Application Support Note
ASN-2000-127
Securing an AXIS Diplomat installation
Last Reviewed:
05 November 2004
Products affected: AXIS Diplomat
2000
Description: As
with any software, AXIS Diplomat is vulnerable to both deliberate
attacks from viruses or malicious employees and accidental damage from
inexperienced or careless users.
AXIS Diplomat is
designed to allow the use of operating system security features to help
protect its programs and database from accidental or malicious damage
whether performed by users or virus software. This
document discusses some of the steps which can be taken to minimise these
threats by taking steps to secure the AXIS Diplomat installation.
PLEASE NOTE THAT SYSTEMS AXIS PROVIDES SUPPORT
ON AXIS DIPLOMAT AND THIRD PARTY PRODUCTS ONLY ON A CONTRACT BASIS. THIS
APPLICATION SUPPORT NOTE IS DESIGNED TO PROVIDE A USER WITH MODERATE EXPERIENCE
OF THE PRODUCTS USED WITH SUFFICIENT INFORMATION TO PERFORM THE OPERATIONS
DESCRIBED. SYSTEMS AXIS REGRET THAT WE CANNOT PROVIDE SUPPORT ON THIS
PROCEDURE UNLESS BOTH AXIS DIPLOMAT AND SYSTEMS SUPPORT CONTRACTS ARE
IN PLACE.
1. Introduction
This document applies to systems running
AXIS Diplomat 2000 on Microsoft Windows 2000 Server or Windows NT 4 Server
where AXIS Diplomat is installed on an NTFS format disk partition. Some
of the procedures outlined below may also be applicable to Windows 95
& 98 systems but since Windows 9x does not provide a secure file system,
facilities for securing such systems are limited. We recommend that users
who are running Windows 9x based systems and who are concerned about security
consider upgrading. Similar security can
also be achieved if you are using a Novell NetWare server however the
security settings must be applied manually. Refer to the section on Novell
NetWare below
2. Security Issues
2.1 Attack from viruses, worms and trojans
The AXIS Diplomat programs, like any others, can potentially be infected
by a virus. The virus may originate from an internet email, browsing an
internet web page, from a CD ROM or from a floppy disk. Once on your system
the virus may spread to servers and other workstations and infect the
AXIS Diplomat programs. Depending on the nature of the virus, running
an infected program on your system could result in any affect ranging
from emailing users in your contact database to destroying the data on
your system.In order to help detect (and often even prevent) a virus infection Systems
AXIS strongly recommends that systems are never run without reputable
anti-virus software running on EVERY workstation and server in your system.
All anti-virus software packages need to be regularly updated in order
to detect new viruses. Some Anti-virus vendors charge for this service
whilst others provide updates free of charge.
2.2 Malicious attack from inside your organisation
This is perhaps the most difficult type of attack to guard against since
in many cases employees may have an intimate knowledge of the software
and/or your computer installation, indeed in some cases they may be responsible
for managing it. Some protection can be provided by limiting full access
to the AXIS Diplomat folders and enforcing a strict tape backup procedure
which incorporates off-site backups held by more than one employee or
director/partner.
2.3 Accidental damage from an inexperienced or careless user.
Damage can be caused by browsing the AXIS Diplomat file folders and accidentally
cutting or deleting files. To minimise this risk only a few trusted users
should be granted full access to the AXIS Diplomat folders.
3. Recommended steps to improve security of an AXIS Diplomat installation.
3.1 Partitioning & Partition FormatInstall AXIS Diplomat in its own separate disk partition.
This avoids
any potential security weakness as a result of creating shares or access
rights for other applications you may be running.Install AXIS Diplomat on a disk partition formatted with a secure file
system (e.g. NTFS). Avoid 'FAT' format partitions as these do not allow
access rights (permissions) to be controlled.
3.2 'Share' securityIn order for network workstations to run AXIS Diplomat, a file share
must be created on the AXIS Diplomat server.
We recommend that you hide
this share so that it does not appear to a casual user browsing the network.
On a Microsoft Windows 2000 or NT 4 server shares can be hidden by ending
the share name with the "$" character. For example, to hide
the AXIS Diplomat share, use a share name of "AXIS$".
3.3 File & Folder Permissions
3.3.1 Creating Windows User Groups
Because AXIS Diplomat is designed to use ‘client-server’
architecture, under normal operation users working on individual workstations
do not need the ability to be able to modify files in the AXIS Diplomat
folders directly, instead all updating is performed by the server. AXIS
Diplomat allows you to assign users into one of three Windows user groups;
users (AXIS Diplomat Users), supervisors (AXIS Diplomat Supers), or administrators
(AXIS Diplomat Admins). Once these groups have been created on your Windows
system and users assigned to the correct group, the AXIS Diplomat SETUP
program will automatically offer to apply security settings to its files
and folders. On a typical AXIS Diplomat system, virtually all users
can be assigned to the “AXIS Diplomat Users” group. This means that they
have no ability to modify any files within the AXIS Diplomat folders,
so, for example, if a virus-infected email was opened by such user, attempts
by the virus software to delete or corrupt an AXIS Diplomat file would
fail.
Add everyone who needs to run AXIS Diplomat to the "AXIS Diplomat
Users" group and then add only those operators who need to run AXIS
Diplomat in supervisor (single user) mode (for example to run period ends,
data file size changes, backup or restore the AXIS Diplomat data) to the
"AXIS Diplomat Supers" group. Only the user(s) who install AXIS
Diplomat software updates need to be a member of "AXIS Diplomat Admins"
and so you can usually restrict this to just the administrative account.
Do not grant "AXIS Diplomat Admins" membership to user accounts
which are used on a day-to-day basis by real users. Restrict the user
of accounts with administrative access to those used either by services
or for system maintenance.
Note that if you are securing an existing installation, unless the
appropriate users have been added to the appropriate groups and those
users have re-logged into Windows to obtain their new access rights, those
users will be denied access to all AXIS Diplomat Programs and data. This
can cause problems because for example users local shortcuts no
longer point to an accessible location.
Remember to also REMOVE the "Everyone" group from access to
the AXIS$ share.
3.3.2 Checking AXIS Operator Details
Use the AXIS Diplomat Kernel Supervisor Functions \ Privacy & Shorthand
Maintenance functions to ensure that all AXIS Diplomat operators
listed are in the Windows "AXIS Diplomat Users" group and that
all operators who have "Allow Supervisor Mode Operation" enabled
are members of the Windows "AXIS Diplomat Supers" group.
3.3.3 Applying File & Folder Permissions during SETUP
When the AXIS Diplomat 2000 SETUP program is run to
install or upgrade a non-demo system, it first checks whether a FAT format
drive has been selected on a Windows NT/2000 server, and if it has, the
following warning message box is displayed:
The operator can then choose to abort the installation
and use convert.exe to convert the partition from FAT to NTFS.If an NTFS drive is selected, SETUP then checks to
see whether the system being installed/upgraded has previously been secured.
If it has, the following message box is displayed:
Permissions are reset to 'full access to everyone'
if the operator selects 'No'.If AXIS Diplomat is not currently secured the following
message box is displayed:
If 'No' is selected, the following message box is displayed:
and installation proceeds without any file access permissions
being applied.If 'Yes' is selected and any of the AXIS security groups
have not been set up, the following message box is displayed:
The operator can select 'Yes' once they have used the
appropriate domain user administration tool to create the necessary Windows
user groups.Having done all this, the installation then proceeds
as usual; once all the software has been updated, SETUP then reprocesses
all files on the server to apply the necessary file access permissions
as specified in the table below.
Note that full access is always available to all files and folders for
members of the 'AXIS Diplomat Admins' group and for the user account which
was logged in when the AXIS Diplomat SETUP program was run.
Folder / File |
Subfolders &
Files? |
AXIS Diplomat
Users |
Specific Username |
AXIS Diplomat
Supers |
System* |
AXIS Diplomat
Admins |
\AXIS7 |
Yes |
Read |
None |
Change** |
Change |
Full |
\AXIS7\*.EXE;*.DLL;*.PIF;*.BAT;*.NCF;*.NLM |
Yes |
Read |
None |
Read |
Read |
Full |
\AXIS7\DATA |
Yes |
None |
None |
Change |
Change |
Full |
\AXIS7\DATA\<company id>\<folder> |
Yes |
Change |
None |
Change |
Change |
Full |
\AXIS7\TEMP |
Yes |
Change |
None |
Change |
None |
Full |
\AXIS2000\ |
Yes |
Read |
None |
Read |
None |
Full |
\AXIS2000\*.EXE;*.DLL;*.PIF;*.BAT;*.NCF;*.NLM |
Yes |
Read |
None |
Read |
Read |
Full |
\AXIS2000\LOGS |
Yes |
Change |
None |
Change |
None |
Full |
\AXIS2000\TEMPLATE |
Yes |
Read |
None |
Change |
None |
Full |
\AXIS2000\REPORTS |
Yes |
Change |
None |
None |
None |
Full |
\AXIS2000\REPORTS\<username> |
Yes |
None |
Full |
None |
None |
Full |
\AXIS2000\PROFILES |
Yes |
Change |
None |
Change |
None |
Full |
\AXIS2000\TEMP |
Yes |
Change |
None |
Change |
None |
Full |
* 'System' is a built in Windows account. The System
account is normally used to run the AXIS Diplomat Services (AXIS File
Manager & AXIS Queue Manager).** 'Change' permission allows files to be read, written,
executed or deleted. The Windows 2000 Explorer describes this generic
attribute as 'Modify' (although the Windows 2000 command line utility
'cacls' and the Windows NT4 explorer describes it as 'Change' (thanks
Bill)).
4. Testing SecurityTo test that the settings are effective, log into Windows
as a member of the “AXIS Diplomat Users” group (but not as a member of
the "AXIS Diplomat Admins" group) and then using your Windows
explorer, try to copy a file into the \AXIS2000 folder on your SERVER.
The operation should fail with an error being displayed.
5. Securing/Unsecuring an existing installation.The AXIS Diplomat 2000 SETUP program can apply or remove
file access permissions for existing installations without the need for
a full software update. A button is provided on SETUP's main option selection
screen for this purpose.
6. Novell NetWareNovell NetWare provides similar security facilities
which can be used to protect your AXIS Diplomat installation in the same
way however SETUP will not apply the necessary security setting for you
and you will need to manually apply them based on the following:
- End -
THE INFORMATION PROVIDED IN THIS DOCUMENT
IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. SYSTEMS AXIS
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL
Systems AXIS Limited OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES.
Published by Systems AXIS
Limited. AXIS, AXIS Envoy, AXIS Ambassador, AXIS Diplomat and the AXIS
logo are trademarks of Systems AXIS Limited. REAL/32 is a trademark of
Intelligent Micro Software Ltd. All other product names are trademarks
of their respective owners.© Copyright 2002 Systems AXIS
Limited. All rights reserved.
Revision History
0.1 |
13.10.2001 |
First Draft |
|
Home
Support
