WoodWing Help Center

Security considerations for Enterprise Server 9

Implemented security

Take note of the following areas in which security levels are implemented in Enterprise.

Client authentication

Enterprise uses its own user definitions and passwords which are used to authenticate the clients with Enterprise Server. The Server applies the business logic and authorization rules as to what a specific user is allowed to do. The Server itself always uses the configured database user that has “Full” access to the database.

Note: This is true for a standard installation only. If the instructions under Security checkpoints below are followed, the database user's access is more restricted.

Encrypted passwords

Enterprise user passwords are stored encrypted inside the database.

Tickets instead of passwords

For each client session, a ticket is created and returned to the client application. Instead of sending passwords, the ticket is sent along each SOAP call (between the client application and the Server).

Cookie support

If you raise the security level of your Web browser, cookie support might get disabled implicitly. However, cookies are required by the Enterprise system, so make sure that they are enabled again after raising the security level.

Security checkpoints

Review the following areas to decide whether you want to increase the security of the system.

MySQL user root password

The standard MySQL user root does not have a password. Set a password for root (or even better: disable the root user and create a new MySQL user account with a password) and enter this user and password into the config.php file for Enterprise Server as well.

Database user privileges

If you want to reduce the privileges for the newly created database user, the following is the minimal set of required privileges:

MySQL

  • Installation: ALL
  • Everyday: SELECT, INSERT, UPDATE, DELETE on all tables in the Enterprise database, CREATE TEMPORARY TABLES system privilege
  • Adding/removing custom properties: ALTER on smart_objects, smart_deletedobjects tables

MS SQL

  • Installation: ALL
  • Everyday: SELECT, INSERT, UPDATE, DELETE on all tables in the Enterprise database, CREATE TABLE, DROP TABLE on tempdb database
  • Adding/removing custom properties: ALTER on smart_objects, smart_deletedobjects tables

Oracle

  • Not applicable: a minimal set of privileges was already defined during the Oracle installation steps of Enterprise Server.
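The MySQL checkpoints above (root password, a dedicated database user, minimal everyday privileges, ALTER only while custom properties are being changed) worked through as an added example; this is not from the WoodWing documentation. The database name `enterprise`, the account `ww_app`@`localhost` and the passwords are assumed placeholders; the `ALTER USER` syntax needs MySQL 5.7.6 or later, the commented `SET PASSWORD` form is for older servers.

```sql
-- Assumed names: database `enterprise`, application account 'ww_app'@'localhost'.
-- 1. Give the default root account a password (MySQL 5.7.6+ / 8.0 syntax).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE_ME_strong_root_password';
-- Older servers (MySQL 5.6 and earlier) use:
-- SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE_ME_strong_root_password');

-- 2. Create a dedicated account for Enterprise Server; put this user and
--    password into config.php instead of root.
CREATE USER 'ww_app'@'localhost' IDENTIFIED BY 'CHANGE_ME_strong_app_password';

-- 3. Installation phase: full rights, but scoped to the Enterprise database only.
GRANT ALL PRIVILEGES ON enterprise.* TO 'ww_app'@'localhost';

-- 4. After installation: drop back to the everyday minimum
--    (SELECT/INSERT/UPDATE/DELETE on all tables plus CREATE TEMPORARY TABLES).
REVOKE ALL PRIVILEGES ON enterprise.* FROM 'ww_app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES
    ON enterprise.* TO 'ww_app'@'localhost';

-- 5. Only while custom properties are being added or removed: ALTER on the
--    two metadata tables, revoked again once the change is done.
GRANT ALTER ON enterprise.smart_objects        TO 'ww_app'@'localhost';
GRANT ALTER ON enterprise.smart_deletedobjects TO 'ww_app'@'localhost';
-- REVOKE ALTER ON enterprise.smart_objects        FROM 'ww_app'@'localhost';
-- REVOKE ALTER ON enterprise.smart_deletedobjects FROM 'ww_app'@'localhost';

-- 6. Verify the effective grants: nothing on *.* and no ALTER outside step 5.
SHOW GRANTS FOR 'ww_app'@'localhost';
```

The `SHOW GRANTS` output is the check to repeat after each maintenance window: the account should list only the `enterprise.*` grants from step 4 during normal operation.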

File storage

If you use the file system for file storage, the default location is the File Store directory in the root of your disk. Move it to a more suitable location and set that location in the config.php file of Enterprise Server. Next, make sure the access rights on the directory are set as narrowly as possible.

Enterprise default user

Enterprise ships with a default user account with full admin rights (username woodwing, password ww), thereby giving full access to the system. Since this account is mentioned in various places in the online help, we strongly advise changing the password and/or deactivating this account in order to prevent unauthorized access. Be sure to create another user with administrative rights first, though.

SSL

SSL can be used as a means of securing the connection between the application server and client applications.

Note: For more information about setting up clients and servers by enabling SSL, see Using SSL in Enterprise Server.

wwtest folder

It is recommended to remove the wwtest/ folder from production installations since the scripts it contains provide a wealth of configuration and installation information which can be useful to potential attackers.
