Security Settings

Security Settings

Administrators can configure various options to enhance security such as locking accounts, set session expiry, set HTTP mode etc. 

These are application-wide configurations.
To configure security settings, go to Admin > General Settings > Security Settings (if only one portal is configured) or go to Global Settings > General Settings > Security Settings (if multiple portals are configured).


General Settings Tab

Configure Account Lockout Threshold and Duration 

  • Click the relevant checkbox and set the number of failed attempts and reset thresholds.

  • You can also choose whether to lock the account in the user's current device or all devices.

  • Configure the display message to show when user's account is locked.

  • You can send an email notification or send notifications to one or more support reps when a user account is disabled. 

Server Port and Protocol Configuration 

  • Select the protocol: HTTP or HTTPS mode using the radio buttons.

  • If HTTPS mode sis chose, then add support TLS versions and Ciphers.

  • Set port number. 

Configuring Session Expiry 

  • Set the number of days to re-authenticate users even when the keep me signed-in feature is enabled.


Enable Forgot Password:

Under Admin > Security Settings > General, configure the Forgot Password option to be displayed on the login page for users who log in via local authentication. Once enabled, the user can use this option to receive a password reset link in their primary email address. The reset link will be sent only if they provide the user name and the domain name. The password reset link email will not be sent if the email is not configured or associated with multiple profiles. In such cases, the admin will need to manually reset the password.


Customize the password reset notification email under Notification Rules > Send Self-service login details > Customize Template. Use $ to insert variables such as First Name, Product Name, etc. Click Save. To alter the password reset link's validity, contact support at <>

Inactive session timeout configuration: Set the duration in minutes after which the user will be logged out of an inactive session from the web and mobile app. You can set the limit between 1 and 1440 minutes.

The default mobile app session timeout is 30 minutes for the fresh installations of SupportCenter Plus version 11200 later and AssetExplorer version 6800 or later. For migrated builds, the session timeout for the mobile app will remain disabled and should be configured as required. 

Advanced Settings Tab

Adding Security Response Headers


Click the relevant checkbox and set security headers to protect from XSS, Reflected XSS, Clickjack vulnerabilities.


The available header types are as follows. 

  • Cache Control

  • Content-Security-Policy

  • Strict-Transport-Security

  • X-Content-Type-Options

  • X-Frame-Options

  • X-XSS-Protection

  • Access-Control-Allow-Origin

  • Referrer-Policy

  • Expect-CT 

Other options


You can enable domain filtering, disable copying passwords, disable HTTP compression using relevant checkboxes.


Enable Antivirus Scanning for File Uploads

You can configure your existing antivirus software in ServiceDesk Plus to detect any vulnerable files during file uploads and email attachment receipts. Antivirus software that uses ICAP protocol can only be configured.

To configure an antivirus scan in the application,

  1. Go to Admin > Security Settings > Advanced.
  2. Click on the checkbox beside "Enable Antivirus scanning for file uploads".
  3. Enter the Host Name where the antivirus is installed.
  4. Enter the Service Name and the Port of the antivirus tool. This can be found in your Antivirus tool's Settings page.
  5. Click Save.

Once configured, the file uploads and attachment receipts will be scanned for vulnerable files.

Some of the antivirus tools that can be configured:



Password Policy Tab

Enable password policy: Password Policy allows the administrator to configure and enforce the criteria for creating passwords. This ensures the better security of user passwords. Password policy is enabled by default.

The configured password policy will be applied when:

  • Users change/reset their account passwords.

  • SDAdmin changes user passwords.

  • New users are added via Web form, CSV import, or Active Directory import.

  • Dynamic users are added.

  • Local authentication password is set - both auto-generated and predefined passwords.


To configure the password policy,

  • Select Enable password policy checkbox.

  • Select the minimum password length between 8 and 99. The default value is 8.

  • Select if the password must include:

    • Both uppercase and lower case letters

    • Special characters/symbols

  • Choose the number of previous passwords to remember and prevent reuse. The application can remember up to 8 passwords.

  • Select the expiry period for the password.

Enable Force password reset at first login: You can enable this option to force users to change their password during the first login. This is beneficial when preset passwords are issued.


The application must be restarted for any changes in the settings to take effect.


Security Meter

Security Meter allows you to monitor and gauge how effectively you have configured various built-in application security features. The Security Meter displays a security score in percentage based on the number of security configurations that have been enabled against the total number of available security configurations. Based on the score, your application security is categorized into one of the following four security levels:

  • Unsecured: This level is displayed when the score is less than 50%. This means you have configured less than 50% of the available built-in security settings.

  • Weak Security: This level is displayed when the security score is between 50 and 70%. This means you have configured between 50 to 70% of the available built-in security settings.

  • Moderate Security: This level is displayed when the security score is between 70 and 90%. This means you have configured between 70 to 90% of the available built-in security settings.

  • Highly Secure: This level is displayed when the security score is over 90%. This means you have configured more than 90% of the available built-in security settings. The security meter can be accessed by SDAdmins or SDOrgAdmins from Global Settings > General Settings > Security Settings.



The list of available security settings can also be accessed directly from the security meter by clicking View all security configurations.

The list shows the security items in multiple categories along with a status icon that indicates whether the settings are enabled/disabled.

Based on the setting, when you click an item on the list, you will either be taken to the corresponding configuration page or be shown an appropriate configuration popup. You can make the necessary changes there and save it.

Security Alerts


OrgAdmins can store their official contact details to get instant notifications on any security update or release. There will not be any marketing communication sent to the stored address.

To get the security alerts,

Org Admins can store their official contact details under Admin > General Settings > Security Settings > Security Alerts.


    • Related Articles

    • Outgoing Mail Server Settings

      Configure your organization's mail server to send emails. Outgoing mail server settings must be configured to trigger email notifications for the following settings. Two-Factor Authentication Backup Scheduling Security Settings Performance Settings ...
    • Troubleshooting Mail Server Settings

      Troubleshooting Mail fetching problems After you configure the mail server, test the settings by fetching a sample mail. To do so, click the Fetch a sample mail button. If the settings are configured right and the connection is successful, the oldest ...
    • attachment-settings

      Attachment Settings Attachment settings allow you to manage the files that users add as attachments in various modules. Role Required: SDAdmin. Go to Admin > General Settings > Attachment Settings and configure the fields as explained below: Fields ...
    • Proxy Settings

      You can configure a proxy server to add an extra layer of protection to the server that runs SupportCenter Plus.  This is an application-wide configuration. To configure a proxy server:  1. Go to Admin>>General Settings>>Proxy Settings (if only one ...
    • Incoming Mail Server Settings

      Configure your organization's mail server to receive and process incoming emails. You can use email protocols (POP, IMAP, POPS, or IMAPs), Exchange Web Services (EWS), or Microsoft Graph to connect SupportCenter Plus with the mailbox. Role Required: ...