Configuring Security Settings

Modify security settings for Faspex user accounts, self-registration, external senders and encryption. Go to Server > Configuration > Security to view or modify your server's security settings for Faspex user accounts, self-registration, external senders, and encryption.

Faspex Accounts

Configuration Option	Description
Session timeout	Sessions time out after the specified number of minutes of inactivity.
Lock users	Lock the user account when login attempts fail under the specified circumstance or after a specified number of days of inactivity.
Remove users	Remove users after a specified number of days of inactivity.
Prevent concurrent login	If enabled, users can only be logged in from one client at a time.
Passwords expire	When activating global password expiration, all users with default password policies are updated with a password expiration date specified by the password expiration interval. Admins can override this global policy in a user's account settings. See Configure User Settings. Note: When changing password expiration interval, changes to password expiration date do not occur until next password change for each user if password expiration is already active.
Prevent password reuse	Prevent users from reusing passwords. Enter the number of previous passwords users cannot reuse.
Use strong passwords	If enabled, requires newly created passwords to contain at least one letter, one number and one symbol. Existing passwords remain valid. Admins may also change the strong password criteria by editing the faspex.yml file, which is located in the following directory: /opt/aspera/faspex/config/faspex.yml Inside faspex.yml, paste the following code (where `StrongPasswordRegex` is the password criteria as a regular expression and `StrongPasswordRequirements` is the description that appears to the user underneath the field): StrongPasswordRegex: (?=.[A-Z])(?=.(\d\|\W\|_)).{7,} StrongPasswordRequirements: "Password must meet this criteria..." For more information on faspex.yml, see Configuring Faspex with faspex.yml
Require new users to change password on first login	If this feature is enabled, new users must enter a new password when they first log in.
Allow locked out users to unlock themselves	If this feature is enabled, locked out users can select the Forgot my password button to have a password reset email sent to them. Using the link, they can reset their email and log in.
Keep user directory private	When set to Yes, prevents a Faspex user (even if they have permissions to send to all Faspex users) from being able to see the entire user directory. You can override this setting on a user-by-user basis by editing their permissions. Important: When the privacy setting is turned on (set to Yes), users who have been assigned the role of Workgroup Admin can still view the entire list of Faspex users via the Workgroup Members page.
Users can see global distribution lists by default	Select to give all users access to the global distribution lists. If this option is disabled, admins must configure a user's settings to grant access to global distribution lists.
Ignore invalid recipients	Prevent a package from failing to send even when addressed to invalid recipients. Faspex skips any invalid user and delivers the package to all valid recipients in the list.
Allow users to change their email address	Enable users to change their own email addresses in their account preferences (see Configure Personal Account Preferences). If this feature is disabled, only admins can change a user's email address.
Send welcome email to all new users	Faspex sends a welcome email to all users. This welcome email includes a link to download Aspera products, a password reset link, and a link to login to Faspex. Note: The password reset link expires after one week.

Registrations

Configuration Option	Description
Self-registration	Choose whether non-users can create or request user accounts. None: Non-users are not allowed to create or request user accounts. Moderated: An admin must approve the account before it is created. Unmoderated: Once a user registers, his or her account is automatically created. If you allow self-registration, Aspera recommends the moderated setting for security. Warning: If self-registration is enabled, then it could be utilized to find out whether a certain account exists on the server. That is, if you attempt to self-register a duplicate account, you receive a prompt stating that the user already exists. After a user self-registers (either moderated or unmoderated), his or her account inherits the permissions of the configured template user and automatically becomes a member of designated workgroups. To configure the template user, go to Accounts > Pending Registrations and select the user. To set the workgroups that newly created users join, click the workgroups link. Although self-registered users are, by default, not allowed to send packages to other self-registered users, you can modify this setting by selecting Self-registered users can send to one another. Important: To prevent a self-registered account from having the same email address as a full Faspex user, Admins can add a special option to faspex.yml. You can find faspex.ymlin the following directory: /opt/aspera/faspex/config/faspex.yml Inside faspex.yml, within the "Production:" section, paste the following option and set it to "true": EnforceSelfRegisteredUserEmailUniqueness: true
Terms of service	Enter a statement that users are required to accept in order to self register an account. If you do not enter a statement, users are not required to accept terms of service to create an account.
Notify the following emails to approve	This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation. Note: These email addresses are not validated against existing Faspex admins or managers.
Require external users to register	Select to force external users to register a Faspex account to download packages sent to them. External users register with the same process as self-registered users. For more information about requesting accounts, see Requesting an Account. Note: You must first allow users to send packages to external email addresses by selecting the Allow sending to external email addresses. For more information, see the description for the option below.
Use default registration policy for external users	Select this option to use the same registration policy you chose for self registration for external users registering accounts. Note: This option appears when you selected Require external users to register. You must choose a registration policy for self registration to select this option.
Registration policy for external users	If you do not use the default registration policy, choose either Moderated or Unmoderated. Moderated: An admin must approve the account before it is created. Unmoderated: Once a user registers, his or her account is automatically created.
Terms of service for external users	Enter a statement that external users are required to accept in order to create an account. If you do not enter a statement, users are not required to accept terms of service to create an account.
Notify the following emails to approve external users	This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation. Note: These email addresses are not validated against existing Faspex admins or managers.
Self-registered users can send to one another	Select to allow self-registered users to send packages to other self-registered users. Note: Self-registered users must have permission to send to all Faspex users. If a self-registered user does not have permission to send to all Faspex users, the Self-registered users can send to one another option has no effect. For more information giving a user permission to send to all Faspex users, see Configure User Settings.

Important: If users are allowed to self-register, they see the Request an account link on the login page. After a user clicks this link and completes the form, admins are prompted under Accounts > Pending Registrations > Actions to Approve or Deny the account.

Outside email addresses

Configuration Option	Description
Allow inviting external senders	When Allow inviting external senders is selected, external senders (those who do not have Faspex accounts) can be invited to send a package to a user. Important: An admin can enable or disable this feature for specific users while still retaining the server-wide setting of enabled or disabled. Go to Accounts and select the user to enable or disable this feature. For more information on this setting, see Configure User Settings.
Allow public URL	Allow a user to send a Public URL to users without Faspex accounts. These external users can submit packages to registered Faspex users through this public URL. For more information about Public URLs, see Configuring Public URLs. Select Allow public submission URLs to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny. Tip: An admin can enable or disable this feature for specific users while still retaining the server setting.
Allow sending to external email addresses	Select Allow sending to external email addresses to enable all Faspex users to send packages to external email addresses. This feature is enabled by default. Select Allow sending to external email addresses to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny. Tip: An admin can enable or disable this feature for specific users while still retaining the server setting.
Package link expires	This field appears when you select Allow sending to external email addresses. When enabled, the package link expire after the specified number of days.
Expire after full package download	This field appears when you select Allow sending to external email addresses. If this checkbox is enabled, the package link expires after one download. This is also applicable when the link is forwarded. After the first download, the files must be re-sent in a new package through Faspex for the recipient to be able to download them again.

Encryption

Configuration Options	Description
Encrypt transfers	Select to encrypt all transfers with the AES-128 encryption method. HTTP fallback transfers are also encrypted.
Use encryption-at-rest	Encryption-at-Rest (EAR) requires users, on upload, to enter a password to encrypt the files on the server. Package recipients are required to enter the encryption password to decrypt protected files as they are being downloaded. If a user chooses to keep downloaded files encrypted, they are not required to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the IBM Aspera Connect Browser Plug-in Always: Always use EAR. Users must enter an encryption password when sending a password. Never: Do not use EAR. This is the default setting. Optional: Users may choose to encrypt when uploading a package. Note: This EAR setting only applies to transfers initiated through Faspex. Transfers initiated using ascp from the command line or the Enterprise Server GUI are not encrypted unless configured in the aspera.conf file. For more information on encrypting ascp transfers, see the IBM Aspera Enterprise Server Admin Guide.
Allow dropboxes to have their own encryption settings	Select to allow admins to adjust Encryption-at-Rest settings for each dropbox. For more information on creating and configuring dropboxes, see Creating a Dropbox.

Important: You must click the Update button to apply and save your changes.