This article explains the High Security Mode feature in Enterprise Feedback Suite (EFS), which provides additional protective measures for enhanced web application security. It covers various aspects of this mode, including stricter password criteria, tightened brute force protection, and other security enhancements.

High Security Mode Features

High Security Mode in Enterprise Feedback Suite includes the following features:

  • Stricter security criteria for account names and passwords
  • Tightened brute force mechanism
  • HTML Escaping
  • Session limitations to a single IP or IP address range
  • Reduced session time
  • Prevention of URL manipulations (referer checking)
  • Deactivation of caching in sensitive areas
  • Enforcing HTTP-only cookies

Note that while these features enhance security, they may impose certain restrictions on usability. High Security Mode is not included in the standard version of EFS and must be activated by the support team.

Password Security

High Security Mode implements stricter criteria for passwords:

  • Account names are checked for correct use of upper and lower case
  • No character may appear more than once in a password
  • Passwords must be at least eight characters long

These criteria apply to the admin area, EFS Survey Status, EFS Translator Interface, and Org Processor logins.
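The password rules above, as an added checker written for this article (it is not EFS code and does not reproduce EFS's own validation). The minimum length is the page's eight characters; the function reports every rule a candidate password breaks so that a form can show all problems at once:

```python
from __future__ import annotations

# Added example, not EFS code: a checker for the High Security Mode
# password rules listed above.
MIN_PASSWORD_LENGTH = 8


def password_violations(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems: list[str] = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    # "No character may be used twice": count each character and report
    # every one that occurs more than once.
    counts: dict[str, int] = {}
    for ch in password:
        counts[ch] = counts.get(ch, 0) + 1
    repeated = sorted(ch for ch, n in counts.items() if n > 1)
    if repeated:
        problems.append("repeated characters: "
                        + ", ".join(repr(c) for c in repeated))
    return problems


if __name__ == "__main__":
    for candidate in ("abcdefgh", "password1", "aabb"):
        print(candidate, "->", password_violations(candidate) or "OK")
```

Note that the no-repeat rule rejects many otherwise strong passphrases ("correct horse battery staple" fails on several letters), which is one of the usability costs the text warns about.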

Additional Password Requests

When working with accounts in the EFS Users admin area or in the People module, an additional password prompt appears (the password must be entered again) for:

  • Creating new EFS admin users
  • Editing existing EFS admin users
  • Creating new panelists in the People module
  • Changing passwords of panelists in the People module

Brute Force Protection

High Security Mode enhances brute force protection:

  • Staff members who enter an incorrect password six times (for example, when confirming a password change) are logged out and their account is suspended for 30 minutes
  • The login interface no longer states why a login was refused: a suspended account, a wrong password and an unknown account name all produce the same response, so existing account names cannot be enumerated
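Both bullets together, as an added example (not EFS code): a password check that suspends an account after six failures for 30 minutes and returns the same message whether the account is unknown, the password is wrong or the account is suspended. The clock is injectable so the suspension window can be exercised without waiting; storing plain secrets and the exact message text are assumptions for the example:

```python
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass

# Added example, not EFS code: the lockout rule from the text applied to a
# password check, with one failure message for every failure cause.
MAX_FAILURES = 6
SUSPENSION_SECONDS = 30 * 60
FAILURE_MESSAGE = "Login failed. Check your account name and password."
# Compared against when the account does not exist, so an unknown name costs
# roughly the same time as a wrong password and does not stand out.
_DUMMY_SECRET = "x" * 32


@dataclass
class Account:
    name: str
    secret: str          # a real system stores a password hash, not the password
    failures: int = 0
    suspended_until: float = 0.0


class LoginGuard:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.name: a for a in accounts}
        self.clock = clock   # injectable so the 30-minute window can be tested

    def check(self, name: str, password: str) -> tuple[bool, str]:
        """Return (accepted, message). The message is identical for every
        kind of failure so the caller cannot learn which account names exist
        or which ones are currently suspended."""
        now = self.clock()
        acct = self.accounts.get(name)
        stored = acct.secret if acct else _DUMMY_SECRET
        matches = hmac.compare_digest(stored.encode(), password.encode())
        if acct is None:
            return False, FAILURE_MESSAGE
        if now < acct.suspended_until:
            return False, FAILURE_MESSAGE          # suspension is not announced
        if not matches:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.suspended_until = now + SUSPENSION_SECONDS
            return False, FAILURE_MESSAGE
        acct.failures = 0                          # success resets the counter
        return True, "OK"


if __name__ == "__main__":
    guard = LoginGuard([Account("alice", "correct horse battery staple")])
    for _ in range(6):
        print(guard.check("alice", "wrong"))
    print(guard.check("alice", "correct horse battery staple"))   # suspended now
```

The check deliberately does not short-circuit on an unknown account before the comparison has run; returning early would make the "no such account" case measurably faster and undo the point of the uniform message.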

Session Security

Session security is enhanced in the following ways:

  • Session time for staff members in the admin area is reduced to 15 minutes
  • Sessions are tied to the IP or IP address range from which the user logs in
  • Users are logged out if their IP or IP range changes during a session
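The three session rules above, as an added example (not EFS code): a session store that records the network the user logged in from, refuses and destroys the session when a request arrives from a different network, and expires sessions after 15 idle minutes. The prefix lengths are assumptions: a /32 pins the exact IPv4 address, a shorter prefix such as /24 implements the "IP address range" variant; the page does not say which range EFS uses:

```python
from __future__ import annotations

import ipaddress
import secrets
import time

# Added example, not EFS code: admin sessions bound to the client's network
# and expired after 15 minutes without a request.
SESSION_IDLE_SECONDS = 15 * 60


class SessionStore:
    def __init__(self, prefix_v4: int = 32, prefix_v6: int = 64, clock=time.time):
        # Assumed values: prefix_v4=32 ties the session to one IPv4 address;
        # prefix_v4=24 allows the whole /24 (the "IP address range" option).
        self.prefix_v4, self.prefix_v6 = prefix_v4, prefix_v6
        self.clock = clock
        self.sessions: dict[str, dict] = {}

    def _network(self, ip: str):
        """Network the address belongs to under the configured prefix."""
        addr = ipaddress.ip_address(ip)
        prefix = self.prefix_v4 if addr.version == 4 else self.prefix_v6
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def create(self, user: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "network": self._network(ip),
                              "last_seen": self.clock()}
        return sid

    def validate(self, sid: str, ip: str):
        """Return the user for a live session coming from the bound network;
        otherwise destroy the session and return None (the user is logged out)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        idle_too_long = now - sess["last_seen"] > SESSION_IDLE_SECONDS
        moved = self._network(ip) != sess["network"]
        if idle_too_long or moved:
            del self.sessions[sid]
            return None
        sess["last_seen"] = now                  # activity restarts the 15 minutes
        return sess["user"]


if __name__ == "__main__":
    store = SessionStore(prefix_v4=24)
    sid = store.create("alice", "203.0.113.10")
    print(store.validate(sid, "203.0.113.200"))   # same /24: alice
    print(store.validate(sid, "198.51.100.5"))    # other network: None, session gone
```

Binding to a range rather than an exact address is the usual compromise for users behind load-balanced proxies whose egress address changes; the tighter the prefix, the more often legitimate users are logged out.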

Other Security Measures

HTML Escaping

When High Security Mode is activated, HTML entered by users is not interpreted within the admin area; it is output escaped instead. For instance, an image inserted in an answer text with <img src="xxx"> is still rendered in the questionnaire, but in online statistics the tag itself is displayed as text and no image is loaded.

Preventing URL Manipulations (Referer Checking)

In High Security Mode, EFS checks that pages in the admin area are reached from within the admin area: a request whose Referer header does not point to the admin area is rejected, which blocks manipulated URLs and direct access from outside. A URL that is typed or edited by hand in the address bar is sent by the browser without a Referer, so such requests are refused. Because the Referer is supplied by the client, this check protects against accidental and casual manipulation and does not replace server-side authorisation of each request. Note that anonymity and security tools that strip the Referer make the admin area unusable in High Security Mode. From EFS 7.0, the referer check is not performed for users of Microsoft Internet Explorer because of the way that browser handles the HTTP Referer.

Smarty Security Mode

In EFS Survey, Smarty's security mode, which restricts what template code may execute (for example, PHP code embedded in templates), is always active. For panel installations it is always active from EFS 7.1 onwards; in earlier panel versions it is active only in High Security Mode.

Deactivation of Caching in Sensitive Areas

Sensitive functions such as password entry send response headers that prevent the browser from storing the page in its cache.

Enforcing HTTP-only Cookies

From EFS 8.1, session cookies in High Security Mode are set with the HttpOnly flag, so client-side script (for example, JavaScript reading document.cookie) cannot access them.
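The HTTP-level measures in this section (HTML escaping, the Referer check, no-cache headers on sensitive pages and the HttpOnly cookie) fit in one request handler. The following is an added example written for this article, not EFS code: the host name, the /admin/ path prefix, the cookie name and the set of sensitive paths are assumptions, and the Secure flag on the cookie is added as standard practice alongside the HttpOnly flag the page calls for:

```python
from __future__ import annotations

import html
from urllib.parse import urlsplit

# Added example, not EFS code. Paths, cookie name and host are assumed.
SENSITIVE_PATHS = {"/admin/password.php", "/admin/login.php"}


def referer_is_internal(headers: dict) -> bool:
    """Accept the request only if the Referer names this host's admin area.

    A hand-edited or bookmarked URL arrives without a Referer, and so does a
    request from a browser or proxy that strips it; both are rejected, which
    is the usability cost the text describes.  The Referer is sent by the
    client, so this stops casual manipulation, not an attacker who can set
    any header."""
    referer = headers.get("Referer")
    host = headers.get("Host", "")
    if not referer or not host:
        return False
    parts = urlsplit(referer)
    return (parts.scheme == "https"
            and parts.netloc.lower() == host.lower()
            and parts.path.startswith("/admin/"))


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the admin session: HttpOnly keeps it out of
    document.cookie; Secure keeps it off plain HTTP."""
    return f"efs_admin={session_id}; Path=/admin/; Secure; HttpOnly"


def no_store_headers() -> dict:
    """Response headers that keep a sensitive page out of the browser cache."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache",
            "Expires": "0"}


def render_for_admin(user_text: str) -> str:
    """Escape participant-supplied text before showing it in the admin area,
    so <img src="xxx"> appears as literal characters, not as an image."""
    return html.escape(user_text, quote=True)


def handle_admin_request(path: str, headers: dict, session_id: str,
                         user_text: str = "") -> tuple[int, dict, str]:
    """Minimal dispatcher returning (status, response headers, body)."""
    if not referer_is_internal(headers):
        return 403, {}, "Forbidden: request did not originate from the admin area"
    response = {"Content-Type": "text/html; charset=utf-8",
                "Set-Cookie": session_cookie(session_id)}
    if path in SENSITIVE_PATHS:
        response.update(no_store_headers())
    body = f"<p>{render_for_admin(user_text)}</p>"
    return 200, response, body


if __name__ == "__main__":
    internal = {"Host": "efs.example.com",
                "Referer": "https://efs.example.com/admin/index.php"}
    print(handle_admin_request("/admin/password.php", internal, "s1", '<img src="xxx">'))
    print(handle_admin_request("/admin/password.php", {"Host": "efs.example.com"}, "s1"))
```

Escaping happens at output time, in the admin view, rather than at input time; that is why the same answer text can still render as an image in the questionnaire while the statistics page shows the tag as text.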

FAQ

How is High Security Mode activated?

High Security Mode is activated by the EFS support team upon request. It is not included in the standard version of EFS.

Does High Security Mode affect usability?

Yes, High Security Mode may impose certain restrictions on usability, such as no access to the print version of the questionnaire and additional pop-up warnings in export and download processes.

Can I use anonymity tools with High Security Mode?

No. Anonymity and security tools that strip the Referer from browser requests fail the referer check, so they cannot be used with the EFS admin area while High Security Mode is active.
