
Protecting Files and Resources


Protect files and resources in your operating system environment as follows:

  • Set up access restrictions to executable files, data files, Web pages, directories, and administrative tools as follows:
    • On each server that is a part of a Siebel deployment, restrict local user access to Siebel directories to Siebel administrators only. This restriction prevents insiders who have access to the computer, but who do not have Siebel administrator privileges, from accessing sensitive information that can be used to gain or elevate Siebel privileges, which would allow more significant security violations to occur.
    • For Siebel deployments that store highly sensitive data or that have other high-security requirements, it is recommended that you encrypt the Siebel File System and all server disks containing Siebel Business Applications data, either using third-party products or encryption features provided by your operating system.
    • If you configure Siebel-specific environment variables that include sensitive data on a computer hosting a module in a Siebel deployment (for example, if you have implemented a Siebel Product Configuration Application Object Manager on a dedicated Siebel Server), then encrypting the server disks is also recommended.

      For information on deploying the Siebel Configurator, see Siebel Deployment Planning Guide. For information on setting Siebel-specific environment variables, see Siebel System Administration Guide.

  • Audit file permissions, file ownership, and file access.
  • Restrict access to accounts and services.

    Controlling access is an important element in maintaining security. The most secure environments follow the least-privilege principle, which grants users the least amount of access that still enables them to complete their required work. Set up hosts to allow only those services (ports) that are necessary, and run each host with the fewest possible services. Eliminate services with known vulnerabilities.

  • Run the checksum utility on system files when installed and check for Trojan malware frequently. (A Trojan is software that appears legitimate but which contains malicious code that is used to cause damage to your computer.) Check user file systems for vulnerabilities and improper access controls.
  • Verify operating system accounts and make sure they have passwords that are difficult to guess.
  • Automatically disable accounts after several failed login attempts.
  • (UNIX) Limit root access.
  • Manage user accounts:
    • Do not share user accounts.
    • Remove or disable user accounts upon termination.
    • Require strong passwords.
    • (Windows) Disable automatic logon.
    • (UNIX) Use a restricted shell.
    • (UNIX) Disable login for well-known accounts that do not need direct login access (bin, daemon, sys, uucp, lp, adm).
  • Restrict guest accounts:
    • As with any account, create a guest account only for the time required and remove the account when it is no longer required.
    • Use a non-standard account name for the account; avoid the name guest.
    • Use a strong password.
    • (UNIX) Use a restricted shell. If reasonable, give the account a 077 umask.
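
One way to check the "restrict local user access to Siebel directories" and "audit file permissions, file ownership" items above on UNIX, as an added example that is not part of the Siebel guide or any Oracle tooling. The function name audit_siebel_tree, the script name audit.sh, the output labels, and the rule that any permission bit granted to "other" is a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Siebel directory tree on UNIX for local-access exposure.
# Assumption: Siebel administrators reach the tree through file ownership and
# group membership, so any permission bit granted to "other" is a finding.
#
# Prints one line per finding:
#   NOT-ADMIN-OWNED <path>   owner is not the given Siebel administrator account
#   OTHER-ACCESS <path>      read, write or execute is granted to "other"
# Returns 0 if clean, 1 if there are findings, 2 if the root is not a directory.
audit_siebel_tree() {
    root=$1     # e.g. the Siebel installation root or Siebel File System path
    owner=$2    # Siebel administrator account name or numeric UID

    if [ ! -d "$root" ]; then
        echo "audit_siebel_tree: not a directory: $root" >&2
        return 2
    fi

    # Symbolic links are skipped: their own mode bits are not used for access
    # checks and would otherwise be reported as false positives.
    findings=$(
        find "$root" ! -type l ! -user "$owner" -print |
            sed 's/^/NOT-ADMIN-OWNED /'
        find "$root" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/OTHER-ACCESS /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run as: sh audit.sh <siebel-root> <admin-account>   (audit.sh is a hypothetical name)
if [ "$#" -eq 2 ]; then
    audit_siebel_tree "$1" "$2"
fi
```

The non-zero return on findings lets the check be scheduled and alerted on; path names that contain newlines would be split across output lines.
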
Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.