Follow the AX Server security recommendations to control access to Analytics Exchange and keep sensitive audit data secure.
As a general guideline, you should grant AX Server access to the minimum number of required accounts, with the minimum required rights and permissions.
Use a dedicated domain user account, and use it only as the "AX Service" account. Do not use any of the following account types:
Note
The dedicated domain user account that you specify requires access to the Active Directory domain controller in order to authenticate users logging in to Analytics Exchange. If the account you specify uses a password that expires, make sure you have a process in place for keeping the password updated.
Use the same domain user account that you use to run the Analytics Exchange Service.
The permissions required to run AX Engine Node and the Analytics Exchange Service are the same. Using the same account for both means you have to keep track of only one account.
Manage user rights and permissions on AX Server by first adding individual user accounts to a Windows user group. There are two user group options when granting rights and permissions on AX Server for individual user accounts:
Note
The first option is more secure because:
The logon rights and folder permissions for either type of group are specified in subsequent sections.
Do not disable login throttling for user or AX Server administrator login attempts. To mitigate the risk of brute-force attempts at password cracking, Analytics Exchange enables login throttling by default:
These default values can be changed in the deployerConfigContext.xml configuration file.
These default values can be changed in the admin-security.xml configuration file.
Secure any sensitive information related to your installation of AX Server. If you created any files during the installation process that contain sensitive information, such as account credentials or configuration settings, store the files in a secure location.
The following Server configuration pages require administrative username and password authentication:
You can increase the security of these pages by also limiting page access to a subset of IP addresses.
Note
If you restrict access to your localhost, you must enter 127.0.0.1 in your browser address when accessing the configuration pages.
To restrict access to these pages, add the following files to the ACL\App\Tomcat\conf\Catalina\localhost directory and specify the permitted requesting IP addresses in a comma-delimited list:
```xml
<Context path="/manager" debug="0" privileged="true">
    <!-- Restricts access to localhost. -->
    <!-- Permitted servers must be added in a comma-delimited list -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
</Context>
```

```xml
<Context path="/aclconfig" debug="0" privileged="true">
    <!-- Restricts access to localhost. -->
    <!-- Permitted servers must be added in a comma-delimited list -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
</Context>
```
Note
To revert this change and remove IP restrictions, you must back up your ACL\App\Tomcat\webapps\manager directory, stop the Tomcat service, and then delete the files you added to ACL\App\Tomcat\conf\Catalina\localhost. Once you complete these steps, overwrite your manager folder with the backup and restart the service.
The following table outlines the necessary logon rights for the accounts that require access to AX Server. Do not grant any logon rights to an account beyond what is specified below. Logon rights are specified in the User Rights Assignment area of the Windows security policy.
Restricting logon rights lessens the risk of someone gaining unauthorized access to AX Server.
| Logon right | AX Service account (including any Engine Nodes) | PostgreSQL account (not applicable if database server is Oracle) | AX users group account (Windows user group for AX Client, AX Web Client, and AX Add-Ins users) | AX Connector account (ACL Analytics users) |
|---|---|---|---|---|
| Allow log on locally | No | No | No | Note: If you require a connection to SQL Server using a database profile, then Allow log on locally is required. |
| Deny log on locally | Yes (must be manually assigned) | Yes (must be manually assigned) | Yes (must be manually assigned) | No |
| Log on as a service | Yes (automatically assigned by the AX installer) | Yes (automatically assigned by the AX installer) | No | No |
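One way to check the logon rights table against a server's actual User Rights Assignment is to export the policy with `secedit` and compare it per account. This is an added example, not part of the AX documentation; the SIDs and the sample export are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example: SIDs and the sample export below are constructed placeholders.
# SeInteractiveLogonRight     = "Allow log on locally"
# SeDenyInteractiveLogonRight = "Deny log on locally"
# SeServiceLogonRight         = "Log on as a service"

function Get-UserRightsFromInf {
    # Parse "SeXxx = *SID,*SID" lines from a secedit export into right -> SID list.
    param([string[]]$Lines)
    $rights = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-AxLogonRights {
    # One result row per (account, right); only direct assignments are compared.
    param([hashtable]$Rights, [hashtable]$Expected)
    foreach ($sid in $Expected.Keys) {
        foreach ($right in $Expected[$sid].Keys) {
            $actual = @($Rights[$right]) -contains $sid
            [pscustomobject]@{
                Sid = $sid; Right = $right; Actual = $actual
                Expected = $Expected[$sid][$right]
                Ok = ($actual -eq $Expected[$sid][$right])
            }
        }
    }
}

$svc = 'S-1-5-21-1000000000-2000000000-3000000000-1105'  # AX Service account (placeholder)
$grp = 'S-1-5-21-1000000000-2000000000-3000000000-1106'  # AX users group (placeholder)
$expected = @{
    $svc = @{ SeInteractiveLogonRight = $false; SeDenyInteractiveLogonRight = $true; SeServiceLogonRight = $true }
    $grp = @{ SeInteractiveLogonRight = $false; SeDenyInteractiveLogonRight = $true; SeServiceLogonRight = $false }
}
# Constructed export; the AX users group is left out of the deny list on purpose.
$sample = @(
    '[Privilege Rights]'
    "SeServiceLogonRight = *S-1-5-80-0,*$svc"
    'SeInteractiveLogonRight = *S-1-5-32-544'
    "SeDenyInteractiveLogonRight = *$svc"
)
Test-AxLogonRights (Get-UserRightsFromInf $sample) $expected | Where-Object { -not $_.Ok }
# On a real host (elevated): secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# then pass (Get-Content "$env:TEMP\rights.inf") in place of $sample.
```

The comparison covers direct assignments only; a right that an account picks up through membership in another group named in the policy is not resolved here.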
Caution
Do not give individual users or user groups permissions to the entire “ACL” directory on AX Server, or to AX Server operating system directories. This type of configuration creates a major security risk and is not recommended.
The following table outlines the folder permissions that you need to grant to the accounts that require access to AX Server. Do not grant any folder permissions to an account beyond what is specified below.
Restricting folder access to just the required accounts and just the required folders lessens the risk of someone gaining unauthorized access to AX Server. It also prevents an ACL script from accessing or modifying files outside the appropriate folders.
| Folder on AX Server | AX Service account (including any Engine Nodes) | PostgreSQL account (not applicable if database server is Oracle) | AX users group account (Windows user group for AX Client, AX Web Client, and AX Add-Ins users) | AX Connector account (ACL Analytics users) |
|---|---|---|---|---|
| ACL\App | Read, Write | No permissions | No permissions | No permissions |
| ACL\App\analytic_engine\aclse\conf (the AX Connector configuration folder) | Read, Write | No permissions | No permissions | Read |
| ACL\App\TomCat\conf (the TomEE application server configuration folder). This subfolder contains configuration files that control Analytics Exchange functionality. After AX Server has been installed, the configuration files may contain sensitive information such as hashed credentials and host names. | Read, Write | No permissions | No permissions | No permissions |
| ACL\Data | Read, Write | No permissions | No permissions | No permissions |
| ACL\Data\aclse\<user name> (if you are using a domain user group for AX users) | Read, Write | No permissions | No permissions | Full control for users for their own subfolder |
| ACL\Data\aclse (if you are using the AX Server local “Users” group for AX users) | Read, Write | No permissions | No permissions | Full control if not secure; No permissions if secure |
| ACL\Data\jobs | Full control | No permissions | No permissions | No permissions |
| ACL\Data\savedfailedjobs | Full control | No permissions | No permissions | No permissions |
| ACL\Data\repository | Read, Write | No permissions | No permissions | Read |
| ACL\Data\repository\datafiles (contains the source data files stored in Analytics Exchange) | Read, Write | No permissions | No permissions | Read |
| ACL\Data\repository\upload | Read, Write | No permissions | No permissions | Read |
| shared data files folder (if using Engine Node, or a separate data files server) | Read, Write | No permissions | No permissions | Read |
| archive and restore data directory | Read, Write | No permissions | No permissions | No permissions |
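The folder permissions table can be audited by reading each folder's effective ACL, inherited entries included, and reporting any Allow entry that exceeds the ceiling listed for that identity. This is an added example, not part of the AX documentation; the root path, account names, ignored built-in principals, function name, and the mapping of "Read, Write" to specific Windows rights are assumptions, and only four rows of the table are encoded.

```powershell
# Added example: placeholder root and account names; not taken from the AX documentation.
$svc = 'EXAMPLE\svc-ax'         # AX Service account (placeholder)
$con = 'EXAMPLE\ax-connector'   # AX Connector account (placeholder)
# Assumption: "Read, Write" maps to these Windows rights (Synchronize always accompanies them).
$RW = [System.Security.AccessControl.FileSystemRights]'Read, Write, Synchronize'
$R  = [System.Security.AccessControl.FileSystemRights]'Read, Synchronize'
$FC = [System.Security.AccessControl.FileSystemRights]::FullControl

# Rows copied from the folder permissions table; identities not listed get no rights.
$ceilings = @{
    'ACL\App'             = @{ $svc = $RW }
    'ACL\App\TomCat\conf' = @{ $svc = $RW }
    'ACL\Data\jobs'       = @{ $svc = $FC }
    'ACL\Data\repository' = @{ $svc = $RW; $con = $R }
}

function Find-AxExcessAccess {
    param(
        [string]$Root,         # directory that contains the ACL folder
        [hashtable]$Ceilings,
        # Assumption: built-in administrative principals are out of scope for this check.
        [string[]]$Ignore = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    foreach ($rel in $Ceilings.Keys) {
        $path = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or $Ignore -contains $id) { continue }
            $max = 0
            if ($Ceilings[$rel].ContainsKey($id)) { $max = [int]$Ceilings[$rel][$id] }
            # Bits granted by this entry that the table does not allow for this identity.
            $excess = ([int]$ace.FileSystemRights) -band (-bnot $max)
            if ($excess -ne 0) {
                [pscustomobject]@{
                    Folder = $rel; Identity = $id; Inherited = $ace.IsInherited
                    Granted = $ace.FileSystemRights
                    ExcessMask = '0x{0:X8}' -f $excess
                }
            }
        }
    }
}

Find-AxExcessAccess -Root 'C:\' -Ceilings $ceilings | Format-Table -AutoSize
```

Rows with `Inherited` set to True usually trace back to a grant on a parent folder, which is the configuration the caution above warns against.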