This article informs developers and administrators about the actions to take when developing and deploying GeneXus applications so that they are better protected against threats that the default configuration of the GeneXus IDE does not cover, or that it covers in the ways explained here.
It should be stressed that every development or configuration change must be tested before it is deployed to a production environment. This applies in particular to changes in the server configuration.
Every deployment has its own characteristics, so there is no single recommended configuration for everything that GAM offers. Several settings, however, should be reviewed and set to values appropriate for the application. This section lists the essential tasks to perform when configuring GAM for a safe deployment; for details on each item, see the documentation on recommended changes.
- Change the password of the administrator user “admin.”
The administrator users that GAM creates automatically in the repository have a default password, so it must be changed in the GAM backend before deploying.
- Change the password of the repository administrator user “gamadmin.”
This password is changed through the GAM API, from code. The object that runs that code must not be reachable by non-administrators.
- Create new connections (Repository Connections) or edit the existing ones in the repository.
By default, GAM creates a connection user named after the Knowledge Base version (lowercased), with a password derived from the same name. For example, for a version called “MY_APP” the user name is “my_app” and the password is “my_app123.” Because this pattern is predictable, create new connections, or at least change the default password, before deploying to production.
- Delete all users intended for testing.
- Deploy the metadata of Native Mobile applications only when strictly required. See the App Update property and the Enable KBN property for details.
- The web server must not serve the connection.gam file, which holds the repository connection settings.
- The GAM backend must be private: only users with the “Administrator” role may run its panels.
The Web Panel objects already enforce this restriction. If, however, the backend binaries distributed with GAM are not used and the “GAM Examples” are compiled instead, the panels GAMExampleRecoverPasswordStep1 and GAMExampleRecoverPasswordStep2 must be edited as indicated in the GAM Examples article; they are sample panels and must not be deployed as distributed. The same applies to the panels GAMExampleRegisterUser, GAMExampleUpdateRegisterUser and GAMExampleChangePassword.
The following settings of the GAM repositories should be reviewed and configured:
- User remember me type: The safest value is “None.”
- User remember me timeout (days): Depending on the security requirements, at most 30 days is recommended, and lower as the sensitivity of the application increases.
- User recovery password key timeout (minutes).
- Minimum amount characters in login.
- Login retries to lock user.
- Login attempts to lock session.
- Unblock user timeout (minutes).
- Give anonymous session?
- User session cache timeout (seconds): A value smaller than or equal to 30 seconds is recommended.
- Expire the session when the IP changes?
- User activation method: The “Automatic” value is not recommended.
- User automatic activation timeout (hours).
- Repository cache timeout (minutes).
- Check the repository's default values for the properties Repository default security policy and Repository default role.
The following settings of the GAM security policy should be reviewed and configured:
- ONLY WEB
- Session time out (minutes).
- Allow multiple concurrent user sessions: The safest value is “No.”
- ONLY REST OAUTH (Mobile, GAMRemoteRest)
- Token Expire (minutes): There is no fixed recommended value; it depends on the required security level (the lower the value, the shorter the window in which a leaked token can be used, so the safer the application).
- Token maximum renovations: So that a short token lifetime does not force users to enter their credentials again, also allow at least one token renewal (refresh).
- Period change password (days).
- Minimum waiting time between password changes (days).
- Minimum password length: The exact minimum is debatable, but 8 is usually suggested provided the other complexity rules below are also enforced.
- Minimum number of numeric characters in passwords.
- Minimum number of uppercase characters in passwords.
- Minimum number of special characters in passwords.
- Maximum password history entries.
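The password items above (minimum length, minimum numeric, uppercase and special characters, password history, minimum waiting time between changes and the change period) are easier to reason about when written as one check. The following is an added example, not GAM's own validation code: it implements those rules over a constructed policy and password history, and the storage of the history as salted PBKDF2 hashes is a choice made here so the example never keeps old passwords in plaintext, not a description of how GAM stores them.

```python
"""Password-policy check mirroring the GAM security policy settings.
Added example with assumed semantics; not GAM's implementation."""
import hashlib
import os
import string
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

HistoryEntry = Tuple[bytes, bytes]   # (salt, PBKDF2 digest)


@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    minimum_numeric: int = 1
    minimum_uppercase: int = 1
    minimum_special: int = 1
    maximum_history_entries: int = 5         # how many old passwords may not be reused
    minimum_days_between_changes: int = 1    # "Minimum waiting time between password changes"
    period_change_password_days: int = 90    # "Period change password"


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def in_history(password: str, history: List[HistoryEntry], max_entries: int) -> bool:
    """history is ordered most recent first; only the last max_entries count."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[:max_entries])


def check_new_password(policy: PasswordPolicy, candidate: str, history: List[HistoryEntry],
                       last_change: Optional[date], today: date) -> List[str]:
    """Returns the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if sum(c.isdigit() for c in candidate) < policy.minimum_numeric:
        problems.append(f"fewer than {policy.minimum_numeric} numeric characters")
    if sum(c.isupper() for c in candidate) < policy.minimum_uppercase:
        problems.append(f"fewer than {policy.minimum_uppercase} uppercase characters")
    if sum(c in string.punctuation for c in candidate) < policy.minimum_special:
        problems.append(f"fewer than {policy.minimum_special} special characters")
    if in_history(candidate, history, policy.maximum_history_entries):
        problems.append(f"reuses one of the last {policy.maximum_history_entries} passwords")
    if last_change is not None and (today - last_change).days < policy.minimum_days_between_changes:
        problems.append(f"changed less than {policy.minimum_days_between_changes} day(s) ago")
    return problems


def password_expired(policy: PasswordPolicy, last_change: date, today: date) -> bool:
    """True once the change period has elapsed and a new password must be set."""
    return (today - last_change).days >= policy.period_change_password_days


def demo() -> Dict[str, object]:
    """Constructed sample data: two old passwords and a last change on 2024-01-10."""
    policy = PasswordPolicy()
    history = [hash_password("Winter2023!"), hash_password("Autumn2023!")]
    last_change = date(2024, 1, 10)
    return {
        "weak": check_new_password(policy, "password", history, last_change, date(2024, 2, 1)),
        "reused": check_new_password(policy, "Winter2023!", history, last_change, date(2024, 2, 1)),
        "too_soon": check_new_password(policy, "Spring2024!", history, last_change, date(2024, 1, 10)),
        "ok": check_new_password(policy, "Spring2024!", history, last_change, date(2024, 2, 1)),
        "expired": password_expired(policy, last_change, date(2024, 5, 1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The “too_soon” case is the one people usually forget: the minimum waiting time between changes exists so that a user cannot cycle through the history limit in a minute and return to the old password, so it only has effect when the history setting is non-zero as well.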
- In the case of mobile devices, the actions programmed by GeneXus developers are in general translated into calls to REST web services, so the REST services must be protected in the same way as the objects of the mobile application.
To find these services, search the KB for “Rest Protocol = TRUE” and set the permissions on each one as appropriate (see the “Integrated Security Levels” section).
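Two of the items on this page can be verified against the running deployment rather than only in the IDE: that the web server does not serve connection.gam, and that each REST service rejects unauthenticated calls. The following smoke check is an added example, not GAM's own tooling. It assumes that connection.gam would be reachable at the application root and that REST services are exposed under the /rest/<ServiceName> path; both are assumptions to adjust for the actual deployment, and the responses in demo() are constructed stand-ins for a server, not real traffic.

```python
"""Post-deployment smoke check for connection.gam exposure and
unauthenticated access to REST services. Added example, not GAM tooling."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# (HTTP method, URL) -> status code. Injected so the check can run offline.
Fetcher = Callable[[str, str], int]


def urllib_fetch(method: str, url: str) -> int:
    """Real fetcher: sends the request with no credentials and returns the status."""
    data = b"{}" if method == "POST" else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Accept": "application/json",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def audit(base_url: str, rest_services: List[Tuple[str, str]],
          fetch: Fetcher = urllib_fetch) -> List[str]:
    """Returns one finding per problem; an empty list means both checks passed.
    rest_services holds (method, service name) pairs found via "Rest Protocol = TRUE"."""
    findings = []
    status = fetch("GET", f"{base_url}/connection.gam")   # assumed location
    if status == 200:
        findings.append("connection.gam is served (HTTP 200): block it in the web server")
    for method, service in rest_services:
        status = fetch(method, f"{base_url}/rest/{service}")   # assumed path convention
        if status not in (401, 403):
            # 200 means the service answered without credentials; any other code
            # (404, 405, 500) is reported too, because it means the check did not
            # actually exercise the service and needs the right method or path.
            findings.append(f"{service}: unauthenticated {method} returned {status}, expected 401/403")
    return findings


def demo() -> List[str]:
    """Constructed responses standing in for a deployed server."""
    fake_server: Dict[Tuple[str, str], int] = {
        ("GET", "https://app.example/MyApp/connection.gam"): 200,     # exposed
        ("POST", "https://app.example/MyApp/rest/GetOrders"): 401,    # protected
        ("POST", "https://app.example/MyApp/rest/UpdateOrder"): 200,  # unprotected
    }

    def fake_fetch(method: str, url: str) -> int:
        return fake_server.get((method, url), 404)

    return audit("https://app.example/MyApp",
                 [("POST", "GetOrders"), ("POST", "UpdateOrder")], fake_fetch)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run audit() with the real fetcher against a staging copy first; a service that legitimately allows anonymous access (for example one whose security level is set to that on purpose) will show up as a finding and has to be excluded deliberately rather than by lowering the expectation for all services.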