Essentials Security

Essentials provides two levels of security:

Server security that is partially implemented by the server components of Essentials and by the system administrator
Application security implemented by the client and server components of the Essentials applications

This appendix describes both of these security levels.

Server Security

There are two aspects of Essentials server security:

Security imposed by the server components
Security imposed by the system administrator

Essentials relies on the security features and capabilities of the Windows NT operating system to protect the data and programs used by Essentials from unapproved access.

Caution Essentials can provide security only when installed on an NTFS filesystem.

Server-Imposed Security

The Essentials server provides the following security mechanisms:

Files, file ownership, and permissions---Essentials must be installed by the system administrator and is installed as the user bin. The Windows NT user bin is created at installation time and given a random password that the Essentials daemon manager has access to when it is needed. No user of the Essentials system should ever have to log into the Windows NT system as the user bin.

: Files installed by Essentials are readable by anyone logged into the Windows NT system but files created in the install directory\CSCOpx\files folder are readable only by the bin and administrator users.

Runtime ---Essentials executes some backend processes as system level processes, so there are some programs that run under the system account. These programs are limited in number and controlled by entries in the Windows NT Registry. Only administrators have write access to these Registry entries.
Off machine access ---The Essentials daemon manager will not respond to requests to start, stop, register, or show status for Essentials backend processes from computers other than the Essentials server.

System Administrator-Imposed Security

To maximize Essentials server security, follow these system administration guidelines:

Do not allow users who are not responsible for managing the network to have a login to the Essentials server.
Do not allow the Essentials server file systems to be remotely mounted with any file sharing protocol.
Limit remote access (for example, FTP) to the Essentials server to those users who are permitted to log in to the Essentials server.
Install Essentials on an NTFS file system because FAT file systems have no access controls.

Essentials provides application-level security that allows the Essentials administrator to dictate which applications an Essentials user can access. Essentials provides this security through a set of five built-in roles:

Help Desk
Approver
Network Operations
Network Administration
System Administration

Each role allows access to a predetermined set of applications, tools, and product features. Refer to the "Getting Started" section of the Essentials online help for a detailed chart showing the relationship of user role to application functionality.

When you create an Essentials login (every Essentials user must log in to the application to use its features), you assign one or more roles to the login. The role or combination of roles dictates which Essentials applications are available to the user in the Essentials navigation tree (refer to the "Setting Up Essentials" chapter for an explanation of the navigation tree).

Only the system administrator user can assign roles to Essentials logins. Essentials users can use the administrative tools to change their own password or other aspects of their login.

Essentials comes with two predefined logins:

guest (no password required, user role = Help Desk)

admin (password = admin, user role = super user )

Note The login named admin is the equivalent of the superuser login for Essentials. This login provides access to all Essentials tasks.

To prevent anyone from typing a full path to an Essentials URL to avoid the security system, Essentials applications will run only in the presence of an authenticated session between the server and client. The session is authenticated as a part of the login process so attempting to avoid the login by entering a URL will fail and the user will be returned to the Essentials Login Manager dialog box. The Essentials desktop terminates a login session after a period of no use. After termination, attempting to perform any operation returns the user to the Login Manager dialog box.

Table of Contents