Implemented security
Take note of the following areas in which security levels are implemented in Studio Server.
Client authentication
Studio Server uses its own user definitions and passwords which are used to authenticate the clients with Studio Server. The Server applies the business logic and authorization rules as to what a specific user is allowed to do. The Server itself always uses the configured database user that has “Full” access to the database.
Note: This is true for a standard installation only. In case the instructions are followed as outlined in Security checkpoints below, access for the database user is more restricted.
Encrypted passwords
Studio Server user passwords are stored encrypted inside the database.
Tickets instead of passwords
For each client session, a ticket is created and returned to the client application. Instead of sending passwords, the ticket is sent along each SOAP call (between the client application and the Server).
Cookie support
If you raise the security level of your Web browser, cookie support might get disabled implicitly. However, cookies are used by Studio Server so make sure that they are enabled again after raising the security level.
Security checkpoints
Verify the following areas to see if you want to increase the security of the system.
MySQL user root password
The standard MySQL user root does not have a password. Set a password for root (or even better: disable the root user and create a new MySQL user account with a password) and enter this user and password into the config.php file for Studio Server as well.
Database user privileges
If you want to reduce the privileges for the newly created database user, the following is the minimal set of required privileges:
MySQL
- Installation: ALL
- Everyday: SELECT, INSERT, UPDATE, DELETE on all tables in the Studio Server database, CREATE TEMPORARY TABLES system privilege
- Adding/removing custom properties: ALTER on smart_objects, smart_deleted-objects tables
MS SQL
- Installation: ALL
- Everyday: SELECT, INSERT, UPDATE, DELETE on all tables in the Studio Server database, CREATE TABLE, DROP TABLE on tempdb database
- Adding/removing custom properties: ALTER on smart_objects, smart_deletedobjects tables
Oracle
- Not applicable: a minimal set of privileges was already defined during the Oracle installation steps of Studio Server.
File storage
If you use the file system for file storage, the default location is the File Store directory in the root of your disk. Change this into a better place and set the location in the config.php file of Studio Server. Next, make sure the access rights are set as narrow as possible.
Default user
Studio Server ships with a default user account with full admin rights thereby giving full access to the system. Since this account is mentioned in various places in the online help, we strongly advise to change the password and/or to deactivate this account in order to prevent unauthorized access. Be sure to create a user with administrative rights first though.
SSL
SSL can be used as a means of securing the connection between the applications server and client applications.
Note: For more information about setting up clients and servers by enabling SSL, see Using SSL in Studio Server.
wwtest folder
It is recommended to remove the wwtest/ folder from production installations since the scripts it contains provide a wealth of configuration and installation information which can be useful to potential attackers.
Comment
Do you have corrections or additional information about this article? Leave a comment! Do you have a question about what is described in this article? Please contact Support.
0 comments
Please sign in to leave a comment.