action.skip

Best Practices for Securing InfoConnect Desktop

InfoConnect Desktop has a number of security features designed to protect your personal data and prevent it from being read by unauthorized users.

Following these best practices for securing InfoConnect Desktop will help you design a secure terminal emulation solution.These best practices include high-level recommendations and considerations. For additional detailed information about the security features supported by InfoConnect Desktop, see Reflection Security in the InfoConnect Desktop Help.

Monitor InfoConnect Desktop security alerts. Open Text regularly publishes security alerts in knowledge base articles. You can find the most recent alerts at Security Alerts – InfoConnect Desktop
Use the highest level of TLS for secure connections. InfoConnect Desktop versions 17.0 and higher support TLS 1.3 for IBM, VT, Unisys, T27, and FTP sessions. If your environment supports TLS 1.3, consider using this version.
Use the strongest encryption ciphers available in your environment. InfoConnect Desktop v18.0sp1 contains enhanced capabilities that allow you to disable cipher suites which are less secure, and also to enable ciphers used in your environment that you consider to be more secure.
Stay current with versioning in InfoConnect Desktop. Staying current with major new releases, service packs and updates (when available) ensures you have deployed the latest security patches and fixes to your end-users. Open Text strives to make each new version of InfoConnect Desktop more secure than the last. The Host Connectivity team responsible for the development of new versions is a dedicated staff of senior engineers who have a strong focus on making the product more secure. They evaluate all security alerts against the currently released products and incorporate updates in the next versions. Open Text Development teams use a Secure Development Lifecycle process, where ongoing training and product review ensures that our software does not contain security vulnerabilities and that all new features are developed with security in mind.
Use Certificates in a secure manner. Configure InfoConnect Desktop to prevent security risks associated with certificates:
- Don't allow host authentication with invalidated certificates. To prevent this security risk, make sure the Retrieve and validate certificate chain setting in the SSL/TLS Security Properties Dialog Box is enabled. This setting specifies whether certificates presented for host authentication are checked to determine if they are valid and signed by a trusted CA. Disabling this option can make connections vulnerable to man-in-the-middle attacks, which could compromise the security of the connection.
- Consider disabling the use of the Windows certificate store for InfoConnect connections. InfoConnect applications can be configured to authenticate using only those certificates located in the Reflection store or using both the Windows and the Reflection store. Disabling use of the Windows certificate store enables you to have greater control over which certificates are used for authentication. Certificates can be added to the Windows store in a variety of ways, and you may not want to allow use of all of those certificates for authenticating InfoConnect sessions. When use of the Windows store is disabled, only the certificates you have imported into the Reflection store are used for host authentication.
Control access to product features that are not needed. Limit access to settings and controls and consider setting up custom templates with locked down settings so that users must use security settings, such as the latest TLS versions, when they create new sessions.
You can restrict access to almost any of the InfoConnect settings or controls to prevent users from changing values, like the host address that a session connects to. This allows you to simplify support requirements and resolve security concerns. Administrative access is required to change settings and users cannot change these options unless they elevate their access level to administrator.
Access to almost every InfoConnect Desktop feature can be enabled or disabled with Microsoft Group Policy or *.ACCESS files that you can create with InfoConnect Desktop administrative tools. See Lock Down InfoConnect To Restrict Access to Controls.
Control Access. Lock down or disable features which can be used in an insecure manner. For example, allowing users access to programming and macro languages could allow users to record or write automation code that includes user IDs and passwords. This code could then be freely distributed among users, creating a security risk:
- Using Group policy settings, as documented in Technical Information Document 7024743, and Control Access to Settings and Controls with Microsoft Group Policy to disable specific features leads to more secure user environments.
- Alternatively, you can use InfoConnect Desktop administrative tools to create and deploy .ACCESS files that lock down specific settings. See Control Access to Settings and Controls with InfoConnect Administrative Tools.
Set up Session Templates. Deploy session templates using pre-configured settings to control the types of sessions users can create. For example, you can create templates that have pre-configured SSL/TLS settings and then lock down these settings with Group Policy or InfoConnect Desktop administrative tools. Then configure InfoConnect to hide the built-in templates so that only the custom templates are available. See Set up Session Templates.
Configure the InfoConnect Desktop Trust Center to protect data and information privacy. Use the Trust Center to protect your working environment from information theft, and your data from potential damage caused by opening documents from non-trusted sources.
You can configure settings to protect the following types of data and information:
Trusted Locations. A trusted location is a directory that is designated as a secure source for opening files. By default, InfoConnect allows users to open documents only in directories specified as trusted locations and prevents them from opening untrusted documents outside of these locations.
Information Privacy. Consider protecting sensitive data such as credit card Primary Account Numbers (PANs), phone numbers, and US Social Security numbers. Information Privacy allows you to configure InfoConnect Desktop so that the sensitive data is not displayed on the screen or in productivity features, such as Screen History. It also allows you to require secure connections and to redact PANs in logs.
API and Macro Security. Consider the following options for handling the InfoConnect Desktop API and macros. You can configure Trust Center settings to:
- Enable or disable the InfoConnect Desktop .NET API.
- Determine if legacy macros are supported or not.
- Specify what will happen if an action that has been restricted through Group Policy or .ACCESS files is initiated through a macro or API call.
See Protect Data.
Do not save passwords in macros. Including user IDs or passwords in macros or other automation code creates a security risk.
When a VBA macro is recorded in InfoConnect Desktop, a password prompt dialog box is automatically added to the macro in place of actually recording the password. Using this password prompt in macros that require user credentials prevents security risks.
There may be circumstances where you need to consider embedding a password in a macro, although this is a security risk. Undertake this process with extreme caution and after careful deliberations of the potential for the password being compromised by others who should not have the information, as shown in Technical Information Document 7024220.
Note: The InfoConnect Desktop software does not store Host user names or passwords anywhere in the product configuration files and InfoConnect Workspace logs do not capture Host user names or passwords.
Consider using a centralized management server to manage host sessions. You can centrally manage, secure, and monitor users' access to host connections with the Open Text Host Access Management and Security Server (MSS), a separately available product that is designed to provide centralized management for InfoConnect sessions:
- Using this centralized management server, you can grant or deny access based on group or role, quickly apply security updates and configuration changes to align with changing regulatory or business needs, and make post-install adjustments on the fly. MSS allows you to configure and lock down large numbers of desktops with ease. See Centrally Manage Sessions.
- Using the MSS Advanced Authentication Add-on, you can configure a multi-factor authentication solution that enables you to protect your sensitive data by using a more advanced way of authentication on top of the typical user name and password authentication. With Advanced Authentication, you can authenticate on diverse platforms by using different types of authenticators such as Fingerprint, Card, and OTP. Advanced Authentication provides a single authentication framework that ensures secure access to all your devices with minimal administration. See Open Text Advanced Authentication.
- Using the Automated Sign-On for Mainframe Add-On, you can enable a user to authenticate to a front-end system using a modern form of authentication (such as a smart card, certificate, LDAP password, Kerberos, etc.) and then be automatically logged on to a z/OS mainframe application. See Set up Automated SignOn for Mainframe Sessions.
Consider encrypting session documents. You can encrypt session documents to protect them against unauthorized changes. Encryption effectively scrambles the data in a session document, helping to prevent unauthorized users from reading and changing the file's contents. For best results, use document encryption in conjunction with the encryption options in InfoConnect Permissions Manager.