This documentation supports the 23.3 version of BMC Helix ITSM.To view an earlier version, select the version from the Product version menu.

Configuring security options

As an enhanced security measure, you can configure different security options in Smart IT, such as restricting certain type of file attachments and updating the content security policy.

For information about configuring security options for Mid Tier, see Enabling cross launch to Mid Tier.

To restrict attachment file types in Smart IT

You can restrict users from attaching certain file types to ​​​​​​​Smart IT records by setting options in the AR System server. For example, you might want to restrict users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. When you restrict attachment file types, an error message is displayed if users try to attach those file types in the following contexts:

Related topics

Clearing the server cache

General troubleshooting

  • Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
  • Asset profiles (for example, profile images)
  • People profiles (for example, profile images)
  • Activity feed
  • Email
  • Broadcasts
  • Change request documents
  • Knowledge articles

By default, the Attachment Security settings are blank, which allows all attachment types. For more information about these settings, see Restricting users from uploading and viewing files with specific extensions.

To restrict attachment file types in Smart IT, perform the following steps:

  1. Log in to ​​​​​​​Smart IT as an administrator.
  2. Open the AR System Administration Console, and select System > General > Server Information.
    The AR System Administration: Server Information form appears.
  3. On the Server Information form, click the Attachment Security tab. 
    attachmentsecurity.png
  4. From the Attachment Criteria list, select an option to allow or disallow attachments with specific file extensions.
  5. In the Comma separated list of limit extensions field, enter a comma-separated list of file extensions such as exe,com.
  6. Click Apply.
  7. Clear the ​​​​​​​Smart IT cache.

To update the content security policy

Smart IT uses a content security policy (CSP) to determine which type of resources are allowed to be loaded in the application UI. The CSP is a set of properties stored in Centralized configuration. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks.  You can use AR System Configuration component setting to set or modify the CSP properties. For example, the CSP defines the source domains that are valid for loading scripts and objects. ​​​​​​​Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.

Warning

CSP properties ending in _0 and _n00 are reserved by BMC, such as smartItCsp_script-src_0 , smartItCsp_script-src_100 , smartItCsp_script-src_200 , and so on.

Do not remove or modify any of the following default properties, or Smart IT will not function properly:

  • smartItCsp_connect-src_0
  • smartItCsp_object-src_0
  • smartItCsp_script-src_0

Based on the requirements of your organization, you can add your own directives to the CSP. For example, you might want to allow users to add images from external sources to knowledge articles. To do so, you must add a new property to the Centralized configuration in the following format:

Property Name

Property Value

smartItCsp_directive-name_number

http://company.domain.com http://company.domain2.net

Where directive-name is the name of a supported CSP directive (such as object-src), and number is a whole number identifier for your customer property, such as 1. For example:

smartItCsp_object-src_1

For the property value, include a space-separated list of allowed sources, up to a total of 255 characters. For example:

http://company.domain.com http://company.domain2.net http://company.domain3.org

If the list of allowed sources exceeds 255 characters, you can create additional properties for the same directive as needed. For example:

  • smartItCsp_ object-src_1
  • smartItCsp_ object-src_2
  • smartItCsp_ object-src_3
Warning

If you add a new img-src property (smartItCsp_ img-src_1), you must include 'self' as the first allowed source in the property value. If 'self' is not included in this manner, images added from internal Smart IT sources (such as profile images) do not appear in the ​​​​​​​Smart IT UI.

Example: 'self' http://company.domain.com http://company.domain2.net

To configure source editing for knowledge articles

By default, the Source button is disabled when users create or update knowledge articles, and users cannot edit the source code. If you want to enable source editing, open the isCKEditorSourceEditable property in the Centralized configuration form and change its value from false to true.

To allow preview of PDF document when CSP is applied

  1. Open Form AR System Configuration Component Setting from Mid Tier.
  2. Search for property with SettingName > smartItCsp_. You will see smartItCsp_object-src_.
  3. In the Setting value, enter blob.
  4. Click Save.
  5. Restart ​​​​​​​Smart IT server or wait for 30 minutes for the settings to take effect.

To enable Strict-Transport-Security response header

You can enable Strict-Transport-Security response header for ​​​​​​​Smart IT. For example, by using the Strict-Transport-Security parameter, you can restrict the browsers to access Smart IT by using HTTPS only and not HTTP. For more information, see Setting-configuration-parameters-in-BMC-Helix-ITSM.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*