Security for the Navis TOS

Securing your terminal operating system (TOS) is essential to avoid the worst-case scenario: an attacker taking control of your entire system without your knowledge. Although even the most secure systems can be compromised, you must still take every step you can to deter and discourage unauthorized users from accessing your system.

Navis recommends that you take action in the following areas to reduce the vulnerability of your terminal operating system:

Password/Users Management

  • After you install N4, you must change the default passwords for all pre-configured users in N4.

  • Implement strong password requirements and retry rules. N4 administrators should review and apply the appropriate N4 security settings under Administration Settings.

  • Configure user session timeout rules.

  • Use LDAP for password storage, if available. See Set up LDAP support for User Authentication for instructions on setting up external user authentication with LDAP.

  • Change passwords often. Use the checklist for changing the various passwords.

  • Administrators can force users to create a new password.

  • Disable any guest users on all Windows servers and server-room clients. Follow security standards for securing your operating systems.

  • Do not allow multiple users to share a login account. Each user should have a unique login account.

  • If you are running N4 on Windows, configure the N4 service to log on with a non-administrator user account, such as:

      ◦ the Network Service account (a password is not required for this account)

      ◦ a domain user account

      ◦ a managed service account

    Make sure this account has full access to the local N4 folders and read/write permission on the shared network folder.

Internet Access Restrictions and Firewall Policies

  • Use Transport Layer Security or Secure Sockets Layer (TLS/SSL) for all web components. Limit internet access through the load balancer, such as the Apache HTTP Server, and configure it for SSL.

  • Disable LLMNR and NetBIOS on Windows servers.

  • Restrict external access by using an IP address whitelist on your load balancer or in N4. Use either the N4 IP Address Whitelist feature or a third-party configuration to limit access between components within your network.

  • Keep all web services behind the firewall.

  • Keep JMX (MBeans) behind the firewall. Firewalls and load balancers should be configured to block access to the JMX port. If you are using a third-party monitoring tool such as Hyperic, the servers should be whitelisted for access to JMX.

  • Hide the N4 Mobile URLs from the internet. Any N4 URLs that are not explicitly needed for clients to access N4 should be hidden.

  • Consider using VPN or Citrix to access internet-facing URLs such as N4 CAP. The risk of being hacked due to N4 being accessible on the internet can be reduced by hiding the URLs behind VPN access. Users would need to be authenticated on the VPN to access N4.

  • Use third-party Denial of Service mitigation. If Denial of Service attacks are of concern, invest in a service or tool specializing in this type of attack.
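The following PowerShell script is an added example, not Navis documentation or N4 code. It applies two of the Windows-host items above: running the N4 service as Network Service with the folder permissions it needs, and disabling LLMNR and NetBIOS over TCP/IP, then reports the resulting state. The service name `N4Service` and the folder `C:\N4` are assumed placeholders; run it in an elevated session.

```powershell
# Added example (not Navis documentation or N4 code). Placeholders below
# must be replaced with the real N4 service name and install folder.
$ServiceName = 'N4Service'   # placeholder: real N4 Windows service name
$N4Folder    = 'C:\N4'       # placeholder: real local N4 install folder

# 1. Run the N4 service as NT AUTHORITY\NetworkService (no password needed)
#    and give that account full control of the local N4 folders.
#    On network shares, Network Service authenticates as the computer
#    account (DOMAIN\HOSTNAME$), so grant read/write on the share to that.
sc.exe config $ServiceName obj= 'NT AUTHORITY\NetworkService'
icacls $N4Folder /grant 'NT AUTHORITY\NetworkService:(OI)(CI)F' /T | Out-Null

# 2. Disable LLMNR through the DNS client policy key (the same value the
#    GPO "Turn off multicast name resolution" writes).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $llmnrKey -Force | Out-Null
Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Type DWord -Value 0

# 3. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = take from DHCP, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $r.ReturnValue
    }

# 4. Verify the host state so any item still open is visible before go-live.
function Test-N4HostHardening {
    $llmnr = (Get-ItemProperty -Path $llmnrKey -ErrorAction SilentlyContinue).EnableMulticast
    $netbiosOn = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                 Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    $svc = Get-CimInstance Win32_Service -Filter "Name = '$ServiceName'"
    [pscustomobject]@{
        LlmnrDisabled         = ($llmnr -eq 0)
        NetBiosStillEnabledOn = @($netbiosOn | ForEach-Object Description)
        ServiceLogonAccount   = $svc.StartName   # expect 'NT AUTHORITY\NetworkService'
    }
}
Test-N4HostHardening
```

Restart the N4 service after the logon account change, and reboot if any adapter reported ReturnValue 1.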

Login Activity Monitoring

  • Use the Current Users Monitor view to view information about users that are currently logged into N4.

  • Use the Authentication History view to view a history of authentication failures. This might indicate unauthorized login attempts.