MIDAS Knowledgebase

Tips for keeping your MIDAS system secure

MIDAS Security Tips

Our web-based room booking and resource scheduling software provides a number of security features and settings, and there's plenty that users, administrators and system/network administrators alike can do to make your MIDAS booking system more secure!

For system/network administrators:

Install MIDAS on your internal intranet to prevent access from the outside world

If MIDAS is only to be used internally by your own staff when they are in work, and there's no requirement for your booking information to be accessed by others remotely/off site/at home, then consider installing MIDAS on your own internal local Intranet/corporate LAN, rather than on a publicly accessible external web server.

If we currently "cloud host" your MIDAS, you can migrate to a "self hosted" edition at any time. For more information, please click here

Ensure file/folder permissions prevent unauthorized access

Ensure that all the files/folders within your MIDAS installation have correctly set permissions. All .pl files should have CHMOD 0775 permissions. All .dat files should have CHMOD 0600 permissions. All other files should have CHMOD 0644 permissions.

It's important to ensure that .dat files have CHMOD 0600 permissions, so that only the file's owner can read them and no other account on the server has read access.
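The permission scheme above can be applied and then verified with a short POSIX shell script. This is an added example, not a script shipped with MIDAS: it assumes the MIDAS installation directory is passed as the first argument, it sets file modes only (the article gives no mode for directories, so they are left untouched), and it builds a small constructed directory tree so the check can be seen catching a world-readable .dat file without touching a real installation.

```shell
#!/bin/sh
# Apply the article's scheme to every file below a MIDAS install directory:
#   *.pl -> 0775, *.dat -> 0600, everything else -> 0644.
harden_midas_perms() {
  dir="$1"
  find "$dir" -type f -name '*.pl'  -exec chmod 0775 {} +
  find "$dir" -type f -name '*.dat' -exec chmod 0600 {} +
  find "$dir" -type f ! -name '*.pl' ! -name '*.dat' -exec chmod 0644 {} +
}

# List files whose mode deviates from the scheme (-perm MODE is an exact match).
# Returns 0 when every file is correct, 1 (and prints the offenders) otherwise.
check_midas_perms() {
  dir="$1"
  bad=$(
    find "$dir" -type f -name '*.dat' ! -perm 0600
    find "$dir" -type f -name '*.pl'  ! -perm 0775
    find "$dir" -type f ! -name '*.pl' ! -name '*.dat' ! -perm 0644
  )
  if [ -n "$bad" ]; then
    printf 'Files with unexpected permissions:\n%s\n' "$bad"
    return 1
  fi
  return 0
}

# Constructed demo tree (not a real MIDAS layout) so the functions can be
# exercised offline. The .dat file is deliberately made world-readable so the
# check has something to report before hardening.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/data"
  printf '#!/usr/bin/perl\n' > "$d/midas.pl"
  printf 'user records\n'     > "$d/data/users.dat"
  printf '<html></html>\n'    > "$d/index.html"
  chmod 0666 "$d/data/users.dat"
  echo "$d"
}

# Demo run: report, harden, report again.
DEMO=$(make_demo_tree)
check_midas_perms "$DEMO" || echo "(expected: the demo tree starts out wrong)"
harden_midas_perms "$DEMO"
check_midas_perms "$DEMO" && echo "All file modes now match the scheme."
rm -rf "$DEMO"
```

On a real installation run `check_midas_perms /path/to/midas` first, read the list, and only then apply `harden_midas_perms`; re-run the check after every update, since an upgrade that extracts new files will recreate them with the server's default umask rather than the modes above.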

Ensure the server only accepts https connections

If your server only allows insecure http connections, consider installing an SSL certificate and migrating to https. If your server allows either http or https connections, consider disabling http connections and redirecting http to https. Using https connections throughout protects the traffic between end users' browsers and your MIDAS server, hardening against "Man In The Middle" (MITM) style attacks.

Additionally, be aware that current versions of Chrome, Firefox and other browsers warn users when they enter credentials on an insecure http site. Your users will see such warnings if they're accessing your MIDAS system over insecure http instead of secure https.


For MIDAS administrators:

Settings to control system security can be found via MIDAS Admin Options → Manage MIDAS → Security

Enable Two-Factor Authentication

MIDAS v4.10 and later includes optional two-factor authentication to provide an additional layer of security to your scheduling system. With Two-Factor Authentication enabled, when a user logs in with their email address and password, a security code is automatically sent to their email address. This code must then be entered in order to complete the login process.
For more information, please see: Two-Factor Authentication in MIDAS

Increase minimum password length

Generally speaking, the longer a password is, the more secure it is. Use the "Minimum Password Length" setting to specify the minimum length that all passwords in the system should be. We'd suggest a minimum of at least 8 characters.
Note: This won't affect existing users' passwords - it will only be enforced the next time they change their password.

Don't offer to save credentials

The "Offer to save credentials?" setting controls whether the "Remember Me?" option is available on your MIDAS login screen. It has three options:
No
Yes - off by default
Yes - on by default

Setting this to "No" will remove the "Remember Me?" option from the login screen. This is the most secure option.

Note: Even with the "Remember Me?" option removed, some browsers may still offer to save your credentials themselves when logging in to MIDAS.

Decrease idle session timeout length

By default, if a logged-in user becomes "idle" (they don't interact with the system) for more than an hour, they will automatically be logged out. The "Inactivity forces logout after" setting controls how long an idle user can remain logged in. Lowering this value means idle users are logged out sooner, which improves security if, for example, they've left their computer/workstation unattended.

Prevent multiple simultaneous logins from the same account

If your MIDAS is licensed for more than a single user account, then the "Allow Multiple Logins By Users?" setting controls whether user accounts can be logged into concurrently from multiple devices. For enhanced security, consider disabling this option. That way, each time a user logs in, all other instances currently logged in to MIDAS from the same account will be automatically logged off.

Decrease the number of failed login attempts before an account is locked

The system can automatically suspend individual accounts if a high number of consecutive failed login attempts are detected. This could occur if someone is trying to "brute force" or "guess" a particular account's password. Decreasing the "Max Invalid Login Attempts" setting will mean that user accounts are locked sooner when consecutive failed login attempts are detected.

Once an account becomes "locked" in this way, the system will automatically send an email to the address associated with the affected account, containing an unlock link for the user to restore their own account access.

Additionally, administrators can lock/unlock accounts at any time via MIDAS Admin Options → Manage Users & Permissions → [select user] → Account is suspended?

Tip: If an administrator manually suspends an account in this way, the user isn't emailed an "unlock" link - i.e. they cannot "unlock" their own account, and only an administrator can restore their access.

Force SSL connections

If your web server allows connections over both http (unsecured) and https (secured), the "SSL Access" setting within MIDAS can be used to redirect all http requests to their https equivalents.

With "SSL Access" set to "Enabled" (which is the default setting), users would be able to connect via either http or https (assuming https is available on your server). If set to "Disabled", any attempts to connect via https will be redirected to http.

However, if SSL is available on your server, you should consider setting "SSL Access" to "Forced" to ensure that all connections via http are automatically redirected to https for greater security.

Generate secure passwords for new users

When adding accounts to your MIDAS system (via MIDAS Admin Options → Manage Users & Permissions → Add New User) be sure to enter a strong password for the new account. You can use the "Generate" button adjacent to the password field to generate a random password (containing a mixture of numbers, upper/lower case letters, and symbols), or you can manually enter a desired password for the user.

The most secure passwords are those which are randomly generated, long, and contain a mixture of upper & lower case letters, numbers, and symbols in a jumbled order.

Grant users only the minimum permissions they require

An extensive range of user permissions is available within the software. Ensuring that users are only granted the minimum permissions they actually require can help with security. For example, does every user really need access to the "Manage Users & Permissions" screen?

Monitor user activity

MIDAS includes a "Recent Activity" audit log, which records the recent actions of all visible users within your MIDAS system. Each action is time-stamped and recorded together with the user who performed it and their IP address. This log can be useful for monitoring and detecting any unusual, unauthorized or suspicious activity taking place within your system.
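The "Max Invalid Login Attempts" lockout and the "Recent Activity" log both rest on the same idea: a run of consecutive failed logins against one account is a signal worth acting on. The script below is an added example, not MIDAS's own code, and applies that logic offline to a few constructed log lines. The pipe-separated layout (time|account|source IP|action), the action names and the addresses are assumptions made for the example and are not the actual format of the MIDAS audit log; when reviewing a real export, adjust the field separator and the two action strings to match what your log contains.

```shell
#!/bin/sh
# Constructed sample audit lines (time|account|source IP|action). Not real data.
SAMPLE_LOG='2024-03-01 09:00:01|alice|203.0.113.5|Login failed
2024-03-01 09:00:09|alice|203.0.113.5|Login failed
2024-03-01 09:00:15|alice|203.0.113.5|Login failed
2024-03-01 09:00:20|alice|198.51.100.7|Login failed
2024-03-01 09:00:26|alice|198.51.100.7|Login failed
2024-03-01 09:01:00|bob|192.0.2.10|Login failed
2024-03-01 09:01:30|bob|192.0.2.10|Login OK
2024-03-01 09:02:00|bob|192.0.2.10|Login failed
2024-03-01 09:02:10|bob|192.0.2.10|Login failed
2024-03-01 09:05:00|carol|192.0.2.11|Login OK
2024-03-01 09:06:00|carol|192.0.2.11|Booking added'

# flag_brute_force [THRESHOLD]  (reads log lines on stdin)
# Mirrors the lockout rule: count *consecutive* failures per account, reset the
# streak on a successful login, and report accounts whose longest streak reached
# the threshold, together with every source IP that took part.
# Output, one account per line: "<account> <longest streak> <ip> [<ip> ...]"
flag_brute_force() {
  threshold="${1:-5}"
  awk -F'|' -v t="$threshold" '
    # remember first-seen order so the report is stable
    !($2 in seen) { seen[$2] = 1; order[++n] = $2 }
    $4 == "Login failed" {
      streak[$2]++
      if (streak[$2] > peak[$2]) peak[$2] = streak[$2]
      # collect distinct source IPs per account
      if (index(" " ips[$2], " " $3 " ") == 0) ips[$2] = ips[$2] $3 " "
    }
    $4 == "Login OK" { streak[$2] = 0 }
    END {
      for (i = 1; i <= n; i++) {
        u = order[i]
        if (peak[u] >= t) {
          list = ips[u]; sub(/ $/, "", list)
          printf "%s %d %s\n", u, peak[u], list
        }
      }
    }'
}

# Demo run with a threshold of 3: only alice (5 consecutive failures from two
# addresses) is reported; bob's failures were interrupted by a successful login.
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
```

Run against a saved export with `flag_brute_force 5 < recent_activity.txt`. Two patterns are worth a second look even when the threshold is not reached: the same account failing from several different addresses in a short window (as alice does above), and a successful login immediately following a short run of failures from an address the user does not normally use.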

Keep your MIDAS up-to-date

Ensuring that you're running the most recent version of MIDAS will mean that you're not missing out on any important security updates to help keep your MIDAS system safe.
Software updates are available to all customers with ongoing Annual Support Subscriptions.
Self-hosted customers with an ongoing Annual Support Subscription can check for and quickly install updates via MIDAS Admin Options → Manage MIDAS → Update. Settings are also available to automatically check for updates on a regular basis.
Our cloud-hosted customers don't need to do anything - you'll always be running the very latest version of MIDAS, as we install all updates for you!

For MIDAS end-users:

Avoid using the same password for multiple websites/services

It's good practice to use a unique password for every web site/app/service requiring one. The reason being that if you use the same password across all your sites/apps/services and one of these is compromised, then all other sites/apps/services where you've used the same password can then potentially be accessed with your compromised credentials. With that in mind, Two-Factor Authentication in MIDAS will offer no additional security benefits if you use the same password for MIDAS as you use to login to your own email account.

Make your passwords at least 12 characters long

Generally speaking, the longer your password, the harder it is for computers to "crack".

Include a mixture of numbers, upper & lowercase letters, and symbols in your password

If your password contains only numbers or only letters, it can easily be cracked. The more "complex" a password is, the harder it is to "guess" or for computers to "crack". The most secure passwords contain a mixture of numbers, letters (both upper AND lower case), and symbols.

Avoid common passwords such as "123456", "password", "p@ssw0rd", and "qwerty"

Make your passwords hard to guess by avoiding common patterns such as common number sequences, single words, substituting letters for numbers/symbols, passwords based upon a standard keyboard layout, and names and dates of birth - mix it up a bit! (MIDAS, from v4.13 onwards, now prevents you from using any of the 1,000 most common passwords that are in use today!)
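The three end-user rules above (length, a mix of character classes, and no common passwords) can be expressed as a small policy check, which is useful when an administrator wants to vet passwords before handing out new accounts. The function below is an added example, not MIDAS's own validation code. The short denylist is constructed for the example and stands in for the 1,000-entry list the article mentions, and the 12-character default follows the guidance above; the minimum length can be overridden with a second argument to match the "Minimum Password Length" setting in use.

```shell
#!/bin/sh
# Constructed stand-in for a "most common passwords" list (the real list used
# by MIDAS v4.13+ is not reproduced here). Matched case-insensitively.
COMMON_PASSWORDS='123456
password
p@ssw0rd
qwerty
letmein
administrator
password1234'

# check_password_policy PASSWORD [MIN_LENGTH]
# Returns 0 when the password meets the guidance, 1 with a reason otherwise.
# Checks are ordered cheapest first; the common-password check runs before the
# character-class checks because a listed password is weak however it is spelled.
check_password_policy() {
  pw="$1"
  min="${2:-12}"
  if [ "${#pw}" -lt "$min" ]; then
    echo "rejected: shorter than $min characters"
    return 1
  fi
  if printf '%s\n' "$COMMON_PASSWORDS" | grep -Fxiq -- "$pw"; then
    echo "rejected: on the common-password list"
    return 1
  fi
  # LC_ALL=C keeps the bracket ranges strictly ASCII regardless of locale.
  for class in '[0-9]' '[a-z]' '[A-Z]' '[^A-Za-z0-9]'; do
    if ! printf '%s' "$pw" | LC_ALL=C grep -q -- "$class"; then
      echo "rejected: missing a character from class $class"
      return 1
    fi
  done
  echo "accepted"
  return 0
}

# Demo run over a few constructed candidates.
for candidate in 'short1A!' 'administrator' 'alllowercasepassword' 'Gallery-Wing#Booking-7'; do
  printf '%-24s ' "$candidate"
  check_password_policy "$candidate" || true
done
```

Passing candidates on the command line as in the demo leaves them in shell history; when checking a real password, read it with `read -r` or from a file with restricted permissions instead. Note also that a check like this can only enforce the rules the article spells out; it cannot tell whether a password is a name or a date of birth, which is why the article's advice to generate passwords randomly still stands.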

If using a shared computer, don't let MIDAS/your browser save your login credentials

If the computer you use to access your bookings in MIDAS is also used by others, make sure you untick the "Remember Me?" box on the login screen.

When logging in, if your browser itself offers you the choice to save credentials, make sure you select "Never for this site".

Also make sure that if you leave your computer unattended for any reason that you log out of MIDAS/lock your workstation.
