Web Intelligence Security Best Practices

Similar Messages

• Web application security best practice?

  Hi guys,
  I am developing web app using JSF + Spring + Hibernate. I got a user backing bean which handling user login and logout session. Hence if user sign-in successfully, I will just set userLogIn=true in the userBean.java. I really don;t know if this is the best practice for handling user login session. Any security probelm here? Please advice, Thanks !
  regards,
  kmthien

  hi
  you can also find a lot of info about security handling and JSF if you search the forum.
  thanks.

• Any known security best practices to follow for FMS deployment

  Hi all,
  We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

  Hi
  I will add some concepts, I am not sure how all of them work technically but there should be enough here for you to
  dig deeper, and also alot of this is relevant to your environment and how you want to deploy it.
  I have done a 28 server deployment, 4 origin and 24 edge servers.
  All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
  We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are confortable that all your connection types are working and secure.
  Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
  You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the highjacking possibilities on your streams.
  If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
  There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
  Firewalls and DRM.
  I hope this helps you out.
  Roberto

• SAP and BOBJ XI 3.x Integrated Security Best Practice

  I am trying to find any information around SAP and BOBJ XI 3.x Integrated Security Best Practice.
  So far i think it is uninversally agred that you should :
  1. Utilise the Business Objects platform security model to secure applications, folders and reports.
  2. Use BEx queries as the data source for Business Objects Universes and keep the number BEx queries to a minimum
  3. Use SAP authorisations over the BEx queries to secure report data at a row level.
  Has anyone seen any formal SAP Best Practice document or have any info to add ?
  Andrew

  Hi,
  those three items are all correct. In terms of security you can find lots of material in the standard BW help.
  in terms of query design / universe:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/008d15dc-f76c-2b10-968a-fafe5a121129
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0320722-741c-2c10-afab-93b5c0fc7e96
  ingo

• Remoting Security: Best Practice

  I am exploring Remoting and I am curious about security best practice. By default, Enable-PSRemoting will configure an HTTP listener that listens to all addresses. Initially I thought this address was the addresses of the computer making
  the demoting request, but it isn't, it's the address on the local machine that is doing the listening. My reason for thinking this was the controller machine IP was that I thought I might want to limit successful remote requests to just the one machine. From
  a security standpoint this seemed better than letting any machine initiate a remote session. I know that the remote session is limited by the permissions of the user initiating, so any real threat is only because I have already been breached anyway. But still,
  I wonder if there is a way, and value, in limiting remoting to a subset of machines?
  Or is the default here really fine from a security standpoint as well?
  Thanks!
  Gordon

  It is most secure to configure remoting and restrict it using Group Policy.  GP will let you define subnets for both ends of the conversation network wide.
  \_(ツ)_/

• Users And Security Best Practice

  Dear Experts
  I am designing an application with almost fifty users scattered in different places. Each users should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. i have the following problems
  Is it a best practice to create 50 users in the DB i.e. 50 Schemas are going to be created? Where are these users normally created?
  or is it better for me to maintain a table of users and their passwords in my design itself and i regulate through the front end. seems that this would be risky and a cumbersome process.
  Please advice
  thanks
  Manish Sawjiani

  You would normally create a single schema to own the
  objects and 50 users to use them. You would use roles
  and object privileges to control access.Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
  The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
  Some things to consider:
  1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
  2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
  3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
  4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
  5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
  6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
  Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
  Hope that clarifies your options a bit.
  ~Dietmar.
  Message was edited by:
  Dietmar Aust
  Corrected a typo in (5): Approach B instead of approach A , sorry.
  Message was edited by:
  Dietmar Aust

• Security best practices?

  I'm not sure if this is the right group to post this questions but...
  Our current architecture consists of seperate web server (iPlanet) and java server
  (WLS 5.1). Each server is in a seperate DMZ with a secure network containing our
  DB. The webserver only has ports 80 and 443 available from the outside and only
  the WLS ports to the WLS. The WLS only in the only one that can talk to our DB.
  Our developers are working on a new design with Weblogic 6.1. They have been planning
  on keeping it on 1 server (using weblogic web services). We feel this is a security
  risk to have a server in the outside DMZ talking to a DB server inside our network.
  Does anyone know where I can find a white paper on best practices for security?
  Should we keep it as 2 servers or combine them into 1 server?
  Thank you for your time!
  Brett

  Hi.
  You might have better luck posting this question on the security newsgroup -
  weblogic.developer.interest.security.
  Regards,
  Michael
  BJones wrote:
  I'm not sure if this is the right group to post this questions but...
  Our current architecture consists of seperate web server (iPlanet) and java server
  (WLS 5.1). Each server is in a seperate DMZ with a secure network containing our
  DB. The webserver only has ports 80 and 443 available from the outside and only
  the WLS ports to the WLS. The WLS only in the only one that can talk to our DB.
  Our developers are working on a new design with Weblogic 6.1. They have been planning
  on keeping it on 1 server (using weblogic web services). We feel this is a security
  risk to have a server in the outside DMZ talking to a DB server inside our network.
  Does anyone know where I can find a white paper on best practices for security?
  Should we keep it as 2 servers or combine them into 1 server?
  Thank you for your time!
  Brett--
  Michael Young
  Developer Relations Engineer
  BEA Support

• Jdev101304 SU5 - ADF Faces - Web app deployment best practice|configuration

  Hi Everybody:
  1.- We have several web applications that provides a service/product used for public administration purposes.
  2.- the apps are using adf faces adf bc.
  2.- All of the apps are participating on javaSSO.
  3.- The web apps are deployed in ondemand servers.
  4.- We have notice, that with the increase of users on this dates, the sessions created by the middle tier in the database, are staying inactive but never destroyed or removed.
  5.- Even when we only sing into the apps using javasso an perform no transacctions (like inserting or deleting something), we query the v$sesisons in the database, and the number of inactive sessions is always increasing, until the server colapse.
  So, we want to know, if this is an issue of the configurations made on the Application Module's properties. And we want to know if there are some "best practices" that you could provide us to configure a web application and avoid this behavior.
  The only configurations that we found recomended for web apps is set the jbo.locking.mode to optimistic, but this doesn't correct the "increasing inactive sessions" problem.
  Please help us to get some documentation or another resource to correct configure our apps.
  Thnks in advance.
  Edited by: alopez on Jan 8, 2009 12:27 PM

  hi alopez
  Maybe this can help, "Understanding Application Module Pooling Concepts and Configuration Parameters"
  see http://www.oracle.com/technology/products/jdev/tips/muench/ampooling/index.html
  success
  Jan Vervecken

• SAP Business One 2007 - SQL Security best practice

  I have a client with a large user base running SAP Business One 2007. 
  We are concerned over the use of the sql sa user and the ability to change the password of this ID from the logon of SAP Business One.
  We therefore want to move to use Windows Authentication (ie Trusted Connection) from the SAP BO logon.  It appears however that this can only work by granting the window IDs (of the SAP users) sysadmin access in SQL.
  Does anyone have a better method of securing SAP Business One or is there a recommended best practice.  Any help would be appreciated.
  Damian

  See Administrators Guide for best practise.
  U can use SQL Authentication mode Don't tick Remember password.
  Also check this thread
  SQL Authentication Mode
  Edited by: Jeyakanthan A on Aug 28, 2009 3:57 PM

• SAP HANA Security - Best Practice for Access to Schemas??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  Hi,
  I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
  How does bpel know where to look for the xsd-files and how does the mapping still work?
  This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
  Thanks for any clue.
  Bette

• Workflow & Web Dynpro integration - best practice?

  Hi,
  I am working on ECC6 and EP7 and looking at building some workflow approval scenarios for Travel Management.  I need to move away from the SAP supplied approval scenarios to meet our business requirements.
  What I'm looking for is a 'best practice' for integrating a Web Dynpro application (for ABAP) which will be the basis of our approval workitem.  I have seen a number of presentations which talk about integrating the user decision task (BOR object DECISION) into a web dynpro application.  I have also seen an approach where the FM WDY_EXECUTE_IN_PLACE is used to call a Web Dynpro application from within a BOR object method. 
  I guess I'm wondering if there is an approach that provides a cleaner integration then either of the above approaches as they both appear (well to me anyway!) to have limitations.  Is there a way for example of implementing an ABAP class method as the basis of the approval task that cleanly integrates with the Web Dynpro application?
  Any suggestions would be greatly appreciated.
  Thanks in advance
  Michael Arter

  Hello,
  Are you going to use the Universal worklist in your portal? If yes, that will bring you more possibilitites. Then you don't have to code anything into your business object - instead in portal (UWL configuration) you can define what which WD application is launched when the user clicks the task in UWL.
  If you are going to use business workplace and just launch WD applications from there, then you probably just need to use WDY_EXECUTE_IN_PLACE (or any other suitable way to launch WD application from ABAP).
  >Is there a way for example of implementing an ABAP class method as the basis of the approval task that cleanly integrates with the Web Dynpro application?
  Yes, but what is really the need for this? Did you know that you can replace the methods of your BO as methods of an ABAP class? Just implement the IF_WORKFLOW interface for your class, and you can use it in your workflow then just like the BO. If you want to "replace" the whole BO with your ABAP class, just take a look to Jocelyn Dart's blog series about the subject. But as I said, it is not really necessary to do this - especially if you already have lot of custom code in your custom business object - then it is probably a good idea to continue using it for your custom stuff.
  Regards,
  Karri

• Looking for Security Best Practices documentation for Sybase ASE 15.x

  Hello, I'm looking for SAP/Sybase best practice documentation speaking to security configurations for Sybase ASE 15.x. Something similar to this:
  Sybase ASE 15 Best Practices: Query Processing & Optimization White Paper-Technical: Database Management - Syba…
  Thanks!

  Hi David,
  This is something I found on the Sybase site:
  Database Encryption Design Considerations and Best Practices for ASE 15
  http://www.sybase.com/files/White_Papers/ASE-Database-Encryption-3pSS-011209-wp.pdf
  ASE Encryption Best Pracites:
  http://www.sybase.com/files/Product_Overviews/ASE-Encryption-Best-Practices-11042008.pdf
  If these do not help, you can search for others at:
  www.sybase.com > serach box on the top right.
  I searched "best pracitces security"
  Can also run advanced search > I typed in "ssl" into exact phrase.
  Hope this helps,
  Ryan

• HANA Security - Best Practices for Schema??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  >So, if we follow this approach, who should be creating the schema as design time?
  Not sure what you mean by that.  We call this design time because you are creating an artifact in the repository and the catalog object doesn't get created until you activate that design time object.
  > Security Administrator or Developer/Modeler?
  Doesn't really matter. Depends upon your process. However I would say most of the time the developer creates the schema.  The developer doesn't immediately get access to the new schema.  He/She must create a role and that role has to be granted to them before they can see the objects in the new schema.
  >Also, for our current scenario, where developers are doing changes in their own schema, what should be done as a Security Administrator to assign access to a user schema to other developers?
  They shouldn't be creating objects in their user schema.  That user schema is for internal usage - like the creation of temporary objects. It shouldn't be used for any development.

• What are Printing Security Best Practices for Advanced Features

  In the Networking > Advanced "Enabled Features" what are the best practices settings for security. Trying to find out what all of these are.  Can't find them in the documentation. Particularly eCCL & eFCL?
  Enabled Features
  IPv4 IPv6 DHCP DHCPv6 BOOTP AUTOIP LPD Printing 9100 Printing LPD Banner Page Printing Bonjour AirPrint LLMNR IPP Printing IPPS Printing FTP Printing WS-Discovery WS-Print SLP Telnet configuration TFTP Configuration File ARP-Ping eCCL eFCLEnable DHCPv4 FQDN compliance with RFC 4702
  Thanks,
  John

  I do work with the LAST archived project file, which contains ALL necessary resources to edit the video.  But then if I add video clips to the project, these newly added clips are NOT in the archived project, so I archive it again.
  The more I think about it, the more I like this workflow.  One disadvantage as you said is duplicate videos and resource files.  But a couple of advantages I like are:
  1. You can revert to a previous version if there are any issues with a newer version, e.g., project corruption.
  2. You can open the archived project ANYWHERE, and all video and resource files are available.
  In terms of a larger project containing dozens of individual clips like my upcoming 2013 video highlights video of my 4  year old, I'll delete older archived projects as I go, and save maybe a couple of previous archived projects, in case I want to revert to these projects.
  If you are familiar with the lack of project management iMovie, then you will know why I am elated to be using Premiere Elements 12, and being able to manage projects at all!
  Thanks again for your help, I'm looking forward to starting my next video project.

• ICommand utility and security best practice

  Hi All,
  I configured the Icommand configuration fle "BAMICommandConfig.xml" with default username and password and restarted the BAM server. I am using the weblogic administrator user as the default ICommand user. The password is clearly displayed in the BAMICommandConfig.xml. I use Icommand to import/export reports/data objects/EMS etc.
  Is it possible to enhance the security by not displaying the password in the BAMICommandConfig.xml or some other best security practice.
  Thanks

  After configurating WLS_HOME/user_projects/domains/base_domain/config/fmwconfig/servers/bam_server1/applications/oracle-bam_11.1.1/config/BAMICommandConfig.xml with username and password.
  E.g.:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <BAMICommand>
  <ADCServerPort>9001</ADCServerPort>
  <Communication_Protocol>t3</Communication_Protocol>
  <SensorFactory>oracle.bam.common.statistics.noop.SensorFactoryImpl</SensorFactory>
  <GenericSatelliteChannelName>invm:topic/oracle.bam.messaging.systemobjectnotification</GenericSatelliteChannelName>
  <ICommand_Default_User_Name>weblogic</ICommand_Default_User_Name>
  <ICommand_Default_Password>weblogic123</ICommand_Default_Password>
  </BAMICommand>
  The first time that the you execute ICommand sucessfully, the password in tag ICommand_Default_Password is encrypted automatically.