Security Guidance for Employee Portal/Web Client

Employee Portal is a web-based platform that allows employees to access company resources, information, and tools securely. This guide outlines key security measures for IIS-hosted deployments, focusing on authentication, encryption, and best practices.

Multi-factor Authentication

Multi-factor Authentication (MFA) requires two or more verification factors before granting access, protecting against credential theft.

Employee Portal supports these MFA methods:

• 2-step verification: Username/password plus a code sent via email or SMS, ensuring email access is needed post-password compromise.

• CAPTCHA login: Challenge-response test to block automated bots and verify human users.

• Active Directory Authentication: Integrates with Microsoft AD for domain credentials, adding enterprise identity security.

SSO / External Identity Provider MFA Options

Enable in Employee Portal Setup > General tab (Login panel) 

• Sign in with Microsoft: Uses Microsoft Entra ID (OAuth 2.0); inherits organisation MFA policies (e.g., Authenticator, SMS, conditional access). Employees log in with existing Microsoft Work/School/Personal accounts (Office 365, Outlook) instead of separate portal passwords. Centralizes identity via email matching in Employee Master. How to Enable "Sign In with Microsoft".

• ​Sign in with Google: Leverages Google OAuth 2.0 and Workspace MFA (e.g., Authenticator, security keys). Authenticates via Google Account (Gmail/Workspace) with email match in Employee Master, reducing password fatigue and support overhead. How to Enable "Sign In with Google".​

Password Policy

Implement a Password Policy to enforce strong passwords, preventing unauthorized access and data leaks. Benefits include better strength enforcement and reduced breach risk. 

HTTPS Secure Connection

Configure HTTPS in IIS for encrypted client-server communication using an SSL certificate and HTTPS binding. Test via secure requests to prevent data interception.

Firewall and Port Control

Proper firewall configuration limits exposure, blocking unauthorized access while allowing legitimate traffic. For internet-facing setups, use network firewalls (e.g., Azure NSG, hardware appliances) alongside Windows Defender Firewall.

Website Security

Consult your network administrator for IIS management. Key guidelines:

• Security Guidance for IIS 🡕 

• How To Set Up an HTTPS Service in IIS 🡕

• Manage the Security of Your Windows IIS Web Services 🡕 

• IIS Best Practices 🡕 

• Web Server Security Best Practices 🡕 

• Guidelines on Securing Public Web Servers 🡕 

• 10 Ways to Improve Data Security🡕

• Website Security Checklist: Protect Your Website in 2023🡕

• RSA SecurID Access 🡕

• Cisco AnyConnect 🡕

It is also recommended to enable these for enhanced control:

• Turn on UseSecureCookies and SqlConnectionEncrypt  in HRPro.config and EPortal.config.

• SQL Server Password Encryption.