Security settings

Accessing server security settings

Currently, server security settings are accessed and modified by editing the Web.config file in the Flow Server installation directory. Any change saved to this file causes the Flow Server to restart automatically, so the change takes effect immediately.

Always make a backup copy of the Web.config file outside of the Flow Server installation directory before making any changes to the configuration.

Limiting WAN access to studio functionality

For Flow Server installations that are reachable on a public IP address, it is advisable to turn off access to the Flow Studio APIs. This means that only end-users will be able to connect to the Flow Server from non-LAN IP addresses; access using the Flow Studio is allowed from LAN IP addresses only.

To disable WAN access to studio functionality, navigate to the Web.config file in the Flow Server installation directory, then find the configuration key marked blockStudioIfOutsideLocalNet and change the value to true.

<add key="blockStudioIfOutsideLocalNet" value="true"/>

It is possible to configure a set of excepted hostnames, which will be allowed even if WAN Access is blocked. To configure such exceptions, add the excepted hostnames as a comma-separated list in the blockStudioIfOutsideLocalNetExcept configuration key.

Session time-out

For security and resource management reasons, the Flow Server automatically logs out sessions after a period of inactivity. By default, sessions that have been inactive for more than seven days are considered expired and can no longer be accessed.

Configuring the session time-out parameter

To configure a custom value for the session time-out parameter, edit the Web.config file located in the Flow Server installation directory. In the appSettings section of this file, locate or add the following configuration values:

SittingTimeOut – A value in DD:HH:MM:SS format specifying how long a session can be inactive before it is to be considered expired. The default value is seven days.

SittingTimestampUpdateInterval – A value in DD:HH:MM:SS format specifying the minimum interval at which user activity is registered in the Flow database. For Flow installations with a high density of transactions, a higher value here will increase the system's overall performance. Note also that the sitting timestamp update parameter must be less than the sitting time-out parameter. The default value is one hour.

Example: Session time-out of three hours, update interval of ten minutes

<add key="SittingTimeOut" value="03:00:00" />
<add key="SittingTimestampUpdateInterval" value="00:10:00"/>
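As an added example (Python, not Flow Server code) of how the two parameters interact, the model below stores a session's last-activity timestamp only when SittingTimestampUpdateInterval has elapsed since the stored value, and treats the session as expired once SittingTimeOut has passed since that stored value. It also enforces the constraint stated above that the update interval must be less than the time-out. The timespan parser accepts both DD:HH:MM:SS and HH:MM:SS; the sample values and the Sitting class name are constructed for the illustration.

```python
from datetime import datetime, timedelta
from typing import Tuple

# Constructed appSettings values for the example (same as the snippet above).
SITTING_TIMEOUT = "03:00:00"                    # SittingTimeOut: three hours
SITTING_TIMESTAMP_UPDATE_INTERVAL = "00:10:00"  # SittingTimestampUpdateInterval: ten minutes


def parse_timespan(value: str) -> timedelta:
    """Parse DD:HH:MM:SS or HH:MM:SS into a timedelta."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) == 3:
        days, (hours, minutes, seconds) = 0, parts
    elif len(parts) == 4:
        days, hours, minutes, seconds = parts
    else:
        raise ValueError(f"unsupported time span format: {value!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def validate_sitting_settings(timeout: str, update_interval: str) -> Tuple[timedelta, timedelta]:
    """Parse both keys and enforce 'update interval < time-out'."""
    t, i = parse_timespan(timeout), parse_timespan(update_interval)
    if i >= t:
        raise ValueError("SittingTimestampUpdateInterval must be less than SittingTimeOut")
    return t, i


class Sitting:
    """Model of one session: the stored timestamp is what the database sees."""

    def __init__(self, timeout: str, update_interval: str, started_at: datetime):
        self.timeout, self.interval = validate_sitting_settings(timeout, update_interval)
        self.stored_activity = started_at   # timestamp persisted in the Flow database
        self.db_writes = 1                  # the initial write at login

    def is_expired(self, now: datetime) -> bool:
        return now - self.stored_activity > self.timeout

    def touch(self, now: datetime) -> bool:
        """Register user activity; return False if the session has already expired.

        The stored timestamp is only rewritten when the update interval has elapsed,
        which is what reduces database load on busy installations."""
        if self.is_expired(now):
            return False
        if now - self.stored_activity >= self.interval:
            self.stored_activity = now
            self.db_writes += 1
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    s = Sitting(SITTING_TIMEOUT, SITTING_TIMESTAMP_UPDATE_INTERVAL, t0)
    for minutes in (5, 10, 15, 25):
        s.touch(t0 + timedelta(minutes=minutes))
    print("database writes after four activity events:", s.db_writes)
```

One consequence worth knowing: because activity is persisted at most once per update interval, a session can be judged expired up to one interval earlier than the user's true last action. Keeping the interval small relative to the time-out keeps that window negligible.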

Limiting the number of failed logins

The Flow Server can be configured to lock out user accounts where many failed login attempts have occurred. This helps reduce the risk of brute force attacks (successive log-in attempts with the goal of figuring out a user's password).

The functionality is governed by a pair of settings in the Web.config file: MaxFailedLoginAttempts and LockOutTimeAfterFailedLogins.

The MaxFailedLoginAttempts key contains a positive integer value specifying the upper bound for how many times a user is allowed to "try" different passwords before their account is locked. By default, the value is set to 10.

The LockOutTimeAfterFailedLogins key contains a time span value (in the format HH:MM:SS) specifying the time (starting from the last failed login attempt) during which a locked-out user is blocked from further login attempts.

In the following example, a user would be locked after four successive failed login attempts. Locked users would be blocked from further login attempts for one hour.

<add key="MaxFailedLoginAttempts" value="4"/>
<add key="LockOutTimeAfterFailedLogins" value="01:00:00"/>

Manually unlocking a locked account

Administrator users can manually unlock a locked user account from the Flow Studio. To do so, click the Environment tab, select the Users sub-tab, find the locked user and click the "Unlock" button.
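The model below is an added Python illustration of the lockout policy from the previous section together with the manual unlock described here; it is not Flow Server code. It assumes that a successful login resets the failure counter, that attempts made while the account is locked are refused without being counted, and that the counter starts fresh once the lockout window (measured from the last failed attempt) has elapsed. The LoginThrottle class and the user names are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict

# Constructed sample values matching the Web.config snippet above.
MAX_FAILED_LOGIN_ATTEMPTS = 4                  # MaxFailedLoginAttempts
LOCK_OUT_TIME_AFTER_FAILED_LOGINS = "01:00:00"  # LockOutTimeAfterFailedLogins (HH:MM:SS)


def parse_hhmmss(value: str) -> timedelta:
    """Parse the HH:MM:SS lockout duration."""
    hours, minutes, seconds = (int(p) for p in value.strip().split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


class LoginThrottle:
    """Per-user failed-login counter with a lockout window (assumed semantics, see lead-in)."""

    def __init__(self, max_failed: int, lockout: str):
        if max_failed < 1:
            raise ValueError("MaxFailedLoginAttempts must be a positive integer")
        self.max_failed = max_failed
        self.lockout = parse_hhmmss(lockout)
        self.failed: Dict[str, int] = {}
        self.last_failed: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        if self.failed.get(user, 0) < self.max_failed:
            return False
        if now - self.last_failed[user] < self.lockout:
            return True
        self._reset(user)          # window elapsed: assumption, counter starts fresh
        return False

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Process one login attempt; returns 'locked', 'success' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"        # refused even if the password is correct
        if password_ok:
            self._reset(user)
            return "success"
        self.failed[user] = self.failed.get(user, 0) + 1
        self.last_failed[user] = now
        return "failed"

    def unlock(self, user: str) -> None:
        """Administrator action (the 'Unlock' button in the Flow Studio)."""
        self._reset(user)

    def _reset(self, user: str) -> None:
        self.failed.pop(user, None)
        self.last_failed.pop(user, None)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    th = LoginThrottle(MAX_FAILED_LOGIN_ATTEMPTS, LOCK_OUT_TIME_AFTER_FAILED_LOGINS)
    for i in range(5):
        print("attempt", i + 1, "->", th.attempt("alice", False, t0 + timedelta(seconds=i)))
```

Because the window is measured from the last failed attempt, a locked account that keeps receiving wrong passwords after the window has elapsed is locked again after another MaxFailedLoginAttempts failures; the setting bounds the guessing rate, it does not stop guessing outright, so the lockout events themselves are worth monitoring.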
