Security Guidance for Employee Portal/Web Client

Multi-factor Authentication

Employee Portal is a web-based platform that allows employees to access company resources, information, and tools. To ensure the security of the portal, Multi-factor Authentication (MFA) can be implemented. MFA is a security mechanism that requires users to provide two or more forms of authentication before accessing the portal. 

One form of MFA is 2-step verification. This involves entering a username and password, followed by a second factor such as a code sent to the user's email address. This ensures that even if someone has obtained the user's password, they cannot access the portal without also having access to their email account. 

Another form of MFA is CAPTCHA login. CAPTCHA is a type of challenge-response test used to determine whether or not the user is human. This prevents automated bots from accessing the portal and ensures that only authorized users can log in. 

Finally, Active Directory Authentication can also be used as an MFA method for Employee Portal. Active Directory (AD) is a directory service developed by Microsoft that provides authentication and authorization services for Windows-based computers. By integrating AD with the employee portal, users can log in using their AD credentials, which adds an extra layer of security to the login process. 

Overall, implementing MFA methods such as 2-step verification, CAPTCHA login, and Active Directory Authentication can help ensure that only authorized employees can access the company's resources through the Employee Portal.

Password Policy

You may consider implementing a Password Policy. A password policy is a set of rules designed to enhance computer security by encouraging users to create and implement stronger passwords. Some of the main benefits of strong policies include preventing unauthorized account access, reducing data loss, ensuring proper password strength and preventing the leakage of sensitive information.

HTTPS Secure Connection

To ensure secure communication between the employee portal/web client and the server, it is essential to configure HTTPS in Internet Information Services (IIS). This involves obtaining an appropriate SSL certificate, creating an HTTPS binding on the site, and testing the configuration by making a request to the site. By enabling HTTPS, data transmitted between the client and server is encrypted, providing a secure and private connection.

Website Security

Additionally, as Employee Portal and HRPro Web Client are running on the Microsoft Web Server (the Internet Information Server). For the administration and management of a web server, please consult your network administrator. The following information provides some guidelines for IIS Security. 

• Security Guidance for IIS 🡕 

• How To Set Up an HTTPS Service in IIS 🡕

• Manage Security of Your Windows IIS Web Services 🡕 

• IIS Best Practices 🡕 

• Web Server Security Best Practices 🡕 

• Guidelines on Securing Public Web Servers 🡕 

• 10 Ways to Improve Data Security🡕

• Website Security Checklist: Protect Your Website in 2023🡕

For better security control for the Employee Portal/Web Client, you could also consider the following:

• RSA SecurID Access 🡕  RSA SecurID Access is a multi-factor authentication solution that provides secure access to web applications, VPNs, and cloud services. It uses a combination of something the user knows (such as a password) and something the user has (such as a token) to verify the user’s identity 1. RSA SecurID Access is part of the AI-powered RSA Unified Identity Platform, which combines automated identity intelligence, authentication, access, governance, and lifecycle to protect organizations from risks and prevent threats. By implementing RSA SecurID Access, organizations can ensure that only authorized users have access to sensitive information and resources. It provides an additional layer of security to protect against unauthorized access, data breaches, and other cyber threats.

• Cisco AnyConnect 🡕 Cisco AnyConnect is a VPN client that provides secure remote access to enterprise networks. It uses SSL encryption to protect data transmitted between the user’s device and the network, ensuring that sensitive information is not intercepted by hackers . Cisco AnyConnect Secure Mobility Client provides additional security features such as multi-factor authentication (MFA) and endpoint posture assessment to ensure that only authorized users have access to the network. Cisco AnyConnect Secure Mobility Client also integrates with Cisco Identity Services Engine (ISE) to prevent noncompliant devices from accessing the network 2. With Duo’s MFA, users can gain secure remote access to the network by verifying their identities. Cisco Umbrella Roaming extends protection to users when they are off the VPN.