
Tips for keeping your MIDAS system secure

For server and network administrators:
Install MIDAS on your internal intranet to prevent access from the outside world
If MIDAS is only to be used internally by your own staff while they are at work, and there is no requirement for your booking information to be accessed remotely (off site or from home), then consider installing MIDAS on your own internal intranet/corporate LAN rather than on a publicly accessible external web server. This keeps the system out of reach of opportunistic attacks from the internet, although the remaining tips on this page still apply to an internal installation. If we currently "cloud host" your MIDAS, you can migrate to a "self hosted" edition at any time.
Ensure file/folder permissions prevent unauthorized access
Ensure that all the files/folders within your MIDAS installation have correctly set permissions:
All .pl files should have CHMOD 0775 permissions.
All .dat files should have CHMOD 0600 permissions.
All other files should have CHMOD 0644 permissions.
It's particularly important that .dat files have CHMOD 0600 permissions: these files hold your data, and 0600 limits read access to the file's owner (the account the web server runs MIDAS as), preventing read access by other accounts on a shared server or by the outside world.
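As an added example (not part of MIDAS or of this article), the following POSIX shell script reports every file under an installation directory whose mode differs from the values listed above, and can apply the fix. It assumes GNU stat (-c) or BSD stat (-f) is available; the installation path is whatever you pass in.

```shell
#!/bin/sh
# Added example: audit the file modes of a MIDAS installation against the
# values above (.pl -> 775, .dat -> 600, everything else -> 644).
# Not part of MIDAS; assumes GNU stat (-c) or BSD/macOS stat (-f).

# wanted_mode PATH  -- the mode this page asks for, by file extension
wanted_mode() {
    case "$1" in
        *.pl)  printf '775' ;;
        *.dat) printf '600' ;;
        *)     printf '644' ;;
    esac
}

# current_mode PATH  -- prints the current mode as three octal digits
current_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# midas_perm_report DIR
# Prints "WANT HAVE PATH" for every regular file whose mode is wrong.
# The path comes last so filenames containing spaces survive `read`.
midas_perm_report() {
    find "$1" -type f | while IFS= read -r f; do
        want=$(wanted_mode "$f")
        have=$(current_mode "$f")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$want" "$have" "$f"
    done
}

# midas_perm_fix DIR  -- apply the wanted mode to every mismatch
midas_perm_fix() {
    midas_perm_report "$1" | while read -r want have f; do
        chmod "$want" "$f"
    done
}

# Stand-alone use:  MIDAS_DIR=/var/www/midas sh perm_audit.sh
if [ -n "${MIDAS_DIR:-}" ]; then
    midas_perm_report "$MIDAS_DIR"
fi
```

Run the report first and review the output before applying the fix; a .dat file that is reported as world-readable has been exposed to every other account on that server for as long as it was in that state.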
Ensure the server only accepts https connections
If your server only allows insecure http connections, consider installing a TLS/SSL certificate and migrating to https. If your server allows a mix of http and https connections, consider disabling plain http and redirecting http to https. Enforcing https throughout protects traffic between end users' browsers and your MIDAS server, hardening against "Man In The Middle" (MITM) attacks in which credentials or session cookies could otherwise be read or altered in transit. Additionally, be aware that current versions of Chrome, Firefox and other browsers warn users when they enter credentials on an insecure http page. Your users will see such warnings if they access your MIDAS system over http instead of https.
For MIDAS administrators:
Settings to control system security can be found via MIDAS Admin Options → Manage MIDAS → Security.
Enable Two-Factor Authentication
MIDAS v4.10 and later includes optional two-factor authentication to provide an additional layer of security to your scheduling system. MIDAS v4.38 and later additionally supports 2FA via external authenticator apps.
With Two-Factor Authentication enabled, each time a user signs in a security code is either sent to their email address or generated by a TOTP authenticator app on their device. This code must then be entered to complete the sign-in process, so a stolen or guessed password alone is not enough to access the account.
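To show what the authenticator app is actually doing, here is an added example (not MIDAS code, and nothing here describes MIDAS' own implementation) that computes an RFC 6238 TOTP code in POSIX shell on top of openssl. It assumes the defaults almost every app uses: HMAC-SHA1, 30-second time steps and 6-digit codes. KEY_HEX stands for the secret MIDAS shares with the app when 2FA is set up; the example uses the RFC's published test secret so the output can be checked against the RFC's tables.

```shell
#!/bin/sh
# Added example: RFC 6238 TOTP (the code an authenticator app displays),
# written in POSIX sh on top of openssl. Not MIDAS code; assumes the common
# defaults of HMAC-SHA1, 30-second time steps and 6-digit codes.

# hmac_sha1_hex KEY_HEX  -- reads the message on stdin, prints the MAC as hex
hmac_sha1_hex() {
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

# put_be64 N  -- writes N as 8 big-endian bytes (octal escapes keep it POSIX)
put_be64() {
    i=7
    while [ "$i" -ge 0 ]; do
        printf "\\$(printf '%03o' $(( ($1 >> (8 * i)) & 255 )))"
        i=$(( i - 1 ))
    done
}

# totp KEY_HEX UNIX_TIME [STEP_SECONDS] [DIGITS]
totp() {
    key_hex=$1; now=$2; step=${3:-30}; digits=${4:-6}
    counter=$(( now / step ))                       # T = floor(time / step)
    mac=$(put_be64 "$counter" | hmac_sha1_hex "$key_hex")

    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
    # byte selects a 4-byte window; clear its top bit; reduce mod 10^digits.
    offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))
    first=$(( offset * 2 + 1 ))
    word=$(printf '%s' "$mac" | cut -c"$first-$(( first + 7 ))")
    mod=1; n=$digits
    while [ "$n" -gt 0 ]; do mod=$(( mod * 10 )); n=$(( n - 1 )); done
    printf "%0${digits}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# Stand-alone use with the RFC 6238 reference secret "12345678901234567890"
# (hex 3132...3930): prints the code valid for the current 30-second window.
totp 3132333435363738393031323334353637383930 "$(date +%s)"
```

Two things worth noticing: the code depends only on the shared secret and the clock, so a device whose clock drifts by more than a step will be rejected, and anyone who obtains the secret (for instance from a screenshot of the setup QR code) can generate valid codes indefinitely.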
Increase minimum password length
As a general rule, the longer a password is, the more secure it is. Use the "Minimum Password Length" setting to specify the minimum length that all passwords in the system must be. We'd suggest a minimum of at least 8 characters, and ideally 12 or more (see the end-user guidance below).
Don't offer to save credentials
No
Yes - off by default
Yes - on by default
Setting this to "No" will remove the "Remember Me?" option from the login screen. This is the most secure option.
Disable the "Stay signed in" option
No
Yes - off by default
Yes - on by default
Setting this to "No" will disable, remove, and hide the "Stay signed in" option from the sign-in screen. This is the most secure option.
Decrease inactivity timeout duration
By default, if a signed-in user doesn't interact with the booking system for a period of time they will automatically be signed out. The "Inactivity leads to sign-out after" setting (called "Inactivity forces logout after" in earlier versions of MIDAS) can be used to control the length of time before a user's inactive session is automatically signed out. Lowering this value means that inactive sessions are signed out sooner, which improves security if a user has left their computer/workstation unattended. For enhanced security, consider also selecting the "Include users who opt to stay signed in" option (MIDAS v4.39+) so that inactivity limits also apply to users who have chosen to stay signed in.
Prevent multiple simultaneous logins from the same account
If your MIDAS is licensed for more than a single user account, then an "Allow multiple sign-ins for each user" setting becomes available. (In earlier versions of MIDAS, the setting was called "Allow Multiple Logins By Users?"). This setting controls whether user accounts can be signed into concurrently from multiple devices. For enhanced security, consider disabling this option. That way, each time a user signs in, all other instances currently signed into MIDAS under the same user account will be automatically signed out.
Decrease the number of failed login attempts before an account is locked
The system can automatically suspend individual accounts if a high number of consecutive failed login attempts are detected. This could occur if someone is trying to "brute force" or "guess" a particular account's password. Decreasing the "Maximum Invalid Login Attempts" setting means that user accounts are locked sooner when consecutive failed login attempts are made. Bear in mind that a very low limit also lets anyone who knows a username lock that account deliberately, so choose a value that tolerates genuine typos. Once an account becomes "locked" in this way, the system will automatically send an email to the address associated with the affected account. This email will contain an unlock link for the user to quickly restore their own account access.
Additionally, administrators can lock/unlock user accounts at any time. This option is found via MIDAS Admin Options → Manage Users & Permission → [select user] → Account is suspended?
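The lockout above is counted per account, so an attacker who tries one or two common passwords against many accounts from a single address ("password spraying") never trips it, because each account sees only one failure. As an added example, not MIDAS code, this shell/awk script picks out such sources from a sign-in log, and also lists accounts that have signed in from more than one address. The record layout is an assumption for the example: one pipe-separated line per event with timestamp, user, source IP and outcome. Map whatever export you have to that layout before running it.

```shell
#!/bin/sh
# Added example: spot password spraying and multi-address sign-ins in a
# sign-in log. Not MIDAS code. Assumed (constructed) record layout:
#   TIMESTAMP|USER|IP|OUTCOME      where OUTCOME is "ok" or "fail"

# sample_log  -- constructed events for the demo
sample_log() {
cat <<'EOF'
2024-05-01T08:02:11|alice|192.0.2.10|ok
2024-05-01T08:30:02|bob|192.0.2.11|ok
2024-05-01T09:00:01|alice|203.0.113.5|fail
2024-05-01T09:00:03|bob|203.0.113.5|fail
2024-05-01T09:00:05|carol|203.0.113.5|fail
2024-05-01T09:00:07|dave|203.0.113.5|fail
2024-05-01T09:00:09|erin|203.0.113.5|fail
2024-05-01T09:00:11|erin|203.0.113.5|ok
2024-05-01T12:41:19|alice|198.51.100.7|ok
2024-05-01T12:50:00|carol|192.0.2.12|fail
2024-05-01T12:50:30|carol|192.0.2.12|ok
EOF
}

# spray_sources [MIN_ACCOUNTS]
# Source IPs with failed sign-ins against at least MIN_ACCOUNTS (default 3)
# distinct accounts. Output: "IP count user1,user2,..."
spray_sources() {
    awk -F'|' -v min="${1:-3}" '
        $4 == "fail" && !(($3, $2) in seen) {
            seen[$3, $2] = 1
            n[$3]++
            users[$3] = (users[$3] == "") ? $2 : users[$3] "," $2
        }
        END {
            for (ip in n) if (n[ip] >= min) print ip, n[ip], users[ip]
        }'
}

# multi_ip_users
# Accounts successfully signed in from more than one source IP; worth a
# look alongside the "sign-ins from unfamiliar devices" alerts.
# Output: "user count ip1,ip2,..."
multi_ip_users() {
    awk -F'|' '
        $4 == "ok" && !(($2, $3) in seen) {
            seen[$2, $3] = 1
            n[$2]++
            ips[$2] = (ips[$2] == "") ? $3 : ips[$2] "," $3
        }
        END {
            for (u in n) if (n[u] > 1) print u, n[u], ips[u]
        }'
}

# Stand-alone use
sample_log | spray_sources
sample_log | multi_ip_users
```

In the constructed data, 203.0.113.5 fails once against five different accounts and then succeeds against "erin": no single account reached the lockout threshold, but the per-source view makes the pattern obvious. Geofencing and the unfamiliar-device alerts described further down complement this kind of review.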
Alert users upon sign-ins from unfamiliar devices
Whenever a user account is signed into from a new or unfamiliar device, an email notification can be sent to the account holder. This setting can be enabled via MIDAS Admin Options → Manage MIDAS → Security → Device Control.
Generate secure passwords for new users
When adding accounts to your MIDAS system (via MIDAS Admin Options → Manage Users & Permissions → Add New User) be sure to create a strong password for the new account. You can use the "Generate" button adjacent to the password field to generate a random password (containing a mixture of numbers, upper/lower case letters, and symbols). Alternatively, you can manually enter a desired password for the user. The most secure passwords are those which are randomly generated, long, and contain a mixture of upper & lower case letters, numbers, and symbols in a jumbled order.
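As an added example (not the code behind the "Generate" button, whose character set is only described above), here is a shell generator drawing from /dev/urandom together with a check that rejects short, single-class or well-known passwords. It covers the password rules given on this page for both administrators and end users. The five-entry blocklist is a constructed stand-in for the demo; MIDAS itself checks against the 1,000 most common passwords.

```shell
#!/bin/sh
# Added example: generate a random password and check it against the
# guidance on this page. Not MIDAS code; the blocklist below is a tiny
# constructed stand-in for a real "most common passwords" list.
LC_ALL=C; export LC_ALL   # keep [a-z] etc. meaning ASCII ranges

COMMON_PASSWORDS='123456
password
p@ssw0rd
qwerty
letmein'

# password_check PASSWORD [MIN_LENGTH]
# Prints the first rule violated and returns 1, or returns 0 if acceptable.
password_check() {
    pw=$1; min=${2:-12}
    lc=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qxF -- "$lc"; then
        echo "common password"; return 1
    fi
    if [ "${#pw}" -lt "$min" ]; then echo "too short (< $min)"; return 1; fi
    case "$pw" in *[a-z]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case "$pw" in *[A-Z]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "no symbol"; return 1 ;; esac
    return 0
}

# password_generate [LENGTH]
# Draws LENGTH characters from /dev/urandom and retries until the candidate
# passes password_check, so every class is guaranteed to be present.
password_generate() {
    len=${1:-16}
    while :; do
        cand=$(tr -dc 'A-Za-z0-9!#$%&*+,./:;=?@^_~' < /dev/urandom | head -c "$len")
        if password_check "$cand" "$len" >/dev/null; then
            printf '%s\n' "$cand"; return 0
        fi
    done
}

# Stand-alone use: print one 16-character password
password_generate 16
```

The retry loop matters: a generator that simply draws characters at random will occasionally produce a password with no digit or no symbol, which a policy like the one described above would then reject.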
Grant users only the minimum permissions they require
An extensive range of user permissions is available within our software. Consider granting only the minimum permissions needed for each user, as this limits what a compromised or misused account can do. For example, consider whether every user really needs access to the "Manage Users & Permissions" screen.
"Geofence" sign-ins to your MIDAS system
Our optional Geolocation Addon allows you to restrict sign-ins to users whose IP addresses fall within certain countries, or within a radius of a particular geographic location. So if your users are based entirely within the United States, you could automatically block all sign-in attempts from outside the US. Bear in mind that IP geolocation is approximate and can be sidestepped with a VPN or proxy, so treat geofencing as one extra layer rather than a substitute for strong passwords and 2FA.
Monitor user activity
MIDAS includes a "Recent Activity" audit log. This records recent actions performed by users within your MIDAS system; each entry is time-stamped and records the user who performed the action and their IP address. This log can be useful for monitoring and detecting any unusual, unauthorized or suspicious activity taking place within your system.
Remove Inactive Users
Consider removing user accounts that were last signed into a long time ago. Dormant accounts are an attractive target because nobody notices when they are misused, so removing them is generally considered good practice.
Run a Security Audit
MIDAS includes a handy "Security Audit" tool, accessible via MIDAS Admin Options → Manage MIDAS → Security. This one-click tool will analyze a number of key metrics of your MIDAS system (including your database setup, MIDAS files, and recommended MIDAS settings) and provide a detailed report with appropriate advisories for improving the general security of your MIDAS system.
Keep your MIDAS up-to-date
Ensuring that you're running the most recent version of MIDAS means you're not missing any important security patches and updates that help keep your MIDAS system safe. Software updates are available to all customers with active subscriptions.
Self-hosted customers with an active Support Subscription can check for and quickly install updates via MIDAS Admin Options → Manage MIDAS → Update. Settings are also available to automatically check for updates on a regular basis.
Our cloud-hosted customers don't need to do anything - you'll always be running the very latest version of MIDAS, as we install all updates for you!
For MIDAS end-users:
Avoid password reuse
It's good practice to use a unique password for each website/app/service requiring one. If you reuse the same password across your sites/apps/services and one of them is compromised, every other site/app/service where you've used that password can potentially be accessed with the leaked credentials. With that in mind, emailed Two-Factor Authentication codes in MIDAS offer no additional protection if you use the same password for both your email account and your MIDAS system: whoever has that password can read the code too. A code from an authenticator app is not undermined in the same way, but a unique password remains the first line of defence.
Make your passwords at least 12 characters long
Generally speaking, the longer your password, the harder it is for computers to "crack".
Include a mixture of numbers, upper & lowercase letters, and symbols in your password
If a password consists purely of numbers or purely of letters it can be cracked easily. The more "complex" a password is, the harder it is to "guess" or for computers to "crack". The most secure passwords contain a random mixture of numbers, letters (both upper AND lower case), and symbols.
Avoid common passwords such as "123456", "password", "p@ssw0rd", and "qwerty"
Make your passwords hard to guess by avoiding common patterns: number sequences, single dictionary words, letters swapped for look-alike numbers/symbols (such as "p@ssw0rd"), sequences that follow a standard keyboard layout, names, and dates of birth. Mix it up a bit! Incidentally, MIDAS (from v4.13 onwards) prevents you from using any of the 1,000 most common passwords in use today.
If using a shared computer, don't let MIDAS/your browser save your login credentials
If the device you use to access your bookings in MIDAS is also used by others, make sure you untick the "Stay signed in" box (MIDAS v4.39+) or the "Remember Me?" box (MIDAS v4.38 and earlier) on the sign-in screen. When signing in, if your browser itself offers you the choice to save credentials, make sure you select "Never for this site".
Also make sure that if you leave your computer unattended for any reason that you sign-out of MIDAS and lock your workstation.