Application Support Note

ASN-2004-127

Securing an axis diplomat installation

Last Reviewed: 05 November 2004

Products affected: axis diplomat 2004

Description: As with any software, axis diplomat is vulnerable to both deliberate attacks from viruses or malicious employees and accidental damage from inexperienced or careless users.

axis diplomat is designed to allow operating system security features to be used to help protect its programs and database from accidental or malicious damage, whether caused by users or by virus software. This document discusses some of the steps which can be taken to secure the axis diplomat installation and so minimise these threats.

PLEASE NOTE THAT SYSTEMS AXIS PROVIDES SUPPORT ON axis diplomat AND THIRD PARTY PRODUCTS ONLY ON A CONTRACT BASIS. THIS APPLICATION SUPPORT NOTE IS DESIGNED TO PROVIDE A USER WITH MODERATE EXPERIENCE OF THE PRODUCTS USED WITH SUFFICIENT INFORMATION TO PERFORM THE OPERATIONS DESCRIBED. SYSTEMS AXIS REGRET THAT WE CANNOT PROVIDE SUPPORT ON THIS PROCEDURE UNLESS BOTH axis diplomat AND SYSTEMS SUPPORT CONTRACTS ARE IN PLACE.

1. Introduction

This document applies to systems running axis diplomat 2004 on Microsoft Windows 2000 Server or Windows 2003 Server where axis diplomat is installed on an NTFS format disk partition.

2. Security Issues

2.1 Attack from viruses, worms and trojans

The axis diplomat programs, like any others, can potentially be infected by a virus. The virus may originate from an internet email, browsing an internet web page, from a CD/DVD or from a floppy disk. Once on your system the virus may spread to servers and other workstations and infect the axis diplomat programs. Depending on the nature of the virus, running an infected program on your system could result in any effect ranging from emailing users in your contact database to destroying the data on your system.

In order to help detect (and often even prevent) a virus infection, Systems AXIS strongly recommends that systems are never run without reputable anti-virus software running on EVERY workstation and server in your system. All anti-virus software packages need to be regularly updated in order to detect new viruses. Some anti-virus vendors charge for this service whilst others provide updates free of charge.

2.2 Malicious attack from inside your organisation

This is perhaps the most difficult type of attack to guard against since in many cases employees may have an intimate knowledge of the software and/or your computer installation; indeed, in some cases they may be responsible for managing it. Some protection can be provided by limiting full access to the axis diplomat folders and enforcing a strict tape backup procedure which incorporates off-site backups held by more than one employee or director/partner.

2.3 Accidental damage from an inexperienced or careless user.

Damage can be caused by browsing the axis diplomat file folders and accidentally cutting or deleting files. To minimise this risk only a few trusted users should be granted full access to the axis diplomat folders.

3. Recommended steps to improve security of an axis diplomat installation.

3.1 Partitioning & Partition Format

Install axis diplomat in its own separate disk partition. This avoids any potential security weakness as a result of creating shares or access rights for other applications you may be running.

Install axis diplomat on a disk partition formatted with a secure file system (e.g. NTFS). Avoid 'FAT' format partitions as these do not allow access rights (permissions) to be controlled.

3.2 'Share' security

In order for network workstations to run axis diplomat, a file share must be created on the axis diplomat server. We recommend that you hide this share so that it does not appear to a casual user browsing the network. Shares can be hidden by ending the share name with the "$" character. For example, to hide the axis diplomat share, use a share name of "AXIS$".

3.3 File & Folder Permissions

3.3.1 Creating Windows User Groups

Because axis diplomat is designed to use 'client-server' architecture, under normal operation users working on individual workstations do not need to be able to modify files in the axis diplomat folders directly. Instead, all updating is performed by the server. axis diplomat allows you to assign users to one of three Windows user groups: users (axis diplomat Users), supervisors (axis diplomat Supers), or administrators (axis diplomat Admins). Once these groups have been created on your Windows system and users assigned to the correct group, the axis diplomat SETUP program will automatically offer to apply security settings to its files and folders.

On a typical axis diplomat system, virtually all users can be assigned to the "axis diplomat Users" group. This means that they have no ability to modify any files within the axis diplomat folders, so, for example, if a virus-infected email was opened by such a user, attempts by the virus software to delete or corrupt an axis diplomat file would fail.

Add everyone who needs to run axis diplomat to the "axis diplomat Users" group and then add only those operators who need to run axis diplomat in supervisor (single user) mode (for example to run period ends, data file size changes, backup or restore the axis diplomat data) to the "axis diplomat Supers" group.

Only the user(s) who install axis diplomat software updates need to be a member of "axis diplomat Admins" and so you can usually restrict this to just the administrative account. Do not grant "axis diplomat Admins" membership to user accounts which are used on a day-to-day basis by real users. Restrict the use of accounts with administrative access to those used either by services or for system maintenance.

Note that if you are securing an existing installation, unless the appropriate users have been added to the appropriate groups and those users have re-logged into Windows to obtain their new access rights, those users will be denied access to all axis diplomat programs and data. This can cause problems because, for example, users' local shortcuts no longer point to an accessible location.

Remember to also REMOVE the "Everyone" group from access to the AXIS$ share.

3.3.2 Checking AXIS Operator Details

Use the axis diplomat Kernel Supervisor Functions \ Privacy & Shorthand Maintenance functions to ensure that all axis diplomat operators listed are in the Windows "axis diplomat Users" group and that all operators who have "Allow Supervisor Mode Operation" enabled are members of the Windows "axis diplomat Supers" group.

3.3.3 Applying File & Folder Permissions during SETUP

When the axis diplomat 2004 SETUP program is run to install or upgrade a non-demo system, it first checks whether a FAT format drive has been selected on a Windows 2003/2000 server, and if it has, the following warning message box is displayed:

[Screenshot: Unsecured installation]

The operator can then choose to abort the installation and use convert.exe to convert the partition from FAT to NTFS.

If an NTFS drive is selected, SETUP then checks to see whether the system being installed/upgraded has previously been secured. If it has, the following message box is displayed:

[Screenshot: Screen shot error]

Permissions are reset to 'full access to everyone' if the operator selects 'No'.

If axis diplomat is not currently secured the following message box is displayed:

[Screenshot: Setup Error]

If 'No' is selected, the following message box is displayed:

[Screenshot: Information]

and installation proceeds without any file access permissions being applied.

If 'Yes' is selected and any of the AXIS security groups have not been set up, the following message box is displayed:

[Screenshot: File access error]

The operator can select 'Yes' once they have used the appropriate domain user administration tool to create the necessary Windows user groups.

Having done all this, the installation then proceeds as usual; once all the software has been updated, SETUP then reprocesses all files on the server to apply the necessary file access permissions as specified in the table below.

Note that full access is always available to all files and folders for members of the 'axis diplomat Admins' group and for the user account which was logged in when the axis diplomat SETUP program was run.

| Folder / File | Subfolders & Files? | axis diplomat Users | Specific Username | axis diplomat Supers | System* | axis diplomat Admins |
|---|---|---|---|---|---|---|
| \AXIS2004 | Yes | Read | None | Change** | Change | Full |
| \AXIS2004\*.EXE;*.DLL;*.PIF;*.BAT | Yes | Read | None | Read | Read | Full |
| \AXIS2004\DATA | Yes | None | None | Change | Change | Full |
| \AXIS2004\DATA\<company id>\<folder> | Yes | Change | None | Change | Change | Full |
| \AXIS2004\TEMP | Yes | Change | None | Change | None | Full |
| \AXIS2004\LOGS | Yes | Change | None | Change | None | Full |
| \AXIS2004\TEMPLATE | Yes | Read | None | Change | None | Full |
| \AXIS2004\REPORTS | Yes | Change | None | None | None | Full |
| \AXIS2004\REPORTS\<username> | Yes | None | Full | None | None | Full |
| \AXIS2004\PROFILES | Yes | Change | None | Change | None | Full |

* 'System' is a built in Windows account. The System account is normally used to run the axis diplomat Services (AXIS File Manager & AXIS Queue Manager).

** 'Change' permission allows files to be read, written, executed or deleted. Windows Explorer describes this generic attribute as 'Modify', although the Windows command line utility 'cacls' describes it as 'Change' (thanks Bill).

4. Testing Security

To test that the settings are effective, log into Windows as a member of the "axis diplomat Users" group (but not as a member of the "axis diplomat Admins" group) and then, using Windows Explorer, try to copy a file into the \AXIS2004 folder on your SERVER. The operation should fail with an error being displayed.
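The manual test above can be complemented by comparing the applied NTFS permissions with the table in section 3.3.3. The following is an added example, not part of the original note and not Systems AXIS code. It assumes PowerShell 3.0 or later and an installation root of D:\AXIS2004 (both assumptions), and it covers only the fixed folders and the three group columns of the table.

```powershell
# Added example, not Systems AXIS code. Assumptions: PowerShell 3.0+,
# and an install root of D:\AXIS2004 (change $Root to match your server).
$Root = 'D:\AXIS2004'
$Rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }

# Expected level per folder for the three groups, copied from the table.
$Expected = [ordered]@{
    '.'        = @{ Users = 'Read';   Supers = 'Change'; Admins = 'Full' }
    'DATA'     = @{ Users = 'None';   Supers = 'Change'; Admins = 'Full' }
    'TEMP'     = @{ Users = 'Change'; Supers = 'Change'; Admins = 'Full' }
    'LOGS'     = @{ Users = 'Change'; Supers = 'Change'; Admins = 'Full' }
    'TEMPLATE' = @{ Users = 'Read';   Supers = 'Change'; Admins = 'Full' }
    'REPORTS'  = @{ Users = 'Change'; Supers = 'None';   Admins = 'Full' }
    'PROFILES' = @{ Users = 'Change'; Supers = 'Change'; Admins = 'Full' }
}

# Map an ACE's rights onto the note's terms ('Change' is NTFS 'Modify').
function Get-Level($Rights) {
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $r = [int]$Rights
    if     (($r -band [int]$fsr::FullControl) -eq [int]$fsr::FullControl) { 'Full' }
    elseif (($r -band [int]$fsr::Modify)      -eq [int]$fsr::Modify)      { 'Change' }
    elseif (($r -band [int]$fsr::Read)        -eq [int]$fsr::Read)        { 'Read' }
    else                                                                  { 'None' }
}
function New-Finding($Path, $Principal, $Want, $Got) {
    [pscustomobject]@{ Path = $Path; Principal = $Principal; Expected = $Want; Actual = $Got }
}

$findings = foreach ($rel in $Expected.Keys) {
    $path  = Join-Path $Root $rel
    $allow = @((Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($group in 'Users', 'Supers', 'Admins') {
        $actual = 'None'   # highest level granted by any matching Allow ACE
        foreach ($ace in $allow) {
            if ($ace.IdentityReference.Value -like "*axis diplomat $group") {
                $level = Get-Level $ace.FileSystemRights
                if ($Rank[$level] -gt $Rank[$actual]) { $actual = $level }
            }
        }
        $want = $Expected[$rel][$group]
        if ($actual -ne $want) { New-Finding $path "axis diplomat $group" $want $actual }
    }
    # Any 'Everyone' entry indicates the unsecured 'full access to everyone' state.
    $allow | Where-Object { $_.IdentityReference.Value -eq 'Everyone' } | ForEach-Object {
        New-Finding $path 'Everyone' 'None' (Get-Level $_.FileSystemRights) }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'ACLs match the table.' }
```

Inherit-only entries and ACEs stored as raw generic rights are not interpreted, so confirm any reported mismatch in the folder's Security tab.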

5. Securing/Unsecuring an existing installation.

The axis diplomat 2004 SETUP program can apply or remove file access permissions for existing installations without the need for a full software update. A button is provided on SETUP's main option selection screen for this purpose.

Revision History

1.1   22.06.2004   Updated for axis diplomat 2004
1.0   13.10.2001   First Draft