MIDAS Knowledge Base

Tips for keeping your MIDAS system secure

Our web-based room booking and resource scheduling software provides a number of security features and settings. Plus, there's plenty that users, administrators and system/network administrators alike can do to make your MIDAS booking system more secure!


For system/network administrators:

Install MIDAS on your internal intranet to prevent access from the outside world

If MIDAS is only to be used internally by your own staff when they are in work, and there's no requirement for your booking information to be accessed by others remotely/off site/at home, then consider installing MIDAS on your own internal local Intranet/corporate LAN, rather than on a publicly accessible external web server.

If we currently "cloud host" your MIDAS, you can migrate to a "self hosted" edition at any time.

Ensure file/folder permissions prevent unauthorized access

Ensure that all the files/folders within your MIDAS installation have correctly set permissions.

All .pl files should have CHMOD 0775 permissions.

All .dat files should have CHMOD 0600 permissions.

All other files should have CHMOD 0644 permissions.

It's important to ensure that .dat files have CHMOD 0600 permissions to prevent read access from the outside world.
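
The modes listed above can be checked across a whole installation with a short script. This is an added example, not part of MIDAS or of the original article; the function name midas_perm_audit and the path in the usage comment are assumptions.

```sh
#!/bin/sh
# Audit a MIDAS installation directory against the modes given in this article:
#   *.pl  -> 0775
#   *.dat -> 0600
#   all other files -> 0644
# Usage (path is a placeholder): sh midas_perm_audit.sh /path/to/midas

# midas_perm_audit DIR
# Prints one line per non-compliant file in the form "<expected mode> <path>".
# Returns 0 if every file complies, 1 if any file deviates, 2 on a bad argument.
midas_perm_audit() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # "-perm MODE" without a leading - or / is an exact match on the
        # permission bits, so "! -perm 600" catches both looser and tighter modes.
        find "$dir" -type f -name '*.pl'  ! -perm 775 -print | sed 's|^|0775 |'
        find "$dir" -type f -name '*.dat' ! -perm 600 -print | sed 's|^|0600 |'
        find "$dir" -type f ! -name '*.pl' ! -name '*.dat' ! -perm 644 -print |
            sed 's|^|0644 |'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    midas_perm_audit "$1"
fi
```

A non-zero exit status makes the script usable from a scheduled job that alerts when a .dat file has drifted away from 0600.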

Ensure the server only accepts https connections

If your server only allows insecure http connections, consider installing an SSL certificate and migrating to https. If your server allows a mix of http and https connections, consider disabling http connections and redirecting http to https. Enforcing https connections throughout strengthens communication between end users' browsers and your MIDAS server, hardening against "Man In The Middle" (MITM) style attacks.

Additionally, be aware that newer versions of browsers such as Chrome and Firefox now warn users if they're entering credentials on an insecure http site. Your users will see such warnings if they're accessing your MIDAS system over insecure http instead of secure https.


For MIDAS administrators:

Settings to control system security can be found via MIDAS Admin Options → Manage MIDAS → Security.

Enable Two-Factor Authentication

MIDAS v4.10 and later includes optional two-factor authentication to provide an additional layer of security to your scheduling system. With Two-Factor Authentication enabled, each time a user logs in, a security code is automatically sent to their email address. This code must then be entered in order to complete the login process.
For more information, please see: Two-Factor Authentication in MIDAS

Increase minimum password length

As a general rule, the longer a password is, the more secure it is. Use the "Minimum Password Length" setting to specify the minimum length that all passwords in the system should be. We'd suggest a minimum of at least 8 characters.
Note: This won't affect existing users' passwords - it will only be enforced the next time they change their password.

Don't offer to save credentials

The "Offer to save credentials?" setting controls whether the "Remember Me?" option is available on your MIDAS login screen. It has three options:
No
Yes - off by default
Yes - on by default

Setting this to "No" will remove the "Remember Me?" option from the login screen. This is the most secure option.

Note: Even with the "Remember Me?" option removed, some browsers may still offer to save your credentials themselves when logging in to MIDAS.

Decrease idle session timeout length

By default, if a user becomes "idle" (they don't interact with the system) once logged into MIDAS for more than an hour, they will automatically be logged out. The "Inactivity forces logout after" setting can be used to control the length of time that an idle user session remains logged in. Lowering this value will mean that idle users will be logged out sooner, therefore improving security if they've left their computer/workstation unattended.

Prevent multiple simultaneous logins from the same account

If your MIDAS is licensed for more than a single user account, then an "Allow Multiple Logins By Users?" setting becomes available. This setting controls whether user accounts can be logged into concurrently from multiple devices. For enhanced security, consider disabling this option. That way, each time a user logs in, all other instances currently logged in to MIDAS under the same user account will be automatically logged off.

Decrease the number of failed login attempts before an account is locked

The system can automatically suspend individual accounts if a high number of consecutive failed login attempts is detected. This could occur if someone is trying to "brute force" or "guess" a particular account's password. Decreasing the "Max Invalid Login Attempts" setting will mean that user accounts will be automatically locked sooner if consecutive failed login attempts are made.

Once an account becomes "locked" in this way, the system will automatically send an email to the address associated with the affected account. This email will contain an unlock link for the user to quickly restore their own account access.

Additionally, administrators can lock/unlock user accounts at any time. This option is found via MIDAS Admin Options → Manage Users & Permissions → [select user] → Account is suspended?

Tip: If an administrator manually suspends an account in this way, the user isn't emailed an "unlock" link - i.e. they cannot "unlock" their own account, and only an administrator can restore their access.

Force SSL connections

If your web server allows connections over both http (unsecured) and https (secured), the "SSL Access" setting within MIDAS can be used to redirect all http requests to their https equivalents.

With "SSL Access" set to "Enabled" (which is the default setting), users would be able to connect via either http or https (assuming https is available on your server). If set to "Disabled", any attempts to connect via https will be redirected to http.

However, if SSL is available on your server, you should consider setting "SSL Access" to "Forced". This ensures that any connections made via http will be automatically redirected to https for greater security.

Generate secure passwords for new users

When adding accounts to your MIDAS system (via MIDAS Admin Options → Manage Users & Permissions → Add New User) be sure to create a strong password for the new account. You can use the "Generate" button adjacent to the password field to generate a random password (containing a mixture of numbers, upper/lower case letters, and symbols). Alternatively, you can manually enter a desired password for the user.

The most secure passwords are those which are randomly generated, long, and contain a mixture of upper & lower case letters, numbers, and symbols in a jumbled order.

Grant users only the minimum permissions they require

An extensive range of user permissions is available within our software.

Consider granting only the minimum permissions needed for each user, as this can help improve security. For example, consider whether every user really needs access to the "Manage Users & Permissions" screen.

Monitor user activity

MIDAS includes a "Recent Activity" audit log. This records all recent visible user actions occurring within your MIDAS system. Each action is time-stamped with the user who performed the action and their IP address. This log can be useful for monitoring and detecting any unusual, unauthorized or suspicious activity taking place within your system.

Run a Security Audit

MIDAS includes a handy "Security Audit" tool, accessible via MIDAS Admin Options → Manage MIDAS → Security. This one-click tool will analyze a number of key metrics of your MIDAS system (including your database setup, MIDAS files, and recommended MIDAS settings) and provide a detailed report with appropriate advisories for improving the general security of your MIDAS system.

Keep your MIDAS up-to-date

Ensuring that you're running the most recent version of MIDAS will mean that you're not missing out on any important security patches and updates to help keep your MIDAS system safe.
Software updates are available to all customers with active subscriptions.
Self-hosted customers with an active Support Subscription can check for and quickly install updates via MIDAS Admin Options → Manage MIDAS → Update. Settings are also available to automatically check for updates on a regular basis.
Our cloud-hosted customers don't need to do anything - you'll always be running the very latest version of MIDAS, as we install all updates for you!

For MIDAS end-users:

Avoid password reuse

It's good practice to use a unique password for each website/app/service requiring one. The reason is that if you reuse the same password across all your sites/apps/services and one of these is compromised, all other sites/apps/services where you've used the same password can then potentially be accessed with the compromised credentials. With that in mind, Two-Factor Authentication in MIDAS would offer no additional security benefits if you reuse the same password to log in to both your own email account and MIDAS system.

Make your passwords at least 12 characters long

Generally speaking, the longer your password, the harder it is for computers to "crack".

Include a mixture of numbers, upper & lowercase letters, and symbols in your password

If your passwords contain purely numbers or purely letters, they can easily be cracked. The more "complex" a password is, the harder it is to "guess" or for computers to "crack". The most secure passwords contain a random mixture of numbers, letters (both upper AND lower case), and symbols.

Avoid common passwords such as "123456", "password", "p@ssw0rd", and "qwerty"

Make your passwords hard to guess by avoiding common passwords, such as common number patterns, single words, substituting letters for numbers/symbols, passwords based upon a standard keyboard layout, names and dates of birth - mix it up a bit! Incidentally, MIDAS - from v4.13 onwards - prevents you from using any of the 1,000 most common passwords that are in use today!

If using a shared computer, don't let MIDAS/your browser save your login credentials

If the computer you use to access your bookings in MIDAS is also used by others, make sure you untick the "Remember Me?" box on the login screen.

When logging in, if your browser itself offers you the choice to save credentials, make sure you select "Never for this site".

Also make sure that if you leave your computer unattended for any reason, you log out of MIDAS/lock your workstation.

