Perceptive Content Security

Similar documents
Perceptive Interact for Microsoft Dynamics CRM

Contingency Planning and Disaster Recovery

ImageNow Cluster Resource Monitor

Interact for Microsoft Office

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

WebNow Single Sign-On Solutions

ImageNow User. Getting Started Guide. ImageNow Version: 6.7. x

Use Enterprise SSO as the Credential Server for Protected Sites

WebNow. Installation and Setup Guide. ImageNow Version: 6.7.x Environment: Windows Web Application Server: Tomcat

Integration Guide. Microsoft Active Directory Rights Management Services (AD RMS) Microsoft Windows Server 2008

WatchDox SharePoint Beta Guide. Application Version 1.0.0

CA Performance Center

ImageNow for Microsoft SQL Server

ImageNow Administrator

Quick Scan Features Setup Guide. Scan to Setup. See also: System Administration Guide: Contains details about setup.

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Active-Active and High Availability

HR Onboarding Solution

Available Performance Testing Tools

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

Perceptive Integration Server

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

ImageNow Report Library Catalog

Perceptive Experience Single Sign-On Solutions

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

multiple placeholders bound to one definition, 158 page approval not match author/editor rights, 157 problems with, 156 troubleshooting,

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

IIS SECURE ACCESS FILTER 1.3

HP Operations Orchestration Software

Vyapin Office 365 Management Suite

Embedded Document Accounting Solution (edas) for Cost Recovery. Administrator's Guide

Active-Active ImageNow Server

ImageNow Administrator Getting Started Guide

Security IIS Service Lesson 6

Administration Quick Start

NSi Mobile Installation Guide. Version 6.2

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

Integrating LANGuardian with Active Directory

Version Devolutions inc.

Version 1.0 January Xerox Phaser 3635MFP Extensible Interface Platform

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

Setting Up SSL on IIS6 for MEGA Advisor

Document Management Getting Started Guide

Authentication Methods

HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE

Customer Tips. Xerox Network Scanning TWAIN Configuration for the WorkCentre 7328/7335/7345. for the user. Purpose. Background

NETWRIX EVENT LOG MANAGER

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

SELF SERVICE RESET PASSWORD MANAGEMENT WEB INTERFACE GUIDE

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Cisco SSL Encryption Utility

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

Installation Guide for Pulse on Windows Server 2012

MailStore Outlook Add-in Deployment

Entrust Managed Services PKI

ImageNow Interact for Microsoft SharePoint Installation, Setup, and User Guide

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Internet Information Services (IIS)

MadCap Software. Upgrading Guide. Pulse

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

AD RMS Step-by-Step Guide

Remote Management Reference

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

How to Secure a Groove Manager Web Site

Installing Management Applications on VNX for File

Sophos Mobile Control Installation guide

Using LDAP Authentication in a PowerCenter Domain

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

RoomWizard Synchronization Software Manual Installation Instructions

Agent Configuration Guide

Chapter 2 Editor s Note:

Installation and Setup Guide

Jobs Guide Identity Manager February 10, 2012

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

ImageNow Message Agent

BlackShield ID Agent for Remote Web Workplace

Application Note. ShoreTel 9: Active Directory Integration. Integration checklist. AN June 2009

Installation Guide for Pulse on Windows Server 2008R2

NETWRIX PASSWORD MANAGER

Management Reporter Integration Guide for Microsoft Dynamics AX

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark

Technical Brief for Windows Home Server Remote Access

Host Access Management and Security Server

Installation & Configuration Guide

Netwrix Auditor. Administrator's Guide. Version: /30/2015

Novell ZENworks 10 Configuration Management SP3

Send to Network Folder. Embedded Digital Sending

Oracle Enterprise Single Sign-on Provisioning Gateway. Administrator Guide Release E

v Devolutions inc.

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

Internet Script Editor (ISE)

How To Use Salesforce Identity Features

Security Guidelines for MapInfo Discovery 1.1

PrinterOn Print Management Overview

McAfee Endpoint Encryption for PC 7.0

Remote Management Reference

Redeploying Microsoft CRM 3.0

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide

RSA Authentication Manager 7.1 Basic Exercises

Transcription:

Perceptive Content Security Best Practices Perceptive Content, Version: 7.1.x Written by: Product Knowledge, R&D Date: June 2015

2015 Perceptive Software. All rights reserved. Perceptive Software is a trademark of Lexmark International Technology S.A., registered in the U.S. and other countries. All other brands and product names mentioned in this document are trademarks or registered trademarks of their respective owners. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or any other media embodiments now known or hereafter to become known without the prior written permission of Lexmark.

Table of Contents Security... 4 System architecture security considerations... 4 OSM... 4 LDAP... 4 Encryption... 5 Client validation... 5 Application configuration security considerations... 6 Perceptive Manager and Department Manager roles... 6 Views... 7 Users... 7 Privileges... 7 Auditing security considerations... 8 Page 3 of 8

Security This document provides best practices for managing security. In this document, you will find best practices defined for system architecture and application configuration, as well as auditing. System architecture security considerations The following sections provide system architecture security information. OSM The Object Storage Manager (OSM) is a critical storage element on Perceptive Content Server that stores three types of information in separate locations, including: Perceptive Content documents (image, TXT, PDF, and other files) Sub-objects, such as bitmap stamp annotations, embedded OLE annotations, thumbnails, DataCapture data, and worksheets Document batches that have not yet been linked or automatically processed The OSM can store unlimited amounts of content in its original format, for example, TIFF, PDF, or Microsoft Word. By storing every page of a document as a discrete object, the OSM enables Perceptive Content to deliver pages to users on demand. The OSM is a tree structure file system that consists of a main directory comprised of sets or branches. Each set can contain 512 folders which can each contain up to 512 subdirectories. In addition, each subdirectory can contain up to 512 documents. This means that each OSM set can contain 134,217,728 documents or pieces of content. As your storage needs increase, you can set Perceptive Content to add additional OSM sets automatically. You can configure the OSM to store objects across any number of file systems on a variety of platforms and architectural designs. This efficient, hybrid storage model ensures the Perceptive Content database maintains steady performance even as usage and database size grows. Configure OSM The following recommendations are steps you can perform while configuring the OSM. Limit OSM Windows NTFS permissions to a single Windows service account with Modify permission only. Consider OSM drawer redirections ensuring documents from different drawers are not in the same OSM and facilitating departmental chargeback for data storage. Consider using EMC Centera's storage encrypted CAS (Content Addressed Storage) integration when adding OSM storage sets and OSM storage trees. LDAP Perceptive Software recommends using LDAP authentication in Perceptive Content for authenticating users. Using LDAP authentication, Perceptive Content authenticates to an LDAP server using the LDAP Simple Bind method. The Perceptive Content Server attempts a "bind" to the LDAP server using the credentials provided by the user. In addition to simple bind, Perceptive Content also supports LDAP authentication using simple bind over SSL (Secure Sockets Layer). SSL is a protocol used for transmitting documents through the Web; by default SSL connections start with https: instead of http:.also, you can use multiple LDAP servers to authenticate against. Page 4 of 8

Encryption WebNow transmits all data between the client's web browser and the web application server as binary data; there is no transmission of plain text. Whether the integration with WebNow is through a standard URL link or a web POST, any potentially sensitive information is hidden and will not display on the client's web browser. Thus potentially sensitive information is always protected. For additional security measures, an optional encryption feature can be turned on to encrypt data between the web application server and the Perceptive Content Server. Additionally, SSL encryption can be employed on the web application server to provide greater encryption between the application server and the client's web browser. WebNow also uses the Perceptive Content Client software authentication model. Therefore, security attributes are inherited when a user logs in. Note Enabling encryption accrues approximately 10% network overhead. Client validation Use client validation to ensure that the Windows user account is the same account used to log into Perceptive Content. Note Enabling client validation can cause issues when the Perceptive Content administrator troubleshoots other users' workstations. Set up WebNow automatic Windows domain authentication This functionality is only available when using Windows Domain authentication; it is not supported with LDAP. With automatic domain authentication enabled, you can start WebNow, while logged in on a Windows machine to an NT domain, and completely bypass the login page. If you are on a platform other than Windows or the Perceptive Content Server cannot log you in automatically, the login page appears. At this point you should be able to log in manually. If you provide no user name and password on the URL, and automatic domain authentication is enabled, WebNow automatically attempts to log you in. If it cannot log in, WebNow displays the login page. If you enter a user name and password on the URL, WebNow bypasses the automatic domain authentication and logs in with the information from the URL. 1. Using Windows Explorer, navigate to the [drive:]\inserver\etc folder, and then open inow.ini. 2. Under the [Logon Control] parameter, scroll to the following section and change the client.validation setting from FALSE to TRUE and then type the nt.domain.list. ; If set to true, ImageNow will allow the ImageNow client to logon with ; the User ID provided in the ImageNow logon dialog, as long as the user ; is logged into a valid Windows NT domain on the client PC with a NT ; domain account that is equal to the ImageNow user ID. Otherwise, ; ImageNow validates user and password requests via the ImageNow Server. client.validation=true ; The valid NT Domain list of which the ImageNow ; User ID must already be logged into on the requesting PC. nt.domain.list=<<list_goes_here>> 3. Save and close the inow.ini file. 4. Restart Perceptive Content Server. Page 5 of 8

5. Complete the following steps to set domain authentication parameters in the web configuration file. 1. Using Windows Explorer, navigate to the [drive:][path]\webnow6\web-inf folder, and then open the WebNow.settings file with a text editor. 2. Under Application server settings, change the domain-authentication setting to true. 3. Save and close the WebNow.settings file. Application configuration security considerations The following sections provide application configuration security considerations. Perceptive Manager and Department Manager roles The following tables list the security rules for the Perceptive Manager and Department Manager roles. Perceptive Manager There can be more than one Perceptive Manager. A Perceptive Manager cannot assign his or her own privileges. A Perceptive Manager must be demoted before he or she can be removed from the system. Only a Perceptive Manager can promote another user to Perceptive Manager. Only a Perceptive Manager can import a migration package. Only a Perceptive Manager can create a department. A user can be a Perceptive Manager and a Department Manager simultaneously. Only a Perceptive Manager can create users in the system. A Perceptive Manager does not have access to Department content or configurations unless explicitly granted by a Department Manager. Only a Perceptive Manager can promote a user to the Department Manager role. A Perceptive Manager cannot promote himself or herself to Department Manager. Page 6 of 8

Department Manager A Department Manager cannot create a department. A Department Manager is the only user who can share objects in his or her department with other departments. A Department Manager is the only user who can move items between departments on the same system. A user can be a Department Manager for any number of departments. One department can have multiple Department Managers. Configure Perceptive Manager and Department Manager roles Perceptive Software recommends the following when configuring the Perceptive Manager and Department Manager roles. Set up all manager users with both a manager account and a non-manager user account in the system to encourage role separation in your organization. Views In Perceptive Content, a view is a mechanism that displays a set of documents or folders that are selected and displayed according to the view definition that you create for your users. You can give a user access to one or more views, such that the user's overall access consists of all the documents and folders made available by the views. When you install Perceptive Content, two default views are already in place, All documents and All folders, allowing users to have access to all documents and folders in Perceptive Content. Perceptive Software recommends that you disable these views and create individual views with assigned users. Users Remove the All Users group from the All Documents and the All Folders view. Create custom document and folder views for each business area. Privileges The Manage Process privilege will not grant access to workflow queues in that workflow process. A user who has the Manage Process privilege must still be specifically granted access to each queue within that process they need to see. Page 7 of 8

Auditing security considerations Use Business Insight reports to verify permissions quarterly or annually. Use the Business Insight Deleted Documents report to audit unusual activity. You can use audit logs to troubleshoot issues or track the actions taken in Perceptive Content by specific users or groups. Audit templates describe the actions that you want to log. You can configure audit templates to monitor more than 500 actions that a user can perform in Perceptive Content. After a template is configured, you can assign it to individual users or entire groups. After assigning the audit template to a user or group, you can disable the auditing at any time. The more events and users that you monitor, the larger the log file becomes. Permanently auditing many actions can create massive log files and can slow server performance. There is no limit to the number of audit templates you can create. Audit templates can record a variety of Perceptive Content activities, such as when a user views, deletes or re-indexes an object, when a user logs in, or when a user performed a workflow action. If audit records are stored to the database, Business Insight may be used to generate audit reports. If audit records are stored in XML format, you can use other third-party tools to view the audit records, although Perceptive Software does not provide customer support for those tools. For all environments, you manage the auditing features through the Perceptive Content Management Console. You can create audit templates as well as assign audit templates to users and groups. You can also rename, copy, and delete audit templates. You can set templates as active or inactive based on need. Page 8 of 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information