Exchange security best practice

Hi
I need a white paper on Exchange 2013 security practice. I am not referring to the security analyzer.
I have to come up with a technical security standard for Exchange 2013.
Regards
Biscay

http://www.msexchange.org/white-papers/

Similar Messages

  • Any known security best practices to follow for FMS deployment

    Hi all,
    We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

    Hi
    I will add some concepts. I am not sure how all of them work technically, but there should be enough here for you to
    dig deeper, and also a lot of this is relevant to your environment and how you want to deploy it.
    I have done a 28 server deployment, 4 origin and 24 edge servers.
    All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
    We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are comfortable that all your connection types are working and secure.
    Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
    You may want to look at SWF verification. In my understanding, it works as follows. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the hijacking possibilities on your streams.
    If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
    There are other things you can look at to make it more secure, like adaptor.xml, using a front end load balancer, HTML domains, SWF domains, firewalls and DRM.
    I hope this helps you out.
    Roberto

  • SAP and BOBJ XI 3.x Integrated Security Best Practice

    I am trying to find any information around SAP and BOBJ XI 3.x Integrated Security Best Practice.
    So far I think it is universally agreed that you should:
    1. Utilise the Business Objects platform security model to secure applications, folders and reports.
    2. Use BEx queries as the data source for Business Objects Universes and keep the number of BEx queries to a minimum
    3. Use SAP authorisations over the BEx queries to secure report data at a row level.
    Has anyone seen any formal SAP Best Practice document or have any info to add ?
    Andrew

    Hi,
    those three items are all correct. In terms of security you can find lots of material in the standard BW help.
    in terms of query design / universe:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/008d15dc-f76c-2b10-968a-fafe5a121129
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0320722-741c-2c10-afab-93b5c0fc7e96
    ingo

  • Remoting Security: Best Practice

    I am exploring Remoting and I am curious about security best practice. By default, Enable-PSRemoting will configure an HTTP listener that listens to all addresses. Initially I thought this address was the addresses of the computer making
    the remoting request, but it isn't, it's the address on the local machine that is doing the listening. My reason for thinking this was the controller machine IP was that I thought I might want to limit successful remote requests to just the one machine. From
    a security standpoint this seemed better than letting any machine initiate a remote session. I know that the remote session is limited by the permissions of the user initiating, so any real threat is only because I have already been breached anyway. But still,
    I wonder if there is a way, and value, in limiting remoting to a subset of machines?
    Or is the default here really fine from a security standpoint as well?
    Thanks!
    Gordon

    It is most secure to configure remoting and restrict it using Group Policy.  GP will let you define subnets for both ends of the conversation network wide.
    \_(ツ)_/
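
    One way to limit which machines can start a remote session, as an added example that is not part of the original posts: scope the inbound WinRM firewall rules to a management subnet (the same rule scope can also be distributed through Group Policy). The subnet 10.20.30.0/24 is an assumed placeholder, and the 'Windows Remote Management' rule group name assumes an English-language Windows install.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example: audit and narrow which source addresses may reach WinRM.
    # Assumption: 10.20.30.0/24 is a hypothetical management subnet.
    $AllowedSources = @('10.20.30.0/24')

    # 1. Show the local addresses and ports the WinRM listeners are bound to.
    #    "Address = *" means the listener accepts connections on every local
    #    interface; it says nothing about which remote clients may connect.
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Select-Object Transport, Address, Port, Enabled, ListeningOn

    # 2. Collect the enabled inbound firewall rules that expose WinRM.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # 3. Report the current source scope of each rule ("Any" = every machine).
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.Name
            Profile       = $rule.Profile
            RemoteAddress = $filter.RemoteAddress -join ','
        }
    }

    # 4. Restrict the rules so only the management subnet can open a session.
    #    -WhatIf previews the change; remove it to apply.
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedSources -WhatIf
    ```

    Rules that are delivered by Group Policy are not changed by a local edit, so on domain-managed hosts the scope has to be set in the policy itself.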

  • SAP Business One 2007 - SQL Security best practice

    I have a client with a large user base running SAP Business One 2007. 
    We are concerned over the use of the sql sa user and the ability to change the password of this ID from the logon of SAP Business One.
    We therefore want to move to use Windows Authentication (ie Trusted Connection) from the SAP BO logon.  It appears however that this can only work by granting the window IDs (of the SAP users) sysadmin access in SQL.
    Does anyone have a better method of securing SAP Business One or is there a recommended best practice.  Any help would be appreciated.
    Damian

    See Administrators Guide for best practise.
    You can use SQL Authentication mode. Don't tick Remember password.
    Also check this thread
    SQL Authentication Mode
    Edited by: Jeyakanthan A on Aug 28, 2009 3:57 PM

  • SAP HANA Security - Best Practice for Access to Schemas??

    Hi,
    Currently we don't have a defined Security model in HANA Studio. Nor are there any defined duties of BASIS / Security / Developers.
    I want to understand what best practices are followed at other customers for defining security for Schema.
    1. Who should be creating the schema for Developers / Modelers?
    2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
    Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
    We (the Security team) face issues when other developers need access to the schema of another user, as they want to develop objects under the schema of a different user.
    Also, who should be owning the "SYSTEM" user ID and what steps need to be done whenever a new schema is created?
    Thanks for the help in advance.

    Hi,
    I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
    How does bpel know where to look for the xsd-files and how does the mapping still work?
    This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
    Thanks for any clue.
    Bette

  • Users And Security Best Practice

    Dear Experts
    I am designing an application with almost fifty users scattered in different places. Each user should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. I have the following problems
    Is it a best practice to create 50 users in the DB i.e. 50 Schemas are going to be created? Where are these users normally created?
    Or is it better for me to maintain a table of users and their passwords in my design itself and I regulate through the front end? It seems that this would be risky and a cumbersome process.
    Please advise
    thanks
    Manish Sawjiani

    You would normally create a single schema to own the objects and 50 users to use them. You would use roles and object privileges to control access.
    Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
    The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
    Some things to consider:
    1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
    2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
    3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
    4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
    5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
    6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
    Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
    Hope that clarifies your options a bit.
    ~Dietmar.
    Message was edited by:
    Dietmar Aust
    Corrected a typo in (5): Approach B instead of approach A , sorry.

  • Web application security best practice?

    Hi guys,
    I am developing a web app using JSF + Spring + Hibernate. I have a user backing bean which handles the user login and logout session. Hence if the user signs in successfully, I will just set userLogIn=true in the userBean.java. I really don't know if this is the best practice for handling the user login session. Any security problem here? Please advise, thanks!
    regards,
    kmthien

    hi
    you can also find a lot of info about security handling and JSF if you search the forum.
    thanks.

  • Web Intelligence Security Best Practices

    Hi All,
    We are in the process of starting to use web intelligence. I am putting together a security model for it and I have some questions around best practices. We have a fairly simple two tier security model so far, end users and creators. Creators will be able to create reports in certain folders and everyone else will be able to run and refresh those reports they can see.
    I was going to create a group for all the creators and assign them to a custom access level in the web intelligence application. Then they would also need to be in another creator group for the particular folder. So they would be able to create reports in that folder and execute reports in another.
    For all the end users, they need to be able to view and refresh reports, drilling, data tracking, etc. if they have access to them. Is the best practice then to just assign the Everyone group the out of the box view on demand access level?
    I have been digging around looking for resources and welcome anyone's input or ideas on the subject.
    Thanks in advance for any assistance provided.

    Thank you for your prompt reply.
    But that means that the same security groups will need to be created in both places, web intelligence application and at the folder level?
    I was thinking if I create a developer group for the web intelligence application level, all developers would go into there. Then at the folder level I could create another folder level security group for developers to access the folder.
    Would that not simplify the maintenance at the application level? Or would that not work?

  • Looking for Security Best Practices documentation for Sybase ASE 15.x

    Hello, I'm looking for SAP/Sybase best practice documentation speaking to security configurations for Sybase ASE 15.x. Something similar to this:
    Sybase ASE 15 Best Practices: Query Processing & Optimization White Paper-Technical: Database Management - Syba…
    Thanks!

    Hi David,
    This is something I found on the Sybase site:
    Database Encryption Design Considerations and Best Practices for ASE 15
    http://www.sybase.com/files/White_Papers/ASE-Database-Encryption-3pSS-011209-wp.pdf
    ASE Encryption Best Practices:
    http://www.sybase.com/files/Product_Overviews/ASE-Encryption-Best-Practices-11042008.pdf
    If these do not help, you can search for others at:
    www.sybase.com > search box on the top right.
    I searched "best practices security"
    Can also run advanced search > I typed in "ssl" into exact phrase.
    Hope this helps,
    Ryan

  • HANA Security - Best Practices for Schema??

    Hi,
    Currently we don't have a defined Security model in HANA Studio. Nor are there any defined duties of BASIS / Security / Developers.
    I want to understand what best practices are followed at other customers for defining security for Schema.
    1. Who should be creating the schema for Developers / Modelers?
    2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
    Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
    We (the Security team) face issues when other developers need access to the schema of another user, as they want to develop objects under the schema of a different user.
    Also, who should be owning the "SYSTEM" user ID and what steps need to be done whenever a new schema is created?
    Thanks for the help in advance.

    >So, if we follow this approach, who should be creating the schema as design time?
    Not sure what you mean by that.  We call this design time because you are creating an artifact in the repository and the catalog object doesn't get created until you activate that design time object.
    > Security Administrator or Developer/Modeler?
    Doesn't really matter. Depends upon your process. However I would say most of the time the developer creates the schema.  The developer doesn't immediately get access to the new schema.  He/She must create a role and that role has to be granted to them before they can see the objects in the new schema.
    >Also, for our current scenario, where developers are doing changes in their own schema, what should be done as a Security Administrator to assign access to a user schema to other developers?
    They shouldn't be creating objects in their user schema.  That user schema is for internal usage - like the creation of temporary objects. It shouldn't be used for any development.

  • Security best practices?

    I'm not sure if this is the right group to post this question but...
    Our current architecture consists of separate web server (iPlanet) and java server
    (WLS 5.1). Each server is in a separate DMZ with a secure network containing our
    DB. The webserver only has ports 80 and 443 available from the outside and only
    the WLS ports to the WLS. The WLS is the only one that can talk to our DB.
    Our developers are working on a new design with Weblogic 6.1. They have been planning
    on keeping it on 1 server (using weblogic web services). We feel this is a security
    risk to have a server in the outside DMZ talking to a DB server inside our network.
    Does anyone know where I can find a white paper on best practices for security?
    Should we keep it as 2 servers or combine them into 1 server?
    Thank you for your time!
    Brett

    Hi.
    You might have better luck posting this question on the security newsgroup -
    weblogic.developer.interest.security.
    Regards,
    Michael
    BJones wrote:
    > I'm not sure if this is the right group to post this question but...
    > Our current architecture consists of separate web server (iPlanet) and java server
    > (WLS 5.1). Each server is in a separate DMZ with a secure network containing our
    > DB. The webserver only has ports 80 and 443 available from the outside and only
    > the WLS ports to the WLS. The WLS is the only one that can talk to our DB.
    > Our developers are working on a new design with Weblogic 6.1. They have been planning
    > on keeping it on 1 server (using weblogic web services). We feel this is a security
    > risk to have a server in the outside DMZ talking to a DB server inside our network.
    > Does anyone know where I can find a white paper on best practices for security?
    > Should we keep it as 2 servers or combine them into 1 server?
    > Thank you for your time!
    > Brett
    --
    Michael Young
    Developer Relations Engineer
    BEA Support

  • What are Printing Security Best Practices for Advanced Features

    In the Networking > Advanced "Enabled Features" what are the best practices settings for security. Trying to find out what all of these are.  Can't find them in the documentation. Particularly eCCL & eFCL?
    Enabled Features
    IPv4, IPv6, DHCP, DHCPv6, BOOTP, AUTOIP, LPD Printing, 9100 Printing, LPD Banner Page Printing, Bonjour, AirPrint, LLMNR, IPP Printing, IPPS Printing, FTP Printing, WS-Discovery, WS-Print, SLP, Telnet configuration, TFTP Configuration File, ARP-Ping, eCCL, eFCL, Enable DHCPv4 FQDN compliance with RFC 4702
    Thanks,
    John

    I do work with the LAST archived project file, which contains ALL necessary resources to edit the video.  But then if I add video clips to the project, these newly added clips are NOT in the archived project, so I archive it again.
    The more I think about it, the more I like this workflow.  One disadvantage as you said is duplicate videos and resource files.  But a couple of advantages I like are:
    1. You can revert to a previous version if there are any issues with a newer version, e.g., project corruption.
    2. You can open the archived project ANYWHERE, and all video and resource files are available.
    In terms of a larger project containing dozens of individual clips like my upcoming 2013 video highlights video of my 4  year old, I'll delete older archived projects as I go, and save maybe a couple of previous archived projects, in case I want to revert to these projects.
    If you are familiar with the lack of project management iMovie, then you will know why I am elated to be using Premiere Elements 12, and being able to manage projects at all!
    Thanks again for your help, I'm looking forward to starting my next video project.

  • ICommand utility and security best practice

    Hi All,
    I configured the ICommand configuration file "BAMICommandConfig.xml" with default username and password and restarted the BAM server. I am using the weblogic administrator user as the default ICommand user. The password is clearly displayed in the BAMICommandConfig.xml. I use ICommand to import/export reports/data objects/EMS etc.
    Is it possible to enhance the security by not displaying the password in the BAMICommandConfig.xml or some other best security practice.
    Thanks

    After configuring WLS_HOME/user_projects/domains/base_domain/config/fmwconfig/servers/bam_server1/applications/oracle-bam_11.1.1/config/BAMICommandConfig.xml with username and password.
    E.g.:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <BAMICommand>
    <ADCServerPort>9001</ADCServerPort>
    <Communication_Protocol>t3</Communication_Protocol>
    <SensorFactory>oracle.bam.common.statistics.noop.SensorFactoryImpl</SensorFactory>
    <GenericSatelliteChannelName>invm:topic/oracle.bam.messaging.systemobjectnotification</GenericSatelliteChannelName>
    <ICommand_Default_User_Name>weblogic</ICommand_Default_User_Name>
    <ICommand_Default_Password>weblogic123</ICommand_Default_Password>
    </BAMICommand>
    The first time that you execute ICommand successfully, the password in tag ICommand_Default_Password is encrypted automatically.

  • RICEF Security - best practice to develop security specs

    Good Morning All,
    We have a new ECC implementation kicked off; my question is how is RICEF security controlled? What are the standard guidelines practised in industry?
    We are encouraging process teams to start using authorization checks in custom transactions wherever necessary; the ABAP team says this is at the discretion of BP, ABAP will enforce checks if Business Process (BP) asks.
    I am not sure if BP will take that extra time to think on authorization checks for RICEFs; we, the security team, offered help to BP, saying we can help on finding appropriate auth objects for their RICEF objects.
    As we cannot really enforce this or push hard, I am trying to think what is best way to get this in place.
    What I think is for some custom tcodes, which are low risk reports there is really no need to induce 2nd level check(1st level being S_TCODE) but my concern is this should not be taken for granted.
    I would like to hear suggestions from group.
    Thank You.
    Edited by: Julius Bussche on Apr 22, 2011 5:46 PM
    Subject title made more meaningful.

    Their job is to make it work and security is very often seen as a barrier
    This is very unfortunate but often true. Security can however also offer cool solutions to spaghetti code and defunct requirements!
    As you correctly state, the reason is often lack of training, awareness and being under pressure from deadlines and complexity. I also suffer under this but have with time learnt that "right first time" is the best way.
    The ideal solution IMO would be to integrate the authority-check statement into both the external and internal license measurement.
    - A program without any authority-check is freeware because anyone can run it.
    - A program with a display auth check run by a user with display authorizations costs 1 cents each time.
    - A program with change / create checks run by a user with change / create authorizations costs 2 cents each time.
    - A program with delete checks run by a user with delete authorizations costs 5 cents each time.
    - Any program with any checks run by a user with FROM --> TO ranges in authorizations costs 20 cents each time.
    - A program with a display auth check run by a user with SAP_ALL costs 100 cents each time.
    - etc...
    This way, developers will add as many appropriate checks to their code so that it generates revenue from the application. Business process owners will try to restrict the authority-checks to only those really needed and will restrict authorizations as much as possible to exact values when testing their roles.
    Would work like a charm... but I'm sure there is a catch somewhere... 
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 24, 2011 12:07 AM
