Reflection Desktop includes a number of security features designed to protect your personal data and prevent it from being read by unauthorized users.
Following the best practices below will help you design a secure terminal emulation solution. They are high-level recommendations and considerations; for detailed information about the security features that Reflection Desktop supports, see Secure Connections in the Reflection Desktop Help.
✓ Monitor Reflection Desktop security alerts
Micro Focus regularly publishes security alerts in knowledge base articles. You can find the most recent alerts at:
✓ Use the highest level of TLS for secure connections
Reflection Desktop supports TLS 1.2 for IBM 3270 and 5250 sessions. Reflection Desktop 17.0 and higher also support TLS 1.3. If the hosts in your environment support TLS 1.3, use it. Keep in mind that the version a session actually negotiates is one that both the client and the host accept, so the minimum version you allow on the client is what sets the floor; do not leave older versions enabled merely for convenience.
✓ Use the strongest encryption ciphers available in your environment
Reflection Desktop 17.0 includes enhanced capabilities that let you disable cipher suites that are less secure and enable the ciphers used in your environment that you consider stronger. In general, prefer suites that combine ephemeral (ECDHE) key exchange, which provides forward secrecy, with an AEAD cipher such as AES-GCM or ChaCha20-Poly1305, and disable RC4, 3DES, export-grade, anonymous and NULL suites. See SSL/TLS (Security Properties Dialog Box).
✓ Stay current with versioning in Reflection Desktop
Staying current with major releases, service packs and updates (when available) ensures that the latest security patches and fixes are deployed to your end users. Micro Focus strives to make each new version of Reflection Desktop more secure than the last. The Host Connectivity team responsible for developing new versions is a dedicated staff of senior engineers with a strong focus on product security; they evaluate all security alerts against the currently released products and incorporate updates into the next versions. Micro Focus development teams use a Secure Development Lifecycle process in which ongoing training and product review are intended to keep security vulnerabilities out of the software and to ensure that all new features are developed with security in mind.
✓ Use certificates in a secure manner
Configure Reflection Desktop to prevent the security risks associated with certificates. In practice this means validating the host certificate chain against a trusted certificate authority, checking that the certificate's name matches the host the session connects to, and rejecting expired or revoked certificates rather than letting users click through certificate warnings.
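The three connection practices above (highest TLS version, strongest cipher suites, certificates validated properly) can be stated as concrete, checkable settings. The following is an added example and is not Reflection Desktop code; Reflection's own TLS options are set in its SSL/TLS Security Properties dialog, not through this module. It uses Python's standard ssl module to build a weak and a hardened client configuration and to audit either against a policy. The thresholds in the policy (TLS 1.2 floor, forward-secret AEAD suites only, chain and hostname verification) are assumptions chosen for the example.

```python
"""Audit a TLS client configuration against a minimum security policy.

Added example, not part of Reflection Desktop or its documentation. The
policy values below are assumptions for the example, not Reflection settings.
"""
import ssl

# Assumed policy: TLS 1.2 as the floor, only forward-secret AEAD suites, and
# full certificate chain plus hostname verification.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ALLOWED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Name fragments that identify cipher suites the policy never allows.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations found in a client SSLContext (empty if compliant)."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            f"minimum TLS version is {ctx.minimum_version.name}; policy requires TLSv1_2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification not required (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate name not matched against the host (check_hostname is False)")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif not name.startswith(("ECDHE", "DHE", "TLS_")):
            # TLS 1.3 suites (TLS_*) are always forward secret; in TLS 1.2 only
            # ephemeral (EC)DHE key exchange is.
            findings.append(f"cipher suite without forward secrecy enabled: {name}")
        elif not any(aead in name for aead in ("GCM", "CHACHA20", "CCM")):
            findings.append(f"non-AEAD cipher suite enabled: {name}")
        elif suite["strength_bits"] < 128:
            findings.append(f"cipher suite with {suite['strength_bits']}-bit key enabled: {name}")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The configuration to avoid: legacy versions, library-default ciphers, no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # any legacy version the library still has
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT")  # library default; normally includes RSA key exchange (no forward secrecy)
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The configuration the policy asks for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(ALLOWED_CIPHERS)
    ctx.load_default_certs()  # trust the platform's CA store
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(f"[{label}]")
        for finding in audit_context(ctx) or ["compliant"]:
            print("  ", finding)
```

The weak context produces findings for the version floor, the missing certificate verification and the missing hostname check, and usually one per non-forward-secret suite the library enables by default; the hardened context produces none. The same audit can be run against any context a client library hands you before it is used for a connection.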
✓ Control access to product features that are not needed
Limit access to settings and controls, and consider setting up custom templates with locked-down settings so that users must use secure settings, such as the latest TLS version, when they create new sessions. You can restrict access to almost any Reflection setting or control to prevent users from changing values such as the host address a session connects to, which both simplifies support and resolves security concerns. Once a setting is locked, changing it requires administrative access; users cannot change it unless they elevate to administrator. Access to almost every Reflection Desktop feature can be enabled or disabled with Microsoft Group Policy or with Reflection *.ACCESS files that you create with the Reflection Desktop administrative tools. See Section 8.0, Control Access to "Lock Down" Settings and Controls.

Control access. Lock down or disable features that can be used in an insecure manner. For example, giving users access to the programming and macro languages allows them to record or write automation code that includes user IDs and passwords. That code can then be freely distributed among users, creating a security risk.

Set up session templates. Deploy session templates with pre-configured settings to control the types of sessions users can create. For example, create templates with pre-configured SSL/TLS settings and lock those settings down with Group Policy or the Reflection Desktop administrative tools; then configure Reflection to hide the built-in templates so that only your custom templates are available. See Set up Session Templates.
✓ Configure the Reflection Desktop Trust Center to protect data and information privacy
Use the Trust Center to protect your working environment from information theft, and your data from the damage that opening documents from untrusted sources can cause. You can configure settings to protect the following types of data and information:

Trusted Locations. A trusted location is a directory designated as a secure source for opening files. By default, Reflection allows users to open documents only from directories specified as trusted locations and prevents them from opening documents outside those locations.

Information Privacy. Consider protecting sensitive data such as credit card Primary Account Numbers (PANs), phone numbers, and US Social Security numbers. Information Privacy lets you configure Reflection Desktop so that this data is not displayed on the screen or in productivity features such as Screen History. It also lets you require secure connections and redact PANs in logs.

API and Macro Security. Consider the following options for handling the Reflection Desktop API and macros. You can configure Trust Center settings to:
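A trusted-location policy is only as good as the containment check behind it. The following is an added example, not Reflection Desktop code: it shows the check a file opener has to apply to decide whether a document lies inside a trusted directory, and the two cases a naive string-prefix comparison gets wrong (a sibling directory whose name merely starts with the trusted one, and a path that escapes through ".." or a symbolic link). The directory and file names are constructed for the example.

```python
"""Decide whether a document may be opened under a Trusted Locations policy.

Added example, not Reflection Desktop code. Paths and file names are
constructed for the example.
"""
import os
import tempfile


def is_in_trusted_location(path: str, trusted_dirs: list[str]) -> bool:
    """True only if `path` resolves to a location inside one of `trusted_dirs`."""
    real = os.path.realpath(path)  # resolves symlinks and normalises ".."
    for trusted in trusted_dirs:
        base = os.path.realpath(trusted)
        try:
            if os.path.commonpath([real, base]) == base:
                return True
        except ValueError:
            # Different drives (Windows) or mixed absolute/relative paths: not inside.
            continue
    return False


def naive_prefix_check(path: str, trusted_dirs: list[str]) -> bool:
    """The check to avoid: accepts anything whose text merely starts with a trusted path."""
    return any(path.startswith(t) for t in trusted_dirs)


def demo() -> dict[str, bool]:
    """Run both checks over constructed paths; returns case name -> decision."""
    trusted = ["/opt/reflection/sessions"]
    cases = {
        "inside": "/opt/reflection/sessions/payroll.session",
        "sibling_with_same_prefix": "/opt/reflection/sessions_old/payroll.session",
        "dotdot_escape": "/opt/reflection/sessions/../../../etc/passwd",
    }
    results = {name: is_in_trusted_location(p, trusted) for name, p in cases.items()}
    results["naive_accepts_sibling"] = naive_prefix_check(cases["sibling_with_same_prefix"], trusted)

    # Symlink escape: a link inside the trusted directory that points outside it.
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = os.path.join(tmp, "trusted")
        outside = os.path.join(tmp, "outside")
        os.makedirs(trusted_dir)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.session")
        with open(secret, "w") as fh:
            fh.write("constructed file outside the trusted location")
        link = os.path.join(trusted_dir, "looks_trusted.session")
        try:
            os.symlink(secret, link)
        except (OSError, NotImplementedError):
            return results  # symlinks unavailable here; skip that case
        results["symlink_escape"] = is_in_trusted_location(link, [trusted_dir])
        results["naive_accepts_symlink"] = naive_prefix_check(link, [trusted_dir])
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Resolving both the candidate path and the trusted directory with realpath before comparing them is what makes the sibling-directory, ".." and symlink cases come out as "not trusted"; comparing the raw strings accepts the first and last of those.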
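Redacting PANs in logs, as the Information Privacy settings above can do, is harder than masking every long number: order numbers, timestamps and account identifiers must be left readable. The following is an added example, not Reflection Desktop code, showing the filter a log writer applies: candidate digit runs of 13 to 19 digits are confirmed with the Luhn check before being masked, and dashed US Social Security numbers are masked separately. The log line and card numbers are constructed (the card numbers are standard test numbers, not real accounts).

```python
"""Redact card PANs and US SSNs from log text before it is written or shared.

Added example, not Reflection Desktop code. The log line below is
constructed; the card numbers in it are industry test numbers.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form, excluding area/group/serial values that are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

LOG_LINE = ("2024-03-04 10:15:02 sess=acct01 screen='PAYMENT 4111 1111 1111 1111 AMT 120.00 "
            "ORD 1234567890123 CARD2 3782 822463 10005 SSN 123-45-6789'")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: separates card numbers from order IDs, timestamps and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask Luhn-valid 13-19 digit sequences, keeping only the last four digits."""
    def mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)  # fails Luhn: not a card number, leave it readable
    return PAN_CANDIDATE.sub(mask, text)


def redact_ssns(text: str) -> str:
    """Mask dashed SSNs, keeping the last four digits."""
    return SSN.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def redact(text: str) -> str:
    """Apply all redactions in one pass over a log line."""
    return redact_ssns(redact_pans(text))


if __name__ == "__main__":
    print(redact(LOG_LINE))
```

Run on the constructed line, both card numbers are masked to their last four digits, the SSN becomes ***-**-6789, and the 13-digit order number, which fails the Luhn check, is left as it is. Apply the filter at the point where the log record is formatted, before it reaches disk or a forwarder; redacting a file after the fact leaves a window in which the PAN was stored in clear.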
✓ Do not save passwords in macros
Including user IDs or passwords in macros or other automation code creates a security risk. When a VBA macro is recorded in Reflection Desktop, a password prompt dialog box is automatically added to the macro in place of the recorded password. Using this prompt in macros that require user credentials keeps the credential out of the macro file, so it cannot be read from or redistributed with the macro. There may be circumstances where you need to consider embedding a password in a macro; this is a security risk. Undertake it with extreme caution and only after careful deliberation of the potential for the password to be compromised by others who should not have it, as described in Technical Information Document 7024220.

NOTE: The Reflection Desktop software does not store host usernames or passwords anywhere in the product configuration files, and Reflection Workspace logs do not capture host usernames or passwords.
✓ Consider using a centralized management server to manage host sessions
You can centrally manage, secure, and monitor users' access to host connections with Micro Focus Host Access Management and Security Server (MSS), a separately available product designed to provide centralized management for Reflection sessions.
✓ Consider encrypting session documents
You can encrypt 3270, 5250, and Open Systems session documents to protect them against unauthorized reading and changes. Encryption scrambles the data in a session document, helping to prevent unauthorized users from reading or changing the file's contents. Encryption protects the file itself and does not replace the access controls described above; for best results, use document encryption together with the encryption options in Reflection Permissions Manager. See Encrypt a Session File.