Security concerns with a TEMA installation



When SQL Server Authentication is used, the TEMA database username and password are stored in clear text in C:\TEMA\config\database.yml, and the BES database username and password are stored in clear text in a TEMA database table. Anyone who can read that file or that table can connect to the databases directly with those credentials, independently of TEMA. We recommend Windows authentication instead, so that no database password is stored anywhere.



If you use SSL to access your server, the SSL certificate is stored in C:\TEMA\config\keystore. Although this file is nominally encrypted, anyone who can read the configuration directory can copy it and attack it offline, so restrict access to the entire configuration directory rather than relying on that encryption.



The first time the TEMA server is started, the program files are expanded into a directory tree under the installation directory. Anyone who can write to those files can change the code the TEMA service executes, and that code runs with whatever privileges the service account holds. This is why the installation directory must be locked down before the service is first started, not afterwards.



We recommend restricting access to the installation directory, running the service as a dedicated low-privilege account, and using Windows authentication for database access. The following example illustrates one way to do this.

 

Example secure installation

Prepare the TEMA server



We must select or create a Windows user account to run the TEMA service. This example creates a new local account. A domain account may be necessary if the database and the TEMA server are installed on different machines, because a remote SQL Server cannot authenticate a local account that exists only on TEMA_SERVER.

 

  • Using an administrative account, log in to the server that will host the TEMA server software. These instructions assume this machine is named TEMA_SERVER.
  • Invoke the control panel: 'Start / Control Panel'
  • Navigate to 'Administrative Tools' and double-click 'Computer Management'
  • Navigate to 'Local Users and Groups'
  • Right-click 'Users' and choose 'New User...'
  • Enter a username and password. In the remainder of this document we assume username: TEMA_svc_user and password: temasvc. The password is only a placeholder for these instructions; in a real installation use a long, randomly generated password, since the account is never used interactively and the password is typed only once, into the service configuration.
  • Uncheck 'User must change password at next logon'
  • Check 'Password never expires'. A service cannot answer an expiry prompt; rotate the password deliberately and update the service configuration at the same time.
  • Click 'Create'
  • Click 'Close'. The new user should appear in the users list.
  • Remove any default group membership, so that the account holds nothing beyond the rights granted below:
    • Right-click the user and choose 'Properties'
    • Select the 'Member Of' tab
    • Select 'Users' and click 'Remove'
    • Repeat for any other group listed.
  • Click 'OK'
  • Close the 'Computer Management' window
  • Double-click 'Local Security Policy'
  • Navigate to 'Local Policies/User Rights Assignment'
  • In the 'Policy' column, double-click 'Log on as a service'
  • Click 'Add User or Group...'
  • Enter the TEMA service user name fully qualified with the TEMA server name, for example: TEMA_SERVER\TEMA_svc_user
  • Click 'Check Names'
    • If entered incorrectly a warning will appear. Double-check and try again.
    • If entered properly, the name will now appear underlined.
  • Click 'OK'
  • Click 'OK'
  • Optionally, add the same account to 'Deny log on locally' and 'Deny log on through Remote Desktop Services' in the same list, so that the password is useful only for running the service.
  • Close the 'Local Security Policy' window
  • Close the 'Administrative Tools' window
  • Close the 'Control Panel' window
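The same preparation as a script, added here as an example; it is not part of the TEMA documentation. It creates the account with a random password instead of the placeholder, strips default group membership, and grants 'Log on as a service', for which there is no cmdlet, by round-tripping the policy through secedit. It assumes an elevated Windows PowerShell 5.1 prompt on Windows Server 2016 or later (for the LocalAccounts cmdlets); the account name is the document's example.

```powershell
# Added example, not from the TEMA documentation. Assumes an elevated
# Windows PowerShell 5.1 prompt (New-LocalUser etc. need Server 2016+).
$svcUser = 'TEMA_svc_user'

# 24 random bytes -> 32-character password. Never use the placeholder 'temasvc'.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$plain = [Convert]::ToBase64String($bytes)

$user = New-LocalUser -Name $svcUser `
    -Password (ConvertTo-SecureString $plain -AsPlainText -Force) `
    -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires `
    -Description 'TEMA service account'

# The GUI adds new users to 'Users'; strip that and any other membership so the
# account holds only what is granted explicitly below.
foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SID -eq $user.SID }) {
        Remove-LocalGroupMember -Group $group -Member $user
    }
}

# Grant SeServiceLogonRight ('Log on as a service'): export the current user
# rights, add our SID to that one line, and import the result.
$sid = $user.SID.Value
$inf = Join-Path $env:TEMP 'tema-rights.inf'
$sdb = Join-Path $env:TEMP 'tema-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
if ($lines -match '^SeServiceLogonRight\s*=') {
    # Someone already holds the right: append our SID to the existing list.
    $lines = $lines | ForEach-Object {
        if ($_ -match '^SeServiceLogonRight\s*=' -and $_ -notmatch [regex]::Escape($sid)) { "$_,*$sid" } else { $_ }
    }
} else {
    # Nobody holds it yet: add the line inside the [Privilege Rights] section.
    $idx   = [array]::IndexOf($lines, '[Privilege Rights]')
    $lines = $lines[0..$idx] + "SeServiceLogonRight = *$sid" + $lines[($idx + 1)..($lines.Count - 1)]
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $sdb -ErrorAction SilentlyContinue

# The installer asks for this once; store it in a password vault, not in a file.
"Created $env:COMPUTERNAME\$svcUser with password: $plain"
```

Run it once, before the installer, and confirm the result in 'Local Security Policy / User Rights Assignment / Log on as a service', which should now list TEMA_SERVER\TEMA_svc_user.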

 

Create the TEMA database login

 

  • Run SQL Server Management Studio and connect to the SQL Server instance that will host the TEMA database. Connect as a database administrator.
  • Add the TEMA_SERVER\TEMA_svc_user login:*
    • Navigate to 'Security/Logins'
    • Right-click 'Logins' and choose 'New Login...'
    • Click 'Search...'
    • Enter the TEMA service user name fully qualified with the TEMA server name, for example: TEMA_SERVER\TEMA_svc_user
    • Click 'Check Names'
      • If entered incorrectly a warning will appear. Double-check and try again.
      • If entered properly, the name will now appear underlined.
    • Click 'OK'
  • Do one of the following:
    • Add the 'dbcreator' role. This is the simpler option, but 'dbcreator' lets the account create, alter and drop any database on the instance, so remove it once TEMA has created its own database. See the optional steps below.
      • Navigate to 'Server Roles'
      • Check 'dbcreator'
    • Manually create the TEMA database and make TEMA_svc_user its owner. This is the least-privilege option: the account is db_owner of its own database only and holds no server-level role.
      • Navigate to <server> / Databases
      • Right-click 'Databases' and choose 'New Database...'
      • Enter the database name; 'tem_analytics' is recommended.
      • Click the '...' button next to 'Owner'
      • Check the TEMA_svc_user login and click 'OK'
      • Click 'OK'
      • Click 'OK' to create the new database



Create a TEMA login on the BES database

 

  • Run SQL Server Management Studio and connect to the SQL Server instance that hosts the BES database. Connect as an administrative user.
  • Add the TEMA_SERVER\TEMA_svc_user login as before (see * above)
  • Navigate to 'Security/Logins' and double-click the TEMA_svc_user login
  • Navigate to 'User Mapping' and check the BES database. These instructions assume it is called 'BFEnterprise'. This creates the database user that the grants below apply to.
  • Click 'OK'
  • Click the 'New Query' button
  • In the query window enter:
    use BFEnterprise;
    grant SELECT to [TEMA_SERVER\TEMA_svc_user];
    grant EXECUTE to [TEMA_SERVER\TEMA_svc_user];
  • Click 'Execute'
  • Verify that the Messages window says 'Command(s) completed successfully'. These are database-wide grants: the account can read every table and view and run every stored procedure and function in BFEnterprise. It cannot issue INSERT, UPDATE or DELETE directly, although a stored procedure it is allowed to execute may still modify data on its behalf.
  • Do just one of the following:
    • Either grant the permissions TEMA needs to create its extensions in the BES database (these may be removed later; see the optional steps below). In the query window enter the following and click 'Execute':
      use BFEnterprise;
      grant CREATE SCHEMA to [TEMA_SERVER\TEMA_svc_user];
      grant CREATE TABLE to [TEMA_SERVER\TEMA_svc_user];
      grant CREATE VIEW to [TEMA_SERVER\TEMA_svc_user];
      grant CREATE FUNCTION to [TEMA_SERVER\TEMA_svc_user];
    • Or manually install the TEMA extensions into your BES database
      • tbd

 



Create a TEMA login on the Web reports database

 

Skip these steps if you're not linking to a Web reports installation.

  • Run SQL Server Management Studio and connect to the SQL Server instance that hosts the Web Reports database. Connect as an administrative user. These instructions assume the database is called 'WebReportsDB'.
  • Add the TEMA_SERVER\TEMA_svc_user login as before (see * above), and map it to WebReportsDB under 'User Mapping'
  • Click the 'New Query' button
  • In the query window enter (read-only access is all TEMA needs here):
    use WebReportsDB;
    grant SELECT to [TEMA_SERVER\TEMA_svc_user];
  • Click 'Execute'
  • Verify that the Messages window says 'Command(s) completed successfully'
  • Close SQL Server Management Studio
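The three database-login sections above as a script, added here as an example; this is not TEMA's own code. It creates the Windows login for the service account on an instance, maps it into a database with exactly the rights the document grants, and then lists what the account actually holds, which is also the check to run after the optional revocation at the end of this page. It uses System.Data.SqlClient from the .NET Framework, so no SQL Server module is needed, and runs as the current administrative Windows user through integrated authentication. The instance name is an assumption; the database names and the login are the document's examples.

```powershell
# Added example, not from the TEMA documentation. Run from an administrative
# Windows account that is a SQL Server administrator on the target instance.
$login = 'TEMA_SERVER\TEMA_svc_user'

function Invoke-TemaSql {
    param([string]$Instance, [string]$Database, [string]$Query, [switch]$NonQuery)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        if ($NonQuery) { $null = $cmd.ExecuteNonQuery(); return }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally { $conn.Close() }
}

# Server level: a Windows login and nothing else (no dbcreator, no sysadmin).
$createLogin = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@

# Database level: map the login in (SSMS 'User Mapping') and grant only what the
# document grants for BFEnterprise: database-wide SELECT plus EXECUTE.
$grantRead = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
GRANT SELECT  TO [$login];
GRANT EXECUTE TO [$login];
"@

# Audit: every explicit database permission the account holds, and its server roles.
$auditDb = @"
SELECT dp.class_desc, dp.permission_name, dp.state_desc,
       ISNULL(OBJECT_NAME(dp.major_id), '') AS object_name
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'$login'
ORDER BY dp.class_desc, dp.permission_name;
"@
$auditRoles = @"
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals l ON l.principal_id = m.member_principal_id
WHERE l.name = N'$login';
"@

$besInstance = 'BES_SQL'   # assumption: the instance hosting BFEnterprise
Invoke-TemaSql -Instance $besInstance -Database 'master'       -Query $createLogin -NonQuery
Invoke-TemaSql -Instance $besInstance -Database 'BFEnterprise' -Query $grantRead   -NonQuery

"Database permissions for $login in BFEnterprise (expect CONNECT, SELECT, EXECUTE):"
Invoke-TemaSql -Instance $besInstance -Database 'BFEnterprise' -Query $auditDb | Format-Table -AutoSize
"Server roles for $login (expect none):"
Invoke-TemaSql -Instance $besInstance -Database 'master' -Query $auditRoles | Format-Table -AutoSize
```

For WebReportsDB run the same with the GRANT EXECUTE line removed, since the document grants only SELECT there. The audit queries are the useful part to keep: after the optional steps at the end of this page, the server-role query should return no rows and the database query should show no CREATE permissions.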



Create a secure installation directory for TEMA

 

  • With Windows Explorer, navigate to the drive TEMA will reside on. These instructions assume 'Local Disk (C:)'.
  • Right-click and choose 'New Folder'. These instructions assume the folder is called C:\TEMA.
  • Right-click the TEMA folder and select 'Properties'
  • Choose the 'Security' tab and click 'Advanced'
  • Choose the 'Permissions' tab and click 'Change Permissions...'
  • Uncheck 'Include inheritable permissions from this object's parent'
  • At the security warning dialog, choose 'Remove' to remove the inherited parent permissions from this object. The 'Permission entries:' list should now be empty. Do not choose 'Add', which would copy the inherited entries (including the broad defaults for 'Users') into the folder as explicit permissions.
  • Add the users/groups that should have access to the TEMA directory:
  • Click 'Add...'
  • Enter the name of the TEMA service user, for example: TEMA_SERVER\TEMA_svc_user
  • Click 'Check Names'. The server\username should now be underlined.
  • Click 'OK'
  • In the 'Permissions:' window click 'Full Control' in the 'Allow' column. All remaining boxes in the 'Allow' column will now be checked. Full Control also lets the service account change these permissions; if you prefer, grant 'Modify' instead, which is enough for the first start to expand the program files but does not let the account alter the ACL.
  • Click 'OK'
  • Repeat the last six steps to add the administrator account you're currently using, and once more to add the 'Administrators' group.
  • Click 'OK'
  • Click 'OK'
  • Click 'OK'
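The same directory preparation as a script, added here as an example and not part of the TEMA documentation. It disables inheritance, discards the inherited entries (the dialog's 'Remove'), and adds explicit entries for the service account, the installing administrator and the Administrators group. It tightens the document's 'Full Control' for the service account to 'Modify'; if TEMA's first start fails with an access error under that setting, change the entry back to 'FullControl'. It assumes an elevated prompt on TEMA_SERVER; C:\TEMA and TEMA_svc_user are the document's example names.

```powershell
# Added example, not from the TEMA documentation. Elevated prompt assumed.
$path    = 'C:\TEMA'
$svcUser = "$env:COMPUTERNAME\TEMA_svc_user"
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$null = New-Item -ItemType Directory -Path $path -Force
$acl  = Get-Acl -Path $path

# Equivalent of unchecking 'Include inheritable permissions...' and choosing
# 'Remove': stop inheriting and discard the inherited entries instead of
# copying them. Then drop any explicit entries the folder was created with.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) {
    if (-not $rule.IsInherited) { $null = $acl.RemoveAccessRule($rule) }
}

# Entries apply to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @{
    $svcUser                 = 'Modify'       # read/write/delete, cannot change the ACL
    $me                      = 'FullControl'  # the administrator running the install
    'BUILTIN\Administrators' = 'FullControl'
}
foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity], $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Show the result: exactly three entries, all with IsInherited = False.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Note that SYSTEM is deliberately absent, as in the document's list; add it only if something on your server (backup agents, for instance) needs to read the directory.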



Install TEMA

 

  • Invoke the installer, tema.msi
  • Select the directory you prepared above; C:\TEMA in our example.
  • Select the account you prepared above as the service user; TEMA_SERVER\TEMA_svc_user in our example.
  • The installer opens the TEMA application in a web browser. Choose Windows Authentication for all database settings, so that no database password is written to database.yml or to the TEMA database, and configure the remaining settings as desired.

To use SSL, see the instructions in the user's guide. You will have to restart the service manually, using an administrator account and Control Panel/Administrative Tools/Services. If you use SSL with the testing certificate, Firefox will warn that the connection is 'untrusted'. This is expected, because the testing certificate is not issued by a CA the browser trusts, but it also means users cannot tell the real server from an impostor. Replace it with a certificate from a CA your browsers trust before exposing the server to users; for testing only, click 'I understand the risks' and add an exception to proceed.

Test the installation

 

  • Verify that the service is running as the correct user
    • Launch 'Control Panel'
    • Choose 'Administrative Tools'
    • Double-click 'Services'
    • Locate the 'Tivoli Endpoint Manager Analytics' service
    • Verify that the 'Log On As' column lists TEMA_svc_user. It may be shown as 'TEMA_SERVER\TEMA_svc_user' or simply '.\TEMA_svc_user'. If it shows 'Local System', the service has the full privileges of the machine and the account preparation above has not taken effect.
    • Close the 'Services', 'Administrative Tools', and 'Control Panel' windows.
  • Log in as an unprivileged user and verify that you cannot access the TEMA installation directory (opening C:\TEMA should fail with 'Access is denied').
  • Verify that the TEMA web application is reachable only via https://, and that a plain http:// request to the same port is refused.
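The checks above in scripted form, added here as an example and not part of the TEMA documentation. It verifies the service identity, that C:\TEMA has no inherited entries and no unexpected principals, that plain HTTP on the application port is refused, and it prints the certificate the server presents so an untrusted testing certificate is noticed rather than clicked through. It assumes PowerShell 3 or later on TEMA_SERVER and the document's names; $port is an assumption, set it to the HTTPS port you configured.

```powershell
# Added example, not from the TEMA documentation. Run on TEMA_SERVER as an
# administrator after installation; $port is an assumption.
$path     = 'C:\TEMA'
$svcUser  = 'TEMA_svc_user'
$port     = 443
$failures = @()

# 1. The service must run as the dedicated account ('.\TEMA_svc_user' or
#    'TEMA_SERVER\TEMA_svc_user'), never as LocalSystem.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Tivoli Endpoint Manager Analytics'"
if (-not $svc) {
    $failures += 'Tivoli Endpoint Manager Analytics service not found'
} elseif ($svc.StartName -notmatch ('(^|\\)' + [regex]::Escape($svcUser) + '$')) {
    $failures += "service runs as '$($svc.StartName)'"
}

# 2. No inherited entries on C:\TEMA, and only the expected principals.
$allowed = @("$env:COMPUTERNAME\$svcUser", 'BUILTIN\Administrators',
             [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
$acl = Get-Acl -Path $path
if (-not $acl.AreAccessRulesProtected) { $failures += "$path still inherits permissions from its parent" }
foreach ($ace in $acl.Access) {
    if ($allowed -notcontains $ace.IdentityReference.Value) {
        $failures += "unexpected entry on ${path}: $($ace.IdentityReference) has $($ace.FileSystemRights)"
    }
}

# 3a. Plain HTTP on the application port must be refused.
try {
    $null = Invoke-WebRequest -Uri "http://localhost:$port/" -UseBasicParsing -TimeoutSec 5
    $failures += "plain http:// was accepted on port $port"
} catch { }

# 3b. HTTPS must answer. Accept any certificate for the handshake but record the
#     validation result, so a testing certificate is reported, not hidden.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors) $script:tlsErrors = $errors; $true }
try {
    $tcp = New-Object System.Net.Sockets.TcpClient('localhost', $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient('localhost')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "HTTPS ok ($($ssl.SslProtocol)): subject=$($cert.Subject) issuer=$($cert.Issuer) expires=$($cert.NotAfter) validation=$script:tlsErrors"
    if ($script:tlsErrors -ne 'None') {
        $failures += "certificate not trusted by this host ($script:tlsErrors); replace the testing certificate before production use"
    }
    $ssl.Dispose(); $tcp.Close()
} catch {
    $failures += "no TLS listener on port ${port}: $($_.Exception.Message)"
}

if ($failures) { $failures | ForEach-Object { "FAIL: $_" } } else { 'All checks passed' }
```

The 'unprivileged user cannot open C:\TEMA' check is not scripted here because it needs a second set of credentials; the ACL check covers the same ground by confirming that no entry other than the three expected principals exists.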



Optional steps

Remove the 'dbcreator' role from your service user, and the 'create' permissions from your BES database, if you added them temporarily. TEMA needs them only while creating its database and installing its extensions; left in place, they let a compromised service account create or drop databases on the TEMA instance and add objects to the BES database.

  • Stop your TEMA server:
    • Navigate to Control Panel/Administrative Tools/Services
    • Double-click the Tivoli Endpoint Manager Analytics service.
    • Click 'Stop'
  • Open SQL Server Management Studio
  • Connect to the TEMA database server
  • Sign in as a database admin.
  • Navigate to 'Security/Logins'
  • Double-click the TEMA_svc_user login
  • Navigate to 'Server Roles'
  • Uncheck 'dbcreator'
  • Click 'OK'
  • Close the server connection
  • Connect to the BES database server
  • Sign in as a database admin.
  • Click 'New Query'
  • Enter the following, substituting your BES database name:
    use BFEnterprise;
    revoke CREATE SCHEMA from [TEMA_SERVER\TEMA_svc_user];
    revoke CREATE TABLE from [TEMA_SERVER\TEMA_svc_user];
    revoke CREATE VIEW from [TEMA_SERVER\TEMA_svc_user];
    revoke CREATE FUNCTION from [TEMA_SERVER\TEMA_svc_user];
  • Click 'Execute'. The Messages window should say 'Command(s) completed successfully'
  • Close the server connection
  • Restart your TEMA server:
    • Navigate to Control Panel/Administrative Tools/Services
    • Double-click the Tivoli Endpoint Manager Analytics service.
    • Click 'Start'
  • After the server starts, verify that TEMA is operating normally. If a later upgrade needs to create objects again, re-grant these permissions for the duration of the upgrade and revoke them afterwards.