Securing the Operating Systems

This topic contains recommendations for securing your operating system. Securing your operating system contributes to the overall level of security that applies to your Siebel Business Applications.

Securing operating systems is the first step towards safeguarding the Siebel Business Applications deployment from intrusion. Workstations and servers are typically installed with a multitude of development tools and utilities. Securing an operating system involves the removal of all nonessential tools, utilities, and other system administration options. This process also requires that all appropriate security features are activated and configured correctly, and includes the following tasks:

• Protecting files and resources

• Restricting accounts and services to those who need them

• Applying and maintaining patches and product updates

• Performing maintenance activities, such as running security software

Note: Before implementing the security recommendations for operating systems described in this chapter, perform all the security steps outlined in your operating system documentation. Security guidelines for operating systems are generally available on vendor Web sites.

Protecting Files and Resources

Protect files and resources in your operating system environment as follows:

• Set up access restrictions to executable files, data files, Web pages, directories, and administrative tools as follows:

  • On each server that is a part of a Siebel deployment, restrict local user access to Siebel directories to Siebel administrators only. This restriction prevents insiders with access to the computer, but without Siebel administrator privileges, from accessing sensitive information that can be used to gain, or elevate Siebel privileges, thereby allowing more significant security violations to occur.

  • For Siebel deployments that store highly sensitive data or that have other high-security requirements, it is recommended that you encrypt the Siebel File System and all server disks containing Siebel Business Applications data, either using third-party products or encryption features provided by your operating system.

  • If you configure Siebel-specific environment variables that include sensitive data on a computer hosting a module in a Siebel deployment, for example, if you have implemented a Siebel Product Configuration Application Object Manager on a dedicated Siebel Server, then encrypting the server disks is also recommended.

    For information on deploying the Siebel Configurator, see Siebel Deployment Planning Guide. For information on setting Siebel-specific environment variables, see Siebel System Administration Guide.

• Audit file permissions, file ownership, and file access.

• Restrict access to accounts and services.

  Controlling access is an important element in maintaining security. The most secure environments follow the least-privilege principle, which grants users the least amount of access that still enables them to complete their required work. Set up hosts to allow only those services (ports) that are necessary and run only with the fewest possible services. Eliminate services with known vulnerabilities.

• Run the checksum utility on system files when installed and check for Trojan malware frequently. (A Trojan is software that appears legitimate but which contains malicious code that is used to cause damage to your computer.) Check user file systems for vulnerabilities and improper access controls.

• Verify operating system accounts and make sure they have passwords that are difficult to guess.

• Automatically disable accounts after several failed login attempts.

• (UNIX) Limit root access.

• Manage user accounts:

  • Do not share user accounts.

  • Remove or disable user accounts upon termination.

  • Require strong passwords.

  • (Windows) Disable automatic logon.

  • (UNIX) Use a restricted shell.

  • (UNIX) Disable login for well-known accounts that do not need direct login access (bin, daemon, sys, uucp, lp, adm).

• Restrict guest accounts:

  • As with any account, create a guest account only for the time required and remove the account when it is no longer required.

  • Use a non-standard account name for the account; avoid the name guest.

  • Use a strong password.

  • (UNIX) Use a restricted shell. If reasonable, give the account an 077 unmask.

Securing the Siebel File System

The Siebel File System consists of a shared directory that is network-accessible to the Siebel Server and contains physical files used by Siebel Business Applications. The Siebel File System stores documents, images, and other types of file attachments.

Requests for access to the Siebel File System by Siebel user accounts are processed by Siebel Servers, which then use the File System Manager (FSM) server component to access the Siebel File System. FSM processes these requests by interacting with the Siebel File System directory. Siebel Remote components also access the Siebel File System directly. Other server components access the Siebel File System through FSM.

A Siebel proprietary algorithm that compresses files in the Siebel File System prevents direct access to files from outside the Siebel application environment in addition to providing a means of encrypting files. This algorithm is used at the Siebel Server level and appends the extension .saf to compressed files. These compressed files are decompressed before users or applications access them. Users access decompressed files through the Web client. You cannot disable use of this algorithm. For more information about the Siebel File System, see Siebel System Administration Guide.

To provide additional security for the Siebel File System, implement the following recommendations:

• When creating the shared directory for the Siebel File System, append a dollar sign ($) to the end of the share name; this hides the shared directory on the network. For example:

  \\servername\siebelfs$
  

• Use third-party utilities to encrypt the file system or individual folders within the file system.

• Make sure that the Siebel application does not provide direct user access to the Siebel File System by restricting access rights to the Siebel File System directory to the Siebel service owner and the administrator. For information, see "Assigning Rights to the Siebel File System".

• Restrict the types of files that can be saved in the Siebel File System as described in "Excluding Unsafe File Types from the Siebel File System".

Assigning Rights to the Siebel File System

This topic describes how to restrict access rights to the Siebel File System directory to the Siebel service owner and the administrator.

The processes and components of the Siebel Server use the Siebel service owner account to operate. Do not give the Siebel service owner account permission to access any directory other than the Siebel File System directory and the Siebel Server directories.

The following procedures describe how to assign rights to the Siebel File System on Windows and UNIX platforms.

Assigning Rights to the Siebel File System on Windows

Use the following procedure to assign the appropriate rights to the Siebel File System on Windows.

To assign the appropriate rights to the Siebel File System on Windows  

1. In Windows Explorer, navigate to the Siebel CRM directory, for example, SBA_82.

2. Right-click the Siebel CRM directory, and select the Sharing and Security option.

3. Click the Security tab.

4. Select the Advanced option.

5. Deselect the Inherit from parent permissions check box.

6. When prompted, select the Remove option.

7. Check the Replace permission entries on all child objects option.

8. Click Add and assign full control permissions to administrators and the Siebel Service account. Administrators require full rights on the Siebel File System to perform backup or recovery tasks

9. Click OK.

   The file permissions are replicated on all child objects.

10. Repeat this procedure for the Document Server directory. Assign file system rights through the Microsoft Management Console and the security template snap-in.

Assigning Rights to the Siebel File System on UNIX

Use the following procedure to assign the appropriate rights to the Siebel File System on UNIX.

To assign the appropriate rights to the Siebel File System on UNIX  

1. Log in as root to the file system server.

2. Using the appropriate administrative tools for your UNIX operating system, verify that only the Siebel Service account and the Siebel administrator have read, write, and execute permissions to the Siebel File System directory; remove permissions to the Siebel File System directory for all other users.

   For example, run the following command to remove all permissions (read, write, and execute) to the Siebel File System directory for all users and groups except the owner of the Siebel File System directory (Siebel Service account):

   chmod -R go-rwx FileSystemDirectory
   

   where FileSystemDirectory is the name of the Siebel File System directory.

Excluding Unsafe File Types from the Siebel File System

You can prevent files with a specific file extension from being saved to the Siebel File System by enabling the File Ext Check system preference. This topic describes how to implement file extension checking, and how to specify the file types you want to exclude from the Siebel File System.

When you select a file type to be excluded, Siebel Application Object Manager components are prevented from adding any files with that file extension to the Siebel File System, including files from external sources, such as Siebel CRM Desktop, or files from a custom integration point which the Enterprise Application Integration (EAI) Application Object Manager might attempt to add.

Note: Files with file extensions that you choose to exclude that are added to the Siebel File System before you implement file extension checking are not removed from the system. You must review and remove these existing files manually, if required.

About Potentially Unsafe File Types

The purpose of excluding files with specific file extensions from the Siebel File System is to protect your Siebel CRM implementation from viruses or other malicious code potentially contained in these files. Executable files, such as batch files and program execution files, which are designed to run tasks automatically, are the most obvious types of files you might want to exclude. Table C-1 provides a brief list of executable files on Windows and UNIX.

Table C-1 Executable Files

Extension	Operating System
bat	Windows
bin	Windows and UNIX
cmd	Windows
com	Windows
csh	UNIX
exe	Windows
inf	Windows
jse	Windows
ksh	UNIX
reg	Windows
run	UNIX
sh	UNIX
vbe	Windows
vbs	Windows

For additional information on unsafe file types, see the following:

• The Microsoft Support Web site provides information about unsafe file extensions, and it lists the files included in the Unsafe File List used in Internet Explorer. Go to

  http://support.microsoft.com/kb/925330

• The WinZip Computing Web site provides information on unsafe file types, and it lists the file extensions that WinZip treats as unsafe. Go to

  http://kb.winzip.com/help/winzip/ZipSecurity.htm

Enabling File Extension Checking

Perform the steps in the following procedure to enable file extension checking.

To enable file extension checking  

1. Log in to a Siebel application on the Siebel Server.

2. Navigate to Administration - Application, and then the System Preferences view.

3. In the System Preferences list, either query for the system preferences shown in Table C-2, or create the system preferences if they do not already exist, then enter values similar to those shown.

4. Stop then restart the Siebel Server for the new system preference values to take effect.

Table C-2 System Preferences List

System Preference Name	System Preference Value
DCK:Flag For File Ext Check	Enter either Y or N to indicate whether or not you want to enable file extension checking. The default value is N.
DCK:Excluded File Ext	Enter the file extensions you want to exclude in the following format: file extension1,file extension2,file extensionn For example: bat,bin,cmd,com,csh,exe,txt,gif,jpg You can enter up to 100 characters in the System Preference Value field. If you want to specify additional file extensions to exclude, then create one or more DCK:Excluded File Ext N system preference entries.
DCK:Excluded File Ext N	If you want to exclude file extensions that cannot be accommodated in the DCK:Excluded File Ext system preference, then use this system preference to specify the additional file extensions. In the System Preference Name field, change the value of N to a number between 1 and 9, starting with 1 and increasing incrementally up to 9 with each additional DCK:Excluded File Ext N entry you create. In the System Preference Value field, enter the additional file extensions you want to exclude in the following format: file extension1,file extension2,file extensionn You can enter up to 100 characters in the System Preference Value field. Note that if the DCK:Excluded File Ext system preference does not exist, the DCK:Excluded File Ext N system preference is not processed.

About File Extension Checking on the Siebel Mobile Web Client

You can configure file extension checking on the Siebel Server and on Siebel Mobile Web Clients. To implement new system preference values defined on the Siebel Server on the Siebel Mobile Web Client, synchronize the Siebel Mobile Web Client with the Siebel Server, then stop and restart the Siebel Mobile Web Client.

The file extension checking settings you specify at the Siebel Server level take precedence over Siebel Mobile Web Client settings. For example, if the file extension .exe is among the list of excluded file extensions on the Siebel Server, but is not excluded by the Siebel Mobile Web Client, when the Siebel Web Client connects to the Siebel Server to synchronize the local database, the following occurs:

• All attachment records with the .exe file extension are rejected for synchronization with the enterprise database

• A delete operation for each attachment record of type .exe is generated

During the next synchronization session, the delete operations for the rejected attachment records are executed on the Siebel Mobile Web Client and all the attachment records with the extension .exe are deleted.

Assigning Rights to the Siebel Service Owner Account

Siebel Business Applications are installed using the Siebel service owner account. This account must belong to the Windows domain of the Siebel Enterprise Server (Windows environments) or to the users group of the Siebel Enterprise Server (UNIX environments) and must have full write permissions to the Siebel File System.

Implement the following recommendations for the Siebel service owner account:

• Make sure a strong password has been set for the Siebel service owner account.

  For information on changing the password for the Siebel service owner account, see Chapter 3, "Changing and Managing Passwords".

• Set the user account policy to lock the account after three unsuccessful login attempts.

• Assign appropriate rights for the account as described in the following procedures.

For information on creating the Siebel service owner accounts, see Siebel Installation Guide for the operating system you are using.

Assigning Rights to the Siebel Service Owner Account on Windows

The following procedure describes how to assign rights for the Siebel service owner account on Windows.

To assign appropriate rights to the Siebel service owner account on Windows  

1. From the Start menu, select Settings, Control Panel, Administrative Tools, and then choose Local Security Policy.

2. Select Local Policies.

3. Click User Rights Assignments.

4. Assign the following rights to the Siebel service owner account:

   • Act as part of the operating system

   • Lock pages in memory

   • Bypass traverse checking

   • Log on as a service

   • Replace a process level token

   • Deny logon locally

   Do not assign Siebel service owner accounts any rights other than those listed. Siebel Service accounts must belong only to the Local Users Group. Use the local security policy editor to assign user rights for Siebel service owner accounts.

Assigning Rights to the Siebel Service Owner Account on UNIX

The following procedure describes how to assign rights for the Siebel service owner account in a UNIX environment.

To assign appropriate rights for the Siebel service owner account on UNIX  

1. Log in as root on the Siebel application server.

2. Using the appropriate administrative tools for your UNIX operating system, for example, the System Management Interface Tool (AIX) or the Admintool (Oracle Solaris), select the user who runs the Siebel service.

3. Check that the Siebel service does not run as the root user.

Note: You must set the execute bit for the /siebsrvr/webmaster directory for the Siebel service to function. The Siebel service account requires permission to execute the netstat command to perform the installation successfully. Otherwise, the installation fails.

Applying Patches and Updates

Keep track of updates, service packs, hot fixes, and patches. Evaluate the need for patches before installing them on production systems. Test patches on development or staging systems, not on production systems, because security patches can disable services or introduce additional vulnerabilities. Set up a process for testing and implementing any updates for Siebel CRM that are released. See the Oracle Critical Patch Updates and Security Alerts Web site at

http://www.oracle.com/technetwork/topics/security/alerts-086861.html