Best Practices for Securing Reflection Desktop

Reflection Desktop has a number of security features designed to protect your personal data and prevent it from being read by unauthorized users.

Following these best practices for securing Reflection Desktop will help you design a secure terminal emulation solution. These best practices include high-level recommendations and considerations. For additional detailed information about the security features supported by Reflection Desktop, see Secure Connections in the Reflection Desktop Help.

Monitor Reflection Desktop security alerts

Rocket Software regularly publishes security alerts in knowledge base articles. You can find the most recent alerts at Security Alerts – Reflection Desktop.

Use the highest level of TLS for secure connections

Reflection Desktop supports TLS 1.2 for IBM 3270 and 5250 sessions. Reflection Desktop 17.0 and higher support TLS 1.3. If your environment supports TLS 1.3, consider using this version.

Use the strongest encryption ciphers available in your environment

Reflection Desktop contains enhanced capabilities that allow you to disable cipher suites which are less secure, and also to enable ciphers used in your environment that you consider to be more secure. See SSL/TLS (Security Properties Dialog Box).

Stay current with versioning in Reflection Desktop

Staying current with major new releases, service packs and updates (when available) ensures you have deployed the latest security patches and fixes to your end-users.

Rocket Software strives to make each new version of Reflection Desktop more secure than the last. The Host Connectivity team responsible for the development of new versions is a dedicated staff of senior engineers who have a strong focus on making the product more secure. They evaluate all security alerts against the currently released products and incorporate updates in the next versions.

Rocket Software Development teams use a Secure Development Lifecycle process, where ongoing training and product review ensures that our software does not contain security vulnerabilities and that all new features are developed with security in mind.

Use Certificates in a secure manner

Configure Reflection Desktop to prevent security risks associated with certificates:

- Don't allow host authentication with invalidated certificates. To prevent this security risk, make sure the Retrieve and validate certificate chains setting in the SSL/TLS Security Properties Dialog Box is enabled. This setting specifies whether certificates presented for host authentication are checked to determine if they are valid and signed by a trusted CA. Disabling this option can make connections vulnerable to man-in-the-middle attacks, which could compromise the security of the connection. See SSL/TLS (Security Properties Dialog Box).

- Consider disabling the use of the Windows certificate store for Reflection connections. Reflection applications can be configured to authenticate using only those certificates located in the Reflection store or using both the Windows and the Reflection store. Disabling use of the Windows certificate store enables you to have greater control over which certificates are used for authentication. Certificates can be added to the Windows store in a variety of ways, and you may not want to allow use of all of those certificates for authenticating Reflection sessions. When use of the Windows store is disabled, only the certificates you have imported into the Reflection store are used for host authentication.
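The three connection settings recommended above (the minimum TLS version, the cipher suites that are allowed, and certificate chain validation) correspond to generic TLS client options. The following Python example is added here and is not part of Reflection Desktop or its documentation: it builds a client context that follows these recommendations, builds the weak configuration the text warns against, and audits either one. It uses only the standard `ssl` module, so the mapping from Reflection's dialog-box settings onto these context attributes is an assumed equivalence, not the product's own implementation.

```python
import ssl

# OpenSSL cipher string used for TLS 1.2 handshakes: forward-secret AEAD suites only,
# with anonymous, null, export, RC4, 3DES, single DES and MD5-based suites excluded.
# TLS 1.3 suites are fixed by the protocol and are not affected by this string.
STRONG_TLS12_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!DES:!MD5"
)

# Substrings that identify cipher suites an auditor would want disabled.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def build_hardened_context(min_version=None):
    """Client context matching the page's advice: newest TLS the library offers,
    strong ciphers, full chain validation and hostname checking."""
    if min_version is None:
        min_version = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # loads the system trust store
    ctx.minimum_version = min_version
    ctx.verify_mode = ssl.CERT_REQUIRED   # assumed equivalent of "retrieve and validate certificate chains"
    ctx.check_hostname = True             # the presented certificate must name the host we dialled
    ctx.set_ciphers(STRONG_TLS12_CIPHERS)
    return ctx


def build_weak_context():
    """The 'before' configuration the page warns against: any TLS version the
    library supports and no certificate validation at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE       # accepts any certificate, so a man-in-the-middle is not detected
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(marker in c["name"] for marker in WEAK_MARKERS))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_hardened_context()), ("weak", build_weak_context())):
        print(label, audit_context(ctx) or ["OK"])
```

The audit reads the same attributes the builders set, so it can be pointed at any context an application already uses; the cipher check inspects the suites OpenSSL would actually offer rather than the configuration string, which is what matters on the wire.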

Control access to product features that are not needed

Limit access to settings and controls and consider setting up custom templates with locked down settings so that users must use security settings, such as the latest TLS versions, when they create new sessions.

You can restrict access to almost any of the Reflection settings or controls to prevent users from changing values, like the host address that a session connects to. This allows you to simplify support requirements and resolve security concerns. Administrative access is required to change settings and users cannot change these options unless they elevate their access level to administrator.

Access to almost every Reflection Desktop feature can be enabled or disabled with Microsoft Group Policy or Reflection *.ACCESS files that you can create with Reflection Desktop administrative tools. See Control Access to Lock Down Settings and Controls.

Control Access

Lock down or disable features which can be used in an insecure manner. For example, allowing users access to programming and macro languages could allow users to record or write automation code that includes user IDs and passwords. This code could then be freely distributed among users, creating a security risk.

Using the Reflection Group Policy settings (documented in Technical Information Document 7024743 and in Control Access to Settings and Controls with Microsoft Group Policy) to disable specific features leads to more secure user environments.

Alternatively, you can use Reflection Desktop administrative tools to create and deploy .ACCESS files that lock down specific settings. See Control Access to Settings and Controls with Reflection Administrative Tools.

Set up Session Templates

Deploy session templates using pre-configured settings to control the types of sessions that users can create. For example, you can create templates that have pre-configured SSL/TLS settings and then lock down these settings with Group Policy or Reflection Desktop administrative tools. Then configure Reflection to hide the built-in templates so that only the custom templates are available. See Set up Session Templates.

Configure the Reflection Desktop Trust Center to protect data and information privacy

Use the Trust Center to protect your working environment from information theft, and your data from potential damage caused by opening documents from non-trusted sources. You can configure settings to protect the following types of data and information:

Trusted Locations

A trusted location is a directory that is designated as a secure source for opening files. By default, Reflection allows users to open documents only in directories specified as trusted locations and prevents them from opening untrusted documents outside of these locations.
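A trusted-location rule is only as good as the containment check behind it. The following Python example is added here and is not Reflection Desktop code: it shows a correct "is this file inside a trusted directory" check and the three ways a naive string-prefix test gets it wrong (a sibling directory whose name shares the prefix, a `..` escape, and a symlink inside the trusted directory pointing outside it). The directory layout, the `.rd3x` file names and the `demo()` scenario are all constructed for the example.

```python
import os
import tempfile


def is_in_trusted_location(path, trusted_dirs):
    """True only if `path`, after resolving symlinks and '..' segments, lies inside
    one of `trusted_dirs` (also resolved). A plain startswith() test is not enough:
    '/data/sessions2' starts with '/data/sessions' but is not inside it."""
    real = os.path.realpath(path)
    for trusted in trusted_dirs:
        root = os.path.realpath(trusted)
        try:
            if os.path.commonpath([real, root]) == root:
                return True
        except ValueError:
            # Paths on different Windows drives have no common path at all.
            continue
    return False


def demo():
    """Constructed scenario: a trusted directory, a sibling directory with a colliding
    name, a '..' escape, and a symlink inside the trusted directory that points
    outside it. Returns the verdict for each case."""
    with tempfile.TemporaryDirectory() as base:
        trusted = os.path.join(base, "sessions")
        sibling = os.path.join(base, "sessions2")
        outside = os.path.join(base, "private")
        for d in (trusted, sibling, outside):
            os.mkdir(d)
        secret = os.path.join(outside, "secret.rd3x")   # constructed file outside the trusted tree
        open(secret, "w").close()
        link = os.path.join(trusted, "link.rd3x")        # symlink that escapes the trusted tree
        os.symlink(secret, link)

        cases = {
            "direct": os.path.join(trusted, "prod.rd3x"),
            "sibling_prefix": os.path.join(sibling, "prod.rd3x"),
            "dotdot_escape": os.path.join(trusted, "..", "private", "secret.rd3x"),
            "symlink_escape": link,
        }
        return {name: is_in_trusted_location(p, [trusted]) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} trusted={verdict}")
```

Only the `direct` case should be accepted; resolving both the candidate and the trusted root with `realpath` before comparing path components is what defeats the other three.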

Information Privacy

Consider protecting sensitive data such as credit card Primary Account Numbers (PANs), phone numbers, and US Social Security numbers. Information Privacy allows you to configure Reflection Desktop so that the sensitive data is not displayed on the screen or in productivity features, such as Screen History. It also allows you to require secure connections and to redact PANs in logs.
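Redacting PANs from logs, as mentioned above, means finding digit sequences that are plausibly card numbers and masking them while leaving order numbers, phone numbers and timestamps alone. The following Python example is added here and is not Reflection Desktop's Information Privacy implementation: it combines a candidate pattern (13 to 19 digits, optionally separated by spaces or hyphens) with a Luhn check so that only digit runs that actually validate as card numbers are masked. The sample log lines are constructed and are not real Reflection Workspace log output.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
# The word boundaries stop the pattern from matching inside longer digit runs.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text, keep_last=4):
    """Replace every Luhn-valid PAN in `text` with asterisks, keeping the last
    `keep_last` digits; digit sequences that fail Luhn are left unchanged."""
    def mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # e.g. an order number that merely looks like a PAN
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]
    return PAN_CANDIDATE.sub(mask, text)


def redact_log(lines):
    return [redact_pans(line) for line in lines]


# Constructed sample log lines (not real Reflection Workspace log output).
SAMPLE_LOG = [
    "2024-05-01 10:02:13 INFO screen text: CARD 4111 1111 1111 1111 EXP 12/26",
    "2024-05-01 10:02:15 INFO screen text: ACCT 5500-0000-0000-0004 STATUS OK",
    "2024-05-01 10:02:16 INFO order 1234567890123 queued for host",
    "2024-05-01 10:02:17 INFO callback 206-555-0100 requested",
]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

The first two lines carry Luhn-valid test card numbers and are masked down to their last four digits; the 13-digit order number fails the Luhn check and the 10-digit phone number never matches the candidate pattern, so both pass through untouched. Apply the redaction before the line is written, not to the file afterwards, or the clear-text value has already reached disk.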

API and Macro Security

Consider the following options for handling the Reflection Desktop API and macros. You can configure Trust Center settings to:

- Enable or disable the Reflection Desktop .NET API.

- Determine if Reflection legacy macros are supported or not.

- Specify what will happen if an action that has been restricted through Group Policy or .ACCESS files is initiated through a macro or API call. See Protecting Data and Information Privacy.

Do not save passwords in macros

Including user IDs or passwords in macros or other automation code creates a security risk.

When a VBA macro is recorded in Reflection Desktop, a password prompt dialog box is automatically added to the macro in place of actually recording the password. Using this password prompt in macros that require user credentials avoids storing the password in the macro itself.

There may be circumstances where you need to consider embedding a password in a macro, although this is a security risk. Undertake this process with extreme caution and only after careful consideration of the potential for the password to be compromised by others who should not have the information, as described in Technical Information Document 7024220.

Note: The Reflection Desktop software does not store Host usernames or passwords anywhere in the product configuration files, and Reflection Workspace logs do not capture Host usernames or passwords.

Consider using a centralized management server to manage host sessions

You can centrally manage, secure, and monitor users' access to host connections with the Rocket Software Host Access Management and Security Server (MSS), a separately available product that is designed to provide centralized management for Reflection sessions.

- Using this centralized management server, you can grant or deny access based on group or role, quickly apply security updates and configuration changes to align with changing regulatory or business needs, and make post-install adjustments on the fly. MSS allows you to configure and lock down large numbers of desktops with ease. See Use a Centralized Management Server.

- Using the MSS Advanced Authentication Add-on, you can configure a multi-factor authentication solution that protects your sensitive data by adding a stronger form of authentication on top of the typical username and password authentication. With Advanced Authentication, you can authenticate on diverse platforms by using different types of authenticators such as Fingerprint, Card, and OTP. Advanced Authentication provides a single authentication framework that ensures secure access to all your devices with minimal administration. See Rocket Software Advanced Authentication.

- Using the Automated Sign-On for Mainframe Add-On, you can enable a user to authenticate to a front-end system using a modern form of authentication (such as a smart card, certificate, LDAP password, Kerberos, etc.) and then be automatically logged on to a z/OS mainframe application.

Consider encrypting session documents

You can encrypt 3270, 5250, and Open Systems session documents to protect them against unauthorized changes. Encryption effectively scrambles the data in a session document, helping to prevent unauthorized users from reading and changing the file's contents. For best results, use document encryption in conjunction with the encryption options in Reflection Permissions Manager. See Encrypt a Session File.