
MIDAS Documentation v4.38

Manage Security Settings

The Security settings screen may be accessed via MIDAS Admin Options → Manage MIDAS → Security.

Password Settings

Minimum password length

All users will have to choose a password of at least this number of characters.

Force Password Change Every X Days

All users will be required to change their password every X days.

Password Reset links are valid for

When a user initiates a password reset request, by default the reset link contained within the subsequent password reset email sent to them is only valid for 2 hours. If the user fails to click the link in their email to reset their password within this time frame, the link expires and the user would need to generate a new password reset request again. This setting allows you to change how long these emailed password reset links remain valid for.

Disallow Known Breached Passwords

If enabled, users will not be able to change their password to one which appears in any known public data breach and is therefore considered compromised. This option uses the 3rd party Have I Been Pwned? service. For more information, please see this blog post.

Two Factor Authentication (2FA)

Two-Factor Authentication requires all users to enter an additional authorization code each time they sign in with their regular MIDAS credentials.

This helps prevent unauthorized access should a user's MIDAS credentials ever be exposed or compromised.

Info: Two-Factor Authentication is disabled when Single Sign-On (Active Directory integration) is in use.

Enable Two-Factor Authentication for all users?

Enabling this option turns on Two Factor Authentication for all user accounts, using one of the following methods:

Authenticator App

Whenever a user signs in to MIDAS, they will need to enter a code displayed on their authenticator app to allow them to complete their sign-in to MIDAS.

Email

Whenever a user signs in to MIDAS, they will be sent an authorization code to their registered email address. The user must then enter this code into MIDAS to complete their sign-in.

WARNING: This option relies on your MIDAS system being able to send email. Therefore, please ensure that you have configured the email settings and verified that you can successfully receive emails from your MIDAS system before enabling this option, otherwise you and your users will be unable to sign in.

Important: Two-Factor Authentication via email is only effective if users use a different password for MIDAS from the password they use to sign in to their email account.

Device Control

Alert users upon sign-ins from unfamiliar devices

When enabled, whenever a user account is signed into from a new or unfamiliar device, an email notification will be sent to the account holder. The content of this notification may be customized via a template.

Session Control

Allow multiple sign-ins for each user?

If selected, each user will be able to be signed in from multiple browsers/devices at the same time. If not selected, a user will only be able to be signed in from one browser/device at any one time. In such instances, signing in from another browser/device will automatically sign out the previous session.

Please Note: The ability for user accounts to be signed in from multiple browsers/devices simultaneously is not available on systems licensed for just a single user account.

Offer users option to stay signed in

If enabled, users will see a "Stay signed in" box on the sign-in screen. If a user then selects this "Stay signed in" box when they next sign in, they will not need to re-enter their credentials the next time they access MIDAS in the same browser.

Inactivity leads to sign-out after

Automatically signs out users if they have been idle for the defined period of time.

Include users who opt to stay signed in

When selected, the "Inactivity leads to sign-out after" setting also applies to users who selected the "Stay signed in" option when signing in. When not selected, users who opted to "Stay signed in" will not have their sessions expire when they are idle.

Always force sign-out after

Automatically signs out users after a pre-defined length of time from when they last signed in. This setting applies regardless of whether a user is active, and regardless of whether they opted to "Stay signed in".

Maximum invalid sign-in attempts

To prevent unauthorized access and "brute force" attacks, your MIDAS system can automatically "suspend" accounts if they receive a high volume of consecutive unsuccessful sign-in attempts. Once an account becomes "suspended", the user who owns that account is sent an email from your MIDAS system containing a link allowing them to restore access to their account. Additionally, an administrator user with sufficient privileges can "unlock" a suspended account at any time via the Manage Users & Permissions screen.

Allowed IP Range

(Cloud Hosted editions only)

For increased security, you can limit who can access your MIDAS sign-in page, based upon their Internet IP address, irrespective of whether they have a valid sign-in for MIDAS.

You can restrict access to a single IP address, or an IP range. This can be useful if MIDAS is hosted on a public web server, which potentially could be accessed by anyone worldwide. MIDAS' "Allowed IP Range" setting can be used to restrict access to users in your own country, organization, or to just you!

IP (IPv4) addresses are made up of a set of 4 numbers, each ranging from 0-255. These four numbers are each separated by a period (dot) character, and together form an IP address. For reference, MIDAS also displays your current IP address in the Security screen.

By default, the "Allowed IP Range" setting in MIDAS is set to *.*.*.*

"*" is a wildcard character, meaning that any value is acceptable in that position. The default of *.*.*.* therefore does not restrict IPs at all and allows access from any IP. You can change this to only allow access from a single IP by entering the target IP in this box. If you only want to allow access for yourself, simply enter your own IP here.

To restrict access to within your own organization / site, you could instead enter something along the lines of "192.168.*.*" - This would allow access to anyone with an IP starting "192.168", so "192.168.2.1" and "192.168.10.200" are examples of IPs that would be allowed.

Rather than use the "*" wildcard character, which will allow any value in the range 0-255, you can instead further limit a position to a range of values. For example, entering [127-255] would only allow IPs whose value in that position falls within 127 to 255 (inclusive). Example: 172.16.10.[127-255] - Allowed IPs fall in the range 172.16.10.127 - 172.16.10.255

Warning: Proceed with extreme caution when restricting access to MIDAS based on an IP address/range - if you're not careful, you could lock yourself out of MIDAS completely!

Warning: If you are restricting access to a single IP address, such as your own, ensure that you have a static IP that will not change, and not a "dynamic" IP, which may periodically change, resulting in you being locked out of MIDAS.
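Because a mistyped "Allowed IP Range" can lock an administrator out, it is worth checking a pattern against your current IP (shown on the Security screen) before saving it. The following is an added example, not MIDAS's own code: it implements the pattern syntax described above (exact octet, "*" wildcard, or inclusive "[low-high]" range per position) and reports whether a given address would still be admitted.

```python
import ipaddress
import re

# Assumption: an "Allowed IP Range" pattern has four dot-separated parts, each being
# an exact octet ("10"), the "*" wildcard, or an inclusive "[low-high]" range.
_RANGE = re.compile(r"^\[(\d{1,3})-(\d{1,3})\]$")


def parse_pattern(pattern):
    """Turn e.g. "172.16.10.[127-255]" into four (low, high) octet bounds.

    Raises ValueError for anything that does not follow the documented syntax,
    including reversed ranges such as [200-100] and values above 255.
    """
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError("pattern must have exactly four dot-separated parts")
    bounds = []
    for part in parts:
        if part == "*":
            low, high = 0, 255
        elif (m := _RANGE.match(part)):
            low, high = int(m.group(1)), int(m.group(2))
        elif part.isdigit():
            low = high = int(part)
        else:
            raise ValueError(f"invalid part {part!r}")
        if not (0 <= low <= high <= 255):
            raise ValueError(f"bounds out of order or outside 0-255: {part!r}")
        bounds.append((low, high))
    return bounds


def is_valid_pattern(pattern):
    """True if the pattern parses under the syntax above."""
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def ip_allowed(pattern, ip):
    """True if the IPv4 address matches the pattern; malformed addresses are rejected."""
    try:
        octets = ipaddress.IPv4Address(ip).packed  # four bytes, one per octet
    except ValueError:
        return False
    return all(low <= o <= high for (low, high), o in zip(parse_pattern(pattern), octets))


def check_before_saving(pattern, current_ip):
    """Lock-out guard: (ok, message) telling an admin whether the rule still admits them."""
    if ip_allowed(pattern, current_ip):
        return True, f"{current_ip} is allowed by {pattern}"
    return False, f"{current_ip} would be blocked by {pattern}; saving this would lock you out"
```
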

Privacy

If the "Honor user's privacy preferences" option is selected and the user is using a web browser which supports (and the user has enabled) either the "Global Privacy Control" or "Do-Not-Track" privacy setting in their browser, then MIDAS won't record the user's IP address in the Recent Activity log.

Security Audit

Performs an "on-demand" audit on your current security settings. When run, a number of key metrics of your MIDAS system will be analyzed (including your database setup, MIDAS files, and recommended MIDAS settings). A detailed report is then generated with helpful suggestions and advisories for improving the overall security of your MIDAS system.

MIDAS Knowledge Base: Tips for keeping your MIDAS secure