Best practice task profile security in BPC

Hi,
I'm in the middle of a BPC NW 7.5 implementation project and need to set up the task profiles in BPC. I'm looking for a clear description of the different tasks - does anyone know if this is available?
Furthermore I'm interested in Best Practice experiences with task security in BPC - any input on this matter?
Thanks,
Lars

Hi,
You can extract the information from the Security Guide located on Service MarketPlace at:
https://websmp202.sap-ag.de/securityguide
follow the path to "SAP BusinessObjects (formerly, SAP Business User)" and select
SAP BPC 7.0, version for SAP NetWeaver Security Guide
hope it helps...
regards,
Raju

Similar Messages

  • Best Practice paper for Security

    Does anyone have or know of a Best Practice Paper for Security?
    Thanks,
    Melissa

    http://www.petefinnigan.com is another excellent security resource-- he has a couple of different checklists.
    Justin
    Distributed Database Consulting, Inc.
    http://www.ddbcinc.com/askDDBC

  • Best practice for standard security role

    Hi, I'd like to know which is the best practice for standard role use, some people tell me that a standard role should never be used, that a copy must be made and assign the users to the copy, but then, why should SAP bother creating the standard role?

    They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
    Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menus with SP's and upgrades, then you will find them in transaction SU25.
    If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
    Cheers,
    Julius

  • Best Practice/Standard for Securing and Attaching Files in a Web Service

    Thanks in advance.
    Being new to Web Services as well as most of my team. I would like to know what is the best practice for transporting files via a Web Service. I know of several methods and one that seems to be the standard, but you can't really tell in this ever changing world of Web Services. Below are the options that I have found.
    1. MIME encoded the file and embed in the payload of the SOAP message
    2. SwA (SOAP with Attachments) which applies MIME attachments to SOAP. I think this is similar to the way emails are handled.
    3. DIME (Direct Internet Message Encapsulation) similar to MIME encoding but is more efficient
    4. MTOM (Message Transmission Optimization Mechanism) I really do not understand this method, but it seems that this is the NEW standard. I just don't understand why.
    5. Utilize HTTPS and download the file from an accessible file server w/ a login id and password.
    Is there someone out there that understands this problem and can assist me in understanding the pros and cons of these methods? Or maybe there is a method that I'm overlooking altogether.
    Thanks

    JWSDP supports securing of attachments [1] and will soon support securing MTOM attachments too.
    [1] http://java.sun.com/webservices/docs/2.0/xws-security/ReleaseNotes.html

  • Best practice architecture Wireless security

    What is the best practice architecture for wireless to the wire network?
    Use AP to Firewall and it to a router using RADIUS?
    It apply to Control is a safety?
    What models Cisco recommend (Hard and Soft?)
    Is any place in Cisco that I can use to see Architecture recommendations that integrate Wireless, Radio (Microwave) and Voice over IP complete system?

    Using one of the 802.1x types (i.e. LEAP, EAP-FAST, PEAP) with WPAv2 (AES encryption). Too bad that there are not many wireless adapters that support AES.
    All Cisco wireless products support AES in 12.3(2)JA recently.
    Also, you may want to configure WDS for radio management.

  • RICEF Security - best practice to develop security specs

    Good Morning All,
    We have new ECC implementation kicked off, my question is how RICEF security is controlled? What are the standard guidelines practised in industry?
    We are encouraging process teams to start use authorizations checks in custom transactions wherever necessary, ABAP team says this is in discretion of BP, ABAP will enforce checks if Business Process (BP) asks.
    I am not sure if BP will take that extra time to think on authorization checks for RICEFS, we security team offered help to BP saying we can help on finding appropriate auth objects for their RICEF objects.
    As we cannot really enforce this or push hard, I am trying to think what is best way to get this in place.
    What I think is for some custom tcodes, which are low risk reports there is really no need to induce 2nd level check(1st level being S_TCODE) but my concern is this should not be taken for granted.
    I would like to hear suggestions from group.
    Thank You.
    Edited by: Julius Bussche on Apr 22, 2011 5:46 PM
    Subject title made more meaningful.

    Their job is to make it work and security is very often seen as a barrier
    This is very unfortunate but often true. Security can however also offer cool solutions to spaghetti code and defunct requirements!
    As you correctly state, the reason is often lack of training, awareness and being under pressure from deadlines and complexity. I also suffer under this but have with time learnt that "right first time" is the best way.
    The ideal solution IMO would be to integrate the authority-check statement into both the external and internal license measurement.
    - A program without any authority-check is freeware because anyone can run it.
    - A program with a display auth check run by a user with display authorizations costs 1 cents each time.
    - A program with change / create checks run by a user with change / create authorizations costs 2 cents each time.
    - A program with delete checks run by a user with delete authorizations costs 5 cents each time.
    - Any program with any checks run by a user with FROM --> TO ranges in authorizations costs 20 cents each time.
    - A program with a display auth check run by a user with SAP_ALL costs 100 cents each time.
    - etc...
    This way, developers will add as many appropriate checks to their code so that it generates revenue from the application. Business process owners will try to restrict the authority-checks to only those really needed and will restrict authorizations as much as possible to exact values when testing their roles.
    Would work like a charm... but I'm sure there is a catch somewhere... 
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 24, 2011 12:07 AM
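The thread above turns on whether custom (RICEF) programs carry an authority-check beyond S_TCODE. The following is an added example, not code from the thread or from SAP: a small Python scanner that lists the AUTHORITY-CHECK statements in ABAP source and flags programs with none, or with a check whose sy-subrc result is never evaluated. The report names, the table ZITEMS and the authorization object Z_BUKRS are hypothetical, and the ABAP snippets are constructed.

```python
import re

ACTVT = {"01": "create", "02": "change", "03": "display", "06": "delete"}
CHECK_RE = re.compile(r"^AUTHORITY-CHECK\s+OBJECT\s+'([^']+)'(.*)$", re.I | re.S)
ID_RE = re.compile(r"\bID\s+'([^']+)'\s+(DUMMY|FIELD\s+(\S+))", re.I)
SUBRC_RE = re.compile(r"^(IF|ELSEIF|CHECK|CASE)\b.*\bSY-SUBRC\b", re.I | re.S)

# Constructed sources: report names, table ZITEMS and object Z_BUKRS are hypothetical.
SOURCES = {
    "ZRICEF_NOCHECK": """REPORT zricef_nocheck.
* AUTHORITY-CHECK OBJECT 'Z_BUKRS' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
SELECT * FROM zitems INTO TABLE lt_items WHERE bukrs = p_bukrs.
""",
    "ZRICEF_DISPLAY": """REPORT zricef_display.
AUTHORITY-CHECK OBJECT 'Z_BUKRS'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.  "display only
IF sy-subrc <> 0.
  MESSAGE 'No authorization' TYPE 'E'.
ENDIF.
""",
    "ZRICEF_DELETE": """REPORT zricef_delete.
AUTHORITY-CHECK OBJECT 'Z_BUKRS' ID 'BUKRS' DUMMY ID 'ACTVT' FIELD '06'.
DELETE FROM zitems WHERE bukrs = p_bukrs.
""",
}

def statements(source):
    """Split ABAP source into statements, dropping '*' lines and '"' comments."""
    out, cur = [], []
    for line in source.splitlines():
        if line.startswith("*"):          # full-line comment (asterisk in column 1)
            continue
        in_quote = False
        for ch in line:
            if ch == "'":
                in_quote = not in_quote
            elif ch == '"' and not in_quote:
                break                      # inline comment runs to end of line
            if ch == "." and not in_quote:  # a period outside a literal ends a statement
                stmt = " ".join("".join(cur).split())
                if stmt:
                    out.append(stmt)
                cur = []
            else:
                cur.append(ch)
        cur.append(" ")
    return out

def audit(source):
    """Return (checks, findings): checks are (object, activity) pairs."""
    stmts = statements(source)
    checks, findings = [], []
    for i, stmt in enumerate(stmts):
        m = CHECK_RE.match(stmt)
        if not m:
            continue
        obj, rest = m.group(1), m.group(2)
        fields = {name.upper(): (val or "DUMMY").strip("'")
                  for name, _, val in ID_RE.findall(rest)}
        checks.append((obj, ACTVT.get(fields.get("ACTVT", ""), "unspecified")))
        nxt = stmts[i + 1] if i + 1 < len(stmts) else ""
        if not SUBRC_RE.match(nxt):        # result of the check is thrown away
            findings.append(f"{obj}: sy-subrc not evaluated after check")
        if fields and all(v == "DUMMY" for v in fields.values()):
            findings.append(f"{obj}: every field is DUMMY")
    if not checks:
        findings.append("no AUTHORITY-CHECK statement")
    return checks, findings

def audit_all(sources=SOURCES):
    return {name: audit(src) for name, src in sources.items()}

if __name__ == "__main__":
    for name, (checks, findings) in audit_all().items():
        print(name, checks, findings or "ok")
```

The commented-out check in ZRICEF_NOCHECK is deliberately not counted, and ZRICEF_DELETE is flagged because the statement after the check is not a test of sy-subrc.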

  • Office Web Apps - Best Practice for App Pool Security Account?

    Guys,
    I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
    Generally speaking, I put service applications in their own application pool.
    Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
    I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool. 
    Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
    Cheers,
    Conrad
    Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

    I run my OWA under its own service account (spOWA) and use only one app pool. Just remember that if you go this route, "When you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)

  • Secure my laptop Best Practice idea requests

    My MacBook was stolen with all my personal information unencrypted last month and I now have a new 13 inch MacBookPro. I would like some Best Practice recommendations for securing the data within my user account. Is there a BIOS level password option on the Apple laptops?
    Any thoughts on Identity theft? LoJackforLaptops software tracking? Is Apple's encryption of the home directory stable enough to use routinely and how does it affect back up of data and recovery of data? How about online backup...Mozy vs Carbonite or Others. I had Mozy and it seems that much less data was actually available to recover than I had thought.
    Or is this a case of the Cow is out of the barn and why shut the door now?!
    Thoughts please!
    Thanks
    Warren Tripp
    Madison,WI

    Warren Tripp wrote:
    I am NOT going to use FileVault however. I tried it once and lost data. Everything I read seems to imply it is not worth the trouble.
    RE encryption, eww is correct - that's the only way to protect your data. Competent individuals (Kappy, eww, and me, for example), could defeat the firmware password protection and your strong admin password in a matter of minutes. A competent thief +who was interested in your data+ would be able to do so as well (most just want the hardware, of course).
    I do agree that FileVault is not the best solution here (I sometimes refer to it as FileFault - there's an inherent risk in having all of your data in a single, huge, encrypted file). I see no need to encrypt iTunes music, my personal photos, etc. Instead, consider creating an encrypted disk image for your sensitive personal data (again with a strong password, and UNcheck the box to store the password in the keychain!).
    http://support.apple.com/kb/HT1578

  • What are Printing Security Best Practices for Advanced Features

    In the Networking > Advanced "Enabled Features" what are the best practices settings for security. Trying to find out what all of these are.  Can't find them in the documentation. Particularly eCCL & eFCL?
    Enabled Features
    IPv4, IPv6, DHCP, DHCPv6, BOOTP, AUTOIP, LPD Printing, 9100 Printing, LPD Banner Page Printing, Bonjour, AirPrint, LLMNR, IPP Printing, IPPS Printing, FTP Printing, WS-Discovery, WS-Print, SLP, Telnet configuration, TFTP Configuration File, ARP-Ping, eCCL, eFCL, Enable DHCPv4 FQDN compliance with RFC 4702
    Thanks,
    John

    I do work with the LAST archived project file, which contains ALL necessary resources to edit the video.  But then if I add video clips to the project, these newly added clips are NOT in the archived project, so I archive it again.
    The more I think about it, the more I like this workflow.  One disadvantage as you said is duplicate videos and resource files.  But a couple of advantages I like are:
    1. You can revert to a previous version if there are any issues with a newer version, e.g., project corruption.
    2. You can open the archived project ANYWHERE, and all video and resource files are available.
    In terms of a larger project containing dozens of individual clips like my upcoming 2013 video highlights video of my 4  year old, I'll delete older archived projects as I go, and save maybe a couple of previous archived projects, in case I want to revert to these projects.
    If you are familiar with the lack of project management iMovie, then you will know why I am elated to be using Premiere Elements 12, and being able to manage projects at all!
    Thanks again for your help, I'm looking forward to starting my next video project.

  • Best practice for assigning permissions

    Good morning,
    I am trying to redo permissions on our shared folders, and want to incorporate some sort of best practice and be security conscious.
    In the current environment, permissions are assigned directly to the folder, and it is usually domain users :(.
    I have a multi-domain environment, I want to know what is the best way to handle permissions, so for instance I have a folder called
    \\ITserver01\ITtest, what kind of naming scheme do you give? I was thinking about maybe ITserver01_ITtest_RW as an example...
    Also do I have to create a domain local r/w and R/o group and a universal group r/w and r/o, since I cannot assign place users directly in the domain local account?
    Chad

    Best practices (esp in naming schemes) depend a bit on the corporate culture and standard procedures. However, we put users in domain local groups based on their role. Those groups would be made a member of a domain group that is used to grant access to local resources, and then those resource access domain groups are made members of local groups on the server.
    For example, if I have a server 'test', then there is a domain group called 'test administrators' and that group is then a member of the local admins group of the test server. And one of the members of the 'test administrators' group would be the 'site domain admins' group.
    For your example, ITserver01_ITtest_RW would be a domain local group. And you would not put users in it directly, but user groups. Users are in groups like 'Site helpdesk admins' or whatever. Something that defines their role in the organization.
    And then you would put the 'Site helpdesk admins' as member in the ITserver01_ITtest_RW group.
    Does that make sense?
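To make the nesting described in the answer above checkable, here is an added example (not part of the original posts): a Python audit that takes a share's ACL and group memberships, flags ACEs granted to users or to groups outside the `<server>_<share>_<RW|RO>` scheme, flags users placed directly in a resource group, and resolves nested groups to effective per-user rights. The directory data is constructed; only ITserver01_ITtest_RW, 'Site helpdesk admins' and domain users come from the thread, and the other names, the rights labels and the finding codes are assumptions.

```python
import re

# Constructed directory data. ITserver01_ITtest_RW, 'Site helpdesk admins' and
# 'Domain Users' appear in the thread; every other name is hypothetical.
GROUPS = {
    "ITserver01_ITtest_RW": {"scope": "DomainLocal",
                             "members": ["Site helpdesk admins", "bob"]},
    "ITserver01_ITtest_RO": {"scope": "DomainLocal", "members": ["Site auditors"]},
    "Site helpdesk admins": {"scope": "Global", "members": ["alice", "carol"]},
    "Site auditors": {"scope": "Global", "members": ["dave"]},
    "Domain Users": {"scope": "Global",
                     "members": ["alice", "bob", "carol", "dave", "erin"]},
}
# Constructed ACEs on \\ITserver01\ITtest as (trustee, rights).
ACL = [("ITserver01_ITtest_RW", "Modify"), ("ITserver01_ITtest_RO", "Read"),
       ("Domain Users", "Modify"), ("erin", "FullControl")]
NAME_RE = re.compile(r"^(?P<server>[^_]+)_(?P<share>[^_]+)_(?P<level>RW|RO)$")

def expand(name, groups, seen=None):
    """Resolve a trustee to the set of users it contains (cycle-safe)."""
    seen = set() if seen is None else seen
    if name not in groups:
        return {name}                      # a leaf is a user account
    if name in seen:
        return set()                       # group already visited
    seen.add(name)
    users = set()
    for member in groups[name]["members"]:
        users |= expand(member, groups, seen)
    return users

def audit_share(server, share, acl, groups):
    """Return (trustee, finding) pairs for ACEs that break the scheme."""
    findings = []
    for trustee, _rights in acl:
        if trustee not in groups:
            findings.append((trustee, "user-ace"))
            continue
        m = NAME_RE.match(trustee)
        if not m or (m["server"], m["share"]) != (server, share):
            findings.append((trustee, "not-resource-group"))
            continue
        if groups[trustee]["scope"] != "DomainLocal":
            findings.append((trustee, "wrong-scope"))
        direct = [x for x in groups[trustee]["members"] if x not in groups]
        if direct:
            findings.append((trustee, "direct-user-member: " + ", ".join(direct)))
    return findings

def effective_access(acl, groups):
    """Map each user to the set of rights reached through any ACE."""
    access = {}
    for trustee, rights in acl:
        for user in expand(trustee, groups):
            access.setdefault(user, set()).add(rights)
    return access

if __name__ == "__main__":
    for finding in audit_share("ITserver01", "ITtest", ACL, GROUPS):
        print(finding)
    for user, rights in sorted(effective_access(ACL, GROUPS).items()):
        print(user, sorted(rights))
```

In the sample data the broad 'Domain Users' ACE gives dave Modify even though his role group only reaches the RO resource group, which is the effect of the direct domain-users assignment the question complains about.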

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QOS, however I have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
     match access-list tunnel_one
    class-map Tunnel_Policy2
     match access-list tunnel_two
    class-map Tunnel_Policy3
     match access-list tunnel_three
    class-map Tunnel_Policy4
     match access-list tunnel_four
    policy-map tunnel_traffic_limit
     class Tunnel_Policy1
      police output 4096000
    policy-map tunnel_traffic_limit
     class Tunnel_Policy2
      police output 5734400
    policy-map tunnel_traffic_limit
     class Tunnel_Policy3
      police output 2457600
    policy-map tunnel_traffic_limit
     class Tunnel_Policy4
      police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The Final outputs of the configured values were :
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..

  • Digital certificate best practice

    Hi all,
    What's the best way to update the TP (not host) certificates in the wallet file (Apache/Apache/conf/ssl.wlt/default)?
    1). Leave old certificate in wallet and add new certificate ahead of time. Remove expired certificates sometime in the future.
    2). Remove old certificate and install new certificate when the certificate expires - one step process.
    Preference is option 1 unless there is an issue.
    Thanks,
    Suresh

    Hi Suresh,
    If you are replacing an expired certificate then option 1 will not cause an issue, but in case you are replacing due to any other reason then option 2 is a must.
    As a best practice to keep security intact, always option two should be followed as option 1 leaves a blackhole for an intruder.
    Regards,
    Anuj

  • Best practices while using Iron Port as MTA..

    We are planning to deploy ironport in our environment as a MTA and Spam. Currently we use qmail as MTA and Trend was a spam.
    Mail Flow
    External --> Qmail (DMZ) --> Trend Micro Spam Server (LAN) --> Exchange
    Kindly suggest as best practice and important features should enable to block spam.

    Something that may aid you in your readings --->
    https://supportforums.cisco.com/discussion/11429111/ask-expert-best-practices-configuring-email-security-appliance
    Snippet from there:
    Because everyone's mail flow is different (my company will receive different targeted spam than yours, for instance), obtaining the maximum potential can be as much an art as a science.
    Since we often are asked what extra steps can be taken to get the maximum potential out of your IronPort, we've published an external Knowledge Base article that lists *several* things you can do to stop as much spam as possible:
    Article #493: IronPort Anti-Spam Efficacy Checklist Link: http://tinyurl.com/eqpk6
    I cannot stress enough to use Step 11: Report mis-classified messages to IronPort. Anytime you catch an email making it through our systems, we want to know. You cannot submit too many samples. (The same holds true for misclassified HAM messages.)
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
    Typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    - The next BPEL developer in your project may not be aware of Security extensions
    - Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
    Thanks
    Ram

  • Looking for Some Examples / Best Practices on User Profile Customization in RDS 2012 R2

    We're currently running RDS on Windows 2008 R2. We're controlling user's Desktops largely with Group Policy. We're using Folder Redirection to configure their Start Menus as well.
    We've installed a Server 2012 R2 RDS box and all the applications that users will need. Should we follow the same customization steps for 2012 R2 that we used in 2012 R2? I would love to see some articles on someone who has customized a user profile/Desktop in 2012 R2 to see what's possible.
    Orange County District Attorney

    Hi Sandy,
    Here are some related articles below for you:
    Easier User Data Management with User Profile Disks in Windows Server 2012
    http://blogs.msdn.com/b/rds/archive/2012/11/13/easier-user-data-management-with-user-profile-disks-in-windows-server-2012.aspx
    User Profile Best Practices
    http://social.technet.microsoft.com/wiki/contents/articles/15871.user-profile-best-practices.aspx
    Since you want to customize user profile, here is another blog for you:
    Customizing Default users profile using CopyProfile
    http://blogs.technet.com/b/askcore/archive/2010/07/28/customizing-default-users-profile-using-copyprofile.aspx
    Best Regards,
    Amy
