This section contains security recommendations that are
specific to Windows when used to run LiveCycle.
3.7.1 JBoss Service accounts

The LiveCycle turnkey installation sets up a service account, by default, using the Local System account. The built-in Local System user account has a high level of accessibility; it is part of the Administrators group. If a worker process identity runs as the Local System user account, that worker process has full access to the entire system.
3.7.1.1 Run the application server using a non-administrative account

In the Microsoft Management Console (MMC), create a local user for the LiveCycle server service to log in as:

1. Select Settings > Administrative Tools > Services.
2. Double-click the application server service and stop the service.
3. On the Log On tab, select This Account, browse for the user account you created, and enter the password for the account.
4. In the Local Security Settings window, under User Rights Assignment, give the following rights to the user account that the LiveCycle server is running under:
5. Give the new user account Read & Execute, List Folder Contents, and Read permissions to LiveCycle web content directories.
6. Start the application server service.
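The same procedure, scripted from an elevated PowerShell prompt, as an added example that is not part of the LiveCycle documentation. The service name, account name and web content path are placeholders; the list of user rights is not given in this section and is left to be applied from the product documentation. Note that setting the Log On account through sc.exe, unlike the Services MMC dialog, does not grant the account the "Log on as a service" right on its own.

```powershell
# Added example (not from the LiveCycle documentation): run the JBoss service
# under a dedicated non-administrative local account. Run elevated.
$ServiceName = 'JBoss'                                              # placeholder: actual service name varies
$AccountName = 'lcservice'                                          # placeholder: dedicated local account
$WebContent  = 'C:\Adobe\LiveCycle\jboss\server\lc_turnkey\deploy'  # placeholder path

# 1. Create the local user. The password is prompted, not stored in the script.
$Password = Read-Host -AsSecureString "Password for $AccountName"
New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
    -Description 'LiveCycle application server service account'
# Leave the account in the Users group only; do not add it to Administrators.

# 2. Stop the application server service.
Stop-Service -Name $ServiceName -Force

# 3. Point the service's Log On identity at the new account.
#    sc.exe needs the plaintext password, so it is unwrapped only for this call.
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
sc.exe config $ServiceName obj= ".\$AccountName" password= $Plain
Remove-Variable Plain

# 4. User Rights Assignment: the rights this section refers to are not listed
#    here; apply them from the product documentation (secpol.msc or secedit).
#    Windows itself requires "Log on as a service" (SeServiceLogonRight) for
#    any account used as a service identity.

# 5. Read & Execute (which includes List Folder Contents and Read) on the web
#    content directory, inherited to subfolders (CI) and files (OI).
icacls $WebContent /grant "${AccountName}:(OI)(CI)RX" /T

# 6. Start the service and confirm which identity it now runs under.
Start-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```

The final query should show StartName as `.\lcservice` (or whatever account name was chosen) rather than `LocalSystem`; if the service fails to start after step 6, the missing "Log on as a service" right is the first thing to check in the System event log.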
3.7.2 File system security

LiveCycle uses the file system in the following ways:

- Stores temporary files that are used while processing document input and output
- Stores files in the global archive store that are used to support the solution components that are installed
- Watched folders store dropped files that are used as input to a service from a file system folder location
When using watched folders as a way to send and receive documents
with a LiveCycle server service, take extra precautions with file
system security. When a user drops content in the watched folder,
that content is exposed through the watched folder. In this case,
the service does not authenticate the actual end user. Instead,
it relies on ACL and Share level security to be set at the folder
level to determine who can effectively invoke the service.
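Because the watched-folder service trusts whoever can write to the folder, the folder's NTFS ACL and its share permissions are the effective authorization for invoking that service. The following is an added example, not part of the LiveCycle documentation, of restricting both to an explicit submitter group and the service account; the folder path, service account and group names are placeholders.

```powershell
# Added example (not from the LiveCycle documentation): lock down a watched
# folder so that only an explicit group can drop files and only the service
# account can read and process them. Run elevated.
$WatchedFolder = 'D:\LiveCycle\watched\invoices'   # placeholder path
$ShareName     = 'LC-Invoices'                     # placeholder share name
$ServiceAcct   = 'lcservice'                       # account the server runs as
$Submitters    = 'CORP\LC-Invoice-Submitters'      # group allowed to invoke the service

# Stop inheriting permissive entries (for example BUILTIN\Users) from the parent
# and remove them, so the folder starts from an empty ACL.
icacls $WatchedFolder /inheritance:r

# Administrators keep Full control for maintenance.
icacls $WatchedFolder /grant 'BUILTIN\Administrators:(OI)(CI)F'

# The service account must read inputs, write results and move or delete
# processed files: Modify, inherited to subfolders and files.
icacls $WatchedFolder /grant "${ServiceAcct}:(OI)(CI)M"

# Submitters get Modify so they can drop and replace their own inputs.
# Nobody else has an entry, so no other user can trigger the service.
icacls $WatchedFolder /grant "${Submitters}:(OI)(CI)M"

# Share-level permissions are evaluated together with NTFS; keep them at least
# as strict as the ACL. Everyone is deliberately not granted anything.
New-SmbShare -Name $ShareName -Path $WatchedFolder `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Submitters

# Verify the resulting NTFS ACL and share access list.
icacls $WatchedFolder
Get-SmbShareAccess -Name $ShareName
```

The `/inheritance:r` step is the one that matters most: a watched folder created under a default location typically inherits an entry for BUILTIN\Users, which would let any local or domain user drop a document and thereby invoke the service without ever being authenticated by LiveCycle.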