Security Considerations

This help file applies to an out-of-date version of MainBoss.
The most recent version of MainBoss is MainBoss 4.2.2.
The latest version of this help file can be found here.


Before proceeding to configure your MainBossRemote web site, you must make some decisions about security. This section discusses various factors that you should consider.

Depending on your ways of working, especially with cell phones and similar devices, you may find you have to sacrifice some level of security in order to get anything done. You may decide this means you won't use cell phones with MainBossRemote; alternatively, you may decide to live with reduced security or other complications. Thinkage takes no responsibility for any problems you may encounter if you opt for reduced security.

Web Requests: In order to use the Web Requests module, users must type in their e-mail address and send it to the MainBossRemote web page. This process must have anonymous authentication: anyone who can access the web page is allowed to type in an e-mail address and submit it. (Processing only continues if the e-mail address is authorized to submit requests.)

If you do not have the Web Requests module, you do not have to allow anonymous authentication to this particular facility.

Web Access: In order to use the Web Access module, your MainBossRemote web site must be able to authenticate people as Windows users on the system where the web site runs. This means that people must enter their Windows login names and passwords.

The safest way to do this is to use ASP.NET's integrated Windows Authentication. When users attempt to use the Web Access module, they will be asked for their login names and passwords, which are encrypted before being transmitted to the MainBossRemote site.

Unfortunately, integrated authentication does not work with some cell phone and PDA services. Whether or not the device itself can handle encryption, the service provider may use proxy servers that do not support integrated authentication. (This may mean that the device works fine when connected to your own Wi-Fi network but not when connecting through the device's usual service provider.) The symptom of this is that you aren't asked for your login name and password; you simply get a "permissions denied" message.

If the cell phones or PDAs that you intend to use can't handle integrated authentication, you must consider your options.
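The two authentication requirements above (anonymous access for the Web Requests page, Windows authentication for the Web Access module) can be set per application path rather than for the whole site. The following PowerShell, added here as an example and not part of the MainBoss documentation, does that with the IIS WebAdministration module; the site name and the two application paths are assumptions and must be replaced with the names used on your own server. Writing the settings with -Location puts them in applicationHost.config, so they take effect even where the authentication sections are locked against web.config overrides (the IIS default).

```powershell
# Added example, not from the MainBoss documentation. Site and path names are
# assumptions: adjust them to match your own MainBossRemote installation.
Import-Module WebAdministration

$site        = 'Default Web Site'                   # assumed IIS site name
$webRequests = "$site/MainBossRemote/WebRequests"   # assumed path of the Web Requests page
$webAccess   = "$site/MainBossRemote/WebAccess"     # assumed path of the Web Access module
$authBase    = '/system.webServer/security/authentication'

# Web Requests: anonymous authentication must be enabled so that anyone can
# submit an e-mail address; MainBoss itself decides whether that address is
# authorized to submit requests.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $webRequests `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $true

# Web Access: require Windows (integrated) authentication and switch anonymous
# access off, so that unauthenticated users cannot reach the module at all.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $webAccess `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $webAccess `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Check: read the settings back for both paths. Anonymous access should be
# enabled only on the Web Requests path and Windows authentication only on
# the Web Access path.
foreach ($loc in $webRequests, $webAccess) {
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter "$authBase/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter "$authBase/windowsAuthentication" -Name enabled
    '{0}: anonymous={1} windows={2}' -f $loc, $anon.Value, $win.Value
}
```

Keeping anonymous authentication limited to the Web Requests path is the point of the split: if it were enabled for the whole MainBossRemote site, the Web Access module would no longer prompt for Windows credentials. The "permissions denied" symptom described above for proxied cell phone connections can be confirmed with the same check: if Windows authentication is enabled on the Web Access path and the device still never receives a credential prompt, the proxy in between is the likely cause rather than the IIS settings.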

Security Certificates: A security certificate may be obtained from a trusted Certification Authority (CA) or may be self-generated. A CA security certificate may cost a lot of money; however, large organizations often have a CA certificate already, in which case the same certificate may be used for MainBossRemote.

You can create your own self-generated security certificate using the IIS 7 manager. (See Initial Set-Up of this guide for a reference on how to start the IIS manager.) Once you've started the manager, click the entry for the server in the left-hand panel, then click Server Certificates in the IIS section of the middle panel. In the resulting window, click Create Self-Signed Certificate (in the right-hand panel) to create a self-signed certificate.

If you use a self-signed certificate, devices using https to connect to your MainBossRemote web site must be told to trust this certificate. Note that most browsers display strong warning messages when a user first tries to connect with a web site that has a self-signed certificate; therefore, users must be reassured that connecting with your site really is secure.

If you are using SSL/TLS, make sure that your firewall allows such communications through. SSL/TLS typically uses port 443, so the firewall should allow connections to this port (if you wish to open your web site to outside connections).
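The self-signed certificate, the https binding and the firewall rule described in the preceding paragraphs can also be set up from PowerShell. The script below is an added example, not part of the MainBoss documentation; the host name and site name are assumptions, and the cmdlets it uses (New-SelfSignedCertificate, the WebAdministration module and New-NetFirewallRule) require Windows Server 2012 / IIS 8 or later rather than the IIS 7 manager described above. It also requires SSL on the Web Access path so that Windows credentials are never accepted over plain http.

```powershell
# Added example, not from the MainBoss documentation. Host and site names are
# assumptions: replace them with those of your own MainBossRemote site.
Import-Module WebAdministration

$hostName  = 'mainboss.example.com'                 # assumed public name of the site
$site      = 'Default Web Site'                     # assumed IIS site name
$webAccess = "$site/MainBossRemote/WebAccess"       # assumed path of the Web Access module

# Self-signed certificate in the local machine store. As the text above warns,
# devices connecting over https must be told explicitly to trust it, and
# browsers will show a warning until they are.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'cert:\LocalMachine\My'

# https binding on port 443 for the site, using that certificate.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
}
$binding = Get-WebBinding -Name $site -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Require SSL for the Web Access module so that login names and passwords are
# only ever sent over the encrypted connection.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $webAccess `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Firewall: allow inbound TCP 443. Only add this rule if the web site is meant
# to be reachable from outside your network.
New-NetFirewallRule -DisplayName 'MainBossRemote HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# Check: the https binding and the thumbprint of the certificate it uses.
Get-WebBinding -Name $site -Protocol https |
    Format-List protocol, bindingInformation, certificateHash
```

The thumbprint printed by the final check is what users of self-signed certificates should compare against when their device asks whether to trust the site, since the browser warning itself cannot tell them whether they reached your server or someone else's.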
