GE Centricity* Business V4.3+ Desktop Internet Security s Summary This document describes the Microsoft Internet Security settings recommended and required to run Centricity Business web solutions. Software Version 4.3+ Document Version 1 2011 General Electric Company. All Rights Reserved. * Centricity is a trademark of General Electric Company
2 Desktop Internet Security s Acknowledgments Prepared by Centricity Business Knowledge Services. Please send comments to KnowledgeServicesOrganization@ge.com. Confidentiality and Proprietary Rights This document is the confidential property of, a division of General Electric Company ( ). No part of this document may be reproduced in any form, by photostat, microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, without the written permission of GE Healthcare. Inquiries regarding copying and/or using the materials contained in this document outside of the limited scope described herein should be addressed to the e-mail address listed above. reminds you that there may be legal, ethical, and moral obligations for medical care providers to protect sensitive patient information when dealing with vendors such as. You should obtain explicit written consent from both the patient and before you disclose sensitive patient information to. Limitations and Conditions of Use furnishes this document to you, a current customer, as confidential information pursuant to a non-disclosure agreement ( NDA ) or an agreement with confidentiality provisions between you and. If you are not (i) a current customer, and (ii) subject to an NDA or an agreement with confidentiality provisions with, you are not authorized to access this document. The information contained herein is confidential and should not be used, disclosed, or duplicated for any purpose other than developing information system plans within customer organizations. Duplication and/or distribution of this document beyond customer organization information systems and management executives are not allowed without express written consent from. Trademarks GE, the GE Monogram, Centricity, and imagination at work are trademarks of General Electric Company. All other product names and logos are trademarks or registered trademarks of their respective companies. Copyright Notice Copyright 2007-2011 General Electric Company. All rights reserved. Disclaimers Any information related to clinical functionality is intended for clinical professionals. Clinical professionals are expected to know the medical procedures, practices and terminology required to monitor patients. Operation of the product should neither circumvent nor take precedence over required patient care, nor should it impede the human intervention of attending nurses, physicians or other medical personnel in a manner that would have a negative impact on patient health. General Electric Company reserves the right to make changes in specifications and features shown herein, or discontinue the products described at any time without notice or obligation. This does not constitute a representation or warranty or documentation regarding the product or service featured. All illustrations or examples are provided for informational or reference purposes and/or as fictional examples only. Your product features and configuration may be different than those shown. Contact your GE Representative for the most current information. 540 West Northwest Highway Barrington, IL 60010 U.S.A. www.gehealthcare.com
Desktop Internet Security s 3 Contents Desktop Requirements for Running Centricity Business Web Applications... 4 Internet Security s for Running Centricity Business Web Applications on the Desktop... 5 Microsoft Default s... 5 Internet Security s... 5 Downloading Signed ActiveX Controls... 13 Additional Security Recommendations... 14 General Recommendations... 14 Using a Shortcut to Launch Centricity Business... 14 Google Toolbar Plug-in for Internet Explorer, other Pop-up Blockers... 14 Using Trusted Sites List to Manage Security ()... 14 Using Group Policy Objects to Manage Security s... 15 Configuring.Net CLR Programmatically... 15
4 Desktop Internet Security s Desktop Requirements for Running Centricity Business Web Applications Following are desktop requirements for Centricity Business 4.3 and later: Display requirements: A 1024x768 or larger display area On Windows XP and Windows 7, the Windows Classic Theme and Windows XP Theme (Styles) are supported. 256 or more colors Microsoft Internet Explorer 6.0 SP1 or higher; the highest version currently supported is 8.0. Microsoft.NET Common Language Runtime (CLR) version 2.0 (higher versions may be used; consult the appropriate System Environment Specifications document for details).
Desktop Internet Security s 5 Internet Security s for Running Centricity Business Web Applications on the Desktop Centricity Business applications work with only minimal setup changes within Internet Security. We recommend changing Internet Security default settings only when non-default settings provide significant benefits. If, however, you are running other web-based applications that require special settings, you need a more sophisticated approach to managing security on the desktop than that outlined in this document. Security settings in the security zone used to access the Centricity Framework server (and application servers if there are any) are the settings that matter. Microsoft Default s Before you apply any of the recommended changes listed below, force default settings by clicking the Default button for each security zone (Internet, Local intranet, or ), and for Advanced, then Apply and OK. Internet security rarely, if ever, has all of the default settings, even when delivered directly from Microsoft. Internet Security s The following table describes the recommended security settings. settings that differ from Microsoft default settings are highlighted in red. To review/modify Internet Security s go to Control Panel/Internet Options/Security Tab. IE 6.0 and 7.0 Comment General tab (Temporary Internet files, s) Check for newer versions of stored pages Every time you start Internet Explorer Automatic setting has caused performance problems at GE Healthcare sites; network is flooded with cache-checking traffic. Amount of disk space to use Content tab 250 MB or more A user that touched every page of all products might need this much. Content Not enabled Required; Centricity Framework is NOT Default settings in IE 6.0 SP1 All Windows versions before XP SP2 Automatic 3.2% of total partition space Not enabled Windows XP SP2 GR, WS2003 SP1 Automatic 3.2% of total partition space Not enabled
6 Desktop Internet Security s Advisor Security tab.net Framework-reliant components: Run components not signed with Authenticode Run components signed with Authenticode ActiveX and plug-ins Download signed ActiveX Download unsigned ActiveX Initialize and script ActiveX marked as not safe Comment compatible with the Microsoft Content Advisor Default settings in IE 6.0 SP1 All Windows versions before XP SP2 Windows XP SP2 GR, WS2003 SP1 Internet, Local intranet, and security zones Centricity Framework uses.net assemblies. Also requires MS.Net CLR Prompt, or Required for user to download components from the Centricity Framework server (user must also have local Administrative rights). See Downloading Signed ActiveX Controls, below. Such objects present a security risk Such objects present a security risk Prompt, except in zone Prompt, except in zone except Prompt in zone except Prompt in zone Run ActiveX and plugins Script ActiveX marked safe for scripting ; Required ; Required Required Required
Desktop Internet Security s 7 Comment Default settings in IE 6.0 SP1 All Windows versions before XP SP2 Windows XP SP2 GR, WS2003 SP1 Downloads Automatic prompting for file downloads Required for.net (WF Admin, Flowcast.Net) NA, except in Internet zone: WS2003: in Internet zone File download Required Miscellaneous Access data sources across domains Advanced tab (for all security zones) Browsing thirdparty browser extensions Reuse windows for launching shortcuts Required for ETM except when WF server and CSP Gateway server are the same box Internet: Local Intranet: Prompt : Internet: Local Intranet: Prompt : d Required d d Not enabled (required) change from default value that affects Centricity Business applications when running other web applications on the same desktop Data can be lost from IDX products if links/shortcuts are launched in the same browser window. See Using a Shortcut to Launch Centricity Framework in the next section. Not enabled is d WS2003 SP2: default is not enabled d
8 Desktop Internet Security s Automatically check for Internet Explorer updates Multimedia NOT enabled Comment Required to run CareCast viewer. change from default value that does not affect Centricity Business applications this to prevent browser going to MS for updates when every time it starts Show pictures d Required by Centricity Framework graphics Default settings in IE 6.0 SP1 All Windows versions before XP SP2 d d Windows XP SP2 GR, WS2003 SP1 d d Security Do not save encrypted pages to disk Empty Temporary Internet Files folder when browser is closed d d Flowcast 2.0: If enabled with SSL, generates LOTS of network traffic Flowcast 3.0: If enabled, WF Admin doesn t work, including color palette If enabled, generates more network traffic to start up new sessions; WF, WB, AW, ETM do NOT store any data in cacheable files Additional Security tab setting required by Flowcast 2.0 Microsoft VM: Java Permissions High safety Required to be at least High safety. Default for Internet, Local intranet, and Trusted sites zones all are satisfactory for running Flowcast 2.0. Flowcast 2.0 Requires Microsoft VM on desktop d d Internet zone: High safety Local intranet zone: Medium safety zone: Low safety XP: d WS2003: d XP: d WS2003: d Internet zone: High safety Local intranet zone: Medium safety zone: Low safety
Desktop Internet Security s 9 IE 7.0 Usage and Limitations IE 8.0 The Web Client supports IE7 with the following exceptions: 1. Centricity Business does not support being used in conjunction with active use of multiple IE7 Tabs. It does not require that tabs be disabled in IE7 settings, just that users understand that if the IE7 browser session is to be used with Centricity Business, there should be no concurrent usage of multiple tabs in that session. You may wish to disable Tabs to avoid issues. To do this, access Control Panel/Internet options, select Tabs, then s, and uncheck Tabbed Browsing. 2. Centricity Business does not support ensuring proper display and navigation in conjunction with using the IE7 Page Zoom feature. 3. Centricity Business does not support IE7 installed on Windows Server 2003 SP1 environments that are used as the Framework Server (that is, within the Application Server Tier). General tab (Temporary Internet files, s) Check for newer versions of stored pages Every time you start Internet Explorer Automatic setting has caused performance problems at GE Healthcare sites; network is flooded with cache-checking traffic. Amount of disk space to use Content tab Content Advisor Security tab Comment Default settings in IE 8.0 250 MB or more A user that touched every page of all products might need this much. Not enabled.net Framework-reliant components: Run components not signed with Authenticode Required; Centricity Framework is NOT compatible with the Microsoft Content Advisor Centricity Framework Windows XP SP2 and SP3 Automatic 3.2% of total partition space Not enabled Windows 7 Automatic 3.2% of total partition space Not enabled Internet, Local intranet, and security zones
10 Desktop Internet Security s Run components signed with Authenticode ActiveX and plug-ins Comment Default settings in IE 8.0 uses.net assemblies. Also requires MS.Net CLR Windows XP SP2 and SP3 Required to enable the successful download of updated versions of client-side components Download signed ActiveX Download unsigned ActiveX Initialize and script ActiveX marked as not safe Run ActiveX and plugins Script ActiveX marked safe for scripting Downloads Prompt, or ; Required ; Required Required for user to download components from The Centricity Framework server (user must also have local Administrative rights). See Downloading Signed ActiveX Controls, below. Such objects present a security risk Such objects present a security risk Prompt, except in zone Windows 7 Prompt, except in zone Required Required These options let you keep client-side synchronized with the server Automatic prompting for file downloads Required for.net (WF Admin, Flowcast.Net), except in Internet zone: File download Required Privacy, except in Internet zone:
Desktop Internet Security s 11 toolbars and extensions when inprivate browsing starts (In Private section) Miscellaneous Comment Default settings in IE 8.0 Windows XP Windows 7 SP2 and SP3 (uncheck) (checked) (checked) Access data sources across domains Allow scriptinitiated windows without size of position constraints. Navigate windows and frames across different domains Scripting for for Intranet for Trusted Sites Required for ETM except when WF server and CSP Gateway server are the same box Necessary to ensure the workplace menu items display (VF 246667/SPR 2576) Prevents 2 Help Windows displaying when the F1 key is pressed (VF 247244/SPR 2592) XSS filter d Required for Cognos 8.4 and Centricity Business Reporter Advanced tab (for all security zones) Browsing thirdparty browser extensions Reuse windows for launching shortcuts d Not enabled Required NOTE: You must restart the computer before a change to this setting takes effect. change from default value that affects Centricity Business applications when running other web Internet: Local Intranet: Prompt : for Trusted Sites for Trusted Sites and Local Intranet d d Internet: Local Intranet: Prompt : for Trusted Sites for Trusted Sites and Local Intranet d WS2003 SP2: default is not enabled d
12 Desktop Internet Security s Automatically check for Internet Explorer updates Multimedia (required) NOT enabled Comment Default settings in IE 8.0 applications on the same desktop Data can be lost from IDX products if links/shortcuts are launched in the same browser window. See Using a Shortcut to Launch Centricity Framework in the next section. Not enabled is Required to run CareCast viewer. change from default value that does not affect Centricity Business applications this to prevent browser going to MS for updates when every time it starts Show pictures d Required by Centricity Framework graphics Security Do not save encrypted pages to disk Empty Temporary Internet Files folder when browser is closed Check for server certificate revocation d d Uncheck NOTE: You must restart the computer before a change to this setting takes effect. If enabled, generates more network traffic to start up new sessions; WF, WB, AW, ETM do NOT store any data in cacheable files Prevents errors in ETM Preview Pane (VF 251866) Windows XP SP2 and SP3 d d d d Windows 7 d d d WS2003: d d WS2003: d Check
Desktop Internet Security s 13 IE 8.0 Usage and Limitations 1. IE 8.0 Compatibility Mode is not required and does not need to be turned on. Under Tools, Compatibility View should not be checked. 2. If you are using Centricity Business Reporter, Cognos must be at version 8.4 to be compatible with IE 8.0. Additionally, The Cognos URL must be added to the Sites for the and Local intranet zones. The XSS filter Security Internet Option (found under Scripting) must be disabled for the and Local intranet zones (see table above). 3. All limitations listed under IE 7.0 Usage and Limitations apply to IE 8.0 as well. Downloading Signed ActiveX Controls A user must have local Admin rights to download and install ActiveX. The Prompt setting for the Download Signed ActiveX Controls property causes a dialog box to be presented to the user when a component must be downloaded, unless Previous component(s) signed by the same digital certificate have already been downloaded, and The check box Always trust content from IDX Systems Corporation is checked. The setting for this property allows download and installation of ActiveX without the user having to confirm the download every time. This setting does not matter on a locked-down desktop that receives updates from either Active Directory or the Desktop Components install kit.
14 Desktop Internet Security s Additional Security Recommendations General Recommendations Centricity Business recommends that you: Include your Centricity Framework server(s) in the zone. Use Fully Qualified Domain Names to refer to your servers. Using a Shortcut to Launch Centricity Business If you are accessing Centricity Business products using the Internet Explorer browser, use a target like "C:\Program Files\Internet Explorer\iexplore.exe" http://dotnet.idx.com/idxweb to define a shortcut to launch Centricity Business. This ensures that a new iexplorer.exe process is started, and thus gives the new window completely clean context. If you are accessing Centricity Business products using smart client, you use the desktop shortcut created during smart client deployment for access. Google Toolbar Plug-in for Internet Explorer, other Pop-up Blockers The Google Toolbar has a pop-up blocker. Centricity Business web applications use pop-ups. Therefore, to ensure that the applications operate properly, enable ( whitelist ) pop-ups from the Centricity Framework server(s). Any other application that blocks pop-ups within the browser must be configured to allow pop-ups from the Centricity Framework server(s). Pop-up blocking should be disabled with IE7 and IE8 (Tools/Pop-up blocking; uncheck). Using Trusted Sites List to Manage Security () By default, URLs with no domain (for example, http://webserver/idxweb) use the Local intranet zone security (simple domain name) URLs with domain (for example, http://webserver.school.edu/idxweb) use the Internet zone security (Fully Qualified Domain Name) URLs can be added to the Sites list for each zone to change default behavior. We recommend that you configure your systems so that Centricity Business is secured by running in the zone. To do this, set security in this zone correctly, then add the URL of your Centricity Framework server (or Content switch) to the list.
Desktop Internet Security s 15 Simple and Fully Qualified DNS names are independent; therefore both addresses, as well as the enumerated IP address, must be listed to cover all possible references. Various wild cards are allowed; for example, you can add *://*.yourorg.yourtld and *://10.11.12.130-140 to the list to allow both http and https. Simple domain names cannot be wildcarded. For more details, see documentation for the Group Policy editor (gpedit.msc) included with each version of Internet Explorer. Using Group Policy Objects to Manage Security s Configuring.Net CLR Programmatically Microsoft s Technet provides articles on managing configuration with Group Policies. Policy settings for controlling URL Actions are available in both the Computer Configuration and the User Configuration nodes of Group Policy Object Editor, in Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page..NET CLR should be configured using code similar to that provided in the sample Dotnet2.0_trust.bat file included in the desktop components kit.