Security Overview

System security for AcuServer file server software is designed to address two fundamental security issues:

  1. Controlling access to data files

    This is addressed in two ways: first, via the AcuServer server access file, and second, through the standard UNIX or Windows NT/2000 to 2008 file access provisions.

    Whether a user of AcuServer can access to a given file depends on two things: (1) the user ID assigned the requester in the server access file, and (2) either the Windows NT/2000 to 2008 security set up for your files, or the UNIX ownerships and permissions set on the particular file.

    On both Windows and UNIX networks you have the option to use your operating system security rather than AcuServer system security. Use the operating system security, which is essentially required when using Windows 2008. By setting the SECURITY_METHOD configuration variable on both the client and the server, you can override the server access file and use the full range of native security features on files and directories on the server instead. See SECURITY_METHOD in Server Configuration Variables for information and considerations.

  2. Preventing unauthorized use of AcuServer to perform privileged activities (such as modifying privileged files)

    This is addressed through strict enforcement of the security measures that you have established through the server's operating system.

    On a Windows NT, Windows 2000 to 2008 server, AcuServer system security is designed to work with files that reside on an NTFS (NT file system). (AcuServer can work with a FAT file system, but the files are less secure and no longer supported.)

    When using the NTFS, you may set read and write access permissions on your files by using the Windows security features. Refer to your Windows documentation for more information about NTFSs and security procedures. Make sure that the AcuAccess file and the a_srvcfg file can be written only by those accounts and groups that you want to have write privileges.

    NTFSs may also have shared directories. The permissions on the shared directory operate in addition to any NTFS permissions you have established. Shared directory permissions specify the maximum access allowed.

    When AcuServer is running as a Windows NT/2000 to 2008 service, it usually belongs to an implicit group called SYSTEM. Make sure that the SYSTEM group (or whichever group that you are using for your acuserve services) is added to your file permissions with Full Control.

    Files created by AcuServer are owned by the administrators group and allow Full Control for SYSTEM and Administrator. Everyone is given the permissions specified by the third digit in the umask in the AcuAccess file. UNIX ownerships and permissions can be set on key AcuServer files. Note, however, that your site could jeopardize security if you include entries in the server access file that explicitly allow users running as root on the clients to run as root on the server. It is strongly recommend against thto not include such entries.

Achieving sound AcuServer system security depends on the configuration and management of the following security elements:

UNIX ownerships and permissions on the acuserve executable, server configuration file, and server access file are specified in Ownerships and Permissions. These specifications must be strictly maintained. If the ownerships and permissions are more permissive than those specified, AcuServer will not start.