X1 Enterprise Edition lets users search enterprise data with desktop, mobile, or browser clients. The product provides a security design that:
- Can be installed without changes to the customer's existing Microsoft Windows security framework;
- Adds an additional layer of security to domains managed by Microsoft Active Directory;
- Results in a smaller index size than products from other vendors;
- Is extensible to data stores outside Microsoft Windows domains.
This paper explains how X1 Enterprise Edition security integrates seamlessly with an existing Microsoft network installation. It describes how X1 security features are configured and deployed, including web server security. It ends by showing how X1 and Microsoft Windows security layers work together at runtime.
Microsoft Windows Environment
This paper assumes that X1 Enterprise Edition has been deployed within a corporate Microsoft Windows environment, so that end-users, index data, and raw data all reside within the logical bounds of a Microsoft Windows domain managed by Microsoft Active Directory.
In a Microsoft Windows environment, X1 Enterprise Edition takes advantage of the security facilities offered by the Microsoft Windows file servers, Microsoft Active Directory infrastructure, and the Microsoft Internet Information Services (IIS) web application server platform.
All the components in the diagram below must be present for X1 Enterprise Edition to operate in a secure fashion.
X1 Security Layers
To determine whether a user is authorized to receive a search result, X1 combines several layers of security, verifying the credentials of the user's search query against the combined security rules of all layers.
Windows File Permissions
If a user is not able to open a file using the standard Microsoft Windows file explorer, X1 assumes that the user is not authorized to access the data stored in the file.
Windows file permissions are controlled by the security settings that have been applied to the file or to the directory that contains the file. These are settings that the IT administrator sets on the file server, from which X1 reads and indexes data.
These file permissions are managed directly (that is, outside the X1 system), using the standard Microsoft Windows file-security management tools. These tools are a standard part of the Microsoft Windows operating system and are accessed through the Microsoft Windows file explorer.
When X1 Enterprise Edition indexes a file from the customer's file server, it retrieves the list of allowed and denied users and groups associated with the file. This information is stored as part of the index. It is used to guarantee that the credentials of the user (or process) issuing a query match the allowed list (and do not match the denied list) for each item returned in an X1 result list.
Server Share Security
X1 Enterprise Edition reads data from a file server on the network through a server share. A server share is a directory on the file server that has been made available (that is, has been "shared") by the administrator of the server, so that external users and computers can access the files stored in it.
This is done using the standard Microsoft Windows directory sharing capabilities, available through the Windows file explorer.
A Microsoft Windows file server share is created in three steps:
1. Right-click a directory and select "Sharing and Security".
2. Name the new share.
3. Assign user and group security (that is, define Allow and Deny lists for the share).
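The result trimming described above (per-item Allow and Deny lists stored in the index, with the share and file layers combined at query time) can be illustrated with the following Python model. This is an added example, not X1's code: the class and function names, the principal names, the sample paths, and the rule that an explicit Deny overrides any Allow are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Allow and Deny lists as they would be captured for one object
    (a file or a share) during indexing. Principals are user or group names."""
    allow: set
    deny: set = field(default_factory=set)

    def grants(self, principals):
        # Assumption: an explicit Deny on the user or any of their groups
        # wins over any Allow; otherwise one allowed principal is enough.
        if principals & self.deny:
            return False
        return bool(principals & self.allow)


@dataclass
class IndexedItem:
    """One indexed document with the two permission layers stored beside it."""
    path: str
    share_acl: Acl   # server share layer
    file_acl: Acl    # Windows file/directory permission layer


def effective_principals(user, groups):
    """The set of identities the query is evaluated against: the user plus groups."""
    return {user} | set(groups)


def trim_results(hits, user, groups):
    """Return only the paths the querying user may see.
    Every layer must grant access for an item to appear in the result list."""
    principals = effective_principals(user, groups)
    return [h.path for h in hits
            if h.share_acl.grants(principals) and h.file_acl.grants(principals)]


# Constructed sample index: placeholder paths and placeholder AD group names.
SAMPLE_INDEX = [
    IndexedItem(r"\\FS01\Finance\budget.xlsx",
                Acl(allow={"Domain Users"}), Acl(allow={"Finance"})),
    IndexedItem(r"\\FS01\Finance\bonus.xlsx",
                Acl(allow={"Domain Users"}),
                Acl(allow={"Finance"}, deny={"Contractors"})),
    IndexedItem(r"\\FS01\HR\reviews.docx",
                Acl(allow={"HR"}), Acl(allow={"Domain Users"})),
]

if __name__ == "__main__":
    print(trim_results(SAMPLE_INDEX, "alice", ["Domain Users", "Finance"]))
```

A contractor who is also in Finance sees budget.xlsx but not bonus.xlsx, because the file-level Deny for Contractors overrides the Allow for Finance; a user in HR only is stopped at the file layer of reviews.docx even though the share layer grants access.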
When X1 Enterprise Edition reaches out to retrieve files during the indexing process, it presents its own credentials to the file server. These credentials are also known as the "Run As Account" of the X1Server Windows Service.
To see the credentials ("Run As Account") of the X1Server process, do the following:
1. Click Start > Control Panel > Administrative Tools > Computer Management.
2. Right-click the X1 Enterprise Server service and select "Properties".
3. Click the "Log On" tab of the dialog box.
In most cases, the default setting of "Local System Account" will not be used, since it allows X1 Enterprise Edition to index only data that resides on the local server.