LuxSci Significantly Boosts Security and Reliability
LuxSci has implemented a number of enhancements which add to its already stringent security and high reliability of services. These features cover areas such as login security, password resets, SecureLine encryption, Widget backups, and more. The enhancements are listed below, by service.
Account Security Audit Report
LuxSci has introduced a new feature which will poll your account and generate a report for you indicating all areas where your account’s security has room for improvement. In moments, an administrator can identify a wide range of things such as:
- All users who have weak passwords
- How closely the account’s settings match the “Maximal Security” settings
- All email addresses that appear to be forwarding messages “off site”
- Use of custom third-party widgets
- If your SecureLine settings are globally secure
- If you have any insecure SecureForms or WebAides Feeds
We recommend the use of the Security Audit for any customer interested in their account’s security settings. It can be found in the “Security” section of the “Advanced Account Administration” area or under the “Reports” and is available to account administrators.
SecureLine Outbound Encryption Exemptions
(The features in this section have been greatly expanded. See the new posts: SecureLine Offers TLS-Only Enforced Outbound Email Encryption and Control Email Forwarding with TLS-Only Restriction.)
SecureLine outbound email encryption permits the sending of secure email messages to anyone on the Internet using either a web-based message pickup (SecureLine Escrow) or PGP or S/MIME encryption. When outbound encryption is locked down, all messages must be encrypted using one of these 3 methods. This provides great security. However, the management of PGP and S/MIME certificates can sometimes be annoying or problematic, especially when communicating frequently with organizations not hosted by LuxSci.
The new “Outbound Encryption Exemptions” feature allows you to specify a list of domain names that users can send email to using “normal” connections. I.e. it will not be encrypted with PGP or S/MIME or Escrow and will be sent over regular insecure email.
Why would this be useful and secure? Here are some examples:
- If you add your own domain name, then all messages between your users will be sent normally. This is as secure as they would be sent from LuxSci to LuxSci and that transmission is secured.
- If you add the domain names of anyone else hosted at LuxSci, you have the security of local delivery just like internal email.
- If you communicate with other organizations whose email servers support SMTP TLS encryption, then you can exempt their domain names, as LuxSci’s servers will always use TLS encryption in such cases and so the messages to these organizations will always be transmitted to them securely.
With exemptions, you can ensure that internal email and email with secured partners flows securely without the unnecessary burden of multiple levels of encryption. However, messages to “anyone else” will still be encrypted normally. See also:
- How Does Secure Socket Layer (SSL or TLS) Work?
- How to Tell Who Supports TLS for Email Transmission
- Enforcing Email Security with TLS when Communicating with Banks
SecureLine Outbound Exemptions can be configured in the “SecureLine” section of your “Advanced Account Administration” area
Account administrators can now choose to ensure that SecureForms created in their accounts are always configured in a secure manner. I.e. all data must be posted over SSL and all emailed form data must be encrypted via PGP or S/MIME.
To enforce secure SecureForms, enable the “Force Secure Forms” option in the “SecureForm” area of your Advanced Account Administration area.
WebAide Feed Security
Account administrators can now ensure that all published public WebAides feeds are secure. I.e. that these feeds can only be accessed over SSL and require a username and password for access. WebAide feeds are used to publish calendars, blogs, documents, links, and notes via URLs that can be accessed by external users or programs. This setting ensures that these feeds cannot be accessed by unauthorized users.
To enforce secure WebAide Feeds, enable the “Force Secure WebAide Feeds” option in the “Passwords & Login” area of your Advanced Account Administration area.
Forced Secure Logins
There is an option on the account-wide, domain-wide, and personal preference levels which can be enabled to “enforce secure logins” to LuxSci services. Previously, this setting only affected logins to the web interface, POP, IMAP, and SMTP. Now, it also affects FTP and MySQL:
- Affected users wishing to use FTP will be required to use “SFTP” (their account administrators may need to enable access to this first.
- Users in accounts with “Forced Secure Logins” enabled account-wide will need to use SSL over port 5001 to access their MySQL databases remotely. MySQL connections from your LuxSci web server are not affected and can remain “insecure” as they are local. We recommend using stunnel for establishing an SSL connection to port 5001 on your database server.
The “Maximal Security” feature, which is a button that can be pressed to lock down your account with all recommended security settings, has been enhanced as follows. When “Maximal Security” is enabled
- SecureForm security is now enforced
- WebAide Feed security is now enforced
- Automatic inbound email decryption is no longer prohibited.
- Secure Logins are required for FTP and remote MySQL access
These are in addition to the standard Maximal Security settings:
- Secure Logins are required for POP, IMAP, SMTP, WebMail
- Passwords must be strong (8+ characters containing letters and numbers which are hard to guess).
- Maximum web interface session idle timeout of 20 minutes
- Automatic generation of S/MIME certificates for SecureLine users
- Forced outbound email encryption for SecureLine users (with sending denial enforced if encryption is not possible).
Administrative Password Reset
Account administrators can now generate a password reset link that can be given/sent to users. The users can utilize this link to reset their passwords. In this way, administrators can authorize and facilitate a user password reset without ever needing to know the user’s new password. Administrators can also flag individual user accounts as needing to reset their passwords the next time that they login to the web interface.
Both of these options can be found in the “Change Password” user administration page.
The contents of NotePad and Custom widgets is now backed up automatically. This content is backed up just like LuxSci’s other standard backups — two daily on-site copies and four weekly off-site copies. If you lose the content of one of these Widgets, LuxSci Support can now easily restore its data from a previous backup snapshot.
The other types of widgets are not individually backed up as they do not store any data within themselves. I.e. a Calendar Widget is just a “window” on a Calendar WebAides, which itself is already backed up and able to be restored.
Custom Web Interface Login Links
Users can now create login links to the regular or Xpress web interfaces that will auto-log them into a specific page of these portals – no password required:
- Append “&Login=1&pass=PASSWORD&username=USERNAME” to the page address, substituting your PASSWORD and USERNAME.
- Use this link to gain quick access to any page.
- This only works for pages requested over SSL (i.e. https://)
As LuxSci does not log the query string information for these links, we will not be saving your password anywhere. Additionally, when using a secure web connection, your user name and password will also be encrypted when transmitted from your computer to our servers.
We do recommend that you only store this link on a trusted computer, because this link has your password embedded in it. You should not use auto-login links like this if there is any question as to the security of your workstation or network. It is provided as a convenience to users who require it.
Account Auditing Improvements
Many more actions taken by account administrators and support staff are permanently logged in the account audit trail (visible only to support). Some of these actions include
- Access to user passwords
- Resetting user passwords and generating password reset links
- Adding OpenIDs to an account
- Any changes to SecureLine settings on the user, domain, or account levels
- Changes to account password strength requirements
- Changes to the account web interface session timeout
- Deleting or renaming domains