Compliance/Auditing
Posted: 07 Dec 06 12:18 PM
Anyone know what SalesLogix is doing to be more secure?
I was asked about the following, about SalesLogix:
1. Log People out automatically after a period of inactivity?
2. Disable accounts automatically after a specified number of days of inactivity?
3. Enforce password complexity standards - 8 char min, use of alpha, numeric, caps, etc?
4. Expire passwords after a given number of days?
As far as I know the answer to all those questions is No. Anyone know of solutions around this issue or if Sage is working on this?

Re: Compliance/Auditing
Posted: 08 Dec 06 2:29 AM
All your supported options (of which only 3 above is catered for) are in Admin - Tools | Passwords

Re: Compliance/Auditing
Posted: 08 Dec 06 7:11 AM
Mike,
I did find some of the password complexity there but the other 3 options are not supported. I talked with SalesLogix about this and their suggestions were as follows (with my interpretation):

1. Log People out automatically after a period of inactivity?
----------------------------------------------------------------------
This isn't currently possible nor does it look likely to be a feature added any time soon. It's been considered by Sage and found to use too many system resources. This is due to the fact that a polling process would have to run to track user activity within the system. Right now the only user activity tracking is done at the table level when a user makes a change to a record. If no changes are made, there is no record of user activity.

2. Disable accounts automatically after a specified number of days of inactivity?
----------------------------------------------------------------------
This could be done with customization. A new table would have to be created that tracked when a user last logged on. A custom script could then be added to kick a user off if the last used date was beyond a set time frame. The password could be reset and it may be possible to completely disable the user account.

3. Enforce password complexity standards - 8 char min, use of alpha, numeric, caps, etc?
----------------------------------------------------------------------
SalesLogix does have some password complexity standards. The following can be set:
• Minimum password length
• Passwords must contain numbers and letters (Special characters/high ASCII are not required and do not look to be options.)
• Force user to change default password
• Do not allow blank passwords
• Do not allow username as password
Additional complexity could be added with customization at the client level.

4. Expire passwords after a given number of days?
----------------------------------------------------------------------
This could be done with customization. This would likely be tied into #2. Store the date of last password set and check the date and force the user to change their password.

So out of the box SalesLogix has limited user account/password auditing but it could be added.

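A sketch of the customization described in items 2 and 4 of the post above, as an added example that is not part of the original post and is not SalesLogix code. The `user_audit` table, its columns, the thresholds and the function names are all hypothetical, and SQLite stands in for the SalesLogix database.

```python
import sqlite3
from datetime import date, timedelta

# Hypothetical names and thresholds; nothing here is a SalesLogix table or API.
MAX_IDLE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 60
IDLE = "disabled = 0 AND COALESCE(last_login, password_set) < ?"

def open_db():
    db = sqlite3.connect(":memory:")  # SQLite stands in for the real database
    db.execute("""CREATE TABLE user_audit (
        userid       TEXT PRIMARY KEY,
        last_login   TEXT,           -- ISO date; NULL = never logged in
        password_set TEXT NOT NULL,  -- ISO date of last password change
        disabled     INTEGER NOT NULL DEFAULT 0)""")
    return db

def disable_idle_accounts(db, today):
    """Item 2: disable accounts idle longer than MAX_IDLE_DAYS. Accounts that
    never logged in are aged from password_set, so they cannot stay enabled forever."""
    cutoff = (today - timedelta(days=MAX_IDLE_DAYS)).isoformat()
    ids = [r[0] for r in db.execute(
        "SELECT userid FROM user_audit WHERE " + IDLE + " ORDER BY userid", (cutoff,))]
    db.execute("UPDATE user_audit SET disabled = 1 WHERE " + IDLE, (cutoff,))
    return ids

def login(db, userid, today):
    """Login hook: deny disabled users, stamp the login, flag expired passwords (item 4)."""
    row = db.execute("SELECT password_set, disabled FROM user_audit WHERE userid = ?",
                     (userid,)).fetchone()
    if row is None or row[1]:
        return "denied"
    db.execute("UPDATE user_audit SET last_login = ? WHERE userid = ?",
               (today.isoformat(), userid))
    age = (today - date.fromisoformat(row[0])).days
    return "change_password" if age > MAX_PASSWORD_AGE_DAYS else "ok"

def demo():
    today = date(2006, 12, 8)  # all rows below are constructed sample data
    db = open_db()
    db.executemany(
        "INSERT INTO user_audit (userid, last_login, password_set) VALUES (?, ?, ?)",
        [("active", "2006-12-01", "2006-11-20"), ("stale_pw", "2006-12-05", "2006-08-01"),
         ("idle", "2006-07-01", "2006-06-15"), ("never_used", None, "2006-05-01")])
    disabled = disable_idle_accounts(db, today)
    users = ("active", "stale_pw", "idle", "never_used")
    return disabled, {u: login(db, u, today) for u in users}

if __name__ == "__main__":
    print(demo())
```

The `COALESCE` is the part that is easy to miss: comparing a NULL `last_login` against the cutoff never matches, so without it an account that was created and never used would never be disabled.
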
Re: Compliance/Auditing
Posted: 08 Dec 06 8:10 AM
Yep.. you've got it right... Also, remember that in order to use SalesLogix one must log in (to their PC) via their Windows Login to get to launch SalesLogix.
I'd make sure that the Windows layer met requirements before beating on application login(s).
just a thought..
-- rjl

Re: Compliance/Auditing
Posted: 08 Dec 06 8:18 AM
Oh yea, that's already in place. The company is going through a complete comprehensive audit of all its software tools to fix any weak links or at least be aware of where they are.
I doubt that SalesLogix is considered a serious problem in these areas but they needed to be defined and it'll be up to my boss and his bosses to determine if SalesLogix really needs to have that level of security implemented.
Still it's an interesting topic to discuss. My last company didn't bother with much security at all with SalesLogix. We used the Windows Authentication option so the SalesLogix password was pretty much irrelevant. Even then most of the SLX passwords were blank or the user's phone extension or something like that. Nothing too difficult.

Re: Compliance/Auditing
Posted: 08 Dec 06 8:36 AM
Have you thought about using NT Authentication instead of having users log in using the SLX login? The nice thing about this is authentication is done at the network level when the user logs in. So as long as you have the criteria in place at the network login you are covered. Other benefits are one less password to keep track of and when starting SLX it logs in automatically.
The only requirement when creating a new SLX user account is to set the password to something really obscure (using the guidelines you already outlined). As long as NT authentication is being used there is no need to know what the SLX password is. The only caveat to this is Intellisync. Kind of a pain in the side at times because it does use the SLX password and not NT authentication. If you are using Intellisync you will have to copy that obscure password down and then set up the Intellisync login.
If you don't use Intellisync.. well.. then no problem!
John G.

Re: Compliance/Auditing
Posted: 10 Dec 06 8:33 AM
Originally posted by John Gundrum
Have you thought about using NT Authentication ..... John G.

He IS already .. It's called "Windows Auth..."
-- rjl