Take note of the following areas in which security levels are implemented in Studio Server.
Studio Server uses its own user definitions and passwords, which are used to authenticate clients with Studio Server. The Server applies the business logic and authorization rules that determine what a specific user is allowed to do. The Server itself always uses the configured database user, which has “Full” access to the database.
Note: This is true for a standard installation only. In case the instructions are followed as outlined in Security checkpoints below, access for the database user is more restricted.
Studio Server user passwords are stored encrypted inside the database.
Tickets instead of passwords
For each client session, a ticket is created and returned to the client application. Instead of sending passwords, the ticket is sent along each SOAP call (between the client application and the Server).
If you raise the security level of your Web browser, cookie support might get disabled implicitly. Studio Server relies on cookies, so make sure that they are enabled again after raising the security level.
Verify the following areas to see if you want to increase the security of the system.
MySQL user root password
The standard MySQL user root does not have a password. Set a password for root (or, better still, disable the root user and create a new MySQL user account with a password) and enter this user and password in the config.php file of Studio Server as well.
Database user privileges
If you want to reduce the privileges of the newly created database user, the following is the minimal set of required privileges per database type:
MySQL:
- Installation: ALL
- Everyday: SELECT, INSERT, UPDATE, DELETE on all tables in the Studio Server database; the CREATE TEMPORARY TABLES system privilege
- Adding/removing custom properties: ALTER on the smart_objects and smart_deletedobjects tables
Microsoft SQL Server:
- Installation: ALL
- Everyday: SELECT, INSERT, UPDATE, DELETE on all tables in the Studio Server database; CREATE TABLE, DROP TABLE on the tempdb database
- Adding/removing custom properties: ALTER on the smart_objects and smart_deletedobjects tables
Oracle:
- Not applicable: a minimal set of privileges was already defined during the Oracle installation steps of Studio Server.
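As an added example (not part of the Studio Server documentation), the MySQL variant of this minimal privilege set expressed as GRANT statements, combined with the root password checkpoint above. The database name `studio`, the account `studio_app` and the placeholder passwords are assumptions; the ALTER USER syntax assumes MySQL 5.7 or later.

```sql
-- Constructed example: least-privilege MySQL account for everyday Studio Server use.
-- Assumed names: database `studio`, user 'studio_app'@'localhost'. Replace the
-- placeholder passwords and enter the same credentials in config.php.

-- 1. Give the passwordless root account a password (checkpoint "MySQL user root password").
ALTER USER 'root'@'localhost' IDENTIFIED BY '<strong-root-password>';

-- 2. Dedicated application account with only the "everyday" privileges.
CREATE USER 'studio_app'@'localhost' IDENTIFIED BY '<strong-app-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON studio.* TO 'studio_app'@'localhost';
-- CREATE TEMPORARY TABLES can be granted per database instead of globally.
GRANT CREATE TEMPORARY TABLES ON studio.* TO 'studio_app'@'localhost';

-- 3. Only while adding or removing custom properties: ALTER on the two tables
--    that receive the extra columns. Revoke it again when the change is done.
GRANT ALTER ON studio.smart_objects        TO 'studio_app'@'localhost';
GRANT ALTER ON studio.smart_deletedobjects TO 'studio_app'@'localhost';
-- REVOKE ALTER ON studio.smart_objects        FROM 'studio_app'@'localhost';
-- REVOKE ALTER ON studio.smart_deletedobjects FROM 'studio_app'@'localhost';

FLUSH PRIVILEGES;

-- 4. Verify: the listing must not contain ALL PRIVILEGES, DROP, CREATE or GRANT OPTION.
SHOW GRANTS FOR 'studio_app'@'localhost';
```

Run the installation with a separate account holding ALL on the `studio` database, then switch config.php to `studio_app` for production.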
If you use the file system for file storage, the default location is the File Store directory in the root of your disk. Move it to a more appropriate location and set that location in the config.php file of Studio Server. Next, make sure the access rights on the directory are set as narrowly as possible.
Studio Server ships with a default user account with full admin rights (username woodwing, password ww), giving full access to the system. Since this account is mentioned in various places in the online help, we strongly advise changing the password and/or deactivating this account in order to prevent unauthorized access. Be sure to create another user with administrative rights first, though.
SSL can be used as a means of securing the connection between the application server and client applications.
Note: For more information about setting up clients and servers by enabling SSL, see Using SSL in Studio Server.
It is recommended to remove the wwtest/ folder from production installations since the scripts it contains provide a wealth of configuration and installation information which can be useful to potential attackers.