
axis diplomat 2008 Kernel Support Notes

4. Securing an AXIS Diplomat Installation


As with any software, axis diplomat is exposed both to deliberate attacks, whether from malicious software or from malicious employees, and to accidental damage by inexperienced or careless users.

axis diplomat is designed to let you use the operating system's security features to protect its programs and database from accidental or malicious damage, whether caused by users or by malicious software. This document discusses some of the steps that can be taken to minimise these threats by securing the axis diplomat installation.

PLEASE NOTE THAT AXIS FIRST PROVIDES SUPPORT ON axis diplomat AND THIRD PARTY PRODUCTS ONLY ON A CONTRACT BASIS. THIS APPLICATION SUPPORT NOTE IS DESIGNED TO PROVIDE A USER WITH MODERATE EXPERIENCE OF THE PRODUCTS USED WITH SUFFICIENT INFORMATION TO PERFORM THE OPERATIONS DESCRIBED. AXIS FIRST REGRET THAT WE CANNOT PROVIDE SUPPORT ON THIS PROCEDURE UNLESS BOTH axis diplomat AND SYSTEMS SUPPORT CONTRACTS ARE IN PLACE.

Introduction

This document applies to systems running axis diplomat on Microsoft Windows 2003 Server or Windows 2008 Server where axis diplomat is installed on an NTFS format disk partition.

Security Issues

Attack from viruses, worms and trojans

The axis diplomat programs, like any others, can be infected by a virus. The virus may arrive in an email, from browsing a web page, or from a CD/DVD or floppy disk. Once on your system it may spread to servers and other workstations and infect the axis diplomat programs. Depending on the nature of the virus, running an infected program could have any effect from emailing the contacts in your database to destroying the data on your system.

To help detect (and often prevent) a virus infection, Axis First strongly recommends that systems are never run without reputable anti-virus software on EVERY workstation and server. All anti-virus packages need regular updates in order to detect new viruses; some vendors charge for this service, others provide updates free of charge.

Malicious attack from inside your organisation

This is perhaps the most difficult type of attack to guard against, since employees often have an intimate knowledge of the software and/or your computer installation; in some cases they may be responsible for managing it. Some protection can be provided by limiting full access to the axis diplomat folders and by enforcing a strict tape backup procedure that includes off-site backups held by more than one employee or director/partner.

Accidental damage from an inexperienced or careless user

Damage can be caused by browsing the axis diplomat file folders and accidentally cutting or deleting files. To minimise this risk only a few trusted users should be granted full access to the axis diplomat folders.

Recommended steps to improve security of an axis diplomat installation

Partitioning & Partition Format

Install axis diplomat in its own separate disk partition. This avoids the security weaknesses that can arise when shares or access rights are created for other applications on the same partition.

Install axis diplomat on a disk partition formatted with a secure file system (e.g. NTFS). Avoid 'FAT' format partitions as these do not allow access rights (permissions) to be controlled.

'Share' security

In order for network workstations to run axis diplomat, a file share must be created on the axis diplomat server. By default, the axis diplomat setup program creates a hidden share called AxisDiplomat$. We recommend that you avoid mapping a drive to this share; the axis diplomat client is run using a UNC path.

File & Folder Permissions

Creating Windows User Groups

Because axis diplomat uses a client-server architecture, under normal operation users working on individual workstations do not need to modify files in the axis diplomat folders directly; all updating is performed by the server.

axis diplomat allows you to assign users into one of three Windows user groups; users (axis diplomat Users), supervisors (axis diplomat Supers), or administrators (axis diplomat Admins). Once these groups have been created on your Windows system and users assigned to the correct group, the axis diplomat SETUP program will automatically offer to apply security settings to its files and folders.

On a typical axis diplomat system, virtually all users can be assigned to the "axis diplomat Users" group. Members of this group cannot modify any files within the axis diplomat folders, so, for example, if such a user opened a virus-infected email, the virus's attempts to delete or corrupt an axis diplomat file would fail.

Add everyone who needs to run axis diplomat to the "axis diplomat Users" group and then add only those operators who need to run axis diplomat in supervisor (single user) mode (for example to run period ends, data file size changes, or to back up or restore the axis diplomat data) to the "axis diplomat Supers" group. Only the user(s) who install axis diplomat software updates need to be members of "axis diplomat Admins", so you can usually restrict this to just the administrative account. Do not grant "axis diplomat Admins" membership to user accounts which are used on a day-to-day basis by real users. Restrict the use of accounts with administrative access to those used either by services or for system maintenance.

Note that if you are securing an existing installation, users who have not been added to the appropriate groups, or who have not logged out of and back into Windows to pick up their new group membership, will be denied access to all axis diplomat programs and data. This can cause problems because, for example, users' local shortcuts no longer point to an accessible location.

Remember also to REMOVE the "Everyone" group from the permissions on the AxisDiplomat$ share.
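The group creation and share changes described in this section, as an added example that is not Axis First's own code or part of the SETUP program. It assumes (hypothetically) an install path of D:\AXISDiplomat, server-local groups, and the user names alice, bob and svc-install; run it in an elevated PowerShell on the server, out of hours, because the share is deleted and recreated. The /GRANT option of net share needs Windows Server 2008; on Windows Server 2003 set the share permissions in the Shared Folders snap-in instead.

```powershell
# Added example (not Axis First's code): create the three axis diplomat groups,
# populate them, and rebuild the hidden share so that 'Everyone' is no longer
# on it. Hypothetical values: D:\AXISDiplomat, local groups, users alice/bob/
# svc-install. Requires Windows Server 2008 for 'net share /GRANT'.

$Root  = 'D:\AXISDiplomat'
$Share = 'AxisDiplomat$'

# Group -> members. Keep Admins to the account that installs updates; it is
# not a day-to-day login. Domain users go in as DOMAIN\name.
$Groups = @{
    'axis diplomat Users'  = @('alice', 'bob')        # everyone who runs the client
    'axis diplomat Supers' = @('bob')                 # supervisor (single-user) mode
    'axis diplomat Admins' = @('svc-install')         # installs software updates only
}

function Ensure-LocalGroup([string]$Name, [string[]]$Members) {
    # 'net localgroup' reports an error if the group already exists; ignore it.
    & net localgroup $Name /add 2>$null | Out-Null
    foreach ($m in $Members) { & net localgroup $Name $m /add 2>$null | Out-Null }
    & net localgroup $Name              # print the membership for a visual check
}

foreach ($g in $Groups.Keys) { Ensure-LocalGroup $g $Groups[$g] }

# Share and NTFS permissions are both evaluated and the more restrictive wins.
# The NTFS table gives Users 'Change' on TEMP, LOGS, REPORTS and PROFILES, so
# the share itself must allow CHANGE for Users and Supers and leave the
# fine-grained limits to NTFS. 'Everyone' is simply never granted.
& net share $Share /delete 2>$null | Out-Null
& net share "$Share=$Root" `
    '/GRANT:axis diplomat Users,CHANGE' `
    '/GRANT:axis diplomat Supers,CHANGE' `
    '/GRANT:axis diplomat Admins,FULL'

& net share $Share                      # should list the three groups and nobody else
```

Giving the groups only READ at the share level is a common mistake: it would silently override the 'Change' rights the NTFS table grants on TEMP, LOGS, REPORTS and PROFILES, and supervisor-mode operations such as backups would then fail. On a domain the same three group names can be created as domain groups instead, in which case icacls and the SETUP program should see them as DOMAIN\axis diplomat Users and so on.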

Checking AXIS Operator Details

Use the axis diplomat Kernel Supervisor Functions \ Privacy & Shorthand Maintenance functions to ensure that all axis diplomat operators listed are in the Windows "axis diplomat Users" group and that all operators who have "Allow Supervisor Mode Operation" enabled are members of the Windows "axis diplomat Supers" group.

Applying File & Folder Permissions during SETUP

When the axis diplomat SETUP program is run to install or upgrade a non-demo system, it first checks whether a FAT format drive has been selected on a Windows 2003/2008 server and, if it has, displays a warning message box.

The operator can then choose to abort the installation and use convert.exe to convert the partition from FAT to NTFS.

If an NTFS drive is selected, SETUP then checks whether the system being installed/upgraded has previously been secured. If it has, a Yes/No message box is displayed asking whether the security settings should be retained.

Permissions are reset to 'full access to everyone' if the operator selects 'No'. If axis diplomat is not currently secured, a Yes/No message box is displayed asking whether the installation should be secured.

If 'No' is selected, a message box confirms the choice

and installation proceeds without any file access permissions being applied.

If 'Yes' is selected and any of the AXIS security groups have not been set up, a message box is displayed reporting the missing group(s).

The operator can select 'Yes' once they have used the appropriate domain user administration tool to create the necessary Windows user groups.

Having done all this, the installation then proceeds as usual; once all the software has been updated, SETUP then reprocesses all files on the server to apply the necessary file access permissions as specified in the table below.

Note that full access is always available to all files and folders for members of the 'axis diplomat Admins' group and for the user account which was logged in when the axis diplomat SETUP program was run.

Folder / File                          Subfolders  axis diplomat  Specific   axis diplomat  System*  axis diplomat
                                       & Files?    Users          Username   Supers                  Admins
\AXISDiplomat                          Yes         Read           None       Change**       Change   Full
\AXISDiplomat\*.EXE;*.DLL;*.PIF;*.BAT  Yes         Read           None       Read           Read     Full
\AXISDiplomat\DATA                     Yes         None           None       Change         Change   Full
\AXISDiplomat\DATA\                    Yes         Change         None       Change         Change   Full
\AXISDiplomat\TEMP                     Yes         Change         None       Change         None     Full
\AXISDiplomat\LOGS                     Yes         Change         None       Change         None     Full
\AXISDiplomat\TEMPLATE                 Yes         Read           None       Change         None     Full
\AXISDiplomat\REPORTS                  Yes         Change         None       None           None     Full
\AXISDiplomat\REPORTS\                 Yes         None           Full       None           None     Full
\AXISDiplomat\PROFILES                 Yes         Change         None       Change         None     Full

* 'System' is a built in Windows account. The System account is normally used to run the axis diplomat Services (AXIS File Manager & AXIS Queue Manager).

** 'Change' permission allows files to be read, written, executed or deleted. Windows Explorer describes this generic attribute as 'Modify' (although the Windows command line utility 'cacls' describes it as 'Change' (thanks Bill)).
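The permission table above, applied with icacls rather than by the SETUP program, as an added example that is not Axis First's own code. It exists to show the two things the table does not say out loud: 'Subfolders & Files? Yes' means an ACE with the (OI)(CI) inheritance flags, and a tighter right beneath a looser one (Read on the executables under a folder that grants Change, or None on DATA above subfolders that grant Change) only takes effect if the child stops inheriting and restates its own ACL, because allow ACEs never subtract. It assumes (hypothetically) the install path D:\AXISDiplomat, Windows Server 2008, groups created on this server with the names used in this note, and that each folder under REPORTS is named after the Windows user it belongs to; run it elevated, since it rewrites ACLs in place.

```powershell
# Added example, not the SETUP program's code: apply the permission table with
# icacls. Hypothetical: D:\AXISDiplomat, local groups, REPORTS\<username>.

$Root   = 'D:\AXISDiplomat'
$Users  = 'axis diplomat Users'
$Supers = 'axis diplomat Supers'
$Admins = 'axis diplomat Admins'
$Me     = "$env:USERDOMAIN\$env:USERNAME"   # the installing account keeps Full, as SETUP does

# Table rights -> icacls simple rights: Read = RX, Change ('Modify') = M, Full = F.
$Map = @{ 'Read' = 'RX'; 'Change' = 'M'; 'Full' = 'F' }

# One entry per folder row, parents before children. 'Named' is the
# "Specific Username" column; a trailing * means "each existing subfolder".
$Rows = @(
  @{ Path = '';          Users = 'Read';   Supers = 'Change'; System = 'Change'; Named = 'None' },
  @{ Path = 'DATA';      Users = 'None';   Supers = 'Change'; System = 'Change'; Named = 'None' },
  @{ Path = 'DATA\*';    Users = 'Change'; Supers = 'Change'; System = 'Change'; Named = 'None' },
  @{ Path = 'TEMP';      Users = 'Change'; Supers = 'Change'; System = 'None';   Named = 'None' },
  @{ Path = 'LOGS';      Users = 'Change'; Supers = 'Change'; System = 'None';   Named = 'None' },
  @{ Path = 'TEMPLATE';  Users = 'Read';   Supers = 'Change'; System = 'None';   Named = 'None' },
  @{ Path = 'REPORTS';   Users = 'Change'; Supers = 'None';   System = 'None';   Named = 'None' },
  @{ Path = 'REPORTS\*'; Users = 'None';   Supers = 'None';   System = 'None';   Named = 'Full' },
  @{ Path = 'PROFILES';  Users = 'Change'; Supers = 'Change'; System = 'None';   Named = 'None' }
)

function Grant-Arg([string]$Principal, [string]$Right) {
    # One icacls /grant operand, or nothing when the table says 'None'.
    # (OI)(CI) = this folder, its subfolders and its files ("Subfolders & Files? Yes").
    if ($Right -ne 'None') { "${Principal}:(OI)(CI)$($Map[$Right])" }
}

function Set-Row($Folder, $Row) {
    $named = Split-Path $Folder -Leaf          # user name for REPORTS\<name> (assumption)
    $grants = @(
        (Grant-Arg $Users   $Row.Users),
        (Grant-Arg $Supers  $Row.Supers),
        (Grant-Arg 'SYSTEM' $Row.System),
        (Grant-Arg $named   $Row.Named),
        (Grant-Arg $Admins  'Full'),
        (Grant-Arg $Me      'Full')
    ) | Where-Object { $_ }
    # /inheritance:r drops ACEs inherited from the parent; /grant:r replaces each
    # principal's explicit ACE instead of adding to it. Both matter: allow ACEs
    # only ever add rights, so granting Read on top of an inherited Change
    # would not tighten anything.
    & icacls $Folder /inheritance:r /grant:r $grants | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $Folder (unknown account '$named'?)" }
}

# Clear stale explicit ACEs left by earlier runs so every item starts by inheriting.
& icacls "$Root\*" /reset /t /c | Out-Null

foreach ($r in $Rows) {
    if ($r.Path -like '*\*') {
        $parent = Join-Path $Root ($r.Path -replace '\\\*$', '')
        Get-ChildItem $parent | Where-Object { $_.PSIsContainer } |
            ForEach-Object { Set-Row $_.FullName $r }
    } elseif ($r.Path) {
        Set-Row (Join-Path $Root $r.Path) $r
    } else {
        Set-Row $Root $r
    }
}

# Program files row: Supers and SYSTEM drop from Change to Read on executables
# under the root, so each file stops inheriting and restates the tighter set.
$exeGrants = @("${Users}:RX", "${Supers}:RX", 'SYSTEM:RX', "${Admins}:F", "${Me}:F")
Get-ChildItem $Root -Recurse -Include *.exe, *.dll, *.pif, *.bat |
    ForEach-Object { & icacls $_.FullName /inheritance:r /grant:r $exeGrants | Out-Null }
```

Note that, exactly as in the table, BUILTIN\Administrators is not granted anything: breaking inheritance at \AXISDiplomat removes whatever the drive root gave it, and only "axis diplomat Admins" and the account that ran the script keep Full. That is the intended effect of the page's advice that day-to-day administrative accounts should not be able to touch the installation, so run this from the same account you would use for SETUP. If the groups are domain groups, prefix them with the domain name so icacls resolves them.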

Testing Security

To test that the settings are effective, log into Windows as a member of the “axis diplomat Users” group (but not as a member of the "axis diplomat Admins" group) and then using your Windows explorer, try to copy a file into the \AXISDiplomat folder on your SERVER. The operation should fail with an error being displayed.
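The test above made repeatable, as an added example that is not Axis First's own code. It assumes (hypothetically) that the server is called AXISSRV and the client path is \\AXISSRV\AxisDiplomat$. Run the two write checks logged on as a member of "axis diplomat Users" only (not "axis diplomat Admins"); the share-DACL check reads the share's security descriptor through WMI, which needs administrative rights on the server, so run that part on the server as an administrator.

```powershell
# Added example, not Axis First's code: checks that the secured installation
# behaves as this note says it should. Hypothetical: server AXISSRV.

$Server = 'AXISSRV'
$Unc    = "\\$Server\AxisDiplomat`$"

function Test-WriteDenied([string]$Folder) {
    # Try to create a file and return $true only when Windows refuses it.
    $probe = Join-Path $Folder ('permtest-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item $probe -ErrorAction SilentlyContinue    # it got through: tidy up
        return $false
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) { return $true }
        throw   # anything else (share unreachable, path missing) is a real fault
    }
}

function Get-BroadWriteAces([string]$Folder) {
    # Allow ACEs that hand write-class rights to the catch-all principals.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    @((Get-Acl $Folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broad -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$write) -ne 0)
    })
}

function Get-ShareTrustees([string]$Computer, [string]$ShareName) {
    # Principals named in the share's own DACL (separate from the NTFS ACL).
    $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $Computer `
                         -Filter ('Name="{0}"' -f $ShareName)
    @($sec.GetSecurityDescriptor().Descriptor.DACL | ForEach-Object { $_.Trustee.Name })
}

# 1. The root must refuse a write from a plain user (the manual test in the text),
#    while TEMP, where the table gives Users 'Change', must accept one. A TEMP
#    refusal usually means the share permissions, not NTFS, are too tight.
"Root write refused (want True) : " + (Test-WriteDenied $Unc)
"TEMP write refused (want False): " + (Test-WriteDenied (Join-Path $Unc 'TEMP'))

# 2. No catch-all group may hold write rights on the root.
"Broad write ACEs on root (want 0): " + (Get-BroadWriteAces $Unc).Count

# 3. 'Everyone' must be gone from the share DACL (run on the server as admin).
"Share trustees (want no Everyone): " + ((Get-ShareTrustees $Server 'AxisDiplomat$') -join ', ')
```

The first check is the page's own test; the second and third catch the two ways it can pass for the wrong reason, namely a broad NTFS ACE that happens not to apply to the account you tested with, and an "Everyone" entry still present on the share even though the folder ACLs look correct.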

Securing/Unsecuring an existing installation

The axis diplomat SETUP program can apply or remove file access permissions for existing installations without the need for a full software update. A button is provided on SETUP's main option selection screen for this purpose.
