Configuring the Application-Level Intrusion Detection System
There are four settings in the [PRONTO_SECURITY] section of the ProntoConfig.ini configuration file that control the AlphaTrust e-Sign™ IDS:
IPCheck: set to 1 to have all inbound requests checked to see if their IP address is listed on the dynamic block list, and deny access if it is. AlphaTrust e-Sign™ adds IP addresses, as reported via HTTP headers, to a dynamic block list if improper requests are logged. This helps prevent URL guessing attacks such as trolling for valid document retrieval URLs.
Be sure you are passing through the external user's IP address. If you are using a load balancer, proxy, or other web farm mechanism, then the proxy's address is usually what is passed to IIS. If the end user's address is not being passed to AlphaTrust e-Sign™ (you can check a signature audit trail report for a test transaction to see the recorded IP address), you must set a custom header at the proxy to pass the client's address so AlphaTrust e-Sign™ can pick it up. Configure your proxy or load balancer to add a custom HTTP header to requests passed to AlphaTrust e-Sign™. You may choose any name for the header, but IPAddress is recommended. Set this header name as the ProntoClientIPHeaderName value, which is located in the [PRONTO_MODE] section of ProntoConfig.ini.
IPBlockTime: number of minutes to block an IP address that submits bad requests.
IPBlockLimit: number of bad requests an IP can submit before being added to the dynamic block list.
IPBlockIfBadIP: set to 1 to block a request if no IP address is provided or a bad IP address (improper format) is submitted. Setting it to 0 allows these requests through, so they are never blocked. IPv4 and IPv6 addresses are supported.
UpdateAccountAuthData: set to 1 to have all AuthData values in the Account table (clear text account passwords) converted to hash values. The clear text AuthData field will then be cleared. This process runs approximately every 5 minutes, which permits manual updating of the AuthData cleartext data, after which the system automatically clears and hashes that data for later authentication use.
AuthBlockTime: number of minutes to block a participant who reaches the bad login limit (see below). Valid values are
AuthPINPasswordBadLoginLimit: the number of login attempts allowed for a participant requiring PIN/Password authentication before that participant is blocked. Valid values are
AuthThirdPartyKBABadLoginLimit: the number of login attempts allowed for a participant requiring third party Knowledge-Based Authentication before that participant is blocked. Valid values are
AuthRegisteredUserBadLoginLimit: the number of login attempts allowed for a registered user requiring access to a transaction or control panel login before that user is blocked. Valid values are
DisableAutoCompleteOnLoginFields: if set to 1, login fields on the signer login page will not support autocomplete, provided the browser supports disabling that feature.
Default values for the
IPCheck=1
IPBlockTime=15
IPBlockLimit=5
IPBlockIfBadIP=1
UpdateAccountAuthData=0
AuthBlockTime=30
AuthPINPasswordBadLoginLimit=5
AuthThirdPartyKBABadLoginLimit=5
AuthRegisteredUserBadLoginLimit=5
DisableAutoCompleteOnLoginFields=0
ValidDocumentSystemPaths=""
EnableMultifactorAuth=0
MultiFactorAuthExpireInDays=30
DisableHtmlDocumentType=0
JWTIssuer=Issuer
JWTAudience=Audience
JWTAccessExpiresInMinutes=5
JWTRefreshExpiresInMinutes=10080
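The following is an added illustration, not AlphaTrust e-Sign™ code, of how the IPCheck, IPBlockTime, IPBlockLimit, IPBlockIfBadIP and ProntoClientIPHeaderName settings described above combine to admit or deny a request. The DynamicBlockList class, its method names, the sample ProntoConfig.ini fragment and the treatment of IPCheck=0 as switching the check off entirely are all assumptions made for this example.

```python
import configparser
import ipaddress

# Constructed sample of the two ProntoConfig.ini sections this model reads.
SAMPLE_INI = """
[PRONTO_MODE]
ProntoClientIPHeaderName=IPAddress
[PRONTO_SECURITY]
IPCheck=1
IPBlockTime=15
IPBlockLimit=5
IPBlockIfBadIP=1
"""

class DynamicBlockList:
    # Hypothetical model of the IDS block list, not the product's own code.
    def __init__(self, ini_text):
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        sec = cfg["PRONTO_SECURITY"]
        self.header = cfg["PRONTO_MODE"]["ProntoClientIPHeaderName"]
        self.check = sec.getint("IPCheck") == 1
        self.block_minutes = sec.getint("IPBlockTime")
        self.limit = sec.getint("IPBlockLimit")
        self.block_if_bad = sec.getint("IPBlockIfBadIP") == 1
        self.bad_counts = {}     # ip -> improper requests logged so far
        self.blocked_until = {}  # ip -> minute at which the block expires
    def client_ip(self, headers):
        # Address from the configured header (IPv4 or IPv6); None if absent/malformed.
        try:
            return str(ipaddress.ip_address(headers.get(self.header, "").strip()))
        except ValueError:
            return None
    def allow(self, headers, improper, now):
        # True if the IDS lets the request through. 'improper' marks a request
        # that would be logged as bad (e.g. a guessed URL); 'now' is in minutes.
        if not self.check:          # IPCheck=0: assumed to switch the check off
            return True
        ip = self.client_ip(headers)
        if ip is None:              # IPBlockIfBadIP decides missing/invalid addresses
            return not self.block_if_bad
        if now < self.blocked_until.get(ip, 0):
            return False            # still inside the IPBlockTime window
        if improper:
            self.bad_counts[ip] = self.bad_counts.get(ip, 0) + 1
            if self.bad_counts[ip] >= self.limit:   # IPBlockLimit reached
                self.blocked_until[ip] = now + self.block_minutes
                self.bad_counts[ip] = 0
        return True
```

With the sample values, the fifth improper request from one address puts it on the block list for 15 minutes, and a request without a valid address in the IPAddress header is refused because IPBlockIfBadIP=1.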