this setting is enabled and left blank, all hosts are allowed.

To enable this hidden setting and define your allowed IP addresses and subnet masks, submit an incident to our support site.

Blank
Common/General/Security
SEC_VALID_CHAT_API_HOSTS

Defines which hosts and subnet masks of hosts are allowed to access the Chat SOAP interface from any chat-related request coming from a customer to the server.

Note: If this setting is left blank, the server accepts requests from all hosts.
Blank
CP_CONTACT_LOGIN_REQUIRED

When enabled, enforces secure logon to prevent unauthorized chat sessions.

No
Chat/General/Server
CHAT_CORS_WHITELIST

Defines the list of origins allowed to make cross-origin requests through the Chat server.

Note: If this setting is left blank, the server accepts requests from all origins.
Blank
Chat/General/Create Incident
INC_PRIVATE_TRANSCRIPT_ONLY

Allows chat transcripts to be added to incidents as private notes.

Note: If enabled, customers cannot see past chats.
No

Server protection

The Chat SOAP interface can be protected from potential threats by restricting access to valid chat servers.

The configuration setting SEC_VALID_CHAT_API_HOSTS defines the list of IP addresses and subnet masks specifying the legal chat servers that are allowed to access the Chat SOAP interface. If this setting is left blank, all hosts are allowed.

Additionally, users can be protected from cross-origin resource sharing (CORS) attacks by defining the origins allowed to make CORS requests in CHAT_CORS_WHITELIST. See Cross-origin resource sharing protection under Chat API.

Chat API

Oracle Service Cloud supports a Chat API that must be enabled by Oracle. When enabled, the API is protected by a configuration setting that specifies the IP addresses and subnet masks allowed to make requests to the Chat API. If this setting is enabled and left blank, all hosts are allowed.

Note: Access to the Chat API is defined by the hidden configuration setting CHAT_WS_API_IP_HOST. To enable this setting and specify the IP addresses and subnet masks you want to allow, submit an incident to our support site.
  • User protection— By enabling INC_PRIVATE_TRANSCRIPT_ONLY, you can change the privacy of the information in a Chat exchange. Instead of being added to an incident as public information, it is added as a private note, which restricts access to the data. If there is a chance that staff members will enter sensitive information during a chat session, this setting should be enabled.

    It is also possible to configure Chat to allow off-the-record chats in which the exchanged data is not recorded and can be seen only in real time by the agent. See Configure chat off the record.

  • Cross-origin resource sharing protection— Cross-origin resource sharing (CORS) lets client-side code make requests from one origin to another origin. This functionality can be abused by an attacker to retrieve information from your site or to perform actions as a valid user. You can protect your site from potential threats by restricting access to valid requests. The CHAT_CORS_WHITELIST configuration setting defines the list of hosts or IP addresses allowed to make cross-origin domain requests. If this setting is left blank, all origins are allowed.
    Tip: Keep in mind that restricting cross-origin resource sharing does not prevent cross-site request forgery (CSRF). For information about CSRF protection, see Cross-site request forgery and Social Experience security.

    For more information about testing for CORS vulnerabilities, search “Test cross origin resource sharing” on the OWASP website.
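
The three allow-list settings described above (CHAT_WS_API_IP_HOST, SEC_VALID_CHAT_API_HOSTS and CHAT_CORS_WHITELIST) share one rule: a blank value allows everything. The following is an added example, not Oracle code, that models that rule so the effect of a blank or too-loose value can be checked before it is configured. The comma-separated list format, the host-name comparison for origins and all function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Allow-list settings named on this page; each one is open when blank.
ALLOW_LISTS = ("CHAT_WS_API_IP_HOST", "SEC_VALID_CHAT_API_HOSTS",
               "CHAT_CORS_WHITELIST")


def parse_host_list(value):
    """Parse "addr" or "addr/mask" entries (comma-separated, assumed format)."""
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            # Accepts 198.51.100.7, 192.0.2.0/24 and 192.0.2.0/255.255.255.0.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def host_allowed(setting_value, client_ip):
    """Apply the documented rule: a blank list allows every host."""
    networks = parse_host_list(setting_value)
    if not networks:
        return True  # blank setting: all hosts are allowed
    address = ipaddress.ip_address(client_ip)
    return any(address in network for network in networks)


def _hostname(entry):
    """Reduce "https://host:port" or "host" to a lower-case host name."""
    entry = entry.strip()
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    return parts.hostname or ""


def origin_allowed(whitelist_value, origin):
    """Exact host match against the list; a blank list allows every origin."""
    allowed = {_hostname(e) for e in whitelist_value.split(",") if e.strip()}
    if not allowed:
        return True  # blank setting: all origins are accepted
    # Exact comparison: a prefix or substring test would also accept
    # look-alike hosts such as support.example.com.evil.test.
    return _hostname(origin) in allowed


def fail_open_settings(cfg):
    """Names of allow-list settings that are present in cfg but left blank."""
    return [name for name in ALLOW_LISTS
            if name in cfg and not cfg[name].strip()]


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    cfg = {
        "SEC_VALID_CHAT_API_HOSTS": "192.0.2.0/255.255.255.0, 198.51.100.7",
        "CHAT_CORS_WHITELIST": "",
    }
    print(host_allowed(cfg["SEC_VALID_CHAT_API_HOSTS"], "198.51.100.8"))
    print(origin_allowed(cfg["CHAT_CORS_WHITELIST"], "https://unknown.example"))
    print(fail_open_settings(cfg))
```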

External queues

External chat queues allow sites outside of Oracle Service Cloud that use the Chat API to access Oracle Service Cloud chat data.

Since external queues may be subject to more risk, we recommend allowing only those external queues that are operationally necessary. To prevent potential misuse, you must add the chat queues that you deem acceptable from the Chat Session Queue editor on the Customizable Menus page. Then, you must designate those queues for use with third-party-initiated chat requests as external. Chat requests pre-routed to the external queues you define will be routed to agent desktops by an external routing system. The chat server and the external routing system exchange data through the third-party queue API. See Add or edit a chat session queue.

Social Experience security

Oracle RightNow Social Experience (Social Experience) is your organization’s gateway to the social cloud and includes the following features.

  • Channels

  • Social Monitor

  • Self Service for Facebook

Channels

When providing service through social media, it is essential to maintain the security and confidentiality of your organization’s social account logins. For this reason, Oracle Service Cloud lets you define channel accounts, which are shared credentials that allow designated agents to perform service functions through your social media accounts by securely storing the account logins and passing authentication parameters on behalf of your agents.

If you are currently providing service through social media channels directly through the web, we strongly recommend considering the security benefits of managing those efforts within Oracle Service Cloud instead. See Understanding social channels.

When monitoring certain channel types, Oracle Service Cloud can store your customers’ social media user names in their contact records. By tracking this identifying information, Oracle Service Cloud can associate incoming social monitor incidents with contacts based on their social media accounts. However, unlike channel accounts, channel types do not store passwords—they are used only to track the social identities of your customers across different services. See Storing social media user names.

You may also want to consider SSL encryption options for social media services so that traffic between Oracle Service Cloud and the social media site is encrypted. See Email Security.

Note: Social Experience includes several APIs so you can access major social features from custom code. APIs offer tremendous flexibility, but it is important to recognize that accessing any part of Oracle Service Cloud through an API moves a significant part of the security responsibility to the external code.

Social Monitor

There are opportunities to access external data and code from within Social Experience, such as Oracle RightNow Social Monitor Cloud Service (Social Monitor).

Consequently, these features may not have the same level of security as Oracle Service Cloud and the exchange of data may not be secure. Configuring your site in a high-security environment requires special care when implementing social features.

Self Service for Facebook authentication

Oracle RightNow Self Service for Facebook Cloud Service (Self Service for Facebook) lets you embed a set of Oracle Service Cloud service and community features directly on your organization’s Facebook page.

After you create a Facebook page, you must enable Facebook on the Configuration Settings editor (FACEBOOK_ENABLED).

When the Self Service for Facebook application is installed on your Facebook page, it provides two values—your application ID and your secret key. You must assign these values to their respective configuration settings (FACEBOOK_APPLICATION_ID and FACEBOOK_APPLICATION_SECRET) in order to authenticate the link between Facebook and Oracle Service Cloud. To ensure the integrity and security of your connection, you should keep these values confidential.

In addition, incidents can be created from your Facebook page. This functionality is enabled by default (FACEBOOK_INCIDENTS_ENABLED) so your customers can submit questions without leaving Facebook. If you do not want incidents to be created from your Facebook page, then you must disable this setting. See Open login credentials for social accounts.

To learn more about Self Service for Facebook, see Self Service for Facebook: Overview.

Twitter security

When you add Twitter channel accounts, designated agents can respond to Twitter messages publicly or privately from the agent desktop.

Due to Twitter’s unique functional design, we recommend that you encourage your customers to communicate privately when resolving support issues through the Twitter channel. Because your organization’s tweets can be read, reposted, and replied to by any other Twitter user, using public tweets to resolve sensitive service issues can be risky. For this reason, it is vital that your agents follow the best practices for using Twitter’s private messaging feature. See Responding to Twitter posts.

If you prefer that all Twitter searches be done securely over an SSL channel, contact your Oracle account manager.

Open login credentials for social accounts

Oracle Service Cloud supports two open login standards, OAuth and OpenID. Both allow easy integration of sites that support either one of those open login standards from the customer portal.

For details on the customer portal open login as it relates to Facebook and Twitter, as well as other customer portal login methods, see Logging in to the Customer Portal.

When your Facebook page or your Twitter account is created, they provide two values—your application ID and your secret key. To allow single sign-on, the following values must be assigned to their respective configuration settings in Oracle Service Cloud.

  • FACEBOOK_OAUTH_APP_ID and FACEBOOK_OAUTH_APP_SECRET

  • TWITTER_OAUTH_APP_ID and TWITTER_OAUTH_APP_SECRET

The following table describes Social Experience configuration settings.

Table Settings for Social Experience

Configuration Setting Description Default Value
RightNow Common/3rd-Party Applications/Facebook
FACEBOOK_APPLICATION_ID

Specifies the Facebook application ID used to host Facebook for Oracle Service Cloud.

Blank
FACEBOOK_APPLICATION_SECRET

Specifies the Facebook application secret key used to host Facebook for Oracle Service Cloud. This setting is also used to authenticate staff members and customers who use Self Service for Facebook.

Blank
FACEBOOK_INCIDENTS_ENABLED

Lets customers and staff members create private incidents from your Facebook page.

Yes
RightNow User Interface/Open Login/OAuth Apps

FACEBOOK_OAUTH_APP_ID

Specifies the Facebook application ID used to request the customer’s or staff member’s credentials for open login with Self Service for Facebook.

Blank

FACEBOOK_OAUTH_APP_SECRET

Specifies the Facebook secret key used to request the user’s credentials for open login with Self Service for Facebook.

Blank

TWITTER_OAUTH_APP_ID

Specifies the Twitter application ID used to request the customer’s or staff member’s credentials for open login with the Oracle Service Cloud channel, Twitter.

Blank

TWITTER_OAUTH_APP_SECRET

Specifies the Twitter secret key used to request the customer’s or staff member’s credentials for open login with the Oracle Service Cloud channel, Twitter.

Blank

Security level

The following table describes configuration settings that you should consider using or setting to achieve your designated level of security—high, medium, or low. To make the settings easy to find, the list is ordered alphabetically with each setting’s respective path on the Configuration Settings editor.

Table Recommended Security-Related Settings

Path/Configuration Setting For high-security environment For medium-security environment For low-security environment

CHAT_WS_API_IP_HOST

Set to allowed IP addresses and subnet masks.

Note: To enable this hidden setting and define your allowed IP addresses and subnet masks, submit an incident to our support site.
Chat/General/Server

CHAT_CORS_WHITELIST

Set to allowed origins.

Set to allowed origins.

Blank (default)

RightNow User Interface/General/Security

CLIENT_SESSION_EXP

This setting is also used in the desktop usage administration feature.

15 (default)

16 to 45

0

RightNow User Interface/Customer Portal/Login

CP_CONTACT_LOGIN_REQUIRED

Yes

Yes

No (default)

CP_COOKIES_ENABLED

Yes (default) for all security environments.

CP_FORCE_PASSWORDS_OVER_HTTPS

Yes (default)

Yes

Yes

CP_LOGIN_COOKIE_EXP

5 to 30

31 to 60 (default = 60)

-1

RightNow User Interface/General/Security

CP_LOGIN_MAX_TIME

As needed for all security environments (default = 0).

RightNow User Interface/Customer Portal/Login

CP_MAX_LOGINS

If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME.

As needed for all security environments (default = 0).

CP_MAX_LOGINS_PER_CONTACT

If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME.

0 (default)

0

0

Common/General/Security

CP_REDIRECT_HOSTS

As needed for all security environments (default = blank).

RightNow User Interface/General/End-User

EU_CUST_PASSWD_ENABLED

Yes (default)

Yes (default)

No

RightNow Common/Service Modules/Oracle Email

EGW_PASSWD_CREATE

Yes (default)

Yes (default)

No

EGW_SECURE_UPDATE_ENABLED

Yes (default)

Yes (default)

No

RightNow Common/3rd-Party Applications/Facebook

FACEBOOK_INCIDENTS_ENABLED

No (default = Yes)

As needed.

As needed.

RightNow User Interface/Open Login/Oauth Apps

FACEBOOK_OAUTH_APP_ID

Facebook application ID for all security environments (if Facebook is enabled).

FACEBOOK_OAUTH_APP_SECRET

Facebook secret key for all security environments (if Facebook is enabled).

RightNow User Interface/General/File Attach

FATTACH_MAX_SIZE

Tip: Consider the types of attachments that will be uploaded to your site, and then set this value to allow the minimum disk space that you need. As far as security goes, the more disk space you can fill, the better.

As small as practical for your needs. Applies to all security environments (default and maximum allowable limit = 20 MB).

Note: File upload fails if the upload takes more than 5 minutes.

FATTACH_OPEN_ENABLED

No (default)

No

As needed.

Chat/General/Create Incident

INC_PRIVATE_TRANSCRIPT_ONLY

Yes

Yes

No (default)

LOGIN_SECURITY_MSG

As needed for all security environments (default = blank).

RightNow User Interface/Contact Services/Security

MYSEC_AUTO_CUST_CREATE

No (default = Yes)

No

As needed.

Common/General/Security

SEC_BROWSER_USER_AGENT

Set to allowed user agent strings.

Blank (default)

Blank (default)

SEC_EU_EMAIL_LINK_EXPIRE

8 (default)

12

24

SEC_INVALID_ENDUSER_HOSTS

Set to allowed IP addresses.

Blank (default)

Blank (default)

SEC_INVALID_USER_AGENT

Set to user agent strings that are not allowed.

Blank (default)

Blank (default)

SEC_SPIDER_USER_AGENT

Set to list of known web spider user agent strings.

Blank (default)

Blank (default)

SEC_VALID_ADMIN_HOSTS

Set to allowed IP addresses.

Set to allowed IP addresses.

Blank (default)

SEC_VALID_CHAT_API_HOSTS

Set to allowed hosts and subnet masks for all security environments (default = blank).

SEC_VALID_ENDUSER_HOSTS

Set to allowed IP addresses.

Set to allowed IP addresses.

Blank (default)

SEC_VALID_INTEG_HOSTS

Set to allowed IP addresses.

Blank (default)

Blank (default)

SESSION_HARD_TIMEOUT

12 (default)

12-24

As needed.

RightNow User Interface/General/Security

SUBMIT_TOKEN_EXP

30 to 60 (default = 30)

30 to 300

30 to 1000

RightNow User Interface/Open Login/Oauth Apps/

TWITTER_OAUTH_APP_ID

Twitter application ID for all security environments (if Twitter is enabled).

TWITTER_OAUTH_APP_SECRET

Twitter secret key for all security environments (if Twitter is enabled).

Outreach and Feedback/General/Campaigns

WEBFORM_ID_BY_COOKIE_DEFAULT

As needed for all security environments (default = No).

WEBFORM_ID_BY_LOGIN_DEFAULT

As needed for all security environments (default = No).

WEBFORM_ID_BY_LOGIN_REQUIRED_DEFAULT

As needed for all security environments (default = No).

WEBFORM_ID_BY_URL_PARAM_DEFAULT

As needed.

As needed.

No (default)

WEBFORM_SET_COOKIE_DEFAULT

As needed.

As needed.

No (default)

RightNow User Interface/Customer Portal/Syndicated Widgets

WIDGET_INSTALLATION_HOSTS

As needed.

As needed.

Blank (default)

Security significance

The following table describes recommended security-related settings by significance. They are grouped by high, medium, and low in security significance.

Table Recommended Security-Related Settings By Significance

Significance Configuration Setting Recommended Setting
High

CHAT_WS_API_IP_HOST

Set to allowed IP addresses and subnet masks.

Note: To enable this hidden setting and define your allowed IP addresses and subnet masks, submit an incident to our support site.

CLIENT_SESSION_EXP

15

This setting is also used in the desktop usage administration feature.

CP_FORCE_PASSWORDS_OVER_HTTPS

Yes

CP_LOGIN_COOKIE_EXP

As needed.

CP_REDIRECT_HOSTS

Set to allowed hosts or leave default setting (blank) to prevent all redirects outside of the interface domain, including external sites.

EU_CUST_PASSWD_ENABLED

Yes

SEC_VALID_ADMIN_HOSTS

Set to allowed IP addresses.

SEC_VALID_CHAT_API_HOSTS

Set to allowed hosts and subnet masks.

SESSION_HARD_TIMEOUT

12

Medium

CHAT_CORS_WHITELIST

Set to allowed origins.

CP_CONTACT_LOGIN_REQUIRED

As needed.

CP_LOGIN_MAX_TIME

As needed.

EGW_PASSWD_CREATE

Yes

EGW_SECURE_UPDATE_ENABLED

Yes

FACEBOOK_INCIDENTS_ENABLED

Yes

FATTACH_OPEN_ENABLED

Yes

INC_PRIVATE_TRANSCRIPT_ONLY

Yes

SEC_EU_EMAIL_LINK_EXPIRE

8

SUBMIT_TOKEN_EXP

30

WEBFORM_ID_BY_COOKIE_DEFAULT

As needed.

WEBFORM_ID_BY_LOGIN_DEFAULT

As needed.

WEBFORM_ID_BY_LOGIN_REQUIRED_DEFAULT

As needed.

WEBFORM_ID_BY_URL_PARAM_DEFAULT

As needed.

WEBFORM_SET_COOKIE_DEFAULT

As needed.

WIDGET_INSTALLATION_HOSTS

Set to allowed domain names.

Low

CP_COOKIES_ENABLED

As needed.

CP_MAX_LOGINS

As needed.

CP_MAX_LOGINS_PER_CONTACT

As needed.

Note:  If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME.

FACEBOOK_OAUTH_APP_ID

As needed.

FACEBOOK_OAUTH_APP_SECRET

As needed.

FATTACH_MAX_SIZE

As small as practical for your needs.

Note: Regardless of the file attachment limits you define, file upload will fail if the upload takes more than 5 minutes.

LOGIN_SECURITY_MSG

As needed.

MYSEC_AUTO_CUST_CREATE

As needed.

SEC_BROWSER_USER_AGENT

As needed.

SEC_INVALID_ENDUSER_HOSTS

As needed.

SEC_INVALID_USER_AGENT

As needed.

SEC_SPIDER_USER_AGENT

As needed.

SEC_VALID_ENDUSER_HOSTS

As needed.

SEC_VALID_INTEG_HOSTS

As needed.

TWITTER_OAUTH_APP_ID

As needed.

TWITTER_OAUTH_APP_SECRET

As needed.