Keystroke recommends that all hosting clients implement the best practices outlined below in order to ensure maximum security of their databases. These guidelines should be interpreted as "high level" security measures, and not an exhaustive list of all security tools available. Act! supports many different levels of security including login (database security), user security (with different permissions available to different security roles), contact security (available through "limited access" and "private" settings), and field level security – which allows you to limit access to certain fields to designated users.
Contact access security can also be enforced through sync sets for remote users to control which contacts they can see.
Obviously these guidelines are advisable for unhosted customers, as well.
1. Act! User Account Management
Database administrators can enforce a password policy by clicking “Tools > Password Policy”. The following password policy settings are recommended:
* Repetition: User cannot reuse last 5 passwords.
* Duration: Password must change every 90 days.
* Length: Password must be at least 8 characters in length.
* Complexity: Password must contain 4 of 4 character groups (lower case, upper case, numbers, special characters).
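The length, complexity and repetition rules above, expressed as a pre-check an administrator can run before setting a password in "Tools > Manage Users". This is an added example, not Keystroke's or Act!'s own code: Act! enforces the policy itself, and the hash list passed as $PreviousHashes is an assumed, locally kept history used only to illustrate the "last 5" rule (the 90-day duration rule is an expiry setting on the database and is not a property of a new password, so it is not checked here).

```powershell
function Get-Sha256Hex {
    param([string]$Text)
    # Plain SHA-256 keeps the example short; a real history store should use a salted, slow hash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $sha.Dispose() }
}

function Test-ActPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$PreviousHashes = @()   # newest first; only the last 5 are consulted
    )
    $failures = @()

    # Length: at least 8 characters
    if ($Password.Length -lt 8) { $failures += 'shorter than 8 characters' }

    # Complexity: all 4 of the 4 character groups must be present
    $groups = @{
        'lower case' = '[a-z]'
        'upper case' = '[A-Z]'
        'number'     = '[0-9]'
        'special'    = '[^a-zA-Z0-9]'
    }
    foreach ($g in $groups.GetEnumerator()) {
        if ($Password -notmatch $g.Value) { $failures += "missing $($g.Key) characters" }
    }

    # Repetition: must not match any of the last 5 passwords
    $hash   = Get-Sha256Hex $Password
    $recent = $PreviousHashes | Select-Object -First 5
    if ($recent -contains $hash) { $failures += 'reuses one of the last 5 passwords' }

    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

# Usage with a constructed history of two earlier passwords
$history = @('Winter2024!', 'Spring2024!') | ForEach-Object { Get-Sha256Hex $_ }
Test-ActPasswordPolicy -Password 'Winter2024!'    -PreviousHashes $history  # reuse: not compliant
Test-ActPasswordPolicy -Password 'correcthorse'   -PreviousHashes $history  # 3 groups missing
Test-ActPasswordPolicy -Password 'Summer2025#Act' -PreviousHashes $history  # compliant
```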
When creating users using the “Tools > Manage Users” menu option, Administrators can set the following additional security options:
* Force the user to change their password at next log on.
* Disable the option “Password never expires”.
* Users should be given the least amount of privileges based on their security role. Only trusted individuals should be given access to the Administrator and Manager roles. A detailed breakdown of roles in Act! and their permissions is available in the following document: http://kb.act.com/app/answers/detail/a_id/15284
* Database users should not reuse the same password for multiple systems. For instance, we’ve had numerous requests from customers’ IT staff to align the Act! usernames/passwords with the Active Directory or Windows usernames/passwords. This is strongly discouraged, as network security roles do not often match Act! security roles, and aligning them could compromise security for both. Also, Act! allows easy password reset by a database Admin, whereas aligning them requires considerably more coordination to help a user log in to Act!.
* Users should refrain from saving the password while logging in, and should close Act! and/or lock their workstation when away from their desk.
* Users should refrain from sharing their passwords with other users.
* Users should refrain from storing their own or others’ passwords in Act! or other applications which store data in plain text.
2. Act! for Web Settings
* Users should be automatically logged off from Act! for Web after 20 minutes of inactivity. This is the default setting and can be configured by our hosting staff at the administrator’s request. The reason for this default setting is resource management. Users that close the browser instead of logging out of Act! for Web properly actually leave their online session active for the duration of the inactivity period.
In cases where there are multiple users logging in and out through the day, a long inactivity period could consume much more server memory than necessary, and seriously degrade performance.
* Even though unencrypted HTTP connections are allowed, users should be encouraged to access the Act! for Web website using an HTTPS encrypted connection. All Keystroke hosting servers support SSL encryption.
* Web browsers must be updated regularly to ensure any security issues are patched. Make sure you configure your browser to support your unique database URL so it is a trusted site that permits pop-ups.
* When accessing Act! for Web from a mobile device, users should be encouraged to lock their devices using a PIN.
3. Act! for Desktop Settings
* While using a remote database on a desktop/laptop, users should be encouraged to encrypt their hard drives. This will ensure that the data is protected in the event of theft.
* A local firewall should be enabled which blocks any incoming connections, especially to Act! and Microsoft SQL Server. For servers hosting a database, administrators must ensure only the local subnet is given access to Act! shared files and the Microsoft SQL Server instance.
For larger, more secure deployments, Keystroke recommends an Internet-facing “Application Server” and an offline “Database Server”. This will prevent any external connections to the SQL databases.
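One way to apply the subnet restriction above on a Windows machine hosting an Act! database, using the built-in Windows Firewall cmdlets. This is an added example, not Keystroke's or Act!'s own configuration; it assumes a placeholder local subnet of 192.168.10.0/24 and that the Act! SQL Server instance has been pinned to static TCP port 1433 (also a placeholder: named instances default to a dynamic port, so fix the port first or the rule will not match).

```powershell
$LocalSubnet = '192.168.10.0/24'   # placeholder: replace with the real local subnet
$SqlPort     = 1433                # placeholder: the static port assigned to the Act! instance

# 1. Default-deny inbound on every profile; only the explicit Allow rules below get through.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. SQL Server: allow TCP from the local subnet only.
New-NetFirewallRule -DisplayName 'Act! SQL Server (local subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $LocalSubnet -Action Allow -Profile Domain,Private

# 3. SQL Browser (UDP 1434) is used by clients that resolve a named instance by name;
#    restrict it to the same subnet instead of leaving it reachable from anywhere.
New-NetFirewallRule -DisplayName 'Act! SQL Browser (local subnet only)' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -RemoteAddress $LocalSubnet -Action Allow -Profile Domain,Private

# 4. Act! shared files are served over SMB: allow TCP 445 from the local subnet only.
New-NetFirewallRule -DisplayName 'Act! shared files SMB (local subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $LocalSubnet -Action Allow -Profile Domain,Private

# 5. Verify: every Act! rule must carry the subnet restriction, never 'Any'.
Get-NetFirewallRule -DisplayName 'Act!*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Port       = "$($port.Protocol)/$($port.LocalPort)"
        RemoteAddr = $addr.RemoteAddress
        Enabled    = $_.Enabled
    }
} | Format-Table -AutoSize
```

In the Application Server / Database Server split described above, replace $LocalSubnet in the SQL rules with the application server's address alone, so nothing else on the network can reach the SQL instance.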
* Remote databases should be regularly synced, both manually and automatically using the Act! Scheduler program. Keystroke hosting emails customers when a remote database goes a certain interval without syncing.
* Keystroke also recommends using network security to reinforce your document security with Act!. If you need to store sensitive documents within Act!, store those files in a secure share on your network, and then “link” them to your database. If a network user does not have access to the network share, the linked document will behave like a dead link. Network users authorized to access the share will be able to click on the link within Act! and see the document.
* Third party plugins should be approved by administrators before being installed to ensure they will not affect the database performance or security in a negative manner. For instance, some addons can bypass certain Record Creation rules.
Developing good security policies is essential, but Keystroke always reminds businesses that weaknesses in “practice” will always undermine “policy”. These security priorities must be enforced and adopted from the top down for the rank-and-file users to respect them.
Administrators that require more security than is available out-of-the-box should consult our Act! Consultants for information on addons that can lock down your database further, including ways to customize user roles and addons that can better secure the company and group tables.