File System Security

To analyze the overall system security of 3DOrchestrate, you should consider the security of the local file system of the 3DOrchestrate Station computer.


The local file system is, in general, reachable by any simulation process job that executes on the station. A job can attempt to read or write any part of it, including network-attached drives mounted on the station computer.

It is important, therefore, to properly secure the local file system against inadvertent or malicious use by a job. From a file system security point of view, 3DOrchestrate Stations that use the run-as feature behave differently from stations running without run-as enabled, so the two configurations are described separately below.

File System Security Without Run-As

Without the station run-as feature, the 3DOrchestrate Station runs as a single process under the security identity of the user account that starts the station program. The station, and every job it executes, therefore has access to exactly the same set of files as that account.

If that user has complete access to the entire file system, all users that run jobs on that station also have access to that computer’s entire file system. Simulation process jobs on such a system can read or write any file, potentially including operating system files or private user data.

The first step in securing the file system in this environment is to use a dedicated, restricted user account (username/password) to run the 3DOrchestrate Station process. The restricted user should be given access only to the parts of the file system needed for proper operation of the station and the jobs that run there. In general, this setup requires read access to basic operating system files, read access to the 3DOrchestrate Station installation directories, and read/write access to the 3DOrchestrate Station temporary directory. The account should not have write access to the installation directories, and it should have no access at all to files that jobs have no reason to touch.

The temporary directory can be specified in the Temp Directory property of the station configuration UI or in the fiper.station.tempdir property in the properties file. It is best to specify a custom location rather than using the default, which is the user's own temporary directory, so that the directory's permissions can be set and audited independently of whatever else uses that location.

The station keeps all work-in-progress files in the temporary directory. To prevent access to these files, that directory should be restricted such that only the dedicated station user account has read/write access to it. All other users should have no access to this directory. This arrangement prevents other users who log on to the station computer from reading work-in-progress files.

In this environment a running job cannot be prevented from accessing another user's unrelated work-in-progress files. All work-in-progress files are created by the same dedicated account, so all of them are readable and writable by any other running job. Reaching them takes some explicit effort, because each job's files are kept in a separate subdirectory, but the separate subdirectories are an obstacle, not a security boundary. The station run-as security feature should be used to prevent this type of file access.

File System Security With Run-As

When the station run-as feature is enabled, each user’s work is executed in that user’s security context. Access to files on the station computer will be dictated by the file system permissions of the end-user who submitted the simulation process.

In general, the station computer must be configured to allow read access for all users to parts of the file system needed to run the station program, which includes the basic operating system files and the station software installation directory. The system administrator can choose to make these directories readable for all users or only for those users that will be executing jobs on the station. The station installation directory should not be configured with write permission for users running jobs.

The station will keep all work-in-progress files in the temporary directory. Within that directory, each substation (user) will create a subdirectory with permissions that allow access only by the submitting user. This prevents one user’s job from accessing work-in-progress files from another user’s job.

The station should be configured with an explicit temporary directory by specifying the directory path in the Temp Directory property of the station configuration UI or in the fiper.station.tempdir property in the properties file.

On Windows stations, this directory should be configured with the following permissions for all users that will run jobs on the station:

  • read

  • write

  • execute

  • create folders

  • create files

Note: On Windows you can grant all the necessary permissions using the Modify option available from the Security tab on the directory’s Properties dialog box.

All other users should have no access to this directory, to prevent casual users logged on to the computer from listing or reading work-in-progress files. If the computer is physically secure or there is no threat from logged-on users, these permissions can be granted to all users; the per-user subdirectories created by each substation remain protected by their own permissions either way.
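The following script is an added example, not part of the 3DOrchestrate documentation or product. It shows how the temporary-directory rules from both sections above (the private directory for a dedicated station account without run-as, and the shared directory with a private subdirectory per job user with run-as) translate to a Linux/UNIX station, writes the fiper.station.tempdir property, and audits the result so that a world-readable directory is caught before jobs run. The service account name, the job-users group and the properties file path are hypothetical, and mode 1770 on a group-owned directory is this example's assumption for the closest UNIX analogue of the Windows "Modify" grant described above.

```shell
#!/bin/sh
# Added example (not from the 3DOrchestrate documentation or product).
# Hypothetical names: service account "orchstation", job-users group
# "orchjobs", properties file /opt/3dorchestrate/station.properties.

# First ten characters of the ls(1) mode string, e.g. "drwx------".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Without run-as: only the dedicated station account may enter the
# temporary directory; group and other get nothing. Prints the mode string.
setup_private_tempdir() {        # $1 = directory, $2 = station account
    mkdir -p "$1"
    chown "$2" "$1"
    chmod 700 "$1"
    perm_string "$1"
}

# With run-as: every member of the job-users group may create entries,
# "other" gets nothing, and the sticky bit stops users from deleting or
# renaming each other's subdirectories. (Assumed UNIX analogue of the
# Windows "Modify" grant for job users described on this page.)
setup_shared_tempdir() {         # $1 = directory, $2 = job-users group
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 1770 "$1"
    perm_string "$1"
}

# What a substation does inside the shared directory: a subdirectory that
# only the submitting user can enter or read. Run this as that user.
create_user_workdir() {          # $1 = shared temp dir, $2 = job name
    mkdir -p "$1/$2"
    chmod 700 "$1/$2"
    perm_string "$1/$2"
}

# Point the station at the explicit temporary directory, replacing any
# existing fiper.station.tempdir line so the property is never duplicated.
set_tempdir_property() {         # $1 = properties file, $2 = directory
    { [ -f "$1" ] && grep -v '^fiper\.station\.tempdir=' "$1" > "$1.tmp"; } \
        || : > "$1.tmp"
    printf 'fiper.station.tempdir=%s\n' "$2" >> "$1.tmp"
    mv "$1.tmp" "$1"
    grep '^fiper\.station\.tempdir=' "$1"
}

# Audit the rules from the page: "other" has no access to the temporary
# directory, and every work-in-progress subdirectory is private to its
# owner. Prints one line per problem and returns 1 if any were found.
audit_tempdir() {                # $1 = temp directory
    problems=0
    top=$(perm_string "$1")
    case "$top" in
        d??????---|d??????--T) ;;
        *) echo "PROBLEM: $1 is reachable by other users ($top)"; problems=1 ;;
    esac
    for sub in "$1"/*/; do
        [ -d "$sub" ] || continue
        p=$(perm_string "$sub")
        case "$p" in
            d???------) ;;
            *) echo "PROBLEM: ${sub%/} is readable by other users ($p)"; problems=1 ;;
        esac
    done
    [ "$problems" -eq 0 ] && echo "ok: $1 passes"
    return "$problems"
}

# Stand-alone demonstration on a scratch directory; no root needed because
# the current user and group stand in for orchstation and orchjobs.
demo() {
    scratch=$(mktemp -d)
    # Station without run-as: one private directory for the service account.
    setup_private_tempdir "$scratch/station-tmp" "$(id -un)"
    set_tempdir_property "$scratch/station.properties" "$scratch/station-tmp"
    audit_tempdir "$scratch/station-tmp"
    # Station with run-as: shared directory, one private subdirectory per job.
    setup_shared_tempdir "$scratch/runas-tmp" "$(id -gn)"
    create_user_workdir "$scratch/runas-tmp" "job-alice-1"
    create_user_workdir "$scratch/runas-tmp" "job-bob-7"
    audit_tempdir "$scratch/runas-tmp"
    # A work directory left world-readable, as the page warns against, fails.
    chmod 755 "$scratch/runas-tmp/job-bob-7"
    audit_tempdir "$scratch/runas-tmp" || echo "(failure above is expected)"
    rm -rf "$scratch"
}
demo
```

On a production station, run setup_private_tempdir or setup_shared_tempdir as root with the real account and group names, then schedule audit_tempdir to run periodically: a job that changes the mode of its own work directory, or an administrator who relaxes the top-level permissions "temporarily", shows up as a PROBLEM line rather than as a silent disclosure.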