
Excluding Unsafe File Types from the Siebel File System


You can prevent files with a specific file extension from being saved to the Siebel File System by enabling the File Ext Check system preference. This topic describes how to implement file extension checking, and how to specify the file types you want to exclude from the Siebel File System.

When you select a file type to be excluded, Siebel Application Object Manager components are prevented from adding any files with that file extension to the Siebel File System, including files from external sources, such as Siebel CRM Desktop, or files from a custom integration point which the Enterprise Application Integration (EAI) Application Object Manager might attempt to add.

NOTE:  Enabling file extension checking does not remove existing files. Files with an excluded file extension that were added to the Siebel File System before you implemented file extension checking remain in the system. You must review and remove these existing files manually, if required.

About Potentially Unsafe File Types

The purpose of excluding files with specific file extensions from the Siebel File System is to protect your Siebel CRM implementation from viruses or other malicious code potentially contained in these files. Executable files, such as batch files and program execution files, which are designed to run tasks automatically, are the most obvious types of files you might want to exclude. Table 3 provides a brief list of executable files on Windows and UNIX.

Table 3. Executable Files

Extension    Operating System
bat          Windows
bin          Windows and UNIX
cmd          Windows
com          Windows
csh          UNIX
exe          Windows
inf          Windows
jse          Windows
ksh          UNIX
reg          Windows
run          UNIX
sh           UNIX
vbe          Windows
vbs          Windows

For additional information on unsafe file types, see the following:

  • The Microsoft Support Web site provides information about unsafe file extensions, and it lists the files included in the Unsafe File List used in Internet Explorer. Go to

    http://support.microsoft.com/kb/925330

  • The WinZip Computing Web site provides information on unsafe file types, and it lists the file extensions that WinZip treats as unsafe. Go to

    http://kb.winzip.com/help/winzip/ZipSecurity.htm

Enabling File Extension Checking

Perform the steps in the following procedure to enable file extension checking.

To enable file extension checking

  1. Log in to a Siebel application on the Siebel Server.
  2. Navigate to Administration - Application, and then the System Preferences view.
  3. In the System Preferences list, either query for the system preferences shown in the following table, or create the system preferences if they do not already exist, then enter values similar to those shown.
    System Preference Name: DCK:Flag For File Ext Check

    System Preference Value: Enter either Y or N to indicate whether or not you want to enable file extension checking. The default value is N.

    System Preference Name: DCK:Excluded File Ext

    System Preference Value: Enter the file extensions you want to exclude in the following format:

    file extension1,file extension2,file extensionn

    For example:

    bat,bin,cmd,com,csh,exe,txt,gif,jpg

    You can enter up to 100 characters in the System Preference Value field. If you want to specify additional file extensions to exclude, then create one or more DCK:Excluded File Ext N system preference entries.

    System Preference Name: DCK:Excluded File Ext N

    System Preference Value: If you want to exclude file extensions that cannot be accommodated in the DCK:Excluded File Ext system preference, then use this system preference to specify the additional file extensions.

    • In the System Preference Name field, change the value of N to a number between 1 and 9, starting with 1 and increasing incrementally up to 9 with each additional DCK:Excluded File Ext N entry you create.
    • In the System Preference Value field, enter the additional file extensions you want to exclude in the following format:

      file extension1,file extension2,file extensionn

      You can enter up to 100 characters in the System Preference Value field.

    NOTE:  If the DCK:Excluded File Ext system preference does not exist, the DCK:Excluded File Ext N system preference is not processed.

  4. Stop then restart the Siebel Server for the new system preference values to take effect.
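The following sketch is an added example, not Oracle code. It packs an exclusion list into the system preferences from step 3, honoring the 100-character value limit and the 1 to 9 numbering, and checks an existing set of preferences for the mistakes this procedure warns about. The function names are hypothetical, extensions are lowercased to match the examples on this page, and numbered entries are written as DCK:Excluded File Ext 1, DCK:Excluded File Ext 2, and so on.

```python
FLAG = "DCK:Flag For File Ext Check"
BASE = "DCK:Excluded File Ext"
MAX_LEN = 100  # character limit of the System Preference Value field

# Extensions from Table 3 on this page, used as sample input.
TABLE_3 = "bat bin cmd com csh exe inf jse ksh reg run sh vbe vbs".split()


def pack_preferences(extensions, enable=True):
    """Return {system preference name: value} for a list of extensions."""
    chunks, seen = [""], set()
    for raw in extensions:
        # Lowercasing mirrors the page's examples; it is a choice of this sketch.
        ext = raw.strip().lstrip(".").lower()
        if not ext or ext in seen:
            continue
        if "," in ext or len(ext) > MAX_LEN:
            raise ValueError(f"cannot store extension {raw!r}")
        seen.add(ext)
        joined = f"{chunks[-1]},{ext}" if chunks[-1] else ext
        if len(joined) <= MAX_LEN:
            chunks[-1] = joined
        else:
            chunks.append(ext)  # start the next numbered entry
    if len(chunks) > 10:
        raise ValueError("list exceeds the base entry plus entries 1 to 9")
    prefs = {FLAG: "Y" if enable else "N"}
    # The base entry is always written: without it the numbered ones are not processed.
    for i, value in enumerate(chunks):
        prefs[BASE if i == 0 else f"{BASE} {i}"] = value
    return prefs


def lint_preferences(prefs):
    """Return the problems found in an existing {name: value} mapping."""
    problems = []
    if prefs.get(FLAG, "N") != "Y":
        problems.append("file extension checking is off (flag is not Y)")
    numbered = sorted(n[len(BASE):].strip() for n in prefs
                      if n.startswith(BASE) and n != BASE)
    if numbered and BASE not in prefs:
        problems.append("numbered entries exist without the base entry")
    if numbered != [str(i) for i in range(1, len(numbered) + 1)]:
        problems.append("numbered entries must run 1, 2, ... up to 9")
    problems += [f"{n}: value exceeds {MAX_LEN} characters"
                 for n, v in prefs.items() if n.startswith(BASE) and len(v) > MAX_LEN]
    return problems
```

Calling pack_preferences(TABLE_3) yields a single DCK:Excluded File Ext value; longer lists spill into the numbered entries in order.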

About File Extension Checking on the Siebel Mobile Web Client

You can configure file extension checking on the Siebel Server and on Siebel Mobile Web Clients. To implement new system preference values defined on the Siebel Server on the Siebel Mobile Web Client, synchronize the Siebel Mobile Web Client with the Siebel Server, then stop and restart the Siebel Mobile Web Client.

The file extension checking settings you specify at the Siebel Server level take precedence over Siebel Mobile Web Client settings. For example, if the file extension .exe is among the list of excluded file extensions on the Siebel Server, but is not excluded by the Siebel Mobile Web Client, when the Siebel Web Client connects to the Siebel Server to synchronize the local database, the following occurs:

  • All attachment records with the .exe file extension are rejected for synchronization with the enterprise database
  • A delete operation for each attachment record of type .exe is generated

During the next synchronization session, the delete operations for the rejected attachment records are executed on the Siebel Mobile Web Client and all the attachment records with the extension .exe are deleted.

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.