Siebel CRM Siebel Security Hardening Guide
Siebel Innovation Pack 2015
E24815-01

Securing the Siebel Client

The following general guidelines are applicable for securing all client computers that access Siebel Business Applications. For specific information on security recommendations for mobile clients, see "Securing Mobile Clients".

Deploying Siebel Open UI

You can optionally deploy Siebel Business Applications using the Siebel Open UI. Siebel Open UI is the most secure Siebel CRM client available and is therefore recommended if your Siebel implementation has high-security requirements.

Siebel Open UI has the following characteristics:

  • Limited attack surface. Siebel Open UI renders the client with only three technologies: HTML, CSS, and JavaScript. Because the client depends on this small set of standard technologies and on no browser plug-ins such as ActiveX or Java, it presents the smallest attack surface of the available Siebel clients.

  • Transparent technology. Because the Siebel Open UI client is built entirely on open Web standards, standard inspection tools (browser developer tools, intercepting proxies, and Web vulnerability scanners) can be used to validate the security compliance of your implementation.

  • Compatibility with Data Execution Prevention (DEP) and virtualization. Because the Siebel Open UI client is a scripted client that ships no native code of its own, it is fully compatible with software- or hardware-enforced DEP and with virtualization features.

  • Cookie-only session IDs. Siebel Open UI clients enforce session security by requiring that session IDs are passed only in session cookies. Passing session IDs through the URL (cookieless mode) exposes them in browser history, proxy and Web server logs, and Referer headers sent to other sites, so it is not secure and is not recommended for customer-facing deployments of Siebel Business Applications. Siebel Open UI clients do not support cookieless mode.

For additional information about Siebel Open UI, see Deploying Siebel Open UI and Configuring Siebel Open UI.

Enabling ActiveX Controls for High Interactivity Clients

Siebel Business Applications in high-interactivity mode use ActiveX technology to deliver several features, for example, email client integration. A browser running a high-interactivity application must be enabled to access and use ActiveX controls. You can do one of the following:

  • Allow users to download ActiveX controls on demand from a Web server.

    This option is not preferred because downloading and registering controls on demand requires users to hold the elevated (power-user) permissions that control installation needs.

  • Deploy the required ActiveX controls on users' computers (recommended option).

    If you deploy ActiveX controls on users' computers, then you can configure the client-browser settings to prevent additional ActiveX controls from being downloaded. For information on deploying ActiveX controls, see Siebel System Administration Guide.

If you are not using supported security-setting templates for applicable Web content zones for your Siebel Business Applications in high-interactivity mode, then to enable full functionality related to ActiveX controls you must manually enable the Internet Explorer ActiveX settings. For information on this task, see the chapter on configuring the browser for Siebel Web clients in Siebel System Administration Guide.
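The following PowerShell script is an added example and is not code from the Siebel documentation or from Oracle. It applies the recommended option above: after the required controls have been deployed to the workstation, it disables downloading of any further ActiveX controls in the Internet Explorer zone that holds the Siebel site while still allowing the installed controls to run, and then verifies that the values landed. The host name, the choice of the Trusted Sites zone, and the per-user (HKCU) registry scope are assumptions; the numeric setting names are the standard Internet Explorer URL-action values (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the Siebel documentation): lock down Internet Explorer
# ActiveX download settings for the zone that hosts the Siebel Web Client.
# Assumptions: the Siebel host is hypothetical, it is mapped into the Trusted
# Sites zone (2), and settings are applied for the current user (HKCU).

$Domain    = 'example.com'   # hypothetical domain of the Siebel Web server
$HostLabel = 'siebel'        # hypothetical host name within that domain
$Zone      = 2               # 2 = Trusted Sites, 3 = Internet

$ZoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$MapKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostLabel"

# Desired policy: run the controls already installed, never fetch new ones.
# Value names are the standard IE URL-action identifiers.
$Desired = @{
    '1001' = 3   # Download signed ActiveX controls                     -> Disable
    '1004' = 3   # Download unsigned ActiveX controls                   -> Disable
    '1201' = 3   # Initialize and script controls not marked as safe    -> Disable
    '1200' = 0   # Run ActiveX controls and plug-ins                    -> Enable
    '1405' = 0   # Script ActiveX controls marked safe for scripting    -> Enable
}

# Map https://siebel.example.com into the chosen zone (https only, no http).
New-Item -Path $MapKey -Force | Out-Null
Set-ItemProperty -Path $MapKey -Name 'https' -Value $Zone -Type DWord

# Apply each setting to the zone.
foreach ($name in $Desired.Keys) {
    Set-ItemProperty -Path $ZoneKey -Name $name -Value $Desired[$name] -Type DWord
}

# Verify: report every value that does not match the policy.
$Drift = foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $ZoneKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $Desired[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $Desired[$name]; Actual = $current }
    }
}

if ($Drift) {
    Write-Warning "ActiveX policy drift detected in zone $Zone"
    $Drift
} else {
    "ActiveX download policy applied and verified for zone $Zone"
}
```

In a managed environment, set the same values through Group Policy (the Internet Explorer security zone settings and the Site to Zone Assignment List) rather than by per-user registry writes; the verification loop is still useful to confirm that the policy actually reached a given workstation.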

Encrypting Communications for Web Clients

It is recommended that you secure all communications between the Siebel Web Client and the Web server using TLS, if your Web server supports this protocol. Encryption is not enabled by default. For additional information, see "Enabling Encryption Between the Web Client Browser and Web Server".
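The following PowerShell check is added here and is not part of the Siebel documentation. Run from a workstation, it verifies that the recommendations above and in "Deploying Siebel Open UI" hold for a given entry point: plaintext HTTP is refused or redirected to HTTPS, the server negotiates TLS with a certificate the client trusts, and the session is established through Secure and HttpOnly cookies rather than a session ID in the URL. The URL is hypothetical, TLS 1.2 is the script's own minimum threshold, and treating the `_sn` query parameter as the Siebel session ID is an assumption.

```powershell
# Added example (not from the Siebel documentation): check that a Siebel Web
# Client entry point enforces TLS and cookie-based session handling.
# Assumptions: the URL is hypothetical; '_sn' is treated as the Siebel
# session-ID query parameter; TLS 1.2 is the minimum version accepted here.
param(
    [string]$AppUrl = 'https://siebel.example.com/callcenter_enu/start.swe'
)

Add-Type -AssemblyName System.Net.Http
$uri     = [System.Uri]$AppUrl
$results = [ordered]@{ Url = $AppUrl }

# Do not follow redirects, and keep Set-Cookie visible on the raw response.
$handler = [System.Net.Http.HttpClientHandler]::new()
$handler.AllowAutoRedirect = $false
$handler.UseCookies        = $false
$client  = [System.Net.Http.HttpClient]::new($handler)

# 1. Plaintext HTTP must not serve the application: accept only a refused
#    connection, an error status, or a redirect to an https:// URL.
$httpUrl = 'http://{0}{1}' -f $uri.Host, $uri.PathAndQuery
try {
    $r       = $client.GetAsync($httpUrl).GetAwaiter().GetResult()
    $code    = [int]$r.StatusCode
    $toHttps = ($code -ge 300 -and $code -lt 400 -and $r.Headers.Location -and
                $r.Headers.Location.Scheme -eq 'https')
    $results.HttpBlocked = $toHttps -or ($code -ge 400)
} catch {
    $results.HttpBlocked = $true   # nothing answered on port 80
}

# 2. TLS handshake: record the negotiated protocol and whether the certificate
#    chain validates against the workstation's trust store.
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)
    $results.TlsProtocol   = $ssl.SslProtocol.ToString()
    $results.TlsMinimumMet = ($ssl.SslProtocol -ge [System.Security.Authentication.SslProtocols]::Tls12)
    $results.CertTrusted   = $true
    $ssl.Close(); $tcp.Close()
} catch {
    $results.TlsProtocol   = 'handshake failed: ' + $_.Exception.Message
    $results.TlsMinimumMet = $false
    $results.CertTrusted   = $false
}

# 3. Session handling: every cookie set by the entry point must be Secure and
#    HttpOnly, and neither the request URL nor a redirect target may carry the
#    session ID as a query parameter (cookieless mode).
$resp       = $client.GetAsync($AppUrl).GetAwaiter().GetResult()
$setCookies = @()
if ($resp.Headers.Contains('Set-Cookie')) { $setCookies = @($resp.Headers.GetValues('Set-Cookie')) }
$weak = @($setCookies | Where-Object { $_ -notmatch '(?i);\s*Secure\b' -or $_ -notmatch '(?i);\s*HttpOnly\b' })
$results.CookiesSet      = $setCookies.Count
$results.CookiesHardened = ($setCookies.Count -gt 0) -and ($weak.Count -eq 0)
$redirect = if ($resp.Headers.Location) { $resp.Headers.Location.ToString() } else { '' }
$results.SessionIdInUrl  = ("$AppUrl $redirect") -match '(?i)[?&]_sn='

[pscustomobject]$results
```

A deployment that follows this chapter's guidance reports HttpBlocked, TlsMinimumMet, CertTrusted and CookiesHardened as True and SessionIdInUrl as False; any other combination points at the Web server or Siebel Web Server Extension setting that still needs to be corrected.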

Providing Physical Security for the Client Device

The physical security of the client device is handled outside of Siebel Business Applications. You can use utilities that provide computer-level security by enforcing computer passwords or encrypting the computer hard drive. Most leading handheld devices have user-enabled passwords.

It is recommended that you use two-factor authentication (for example, RSA SecurID) for access to network components; this is a security process that confirms user identities using something users have and something they know. Requiring two different forms of electronic identification reduces the risk of fraud and protects against attacks on the password alone, such as guessing or credential theft.

Defining a Policy for Unattended Personal Computer Sessions

Users should not leave workstations unattended while they are logged in to Siebel Business Applications; doing so makes their computer potentially accessible to unauthorized users. Define a corporate policy for handling unattended PC sessions. Oracle recommends using password-locked screen saver features on all PCs.

Keeping Browser Software Updated

Update browser software when new versions are released; new releases often include additional security features. If you are using Internet Explorer, then check the Microsoft Web site for the latest browser security patches.

Certain features and functions in Siebel Business Applications work in conjunction with security or other settings on the Web browser. Some of the security features provided by supported browsers and operating systems are not supported when used with Siebel Business Applications.


Detailed information about the browser settings used in deploying Siebel clients is provided in Siebel System Administration Guide. For more information about the settings in your Web browser, see the documentation that came with your browser.

Updating Security Patches

To protect against malicious software (malware), apply security patches provided by the desktop operating system provider on a regular basis. The same is true of patches released by antivirus software suppliers, and by companies that provide other third-party software products supported by Siebel Business Applications.