Security

AcuConnect system security is designed to address two fundamental issues:

  1. Controlling access to data files
  2. Preventing unauthorized use of client components to perform privileged activities (such as modifying privileged files)

The first issue, controlling access to data files, is addressed in two ways: first, via a server access file known as AcuAccess (the same access file used by AcuServer), and second, through the standard UNIX or Windows server file access provisions. Whether an AcuConnect user can access a given file on the server depends on two things: (1) the user ID assigned to the requester in the server access file, and (2) either the Windows security set up for your files, or the UNIX ownerships and permissions set on the particular file.

The second issue, preventing unauthorized privileged use, is addressed through strict enforcement of the security measures that you have established through the server's operating system.

Achieving sound system security depends on the configuration and management of the following security elements:

When AcuConnect is running as a Windows service (NT/2000/2003/2008), it belongs to an implicit group called "SYSTEM." Make sure that the "SYSTEM" group is added to your file permissions with "Full Control." (This is not necessary if you are using Windows NT security via the SECURITY_METHOD configuration variable.)

UNIX ownerships and permissions can be set on key AcuConnect files. Note, however, that your site could jeopardize security if you include entries in the server access file that explicitly allow users running as root on the clients to run as root on the server. Do not include such entries.

UNIX ownerships and permissions on the acurcl executable file, server configuration file, and server access file are described in Establishing System Security. These specifications must be strictly maintained. If the ownerships and permissions are more permissive than those specified, AcuConnect will not start, halting system operations.
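A pre-start audit for the rule above, as an added example (not part of the AcuConnect documentation or product): it flags any file whose owner differs from a baseline or whose mode grants a permission bit the baseline does not. The function names and the baseline format (`path owner max_mode` per line) are assumptions; take the real paths, owners and modes from Establishing System Security.

```shell
#!/bin/sh
# Added example: audit ownership/permission drift on key server files.
# Baseline lines are "path owner max_mode"; all values shown are placeholders.

# mode_exceeds ACTUAL ALLOWED: true if ACTUAL sets any bit ALLOWED lacks.
# A plain numeric compare is wrong here (e.g. 0604 < 0640 but adds o+r),
# so compare bit by bit, including setuid/setgid/sticky.
mode_exceeds() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

# check_file PATH OWNER MAX_MODE: prints one line per finding, returns 1 on any.
check_file() {
    path=$1 want_owner=$2 max_mode=$3
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    # GNU stat first, BSD stat as fallback
    info=$(stat -c '%a %U' "$path" 2>/dev/null || stat -f '%Lp %Su' "$path")
    mode=${info%% *}
    owner=${info#* }
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER $path: $owner (expected $want_owner)"
        rc=1
    fi
    if mode_exceeds "$mode" "$max_mode"; then
        echo "MODE $path: $mode is more permissive than $max_mode"
        rc=1
    fi
    return $rc
}

# audit_baseline: reads baseline lines on stdin, skips blanks and # comments,
# returns nonzero if any file fails so a start script can refuse to continue.
audit_baseline() {
    failed=0
    while read -r path owner max_mode; do
        case $path in ''|'#'*) continue ;; esac
        check_file "$path" "$owner" "$max_mode" || failed=1
    done
    return $failed
}

# Usage (placeholder paths and values, not the documented ones):
#   audit_baseline <<'EOF'
#   /path/to/acurcl        root 755
#   /path/to/server.config root 644
#   /path/to/AcuAccess     root 600
#   EOF
```

Running this from cron or a monitoring agent reports drift before the next restart, instead of discovering it when the server refuses to start.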

In addition to the AcuAccess file, AcuConnect offers internal socket layer encryption to further enhance security. Encryption protects information while it is in transit across the network. See Creating a Runtime Configuration File for the Remote Server Component for information about the configuration variables used to enable encryption.