Security Considerations to take into account when working with Inventory
- Secure the default Admin account
The admin account is created in the system automtically when installing
the tables. The username and password are known (admin/admin) and this is a security risk. We
recommend one (or more) of the following actions to be taken:
These measures are to prevent abuse of the default account.
- Change the password for this account right after first login using
User Management menu.
- Rename the account
- Create a different Admin account, and disable the default one. (The Admin account
cannot be deleted).
- Usage of the Session Timeout feature
The Session Timeout feature (see User Management) restricts each user's
session length. After the alloted time expires, the user is expelled from the system (forced logout)
and is requied to login to continue usage. This feature can be useful especially if your Inventory
users use the system from a random computer (when taking care of a problem in another dept. or at
a client's office), and you wish to make sure that they do not leave a browser open for unauthorized
persons to access the system using that user's permissions.
- Usage of the Configuration Editor
- The Configuration Editor can be enabled for usage through the web.
All Admin users will have access to this feature once enabled. Only expose this
functionality if you're sure you can allow all Admin users to view these settings.
- Additional Security through Web Server configuration
- You can enhance Inventory's installation by modifying the configuration of the web server
that is serving it:
- Consider if you need to expose Inventory to the Internet. If your access is only
internal (local Intranet), consider serving Inventory from a server that is accessible
only from the local network (and not the Internet); Alternately you can also restrict
the web server to server the Inventory URL to a pre-defined list of IP addresses.
- Restricting access to the Inventory URL by HTTP user/pass can add a layer of security.
Users will then be requested to provide login to access the URL where Inventory is installed
and an additional one when acessing Inventory itself.
- Securing communiations to Inventory by using HTTPS. An addional boost can be provided
by serving the Inventory URL under HTTPS instead of HTTP.