Self-Service Banner Security Tips

This Article contains information regarding various security related options that are available within the Self-Service Banner products. It is recommended that you review each of the items listed to help ensure that your institution has configured each of the options appropriately. More detailed information on the Web Tailor options discussed below can be found in the Web Tailor User Guide. More information on the Oracle Application Server configuration can be found in the Middle Tier Implementation Guide.

  1. Self-Service Banner Product Versions

It is recommended that clients install the current version of all Self-Service Banner products, especially Web Tailor. This helps ensure that you will be able to take advantage of all security fixes and enhancements delivered for the products.

  1. Web Tailor Administrators

You should review which users have been assigned the Web Tailor Administrator role. Users with this role have elevated system privileges which allow them to configure options for Self-Service Banner. The following SQL query can be used to identify users with the Web Tailor Administrator role:

SELECT spriden_id "ID",

f_format_name (spriden_pidm,'LF') "Name"

FROM spriden

WHERE spriden_pidm IN (

SELECT twgrrole_pidm

FROM twgrrole

WHERE twgrrole_role = 'WTAILORADMIN')

AND spriden_change_ind IS NULL

ORDER BY 2;

  1. Web Rules in Web Tailor

The Web Rules option available on the Web Tailor menu in Self-Service contains several options that are related to security:

A)“Web Timeout in minutes” and “Role Timeout Overrides”

These two settings allow you to configure how long a user can remain idle in Self-Service before they will be forced to login again. The Role Timeout Overrides section allows you to override the general setting with a role specific timeout. For example, you could define a value for the “Employee” role that is larger so that employees have more time before they will be logged out. Clients using the Luminis portal should consider using the same timeout value for both Self-Service and the portal.

B)“Maximum Number of Login Attempts”

Once a user has reached this number of failed login attempts, their account will be disabled. They will then need contact the appropriate group at your institution to have their account re-enabled using form GOATPAC or GOATPAD in INB. This setting should be low enough to discourage guessing by unauthorized users, but high enough to prevent extraneous calls for account resets.

C)“PIN Expiration in days”

When a user changes their PIN in Self-Service, this setting is used to calculate when the new PIN will expire and thus force the user to change their PIN again.

  1. Web Tailor Parameters in Web Tailor

A)Audit options

The AUDIT_SSB_LOGIN and AUDIT_SSB_PAGE settings allow clients to enable auditing both for when users login to the system and when they access given web pages. The specific options available for these two parameters are listed under the Comments section as follows:

Web Tailor administrators can access the audit records by using the “Display Audit for SSB Logins” and “Display Audit for SSB Page Access” options on the Web Tailor menu. The audit records are stored in tables TWGRALGN and TWGRACES respectively. If auditing is enabled you should monitor these tables for size as they could grow quite large depending on what you choose to audit and purge them accordingly.

B)Cookie related options

Self-Service Banner uses a SESSID cookie in the user’s web browser to track their session. The following parameters control various options for this cookie:

  • COOKIE_SESSID_EXPAND – This setting should be Y to create a cookie with more than 16 bytes.
  • COOKIE_SESSID_HTTPONLY – If using Oracle FMW 11.1.1 or higher, then this setting can be set to Y to add the HTTPONLY flag to the SESSID cookie. This makes the cookie only readable using the HTTP/HTTPS protocol; script languages such as JavaScript will be prevented from accessing the cookie. Please note, clients using the Cascade UI for Self-Service should leave this setting with a value of N due to known defect CR-000115288 which prevents Cascade from working when this option is enabled.
  • COOKIE_SESSID_SECURE – If using HTTPS protocol for Self-Service Banner, then this option can be set to Y to also pass the cookie with the “secure” attribute.

C)ONEVENT options

There are several ONEVENT_XXXX parameters defined where the XXXX is a four character package prefix. These settings are used to enable filtering which helps prevent cross site scripting attacks that make use of “onevent” triggers, for example “onmouseover”. The parameters should all be set to “REPORT ERRORS”.

  1. PIN Preferences and Question and Answer Preferences on form GUAPPRF in INB

Form GUAPPRF allows you to configure both the PIN preferences and Question and Answer preferences for users in Self-Service Banner. The PIN preferences control the length and format of Self-Service PINs. The Question and Answer preferences control if/how users can use the “Forgot PIN?” button to reset their own PIN. Please note, if you are using LDAP authentication or Single Sign-On (SSO) to Self-Service, then some of these settings may not apply to your environment.

A)PIN Preferences

  • Pin Reset Format can be Numeric or Alphanumeric - use alphanumeric for a more comprehensive solution
  • Pin Reset Value can be Birthdate or Random Value - use Random Value for a more comprehensive solution
  • The minimum length and maximum length can be any value between 6 and 20 - the longer the better
  • The Number and Character Required Indicators should be set to Yes to force pins to have both numeric and alphabetic characters
  • The Password Reuse indicates the number of days before a password can be re-used, the higher the better. Don't use 0 since that allows immediate re-use of a password.
  • Pre-Expire New Pin - set to Yes to force a pin to be reset by a user after it was changed / created by an administrator

B)Question and Answer Preferences

  • Number of Questions - this is the number of questions that a user must answer correctly before they are able to reset their forgotten PIN - the higher the better
  • Minimum Question Length - if you allow Editable Questions (not recommended), this is the minimum length for the question - the larger the better
  • Minimum Answer Length - the minimum number of characters required for an answer to a security question, the larger the better keeping in mind the types of answers that may be given to the questions asked
  • Allow Editable Question – it is recommended that this option be set to No to keep the security questions relevant using the questions defined by your institution. Otherwise a user may have a simple question such as 'Enter 111111 as the answer'
  • Disable Forgot Pin - if this is set to Yes, then the Question and Answer feature will be disabled and Self-Service users would have to contact someone to have their PIN reset. This should be set based upon your available resources
  1. PIN Questions on form GOAQSTN in INB

The GOAQSTN form allows you to specify security questions that are used during the “Forgot PIN?” process. The questions should be ones for which data cannot be found easily thru Internet searches. For example, the answer to “Where did you go to high school?” could be found from Linked In or Facebook. You can define as many questions as you want and the users will pick a set “Number of Questions” (from GUAPPRF settings)from your list which they need to provide answers. The more available questions the better so that the types of questions/answers are mixed within your user population.

  1. PIN Hash option on form GTVSDAX in INB

On form GTVSDAX, the record with internal code GENPIN and group PINHASH determines the encryption of Self-Service PINs in the PIN History Table (GORPAUD). It does not impact the users’ current PINs stored in table GOBTPAC as those are always encrypted. This option should be set to Yunless you have some internal procedures or third party vendors that require PINs to not be encrypted. If so, those processes should be looked at to enable a value of Y if at all possible.

  1. Web Tailor Session and Parameter Tables

Web Tailor uses session table TWGBWSES and parameter table TWGRWPRM to store user data while a user is accessing Self-Service Banner. The tables will correctly be updated or cleaned out when a user either logs in or exits Self-Service Banner. However, if a user simply closes their web browser without clicking Exit, then the data remains in the tables. As such, it’s a good practice to periodically clean out the tables manually. The two example SQL scripts below will remove session records more than a year old and parameter records more than a week old. Clients can adjust these time frames as they see fit for their needs. Please be aware that a user’s last access date for Self-Service Banner is stored in session table TWGBWSES and thus deleting the older records will cause that information to be lost and hence the one year recommendation. The scripts should be run during a maintenance window when users are not accessing Self-Service Banner.

deletetwgbwses

wheretwgbwses_last_accesssysdate - 365;

deletetwgrwprm

wheretwgrwprm_activity_datesysdate - 7;

  1. User-Friendly Error Messages in Oracle Application Server

The Middle Tier Implementation Guide explains how to optionally configure user-friendly error messages using package twbkserr.p_system_error. This is only recommended for non-production environments as the error message will contain the Oracle error code and message. In a production environment, users should only be shown a generic “404 page not found” error message with no Oracle error stack dump.

  1. Before Procedure in Oracle Application Server

As listed in the Middle Tier Guide, you should define the “Before Procedure” for the Self-Service Banner DAD to have a value of “twbklist.p_main”. This procedure does an initial check of all procedures being called by the DAD. Any procedures that are not defined or are not enabled in Web Tailor under the Web Menus and Procedures option will be prevented from executing. It also does an initial check for JavaScript or other strings in the URL that could be used as part of a cross site scripting attack against the system and prevents that as well.

  1. Apache Rewrite Rules in Oracle Application Server

Please reviewArticle "FAQ: 1-2PE6V7: Apache configuration changes for improved security" to identify changes than can be made to tighten web server security to help prevent script injection or cross site request forgery (CSRF) attacks.

  1. Banner Data Defense

Please contact your Ellucian client partner if you are interested in information regarding the Banner Data Defense product which can also be used as another security layer.