Site Security Tips
We're often asked if there are tips or 'best practices' for keeping your LegalServer site and data secure.
The two easiest and most effective things are:
Scan Your Users List filtered for Login Active = Yes
- At a minimum, set Login Active = No if someone no longer works there or does not need access to your site.
- Consider enabling automatic deactivation.
- Create temporary users, students, etc. with an End Date and enable deactivation based on End Date.
Use Two Factor Authentication (MFA or SSO)
- Everyone knows how to use usernames and passwords, so they are familiar and need no training. But if a password is lost or stolen, whoever gets it can use it just as easily.
- Requiring a second factor (access to a phone/device or email account) makes it more difficult for a miscreant to get into an account.
- LegalServer offers SSO (Single Sign On) integration with Google, Microsoft Azure/Entra, and Okta. If you are already using the security features from those programs, leverage them for LegalServer logins.
- We also offer built-in Multifactor Authentication for organizations that don't have an SSO provider available.
Additional Suggestions
- API Access should be limited to dedicated user accounts with only the permissions needed for any given integration or use case.
- NIST no longer recommends password rotation, so consider disabling that feature.
- Set the Session Timeout features as low as your staff will accommodate, so that the site cannot be accessed by another individual coming across an open computer.
- Regularly review who is accessing the site, using the API Logs and Last Login reports.
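The Users list review above (Login Active = Yes, End Dates for temporary users) and the Last Login review can be turned into a repeatable check. The script below is an added example, not LegalServer code: it reads a constructed CSV export of the Users list and lists accounts still marked Login Active whose End Date has passed, that have never logged in, or that have not logged in within a chosen number of days. The column names (Username, Login Active, End Date, Last Login), the YYYY-MM-DD date format and the 90-day threshold are assumptions; adjust them to match your own export.

```python
"""Flag active LegalServer accounts that should be reviewed for deactivation.

Added example, not LegalServer's own code. Assumes a CSV export of the
Users list with the columns Username, Login Active, End Date and Last Login,
with dates written as YYYY-MM-DD. Column names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export for demonstration; not real user data.
SAMPLE_EXPORT = """\
Username,Login Active,End Date,Last Login
jdoe,Yes,,2024-05-30
intern1,Yes,2024-05-15,2024-05-10
oldstaff,Yes,,2023-11-01
alumni,No,2023-01-01,2022-12-20
newhire,Yes,,
"""


def parse_date(value):
    """Return a date for a YYYY-MM-DD cell, or None when the cell is empty."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").date()


def review_users(csv_text, today, inactive_days=90):
    """Map username -> reasons the account deserves a deactivation review.

    Only rows with Login Active = Yes are examined, mirroring the filtered
    Users list the page recommends scanning. `today` is a YYYY-MM-DD string.
    """
    review_date = parse_date(today)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Login Active"].strip().lower() != "yes":
            continue  # already deactivated; nothing to do
        reasons = []
        end = parse_date(row["End Date"])
        if end is not None and end < review_date:
            reasons.append(f"end date {end} has passed")
        last = parse_date(row["Last Login"])
        if last is None:
            reasons.append("never logged in")
        elif review_date - last > timedelta(days=inactive_days):
            reasons.append(f"no login for {(review_date - last).days} days")
        if reasons:
            findings[row["Username"]] = reasons
    return findings


if __name__ == "__main__":
    # Run the review against the constructed export as of 2024-06-01.
    for user, reasons in review_users(SAMPLE_EXPORT, "2024-06-01").items():
        print(f"{user}: {'; '.join(reasons)}")
```

The output is a review list, not an automatic deactivation: an account that has never logged in may simply be new, so a person still decides whether to set Login Active = No. Running this against a fresh export on a fixed schedule gives the same result as enabling automatic deactivation, but with a visible record of what was flagged and why.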