AX Server security

Follow the AX Server security recommendations to control access to Analytics Exchange and keep sensitive audit data secure.

General user access

As a general guideline, you should grant AX Server access to the minimum number of required accounts, with the minimum required rights and permissions.

Windows user account security

Windows user account used to run the ACL Analytics Exchange Service

Use a dedicated domain user account, the "AX Service" account, solely to run the service. Do not use any of the following account types:

  • a generic IT domain account
  • an individual employee's account
  • local user accounts and the LocalSystem account

Note

The dedicated domain user account that you specify requires access to the Active Directory domain controller in order to authenticate users logging in to Analytics Exchange. If the account you specify uses a password that expires, make sure you have a process in place for keeping the password updated.

Windows user account used to run AX Engine Node

Use the same domain user account that you use to run the ACL Analytics Exchange Service.

The permissions required to run AX Engine Node and the ACL Analytics Exchange Service are the same. Using the same account for both means you have to keep track of only one account.

Individual Windows user accounts

Manage user rights and permissions on AX Server by first adding individual user accounts to a Windows user group. There are two user group options when granting rights and permissions on AX Server for individual user accounts:

  • create a domain user group specifically for AX Client users
  • add AX Client users to the AX Server local “Users” group

Note

The first option is more secure because:

  • it allows you to specify prefix folder permissions at the individual user level, which prevents users from accessing other users’ data files
  • subsequent updates can be made in Active Directory rather than requiring access to the server housing AX Server

The logon rights and folder permissions for either type of group are specified in subsequent sections.

Login attempts

Do not disable login throttling for user or AX Server administrator login attempts. To mitigate the risk of brute-force attempts at password cracking, Analytics Exchange enables login throttling by default:

  • Users: after two failed login attempts, the user is locked out for three seconds.

    These default values can be changed in the deployerConfigContext.xml configuration file.

  • Administrators: after five failed login attempts, the user is locked out for ten seconds.

    These default values can be changed in the admin-security.xml configuration file.

AX Client timeout settings

By default, AX Client times out when it sits idle for 30 minutes. To configure a different maximum idle time for AX Client, update the settings in the aclAuditExchange.xml configuration file. For more information, see aclAuditExchange.xml.

Note

If the application is completing a large import or export with processing time that exceeds the timeout, the timeout counter starts after the process completes. The import or export does not fail due to the maximum idle time setting.

If a dialog that is not related to importing and exporting files is open when the timeout expires, the application and all associated dialogs close.

Sensitive installation information

Secure any sensitive information related to your installation of AX Server. During the installation process, if you created any files that contain sensitive information, such as account credentials or configuration settings, store the files in a secure location.

Server configuration IP restrictions

The following Server configuration pages require administrative username and password authentication:

  • /manager
  • /aclconfig

You can increase the security of these pages by also limiting page access to a subset of IP addresses.

Note

If you restrict access to your localhost, you must enter 127.0.0.1 in your browser address when accessing the configuration pages.

To restrict access to these pages, add the following files to the ACL\App\Tomcat\conf\Catalina\localhost directory and specify the permitted requesting IP addresses in a comma-delimited list:

  • manager.xml: restricts access to the /manager page:

    <Context path="/manager" debug="0" privileged="true">
      <!-- Restricts access to localhost. -->
      <!-- Permitted servers must be added in a comma-delimited list -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
    </Context>

  • aclconfig.xml: restricts access to the /aclconfig page:

    <Context path="/aclconfig" debug="0" privileged="true">
      <!-- Restricts access to localhost. -->
      <!-- Permitted servers must be added in a comma-delimited list -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
    </Context>

Note

To revert this change and remove IP restrictions, you must back up your ACL\App\Tomcat\webapps\manager directory, stop the Tomcat service, and then delete the files you added to ACL\App\Tomcat\conf\Catalina\localhost. Once you complete these steps, overwrite your manager folder with the backup and restart the service.
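One way to check the two context files after creating them, as an added example that is not part of the AX documentation or product: it reports a missing RemoteAddrValve, an empty allow list, or an allow entry that is not a single IP address. The function name and the sample inputs are constructed for illustration, and `allow` is read as the comma-delimited list described above.

```python
import ipaddress
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def audit_context(xml_text, expected_path):
    """Return a list of findings for one context file (empty list = OK)."""
    findings = []
    try:
        ctx = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if ctx.tag != "Context":
        return [f"root element is <{ctx.tag}>, expected <Context>"]
    if ctx.get("path") != expected_path:
        findings.append(f"path is {ctx.get('path')!r}, expected {expected_path!r}")
    valves = [v for v in ctx.iter("Valve") if v.get("className") == VALVE]
    if not valves:
        return findings + ["no RemoteAddrValve: no IP restriction is applied"]
    for valve in valves:
        # Assumption: comma-delimited list of addresses, as the page describes.
        entries = [e.strip() for e in (valve.get("allow") or "").split(",")]
        if entries == [""]:
            findings.append("RemoteAddrValve has no allow list")
            continue
        for entry in entries:
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                findings.append(f"allow entry {entry!r} is not a single IP address; review it")
    return findings

# Constructed samples: the page's manager.xml and two misconfigurations.
GOOD = '''<Context path="/manager" debug="0" privileged="true">
  <!-- Restricts access to localhost. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
</Context>'''
NO_VALVE = '<Context path="/aclconfig" debug="0" privileged="true"/>'
TOO_BROAD = GOOD.replace('allow="127.0.0.1"', 'allow="127.0.0.1,.*"')

if __name__ == "__main__":
    for name, text, path in [("good", GOOD, "/manager"),
                             ("no valve", NO_VALVE, "/aclconfig"),
                             ("too broad", TOO_BROAD, "/manager")]:
        print(name, "->", audit_context(text, path) or "OK")
```

Tomcat 7 and later document `allow` as a single regular expression, so after editing the files also confirm from a host that is not on the list that both pages are refused.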

Account logon rights

The following table outlines the necessary logon rights for the accounts that require access to AX Server. Do not grant any logon rights to an account beyond what is specified below. Logon rights are specified in the User Rights Assignment area of the Windows security policy.

Restricting logon rights lessens the risk of someone gaining unauthorized access to AX Server.

Account logon rights

| Logon right | AX Service account (including any Engine Nodes) | PostgreSQL account (not applicable if database server is Oracle) | AX users group account (Windows user group for AX Client, AX Web Client, and AX Add-Ins users) | AX Connector account (Analytics users) |
|---|---|---|---|---|
| Allow log on locally | No | No | No | No. Note: If you require a connection to SQL Server using a database profile, then Allow log on locally is required. |
| Deny log on locally | Yes (must be manually assigned) | Yes (must be manually assigned) | Yes (must be manually assigned) | No |
| Log on as a service | Yes (automatically assigned by the AX installer) | Yes (automatically assigned by the AX installer) | No | No |
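The logon rights table can be checked against what the server actually has assigned. The following is an added example, not part of the AX documentation or product: it parses the `[Privilege Rights]` section of a `secedit` user-rights export and reports any account whose assignments differ from the table. The role keys, account names and sample export are constructed for illustration.

```python
# Privilege names Windows uses for the three logon rights in the table.
RIGHTS = {"allow_local": "SeInteractiveLogonRight",
          "deny_local": "SeDenyInteractiveLogonRight",
          "service": "SeServiceLogonRight"}
# The page's table: True = the account must hold the right, False = it must not.
# Per the page's note, Allow log on locally is required for SQL Server database profiles.
EXPECTED = {
    "ax_service":   {"allow_local": False, "deny_local": True,  "service": True},
    "postgresql":   {"allow_local": False, "deny_local": True,  "service": True},
    "ax_users":     {"allow_local": False, "deny_local": True,  "service": False},
    "ax_connector": {"allow_local": False, "deny_local": False, "service": False},
}

def parse_privilege_rights(inf_text):
    """Map each privilege in [Privilege Rights] to the set of names/SIDs holding it."""
    held, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            held[name.strip()] = {h.strip().lstrip("*").lower()
                                  for h in holders.split(",") if h.strip()}
    return held

def audit(inf_text, accounts):
    """accounts: role -> account name or SID exactly as the export lists it.
    Only direct assignments are checked; group membership is not expanded."""
    held, findings = parse_privilege_rights(inf_text), []
    for role, ident in accounts.items():
        for right, required in EXPECTED[role].items():
            has = ident.lstrip("*").lower() in held.get(RIGHTS[right], set())
            if has != required:
                findings.append((role, RIGHTS[right], "missing" if required else "unexpected"))
    return findings

# Constructed sample in the format of: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the real file is UTF-16; open it with encoding="utf-16"). Account names are made up.
SAMPLE = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CORP\ax-users
SeDenyInteractiveLogonRight = CORP\svc-ax,CORP\svc-pg
SeServiceLogonRight = *S-1-5-80-0,CORP\svc-ax,CORP\svc-pg
"""
ACCOUNTS = {"ax_service": r"CORP\svc-ax", "postgresql": r"CORP\svc-pg",
            "ax_users": r"CORP\ax-users", "ax_connector": r"CORP\ax-connector"}
```

On the sample, `audit(SAMPLE, ACCOUNTS)` reports that the AX users group holds Allow log on locally and lacks Deny log on locally.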

Folder permissions

Caution

Do not give individual users or user groups permissions to the entire “ACL” directory on AX Server, or to AX Server operating system directories. This type of configuration creates a major security risk and is not recommended.

The following table outlines the folder permissions that you need to grant to the accounts that require access to AX Server. Do not grant any folder permissions to an account beyond what is specified below.

Restricting folder access to just the required accounts and just the required folders lessens the risk of someone gaining unauthorized access to AX Server. It also prevents an Analytics script from accessing or modifying files outside the appropriate folders.

AX Server folder permissions

| Folder on AX Server | AX Service account (including any Engine Nodes) | PostgreSQL account (not applicable if database server is Oracle) | AX users group account (Windows user group for AX Client, AX Web Client, and AX Add-Ins users) | AX Connector account (Analytics users) |
|---|---|---|---|---|
| ACL\App | Read, Write | No permissions | No permissions | No permissions |
| ACL\App\analytic_engine\aclse\conf (the AX Connector configuration folder) | Read, Write | No permissions | No permissions | Read |
| ACL\App\TomCat\conf (the TomEE application server configuration folder). This subfolder contains configuration files that control Analytics Exchange functionality. After AX Server has been installed, the configuration files may contain sensitive information such as hashed credentials and host names. | Read, Write | No permissions | No permissions | No permissions |
| ACL\Data | Read, Write | No permissions | No permissions | No permissions |
| ACL\Data\aclse\<user name> (if you are using a domain user group for AX users) | Read, Write | No permissions | No permissions | Full control for users for their own subfolder |
| ACL\Data\aclse (if you are using the AX Server local “Users” group for AX users) | Read, Write | No permissions | No permissions | Full control if not secure; No permissions if secure |
| ACL\Data\jobs | Full control | No permissions | No permissions | No permissions |
| ACL\Data\savedfailedjobs | Full control | No permissions | No permissions | No permissions |
| ACL\Data\repository | Read, Write | No permissions | No permissions | Read |
| ACL\Data\repository\datafiles (contains the source data files stored in Analytics Exchange) | Read, Write | No permissions | No permissions | Read |
| ACL\Data\repository\upload | Read, Write | No permissions | No permissions | Read |
| shared data files folder (if using Engine Node, or a separate data files server) | Read, Write | No permissions | No permissions | Read |
| archive and restore data directory | Read, Write | No permissions | No permissions | No permissions |
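The folder permissions table can be audited from `icacls` output. The following is an added example, not part of the AX documentation or product: it parses the listing for one folder and reports any of the four accounts holding more than the table allows. It encodes four rows of the table; the account names, install path and sample listing are constructed, and mapping the table's Read and Write to the icacls rights `R` and `W` is an assumption.

```python
import re

ACE = re.compile(r"^(?P<who>[^:]+):(?P<tokens>(?:\([^)]*\))+)$")
# Assumption: Read = icacls R, Write = icacls W; anything else (RX, M, F) is reported.
ALLOWED = {"none": set(), "read": {"R"}, "read_write": {"R", "W"}}  # "full" = anything

# Rows from the page's table, in column order:
# (AX Service, PostgreSQL, AX users group, AX Connector)
TABLE = {
    r"ACL\App":             ("read_write", "none", "none", "none"),
    r"ACL\App\TomCat\conf": ("read_write", "none", "none", "none"),
    r"ACL\Data\jobs":       ("full", "none", "none", "none"),
    r"ACL\Data\repository": ("read_write", "none", "none", "read"),
}

def parse_icacls(output, path):
    """Return {principal: rights} for the allow ACEs in one folder's icacls listing."""
    granted = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()      # first ACE shares a line with the path
        m = ACE.match(line)
        if not m:
            continue                             # blank line or the summary line
        tokens = re.findall(r"\(([^)]*)\)", m["tokens"])
        if "DENY" not in tokens:                 # last group holds the rights
            granted.setdefault(m["who"].lower(), set()).update(tokens[-1].split(","))
    return granted

def audit_folder(output, path, folder, principals):
    """principals: the four account names in the table's column order."""
    granted, findings = parse_icacls(output, path), []
    for level, who in zip(TABLE[folder], principals):
        extra = granted.get(who.lower(), set()) - ALLOWED.get(level, set())
        if level != "full" and extra:
            findings.append(f"{who}: unexpected {sorted(extra)} on {folder}")
    return findings

# Constructed icacls output for C:\ACL\Data\repository (account names are made up).
SAMPLE = r"""C:\ACL\Data\repository CORP\svc-ax:(OI)(CI)(R,W)
                       CORP\ax-connector:(OI)(CI)(M)
                       CORP\ax-users:(I)(OI)(CI)(RX)
                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
PRINCIPALS = (r"CORP\svc-ax", r"CORP\svc-pg", r"CORP\ax-users", r"CORP\ax-connector")
```

Accounts outside the four columns, such as SYSTEM in the sample, are parsed but not judged, because the table does not cover them.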