8 Replies Latest reply: Sep 14, 2015 4:58 PM by Felipe Ruiz

    Hide server information access

    Felipe Ruiz

      Hello!!

      A current customer did a security test of the platform.

      They found two vulnerabilities:

      - When the user accesses the "access point" it's possible to see critical information, like the name of the server, that can be used for possible attacks. How can the server information be hidden on the access point?

      [screenshot: img.png]

      - Once the user authenticates, the browser saves the session, so if another user gets access to the computer he can access the "access point". They want the system to ask for the user name and password each time the user opens the browser. Is there a way to erase the session variable?

      Thanks for the help!!

      Have a good day!!

        • Re: Hide server information access
          Peter Cammaert

          Hmm, I'm not sure if I can answer these questions to satisfaction, but I'll try my best to shed some light on the issues at hand.

          • Server name: to connect to a server, you have to know its name. You can remove these details from the access point, but any user only has to enable the address bar in his/her browser to see the server name. I'm not sure how you want to avoid that...

          • Log in: actually, authentication is done outside of QlikView, usually by AD. If a user with an enterprise PC logs into his/her machine, the login for QlikView has already happened, though QlikView has not yet been called upon.

          I guess you could intercept this kind of blanket authentication by assigning/programming a custom login page to the QlikView AccessPoint and force it to time out after a certain period of inactivity.

          Peter

            • Re: Hide server information access
              Felipe Ruiz

              Hi Peter!!!

              I enabled the alternative login page, but when I open the browser the first time, it tries to authenticate.

              [screenshot: loginFailed.png]

              Once the user is authenticated and signs out of the session, it shows the custom login page. Is there a way to make it not authenticate automatically when the user opens the browser?

              What I want is for the user to authenticate twice: on the computer and on the access point.

              Another question. I tried to authenticate with a user that exists in the domain, but doesn't have an assigned license. I need to restrict access to the access point if the user doesn't have a license assigned.

              Thanks in advance!!!

                • Re: Hide server information access
                  Peter Cammaert
                  • Funny, that doesn't happen on my machine. I'm using IE11 and Google Chrome and both show the login page immediately, whether I enable Integrated Windows Authentication or not. Can you clear the browser cache and try again? Windows also caches authentication information somewhere else, but I'm not sure whether this has any impact on web sites.
                  • Not with standard QlikView Server techniques. Remember that QVS also has a feature called Dynamic CAL assignment. That feature would be useless if people without a CAL weren't allowed to visit the AccessPoint, as licenses are only dynamically assigned when they click on a thumbnail and open a QlikView document.
                    You can however customize the code for your own QlikView login page, so that it uses the QMS API to check whether this person actually has a license before letting him/her enter the AP.

                  Best,

                  Peter

              • Re: Hide server information access
                arjun rao

                Hi Bill,

                How will it work? Could you please elaborate? Thank you.

                • Re: Hide server information access
                  arjun rao

                  Hi Julián Felipe Ruiz Vélez

                  Just curious. Were you able to resolve this? Please share the solution. Thanks in advance.

                  • Re: Hide server information access
                    Felipe Ruiz

                    Hi!!!

                    Regarding the two situations:

                    "Once the user is authenticated and signs out of the session, it shows the custom login page. Is there a way to make it not authenticate automatically when the user opens the browser?"

                    R/ If I include the complete address "qlikview/FormLogin.htm" it works fine. But with this address "/qlikview/index.htm" it tries to authenticate.

                    "I tried to authenticate with a user that exists in the domain, but doesn't have an assigned license. I need to restrict access to the access point if the user doesn't have a license assigned."

                    R/ I haven't resolved it yet. Do you have any example of how to customize the login page?