LoginHub More Info
Maintenance Connection Canada
This allows you to define your own rules for users, using custom fields you have in your provider. This is especially powerful for those using enterprise providers such as AD, Active AD, Okta, Ping, etc., because Facebook, Google and similar providers give you limited, if any, ability to create and maintain your own custom values per user or per group of users. Most, perhaps all, 'generic' OIDC and SAML 2.0 providers will need this. However, where we have a specific provider such as Okta, if you follow the default Okta fields and don't need the extra control over the setup, you will not need the scripting engine. Essentially, during the login process you can gather and pass more information. If you have a large number of service requestors and a small number of higher-powered users, you could even use this to 'hard code' some of the values for either of those groups, or you can get the values from sources such as your provider (AD, for example). The second use would be, for example, where you want 'manager' to be filled in because you already have that information in, say, Active Directory, and you want to maintain it in AD rather than in MRO, but you want MRO to know about it.
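The two uses described above (hard-coding values for a group of users, and copying a value such as 'manager' from the provider) come down to an ordered rule set applied to the attributes the provider returns at login. The following is an added example written for this page; it is not LoginHub's scripting engine or any of its code. The claim names ("groups", "manager", "department"), the group names ("MC-Technicians", "MC-Managers") and the application field names are hypothetical, chosen only to illustrate the idea.

```python
"""Added example (not LoginHub code): map identity-provider claims to
application fields with a small, first-match-wins rule set.

Assumptions (hypothetical): the provider hands us a flat dict of claims
such as "groups", "manager" and "department"; the application wants
"role", "manager" and "department". All names are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Claims = Dict[str, object]


@dataclass
class Rule:
    name: str
    matches: Callable[[Claims], bool]
    # Values fixed by the rule ("hard coded" for everyone the rule matches).
    set_values: Dict[str, str] = field(default_factory=dict)
    # application field -> provider claim whose value is copied across.
    copy_claims: Dict[str, str] = field(default_factory=dict)


def in_group(group: str) -> Callable[[Claims], bool]:
    """Predicate: the provider reported membership of the given group."""
    return lambda c: group in (c.get("groups") or [])


# Ordered: the first rule that matches wins, so put the most specific first.
RULES: List[Rule] = [
    Rule("technicians", in_group("MC-Technicians"),
         set_values={"role": "technician"},
         copy_claims={"manager": "manager", "department": "department"}),
    Rule("managers", in_group("MC-Managers"),
         set_values={"role": "manager"},
         copy_claims={"department": "department"}),
]

# Fallback for everyone else: the large population of service requestors.
DEFAULT_VALUES = {"role": "service_requestor", "department": "unassigned"}


def map_claims(claims: Claims) -> Dict[str, str]:
    """Apply the first matching rule; unmatched users get the defaults.

    A copied claim overrides the default only when the provider actually
    supplied a non-empty value, so a blank directory attribute never wipes
    out a field the application relies on.
    """
    result = dict(DEFAULT_VALUES)
    for rule in RULES:
        if rule.matches(claims):
            result.update(rule.set_values)
            for app_field, claim_name in rule.copy_claims.items():
                value = claims.get(claim_name)
                if value not in (None, ""):
                    result[app_field] = str(value)
            result["matched_rule"] = rule.name
            return result
    result["matched_rule"] = "default"
    return result


if __name__ == "__main__":
    # Constructed sample claims, as a directory-backed provider might return them.
    print(map_claims({"groups": ["MC-Technicians"],
                      "manager": "CN=Jane Doe,OU=Staff",
                      "department": "Facilities"}))
    print(map_claims({"groups": []}))
```

The design point is the order of precedence: rule-fixed values first, provider values on top of them only when present, and a default for every user who matches no rule, so a service requestor who arrives with no group membership still gets a usable, least-privileged role.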
Testing security issues. Many of these checks are performed by our Automated Security Audit program. In addition, there is a manual process for a handful of additional items that can't be automated.
These tests include:
ini files – should not be served.
asp
can-execute-files in the image server
mczar/mczar – the tool will change this to a password that is not in the Have I Been Pwned list
admin/admin – again, the tool won't allow this, and checks that the replacement is not in the Have I Been Pwned list
Check all encoded passwords against the Have I Been Pwned list
Look at how many users even have passwords (very few should, in most systems, if you have LoginHub)
File system user – again, the same checks
Is the mc login backdoor page blocked?
Confirm SSL is turned on
Do you have a health check set up? (LoginHub, MCe, MRO)
SSL certificate expiration (if you aren't using something like Let's Encrypt, you need to make sure you are upgrading before it expires)
Automatic SQL and image server backups – are those happening, and are they being tested?
Copying SQL/image backups to an offsite location
Testing backups (automatic and manual)
Zero day features added and automatically upgraded within hours (if you have our automatic upgrades turned on)
And many more
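Three of the checks in the list above (rejecting mczar/mczar and admin/admin, and checking passwords against the Have I Been Pwned list) can be illustrated with the k-anonymity scheme the Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 hash leave the machine, and the caller matches the remaining 35 characters locally against the returned list. The code below is an added example written for this page, not the audit tool's own code. It assumes the documented range endpoint (https://api.pwnedpasswords.com/range/<prefix>, returning "SUFFIX:COUNT" lines); the network call is kept in a separate function that is not invoked here, and the breach counts in the constructed response are made up so the example runs offline.

```python
"""Added example, not part of LoginHub or its audit tool: check logins for
vendor-default credentials and for passwords present in breach data, using
the k-anonymity range lookup of the Have I Been Pwned 'Pwned Passwords' API.

Assumptions: the documented endpoint shape
    GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
    -> lines of "<remaining 35 hex>:<count>"
The counts in CONSTRUCTED_BREACHED are made up for the offline demonstration.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Default credential pairs the audit refuses to leave in place.
DEFAULT_LOGINS = {("mczar", "mczar"), ("admin", "admin")}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        if len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 = not seen).

    Only the 5-character hash prefix is sent; the suffix match happens here.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_logins(logins: Iterable[Tuple[str, str]],
                 fetch_range: Callable[[str], str]) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every login that fails a check."""
    findings: Dict[str, List[str]] = {}
    for user, password in logins:
        reasons = []
        if (user.lower(), password) in DEFAULT_LOGINS:
            reasons.append("vendor default credentials")
        seen = pwned_count(password, fetch_range)
        if seen:
            reasons.append(f"password seen {seen} times in breach data")
        if reasons:
            findings[user] = reasons
    return findings


def http_fetch(prefix: str) -> str:
    """Live lookup against the real API (not called in this example)."""
    import urllib.request
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: passwords and counts are invented here.
CONSTRUCTED_BREACHED = {"mczar": 1200, "admin": 50000, "password": 9000000}


def constructed_fetch(prefix: str) -> str:
    """Build a range response the way the API would, from the constructed table."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    lines.append("0" * 35 + ":1")  # an unrelated suffix, as real responses contain many
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed sample logins.
    sample = [("mczar", "mczar"), ("admin", "admin"),
              ("alice", "correct horse battery staple")]
    for user, reasons in audit_logins(sample, constructed_fetch).items():
        print(user, "->", "; ".join(reasons))
```

To run it against the live service, pass http_fetch instead of constructed_fetch; nothing else changes, which is the point of keeping the transport behind a function argument.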
In addition, with your ongoing SMA, you also get 'offsite backup', where you have secure access to your backup. Offsite backup is still not something that people think about a lot, even though it has been used since the 1970s as a 'required' backup option by the author of this document (and owner of Maintenance Connection Canada). There are three major reasons to consider offsite backups:
In case of disaster. For example, consider the case of the City of Baltimore in 2018 and then again in 2019: they could have saved millions of dollars by having good backups, allowing them to reset the equipment and not lose any critical data. While the best security audit and the best offline backup won't guarantee to prevent ransomware and other similar attacks, the audit helps minimize the chance and frequency, and the backups help maximize the recovery.
In the unlikely case of your SaaS or hosting provider shutting down, where you lose everything because they have all your backups. For example, while we (Maintenance Connection Canada) have been in business doing only Maintenance Connection software, SaaS, hosting and support, and we don't think we are going to disappear, we still recommend you have offsite backups; if you are on one of our SaaS offerings, we recommend you keep backups of your data on your own site or in some additional offsite location, and don't rely 100% on us or Accruent or Microsoft for your While we have never lost customer data to date, even Google has 'lost' data on its SaaS services (2011, the email servers, being one of the more well-known major times that Google has lost data).
There are small books written on why you should maintain control of your own backups on SaaS platforms and on any externally hosted data. Suffice it to say, we think it is a very good idea for you to have access to data that is 'offsite' from your SaaS or hosting provider, and we give you the tools to take these backups as part of our base security audit package. And if you self-host, we still think this is an important service, to make sure you have backups in a site that is as unlikely as possible to be affected.

How much should we pay for security audits? Some corporations will spend literally millions a year. Some pay zero. We know of one company that spends about $100K USD to test each new piece of software (such as LoginHub, which passed all their tests in 2019) even though the software they are buying costs much less than $100K. Unfortunately, there is no 'maximum' that will guarantee you will have no security issues. Our security audit gives a very high 'bang for the buck', catching all well-known security flaws that have known solutions, and we keep creating solutions.

What about the statement 'The company that wrote the software should guarantee there are no flaws' or 'The company that did the install should make sure that everything was done to be completely secure'? The above paragraph really answers that: there is no way to perfectly achieve that level of security, so we recommend first running our entry-level audit to catch all the major points of security that we are aware of, and then deciding how much (tens of thousands, hundreds of thousands or millions of dollars a year) is the right amount for your organization.
This gives you Facebook and Twitter for service requestors, and AD and Okta for your technicians and managers.
If you don't want a 'full bore' customized page and just want a few tweaks, typically to match your corporate branding, the Customizable Login Pages feature is for that. It allows you to put in your own logo and change colors.
Build a set of URLs that automatically log users in as long as they are already logged into the provider; a URL can also specify the database if you want. This gets rid of the need to 'login'. Service Requestors would then have zero clicks during login; technical people would normally have one click, but you can also set them up with no clicks. If you have or purchase nlh09, Direct Login comes with it.
For buying the API and using the samples.
There is a computer in a hospital.
It is sitting on a cart in a hallway, or on a common access desk at the nurse’s station.
In order to make the computer both domain-connected (required for patch management and other reasons) and usable without logging in, IT has set up the computer to automatically LOGIN using a fixed user account. That user account is typically specific to that computer. We'll call it a "hardware account".
If a doctor or nurse needs to get Medical information, they walk up, click an icon on the desktop and get information. Some information will be available simply based on the permissions of the “Hardware Account”.
Other applications like the MC family are ‘secured’ (or should be) by a proper AD login that uniquely defines the person.
But that means that the normal AD login in LoginHub, or any other SSO product, will fail, because it is designed NOT to PROMPT if the "user" is already using a domain account (which it actually is).
Some hospital customers "fix" this problem by saying "FORCE everyone to login regardless". This is possible, but most hospitals do not want to do that.
The reason a hospital would NOT want to force everyone to login is that while these "hallway" computers are common, they are not 100% of the computers. Managers and regular workers have offices and their own computers, which are PROPERLY logged in, and this would irritate everyone who is not using a "hallway" computer. It keeps all the rest of the advanced SSO user management, but it loses the "SSO" part (the single sign-on part) of LoginHub.
Almost no one "ignores it", because then the user would "successfully" log in as what amounts to a "random user" and would likely access the Service Requester. While most users likely wouldn't even notice, since all they do is put in Service Requests, you would have odd things like:
When you use a specific PC, it would have a history list of other people's service requests
All work on that device would be done by that “Hardware Account”.
A manager or Tech would never be able to use those “hallway” PCs for their normal work
Other random issues
And SOME hospitals "fix" this by filtering out the 'fixed' user accounts. But they then need to handle the error on login by determining that this is "one of 'those' accounts" and instructing LoginHub. So we provide (at a cost) a tool we call the LoginHub API that lets you control this type of activity. With it we provide the Direct Login feature and sample code that, with some or no tweaking, can be used in your environment to fix this problem in the most elegant way we know.

Now, what happens to the "fixed" account? The "fixed" account is still logged into the workstation session, even though the live user is logged into the application within the same workstation session.
Not all features are available at this time; talk to us if you need providers we don't have yet.