
Security Best Practices

Version 15
COPYRIGHT
Information in this document is subject to change without notice. The OnBase® Information
Management System software (the "Software") described in this document is furnished only under a
separate license agreement and may be used or copied only according to the terms of such
agreement. It is against the law to copy the Software except as specifically allowed in the license
agreement. This document or accompanying materials contains certain information which is
confidential information of Hyland Software, Inc. and which is subject to the confidentiality provisions
agreed to by you.
All data, names, and formats used in this document’s examples are fictitious unless noted otherwise.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright law, no part of this document may be reproduced, stored in or introduced into
a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Hyland Software, Inc.
© 2015 Hyland Software, Inc. All rights reserved.
Depending on the modules licensed, the OnBase® Information Management System software may
include software developed and copyrighted by third parties, including but not limited to the
following:
A2iA CheckReader™ by A2iA Corp;
Adobe ® PDF Library™ by Adobe Systems Incorporated;
dtSearch ® Text Retrieval Engine by dtSearch Corp.;
software or other content adapted from Smart Client – Composite UI Application Block by Microsoft
Corporation © 2005 Microsoft Corporation;
software or other content adapted from Microsoft patterns & practices ObjectBuilder © 2006 Microsoft
Corporation;
Nuance™ OCR © 1994-2012 Nuance Communications;
portions of imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL;
Imaging Technology copyrighted by Snowbound Software Corporation, Snowbound.com;
CD-R technology by Sonic Solutions, Inc.;
full-text indexing technology by Autonomy;
IDSMail © 2005 by Intuitive Data Solutions;
jLex Copyright 1996-2003 by Elliot Joel Berk and C. Scott Ananian;
Rumba by NetManage;
AutoVue by Oracle America, Inc.
All rights reserved.
Further information regarding third-party software included in the OnBase Information Management
System software can be found in the About box within the Software.
Hyland Software ®, OnBase®, Application Enabler, and Where Your Information Finds You are
registered or unregistered trademarks of Hyland Software, Inc. A2iA CheckReader™ is a trademark of
A2iA Corporation. Adobe ® PDF Library™ is a trademark of Adobe Systems Incorporated.
All other trademarks, service marks, trade names and products of other companies are the property
of their respective owners.
Document Name: Security Best Practices
Department/Group: Documentation
Revision Number: 15

USING THIS MODULE REFERENCE GUIDE (PDF)

In the following module reference guide (MRG), we provide a great deal of information. If
you are unfamiliar with our MRGs, take a few moments to review the content below so you
can more quickly and efficiently locate the information you need.

Note: The content in this MRG is considered module-specific. Therefore, you may be
referred to another MRG if a referenced function is not specific to this module.

What is in the MRG?


The MRG is a PDF document containing all available instructions for a module. It includes
the following chapters, which contain task-oriented sections:
• Exposure - Provides introductory information and license requirements.
• Usage - Provides instructions on user-facing functionality.
• Configuration - Provides instructions on administrative tasks and functions.
• Installation - Provides instructions on installation procedures and information on
system requirements.

Tip: It is considered a best practice to read through an entire stepped process before
attempting to complete any of its steps. Pay close attention to notes, tips, and cautions,
which can help you better understand the entire process and discover any prerequisites you
may not have completed.

How to Navigate the MRG


When using the MRG, consider the following:
• You can jump to any chapter or section contained in the MRG by clicking its entry
in the Table of Contents.
• The title bars of dialog boxes and the names of options in the software are
displayed as bold text in the documentation. If you are searching for information
on a named option or dialog box, search for that text in the documentation.
The following search instructions pertain to viewing an MRG in Adobe Reader or Adobe
Acrobat. Some of the information may not apply to other PDF readers.
Basic search: Press Ctrl + F. Enter the word or phrase you are looking for in the search box
and press Enter to locate each instance.
Advanced search: Press Ctrl + Shift + F. From the Search dialog box, enter the word or
phrase you are looking for and select one of the following options:
• In the current document - Searches the document you are viewing.
• All PDF Documents in - Searches a selected folder or directory. If you are unsure of
which MRG to search, try searching the folder your MRGs are located in to display
all results for the word or phrase.

Advanced search results are displayed in a list, along with some context (e.g., page
numbers and some of the text surrounding each instance).
Cross-references: Cross-references are links to related information or additional instructions
you may need to complete a task. Though they appear the same as normal text, they jump
to referenced sections when clicked. A page or step number typically indicates a cross-
reference.
Example of a cross-reference: What is in the MRG? on page v.

Tip: To return to the page you were viewing before following a cross-reference, press Alt +
Left Arrow until the desired page is displayed.

Security Best Practices Table of Contents

USING THIS MODULE REFERENCE GUIDE (PDF)


What is in the MRG?......................................................................................... v
How to Navigate the MRG ................................................................................ v

EXPOSURE
Overview .........................................................................................................1

SECURITY BEST PRACTICES


OnBase Upgrades ............................................................................................3
Database .........................................................................................................3
ODBC Configuration .................................................................................................. 4
Disable Workstation Account Creation.......................................................................... 4
Disk Groups .....................................................................................................4
Distributed Disk Services ........................................................................................... 4
Encrypted Disk Groups .............................................................................................. 5
Client Settings .................................................................................................5
Default User Accounts ............................................................................................... 5
Best Security Practices ........................................................................................ 6
Deleting Obsolete User Accounts................................................................................. 6
Password Controls .................................................................................................... 6
Resetting All User Passwords ................................................................................ 7
User Group Rights .................................................................................................... 7
Keywords ................................................................................................................ 8
Configuring Keyword Types .................................................................................. 8
Assigning Keyword Types to Documents ................................................................ 8
Security Keywords .............................................................................................. 8
Encrypted Alpha Keywords ................................................................................... 9
Implementing Read-Only Keywords with E-Forms ......................................................... 9
DocPop ................................................................................................................... 9
Checksums ...................................................................................................... 10
Integrations ..................................................................................................11
Full-Text Indexing Server for Autonomy IDOL............................................................. 11
Single Sign-On ....................................................................................................... 11
Directory Authentication .......................................................................................... 11
Running the OnBase Client as a Windows Service........................................................ 12
Encrypting the Distribution Service Account Credentials ............................................... 12
Command Line Switches .......................................................................................... 13

EXPOSURE

Overview
The following document outlines the Hyland Software best practices for securing OnBase
environments. As each OnBase environment is unique, any changes should be
thoroughly tested in a non-production environment prior to full implementation so the
impact on business processes can be determined.
Due to the complexity of OnBase, this document does not represent an exhaustive list of
every possible security configuration and should not be treated as such. Instead, this
text serves as a guide to the current best practices for securing the OnBase database,
disk groups, integrations, and its client features. Implementing the guidelines found in
this document will dramatically increase the security of an OnBase implementation and
help prevent unauthorized intrusion and data loss.

SECURITY BEST PRACTICES

The following best practice recommendations have been assembled by a team of OnBase
subject matter experts. They represent the accumulation of years of experience
installing and configuring OnBase solutions.
The following recommendations are general in nature, and are applicable to most
OnBase solutions and network environments. Depending on your solution design and
your organization’s needs, not all of the best practice recommendations listed below may
apply to, or be recommended for, your OnBase solution.
Carefully consider the impact of making any changes, including those listed below, to
your OnBase solution prior to implementing them in a production environment.

OnBase Upgrades
Due to rapidly changing technological environments, Hyland Software strongly
recommends that its customers upgrade to the latest version of the software at least
once every year.
Technological changes in customer environments can lead to situations where older
versions of the product may be rendered inoperable and Hyland Software may be unable
to provide relief or suggestions to address issues that customers may face.
In addition, Hyland Software routinely addresses security, scalability, and other types of
fixes that are important to OnBase users in its ongoing development efforts.

Database
When the OnBase database is configured, several database logins (HSI, HSINET, etc.)
are created with default passwords. These passwords are also hard coded into the
software.
If your organization has a security requirement to change these default passwords,
Hyland Software provides the ability to do so. However, this change is not trivial, and it
is recommended to execute this change in a test environment before trying it in a
production environment.
Changing the database password requires adding a license to your system, adding a
command line switch to OnBase Configuration, locking the OnBase database, and
updating executables for your OnBase environment. This is not a difficult procedure, but
it is multistep and will require redeploying your OnBase client executables and/or
upgrading .dlls in your Application Server. Please see the Changing Database User Name
Passwords section of the System Administration MRG for more detailed instructions, and
engage your first line of support with any questions before executing this procedure.


ODBC Configuration
When configuring an ODBC source for OnBase, the VIEWER account should be used to
test connectivity to the database; the HSI user is not required or recommended.
Additionally, it is recommended to select the Use Strong Encryption for Data option in
order to ensure that data is protected while it is in transit between the OnBase database
and the Application Server or OnBase Client.
Disable Workstation Account Creation


The Disable workstation account creation option should be enabled in Global Client Settings.
When this option is selected, the hsi user will not be able to create workstation accounts.
Instead, the hsi account itself will be used to log in to the database.

When this option is enabled, the hsi user no longer requires the following rights:

Database Platform: Microsoft SQL Server
Privilege: The Security Admin role is not required.

Database Platform: Oracle
Privilege: The create user and alter user permissions are not required.
Note: These permissions are still required during the initial database creation, and can
only be removed after the Disable workstation account creation option is enabled.

Database Platform: Sybase SQL Anywhere
Privilege: The USER ADMIN permission is not required.
Note: These permissions are still required during the initial database creation, and can
only be removed after the Disable workstation account creation option is enabled.

Disk Groups
Distributed Disk Services
While standard file system access to the OnBase Disk Groups is secure, DDS provides an
additional layer of security:
• A secure port employs a single access point for OnBase file retrieval.
• DDS file servers can be kept behind a firewall. The firewall only needs access to
a secure port, avoiding UNC traffic.
• To protect documents from being intercepted in a data stream, the full contents
of the data stream are encrypted.
• Users cannot browse files using Windows Explorer.

Note: DDS requires unrestricted bidirectional network access for User Datagram Protocol
(UDP) and Transmission Control Protocol (TCP) between the client and server on the
specified port.

For more information on configuring DDS, see the Distributed Disk Services module
reference guide.

Encrypted Disk Groups
The Encrypted Disk Groups module adds an additional layer of security to your OnBase
solution that can be used separately or in conjunction with the other security practices
employed by your organization. With Encrypted Disk Groups, the documents and images
are encrypted using 128 bit or 256 bit AES (Advanced Encryption Standard) encryption
at the storage level, protecting the data even in the event of unauthorized access to the
drives. Documents that are archived in an Encrypted Disk Group can only be opened and
viewed using the OnBase interface, ensuring that the security controls imposed by
OnBase are respected at all times.

You can rotate, or change, the second piece of the Key-Encrypting Key (KEK) as a security
measure against outside forces (e.g., separated employees, social engineering). The concept
is similar to changing a password. When you rotate the KEK, OnBase changes the piece that
is stored in the OnBase software, generates new Client and Configuration executables, and
creates a new copy of Hyland.Core.GrabIcon.dll. These files contain the new KEK piece.

The KEK can be rotated using the OnBase Configuration module. For more information
on configuring Encrypted Disk Groups, see the Platter Management module reference
guide.

Client Settings

Default User Accounts


By default, OnBase comes with two user accounts that are more privileged than any
other created accounts: the MANAGER and ADMINISTRATOR accounts. OnBase gives
these accounts full functionality in the Configuration module. The functionality that
belongs to these accounts is outlined below:
• Access to all menu options in the Configuration module, irrespective of
Configuration Rights
• Ability to view all users in OnBase, regardless of whether the account is
assigned to the appropriate user group
• Ability to view and configure all users and user groups in OnBase
• Ability to view all Document Types, including those not assigned to a user group
• Ability to view all Folder Types, including those not assigned to a user group
• In an Institutional Database, these accounts are designated as Institutional
Super Users. This privilege cannot be removed.


Best Security Practices


These are the best practices for securing these accounts:
• Change the default passwords on both accounts.
• Do not delete the accounts. Rename them, if desired.
• Only authorize a limited set of trusted users to use these accounts. These users
should be trained in using the accounts responsibly, as well as safeguarding
them.
• Do not use these accounts when testing a solution or troubleshooting a
situation. These accounts may not reflect the constraints of a user-created
account.
• Monitor logs for unexpected use of these accounts.
• Whenever possible, lock or disable these accounts to prevent misuse.
For more information on configuring user accounts, see the System Administration
module reference guide.

Deleting Obsolete User Accounts


You should regularly view the User Metrics dialog box in the Configuration module and
delete any user accounts that are no longer required (for example, accounts for users
that have left the organization). For more information on deleting users, see the System
Administration module reference guide.

Password Controls
With each OnBase installation, two pre-defined password policies are created by default
to establish good security practices. The High Security policy is created as the
recommended level of security, and the Medium Security policy is applied as the default
password policy if no default password policy is defined for your system. These policies
cannot be modified or deleted.

Note: When upgrading to OnBase 15, if the system password policies are not found in the
database upon launching the Configuration module, the policies are created.

The Medium Security policy enforces the following rules:
• No more than 2 characters can be repeated consecutively
• Passwords must be a minimum length of 8 characters
• Passwords expire the first time users log on
• Accounts are locked after 5 failed attempts to log on
• Locks on accounts with too many failed attempts to log on are released after 15
minutes
• Accounts are locked after they are idle for 180 days

The High Security policy enforces the following rules:
• User names cannot be embedded in passwords
• Passwords must be a minimum length of 15 characters
• Passwords cannot be reused within 5 password changes
• Passwords cannot be changed more than once within 24 hours
• Passwords expire every 180 days
• Passwords expire the first time users log on
• Accounts are locked after 5 failed attempts to log on
• Administrators must manually release locks on accounts with too many failed
attempts to log on
• Accounts are locked after they are idle for 60 days

Although it is unenforceable at the system level, there is no more effective policy than to
require a Unicode (e.g. ♞, ★) character as part of your users’ passwords. Adding one of
these characters has been shown to all but defeat every known password cracking
mechanism. Due to user unfriendliness, this is only recommended to be used in super-high
security environments.

Note: This tactic is only effective if the entire OnBase database has been configured for
Unicode.

For more information on configuring password policies, see the System Administration
module reference guide.
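To make the two built-in policies concrete, the following checker applies the Medium Security and High Security rules listed above to a candidate password. It is an added example, not Hyland's code: the thresholds come from this page, while the data model, function names, and the reading of "reused within 5 password changes" as "matches one of the user's last five passwords" are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """One password policy; thresholds are those listed for the built-in policies."""
    name: str
    min_length: int
    max_consecutive_repeat: Optional[int] = None     # Medium: no more than 2 repeated in a row
    forbid_username: bool = False                    # High: user name cannot be embedded
    history_depth: int = 0                           # High: no reuse within 5 changes
    min_change_interval: Optional[timedelta] = None  # High: at most one change per 24 hours
    max_age: Optional[timedelta] = None              # High: passwords expire every 180 days


MEDIUM_SECURITY = PasswordPolicy("Medium Security", min_length=8, max_consecutive_repeat=2)
HIGH_SECURITY = PasswordPolicy("High Security", min_length=15, forbid_username=True,
                               history_depth=5, min_change_interval=timedelta(hours=24),
                               max_age=timedelta(days=180))


@dataclass
class UserRecord:
    """Constructed user state (an assumption). `previous` lists earlier passwords, most
    recent first; a real system stores hashes, plaintext is used here only so the rule
    logic stays readable.  last_changed=None means the user has never set a password."""
    username: str
    previous: List[str] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def longest_run(text: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(policy: PasswordPolicy, user: UserRecord, candidate: str,
                   now: datetime) -> List[str]:
    """Return the rules the candidate violates; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if (policy.max_consecutive_repeat is not None
            and longest_run(candidate) > policy.max_consecutive_repeat):
        problems.append("repeated characters")
    if policy.forbid_username and user.username.lower() in candidate.lower():
        problems.append("contains user name")
    if policy.history_depth and candidate in user.previous[:policy.history_depth]:
        problems.append("reused")
    if (policy.min_change_interval is not None and user.last_changed is not None
            and now - user.last_changed < policy.min_change_interval):
        problems.append("changed too recently")
    return problems


def must_change_password(policy: PasswordPolicy, user: UserRecord, now: datetime) -> bool:
    """True on first logon (both policies) or once the password has aged out (High)."""
    if user.last_changed is None:
        return True
    return policy.max_age is not None and now - user.last_changed >= policy.max_age
```

Lockout handling (5 failed attempts, 15-minute release versus manual release) is left out because it depends on the authentication server's state rather than on the password string.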

Resetting All User Passwords


In some instances, it may be necessary to reset all user passwords, forcing users to
create new login passwords the next time they attempt to log in. For example, you may
decide to reset all user passwords if you change a password policy and would like the
policy to be immediately enforced. Also, it may be crucial to reset user passwords, for
instance, if there is a breach in system security. To reset all user passwords, you must use
the -ROMANZO switch.
For more information on resetting passwords, see the System Administration module
reference guide.

User Group Rights


To increase security within an OnBase environment, it is vital to apply the principle of
least privilege when assigning various rights and privileges to user groups. The concept
of least privilege refers to a policy of only providing access to the rights, privileges, and
parts of the system that are absolutely essential for users to complete their daily tasks.
Due to the complexity of many OnBase environments, privilege creep is a regular
occurrence. Users are often assigned additional rights for a specific circumstance, but
those rights are never revoked. For this reason, you should perform a full audit of user
and user group rights at least once every six months. It is important to remember that
OnBase user privileges are cumulative, meaning that a user’s effective permissions are
the combination of privileges available for each user group to which that user belongs.
For more information on configuring user group rights, see the System Administration
module reference guide.


Keywords
Configuring Keyword Types
When configuring settings for Keyword Types, the following features can be applied in
the Keyword Type Settings dialog box for additional security:
• Invisible - This option ensures that this Keyword Type is only displayed while
indexing and as part of Auto-Name strings.
• Not For Retrieval - This option ensures that the Keyword Type is unavailable for
Document Retrieval.
For more information about these options, see the System Administration module
reference guide.

Assigning Keyword Types to Documents


When assigning Keyword Types to Document Types in the Keyword Type Selection dialog
box, additional Keyword options can be applied by clicking Options. The following options
can be configured for additional security:
• HID - When this check box is selected, the Keyword Type will be hidden unless
the user has the Access Restricted Keywords privilege.
• RO - When this check box is selected, the Keyword Type will be read-only unless
the user has the Access Restricted Keywords privilege.

For more information about these options, see the System Administration module
reference guide.

Security Keywords
Security Keywords restrict a user’s ability to view documents based on document
Keyword Values.

Caution: SQL Custom Queries do not respect Security Keywords in the OnBase Client. Users
that execute SQL Custom Queries may be able to access documents they should not be
allowed to access.

This does not apply to the OnBase Core (for example, the Web or Unity Client). The OnBase
Core respects Security Keywords when executing SQL Custom Queries.

Note: Security Keywords do not restrict document viewing rights in Workflow. Instead,
the configuration of the work queue determines access to documents.

Currency, Date, and Floating Point Keyword Types cannot be configured as Security
Keywords.

Note: OnBase does not support the use of wildcards in numeric Keyword Types. Instead,
change the Keyword Type to be an alphanumeric Keyword Type that has a numeric
mask, or duplicate the data in an alphanumeric Keyword Type.


Security Keyword restrictions on documents can be implemented in two ways:
• Equal - limits viewing to documents that contain the specified value only.
• Not Equal - limits viewing to all documents except those with the specified
value. Documents with null values for a Not Equal Security Keyword Type are
returned for viewing unless the Perform security keyword checking during
database query option is selected in Database Settings.
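The null-value behaviour of Not Equal is easy to overlook, so here is a small filter that models both operators over a constructed document set. This is an added example, not OnBase code: the document structure, the single-restriction interface, and the `check_during_query` flag standing in for the Database Settings option are all assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample: Keyword Values per document; a missing key means the
# Keyword Type was never assigned to that document (a null value).
DOCUMENTS: Dict[str, Dict[str, str]] = {
    "doc-1": {"Department": "HR"},
    "doc-2": {"Department": "Finance"},
    "doc-3": {},   # Department Keyword never assigned (null)
}


def document_visible(keywords: Dict[str, str], keyword_type: str, operator: str,
                     value: str, check_during_query: bool = False) -> bool:
    """Apply one Security Keyword restriction to one document's Keyword Values."""
    actual: Optional[str] = keywords.get(keyword_type)
    if operator == "Equal":
        # Only documents carrying exactly the specified value are viewable.
        return actual == value
    if operator == "Not Equal":
        if actual is None:
            # Page behaviour: a null value passes a Not Equal check unless the
            # "Perform security keyword checking during database query" option is on.
            return not check_during_query
        return actual != value
    raise ValueError(f"unknown Security Keyword operator: {operator}")


def visible_documents(documents: Dict[str, Dict[str, str]], keyword_type: str,
                      operator: str, value: str, check_during_query: bool = False) -> List[str]:
    """Document ids a user restricted by (keyword_type, operator, value) may view."""
    return sorted(doc_id for doc_id, kw in documents.items()
                  if document_visible(kw, keyword_type, operator, value, check_during_query))
```

Note that doc-3, which has no Department Keyword at all, is returned by the Not Equal rule until the database-query option is enabled; that is the gap an administrator should test for when relying on Not Equal restrictions.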

For more information on Security Keywords, see the System Administration module
reference guide.

Encrypted Alpha Keywords


The Encrypted Alpha Keywords module uses 128 bit and 256 bit AES (Advanced
Encryption Standard) encryption to encrypt Alphanumeric Keyword Types stored in
OnBase. Encrypted Alphanumeric Keyword Types can be masked when they are shown to
OnBase users, which provides an additional level of security. A User Group privilege
grants access to view encrypted Keyword Values without the security mask.

Note: Some regulations, such as HIPAA or PCI-DSS, may require that PII (Personally
Identifiable Information) be encrypted.

The encryption keys themselves are encrypted with a Key-Encrypting Key (KEK) and
stored in the database. Rotating the KEKs is fully supported in cases of critical business
need, but it is important to note that if the KEKs are rotated, the administrator should store
the Formatted KEK in a secure location along with a copy of all executables and DLLs
that will be generated after the rotation process.
For more information, see the Encrypted Alpha Keywords module reference guide.

Implementing Read-Only Keywords with E-Forms


Keywords can be made read-only on E-Forms in two ways. The first method is to
hard-code the read-only attribute into the HTML code of the form. After this change, the
affected fields can no longer be modified.
The second method is to configure Keywords assigned to the E-Form’s Document Type as
read-only. This will prevent users from entering or modifying the data in the Keyword
Panel, but not in the E-Form Keyword fields themselves. If a user attempts to edit a
Keyword field directly on the E-Form, an error is displayed and the form will not be
created.
See Assigning Keyword Types to Documents on page 8 for more information on how to
configure Keywords as read-only for a Document Type.

DocPop

Note: The HTTP logon method should not be used in production environments because it
passes the user name and password in clear text on the query string.


1. When using the default login method, secure the user account specified in the
Web Server's Web.config file.
DocPop, PDFPop, and FolderPop are only as secure as this user's rights. Configure
this user account to have the least privileges required to accomplish a task. For
example, if users only need to view documents through DocPop, then only the
Retrieve/View privilege is needed.
Do not grant the user account additional rights, such as Workflow or re-indexing
privileges, unless it is absolutely necessary. Grant rights only to Document Types
that anyone in your network should be able to access.
2. Use the interactive login method to provide another layer of security. When an
autologin method is used, any user who can access the workstation also could
have access to OnBase documents through DocPop.
3. If DocPop will be accessed from a shared workstation, but only some of the
workstation's users should be able to access OnBase documents using DocPop,
then use the interactive login method.
For example, when DocPop is accessed from a scanning workstation, the
interactive login method will ensure that only users who have sufficient rights can
log on.

For more information on DocPop, see the DocPop module reference guide.

Checksums
Checksums ensure that only URLs generated by the system are used. Checksums can
prevent users from retrieving documents other than the ones that the DocPop URL was
intended to retrieve.

1. Use checksums when you want to ensure that only URLs generated by the system
are used. When a user attempts to retrieve a document, DocPop compares the
checksum in the URL query string to the expected checksum. If the values match,
the document is displayed. If the values do not match, the user is presented with
an error.
2. Use checksums when integrating DocPop with another application. For example, if
an application creates a DocPop URL that retrieves documents by account
number, the user could modify the account number in the URL to retrieve
documents for another account. A checksum would prevent the user from
accessing other documents by modifying the URL.
3. Checksums do not prevent other users from using a URL, nor do they cause URLs
to expire. To limit access to DocPop, choose the appropriate logon method.

Note: Remember to apply the principle of least privilege when choosing a logon method.
The concept of least privilege refers to a policy of only providing access to the rights,
privileges, and parts of the system that are absolutely essential for users to complete
their daily tasks.

For more information on configuring checksums, see the DocPop module reference guide.
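The check described above, reduced to its essentials: the server emits a DocPop-style URL whose query string carries a checksum over the other parameters, and on retrieval it recomputes the checksum and compares. This is an added example and not Hyland's implementation; the page does not state how OnBase derives its checksum, so a keyed HMAC-SHA256 over the sorted query parameters, the `checksum` parameter name, the secret, and the base URL are all assumptions.

```python
import hashlib
import hmac
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed to exist only on the Web Server; constructed value for the example.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
CHECKSUM_PARAM = "checksum"


def _canonical_query(params: Dict[str, str]) -> str:
    """Stable encoding of every parameter the checksum covers (all but the checksum)."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != CHECKSUM_PARAM))


def compute_checksum(params: Dict[str, str], secret: bytes = SERVER_SECRET) -> str:
    """Keyed hash over the canonical query; without the secret it cannot be recomputed."""
    return hmac.new(secret, _canonical_query(params).encode(), hashlib.sha256).hexdigest()


def build_docpop_url(base: str, params: Dict[str, str], secret: bytes = SERVER_SECRET) -> str:
    """What the generating application does: append the checksum to the retrieval URL."""
    signed = dict(params)
    signed[CHECKSUM_PARAM] = compute_checksum(params, secret)
    return f"{base}?{urlencode(signed)}"


def verify_docpop_url(url: str, secret: bytes = SERVER_SECRET) -> bool:
    """What the server does on retrieval: recompute and compare before showing anything."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    presented = params.pop(CHECKSUM_PARAM, None)
    if presented is None:
        return False                       # no checksum at all: treat as not system-generated
    expected = compute_checksum(params, secret)
    return hmac.compare_digest(presented, expected)   # constant-time comparison


def with_parameter_changed(url: str, key: str, new_value: str) -> str:
    """Model the scenario on the page: one query parameter edited, checksum left as-is."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    query[key] = new_value
    return urlunsplit(parts._replace(query=urlencode(query)))
```

As the page's third point says, a valid URL verifies again no matter who presents it or when; the checksum binds the parameters to each other, not to a user or a time, so the logon method still decides who may use it.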


Integrations
Full-Text Indexing Server for Autonomy IDOL
When installing the Full-Text Indexing Service and Data Capture components of the
Autonomy IDOL solution, an OnBase Service Account must be supplied to allow these
components to run as services. You may also associate a Windows account to these
services, which should be configured with only the permissions necessary for installing
and running them.
The Full-Text Indexing Service for Autonomy IDOL communicates with the database
through the Application Server using an OnBase Service Account. This service account
should be dedicated only to this task and have a strong password.
In order to authenticate connections from remote systems, Autonomy IDOL utilizes the
server settings established in the AutonomyIDOLServer.cfg configuration file. The
settings for QueryClients, AdminClients, and IndexClients can be used to restrict whether
remote systems have access to querying, administrative, and indexing functionalities.
Single or multiple IP addresses can be specified in this configuration file. This allows only
explicitly identified systems to connect to Autonomy IDOL.
For more information on the Full-Text Indexing Server for Autonomy IDOL, see the
Full-Text Indexing Server for Autonomy IDOL module reference guide.

Single Sign-On
Single Sign-On is third-party software that authenticates users to multiple services
without requiring the user to log in multiple times. It is most effective when users need
to authenticate to multiple services over a WAN, but it is also useful on complex LANs
where users must authenticate to multiple, disparate services. Many customers use single
sign-on technology to streamline their business processes. OnBase's Integration for Single
Sign-On module allows OnBase to integrate with most single sign-on vendors so that a
user is automatically logged in to OnBase as part of a single sign-on solution.

The Integration for Single Sign-On module consists of two parts. One part is coded to
submit login information to OnBase in the way that OnBase expects to receive it. The
other part is the custom provider, which integrates with the single sign-on vendor’s
software. This portion of the software is coded to take input from a single sign-on
technology and prepare that input so that OnBase can recognize it as login credentials.

Significant value is achieved by consolidating authentication models across an enterprise,
or even across a few systems. Users achieve increased productivity by having fewer
passwords to remember and fewer logins to complete in the course of their work. An
improvement in overall system security is also achieved with fewer passwords, because
users are less likely to use a simple password that is easily compromised or to resort to
writing down their multiple passwords.

For more information on the Integration for Single Sign-On, see the Integration for Single
Sign-On module reference guide.

Directory Authentication


The Network Security module allows for tighter security controls and a more streamlined
user experience when accessing OnBase by integrating with existing Active Directory
and LDAP authentication schemes.
Active Directory and LDAP authentication schemes have the added security benefit that
users need only remember one password, making it less likely that they will write their
passwords down where someone can find them. You can also choose whether you want
users to be prompted for login credentials when accessing OnBase or if users are logged
in to OnBase automatically based on the credentials supplied when they logged on to
their workstation.
In OnBase 12, you can use the Active Directory – Enhanced option for directory
integration configuration. This option is recommended for use in any Active Directory
integration implementation, as it provides a more visual configuration, a much more
granular assignment of users and groups, and an explicit denial option.

Caution: These options provide the ability to implement global security changes to your
OnBase system and should never be made available to non-administrative users. If
configured incorrectly, your OnBase system may be made more vulnerable and users can
be locked out of OnBase.

For more information on directory authentication, see the Network Security module
reference guide.

Running the OnBase Client as a Windows Service

It is recommended that a separate user account be created to use OnBase as a Windows
service, with only the permissions explicitly needed by the service. This user account
cannot be configured as a Service Account.

For more information on running the OnBase Client as a Windows service, see the
System Administration module reference guide.

You should use SSL encryption for your OnBase-HP web server when possible, to ensure
that the data being transmitted from your HP devices to the OnBase-HP web server and
the data being transmitted from the OnBase-HP web server to the OnBase Application
Server is secure.

Encrypting the Distribution Service Account Credentials

By default, the Service Account’s user name and password are entered in the
Hyland.Core.Distribution.NTService.exe.config file in clear text. Although these
credentials cannot be used to log on to any OnBase client application, you should
encrypt them in the Windows registry using the aspnet_setreg utility. The Distribution
Service can then be configured to refer to the encrypted registry keys to retrieve the
Service Account’s user name and password.
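As an added example, and not Hyland's code, the following script checks a .NET application configuration file for credential-like settings that still hold literal values rather than references to registry keys written by aspnet_setreg. The element and key names it inspects are assumptions: it reads appSettings add entries and identity attributes, and it recognizes the registry reference format that aspnet_setreg documents (registry:HKLM\SOFTWARE\<key>\ASPNET_SETREG,<valueName>). The key names in the actual Hyland.Core.Distribution.NTService.exe.config file may differ, so extend KEY_HINTS to match them; the sample configuration embedded in the script is constructed.

```python
"""Find credential-like settings stored as literals in a .NET .config file.

Added example, not Hyland code. Assumes credentials are carried in
<appSettings><add key=... value=.../> entries or in <identity userName=...
password=.../> attributes, and that an encrypted credential appears as an
aspnet_setreg reference of the form
    registry:HKLM\\SOFTWARE\\<key>\\ASPNET_SETREG,<valueName>
The key names in the real Hyland.Core.Distribution.NTService.exe.config may
differ; extend KEY_HINTS to match them.
"""
import re
import sys
import xml.etree.ElementTree as ET

KEY_HINTS = ("password", "passwd", "pwd", "username", "user")
REGISTRY_REF = re.compile(r"^registry:HKLM\\[^,]+\\ASPNET_SETREG,\w+$", re.IGNORECASE)

# Constructed sample: the user name has been moved to the registry, the
# password has not, and an unrelated setting is present to show it is ignored.
SAMPLE_CONFIG = """\
<configuration>
  <appSettings>
    <add key="ServiceAccountUser"
         value="registry:HKLM\\SOFTWARE\\ExampleCo\\Distribution\\ASPNET_SETREG,userName" />
    <add key="ServiceAccountPassword" value="S3cretPlaintext!" />
    <add key="PollIntervalSeconds" value="30" />
  </appSettings>
</configuration>
"""


def looks_like_credential(name: str) -> bool:
    """True when a setting name suggests it carries a user name or password."""
    lowered = name.lower()
    return any(hint in lowered for hint in KEY_HINTS)


def classify_value(value: str) -> str:
    """'registry' for an aspnet_setreg reference, 'empty', or 'cleartext'."""
    if not value:
        return "empty"
    if REGISTRY_REF.match(value):
        return "registry"
    return "cleartext"


def audit_config(xml_text: str) -> list:
    """Return (setting name, classification) for every credential-like setting."""
    root = ET.fromstring(xml_text)
    results = []
    for add in root.iter("add"):
        key = add.get("key", "")
        if looks_like_credential(key):
            results.append((key, classify_value(add.get("value", ""))))
    for ident in root.iter("identity"):
        for attr in ("userName", "password"):
            if attr in ident.attrib:
                results.append((f"identity/{attr}", classify_value(ident.attrib[attr])))
    return results


def cleartext_settings(xml_text: str) -> list:
    """Names of the settings that still hold a literal credential."""
    return [name for name, kind in audit_config(xml_text) if kind == "cleartext"]


if __name__ == "__main__":
    # Pass the path to the .config file, or run without arguments to audit
    # the constructed sample above.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, kind in audit_config(text):
        print(f"{name}: {kind}")
```

Any setting reported as cleartext is a candidate for moving into the registry with aspnet_setreg; re-run the script after the change to confirm that only registry references remain.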


Command Line Switches

The use of command line switches is not recommended. Leaving switches enabled on
your client or configuration machines could allow unintended access to restricted
features. Use command line switches only when they are required for the
configuration or use of a specific business process.
