Email Security and Privacy Features

Features available:

  • SecureLine™ Email Encryption
  • Secure WebMail
  • Secure IMAP and POP
  • Secure, Authenticated SMTP
  • Anonymous SMTP
  • Secure Email Transmission with SMTP TLS
  • TLS v1.2 and v1.3 support with NIST-recommended ciphers
Two-Factor Authentication for WebMail

LuxSci's Web Interface supports optional two-factor authentication to further secure logins. The first factor is the user's username and password. The second is one of:

  • www.Duo.com
  • Google Authenticator
  • A token sent via text message/SMS
  • A token sent to an alternate email address

The Web Interface integrates with any Duo.com account you already have for advanced two-factor authentication. Duo's options include text message, phone call, hardware token, mobile device app, user management, logging, auditing, and more.

Custom Firewall Access Control Lists

Allow and/or deny access to WebMail, POP, IMAP, SMTP and SFTP based on a single IP address or an IP range. Rules can be applied per-user, per-domain and/or account-wide.

Optionally, allow access to POP, IMAP, SMTP and SFTP only after a successful prior login to the Web Interface.

Custom firewall rules can also apply to FTP and Secure FTP access.


Application-Specific Passwords
Create new username/password aliases that can be used to grant others access to your WebMail, email, settings, FTP/SFTP/SSH, API, etc. These aliases can be revoked at any time, do not expose your real password, can be restricted to specific services, and appear in your login audit trails (so you know who or what logged in to which service, when, and from where).
Access Auditing

We track all logins to your account via POP, IMAP, SMTP and WebMail. This includes the exact time and the IP address used, among other information. This auditing information is available to you, your account administrator and technical support at all times. You can easily check if unwanted people or programs are logged into your accounts. Additionally, you will be sent automated alerts when login attempts to your account fail.

Auditing of Email Sending

We track all messages sent from WebMail, your email servers (via SMTP) and your web sites. This allows you, your administrator and our support team to review what email messages are being sent and from where. It also allows LuxSci to proactively stop Spam attempts even if the Spam messages are unintentional or the result of web site insecurity. Note, records of message content are not available to your administrators or to our standard support teams, so this auditing does not tread on privacy concerns.

WebMail Access Restrictions by IP/Location and Day/Time

This option can restrict users' access to WebMail to a specified set of IP addresses or IP blocks (CIDR). It can also restrict the login availability of users to a selected set of countries and/or regions.

You can also restrict users' access by time of day and day of week.
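An evaluator for rules of the shape described above (the per-user, per-domain and account-wide IP/CIDR rules of "Custom Firewall Access Control Lists" and the IP, day and time restrictions of this section), written as an added example; it is not LuxSci's implementation and its precedence choices are assumptions: the most specific scope that has a matching rule wins (user, then domain, then account), the first matching rule within a scope wins, an explicit deny still applies when the optional "unlocked by a recent WebMail login" path is enabled, and no match falls back to a default. Country/region matching needs a GeoIP database and is left out. The policy in `example_policy()` is constructed for the test.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

ALL_SERVICES = frozenset({"webmail", "pop", "imap", "smtp", "sftp"})


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    network: str                                  # single IP or CIDR block, e.g. "203.0.113.0/24"
    services: frozenset = ALL_SERVICES
    days: frozenset = frozenset(range(7))         # 0 = Monday ... 6 = Sunday (datetime.weekday())
    start: time = time(0, 0)                      # rule applies only between start and end, inclusive
    end: time = time(23, 59, 59)

    def matches(self, addr, service, when) -> bool:
        return (addr in ipaddress.ip_network(self.network, strict=False)
                and service in self.services
                and when.weekday() in self.days
                and self.start <= when.time() <= self.end)


@dataclass
class Policy:
    account: list = field(default_factory=list)   # account-wide rules
    domains: dict = field(default_factory=dict)   # "example.com" -> [Rule]
    users: dict = field(default_factory=dict)     # "alice@example.com" -> [Rule]
    default: str = "deny"                         # outcome when no rule matches
    trust_webmail_login: bool = False             # let a recent WebMail login unlock the other services


def decide(policy, user, ip, service, when, recent_webmail_ips=frozenset()) -> str:
    """Return "allow" or "deny" for one connection attempt.
    `when` may be a datetime or an ISO-8601 string such as "2024-01-15T10:00"."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    addr = ipaddress.ip_address(ip)
    domain = user.rsplit("@", 1)[-1]
    # Most specific scope first; the first matching rule in that scope decides.
    for scope in (policy.users.get(user, ()), policy.domains.get(domain, ()), policy.account):
        for rule in scope:
            if rule.matches(addr, service, when):
                return rule.action
    # Optional path: a source address that recently logged in to WebMail may use the
    # other protocols. It is consulted only after the explicit rules, so a deny still wins.
    if policy.trust_webmail_login and service != "webmail" and str(addr) in recent_webmail_ips:
        return "allow"
    return policy.default


def example_policy() -> Policy:
    """Constructed policy: office block allowed everywhere, home block allowed for WebMail in
    business hours only, and one user blocked from a single (assumed compromised) host."""
    office = Rule("allow", "203.0.113.0/24")
    home_webmail = Rule("allow", "198.51.100.0/24", services=frozenset({"webmail"}),
                        days=frozenset(range(5)), start=time(8, 0), end=time(18, 0))
    stolen_laptop = Rule("deny", "203.0.113.7")
    return Policy(account=[office],
                  domains={"example.com": [home_webmail]},
                  users={"alice@example.com": [stolen_laptop]},
                  trust_webmail_login=True)
```

`ipaddress.ip_network(..., strict=False)` accepts a bare address as a /32 (or /128) and tolerates host bits set in a CIDR, which is what administrators usually type; a mismatch in IP version simply never matches.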

Customizable WebMail Session Timeouts

Account administrators and users can customize their WebMail session timeout. The default is 2 hours; the timeout can be set anywhere between 5 minutes and 8 hours. Account administrators can also cap user-chosen timeouts so that they are no longer than the account-wide default.

Customizable WebMail Login Failure Lockouts

Users are blocked from WebMail if they fail to successfully login (from their IP) 5 times within a 10 minute span. Administrators can customize this range (i.e. number of failures and the period of time) globally and on a per-domain basis.

This feature mitigates password guessing via the WebMail interface login screens.

Web Hosting Security Highlights

Web Hosting on Dedicated Servers
Secure Web Sites (TLS)

We provide secure web site hosting using Transport Layer Security (TLS) encryption. We can provide TLS certificates for you, or you can supply your own. We provide dedicated IP address(es) for your secure site(s).

TLS v1.2 and v1.3 support with NIST-recommended ciphers
Secure Web and PDF Form Processing (Secure Form)
SCP and SFTP

Upload and download files from your web site or file storage location using Secure Copy or Secure FTP. This protects your username and password and the contents of your data from cyber-intruders.

Secure Web-Based File Manager

The web-based file manager allows secure uploads, downloads and file management through LuxSci's secure web interface. This option is ideal if you need to make changes but do not have access to an SFTP program.

Application-Specific Passwords restrictable to only SFTP & SSH
Create new username aliases and passwords that can grant others (e.g. developers) access to your web/FTP space (only) without giving them access to your real password, your email, or anything else.
Web Site Password Protection

A simple user interface enables and manages password protection for entire web sites and/or individual directories. It can create and manage users or groups of users and determine who has read and write access (e.g. for WebDAV). This eliminates the need to edit .htaccess or .htpasswd files directly.

Secure Database Access (over VPN)
Secure Web-Based Database Manager

Custom web-based MySQL database management tools let you securely upload and execute SQL scripts, download dumps of your database, and run commands on demand.

Anti-Virus Scans

Daily anti-virus scans of your web server file spaces.

Denial-of-Service Protection

Protection against some forms of denial of service attacks is taken care of automatically by your server.

Intrusion Detection

Your web server can automatically detect and alert LuxSci support on many kinds of system intrusions.

Account Administration Security

Enforced use of TLS for user logins
Password Strength Settings

In addition to TLS protection of usernames and passwords in transit, administrators can set the required complexity of user passwords. The setting ranges from very weak to very strong (16+ alphanumeric characters that pass entropy-based password-guessing criteria and may not contain parts of the user's username).

You can also optionally enable "hacked password checking", where new passwords are checked against a large database of passwords that have been publicly exposed by breaches across the Internet.
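What a policy of this kind looks like as code, as an added example that is not LuxSci's implementation: a checker for the strong end of the range described above (minimum length, letters plus digits, an entropy estimate, no substring of the username's local part) together with the breach-corpus lookup. The thresholds, the entropy estimate (length times log2 of the character classes used) and the three-character minimum for username fragments are this example's assumptions. `BREACHED_SHA1` is a constructed stand-in with four entries; a real deployment would query a corpus of hundreds of millions of leaked passwords, typically by hash.

```python
import hashlib
import math
import re
import string

# Constructed stand-in for a breach corpus: SHA-1 digests of a few passwords that appear in public
# dumps. Storing only digests lets the lookup run without keeping the plaintexts themselves.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty123456789", "Summer2023!")
}


def estimate_entropy_bits(pw: str) -> float:
    """Rough upper bound: length * log2(size of the character classes actually used)."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    pool = sum(size for chars, size in classes if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def username_parts(username: str, min_len: int = 3) -> set:
    """Fragments of the login name's local part (before '@') long enough to be worth blocking."""
    local = username.split("@", 1)[0].lower()
    return {p for p in re.split(r"[^a-z0-9]+", local) if len(p) >= min_len}


def check_password(pw: str, username: str, min_length: int = 16, min_bits: int = 80,
                   check_breached: bool = True) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain both letters and digits")
    bits = estimate_entropy_bits(pw)
    if bits < min_bits:
        problems.append(f"estimated entropy {bits:.0f} bits is below {min_bits}")
    lowered = pw.lower()
    for part in sorted(username_parts(username)):
        if part in lowered:
            problems.append(f"contains part of the username: {part!r}")
    # Hash the candidate and look the digest up; the plaintext never leaves this function.
    if check_breached and hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a public breach corpus")
    return problems
```

Returning every violation at once, rather than the first one, lets the user interface explain all of the reasons a password was rejected in a single round trip.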

Password Reuse Policies

LuxSci tracks previously used passwords and the time period when they were in use. We keep "hashes" of these passwords for security reasons. However, we cannot determine what these passwords actually were!

Preventing password reuse helps protect an account from unauthorized access. When a user changes his/her password, the new password must be different from any password that he/she used in the past year. It must also differ from their four previous passwords.

Account administrators can customize the reuse requirement. At its weakest, a new password merely has to differ from the current one. At its strongest, a new password must differ from the user's last eight passwords and from any password in use during the previous two years. This can be configured account-wide and/or on a per-domain basis.
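How a reuse check can work when only hashes are kept, as an added example that is not LuxSci's code: each record stores a random salt, a PBKDF2-HMAC-SHA256 digest and the interval during which the password was in use, so a candidate can be compared against old passwords without anyone being able to read them. The "last N" rule is interpreted here as the current password plus the N before it, and the look-back rule as any password whose in-use interval ended inside the look-back period; both interpretations, the KDF and its work factor are this example's assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor; raise it, or use a memory-hard KDF, in production


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    started: int            # epoch seconds when this password went into use
    ended: Optional[int]    # epoch seconds when it was replaced; None means it is current


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Keeps salted digests of every password a user has had, never the passwords themselves."""

    def __init__(self, last_n: int = 4, lookback_days: int = 365):
        self.last_n = last_n
        self.lookback = lookback_days * 86400
        self.records = []

    def set_password(self, pw: str, now: int) -> None:
        if self.records:
            self.records[-1].ended = now          # close the interval of the password being replaced
        salt = os.urandom(16)
        self.records.append(PasswordRecord(salt, _digest(pw, salt), now, None))

    def violates_reuse(self, candidate: str, now: int) -> bool:
        """True if `candidate` matches the current password, one of the previous `last_n`
        passwords, or any password still in use within the look-back period."""
        cutoff = now - self.lookback
        first_recent = len(self.records) - (self.last_n + 1)
        for i, rec in enumerate(self.records):
            in_window = rec.ended is None or rec.ended >= cutoff
            if i >= first_recent or in_window:
                # Re-derive with the record's own salt; compare in constant time.
                if hmac.compare_digest(_digest(candidate, rec.salt), rec.digest):
                    return True
        return False
```

Only the records the policy actually covers are re-hashed, so the cost of a change-password request grows with the policy's strength, not with the length of the user's history; records that fall outside both rules can be pruned.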

Password Expiration Policies

Administrators can optionally force users to change their passwords after a set length of time so that passwords do not become "too old". When a user's password expires, all services except WebMail are disabled until the user logs in to WebMail and sets a new password. The expiration age can be set anywhere from seven days to one year. Administrators can also specify when expiration warnings are sent; two such warnings are sent to each affected user.

Passwords Never Saved in Plain Text
LuxSci does not save plain text versions of user passwords. Rather, they are always saved as a hash (for regular login passwords) or they are encrypted with PGP (for personal certificate Password Escrow, when this feature is enabled). Translation: even senior LuxSci staff does not have access to view user passwords.
WebMail Login Lockout due to Login Failures

Users will be prohibited (locked-out) from logging into WebMail for 10 minutes after five unsuccessful login attempts. This helps prevent password guessing attempts on our WebMail login page.

Administrators can further customize lock-out parameters. They can choose how many login failures result in a lock-out (from one to twenty) and they can choose how long the lock-out window lasts (from one minute to two hours). All of these configurations help limit password guessing, especially by automated systems. However, some accounts have specific requirements in this regard.

The password lock-out feature applies "per IP address", so users cannot be locked out by another user trying to guess his/her password at another location. It is also configurable on an account-wide or per-domain basis.
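The lock-out described here and under "Customizable WebMail Login Failure Lockouts", as an added example that is not LuxSci's code: a sliding-window counter keyed on (user, source IP), so failures from one address never lock the same user out at another, with the threshold, window and lock duration configurable globally and overridable per domain. The defaults mirror the figures on this page (5 failures in 10 minutes, 10-minute lock); the (user, IP) keying and the decision to refuse even a correct password during the lock are this example's assumptions.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Per-(user, source IP) failure counter with a sliding window and a temporary lock."""

    def __init__(self, max_failures=5, window=600, lockout=600, per_domain=None):
        self.defaults = (max_failures, window, lockout)     # seconds for window and lockout
        self.per_domain = per_domain or {}                  # "example.com" -> (max_failures, window, lockout)
        self.failures = defaultdict(deque)                  # (user, ip) -> timestamps of recent failures
        self.locked_until = {}                              # (user, ip) -> time the lock expires

    def _settings(self, user):
        domain = user.rsplit("@", 1)[-1]
        return self.per_domain.get(domain, self.defaults)

    def is_locked(self, user, ip, now) -> bool:
        until = self.locked_until.get((user, ip))
        if until is None:
            return False
        if now >= until:
            del self.locked_until[(user, ip)]               # lock has expired; forget it
            return False
        return True

    def record_failure(self, user, ip, now) -> bool:
        """Return True if this failure pushed the (user, ip) pair over the threshold."""
        max_failures, window, lockout = self._settings(user)
        key = (user, ip)
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - window:                   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            self.locked_until[key] = now + lockout
            q.clear()
            return True
        return False

    def record_success(self, user, ip) -> None:
        self.failures.pop((user, ip), None)

    def attempt(self, user, ip, password_ok, now) -> str:
        """One login attempt: "locked", "ok" or "failed". A lock refuses even a correct password,
        so an attacker cannot tell a lock-out from a wrong guess."""
        if self.is_locked(user, ip, now):
            return "locked"
        if password_ok:
            self.record_success(user, ip)
            return "ok"
        self.record_failure(user, ip, now)
        return "failed"
```

The same structure works for the POP, IMAP and SMTP listeners; what changes is only where the timestamps live (a shared store rather than process memory) once more than one front-end server answers logins.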

Custom Lost Password Instructions

LuxSci Support Staff can help a user who has forgotten a password, although they cannot retrieve the password itself (passwords are stored only as hashes, as described below). The user clicks the lost-password link on the LuxSci login page and fills out a basic form. With that information, Support verifies the user's identity manually against pre-configured criteria such as alternate email addresses, phone numbers and security questions, and then sends the user a password reset link.

In some cases, account administrators do not want their users (or specific users) to be directed to Support, but to be given specific instructions for lost passwords.

Administrators have the option to specify "Lost Password Instructions" account-wide, per-domain and/or per-user. Any affected users who request password help from the login page will get these instructions instead of being sent to Support.

Self-Serve Secure Password Reset System
Login Session Length Enforcement

Account administrators can configure a maximum WebMail login session timeout (for all users) from anywhere from five minutes to eight hours of inactivity.

Administrative Access for Multiple Users or Accounts

Administrators can delegate administrative access to other account users on a per-domain basis as needed. Administrators can also manage multiple LuxSci accounts from a single login if needed.

SecureLine™ Encryption Policies

Account administrators can quickly enable SecureLine™ email encryption settings on an account-wide and/or domain-wide basis. This includes auto-creation of user PGP and S/MIME certificates, forced use of email encryption, inbound email auto-decryption, etc.

Successful/Failed Login Alerts

Users can receive email alerts detailing successful and/or failed logins to their accounts. These alerts can go to a custom list of email addresses and can be enabled/disabled per service (e.g. POP, IMAP, WebMail, SMTP, FTP).

By default, failed login alerts are enabled and successful login alerts are disabled.

Maximal Security Settings and Enforcement

LuxSci provides account administrators with a "Maximal Security" button. This feature lets them configure all of the global or domain-wide security options to their most secure settings in one click. This covers such things as forced use of TLS, strong passwords and forced use of SecureLine™ (where applicable).

Account managers can also request that Support "lock down" these settings so that nobody in the account can alter them without contacting Support directly, getting approval and leaving an audit trail.

If you want maximum email security and the assurance that your email account is set up correctly and cannot be circumvented, this is for you.

Collaboration (WebAide) Security Features

LuxSci's WebAides™ allow you to create a variety of collaboration instruments such as Blogs and file archives. LuxSci ensures the security of your data in many ways, including:

PGP Encryption

With this feature you can encrypt individual Blog entries and Documents using PGP. It also supports creating personal and group PGP keys, specifying the recipients of encrypted data per entry, and verifying digital signatures on all encrypted content. Not even LuxSci technical staff can read PGP-encrypted entries without your PGP key password, which is never saved in plain text on our servers.

Access Tracking

You can enable access tracking on your Blogs, Documents and Passwords WebAides™. This allows users to see who created or edited every entry and when the action occurred.

Security & Access Control

Only people with a login to LuxSci's web site can access your WebAides™ (they are not public). You determine exactly who may view your WebAides™, add entries, edit entries, make comments and administer your Blog, and you can specify this per user, per user group, per domain and/or per account. Whether to share your WebAides™ with other members of your account and/or members of other LuxSci accounts is entirely your decision.

TLS, Password, and IP Protection for WebAide™ Feeds

WebAide Feeds (links to access certain WebAide data from external locations) can be secured via:

  • Password protection
  • Allowed access from certain IP addresses or ranges
  • Requiring that the feed be accessed only over TLS

These options ensure that even if your feed is "published", you can control who has access.

Encrypted file storage
All files uploaded to WebAides™ are encrypted at rest with AES encryption.