Windows Server must have SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 disabled.
Windows Server must have TLS 1.3 enabled.
The Astrow web application must be installed on the latest versions of Windows Server and IIS.
The Astrow web application must be reachable only over HTTPS.
If Astrow is served over HTTPS, the following settings must be present in the web.config file.

Inside <appSettings>, add this key:
    <add key="UseOnlyHTTPs" value="1" />

Inside <system.web>, add this block (if an <authentication mode="Forms"/> tag already exists, replace it):
    <authentication mode="Forms">
        <forms requireSSL="true"></forms>
    </authentication>

If TLS 1.3 is enabled on the Windows Server, also add this key inside <appSettings>:
    <add key="UseSecurityProtocolTLS13" value="1" />
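The following PowerShell audit script is an added example, not part of the Astrow documentation: it reads the server-side SChannel protocol settings from the standard registry path and checks the Astrow web.config for the keys above, reporting each as OK or not. The web.config path is an assumed placeholder; run it in an elevated PowerShell session on the server.

```powershell
# Added audit script (not from the Astrow documentation). Reports whether the
# SChannel server protocols and the Astrow web.config match the requirements
# above. Assumption: $WebConfigPath is the Astrow site's web.config (placeholder).
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\Astrow\web.config'
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected server-side state per this page: 1 = enabled, 0 = disabled.
$expected = [ordered]@{
    'SSL 3.0' = 0; 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.2' = 0; 'TLS 1.3' = 1
}

function Get-ServerProtocolState {
    param([string]$Protocol)
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { return $null }   # not explicitly configured
    $props = Get-ItemProperty -Path $key
    # For the IIS server role, Enabled=0 or DisabledByDefault=1 means the protocol is off.
    if ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) { return 0 }
    return 1
}

Write-Output '== SChannel server protocols =='
foreach ($name in $expected.Keys) {
    $actual = Get-ServerProtocolState -Protocol $name
    if ($null -eq $actual) { $verdict = 'NOT SET (OS default applies; configure explicitly)' }
    elseif ($actual -eq $expected[$name]) { $verdict = 'OK' }
    else { $verdict = 'MISMATCH' }
    Write-Output ('{0,-8} expected={1} actual={2} {3}' -f $name, $expected[$name], $actual, $verdict)
}

Write-Output "`n== web.config: $WebConfigPath =="
[xml]$cfg = Get-Content -Path $WebConfigPath -Raw
$appSettings = @($cfg.configuration.appSettings.add)
foreach ($k in 'UseOnlyHTTPs', 'UseSecurityProtocolTLS13') {
    $entry = $appSettings | Where-Object { $_.key -eq $k }
    if ($entry -and $entry.value -eq '1') { $verdict = 'OK' } else { $verdict = 'MISSING or not 1' }
    Write-Output ('{0,-25} {1}' -f $k, $verdict)
}
# <forms requireSSL="true"> under <system.web><authentication mode="Forms">
$requireSsl = $cfg.configuration.'system.web'.authentication.forms.requireSSL
if ($requireSsl -eq 'true') { $verdict = 'OK' } else { $verdict = 'MISSING or not true' }
Write-Output ('{0,-25} {1}' -f 'forms requireSSL', $verdict)
```

A protocol reported as NOT SET falls back to the operating system default, so each of the five protocols should be configured explicitly rather than left to that default.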
Inside Astrow's System Settings, the Use password policy option should be enabled, with Minimum password strength set to Strong (see details in Password Policy).
Disable account
To protect accounts against repeated password guessing, an account can be disabled after a number of consecutive failed logins. In Astrow Web, go to System - Security and set the desired value for the parameter Disable account after X failed consecutive logins. By default it is set to 4, meaning that after 4 login attempts with a wrong password the account is suspended (inactive) and can be reactivated only by a user with security permissions.