AX Server security
Follow the AX Server security recommendations to control access to ACL GRC Analytics Exchange and keep sensitive audit data secure.
General user access
As a general guideline, you should grant AX Server access to the minimum number of required accounts, with the minimum required rights and permissions.
Windows user account security
Windows user account used to run the Analytics Exchange Service
Use a dedicated domain user account whose only purpose is to run the AX Service. Do not use any of the following account types:
- a generic IT domain account
- an individual employee's account
- a local user account or the LocalSystem account
Note
The dedicated domain user account that you specify requires access to the Active Directory domain controller in order to authenticate users logging in to ACL GRC Analytics Exchange. If the account you specify uses a password that expires, make sure you have a process in place for keeping the password updated.
Windows user account used to run AX Engine Node
Use the same domain user account that you use to run the Analytics Exchange Service.
The permissions required to run AX Engine Node and the Analytics Exchange Service are the same. Using the same account for both means you have to keep track of only one account.
Individual Windows user accounts
Manage user rights and permissions on AX Server by first adding individual user accounts to a Windows user group. There are two user group options when granting rights and permissions on AX Server for individual user accounts:
- create a domain user group specifically for AX Client users
- add AX Client users to the AX Server local “Users” group
Note
The first option is more secure because:
- it allows you to specify prefix folder permissions at the individual user level, which prevents users from accessing other users’ data files
- subsequent updates can be made in Active Directory rather than requiring access to the server housing AX Server
The logon rights and folder permissions for either type of group are specified in subsequent sections.
Login attempts
Do not disable login throttling for user or AX Server administrator login attempts. To mitigate the risk of brute-force password guessing, ACL GRC Analytics Exchange enables login throttling by default:
- Users: after two failed login attempts, the user is locked out for three seconds. These default values can be changed in the deployerConfigContext.xml configuration file.
- Administrators: after five failed login attempts, the administrator is locked out for ten seconds. These default values can be changed in the admin-security.xml configuration file.
AX Client timeout settings
By default, AX Client times out when it sits idle for 30 minutes. To configure a different maximum idle time for AX Client, update the settings in the aclAuditExchange.xml configuration file. For more information, see aclAuditExchange.xml.
Note
If the application is completing a large import or export whose processing time exceeds the timeout, the idle timer does not start until the process completes. The import or export therefore does not fail because of the maximum idle time setting.
If a dialog that is not related to importing and exporting files is open when the timeout expires, the application and all associated dialogs close.
Sensitive installation information
Secure any sensitive information related to your installation of AX Server. If you created any files during the installation process that contain sensitive information, such as account credentials or configuration settings, store those files in a secure location with access limited to the administrators who need them.
Server configuration IP restrictions
The following Server configuration pages require administrative username and password authentication:
- /manager
- /aclconfig
You can increase the security of these pages by also limiting access to a subset of IP addresses. Requests from any other address are refused with HTTP 403 before the login prompt is reached.
Note
If you restrict access to localhost only, you must open the configuration pages from the server itself and enter 127.0.0.1 as the host in the browser address. A request that arrives through the server's host name or its network IP address is rejected.
To restrict access to these pages, add the following files to the ACL\App\Tomcat\conf\Catalina\localhost directory and specify the permitted requesting IP addresses in the allow attribute of the RemoteAddrValve. On Tomcat 7 and later, which TomEE is built on, the allow value is a single java.util.regex pattern that must match the entire client address: escape the dots and separate multiple addresses with | rather than commas, for example allow="127\.0\.0\.1|192\.0\.2\.10" (192.0.2.10 standing in for an administrator's workstation). After adding the files, confirm from a host that should be blocked that the pages return HTTP 403.
- manager.xml: restricts access to the /manager page:
  <Context path="/manager" debug="0" privileged="true">
    <!-- Restricts access to localhost. -->
    <!-- Permitted addresses form one regular expression; separate entries with | -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
  </Context>
- aclconfig.xml: restricts access to the /aclconfig page:
  <Context path="/aclconfig" debug="0" privileged="true">
    <!-- Restricts access to localhost. -->
    <!-- Permitted addresses form one regular expression; separate entries with | -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
  </Context>
Note
To revert this change and remove the IP restrictions, first back up your ACL\App\Tomcat\webapps\manager directory, stop the Tomcat service, and then delete the files you added to ACL\App\Tomcat\conf\Catalina\localhost. The backup matters because Tomcat treats the removal of a context descriptor as an undeploy and can delete the corresponding application directory. Once you complete these steps, restore the manager folder from the backup and restart the service.
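The following is an added example, not code from the ACL documentation or product. It emulates how the RemoteAddrValve evaluates its allow attribute on Tomcat 7 and later (one java.util.regex pattern that must match the whole client address; Python's re.fullmatch gives the same answer as Java's Matcher.matches() for these literal patterns), generates a correct context descriptor, and shows why a comma-delimited list silently locks everyone out. The address 192.0.2.10 is an assumed administrator workstation; the function names are this example's own.

```python
import re
from ipaddress import ip_address

# Added example, not ACL's code. Emulates the Tomcat 7+ RemoteAddrValve match
# (full-match of one java.util.regex pattern) and renders a context descriptor.
# 192.0.2.10 is an assumed administrator workstation address.

def allow_pattern(addresses):
    """Build an allow= value: dots escaped, entries joined with '|' (not commas)."""
    for a in addresses:
        ip_address(a)  # ValueError on anything that is not an IP literal
    return "|".join(re.escape(a) for a in addresses)

def valve_allows(pattern, remote_addr):
    """True if a RemoteAddrValve with allow=pattern passes a request from
    remote_addr; any other client receives HTTP 403."""
    return re.fullmatch(pattern, remote_addr) is not None

def context_xml(context_path, addresses):
    """Render the descriptor to place in ACL\\App\\Tomcat\\conf\\Catalina\\localhost."""
    return (
        f'<Context path="{context_path}" debug="0" privileged="true">\n'
        "  <!-- Permitted client addresses: one regular expression, entries separated by | -->\n"
        '  <Valve className="org.apache.catalina.valves.RemoteAddrValve"\n'
        f'         allow="{allow_pattern(addresses)}"/>\n'
        "</Context>\n"
    )

def check_policy(pattern, permitted, denied):
    """Return the addresses whose treatment contradicts the intended policy."""
    problems = []
    for a in permitted:
        if not valve_allows(pattern, a):
            problems.append(f"{a} should be permitted but would get 403")
    for a in denied:
        if valve_allows(pattern, a):
            problems.append(f"{a} should be blocked but would be accepted")
    return problems

if __name__ == "__main__":
    admin_ws = "192.0.2.10"
    good = allow_pattern(["127.0.0.1", admin_ws])
    print(context_xml("/manager", ["127.0.0.1", admin_ws]))
    # The IPv6 loopback is a different string, which is why the note above
    # says to browse to 127.0.0.1 rather than to localhost.
    print("escaped '|' form:",
          check_policy(good, ["127.0.0.1", admin_ws], ["192.0.2.11", "0:0:0:0:0:0:0:1"]))
    # A comma-delimited list is a regex containing a literal comma: it matches
    # nobody, so the pages become unreachable rather than restricted.
    print("comma form:", check_policy("127.0.0.1,192.0.2.10", ["127.0.0.1", admin_ws], []))
```

Write the output of context_xml to manager.xml and aclconfig.xml, then verify from both a permitted and a non-permitted host; a 403 from the permitted host usually means the client reached the server through a proxy or a different interface than the one in the pattern.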
Account logon rights
The following table outlines the necessary logon rights for the accounts that require access to AX Server. Do not grant any logon rights to an account beyond what is specified below. Logon rights are specified in the User Rights Assignment area of the Windows security policy.
Restricting logon rights lessens the risk of someone gaining unauthorized access to AX Server.
Account logon rights
| Logon right | AX Service account (including any Engine Nodes) | PostgreSQL account (not applicable if the database server is Oracle) | AX users group account (Windows user group for AX Client, AX Web Client, and AX Add-Ins users) | AX Connector account (ACL Analytics users) |
|---|---|---|---|---|
| Allow log on locally | No | No | No | No. Note: if you require a connection to SQL Server using a database profile, Allow log on locally is required for this account. |
| Deny log on locally | Yes (must be manually assigned) | Yes (must be manually assigned) | Yes (must be manually assigned) | No |
| Log on as a service | Yes (automatically assigned by the AX installer) | Yes (automatically assigned by the AX installer) | No | No |
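The following is an added example, not part of the ACL documentation. It audits the [Privilege Rights] section of a local security policy export (produced with secedit /export /cfg on the server) against the logon-rights table above. The export lists each privilege with the SIDs that hold it; the SIDs, the SID-to-role mapping and the INF text below are constructed samples, and the role names and function names are this example's own.

```python
# Added example, not ACL's code. Audits a secedit /export /cfg file against the
# logon-rights table. SIDs and the INF text are constructed samples.

# Windows privilege constants behind the table's three logon rights
RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeServiceLogonRight": "Log on as a service",
}

# Expected assignment per role, taken from the table: True = must hold,
# False = must not hold. The AX Connector "Allow log on locally" exception
# for SQL Server database profiles is not modelled here.
EXPECTED = {
    "ax_service":   {"Allow log on locally": False, "Deny log on locally": True,  "Log on as a service": True},
    "postgresql":   {"Allow log on locally": False, "Deny log on locally": True,  "Log on as a service": True},
    "ax_users":     {"Allow log on locally": False, "Deny log on locally": True,  "Log on as a service": False},
    "ax_connector": {"Allow log on locally": False, "Deny log on locally": False, "Log on as a service": False},
}

def parse_privilege_rights(inf_text):
    """Return {privilege: set(SIDs)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes holders as *S-1-..., comma separated
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def audit_logon_rights(rights, sid_roles):
    """Compare the holders of each logon right with EXPECTED; return findings."""
    findings = []
    for priv, right in RIGHTS.items():
        holders = rights.get(priv, set())
        for sid, role in sid_roles.items():
            has = sid in holders
            if has != EXPECTED[role][right]:
                verb = "holds" if has else "is missing"
                findings.append(f"{role} ({sid}) {verb} '{right}'")
        for sid in sorted(holders - set(sid_roles)):
            # Anything outside the four AX roles deserves a look (built-in
            # Administrators will show up here; a stray domain group should not).
            findings.append(f"unexpected holder {sid} of '{right}'")
    return findings

# Constructed sample export: the AX users group lacks the deny right and the
# AX Connector account has been granted interactive logon.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1108
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105,*S-1-5-21-1000-2000-3000-1106
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1105,*S-1-5-21-1000-2000-3000-1106
"""

SAMPLE_ROLES = {  # constructed SIDs for the four accounts in the table
    "S-1-5-21-1000-2000-3000-1105": "ax_service",
    "S-1-5-21-1000-2000-3000-1106": "postgresql",
    "S-1-5-21-1000-2000-3000-1107": "ax_users",
    "S-1-5-21-1000-2000-3000-1108": "ax_connector",
}

if __name__ == "__main__":
    for finding in audit_logon_rights(parse_privilege_rights(SAMPLE_INF), SAMPLE_ROLES):
        print("FINDING:", finding)
```

On the server, run secedit /export /cfg C:\Temp\policy.inf as an administrator, read that file in place of SAMPLE_INF, and fill SAMPLE_ROLES with the real SIDs of the four accounts; run it again after any Group Policy change, since a domain policy can silently re-grant "Allow log on locally".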
Folder permissions
Caution
Do not give individual users or user groups permissions to the entire “ACL” directory on AX Server, or to AX Server operating system directories. This type of configuration creates a major security risk and is not recommended.
The following table outlines the folder permissions that you need to grant to the accounts that require access to AX Server. Do not grant any folder permissions to an account beyond what is specified below.
Restricting folder access to just the required accounts and just the required folders lessens the risk of someone gaining unauthorized access to AX Server. It also prevents an ACL script from accessing or modifying files outside the appropriate folders.
AX Server folder permissions
| Folder on AX Server | AX Service account (including any Engine Nodes) | PostgreSQL account (not applicable if the database server is Oracle) | AX users group account (Windows user group for AX Client, AX Web Client, and AX Add-Ins users) | AX Connector account (ACL Analytics users) |
|---|---|---|---|---|
| ACL\App | Read Write | No permissions | No permissions | No permissions |
| ACL\App\analytic_engine\aclse\conf (the AX Connector configuration folder) | Read Write | No permissions | No permissions | Read |
| ACL\App\Tomcat\conf (the TomEE application server configuration folder). This subfolder contains configuration files that control ACL GRC Analytics Exchange functionality. After AX Server has been installed, the configuration files may contain sensitive information such as hashed credentials and host names. | Read Write | No permissions | No permissions | No permissions |
| ACL\Data | Read Write | No permissions | No permissions | No permissions |
| ACL\Data\aclse\<user name> (if you are using a domain user group for AX users) | Read Write | No permissions | No permissions | Full control, each user for their own subfolder only |
| ACL\Data\aclse (if you are using the AX Server local “Users” group for AX users) | Read Write | No permissions | No permissions | Full control (not secure: all users share the folder) or No permissions (secure) |
| ACL\Data\jobs | Full control | No permissions | No permissions | No permissions |
| ACL\Data\savedfailedjobs | Full control | No permissions | No permissions | No permissions |
| ACL\Data\repository | Read Write | No permissions | No permissions | Read |
| ACL\Data\repository\datafiles (contains the source data files stored in ACL GRC Analytics Exchange) | Read Write | No permissions | No permissions | Read |
| ACL\Data\repository\upload | Read Write | No permissions | No permissions | Read |
| shared data files folder (if using Engine Node, or a separate data files server) | Read Write | No permissions | No permissions | Read |
| archive and restore data directory | Read Write | No permissions | No permissions | No permissions |
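The following is an added example, not part of the ACL documentation. It parses the output of icacls for AX Server folders and reports any principal holding more than the permissions table allows, which catches the common mistake of a users group inheriting Read on the whole ACL\App tree. The drive letter, the principal names (CORP\svc-ax, CORP\ax-users, CORP\ax-connector) and the icacls text are constructed samples; the mapping from the table's wording ("Read", "Read Write", "Full control") to icacls simple-rights tokens, the exclusion of the built-in Administrators, SYSTEM and CREATOR OWNER entries, and the assumption that folder paths contain no spaces are this example's own.

```python
import re

# Added example, not ACL's code. Checks icacls output against the folder
# permissions table. Paths, principals and the icacls text are constructed.

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Table wording -> icacls simple-rights tokens acceptable at that level
LEVELS = {
    "none": set(),
    "read": {"R", "RX"},
    "readwrite": {"R", "RX", "W", "M"},
    "full": {"R", "RX", "W", "M", "F"},
}
# Entries Windows places on folders that the table does not cover; excluding
# them is this example's assumption, not a statement from the table.
BASELINE = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}

# A slice of the table: folder -> {principal: level}; anyone else is "none".
EXPECTED = {
    r"C:\ACL\App\Tomcat\conf": {r"CORP\svc-ax": "readwrite"},
    r"C:\ACL\Data\jobs": {r"CORP\svc-ax": "full"},
    r"C:\ACL\Data\repository\datafiles": {r"CORP\svc-ax": "readwrite",
                                          r"CORP\ax-connector": "read"},
}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perm>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Return {path: {principal: set(right tokens)}} from icacls output."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw.startswith(" "):
            # First line of a folder: the path, then its first ACE.
            # Assumes the path has no spaces (true for the paths in the table).
            path, _, ace = line.partition(" ")
            current = result.setdefault(path, {})
        else:
            ace = line.strip()  # continuation lines carry one ACE each
        m = ACE_RE.match(ace)
        if not m or current is None:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("perm"))
        rights = {tok for g in groups if g not in INHERIT_FLAGS for tok in g.split(",")}
        current.setdefault(m.group("who"), set()).update(rights)
    return result

def audit_folders(acls, expected=EXPECTED):
    """Report principals holding more than the table allows on each folder."""
    findings = []
    for path, allowed in expected.items():
        for who, rights in acls.get(path, {}).items():
            if who in BASELINE:
                continue
            level = allowed.get(who, "none")
            excess = rights - LEVELS[level]
            if excess:
                findings.append(f"{path}: {who} has {sorted(excess)} beyond '{level}'")
    return findings

# Constructed icacls output: the users group has inherited Read & execute on
# the Tomcat configuration folder, which the table says it must not have.
SAMPLE_ICACLS = r"""C:\ACL\App\Tomcat\conf CORP\svc-ax:(OI)(CI)(M)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                       CORP\ax-users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
C:\ACL\Data\repository\datafiles CORP\svc-ax:(OI)(CI)(M)
                                 CORP\ax-connector:(OI)(CI)(RX)
                                 NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for finding in audit_folders(parse_icacls(SAMPLE_ICACLS)):
        print("FINDING:", finding)
```

On the server, run icacls C:\ACL\App\Tomcat\conf (and the other folders in the table) and feed the output to parse_icacls; the (I) flag on a flagged entry tells you the grant was inherited from a parent folder, so fix it there rather than on the subfolder.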