Siebel CRM Siebel Security Hardening Guide
Siebel Innovation Pack 2016
E24815-01
Securing the Siebel File System

The Siebel File System consists of a shared directory that is network-accessible to the Siebel Server and contains physical files used by Siebel Business Applications. The Siebel File System stores documents, images, and other types of file attachments.

Requests for access to the Siebel File System by Siebel user accounts are processed by Siebel Servers, which then use the File System Manager (FSM) server component to access the Siebel File System. FSM processes these requests by interacting with the Siebel File System directory. Siebel Remote components also access the Siebel File System directly. Other server components access the Siebel File System through FSM.

A Siebel proprietary algorithm that compresses files in the Siebel File System prevents direct access to files from outside the Siebel application environment in addition to providing a means of encrypting files. This algorithm is used at the Siebel Server level and appends the extension .saf to compressed files. These compressed files are decompressed before users or applications access them. Users access decompressed files through the Web client. You cannot disable use of this algorithm. For more information about the Siebel File System, see Siebel System Administration Guide.

To provide additional security for the Siebel File System, implement the following recommendations:

Assigning Rights to the Siebel File System

This topic describes how to restrict access rights to the Siebel File System directory to the Siebel service owner and the administrator.

The processes and components of the Siebel Server use the Siebel service owner account to operate. Do not give the Siebel service owner account permission to access any directory other than the Siebel File System directory and the Siebel Server directories.


Note:

If Active Directory authentication is implemented, then all users require read, execute, and modify permissions on the Siebel File System \userpref directory to save their user preferences. In this case, when assigning rights to the Siebel File System, assign read, execute, and modify permissions on the overall Siebel File System directory and on the \userpref directory to everyone, then restrict access to all other directories in the Siebel File System to the administrator and the Siebel service owner.

The following procedures describe how to assign rights to the Siebel File System on Windows and UNIX platforms.

Assigning Rights to the Siebel File System on Windows

Use the following procedure to assign the appropriate rights to the Siebel File System on Windows.

To assign the appropriate rights to the Siebel File System on Windows  

  1. In Windows Explorer, navigate to the Siebel CRM directory, for example, SBA_82.

  2. Right-click the Siebel CRM directory, and select the Sharing and Security option.

  3. Click the Security tab.

  4. Select the Advanced option.

  5. Deselect the Inherit from parent permissions check box.

  6. When prompted, select the Remove option.

  7. Check the Replace permission entries on all child objects option.

  8. Click Add and assign full control permissions to administrators and the Siebel Service account. Administrators require full rights on the Siebel File System to perform backup or recovery tasks.


    Note:

    If Active Directory authentication is implemented in your environment, then assign read, execute, and modify permissions to all other users.

  9. Click OK.

    The file permissions are replicated on all child objects.

  10. (Active Directory Only) In an Active Directory authentication environment, for each directory in the Siebel File System except the \userpref directory, remove all permissions for user accounts, except for the administrator and the Siebel Service user accounts.

  11. Repeat this procedure for the Document Server directory. Assign file system rights through the Microsoft Management Console and the security template snap-in.

Assigning Rights to the Siebel File System on UNIX

Use the following procedure to assign the appropriate rights to the Siebel File System on UNIX.

To assign the appropriate rights to the Siebel File System on UNIX  

  1. Log in as root to the file system server.

  2. Using the appropriate administrative tools for your UNIX operating system, verify that only the Siebel Service account and the Siebel administrator have read, write, and execute permissions to the Siebel File System directory; remove permissions to the Siebel File System directory for all other users.

    For example, run the following command to remove all permissions (read, write, and execute) to the Siebel File System directory for all users and groups except the owner of the Siebel File System directory (Siebel Service account):

    chmod -R go-rwx FileSystemDirectory
    

    where FileSystemDirectory is the name of the Siebel File System directory.
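The following script is an added example, not part of this guide or of the Siebel product. It applies the same change as chmod -R go-rwx with Python's os module and then walks the directory to report anything that still grants group or other access, is owned by an account other than the expected Siebel Service account, or is a symbolic link (the symbolic-link check is an additional precaution assumed here, not a requirement stated in the guide). The directory it builds under a temporary path is constructed sample data; against a real Siebel File System, run audit_permissions on the actual FileSystemDirectory as root or as the Siebel Service account after completing the procedure above.

```python
"""Audit and harden Siebel File System permissions on UNIX (added example).

Hypothetical helper, not Siebel code: strip_group_other() does what
`chmod -R go-rwx FileSystemDirectory` does, and audit_permissions()
verifies the result so the check can be repeated after backups or patches.
"""
from __future__ import annotations

import os
import stat
import tempfile

GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO   # rwx bits for group and other


def _entries(root: str):
    """Yield every path under root, including root itself, without following symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def strip_group_other(root: str) -> int:
    """Remove group/other permission bits under root (like chmod -R go-rwx).

    Returns the number of entries whose mode was changed.
    """
    changed = 0
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue                      # do not chmod whatever the link points to
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER_BITS:
            os.chmod(path, mode & ~GROUP_OTHER_BITS)
            changed += 1
    return changed


def audit_permissions(root: str, expected_uid: int | None = None) -> list[str]:
    """Return one finding per entry that is group/other accessible, wrongly owned, or a symlink."""
    findings = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            # Assumed extra check: a link could point outside the file system directory.
            findings.append(f"{path}: symbolic link inside the file system directory")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append(f"{path}: mode {mode:04o} grants group/other access")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def demo() -> tuple[int, int, list[str]]:
    """Constructed demo: build a small tree with lax modes, audit, harden, audit again.

    Returns (findings before hardening, entries changed, findings after hardening).
    """
    root = tempfile.mkdtemp(prefix="siebelfs_")       # stand-in for FileSystemDirectory
    att = os.path.join(root, "att")
    os.mkdir(att)
    with open(os.path.join(att, "doc1.saf"), "wb") as fh:
        fh.write(b"constructed sample attachment")
    os.chmod(root, 0o755)                              # deliberately lax starting modes
    os.chmod(att, 0o775)
    os.chmod(os.path.join(att, "doc1.saf"), 0o664)
    me = os.getuid()
    before = len(audit_permissions(root, expected_uid=me))
    changed = strip_group_other(root)
    after = audit_permissions(root, expected_uid=me)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print(f"findings before: {before}, entries hardened: {changed}, "
          f"findings after: {after or 'none'}")
```

Because os.walk does not follow symbolic links and the script uses lstat, a link planted inside the directory is reported rather than silently traversed; ownership is compared by uid, so pass the uid of the Siebel Service account when auditing as root.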

Excluding Unsafe File Types from the Siebel File System

You can prevent files with a specific file extension from being saved to the Siebel File System by enabling the File Ext Check system preference. This topic describes how to implement file extension checking, and how to specify the file types you want to exclude from the Siebel File System.

When you select a file type to be excluded, Siebel Application Object Manager components are prevented from adding any files with that file extension to the Siebel File System, including files from external sources, such as Siebel CRM Desktop, or files from a custom integration point which the Enterprise Application Integration (EAI) Application Object Manager might attempt to add.


Note:

Files with file extensions that you choose to exclude that are added to the Siebel File System before you implement file extension checking are not removed from the system. You must review and remove these existing files manually, if required.

About Potentially Unsafe File Types

The purpose of excluding files with specific file extensions from the Siebel File System is to protect your Siebel CRM implementation from viruses or other malicious code potentially contained in these files. Executable files, such as batch files and program execution files, which are designed to run tasks automatically, are the most obvious types of files you might want to exclude. Table 4-1 provides a brief list of executable files on Windows and UNIX.

Table 4-1 Executable Files

    Extension    Operating System
    ---------    ----------------
    bat          Windows
    bin          Windows and UNIX
    cmd          Windows
    com          Windows
    csh          UNIX
    exe          Windows
    inf          Windows
    jse          Windows
    ksh          UNIX
    reg          Windows
    run          UNIX
    sh           UNIX
    vbe          Windows
    vbs          Windows


For additional information on unsafe file types, see the following:

Enabling File Extension Checking

Perform the steps in the following procedure to enable file extension checking.

To enable file extension checking  

  1. Log in to a Siebel application on the Siebel Server.

  2. Navigate to Administration - Application, and then the System Preferences view.

  3. In the System Preferences list, either query for the system preferences shown in the following table, or create the system preferences if they do not already exist, then enter values similar to those shown.

    Table 4-2 System Preferences List

    System Preference Name: DCK:Flag For File Ext Check

    System Preference Value: Enter either Y or N to indicate whether or not you want to enable file extension checking. The default value is N.

    System Preference Name: DCK:Excluded File Ext

    System Preference Value: Enter the file extensions you want to exclude in the following format:

    file extension1,file extension2,file extensionn

    For example:

    bat,bin,cmd,com,csh,exe,txt,gif,jpg

    You can enter up to 100 characters in the System Preference Value field. If you want to specify additional file extensions to exclude, then create one or more DCK:Excluded File Ext N system preference entries.

    System Preference Name: DCK:Excluded File Ext N

    System Preference Value: If you want to exclude file extensions that cannot be accommodated in the DCK:Excluded File Ext system preference, then use this system preference to specify the additional file extensions.

    • In the System Preference Name field, change the value of N to a number between 1 and 9, starting with 1 and increasing incrementally up to 9 with each additional DCK:Excluded File Ext N entry you create.

    • In the System Preference Value field, enter the additional file extensions you want to exclude in the following format:

    file extension1,file extension2,file extensionn

    You can enter up to 100 characters in the System Preference Value field.

    Note that if the DCK:Excluded File Ext system preference does not exist, the DCK:Excluded File Ext N system preference is not processed.


  4. Stop then restart the Siebel Server for the new system preference values to take effect.
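The following script is an added example and is not Siebel code; it models the rules stated in the procedure above (the Y/N flag, the comma-separated list, the 100-character limit on the System Preference Value field, the DCK:Excluded File Ext 1 through 9 overflow entries, and the rule that those entries are not processed when DCK:Excluded File Ext is absent) so that a planned configuration can be checked before it is entered and the server is restarted. Three details are assumptions made here rather than statements of the guide: extensions are compared case-insensitively, the extension is taken as the text after the last dot in the file name, and numbered entries are read in order starting at 1 and reading stops at the first missing number. The sample preferences are constructed and reuse the extension list shown in Table 4-2.

```python
"""Model of the DCK:* file extension exclusion preferences (added example).

Hypothetical helper, not Siebel product code. It answers two questions an
administrator has before restarting the server: is the planned set of
system preferences valid, and which attachments will it refuse?
"""
from __future__ import annotations

FLAG_PREF = "DCK:Flag For File Ext Check"
BASE_PREF = "DCK:Excluded File Ext"
MAX_VALUE_LEN = 100     # limit of the System Preference Value field
MAX_OVERFLOW = 9        # DCK:Excluded File Ext 1 .. 9


def parse_ext_list(value: str) -> set[str]:
    """Split 'bat,bin,cmd' into a set of lowercase extensions without leading dots."""
    exts = set()
    for token in value.split(","):
        token = token.strip().lstrip(".").lower()
        if token:
            exts.add(token)
    return exts


def validate_prefs(prefs: dict[str, str]) -> list[str]:
    """Return configuration problems to fix before saving the preferences."""
    problems = []
    for name, value in prefs.items():
        if name.startswith(BASE_PREF) and len(value) > MAX_VALUE_LEN:
            problems.append(f"{name}: value is {len(value)} characters, limit is {MAX_VALUE_LEN}")
    if BASE_PREF not in prefs and any(n.startswith(BASE_PREF + " ") for n in prefs):
        problems.append(f"{BASE_PREF} is missing, so the numbered entries are not processed")
    return problems


def excluded_extensions(prefs: dict[str, str]) -> set[str]:
    """Effective exclusion set; empty when checking is off or the base entry is missing."""
    if prefs.get(FLAG_PREF, "N").strip().upper() != "Y":
        return set()
    if BASE_PREF not in prefs:
        return set()        # numbered entries are ignored without the base entry
    exts = parse_ext_list(prefs[BASE_PREF])
    # Assumption: entries are read in order 1..9 and reading stops at the first gap.
    for n in range(1, MAX_OVERFLOW + 1):
        name = f"{BASE_PREF} {n}"
        if name not in prefs:
            break
        exts |= parse_ext_list(prefs[name])
    return exts


def file_extension(filename: str) -> str:
    """Extension after the last dot of the base name, lowercased; '' when there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base or base.endswith("."):
        return ""
    return base.rsplit(".", 1)[1].lower()   # assumption: case-insensitive match


def is_blocked(filename: str, prefs: dict[str, str]) -> bool:
    """True when an attachment with this name would be refused by the configured list."""
    return file_extension(filename) in excluded_extensions(prefs)


# Constructed sample preferences; the first list is the example from Table 4-2.
SAMPLE_PREFS = {
    FLAG_PREF: "Y",
    BASE_PREF: "bat,bin,cmd,com,csh,exe,txt,gif,jpg",
    BASE_PREF + " 1": "inf,jse,ksh,reg,run,sh,vbe,vbs",
}

if __name__ == "__main__":
    for problem in validate_prefs(SAMPLE_PREFS):
        print("config problem:", problem)
    for name in ("invoice.pdf", "setup.EXE", "report.pdf.exe", "script.sh", "README"):
        print(f"{name:16} blocked={is_blocked(name, SAMPLE_PREFS)}")
```

Because the check is by extension only, a file whose content is executable but whose name carries an allowed extension is not caught by this mechanism; the extension list is a complement to, not a replacement for, antivirus scanning of the Siebel File System.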

About File Extension Checking on the Siebel Mobile Web Client

You can configure file extension checking on the Siebel Server and on Siebel Mobile Web Clients. To implement new system preference values defined on the Siebel Server on the Siebel Mobile Web Client, synchronize the Siebel Mobile Web Client with the Siebel Server, then stop and restart the Siebel Mobile Web Client.

The file extension checking settings you specify at the Siebel Server level take precedence over Siebel Mobile Web Client settings. For example, if the file extension .exe is among the list of excluded file extensions on the Siebel Server, but is not excluded by the Siebel Mobile Web Client, when the Siebel Web Client connects to the Siebel Server to synchronize the local database, the following occurs:

  • All attachment records with the .exe file extension are rejected for synchronization with the enterprise database

  • A delete operation for each attachment record of type .exe is generated

During the next synchronization session, the delete operations for the rejected attachment records are executed on the Siebel Mobile Web Client and all the attachment records with the extension .exe are deleted.