Tips for keeping your MIDAS system secureOur web based room booking and resource scheduling software provides a number of security features and settings, and there's plenty users, administrators and system/network administrators alike can do to make your MIDAS booking system more secure!
For system/network administrators:
Install MIDAS on your internal intranet to prevent access from the outside worldIf MIDAS is only to be used internally by your own staff when they are in work, and there's no requirement for your booking information to be accessed by others remotely/off site/at home, then consider installing MIDAS on your own internal local Intranet/corporate LAN, rather than on a publicly accessible external web server.
If we currently "cloud host" your MIDAS, you can migrate to a "self hosted" edition at any time. For more information, please click here
Ensure file/folder permissions prevent unauthorized accessEnsure that all the files/folders within your MIDAS installation have correctly set permissions.All .pl files should have CHMOD 0775 permissions. All .dat files should have CHMOD 0600 permissions. All other files should have CHMOD 0644 permissions.
It's important to ensure that .dat files have CHMOD 600 permissions to prevent read access to the outside world.
Ensure the server only accepts https connectionsIf your server only allows insecure http connections, consider installing an SSL certificate and migrating to https. If your server allows either http or https connections, consider disabling http connections & redirecting http to https. Using https connections throughout strengthens communication between end user's browsers and your MIDAS server, hardening against "Man In The Middle" (MITM) style attacks.
Additionally, be aware that newer versions of Chrome & Firefox etc now warn users if they're entering credentials on an insecure http site. Your users will see such warnings if they're accessing your MIDAS system over insecure http instead of secure https.
For MIDAS administrators:Settings to control system security can be found via MIDAS Admin Options → Manage MIDAS → Security
Enable Two-Factor AuthenticationMIDAS v4.10 and later includes optional two-factor authentication to provide an additional layer of security to your scheduling system. With Two-Factor Authentication enabled, when a user logs in with their email address and password, a security code is automatically sent to their email address. This code must then be entered in order to complete the login process.
Increase minimum password lengthGenerally speaking, the longer a password is, the more secure it is. Use the "Minimum Password Length" setting to specify the minimum length that all passwords in the system should be. We'd suggest a minimum of at least 8 characters.
Don't offer to save credentialsThe "Offer to save credentials?" setting controls whether the "Remember Me?" option is available on your MIDAS login screen. It has three options:
Yes - off by default
Yes - on by default
Setting this to "No" will remove the "Remember Me?" option from the login screen. This is the most secure option
Decrease idle session timeout lengthBy default, if a user becomes "idle" (they don't interact with the system) once logged into MIDAS for more than an hour, they will automatically be logged out. The "Inactivity forces logout after" setting can be used to control the length that an idle user can remain logged in. Lowering this value will mean that idle users will be logged out quicker, therefore improving security if they've left their computer/workstation unattended for example.
Prevent multiple simultaneous logins from the same accountIf your MIDAS is licensed for more than a single user account, then the "Allow Multiple Logins By Users?" setting controls whether user accounts can be logged into concurrently from multiple devices. For enhanced security, consider disabling this option. That way, each time a user logs in, all other instances currently logged in to MIDAS from the same account will be automatically logged off.
Decrease the number of failed login attempts before an account is lockedThe system can automatically suspend individual accounts if a high number of consecutive failed login attempts are detected. This could occur if someone is trying to "brute force" or "guess" a particular account's password. Decreasing the "Max Invalid Login Attempts" setting will mean that user accounts will be locked quicker if consecutive failed login attempts are detected.
Once an account becomes "locked" in this way, the system will automatically send an email to the address associated with the affected account, containing a unlock link for the user to restore their own account access.
Additionally, administrators can lock/unlock accounts at any time via MIDAS Admin Options → Manage Users & Permission → [select user] → Account is suspended?
Force SSL connectionsIf your web server allows connections over both http (unsecured) and https (secured), the "SSL Access" setting within MIDAS can be used to redirect all http requests to their https equivalents.
With "SSL Access" set to "Enabled" (which is the default setting), users would be able to connect via either http or https (assuming https is available on your server). If set to "Disabled", any attempts to connect via https will be redirected to http.
However, If SSL is available on your server, you should consider setting "SSL Access" for "Forced" to ensure that all connections via http will be automatically redirected to https for greater security.
Generate secure passwords for new usersWhen adding accounts to your MIDAS system (via MIDAS Admin Options → Manage Users & Permissions → Add New User) be sure to enter a strong password for the new account. You can use the "Generate" button adjacent to the password field to generate a random password (containing a mixture of numbers, upper/lower case letters, and symbols), or you can manually enter a desired password for the user.
The most secure passwords are those which are randomly generated, long, and contain a mixture of upper & lower case letters, numbers, and symbols in a jumbled order.
Grant users only the minimum permissions they requireAn extensive range of user permissions are available within the software.Ensuring that users are only granted the minimum permissions they actually require can help with security. For example, does every user really need access to the "Manage Users & Permissions" screen?
Monitor user activityMIDAS includes a "Recent Activity" audit log, which records all recent visible user's actions within your MIDAS system. Each action is time-stamped with the user who performed the action and their IP address. This log can be useful for monitoring and detecting any unusual, unauthorized or suspicious activity taking place within your system.
Keep your MIDAS up-to-dateEnsuring that you're running the most recent version of MIDAS will mean that you're not missing out on any important security updates to help keep your MIDAS system safe.
Software updates are available to all customers with ongoing Annual Support Subscriptions.
Self-hosted customers with an ongoing Annual Support Subscription can check for and quickly install updates via MIDAS Admin Options → Manage MIDAS → Update. Settings are also available to automatically check for updates on a regular basis.
Our cloud-hosted customers don't need to do anything - you'll always be running the very latest version of MIDAS, as we install all updates for you!
For MIDAS end-users:
Avoid using the same password for multiple websites/servicesIt's good practice to use a unique password for every web site/app/service requiring one. The reason being that if you use the same password across all your sites/apps/services and one of these is compromised, then all other sites/apps/services where you've used the same password can then potentially be accessed with your compromised credentials. With that in mind, Two-Factor Authentication in MIDAS will offer no additional security benefits if you use the same password for MIDAS as you use to login to your own email account.
Make your passwords at least 12 characters longGenerally speaking, the longer your password, the harder it is for computers to "crack"
Include a mixture of numbers, upper & lowercase letters, and symbols in your passwordIf your passwords contain purely numbers or purely letters it can easily be cracked. The more "complex" a password is, the harder it is to "guess" or for computers to "crack". The most secure passwords contain a mixture of numbers, letters (both upper AND lower case), and symbols.
Avoid common passwords such as "123456", "password", "[email protected]", and "qwerty"Make your passwords hard to guess by avoiding common passwords such as; common number patterns, single words, substituting letters for numbers/symbols, passwords based upon a standard keyboard layout, names and dates of birth - mix it up a bit! (MIDAS - from v4.13 onwards - now prevents you from using any of the 1,000 most common passwords that are in use today!)
If using a shared computer, don't let MIDAS/your browser save your login credentialsIf the computer you use to access your bookings in MIDAS is also used by others, make sure you untick the "Remember Me?" box on the login screen.
When logging in, if your browser itself offers you the choice to save credentials, make sure you select "Never for this site".
Also make sure that if you leave your computer unattended for any reason that you log out of MIDAS/lock your workstation.
← Return to Knowledgebase