Configuring Security Settings

Modify security settings for Faspex user accounts, self-registration, external senders and encryption. Go to Server > Configuration > Security to view or modify your server's security settings for Faspex user accounts, self-registration, external senders, and encryption.

Faspex Accounts

Configuration Option Description
Session timeout Sessions time out after the specified number of minutes of inactivity.
Lock users Lock the user account when login attempts fail under the specified circumstance or after a specified number of days of inactivity.
Remove users Remove users after the specified number of days of inactivity. Local, directory service, and SAML users can be configured separately.
Prevent concurrent login If enabled, users can only be logged in from one client at a time.
Passwords expire When activating global password expiration, all users with default password policies are updated with a password expiration date specified by the password expiration interval. Admins can override this global policy in a user's account settings. See Configure User Settings.
Note: When changing password expiration interval, changes to password expiration date do not occur until next password change for each user if password expiration is already active.
Prevent password reuse Prevent users from reusing passwords. Enter the number of previous passwords users cannot reuse.
Use strong passwords If enabled, requires newly created passwords to contain at least one letter, one number and one symbol. Existing passwords remain valid. Admins may also change the strong password criteria by editing the faspex.yml file, which is located in the following directory:
/opt/aspera/faspex/config/faspex.yml

Inside faspex.yml, paste the following code (where StrongPasswordRegex is the password criteria as a regular expression and StrongPasswordRequirements is the description that appears to the user underneath the field):

StrongPasswordRegex: (?=.*[A-Z])(?=.*(\d|\W|_)).{7,} 
StrongPasswordRequirements: "Password must meet this criteria..." 
For more information on faspex.yml, see Configuring Faspex with faspex.yml
Require new users to change password on first login If this feature is enabled, new users must enter a new password when they first log in.
Allow locked out users to unlock themselves If this feature is enabled, locked out users can select the Forgot my password button to have a password reset email sent to them. Using the link, they can reset their email and log in.
Keep user directory private

When set to Yes, prevents a Faspex user (even if they have permissions to send to all Faspex users) from being able to see the entire user directory. You can override this setting on a user-by-user basis by editing their permissions.

Important: When the privacy setting is turned on (set to Yes), users who have been assigned the role of Workgroup Admin can still view the entire list of Faspex users via the Workgroup Members page.
Allow users to create normal packages If this feature is disabled (unselected), users cannot access the New Packages site and can only create dropbox packages (only if they are a member of a dropbox). This option can also be set for individual users by going to Accounts > Users, clicking the username, and selecting an option for Can create normal packages.
Users can see global distribution lists by default Select to give all users access to the global distribution lists. If this option is disabled, admins must configure a user's settings to grant access to global distribution lists.
Ignore invalid recipients Prevent a package from failing to send even when addressed to invalid recipients. Faspex skips any invalid user and delivers the package to all valid recipients in the list.
Allow users to change their email address Enable users to change their own email addresses in their account preferences (see Personal Account Preferences). If this feature is disabled, only admins can change a user's email address.
Send welcome email to all new users Faspex sends a welcome email to all users. This welcome email includes a link to download Aspera products, a password reset link, and a link to login to Faspex.
Note: The password reset link expires after one week.

Registrations

Configuration Option Description
Self-registration Choose whether non-users can create or request user accounts.
  • None: Non-users are not allowed to create or request user accounts.
  • Moderated: An admin must approve the account before it is created.
  • Unmoderated: Once a user registers, his or her account is automatically created.
If you allow self-registration, Aspera recommends the moderated setting for security.
Warning: If self-registration is enabled, then it could be utilized to find out whether a certain account exists on the server. That is, if you attempt to self-register a duplicate account, you receive a prompt stating that the user already exists.

After a user self-registers (either moderated or unmoderated), his or her account inherits the permissions of the configured template user and automatically becomes a member of designated workgroups. To configure the template user, go to Accounts > Pending Registrations and select the user. To set the workgroups that newly created users join, click the workgroups link. Although self-registered users are, by default, not allowed to send packages to other self-registered users, you can modify this setting by selecting Self-registered users can send to one another.

Important: To prevent a self-registered account from having the same email address as a full Faspex user, Admins can add a special option to faspex.yml. You can find faspex.ymlin the following directory:
/opt/aspera/faspex/config/faspex.yml

Inside faspex.yml, within the "Production:" section, paste the following option and set it to "true":

EnforceSelfRegisteredUserEmailUniqueness: true
Terms of service Enter a statement that users are required to accept in order to self register an account. If you do not enter a statement, users are not required to accept terms of service to create an account.
Notify the following emails to approve This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation.
Note: These email addresses are not validated against existing Faspex admins or managers.
Require external users to register Select to force external users to register a Faspex account to download packages sent to them. External users register with the same process as self-registered users. For more information about requesting accounts, see Requesting an Account.
Note: You must first allow users to send packages to external email addresses by selecting the Allow sending to external email addresses. For more information, see the description for the option below.
Use default registration policy for external users Select this option to use the same registration policy you chose for self registration for external users registering accounts.
Note: This option appears when you selected Require external users to register. You must choose a registration policy for self registration to select this option.
Registration policy for external users If you do not use the default registration policy, choose either Moderated or Unmoderated.
  • Moderated: An admin must approve the account before it is created.
  • Unmoderated: Once a user registers, his or her account is automatically created.
Terms of service for external users Enter a statement that external users are required to accept in order to create an account. If you do not enter a statement, users are not required to accept terms of service to create an account.
Notify the following emails to approve external users This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation.
Note: These email addresses are not validated against existing Faspex admins or managers.
Self-registered users can send to one another Select to allow self-registered users to send packages to other self-registered users.
Note: Self-registered users must have permission to send to all Faspex users. If a self-registered user does not have permission to send to all Faspex users, the Self-registered users can send to one another option has no effect. For more information giving a user permission to send to all Faspex users, see Configure User Settings.
Important: If users are allowed to self-register, they see the Request an account link on the login page. After a user clicks this link and completes the form, admins are prompted under Accounts > Pending Registrations > Actions to Approve or Deny the account.

Outside email addresses

Configuration Option Description
Allow inviting external senders When Allow inviting external senders is selected, external senders (those who do not have Faspex accounts) can be invited to send a package to a user. For more information on external senders, see Allowing Users to Send to External Email Addresses.
Important: An admin can enable or disable this feature for specific users while still retaining the server-wide setting of enabled or disabled. Go to Accounts and select the user to enable or disable this feature. For more information on this setting, see Configure User Settings.
Invitation link expires Select to set a global policy for invitation link expiration times for personal and dropbox invitations. You can set a time in days, expire the link after one successful upload, allow users to set a custom link expiration policy, or a combination. For example, you can select both a time in days and allow users to set a custom policy. If the default policy is to expire links after 5 days, then users can set links to expire after less than 5 days but not longer than 5 days.

Clear this option to never let invitation links expire.

Allow public URL

Allow a user to send a Public URL to users without Faspex accounts. These external users can submit packages to registered Faspex users through this public URL. For more information about Public URLs, see Configuring Public URLs.

Select Allow public submission URLs to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny.
Tip: An admin can enable or disable this feature for specific users while still retaining the server setting.
Allow sending to external email addresses Select Allow sending to external email addresses to enable all Faspex users to send packages to external email addresses.

This feature is enabled by default. Select Allow sending to external email addresses to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny.

Tip: An admin can enable or disable this feature for specific users while still retaining the server setting.
Package link expires

This field appears when you select Allow sending to external email addresses.

When enabled, the package link expire after the specified number of days.
Expire after full package download

This field appears when you select Allow sending to external email addresses.

If this checkbox is enabled, the package link expires after one download. This is also applicable when the link is forwarded. After the first download, the files must be re-sent in a new package through Faspex for the recipient to be able to download them again.

Encryption

Configuration Options Description
Encrypt transfers Select to encrypt all transfers with the AES-128 encryption method. HTTP fallback transfers are also encrypted.
Use encryption-at-rest Encryption-at-Rest (EAR) requires users, on upload, to enter a password to encrypt the files on the server. Package recipients are required to enter the encryption password to decrypt protected files as they are being downloaded. If a user chooses to keep downloaded files encrypted, they are not required to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the IBM Aspera Connect
  • Always: Always use EAR. Users must enter an encryption password when sending a password.
  • Never: Do not use EAR. This is the default setting.
  • Optional: Users may choose to encrypt when uploading a package.
Note: This EAR setting only applies to transfers initiated through Faspex. Transfers initiated using ascp from the command line or the Enterprise Server GUI are not encrypted unless configured in the aspera.conf file. For more information on encrypting ascp transfers, see the IBM Aspera Enterprise Server Admin Guide.
Allow dropboxes to have their own encryption settings Select to allow admins to adjust Encryption-at-Rest settings for each dropbox. For more information on creating and configuring dropboxes, see Creating a Dropbox.
Important: You must click the Update button to apply and save your changes.