The following suggestions protect Managed Reporting applications.
Secure Managed Reporting Administrator IDs. Make sure the Managed Reporting administrator ID has a password or that the default ID is removed. When Managed Reporting is first installed, the user ID with the value admin has no password and has administrator authorization privileges.
Secure Your Managed Reporting Repository from Unauthorized Access. Ensure that your WebFOCUS/basedir directory is only accessible by the WebFOCUS Client program. When your application server allows anonymous connections, this means that only the anonymous user service account should have read and write access to prevent the following security exposures:
During normal operation, the Managed Reporting Repository should only be accessed by the WebFOCUS Client. Depending on file permissions, it may be possible for users to circumvent WebFOCUS security and view or change sensitive repository information by using operating system features, such as network shares and Notepad. This situation should be avoided because sensitive information can be exposed, production reports can be altered, and Managed Reporting itself can be rendered inoperable. When this exposure has been eliminated, the site is considered to have implemented a secure Managed Reporting Repository.
The basic concept of a secure Managed Reporting Repository is simple: the effective ID of the WebFOCUS Client program is controlled so that it is the same for all user connections, and Managed Reporting Repository file system permissions are changed so that only this fixed ID is allowed access to the repository. An administrator group can also be configured with file system access to the repository for the purpose of copying files to its import directories, or for support and debugging purposes.
For details on how to secure your Managed Reporting Repository, see the WebFOCUS and ReportCaster Installation and Configuration manual for your platform.
Disable Self-Service Access to Managed Reporting Reports. The Publish feature allows developers to create launch pages for reports which can be run from outside of Managed Reporting. WebFOCUS allows these reports to be run without requiring a Managed Reporting session in order to provide a convenient way to leverage Managed Reporting content in self-service applications. You can disable this feature for increased security by setting MR_ANONYMOUS_RUN_ACCESS to NO, as described in Changing Managed Reporting Settings.
Encrypt all WebFOCUS Cookies and Increase Encryption Strength. By default, only the WF_COOKIE and MR_COOKIE are encrypted. You should set WF_ENCRYPT_USER to YES and set REDIRECT_COOKIE to ON so that all cookies are encrypted. You should also set WFENCR to one of the higher strength options or write a plug-in to call your own encryption routine for increased security.
Use an External Authentication Provider. There is no support for password expiration or complexity checks when using the built-in user directory included with Managed Reporting. Whenever possible, you should use one of the external authentication providers built-in to the Managed Reporting Realm Driver (for example, Active Directory, LDAP, Reporting Server operating system, Relational DBMS, JNDI Data Source).
Prevent Non-Managed Reporting Users From Accessing WebFOCUS Reporting Servers. You may want to configure WebFOCUS to allow access to the Reporting Servers to only those users who have already been authenticated to Managed Reporting. In the future, this will be a standard configuration option, easily set in the WebFOCUS Administration Console. See Technical Memo 4608: Limiting Reporting Server Access by Non-Managed Reporting Users, for a technique you can use to restrict access.
| WebFOCUS |