Recommendations for security best practices

Issue: Malicious code can be injected into an application by exploiting the way some Windows applications search for and load Dynamic Link Library (DLL) files present in the Datacap folders; an attacker who can deposit unauthorized binaries into the install directories gets them loaded by the application.
  • Recommendation: Assign client users read-only access to the DcDesktop, dcshared, dcshared_x64, DStudio, FastDoc, FingerprintService, ProgramSet, RRS, RV2, Taskmaster, Taskmaster x_64, Tmweb.net, Tmweb.java, and wTM folders. Read-only access prevents accidental modification and preserves integrity by limiting unauthorized access to, and changes of, sensitive information in those folders.
Issue: Unauthorized users modifying the IFEO (Image File Execution Options) registry keys.
  • Recommendation: Make the registry settings read-only by setting permissions on the registry key that contains them, which prevents users from making changes.
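The two recommendations above (read-only install folders, read-only IFEO key) are both "find who can write, then take the write bits away" tasks. The following PowerShell script is an added example and is not part of the IBM Datacap documentation: by default it audits whether the client-user group holds any write-class right on each Datacap folder and on the IFEO key, and with -Enforce it breaks inheritance, removes the group's entries and grants a single read-only entry. $InstallRoot and $ClientGroup are assumptions; the IFEO path is the standard Windows location of that key.

```powershell
# Added example, not part of the IBM Datacap documentation: audit (and with
# -Enforce, apply) read-only access for the client-user group on the Datacap
# install folders and on the IFEO registry key. $InstallRoot and $ClientGroup
# are assumptions; replace them with your installation path and group.
param(
    [string]$InstallRoot = 'C:\Datacap',            # assumed install root
    [string]$ClientGroup = 'DOMAIN\DatacapClients', # assumed client-user group
    [switch]$Enforce                                # default is audit only
)

# Folder list taken from the recommendation above.
$Folders = 'DcDesktop', 'dcshared', 'dcshared_x64', 'DStudio', 'FastDoc',
           'FingerprintService', 'ProgramSet', 'RRS', 'RV2', 'Taskmaster',
           'Taskmaster x_64', 'Tmweb.net', 'Tmweb.java', 'wTM'

# Standard location of the Image File Execution Options key.
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Rights that let a principal drop, replace or delete files. FullControl and
# Modify both contain these bits, so they are caught as well.
$FileWriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Rights that let a principal change values or subkeys under a registry key.
$RegWriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                [System.Security.AccessControl.RegistryRights]::Delete -bor
                [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WriteGrants {
    # Return the Allow ACEs on $Path (folder or registry key) that give
    # $Identity any of the write-class rights in $Mask.
    param([string]$Path, [string]$Identity, [int]$Mask)
    (Get-Acl -Path $Path).Access | Where-Object {
        $rights = if ($_ -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $_.FileSystemRights } else { $_.RegistryRights }
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (([int]$rights) -band $Mask) -ne 0
    }
}

function Set-ReadOnlyAccess {
    # Break inheritance (keeping copies of the inherited ACEs), drop every ACE
    # for $Identity, then grant one read-only ACE that inherits downwards.
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.AccessRule]$ReadOnlyRule)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path      # re-read: the inherited ACEs are now explicit
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Identity)
    $acl.AddAccessRule($ReadOnlyRule)
    Set-Acl -Path $Path -AclObject $acl
}

# Build the target list: every Datacap folder plus the IFEO key.
$targets = @()
foreach ($name in $Folders) {
    $targets += [pscustomobject]@{
        Path = Join-Path $InstallRoot $name
        Mask = $FileWriteMask
        Rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                   $ClientGroup, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    }
}
$targets += [pscustomobject]@{
    Path = $IfeoKey
    Mask = $RegWriteMask
    Rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
               $ClientGroup, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
}

foreach ($t in $targets) {
    if (-not (Test-Path -Path $t.Path)) { Write-Warning "Not found: $($t.Path)"; continue }
    $grants = @(Get-WriteGrants -Path $t.Path -Identity $ClientGroup -Mask $t.Mask)
    if ($grants.Count -eq 0) { "OK       $($t.Path)"; continue }
    "WRITABLE $($t.Path) by $ClientGroup"
    if ($Enforce) {
        Set-ReadOnlyAccess -Path $t.Path -Identity $ClientGroup -ReadOnlyRule $t.Rule
        "FIXED    $($t.Path)"
    }
}
```

Run it from an elevated PowerShell session; changing a DACL needs the right to do so on each object. Audit first (no switch), review the WRITABLE lines, and only then rerun with -Enforce. The script deliberately breaks inheritance before purging the group's entries, because an ACE inherited from the parent folder cannot be removed on the child and would otherwise keep the folder writable.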
Issue: When a desktop client application is running, the client application does not automatically log off the user after a specified period.
  • Recommendation: Logging off and closing the unused Datacap Desktop, FastDoc and Datacap Studio applications when they are not in use reduces the risk of exploitation by unauthorized users when the workstation is left unattended.
Issue: Session fixation. A session fixation attack is a class of session hijacking in which the attacker takes over the session established between the client and the web server after the user logs in.
  • Recommendation: The Datacap Web Client application is designed to function fully on Microsoft Edge with Internet Explorer compatibility mode, which prevents session fixation attacks. No other browsers are supported with Datacap Web Client.
Issue: Session cookie without cookie attributes set.
  • Recommendation: If a customer wants to enable the sameSite and requireSSL session cookie attributes in Datacap Web Client, they must:
    1. Configure an SSL certificate using the steps in How to configure an IIS-hosted WCF service with SSL.
    2. Add the httpCookies element to the web.config file located at ..\Datacap\tmWeb.net.
      An example:
      <system.web>
            …
            <httpCookies httpOnlyCookies="true" sameSite="Strict" requireSSL="true" />
            …
      </system.web>

Issue: HTTP Strict-Transport-Security headers are not enabled in the Datacap Web Client.
  • Recommendation: If your enterprise security vulnerability tool flags that the HTTP Strict-Transport-Security (HSTS) headers are not being added to the HTTP response, you can modify the Datacap Web Client configuration XML, web.config, to add these headers under the customHeaders element as shown.
          <configuration>
               …
               <customHeaders>
                    <add name="X-Content-Type-Options" value="nosniff" />
                    <add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains" />
               </customHeaders>
               …
          </configuration>
    
    This configuration requires SSL to be enabled. HTTP will no longer work. If you have customized any of the Datacap Web user interface code, test your code to make sure it works with the Strict-Transport-Security headers.
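Both of the preceding web.config changes (the httpCookies attributes and the customHeaders entries) are easy to lose during an upgrade or a copy of a customized configuration, so a repeatable check is worth having. The following PowerShell function is an added example, not part of the IBM Datacap documentation or product: it parses a web.config and reports which of the settings shown above are missing or weaker than recommended. The sample configuration at the end is constructed for the demonstration and represents a typical "before" state.

```powershell
# Added example, not part of the IBM Datacap documentation: audit a Datacap
# Web Client web.config for the session-cookie attributes and response headers
# recommended above. Returns one finding string per deviation (none means OK).
function Test-DatacapWebConfig {
    param([Parameter(Mandatory)][xml]$Config)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Session cookie attributes: <system.web><httpCookies .../>
    $cookies = $Config.SelectSingleNode('//system.web/httpCookies')
    if (-not $cookies) {
        $findings.Add('httpCookies element is missing under system.web')
    } else {
        $expected = @{ httpOnlyCookies = 'true'; requireSSL = 'true'; sameSite = 'Strict' }
        foreach ($attr in $expected.Keys) {
            $actual = $cookies.GetAttribute($attr)    # "" when the attribute is absent
            if ($actual -ne $expected[$attr]) {
                $findings.Add("httpCookies $attr is '$actual', expected '$($expected[$attr])'")
            }
        }
    }

    # 2. Response headers: <customHeaders><add name="..." value="..." />
    $headers = @{}
    foreach ($add in $Config.SelectNodes('//customHeaders/add')) {
        $headers[$add.GetAttribute('name')] = $add.GetAttribute('value')
    }
    if ($headers['X-Content-Type-Options'] -ne 'nosniff') {
        $findings.Add('X-Content-Type-Options: nosniff header is not configured')
    }
    $hsts = $headers['Strict-Transport-Security']
    if (-not $hsts) {
        $findings.Add('Strict-Transport-Security header is not configured')
    } elseif ($hsts -notmatch 'max-age=(\d+)' -or [int]$Matches[1] -lt 31536000) {
        # Shorter than one year weakens the protection the recommendation intends.
        $findings.Add("Strict-Transport-Security max-age is below one year: '$hsts'")
    }
    return $findings
}

# Constructed sample web.config: cookies partly configured, HSTS header missing.
$sample = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@

Test-DatacapWebConfig -Config ([xml]$sample) | ForEach-Object { "FINDING: $_" }
```

Against the constructed sample this reports three findings: requireSSL is 'false', sameSite is absent, and the Strict-Transport-Security header is not configured. To audit a live installation, load the file instead of the sample: Test-DatacapWebConfig -Config ([xml](Get-Content -Raw '..\Datacap\tmWeb.net\web.config')). The function looks the elements up by relative XPath (//customHeaders/add, //system.web/httpCookies) so it does not depend on exactly where in the configuration tree the customHeaders block sits.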
Issue: Session fixation - web security vulnerability.
  • Recommendation: Legacy session management retains static session IDs and supports full functionality only in Microsoft Edge (IE mode).