ServiceDesk/Workflow General Security Best Practices
|Article:DOC6160|||||Created: 2012-10-31|||||Updated: 2012-11-02|||||Article URL http://www.symantec.com/docs/DOC6160|
- When selecting the authentication method for your SQL Server, use Window Authentication instead of SQL Authentication.
- Using Windows authentication is more secure, because the provided identity is confirmed by Windows instead of by SQL Server. Windows Authentication also allows for password policy enforcement, lockout, and expiration. For more information, see http://technet.microsoft.com/en-us/library/ms144284.aspx
- ServiceDesk allows for the selection of both an Installation account, which must be privileged as a machine and SQL administrator, and a Service account, which need not be privileged. Symantec recommends that you create a dedicated ServiceDesk Service account on your domain and grant it no special privileges. During ServiceDesk installation, the installer (using the provided privileged Installer account) will automatically grant all necessary machine and SQL privileges to the Service account. After that point, the privileged Installer account will not be used again and ServiceDesk will operate under the Service account.
- During ServiceDesk and Workflow installation, you are asked to provide an Administrator email address and password. In previous releases the default was “firstname.lastname@example.org” or “email@example.com.” Symantec recommends using a unique address and password for your organization, instead of relying on these defaults.
- Symantec recommends using SSL (https) when installing ServiceDesk or Workflow. SSL ensures that communications to and from the ProcessManager portal are encrypted.
- When using ServiceDesk inbound email monitoring or when building a custom process which retrieves email, Symantec recommends using the SSL features provided by your POP/IMAP email server. Using SSL for email monitoring ensures email contents are encrypted during transmission. Please note that most email servers use different ports for POP and IMAP when SSL in enabled.
- In ServiceDesk 7.5, the Workflow core introduced a change to improve default security for remote connections. By default, remote connections for actions such as deploying from a remote Workflow Designer or connecting Workflow Explorer to a remote server will now be disabled.
To Allow Remote Connections:
- On the Workflow Server, right-click on the Task Tray Tool and click Settings.
- In the Workflow Server section, click the ellipsis next to Workflow Server Configuration.
- In the General section, check Allow Remote Connections.
Symantec recommends disabling this property to not allow remote connections once you are finished deploying.
Article URL http://www.symantec.com/docs/DOC6160