Prevention of intrusion and malicious attacks

Malicious users can attempt to breach security by attacking the login, forgotten password, and self-registration processes, for example to initiate denial-of-service attacks. Hackers can also target browser and HTTP vulnerabilities to initiate cross-site request forgery (CSRF) attacks.

Search engine crawlers

By default any server that is exposed to the internet is indexed by search engines and available through search. If your Maximo® Asset Management server is connected to the internet, you can hide it from search engines by deploying a robots.txt file on the application server or on an IBM® HTTP Server proxy server.

IP address blocking

You can configure system properties to block IP addresses when an attack is detected because too many failed login, forgotten password, or self-registration attempts are made from the same IP address. You can view, add, and delete blocked IP addresses in the Manage Blocked IP Addresses window of the Users application.

If the number of successive forgotten password attempts for a user exceeds the value that is specified in the Security Controls window of the Users application and the Security Groups application, the status of the user that is associated with the email address is set to BLOCKED.

The following system properties are used to configure IP blocking:

mxe.sec.IPblock property
Enables or disables IP address blocking
mxe.sec.IPblock.MatchBoth property
IP address is blocked only if both the client host and the client address of the incoming request match the values in the LOGINBLOCK table.
mxe.sec.IPblock.num property
IP address is blocked when the number of failed login or forgotten password attempts exceeds this value during a specified time period. The number of failed logins is tracked by the reported number of web browser sessions. Do not use this property to control the number of user sessions or windows because web browsers report sessions in different ways so the information can be unreliable. Use this property only for the purpose of blocking intrusion attempts.
mxe.sec.IPblock.sec property
Specifies the time period that is used in conjunction with the mxe.sec.IPblock.num property.
mxe.sec.forgotpassword.maxsets property
IP address is blocked if the number of concurrent forgotten password attempts exceeds this value.
mxe.sec.addusers.maxsets property
IP address is blocked if the number of concurrent self-registration attempts exceeds this value.
mxe.sec.allowedIP property
Comma-separated list of IP addresses that are never blocked to ensure, for example, that users can always access servers that are used for load-balancing.
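The following is an added example, not Maximo's own code, that models how the properties listed above combine: failed attempts from a source are counted inside a sliding window (mxe.sec.IPblock.num and mxe.sec.IPblock.sec), a source that exceeds the count is written to a block table standing in for LOGINBLOCK, mxe.sec.IPblock.MatchBoth decides whether a later request must match on both client host and client address or on address alone, and mxe.sec.allowedIP exempts a source entirely. The class names, the in-memory block table, the sample attempts, and the assumption that the window is expressed in seconds are all constructed for the demonstration.

```python
"""Illustrative model of IP blocking for failed login attempts.

Added example; not Maximo's implementation. Class names, the in-memory
block table and the sample traffic are constructed for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class IpBlockConfig:
    # Each field mirrors one of the documented system properties.
    ipblock: bool = True          # mxe.sec.IPblock: enables blocking at all
    match_both: bool = False      # mxe.sec.IPblock.MatchBoth
    num: int = 5                  # mxe.sec.IPblock.num: failures allowed in the window
    sec: int = 60                 # mxe.sec.IPblock.sec: window length (assumed seconds)
    allowed_ip: tuple = ()        # mxe.sec.allowedIP: sources that are never blocked


@dataclass
class Attempt:
    client_host: str
    client_addr: str
    success: bool
    timestamp: float              # seconds; constructed clock for the demo


class IpBlocker:
    def __init__(self, config):
        self.config = config
        # (host, addr) -> timestamps of recent failures, oldest first
        self.failures = defaultdict(deque)
        # Constructed stand-in for the LOGINBLOCK table: set of (host, addr)
        self.blocked = set()

    def is_blocked(self, host, addr):
        """True if a request from this host/address must be refused."""
        if not self.config.ipblock or addr in self.config.allowed_ip:
            return False
        if self.config.match_both:
            # Both client host and client address must match a table row.
            return (host, addr) in self.blocked
        # Otherwise the client address alone is enough to match.
        return any(b_addr == addr for _, b_addr in self.blocked)

    def record(self, attempt):
        """Record one login attempt; return True if the source is now blocked."""
        if self.is_blocked(attempt.client_host, attempt.client_addr):
            return True
        if (attempt.success or not self.config.ipblock
                or attempt.client_addr in self.config.allowed_ip):
            return False
        key = (attempt.client_host, attempt.client_addr)
        window = self.failures[key]
        window.append(attempt.timestamp)
        # Discard failures that fell out of the sliding window.
        while window and attempt.timestamp - window[0] > self.config.sec:
            window.popleft()
        if len(window) > self.config.num:
            self.blocked.add(key)
            return True
        return False


def simulate_bruteforce(config, host, addr, count, spacing):
    """Feed `count` failed attempts `spacing` seconds apart; return the
    per-attempt block decisions and the blocker for further inspection."""
    blocker = IpBlocker(config)
    decisions = [
        blocker.record(Attempt(host, addr, False, i * spacing))
        for i in range(count)
    ]
    return decisions, blocker


if __name__ == "__main__":
    cfg = IpBlockConfig(num=5, sec=60, allowed_ip=("10.0.0.5",))
    decisions, blocker = simulate_bruteforce(cfg, "host-a", "203.0.113.7", 6, 1)
    print("rapid failures:", decisions)
    print("blocked on address alone:", blocker.is_blocked("host-b", "203.0.113.7"))
```

Rapid failures from one source flip to blocked on the sixth attempt (the count must exceed mxe.sec.IPblock.num), while the same number of failures spread well beyond the window never accumulate. The same blocked address arriving from a different client host is still refused unless MatchBoth is on, which is the distinction the page draws for that property.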

Prevention of cross-site request forgery attacks

CSRF attacks attempt to use browser and HTTP vulnerabilities to manipulate the state-changing actions of authenticated users, causing them to inadvertently reset passwords or transfer funds, for example. Use the most recent versions of browsers to benefit from the latest security updates.

Maximo Asset Management includes security measures to guard against CSRF attacks. When a user logs into a Work Center, a randomly generated value, a CSRF token, is set for the user session. During the session, any state-changing request to the Maximo database must include the CSRF token.

If you are using APIs to exchange data with external applications, you cannot use the GET method for state-changing actions. For example, you can use the GET method to retrieve an asset record from the database, but you cannot use the GET method to bookmark an asset. You must use a POST method to change the state of a record and you must include a csrftoken in the header of the request. If a POST request does not include a valid csrftoken, the request is rejected.
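The check described in the two paragraphs above, written out as an added server-side model that is not Maximo's implementation: a per-session token is generated at login, read-only retrieval is served on GET, any state-changing path refuses GET outright, and a POST to a state-changing path is accepted only when its csrftoken header matches the session's token in a constant-time comparison. The route table, the session object and the header handling are assumptions made for the demonstration; the header name csrftoken follows the page.

```python
"""Server-side model of a CSRF token check on state-changing requests.

Added example; not Maximo's own code. The route table, Session class and
header lookup are constructed for the demonstration.
"""
import hmac
import secrets

# Constructed route table. Following the page's example, retrieving an asset
# is read-only while bookmarking it changes state.
READ_ONLY = {"/asset/get"}
STATE_CHANGING = {"/asset/bookmark", "/asset/update"}


class Session:
    """An authenticated user session with its own random CSRF token."""

    def __init__(self):
        # Generated once at login; never derived from anything the client sends.
        self.csrf_token = secrets.token_urlsafe(32)


def client_headers(session):
    """Headers a legitimate client attaches to a state-changing POST."""
    return {"csrftoken": session.csrf_token}


def handle_request(session, method, path, headers):
    """Return (status, reason) for a request made by an authenticated session."""
    if path in READ_ONLY:
        return (200, "ok")
    if path not in STATE_CHANGING:
        return (404, "unknown path")
    if method != "POST":
        # A state change on GET could be triggered by a link or image tag
        # placed on another site, so it is refused regardless of any token.
        return (405, "state-changing action requires POST")
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    token = normalised.get("csrftoken")
    if token is None:
        return (403, "missing csrftoken")
    # Constant-time comparison on bytes so the reject path does not leak
    # how many leading characters matched.
    if not hmac.compare_digest(token.encode("utf-8"),
                               session.csrf_token.encode("utf-8")):
        return (403, "invalid csrftoken")
    return (200, "ok")


if __name__ == "__main__":
    s = Session()
    print(handle_request(s, "GET", "/asset/get", {}))
    print(handle_request(s, "GET", "/asset/bookmark", {}))
    print(handle_request(s, "POST", "/asset/bookmark", {}))
    print(handle_request(s, "POST", "/asset/bookmark", client_headers(s)))
```

The two rejection paths are deliberately separate: a GET is refused before any token is examined, and a POST is refused when the header is absent or does not match, so a request forged from another origin fails even though the browser attaches the victim's session cookie automatically.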