Hardening File Permissions On the OpenInsight Directory (Deployment, Installation)
Created at 21 OCT 2009 02:08PM
Contents:
Overview
Share Level Security
File and Folder Level Security
Design and Deployment Considerations
Overview
Locking down file level permissions on the OpenInsight directory is an important step in ensuring the stability of your application. Improper permissions can allow users to change or delete files, accidentally or intentionally. This Knowledge Base entry provides guidelines to secure the OpenInsight directory.
Examples of securing the application at the share level and file level are provided. Each example begins with the creation of the destination directory followed by installing OpenInsight into the newly created location. Establishing the destination directory permissions before installation ensures that the administrator installing the application will have rights to modify it later.
Environment & Prerequisites
This article applies to run time deployments of OpenInsight 9.0+ and the Universal Driver 4.6.
Please note that AREV32, CTO, and OpenInsight versions prior to 9 may require additional security configurations not covered by this document.
Applications can be deployed from a network share or on a terminal server.
Prior knowledge of installing OpenInsight and the Universal Driver is recommended. If you are not familiar with these topics you can still apply the security concepts to your installation, but following this procedure step by step will be difficult.
General familiarity with NTFS and share security is helpful.
Caution: This article does not cover locking down permissions for applications under active development. Attempting to change or develop an application with restricted user rights designed for run time deployment will be problematic. Please see the list of deployment and design considerations at the end of this article.
Test Environment
Windows 2003 file server running the Universal Driver 4.6.
The server name is QUEEN and is a member of the LAB domain.
On the local drive the C:\RevSoft directory will contain the OpenInsight application.
User accounts used in this example:
Group: | OIAdmin | OIUser | Domain Admins |
Users: | MattAdmin | Fred Barney | MattAdmin |
Share Level Security
Applications deployed from a network share are best secured by changing the share level permissions. The advantage of share level security is that all permissions are controlled on the share from a single location. The share permissions are the first set of access controls the user's connection must pass through before accessing files. Changes to files and permissions inside the directory at the file level will not affect the share security. Share level security cannot be overridden by file and folder security.
Share security has two disadvantages. First, it lacks the granular security controls that are available from file level security lists. Second, if users have access to the shared directory through a separate share or the server's local disk drive (as in a terminal server environment) then the share security will do little to secure the application. Both of these disadvantages are resolved by using file and folder level security.
To implement share level security, follow these steps.
From the server console
1. Log in to the server as Administrator.
2. Create the root OpenInsight directory where oinsight.exe will be installed to. In our example the path is C:\RevSoft\OpenInsight\
3. Share the OpenInsight directory. In the example below the share is named "OpenInsight".
5. Click "Permissions" to assign the appropriate permissions.
6. Remove "Everyone" from the list of permissions. By default the "Everyone" group is added to new shares.
7. Add the groups OIAdmin and OIUser. Set the permissions for OIAdmin to "Full Control". The OIUser group should only have "Read" access. See screen shots below.
9. Save your changes. This completes the steps on the server.
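The server-side steps above can also be scripted. This is an added example, not part of the original article or of Revelation Software's tooling; it assumes a newer Windows Server than the Windows 2003 test environment, with the SMB PowerShell cmdlets available, and reuses the article's path, share name and LAB groups.

```powershell
# Added example: share level security for the OpenInsight directory.
# Assumes an elevated PowerShell session and that the LAB\OIAdmin and
# LAB\OIUser groups already exist.
$path  = 'C:\RevSoft\OpenInsight'
$share = 'OpenInsight'

# Step 2: create the destination directory before installing OpenInsight.
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Steps 3-7: share the directory; OIAdmin gets Full Control, OIUser gets Read.
New-SmbShare -Name $share -Path $path `
    -FullAccess 'LAB\OIAdmin' -ReadAccess 'LAB\OIUser' | Out-Null

# Step 6: remove "Everyone" if the share ended up with an entry for it.
Get-SmbShareAccess -Name $share |
    Where-Object { $_.AccountName -eq 'Everyone' } |
    ForEach-Object {
        Revoke-SmbShareAccess -Name $share -AccountName $_.AccountName -Force | Out-Null
    }

# Verify: the share ACL must contain exactly the two intended entries.
$unexpected = Get-SmbShareAccess -Name $share | Where-Object {
    -not (
        ($_.AccountName -eq 'LAB\OIAdmin' -and $_.AccessRight -eq 'Full') -or
        ($_.AccountName -eq 'LAB\OIUser'  -and $_.AccessRight -eq 'Read')
    )
}
if ($unexpected) {
    $unexpected | Format-Table AccountName, AccessControlType, AccessRight
    throw "Share '$share' has entries beyond OIAdmin=Full and OIUser=Read."
}
'Share permissions match the intended configuration.'
```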
From the workstation
1. Log in to an administration workstation as a member of the OIAdmin group. The example account previously set up is named AdminMatt.
2. Start the OpenInsight setup program. Refer to the installation instructions. OpenInsight will be installed into the share created in the previous section. In the example environment \\QUEEN\OpenInsight is the destination directory.
3. Install the Universal Driver using the documentation provided. The REVPARAM file will be created in the \\QUEEN\OpenInsight directory. If the Linear Hash service already exists then simply copy the REVPARAM file from the Universal Driver directory into the \\QUEEN\OpenInsight directory.
4. For each workstation using OI, run the ClientSetup.exe file to properly register any required controls.
This completes the installation. You can now sign in as one of the members from the OIUser group and launch OpenInsight. You should not be able to directly modify any of the files in the \\QUEEN\OpenInsight share.
File and Folder Level Security
Instead of applying permissions at the point of entry to the server (i.e. the share), permissions are applied directly on the file objects. The share permission simply lists the "Everyone" group with full control. The file level permissions take effect as users read and manipulate the files. There are two situations where file level security is appropriate. First, applications deployed on a terminal server where users have access to the server's local disk drive. Second, if the application is deployed from a network share but the administrator requires more granular control over file permissions.
The file level security control method is more complicated to set up and maintain. As updates are applied and files are copied into the new directory, it is possible for the files to retain their existing permissions instead of inheriting permissions from the root OpenInsight directory. This results in a mixture of file permissions within the same directory. File and folder permissions can be overridden by share level permission.
To implement NTFS file level security, follow these directions.
From the server console
1. Log in to the server as Administrator.
2. Create the root OpenInsight directory where oinsight.exe will be installed. In our example the path is C:\RevSoft\OpenInsight\
3. Share the OpenInsight directory. In the example below the share is named "OpenInsight".
5. Click "Permissions" to assign the appropriate permissions.
6. Change the permissions for "Everyone" to "Full Control".
7. Click OK to save the changes.
9. Click the "Security" tab. The final changes will be done from this tab.
11. Click the "Advanced" button.
12. Un-check "Allow inheritable permissions from the parent…". A prompt will display asking to copy or remove the permissions. Choose "Remove".
14. Your screen will now resemble the image below. Click OK to return to the security tab.
16. Verify the Administrators group has full control.
18. Add the local SYSTEM user with "Full Control".
20. IMPORTANT: If the SYSTEM group doesn't have "Full Control" the Linear Hash service may not be able to access the files.
23. Add the OIAdmin group and specify full control.
25. Finally, add the OIUser group. Verify only the following permissions are allowed for this group: "Read & Execute", "List Folder Contents", "Read".
27. Save your changes. This completes the steps on the server.
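The Security tab steps above (remove inherited permissions, then grant the four principals) can be applied in one pass with icacls. This is an added example, not part of the original article; it assumes icacls.exe and an elevated PowerShell session on the server, and reuses the article's path and LAB groups.

```powershell
# Added example: NTFS file and folder level security for the OpenInsight directory.
$root = 'C:\RevSoft\OpenInsight'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# /inheritance:r removes all inherited ACEs (the "Remove" choice in step 12).
# /grant:r replaces any explicit ACE for the named principal.
# (OI)(CI) makes each ACE inherit to the files and subfolders the installer
# creates later; F = Full Control, RX = Read & Execute (which the Security tab
# shows as "Read & Execute", "List Folder Contents" and "Read").
icacls $root /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'LAB\OIAdmin:(OI)(CI)F' `
    'LAB\OIUser:(OI)(CI)RX'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: no principal other than the four above may appear on the root ACL.
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'LAB\OIAdmin', 'LAB\OIUser'
$acl      = Get-Acl -LiteralPath $root
$extra    = $acl.Access | Where-Object { $expected -notcontains $_.IdentityReference.Value }

if (-not $acl.AreAccessRulesProtected) { throw 'Inheritance from the parent is still enabled.' }
if ($extra) {
    $extra | Format-Table IdentityReference, AccessControlType, FileSystemRights
    throw 'Unexpected principals remain on the OpenInsight root ACL.'
}
$acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags
```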
From the workstation
1. Log in to an administration workstation as a member of the OIAdmin group. The example account previously set up is named AdminMatt.
2. Start the OpenInsight setup program. Refer to the installation instructions. OpenInsight will be installed into the share created in the previous section. In the example environment, \\QUEEN\OpenInsight is the destination directory.
3. Install the Universal Driver using the documentation provided. The REVPARAM file will be created in the \\QUEEN\OpenInsight directory. If the Linear Hash service already exists then simply copy the REVPARAM file from the Universal Driver directory into the \\QUEEN\OpenInsight directory.
4. For each workstation using OI, run the ClientSetup.exe file to properly register any required controls.
This completes the installation. You can now sign in as one of the members from the OIUser group and launch OpenInsight. You should not be able to directly modify any of the files in the \\QUEEN\OpenInsight share.
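Because files copied in during updates can keep their own permissions instead of inheriting from the root, the directory is worth auditing after each update. The following check is an added example, not part of the original article; it assumes the four-principal ACL described in this section and skips the TRANSACT folder, which the article allows to be read/write when transaction logging is used.

```powershell
# Added example: report permission drift under the OpenInsight directory.
$root    = 'C:\RevSoft\OpenInsight'
$writers = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'LAB\OIAdmin'

# Rights that let a principal change or delete application files.
# ACEs that carry only generic rights (shown by Get-Acl as raw numbers)
# are not decoded by this check.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]`
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$findings = Get-ChildItem -LiteralPath $root -Recurse -Force |
    Where-Object { $_.FullName -notlike "$root\TRANSACT*" } |
    ForEach-Object {
        $item    = $_
        $acl     = Get-Acl -LiteralPath $item.FullName
        $reasons = @()

        # A child with inheritance switched off no longer follows the root ACL.
        if ($acl.AreAccessRulesProtected) { $reasons += 'inheritance disabled' }

        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            # Explicit ACEs are what a copied-in file brings along.
            if (-not $ace.IsInherited) { $reasons += "explicit ACE for $who" }
            # Anyone outside the admin principals with write-type rights.
            if ($ace.AccessControlType -eq 'Allow' -and
                $writers -notcontains $who -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                $reasons += "$who can modify ($($ace.FileSystemRights))"
            }
        }
        if ($reasons) {
            [pscustomobject]@{
                Path    = $item.FullName
                Reasons = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No permission drift found.' }
```

A flagged item can be returned to the inherited ACL with `icacls <path> /reset`, which replaces its ACL with the default inherited one.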
Design and Deployment Considerations
Permissions should always be considered during the development phase of your application. This section covers the additional security requirements that may apply to complex applications. Generally, a fresh installation of OpenInsight doesn't require additional security setup.
Application DBT Settings
The Database Manager window controls which tables are automatically attached to the application during startup. This list is stored in a settings file with the extension DBT in the root OpenInsight directory. Changes to the DBT file or the Database Manager should be performed with Administrator rights.
Temporary Files
Whenever possible, temporary files should be created on the local workstation. The path to the Windows temp folder is returned by making a call to GET_SORT_PATH("%TEMP%"). If a common temporary file/folder is required on the secured application share then file and folder permissions should be used to secure the application.
Sort Path
By default OpenInsight 9.x ships with a database sort path set to %TEMP%. This variable resolves to a sort file located in the temp directory assigned by the operating system. If this setting is not set to the temporary directory, verify that the application users have read/write access to the location.
Transaction Log Path
The default transaction log path setting is "TRANSACT", which is a directory relative to the oinsight.exe program. If the application uses transaction logging this setting must be checked.
If file and folder permissions are used to secure the directory, simply allow read/write access to the TRANSACT folder in the OpenInsight directory.
If share level permissions are used this setting must be modified. By default share level permissions will not allow the creation of tables in this directory. There are four possible solutions for this situation.
1. Set up a separate share with read/write permissions specifically for the transaction logs. Be sure to include a copy of the REVPARAM file from your application directory.
2. Use an absolute path on the local workstation for the transaction logs.
3. Use file and folder permissions and specifically grant read/write access to this folder.
4. Create the transaction log table in advance.
Note: Options 1 and 2 require an absolute path. Whenever possible Revelation Software recommends all paths be relative to the OpenInsight directory. To keep relative paths, file and folder permissions must be used.