MicroStrategy ONE

Security Page

You can secure connections between MicroStrategy Web and the rest of the MicroStrategy system using the options in the Security page of the MicroStrategy Web Administrator page.

Access

To access the Security page, click the Security link on the left pane of the MicroStrategy Web Administrator Page.

Fields

Encryption:

  • Traffic to the Intelligence Server: Determine whether data transferred between the Web and Intelligence Server machines is encrypted. By default, this data is not encrypted.

    • No encryption (default): Data transferred between the Web and Intelligence Server machines is not encrypted.

    • SSL: Uses Secure Sockets Layer (SSL) encryption to secure data between Web and Intelligence Server. This is the recommended option for secure communications. For instructions to set up SSL encryption for Web, see the System Administration Help.

For details and steps to determine how data in MicroStrategy Web is encrypted and stored, see Encrypt Traffic, Manage Browser Caching, and Manage Session Information.

Browser caching: Determine web browser caching settings.

Cookies: See Configure SameSite Cookies for MicroStrategy Web and MicroStrategy Mobile for more information.

Diagnostics: You can prevent diagnostic information from being added to the source page. Use the following options to determine whether to include the exception information, include the request information, or include both:

  • Include exception information in the page source: Determine whether to include the exception stack trace in the page source. This checkbox is cleared by default.

  • Include request information in the page source: Determine whether to include the request information in the page source. This checkbox is cleared by default.

  • Override unhandled Intelligence Server error messages: Define a generic error message to display to users for any Intelligence Server error. This option affects the error message displayed to users in Web; the error is recorded in the MicroStrategy Web logs using the default Intelligence Server error message, regardless of the error message displayed to users.

    MicroStrategy provides a way to display custom error messages for specific errors, and includes some custom error messages by default. If an error has a custom error message, the custom error message is displayed to users instead of the generic error message. For steps to define a custom error message for a specific error, see the MicroStrategy Developer Library (MSDL) provided with MicroStrategy SDK.

  • Include time stamp in error message: Include a timestamp with the generic error message. The timestamp can help identify the specific Intelligence Server error that prompted the error message.

URL:

  • Session information is included on the URL: Clear the checkbox to hide the server name and port number in the URL of pages displayed in MicroStrategy Web. If the checkbox is selected, the server name and port number are displayed, and a user can bookmark a MicroStrategy Web page by adding it to the Favorites list in the web browser. Users can also share and assign permissions to objects such as reports and documents in Web. For more information on controlling session information, see Encrypt Traffic, Manage Browser Caching, and Manage Session Information. This checkbox is selected by default.

    Even with the session information in the URL, bookmarks support only basic pages that correspond to saved objects or static links. This means you cannot bookmark a report page after you have applied manipulations.

User Input Filtering: Determine if HTML (including scripts) can be used in any of the following. For details and steps, see How to Control the Use of HTML and JavaScript in Web.

  • Project description and project header: Determine if any HTML included in either the project description on the project page or the project header is displayed. For example, a developer may want to display a hyperlink within the description of the project. HTML must be enabled for such hyperlinks to be displayed.

  • Object description: Determine if any HTML included in object descriptions and threshold definitions is displayed. If this setting is enabled, when users browse the folders, the hyperlinks are displayed in object definitions and descriptions. This checkbox is cleared by default.

  • Prompt titles and descriptions: Determine if any HTML included in the title or description of a prompt is displayed. For example, a prompt designer may have included a hyperlink within a prompt's description. HTML must be enabled in the prompt text for such hyperlinks to be displayed. This checkbox is cleared by default.

  • Metric values: Determine if any HTML included in metric values is displayed. For example, a metric designer may have included thresholds that open a website when analysts click them. HTML must be enabled in the metric values for such hyperlinks to be displayed. This checkbox is cleared by default.

  • Print header and footer: Determine if HTML in the print header and footer of a report or document is displayed. A designer may have included images in the header and footer layout of a report or document. HTML must be enabled in the print header and footer for such images and HTML to be displayed. This setting only applies to HTML printing, and does not apply if PDF printing is enabled. To disable PDF printing, clear the Use PDF for printing reports checkbox in the General Dialog. This checkbox is cleared by default.

  • Exported text in plain text or CSV formats: Determine if HTML is included when a user exports a report to plain text or CSV. The inclusion of HTML in plain text files can cause some browsers to execute the text file as if it were a script. When this checkbox is selected, SCRIPT tags are encoded so browsers do not execute text files that are not meant to be executed as scripts. This checkbox is cleared by default.

  • Graph tooltips: Determine if any HTML formatting included in graph tooltips is displayed. For example, a designer may have included HTML line breaks or bold formatting in the tooltip for series values in a graph. HTML must be enabled for graph tooltips for such formatting to be displayed properly. This checkbox is cleared by default.

  • Allow JavaScript Execution for Report Services Documents Hyperlinks: Determine whether to execute JavaScript in a hyperlink in a Report Services document. When this checkbox is selected and a user clicks a hyperlink within a document, any included JavaScript is executed. For example, a document designer may create a text field and enable the Is Hyperlink property for the text field. In the Hyperlink field, they type "javascript:alert('click me!');". The JavaScript will be executed if a user clicks on that text field in Express Mode. This checkbox is cleared by default.

Login: You can enable or disable the following login options for MicroStrategy Web users. For details and steps to modify the login options, see How to Define Login Options.

  • Allow automatic login if session is lost: Determine whether users are automatically logged back in to a project if their MicroStrategy Web session is lost. This option only applies to users with standard, LDAP, or database authentication. Web automatically logs Windows and guest authentication users back in if the session is lost. This checkbox is cleared by default.

  • Allow users to change expired password: Determine whether users can change a password that has expired. Passwords can be set to expire after a certain period of time; you can set this preference when you create a user. By default, users cannot change an expired password. This checkbox is cleared by default.

  • Allow AutoComplete: Determine whether the AutoComplete feature in users' browsers is able to store MicroStrategy login information. If AutoComplete is on, users do not have to type their login information completely. For example, if a user's name is 'djohnson' and they begin to type the letters 'd' and 'j', AutoComplete brings up the word 'djohnson.' The user can then select 'djohnson' instead of typing the rest of the letters. This checkbox is cleared by default.

  • Create new HTTP session upon login: Determine whether to provide additional security by creating a new HTTP session each time a user logs in to a project. Select this checkbox to help prevent session fixation attacks. This setting is only applicable to the JSP version of MicroStrategy Web. This checkbox is selected by default.

  • Allow users to log in by including their user ID and password in the URL: Determine whether to allow the user to automatically log into a project by including the user ID and password information when using the Web URL API, for example, when executing a report or document. This checkbox is selected by default. If the checkbox is cleared, the user ID and password are ignored, forcing the user to log in using the interface. For more information about using the Web URL API, see the MicroStrategy Developer Library (MSDL), part of the MicroStrategy SDK product.

Preferences:

  • Allow users with the 'Web administration' privilege to change project default preferences on all projects: Determine whether Web users with the Web Administration privilege can apply changes to project defaults for all projects on an Intelligence Server to which they have access. For details and steps to allow users to modify project defaults, see How to Allow Users to Modify Project Defaults.

    If this checkbox is selected, users can select Apply to all projects on the current MicroStrategy Intelligence Server from the drop-down list at the bottom of the Project Defaults page to apply their changes to all projects. If this checkbox is cleared, users can only select the Apply to the current project option from the drop-down list at the bottom of the Project Defaults page, to apply changes to the project they are currently logged in to. This checkbox is selected by default.

MicroStrategy Library configuration: Enter the secret key that allows sessions to be shared between MicroStrategy Web and MicroStrategy Library.

Other: Clickjacking (also called a UI redress attack) is a form of security attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when the user intended to click the top-level page. In other words, the attacker is hijacking clicks meant for a legitimate page and routing them to another page that is most likely owned by another application, domain, or both. For example, an attacker may load the login page of a trusted website into an invisible iFrame to trick a user into typing their user name and password into the invisible frame. You can defend against clickjacking attempts by enabling the following options:

  • Prevent clickjacking by adding a frame-breaking script to pages: Select this option to prevent the page from being incorporated into a frame or iFrame using a script that forces the parent window to load the URL of the current frame. This option is supported in all web browsers and preserves all the page's content. However, portals are not supported using this option because the portal contents will replace the parent window.

    MicroStrategy recommends enabling this option.

  • Prevent clickjacking by adding an X-Frame-Options: SAMEORIGIN header to page responses: X-Frame-Options is an HTTP response header sent by the server to tell web browsers under what conditions the contents of a page should be allowed to load within a frame. Browsers that understand the header will not display the contents of the page if the conditions are violated. However, if the user is on a non-secure or unfamiliar network, attackers may be able to use a proxy to strip the header.

    MicroStrategy recommends enabling this option.

    Select this option to allow the page to load in a frame if the page and the frame attempting to load the page share the same domain. This option accommodates portals coming from the same domain, and gives attackers fewer chances to find a workaround. However, requests from cross-domain portals will be denied. The portal server must be under the same domain as the MicroStrategy Web server that is serving the content. This option is supported by Internet Explorer 8+, Safari 4+, Chrome 4+, and Firefox 3.6+.
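As an added example (not MicroStrategy code), the following JavaScript models how a browser evaluates the X-Frame-Options header that the SAMEORIGIN option adds, following the HTML Standard's processing rules, and how the frame-breaking option behaves when a portal embeds the page. The host names and URLs are constructed placeholders, not values from this page.

```javascript
// Added example, not MicroStrategy code: models the browser-side evaluation of
// X-Frame-Options (per the HTML Standard) so an administrator can predict which
// portal set-ups a browser will render once the SAMEORIGIN option is enabled.

// Browsers compare full origins (scheme + host + port), not just domain names.
function originOf(url) {
  return new URL(url).origin;
}

// Returns true if a browser honouring X-Frame-Options would render pageUrl when
// it is framed by the given chain of ancestor documents (portal page first, then
// any outer frames). xfoHeader is the raw header value, or null when absent.
function framingAllowed(pageUrl, ancestorUrls, xfoHeader) {
  if (xfoHeader === null || xfoHeader === undefined) {
    return true; // header missing (or stripped by a proxy): nothing stops framing
  }
  // Several X-Frame-Options headers are combined with commas; normalise case.
  const values = new Set(
    xfoHeader.split(',').map((v) => v.trim().toLowerCase()).filter((v) => v !== '')
  );
  if (values.size > 1) {
    return !values.has('deny'); // conflicting values: only DENY still blocks
  }
  const [value] = values;
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    const page = originOf(pageUrl);
    return ancestorUrls.every((ancestor) => originOf(ancestor) === page); // every ancestor must match
  }
  return true; // unrecognised values (e.g. legacy ALLOW-FROM) are ignored by browsers
}

// Models the frame-breaking script option: when the page is not the top-level
// document, the script navigates the top window to the page's own URL, which is
// why a portal that embeds the page ends up replaced by it. Returns the URL the
// top window is sent to, or null when no navigation is needed.
function frameBreakerTarget(pageUrl, topUrl) {
  return topUrl === pageUrl ? null : pageUrl;
}

// Constructed scenarios; web.example.com is a placeholder MicroStrategy Web host.
const WEB_PAGE = 'https://web.example.com/web/report';
const SCENARIOS = {
  sameDomainPortal: framingAllowed(WEB_PAGE, ['https://web.example.com/portal/'], 'SAMEORIGIN'),
  crossDomainPortal: framingAllowed(WEB_PAGE, ['https://portal.example.org/'], 'SAMEORIGIN'),
  differentPort: framingAllowed(WEB_PAGE, ['https://web.example.com:8443/portal/'], 'SAMEORIGIN'),
  nestedCrossDomain: framingAllowed(WEB_PAGE, ['https://web.example.com/portal/', 'https://other.example.net/'], 'SAMEORIGIN'),
  headerStripped: framingAllowed(WEB_PAGE, ['https://other.example.net/'], null),
  portalReplacedByBreaker: frameBreakerTarget(WEB_PAGE, 'https://web.example.com/portal/'),
};
```

The headerStripped case is why the page recommends enabling both options: with the header removed in transit, only the frame-breaking script still protects the page.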