Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

Securing Siebel Business Applications

This topic describes how to protect Siebel Business Applications by configuring the security features. It includes the following topics:

About Securing Applications

Securing applications requires analysis, monitoring, and testing. Protecting applications is crucial because an attacker who has taken over an application can execute commands with the privileges of that application. Often application-to-application security is minimal and privileges are high because these are assumed to be trusted sources. Many applications run with superuser (root) privileges, which increases the risk of serious damage if a vulnerability is exploited.

Web applications are the leading entry point for most attackers and have more vulnerabilities than other applications. Web server and application server configurations play a key role in the security of a Web application. These servers are responsible for serving content and calling applications that generate content. In addition, many application servers provide several services that Web applications can use, including data storage, directory services, email, messaging, and so on.

Several server-configuration problems can threaten a Web site, for example:

  • Server-software configurations that permit directory listing and directory traversal attacks

  • Unnecessary default, backup, or sample files including scripts, applications, configuration files and Web pages

  • Improper file and directory permissions

  • Unnecessary services enabled, including content management and remote administration

  • Default accounts and passwords

  • Administrative or debugging functions that are enabled or accessible

  • Poorly configured TLS certificates and encryption settings

  • Use of self-signed certificates to achieve authentication

  • Use of default certificates

You can detect many of these problems with security-scanning tools. These configuration problems can compromise a Web application and successful attacks can also result in the compromise of back-end applications, including databases and corporate networks.

A strong Web application is typically deployed on a secure host (server) in a secure network using secure design and deployment guidelines. Because of the dependencies on the network environment, Web application security must be addressed in multiple layers, including securing the network, host, and application.

Guidelines for Deploying Siebel Business Applications

This topic provides guidelines for minimizing security vulnerabilities when deploying Siebel Business Applications. Consider the following:

  • Verify that the environment in which Siebel Business Applications is to be deployed is secure. Verify that the underlying platform (operating system, Web server, and database server) upon which Siebel Business Applications reside or are connected to has been secured using the respective vendor's security guides and has been checked against your organization's security policy.

  • Do not configure an email relay service or other communications service on any of the computers where Siebel Business Applications reside. If email is needed, then permit only outgoing email to notify administrators of any critical events. With applications such as Siebel Email Marketing, configure the Siebel Server to forward the emails to an email relay service on another server in the demilitarized zone, which can forward the emails to the appropriate destination. For additional information, see Siebel Marketing Installation and Administration Guide.

  • Enforce a server-management policy. For example, system administrators log in to servers using their respective personal user IDs and passwords (with administrative privileges) instead of the default administrator accounts.

  • Delete optional learning aids. For example, delete the sample Siebel database and demo data. For information on deleting the sample Siebel database, see Siebel Installation Guide for the operating system you are using.

  • Disable or uninstall optional Siebel Business Applications components that are not required in your environment. For information, see "About Disabling Siebel Components".

  • Install application-specific patches. For additional information on the patches available with Siebel Business Applications, see "Critical Patch Updates for Siebel Business Applications".

  • Store all application-specific files in a directory. Limit the attack surface to this directory and any subdirectories it contains.

  • Add application-layer authentication.

About Disabling Siebel Components

Most of the components required to run Siebel Business Applications are common to all Siebel Business Applications. However, the components that are required in a specific Siebel environment vary according to factors such as the following:

  • Whether mobile clients are supported.

  • The features provided by the Siebel application, for example, Siebel Sales uses a number of components that are not required by applications such as Oracle's Siebel Marketing or Oracle's Siebel Employee Relationship Management application.

During the Siebel Server configuration process, you specify the components and component groups you want to enable for a Siebel Server. It is not necessary to run all components on all Siebel Servers in an Enterprise. Verify that only the components or component groups you require on each Siebel Server are enabled; disable or unassign component groups that are not required.

The following are some examples of Siebel Server components that do not have to be enabled on all Siebel Servers in an Enterprise:

  • SvrTblCleanup. The SvrTblCleanup component deletes completed and expired Server Request records for all Siebel Servers in a Siebel Enterprise from the S_SRM_REQUEST table. Enable this component on only one Siebel Server in a Siebel Enterprise.

  • SCBroker. Disable the SCBroker component on Siebel Servers that host only batch mode components, for example, Workflow components.

  • SRProc. Disable the Server Request Processor (alias SRProc) component on Siebel Servers that run only Application Object Manager components and that do not run batch mode components.

Components can be disabled using the Siebel Administration - Server screens or the srvrmgr command-line interface. For information on enabling and disabling components, see Siebel System Administration Guide.

About User Authentication

Siebel Business Applications have an open authentication architecture that integrates with your selected authentication infrastructure. Siebel Business Applications support these types of user authentication:

  • A database security adapter for database authentication

  • An LDAP or ADSI security adapter for LDAP authentication

  • Web Single Sign-On (SSO)

  • Custom security adapter

    You can develop a custom security adapter using a security adapter SDK, which allows you to implement authentication using products such as RACF, CA-ACF2 or CA-TopSecret.

It is recommended that you implement LDAP authentication or Web SSO authentication. It is simpler to maintain these methods of authentication and to apply account policies to them. For a comparison of the benefits and disadvantages of the supported authentication mechanisms, see Chapter 5, "Security Adapter Authentication".

Implementing Password Management Policies

It is important to implement a password management policy so that only authorized users can access Siebel Business Applications. The details of the policy are likely to vary across Siebel implementations, depending on the language and character set in use in a Siebel environment, and depending on the business needs of users. However, a set of rules needs to be defined, implemented, and checked each time a new password is created or modified.

Implement the password management recommendations in the following topics:

General Password Policies

Implement the following general password management policies:

  • Determine a password expiry period (except for the Siebel administrator).

  • Determine the number of password failures allowed before an account is locked.

  • Implement password syntax rules. See "Defining Rules for Password Syntax".

  • Implement password hashing. For additional information, see "Process of Configuring User and Credentials Password Hashing".

  • Change the password of the system administrator account regularly.

    During the Siebel Business Applications installation process, the Siebel administrator account (SADMIN) is created. You are required to specify a password for this account before you install and configure the Siebel database components. Change the password for the administrator account at regular intervals. For information on this task, see Chapter 3, "Changing and Managing Passwords".

  • Change the password for Siebel utilities after installation.

A number of Siebel command-line utilities can be used during the installation and configuration of Siebel Business Applications, for example:

  • srvrmgr

  • srvrcfg

  • srvredit

When starting any of these utilities, you must specify the Siebel administrator user name and password in the command line as command flags. In a Siebel deployment with high-security requirements, it is recommended that you change the Siebel administrator user name and password used for these utilities after you have completed the Siebel implementation process.

Defining Rules for Password Syntax

To make sure that the passwords in your Siebel deployment are difficult to guess and are capable of withstanding brute-force attacks, define rules for your organization relating to password syntax. It is recommended that you implement password syntax rules similar to the following:

  • The password value must not be the same as the user name.

  • Password values must include a variety of characters within the supported character set, for example:

    • Both alphabetic and numeric characters are required.

    • A special character is required, such as a symbol, an accented character, or a punctuation mark.

    • At least one uppercase and one lowercase letter is required.

    • Specify illegal values, for example, no more than one space character is permitted, or no more than 2 repetitions of the same character are permitted.

  • Password values must be a minimum length, usually 8 characters.
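Because Siebel does not enforce these syntax rules itself, the check has to live in whatever tooling creates or changes passwords. The following is an added example, not a Siebel utility, that implements the rules listed above; the rule limits (8 characters, one space, a run of at most two identical characters) are the guide's suggested values, and reading "2 repetitions" as consecutive characters is an assumption.

```python
import re
from typing import List

# Added example, not Siebel code: checker for the password-syntax rules above.
MIN_LENGTH = 8     # "a minimum length, usually 8 characters"
MAX_SPACES = 1     # "no more than one space character is permitted"
MAX_RUN = 2        # "no more than 2 repetitions of the same character";
                   # interpreted here as consecutive identical characters (assumption)


def is_special(ch: str) -> bool:
    """Symbol, punctuation mark or accented (non-ASCII) letter, per the rule above."""
    if ch.isspace():
        return False
    if not ch.isalnum():
        return True                              # symbol or punctuation mark
    return ch.isalpha() and not ch.isascii()     # accented character such as 'é'


def password_violations(password: str, username: str) -> List[str]:
    """Return the rules the candidate password breaks; an empty list means it passes."""
    problems: List[str] = []
    if password.casefold() == username.casefold():
        problems.append("password is the same as the user name")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both alphabetic and numeric characters")
    if not any(is_special(c) for c in password):
        problems.append("must contain a special character")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("must contain at least one uppercase and one lowercase letter")
    if password.count(" ") > MAX_SPACES:
        problems.append(f"more than {MAX_SPACES} space character")
    # (.)\1{2,} matches a character followed by two or more copies of itself,
    # that is, a run of three or more identical characters.
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append(f"a character repeated more than {MAX_RUN} times in a row")
    return problems


def password_is_acceptable(password: str, username: str) -> bool:
    """Convenience wrapper: True when no rule is broken."""
    return not password_violations(password, username)


if __name__ == "__main__":
    # Constructed candidates, one acceptable and two that break rules
    for pw, user in [("Tr0ub4dor&3", "jsmith"), ("sadmin", "SADMIN"), ("Aaaa1111!", "jsmith")]:
        print(repr(pw), password_violations(pw, user) or "OK")
```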

In general, Siebel Business Applications do not provide support for either implementing password syntax rules or for verifying them. However, the following options exist:

  • For the Siebel Mobile Web Client, the following options for managing the passwords of Remote clients are available:

    • Application lockout after a specified number of consecutive, unsuccessful login attempts

    • Password expiration after a defined interval

    • Password syntax check

    • User password reset by the administrator

    For information on setting these options, see Siebel Remote and Replication Manager Administration Guide.

  • Users who have previously self-registered on a Siebel customer or partner application who forget their passwords can get new passwords by clicking the Forgot Your Password? link in the login dialog box. You can configure the length (maximum and minimum characters) of the passwords generated by your Siebel application for such users. For additional information, see "Defining Password Length for Retrieved Passwords".

About Configuring Password Hashing for Users

Password hashing is a critical tool for preventing unauthorized users from bypassing Siebel Business Applications and logging in to the Siebel database directly. It also prevents passwords intercepted over the network from being used to access Siebel Business Applications, because an intercepted hashed password is itself hashed when a login is attempted, leading to a failed login.

Password hashing is not enabled by default in Siebel CRM. It is recommended that you enable password hashing after installing Siebel Business Applications if appropriate for your environment.

Password hashing is enabled by setting the value of the Hash User Password parameter to True and hashing each user password using the hashpwd.exe utility. For detailed information on enabling password hashing, see "About Configuring Password Hashing for Users".

Reviewing Special User Privileges

Within Siebel Business Applications, special users are defined with specific roles within the application. Data to support these special user accounts is included in the seed data installed with Siebel Business Applications. You can change special user account names after installation, or delete the relevant seed data for a special user account if you do not need the functionality it provides. Do not, however, disable the system administrator (SADMIN) or guest user accounts. For more information about the defined special users and privileges for Siebel Business Applications, see "Special Users and Privileges".

About Implementing Authorization and Access Control

This topic describes the mechanisms that you can use to restrict access to data and Siebel Business Applications functionality for authenticated users after they have accessed Siebel Business Applications.

Siebel Business Applications use two primary access-control mechanisms to determine the privileges or resources that a user is entitled to within Siebel Business Applications:

  • View-level access control. Manages the functions that a user can access.

  • Record-level access control. Manages the data items that are visible to each user.

View-Level Access Control

Organizations are generally arranged around functions, with employees being assigned one or more functions. View-level access control determines what parts of a Siebel application a user can access. This access is based on the functions assigned to that user. In Siebel Business Applications, these functions are called responsibilities. Responsibilities define the collection of views to which a user has access. Each user's primary responsibility also controls the user's default screen tab layout and tasks.

You can choose to store users' Siebel responsibilities as roles in a directory attribute instead of in the Siebel database if you are using LDAP or custom security adapters, or if you are using Web SSO authentication.

Record-Level Access Control

Record-level access control assigns permissions to individual data items within an application. This access level allows you to configure a Siebel application so that only authenticated users who need to view particular data records can access that information.

Siebel Business Applications use three types of record-level access: position, organization, and access group. When a particular position, organization, or access group is assigned to a data record, only employees within that position, organization, or access group can view that record.

Adhere to the following general guidelines when authorizing access to views and records:

  • Grant privileges to positions and responsibilities rather than to individual named users, and grant necessary privileges only.

  • Limit access to the user profiles and position lists.

    For additional information, see "Implementing Personal Visibility for the User Profile View".

  • Lock accounts after invalid login attempts.

For additional information on view and data access control, see Chapter 9, "Configuring Access Control".

Implementing Personal Visibility for the User Profile View

This topic outlines how to strengthen the security of the User Profile View by enforcing personal access control to the view. This ensures that access to the data in the view is restricted to the user whose person record is associated with the data in the database. To enforce personal access to a view, you must set the Visibility Type of the view to Personal. This task is described in the following procedure.


Note:

It is recommended that you set the Visibility Type to Personal for all View applets that contain sensitive information.

To implement personal visibility to the User Profile View 

  1. Start Siebel Tools.

  2. In the Object Explorer, click the View object type.

    The Views list appears.

  3. Query for the User Profile Default View view.

  4. Confirm that the property settings are set as follows:

    • Visibility Applet. Set to User Profile Form Applet.

    • Visibility Applet Type. Set to Personal.

  5. In the Object Explorer, expand the View object type, select View Web Template, expand the View Web Template object type, and then select the View Web Template Item object type.

  6. In the Object List Editor, select the User Profile Form Applet object.

  7. Lock the object, then change the property setting to the following:

    Applet Visibility Type. Set to Personal.

  8. Navigate to Business Component in the Object Explorer.

  9. Query for Employee.

  10. Lock the object.

  11. In the Object Explorer, expand the Business Component object, then select the BusComp View Mode object.

  12. Create a new record with the following property values.

    Field               Value
    Name                Personal
    Owner Type          Person
    Visibility Field    Row Id

  13. Update the repository and deliver the updates.

For more information on configuring access control, see Appendix P, "Configuring Access Control".

About Securing Application Data During Configuration

This topic outlines recommendations for securing Siebel Business Applications data when performing configuration tasks. In addition to applying critical patch updates, encoding relevant data, and implementing secure coding practices, perform the recommendations in the following topics:

About Using Web Services

When creating, implementing, and publishing Web services, implement the WS-Security UserName Token mechanism to pass user credentials (Username and Password) to Web services. Passing the user name and password in the Web service URL is not supported in Siebel CRM version 8.1 or 8.2.

Using the WS-Security UserName Token mechanism means that user names and passwords do not have to be passed to Web services in the URL and a session cookie does not have to be passed with the HTTP request. For additional information on the WS-Security UserName Token, see Integration Platform Technologies: Siebel Enterprise Application Integration.

When you create an inbound Web service based on a Siebel business service or a Siebel workflow process, make sure that the Web service is secure. Siebel CRM does not verify the security of inbound Web services you create.


Note:

Web services exposed by Siebel do not prevent XML entity injection attacks. However, external entity resolution is disabled by default: external entities defined in XML are not resolved unless you explicitly enable external entity resolution on the business service.

About Defending Data from HTML Injection

This topic describes measures you can take to protect Siebel application data from HTML injection attacks.

Displaying HTML Content

Siebel Business Applications allow you to display HTML content in fields in the user interface. When using Control objects that are field values, you can set the value of the HTML Display Mode property to control how the field value is displayed in the user interface. You can specify the following values for the HTML Display Mode property:

  • EncodeData. If the field value contains HTML reserved characters, then they are encoded before they are displayed so that the HTML displays as text in the user interface and is not executed as an HTML command. It is recommended that you set the HTML Display Mode property to EncodeData for each Control object to ensure executable statements are not included in Siebel data records.

  • DontEncodeData. Use this value only when the value of the field is HTML text and you want the HTML to be executed. Selecting this value is not recommended because the HTML text can be the object of malicious interference.

  • FormatData. This value is used when description or comment fields are in read-only layout. Setting the property to FormatData causes the data to be formatted as HTML. For further information, see Siebel Object Types Reference.

Oracle recommends that you review all Control objects whose HTML Display Mode property is set to either DontEncodeData or FormatData, and consider changing the value of the property to EncodeData. The following SQL commands can be used to return a list of Control objects that have the HTML Display Mode property set to a value of either FormatData or DontEncodeData:

-- Lists the HTML Display Mode values that are not EncodeData. Add the columns
-- that identify each control (for example its name and its applet) to the
-- select list so that each row can be traced back to the control to review.
SELECT
      HTML_DISPLAY_MODE
FROM
      SIEBEL.S_CONTROL
WHERE
      HTML_DISPLAY_MODE = 'FormatData' OR
      HTML_DISPLAY_MODE = 'DontEncodeData'

Review the list of Control objects returned in the query. You cannot change the value of the HTML Display Mode property to EncodeData for all Control objects in one operation from within the Siebel application. The property must be set for each control individually.

If you choose another method of changing the HTML Display Mode property to EncodeData for all the Control objects returned in the query, then consider the consequences carefully before proceeding. It is recommended that you contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance with this task.
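To make the effect of the three HTML Display Mode values concrete, here is an added example that is not Siebel code: it models what each setting does to a stored field value at render time, and filters constructed (control name, HTML_DISPLAY_MODE) rows, standing in for the result of the query above, down to the controls that still need review. The sample field value is constructed; Siebel's exact FormatData formatting is not modelled, only the fact that it leaves markup live.

```python
import html
import re
from typing import Iterable, List, Tuple

# Added example, not Siebel code. Constructed field value: a comment a user could
# type into a free-text field that is later displayed through a Control object.
SAMPLE_VALUE = "Call back <b>Monday</b> <script>alert(1)</script>"

TAG = re.compile(r"<[^>]+>")


def render_field(value: str, mode: str) -> str:
    """Return the text that reaches the browser for the given HTML Display Mode."""
    if mode == "EncodeData":
        # Reserved characters become entities, so the browser shows the markup as text.
        return html.escape(value, quote=True)
    if mode in ("DontEncodeData", "FormatData"):
        # Both leave the markup live: DontEncodeData passes the value through unchanged,
        # FormatData formats it as HTML (assumption: the exact formatting is not modelled).
        return value
    raise ValueError(f"unknown HTML Display Mode: {mode!r}")


def markup_is_live(rendered: str) -> bool:
    """True if the rendered text still contains a tag the browser would interpret."""
    return TAG.search(rendered) is not None


def controls_needing_review(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (control name, HTML_DISPLAY_MODE) rows, list controls not set to EncodeData."""
    return [name for name, mode in rows if mode in ("DontEncodeData", "FormatData")]


if __name__ == "__main__":
    for mode in ("EncodeData", "DontEncodeData", "FormatData"):
        out = render_field(SAMPLE_VALUE, mode)
        print(f"{mode:15} live markup: {str(markup_is_live(out)):5} -> {out}")
    # Constructed rows standing in for the query result
    rows = [("Name", "EncodeData"), ("Comment", "FormatData"), ("Notes", "DontEncodeData")]
    print("controls to review:", controls_needing_review(rows))
```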

Specifying Trusted Server Names

To strengthen your Siebel application and data against attacks, you can specify the name of each of the host servers that are authorized for use with the Siebel application. The following procedure describes how to specify the names of these trusted servers.

To specify the names of trusted servers 

  1. Start Siebel Tools.

  2. In the Object Explorer, select the Application object type.

    The Applications list appears.

  3. Query for the name of your Siebel application in the Object List Editor.

    For example, for the Siebel Call Center application, query for Siebel Universal Agent.

  4. Lock the application object.

  5. In the Object Explorer, expand the Application object type, then select the Application User Prop object type.

    The Application User Props list appears.

  6. In the Object List Editor, add an application user property for each server used by the Siebel application. For example:

    Name: AllowedServerNamesUrl0   Value: server_name1
    Name: AllowedServerNamesUrl1   Value: server_name2

  7. Update and publish all Siebel repository changes and deliver them to the Siebel runtime repository.
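The page does not describe how Siebel enforces the AllowedServerNamesUrl<n> properties, so the following added example (not Siebel code) models the check that such an allow-list implies: collect the configured names in index order and accept a request only when the host named in its Host header, normalised for port, case and a trailing dot, matches one of them exactly. The user-property values are constructed.

```python
from typing import Dict, List

# Added example, not Siebel code: model of a trusted-server-name check.
PREFIX = "AllowedServerNamesUrl"

# Constructed application user properties in the form shown in step 6 above.
USER_PROPS: Dict[str, str] = {
    "AllowedServerNamesUrl0": "crm.example.com",
    "AllowedServerNamesUrl1": "CRM-INTERNAL.example.com",
    "SomeOtherUserProp": "ignored",          # unrelated property, must be skipped
}


def allowed_server_names(user_props: Dict[str, str]) -> List[str]:
    """Return the names from AllowedServerNamesUrl0, 1, 2, ... in index order, lower-cased."""
    found = []
    for key, value in user_props.items():
        suffix = key[len(PREFIX):]
        if key.startswith(PREFIX) and suffix.isdigit():
            found.append((int(suffix), value.strip().rstrip(".").lower()))
    return [name for _, name in sorted(found)]


def host_from_header(host_header: str) -> str:
    """Normalise a Host header value: drop the port, strip a trailing dot, lower-case."""
    host = host_header.strip()
    if host.startswith("["):                 # IPv6 literal, for example [::1]:8080
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # name:port
        host = host.split(":", 1)[0]
    return host.rstrip(".").lower()


def is_trusted_host(host_header: str, user_props: Dict[str, str]) -> bool:
    """True only for an exact match against the configured allow-list (no suffix matching)."""
    return host_from_header(host_header) in allowed_server_names(user_props)


if __name__ == "__main__":
    for header in ("crm.example.com:443", "CRM-internal.example.com.", "crm.example.com.evil.net"):
        print(f"{header:30} trusted: {is_trusted_host(header, USER_PROPS)}")
```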

About Using External Business Components

External business components are used to access data that resides in a non-Siebel table or view using a Siebel business component. When configuring external business components, you must specify the data source for the external table that contains the data you want to access.

To prevent users having to log in when accessing the external data source, for each data source accessed by an external business component, specify the data source user name and password details using the DSUsername and DSPassword values when configuring the data source named subsystem. The DSUsername and the DSPassword parameters are activated only when using the database security adapter. For information on configuring external business components, see Integration Platform Technologies: Siebel Enterprise Application Integration.

About Using HTTP Methods

The HTTP protocol supports a number of methods that are used to specify the operation to be performed on a resource on the Web. Siebel Business Applications support the HTTP GET and POST methods only. All other HTTP methods are blocked to maximize the security of your Siebel application. For information on using the HTTP GET and POST methods with Siebel Business Applications, see Transports and Interfaces: Siebel Enterprise Application Integration.

In Siebel Innovation Pack 2014 and later, you can allow access to a blocked method for HTTP GET access using the GETEnabledMethods user property. For information about using the GETEnabledMethods user property, see Configuring Siebel Open UI.

About Message Broadcasting

Siebel message broadcasting functionality allows Siebel administrators to display important information directly in the message bar of users' screens. The text of a message broadcast can be up to 2,000 characters in length and can contain HTML tags, which are treated as HTML code on the message bar.

Message broadcasting is available for employee applications but not for customer or partner applications. By default, message broadcasting is enabled, although the administrator can enable or disable it. In environments with very high security requirements, it is recommended that message broadcasting be disabled. For information on disabling message broadcasting, see Siebel Applications Administration Guide.

About Securing Third-Party Applications

Secure third-party applications by making sure that all the software is updated with the latest software versions and security patches. For additional information on securing third-party products, see the vendor-specific documentation.