Version 15
COPYRIGHT
Information in this document is subject to change without notice. The OnBase® Information
Management System software (the "Software") described in this document is furnished only under a
separate license agreement and may be used or copied only according to the terms of such
agreement. It is against the law to copy the Software except as specifically allowed in the license
agreement. This document or accompanying materials contains certain information which is
confidential information of Hyland Software, Inc. and which is subject to the confidentiality provisions
agreed to by you.
All data, names, and formats used in this document’s examples are fictitious unless noted otherwise.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright law, no part of this document may be reproduced, stored in or introduced into
a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Hyland Software, Inc.
© 2015 Hyland Software, Inc. All rights reserved.
Depending on the modules licensed, the OnBase® Information Management System software may
include software developed and copyrighted by third parties, including but not limited to the
following:
A2iA CheckReader™ by A2iA Corp;
Adobe ® PDF Library™ by Adobe Systems Incorporated;
dtSearch ® Text Retrieval Engine by dtSearch Corp.;
software or other content adapted from Smart Client – Composite UI Application Block by Microsoft
Corporation © 2005 Microsoft Corporation;
software or other content adapted from Microsoft patterns & practices ObjectBuilder © 2006 Microsoft
Corporation;
Nuance™ OCR © 1994-2012 Nuance Communications;
portions of imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL;
Imaging Technology copyrighted by Snowbound Software Corporation, Snowbound.com;
CD-R technology by Sonic Solutions, Inc.;
full-text indexing technology by Autonomy;
IDSMail © 2005 by Intuitive Data Solutions;
jLex Copyright 1996-2003 by Elliot Joel Berk and C. Scott Ananian;
Rumba by NetManage;
AutoVue by Oracle America, Inc.
All rights reserved.
Further information regarding third-party software included in the OnBase Information Management
System software can be found in the About box within the Software.
Hyland Software ®, OnBase®, Application Enabler, and Where Your Information Finds You are
registered or unregistered trademarks of Hyland Software, Inc. A2iA CheckReader™ is a trademark of
A2iA Corporation. Adobe ® PDF Library™ is a trademark of Adobe Systems Incorporated.
All other trademarks, service marks, trade names and products of other companies are the property
of their respective owners.
Document Name: Security Best Practices
Department/Group: Documentation
Revision Number: 15
USING THIS MODULE REFERENCE GUIDE (PDF)
In the following module reference guide (MRG), we provide a great deal of information. If
you are unfamiliar with our MRGs, take a few moments to review the content below so you
can more quickly and efficiently locate the information you need.
Note: The content in this MRG is considered module-specific. Therefore, you may be
referred to another MRG if a referenced function is not specific to this module.
Tip: It is considered a best practice to read through an entire stepped process before
attempting to complete any of its steps. Pay close attention to notes, tips, and cautions,
which can help you better understand the entire process and discover any prerequisites you
may not have completed.
Tip: To return to the page you were viewing before following a cross-reference, press Alt +
Left Arrow until the desired page is displayed.
EXPOSURE
Overview
The following document outlines the Hyland Software best practices for securing OnBase
environments. As each OnBase environment is unique, any changes should be
thoroughly tested in a non-production environment prior to full implementation so the
impact on business processes can be determined.
Due to the complexity of OnBase, this document does not represent an exhaustive list of
every possible security configuration and should not be treated as such. Instead, this
text serves as a guide to the current best practices for securing the OnBase database,
disk groups, integrations, and its client features. Implementing the guidelines found in
this document will dramatically increase the security of an OnBase implementation and
help prevent unauthorized intrusion and data loss.
SECURITY BEST PRACTICES
The following best practice recommendations have been assembled by a team of OnBase
subject matter experts. They represent the accumulation of years of experience
installing and configuring OnBase solutions.
The following recommendations are general in nature, and are applicable to most
OnBase solutions and network environments. Depending on your solution design and
your organization’s needs, not all of the best practice recommendations listed below may
apply to, or be recommended for, your OnBase solution.
Carefully consider the impact of making any changes, including those listed below, to
your OnBase solution prior to implementing them in a production environment.
OnBase Upgrades
Due to rapidly changing technological environments, Hyland Software strongly
recommends that its customers upgrade to the latest version of the software at least
once every year.
Technological changes in customer environments can lead to situations where older
versions of the product may be rendered inoperable and Hyland Software may be unable
to provide relief or suggestions to address issues that customers may face.
In addition, Hyland Software routinely addresses security, scalability, and other types of
fixes that are important to OnBase users in its ongoing development efforts.
Database
When the OnBase database is configured, several database logins (HSI, HSINET, etc.)
are created with default passwords. These passwords are also hard coded into the
software.
If your organization has a security requirement to change these default passwords,
Hyland Software provides the ability to do so. However, this change is not trivial, and it
is recommended to execute this change in a test environment before trying it in a
production environment.
Changing the database password requires adding a license to your system, adding a
command line switch to OnBase Configuration, locking the OnBase database, and
updating executables for your OnBase environment. This is not a difficult procedure, but
it is multistep and will require redeploying your OnBase client executables and/or
upgrading .dlls in your Application Server. Please see the Changing Database User Name
Passwords section of the System Administration MRG for more detailed instructions, and
engage your first line of support with any questions before executing this procedure.
ODBC Configuration
When configuring an ODBC source for OnBase, the VIEWER account should be used to
test connectivity to the database; the HSI user is not required or recommended.
Additionally, it is recommended to select the Use Strong Encryption for Data option in
order to ensure that data is protected while it is in transit between the OnBase database
and the Application Server or OnBase Client.
When this option is enabled, the hsi user no longer requires the following rights:
Oracle: The create user and alter user permissions are not required.
Disk Groups
Distributed Disk Services
While standard file system access to the OnBase Disk Groups is secure, DDS provides an
additional layer of security:
• A secure port employs a single access point for OnBase file retrieval.
• DDS file servers can be kept behind a firewall. The firewall only needs access to
a secure port, avoiding UNC traffic.
Note: DDS requires unrestricted bidirectional network access for User Datagram Protocol
(UDP) and Transmission Control Protocol (TCP) between the client and server on the
specified port.
• To protect documents from being intercepted in a data stream, the full contents
of the datastream is encrypted.
• Users cannot browse files using Windows Explorer.
For more information on configuring DDS, see the Distributed Disk Services module
reference guide.
You can rotate, or change, the second piece of the KEK as a security measure against
outside forces (e.g., separated employees, social engineering). The concept is similar to
changing a password. When you rotate the KEK, OnBase changes the piece that is stored
in the OnBase software, generates new Client and Configuration executables, and
creates a new copy of Hyland.Core.GrabIcon.dll. These files contain the new KEK piece.
The KEK can be rotated using the OnBase Configuration module. For more information
on configuring Encrypted Disk Groups, see the Platter Management module reference
guide.
Client Settings
Password Controls
With each OnBase installation, two pre-defined password policies are created by default
to establish good security practices. The High Security policy is created as the
recommended level of security, and the Medium Security policy is applied as the default
password policy if no default password policy is defined for your system. These policies
cannot be modified or deleted.
Note: When upgrading to OnBase 15, if the system password policies are not found in the
database upon launching the Configuration module, the policies are created.
Although it is unenforceable at the system level, there is no more effective policy than to
require a Unicode (e.g. ♞, ★) character as part of your users’ passwords. Adding one of
these characters has been shown to all but defeat every known password cracking
mechanism. Due to user unfriendliness, this is only recommended to be used in super-high
security environments.
Note: This tactic is only effective if the entire OnBase database has been configured for
Unicode.
For more information on configuring password policies, see the System Administration
module reference guide.
Keywords
Configuring Keyword Types
When configuring settings for Keyword Types, the following features can be applied in
the Keyword Type Settings dialog box for additional security:
• Invisible - This option ensures that this Keyword Type is only displayed while
For more information about these options, see the System Administration module
reference guide.
Security Keywords
Security Keywords restrict a user’s ability to view documents based on document
Keyword Values.
Caution: SQL Custom Queries do not respect Security Keywords in the OnBase Client. Users
that execute SQL Custom Queries may be able to access documents they should not be
allowed to access.
This does not apply to the OnBase Core (for example, the Web or Unity Client). The OnBase
Core respects Security Keywords when executing SQL Custom Queries.
Note: Security Keywords do not restrict document viewing rights in Workflow. Instead,
the configuration of the work queue determines access to documents.
Currency, Date, and Floating Point Keyword Types cannot be configured as Security
Keywords.
Note: OnBase does not support the use of wildcards in numeric Keyword Types. Instead,
change the Keyword Type to be an alphanumeric Keyword Type that has a numeric
mask, or duplicate the data in an alphanumeric Keyword Type.
Note: Some regulations, such as HIPAA or PCI-DSS, may require that PII (Personally
Identifiable Information) be encrypted.
The encryption keys themselves are encrypted with a Key-Encrypting Key (KEK) and
stored in the database. Rotating the KEKs is fully supported in cases of critical business
need, but it is important to note that if the KEKs are rotated, the administrator should store
the Formatted KEK in a secure location along with a copy of all executables and DLLs
which will be generated after the rotation process.
For more information, see the Encrypted Alpha Keywords module reference guide.
DocPop
Note: The HTTP logon method should not be used in production environments because it
passes the user name and password in clear text on the query string.
1. When using the default login method, secure the user account specified in the
Web Server’s Web.config file.
DocPop, PDFPop, and FolderPop are only as secure as this user’s rights. Configure
this user account to have the least privileges required to accomplish a task. For
example, if users only need to view documents through DocPop, then only the
Retrieve/View privilege is needed.
Do not grant the user account additional rights, such as Workflow or re-indexing
privileges, unless it is absolutely necessary. Grant rights only to Document Types
that anyone in your network should be able to access.
2. Use the interactive login method to provide another layer of security. When an
autologin method is used, any user who can access the workstation also could
have access to OnBase documents through DocPop.
3. If DocPop will be accessed from a shared workstation, but only some of the
workstation’s users should be able to access OnBase documents using DocPop,
then use the interactive login method.
For example, when DocPop is accessed from a scanning workstation, the
interactive login method will ensure that only users who have sufficient rights can
log on.
For more information on DocPop, see the DocPop module reference guide.
Checksums
Checksums ensure that only URLs generated by the system are used. Checksums can
prevent users from retrieving documents other than the ones that the DocPop URL was
intended to retrieve.
1. Use checksums when you want to ensure that only URLs generated by the system
are used. When a user attempts to retrieve a document, DocPop compares the
checksum in the URL query string to the expected checksum. If the values match,
the document is displayed. If the values do not match, the user is presented with
an error.
2. Use checksums when integrating DocPop with another application. For example, if
an application creates a DocPop URL that retrieves documents by account
number, the user could modify the account number in the URL to retrieve
documents for another account. A checksum would prevent the user from
accessing other documents by modifying the URL.
3. Checksums do not prevent other users from using a URL, nor do they cause URLs
to expire. To limit access to DocPop, choose the appropriate logon method.
Note: Remember to apply the principle of least privilege when choosing a logon method.
The concept of least privilege refers to a policy of only providing access to the rights,
privileges, and parts of the system that are absolutely essential for users to complete
their daily tasks.
For more information on configuring checksums, see the DocPop module reference guide.
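The following is an added illustration of the checksum concept described above; it is not OnBase's own code, and the page does not describe the algorithm DocPop uses. It assumes an HMAC-SHA256 over the signed query parameters with a server-side secret, a constructed base URL, and hypothetical parameter names (doctype, account, checksum). It also shows the limitation the text notes: a valid URL stays valid for anyone who holds it, because the checksum neither expires nor identifies the user.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical server-side secret (constructed for this example). In a real deployment it
# is loaded from protected configuration and never appears in any URL.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Parameters the checksum covers, in a fixed order so issuer and verifier hash identical bytes.
SIGNED_PARAMS = ("doctype", "account")


def compute_checksum(params: dict) -> str:
    """HMAC-SHA256 over the canonical 'key=value' pairs of the signed parameters."""
    canonical = "&".join(f"{k}={params[k]}" for k in SIGNED_PARAMS)
    return hmac.new(SECRET_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_url(base: str, params: dict) -> str:
    """Issue a retrieval URL carrying the checksum of its signed parameters."""
    signed = dict(params)
    signed["checksum"] = compute_checksum(params)
    return f"{base}?{urlencode(signed)}"


def verify_url(url: str) -> bool:
    """Return True only if the checksum in the query string matches the recomputed one.

    A URL with a missing or edited signed parameter, or no checksum at all, is rejected.
    """
    qs = parse_qs(urlparse(url).query)
    try:
        params = {k: qs[k][0] for k in SIGNED_PARAMS}
        presented = qs["checksum"][0]
    except KeyError:
        return False
    expected = compute_checksum(params)
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    return hmac.compare_digest(presented, expected)


def tamper_account(url: str, new_account: str) -> str:
    """Simulate a user editing the account number in an issued URL (for the check below)."""
    parsed = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    qs["account"] = new_account
    return parsed._replace(query=urlencode(qs)).geturl()


if __name__ == "__main__":
    issued = build_url("https://webserver.example/docpop", {"doctype": "Invoice", "account": "1001"})
    print("issued URL verifies:", verify_url(issued))
    print("edited account verifies:", verify_url(tamper_account(issued, "1002")))
    # The same URL verifies again: checksums do not expire or bind to a user.
    print("replayed URL verifies:", verify_url(issued))
```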
Integrations
Full-Text Indexing Server for Autonomy IDOL
When installing the Full-Text Indexing Service and Data Capture components of the
Autonomy IDOL solution, an OnBase Service Account must be supplied to allow these
Single Sign-On
Single Sign-On is third-party software that authenticates users to multiple services
without requiring the user to log in multiple times. It is most effective when users need
to authenticate to multiple services over a WAN, but also over complex LANs where
users must authenticate to multiple and disparate services. Many customers use single
sign-on technology to streamline their business process. OnBase’s Integration for Single
Sign-On module allows OnBase to integrate with most single sign-on vendors so that a
user is automatically logged in to OnBase as part of a single sign-on solution.
The Integration for Single Sign-On module consists of two parts. One part is coded to
submit login information to OnBase in the way that OnBase expects to receive it. The
other part is the custom provider, which integrates with the single sign-on vendor’s
software. This portion of the software is coded to take input from a single sign-on
technology and prepare that input so that OnBase can recognize it as login credentials.
For more information on the Integration for Single Sign-On, see the Integration for Single
Sign-On module reference guide.
Directory Authentication
The Network Security module allows for tighter security controls and a more streamlined
user experience when accessing OnBase by integrating with existing Active Directory
and LDAP authentication schemes.
Active Directory and LDAP authentication schemes have the added security benefit that
users need only remember one password, making it less likely that they will write their
passwords down where someone can find them. You can also choose whether you want
users to be prompted for login credentials when accessing OnBase or if users are logged
in to OnBase automatically based on the credentials supplied when they logged on to
their workstation.
In OnBase 12, you can use the Active Directory – Enhanced option for directory
integration configuration. This option is recommended for use in any Active Directory
integration implementation, as it allows for a more visual configuration, allowing a much
more granular assignment of users and groups, as well as integrating an explicit denial
option.
Caution: These options provide the ability to implement global security changes to your
OnBase system and should never be made available to non-administrative users. If
configured incorrectly, your OnBase system may be made more vulnerable and users can
be locked out of OnBase.
For more information on directory authentication, see the Network Security module
reference guide.
For more information on running the OnBase Client as a Windows service, see the
System Administration module reference guide.
You should use SSL encryption for your OnBase-HP web server when possible, to ensure
that the data being transmitted from your HP devices to the OnBase-HP web server and
the data being transmitted from the OnBase-HP web server to the OnBase Application
Server is secure.