The settings in Admin > Security let you add security controls around the logins and sessions used by your intranet.
Site Level Login
With this setting, you control whether users must log into the site with a username and password assigned through Logins, or whether anonymous access is allowed.
This setting determines how logins are created and how users log into the site.
Form Authentication is solely for use with user logins that have been manually created with a username and password. The demo accounts that are automatically in the software are form-based logins. Usernames and passwords are stored in the database for authentication purposes. With this setting, users are expected to type in their username and password.
Windows Authentication is solely for use with AD Synchronization. Users' credentials are synchronized with Active Directory and users can log in automatically with their Windows-based credentials. Usernames are stored in the database but passwords are not; the browser passes the credentials to the domain controller specified in your AD Synchronization settings for authentication. With this setting, users can check the Windows Authentication box on the login screen and have the username and password populated automatically.
Mixed Mode Authentication is for use with both of the above. This is the recommended setting immediately after AD Synchronization is enabled, until workstation logins have been tested and proven to work without error. With this setting, users can either check the Windows Authentication box or type in their credentials, depending on their login type.
When users log into the site, or are logged in automatically with Windows Authentication, a unique session is created for the user for the duration of their visit. This session holds information about the user, including any elevated rights they have been assigned. You can configure the session expiry so that the site automatically logs the user out after the specified period of inactivity. This setting does not apply to Windows Authentication, as those users are logged in automatically.
You can enable a captcha on the login screen to help block login attempts from automated programs on the internet that are designed to guess logins. This does not apply if you have not externalized the site.
You can choose to enforce an EULA or any other message you choose. Users must accept this message when they log into the site. You may select an interval after which the EULA expires, forcing the user to accept the agreement again. If you make a change and choose Enforce, ALL users will be prompted to accept again on their next login.
This feature can be used to prevent ALL users EXCEPT administrators from accessing the intranet during periods of maintenance or upgrading. Users who are not administrators will see the message you have entered under this setting.
These settings are available only when Authentication Mode is not set to Windows Authentication only. They let you improve site security by blocking brute-force login attempts, rotating your users' passwords, and enforcing password minimums. These settings apply only to form-based logins.
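The brute-force blocking and password rotation described here, together with the inactivity-based session expiry described above, can be modelled in a few lines. The following is an added illustration, not code from Intranet Connections; the attempt limit, lockout period, password age and idle timeout are constructed values, not the product's defaults.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values for illustration; they are not the product's defaults.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=15)
PASSWORD_MAX_AGE = timedelta(days=90)
SESSION_IDLE_TIMEOUT = timedelta(minutes=20)

@dataclass
class Account:
    password: str            # plaintext only for this illustration; store a salted hash in practice
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: datetime = datetime.min   # datetime.min means "not locked"

def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Form-based login with brute-force lockout; returns 'locked', 'failed', 'rotate' or 'ok'."""
    if now < account.locked_until:
        return "locked"  # reject even a correct password while the lockout lasts
    if not hmac.compare_digest(password, account.password):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT
            account.failed_attempts = 0
            return "locked"
        return "failed"
    account.failed_attempts = 0
    account.locked_until = datetime.min
    # Rotation: a correct password that has reached its maximum age must be changed.
    return "rotate" if now - account.password_set_at >= PASSWORD_MAX_AGE else "ok"

def session_expired(last_activity: datetime, now: datetime) -> bool:
    """Session expiry: the user is logged out after the configured idle period."""
    return now - last_activity >= SESSION_IDLE_TIMEOUT

def demo() -> dict:
    """Constructed scenario: five wrong guesses lock the account, even against the right password."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("correct-horse-battery", password_set_at=t0 - timedelta(days=100))
    guesses = [attempt_login(acct, "wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    during_lock = attempt_login(acct, "correct-horse-battery", t0 + timedelta(minutes=1))
    after_lock = attempt_login(acct, "correct-horse-battery", t0 + timedelta(minutes=16))
    return {"guesses": guesses, "during_lock": during_lock, "after_lock": after_lock,
            "idle": session_expired(t0, t0 + timedelta(minutes=21))}
```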
Create your own welcome message, which is sent to all new users. If this option is re-enabled, you will be asked whether to send the welcome message to all users in the system.
Login Error Handling
You can specify what message appears with failed login attempts.
Application Delete Lock
This setting lets you require a confirmation password to be entered when triggering the deletion of an app or site. This password is not required for super admins.
Lucee’s XSS protection is limited.