Initial InterSystems Security Settings
During installation, there is a prompt for one of three sets of initial security settings: Minimal, Normal, and Locked Down. This selection determines the initial authorization configuration settings for InterSystems services and security, as shown in the following sections:
If you select Normal or Locked Down for your initial security setting, you must provide additional account information to the installation procedure. If you are using Kerberos authentication, you must select Normal or Locked Down mode. See the Configuring User Accounts section for details.
Important:
If you are concerned about the visibility of data in memory images (often known as core dumps), see the section Protecting Sensitive Data in Memory Images in the “System Management and Security” chapter of the Security Administration Guide.
Initial User Security Settings
The following tables show the user password requirements and settings for predefined users based on which security level you choose.
Initial User Security Settings

Security Setting               Minimal   Normal    Locked Down
Password Pattern               3.32ANP   3.32ANP   8.32ANP
Inactive Limit                 0         90 days   90 days
Enable _SYSTEM User            Yes       Yes       No
Roles assigned to UnknownUser  %All      None      None
You can maintain both the password pattern and inactive limit values from the System > Security Management > System Security Settings > System-wide Security Parameters page of the System Management Portal. See the System-wide Security Parameters section of the “System Management and Security” chapter of the Security Administration Guide for more information.
After installation, you can view and maintain the user settings at the System > Security Management > Users page of the System Management Portal.
Password Pattern
When InterSystems IRIS is installed, it has a default set of password requirements. For locked-down installations, the initial requirement is that a password be from 8 to 32 characters, and can consist of alphanumeric characters or punctuation; the abbreviation for this is 8.32ANP. Otherwise, the initial requirement is that the password be from 3 to 32 characters, and can consist of alphanumeric characters or punctuation (3.32ANP).
Inactive Limit
This value is the number of days an account can be inactive before it is disabled. For minimal installations, the limit is set to 0 indicating that accounts are not disabled, no matter how long they are inactive. Normal and locked-down installations have the default limit of 90 days.
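The two settings above are easy to misread, so here is an added example (not part of the InterSystems documentation) that models them in Python: it parses the page's pattern notation (min.max followed by the permitted classes A, N, P), checks candidate passwords against the Minimal/Normal/Locked Down defaults, and evaluates the inactive limit with 0 meaning "never disable". The set of characters treated as punctuation is an assumption (Python's string.punctuation); the page does not define it.

```python
import re
import string
from datetime import date

# Pattern notation as described on the page: "<min>.<max>" then the permitted
# character classes, A = alphabetic, N = numeric, P = punctuation.
PATTERN_RE = re.compile(r"^(\d+)\.(\d+)([ANP]+)$")

# Assumption: string.punctuation stands in for whatever IRIS counts as "P".
CLASS_CHARS = {
    "A": set(string.ascii_letters),
    "N": set(string.digits),
    "P": set(string.punctuation),
}

# Initial values from the "Initial User Security Settings" table.
INITIAL_SETTINGS = {
    "Minimal":     {"pattern": "3.32ANP", "inactive_limit_days": 0},
    "Normal":      {"pattern": "3.32ANP", "inactive_limit_days": 90},
    "Locked Down": {"pattern": "8.32ANP", "inactive_limit_days": 90},
}


def parse_pattern(pattern):
    """Return (min_len, max_len, allowed_chars) for a pattern such as '8.32ANP'."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unrecognised password pattern: {pattern!r}")
    lo, hi, classes = int(m.group(1)), int(m.group(2)), m.group(3)
    if lo > hi:
        raise ValueError("minimum length exceeds maximum length")
    allowed = set()
    for cls in classes:
        allowed |= CLASS_CHARS[cls]
    return lo, hi, allowed


def password_matches(password, pattern):
    """True if the password satisfies both the length range and the character classes."""
    lo, hi, allowed = parse_pattern(pattern)
    if not lo <= len(password) <= hi:
        return False
    return all(ch in allowed for ch in password)


def check_password_against_levels(password):
    """Map each initial security level to whether the password would be accepted."""
    return {level: password_matches(password, s["pattern"])
            for level, s in INITIAL_SETTINGS.items()}


def account_should_be_disabled(last_login, today, limit_days):
    """Inactive-limit rule: disabled once inactive for more than limit_days.
    A limit of 0 means accounts are never disabled for inactivity."""
    if limit_days == 0:
        return False
    return (today - last_login).days > limit_days


if __name__ == "__main__":
    # Constructed sample values, not taken from any real instance.
    print(check_password_against_levels("sys"))        # accepted only below Locked Down
    print(check_password_against_levels("Corr3ct!h"))  # accepted everywhere
    stale = date(2018, 12, 1)
    print(account_should_be_disabled(stale, date(2019, 3, 21), 90))
```

The point the example makes: a three-character, all-letter password passes the Minimal and Normal defaults, and only Locked Down rejects it, so an instance installed with the default 3.32ANP pattern needs that value raised on the System-wide Security Parameters page before accounts are handed out.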
Enable _SYSTEM User
InterSystems IRIS creates the following predefined users, using the password you provide during the installation: _SYSTEM, Admin, SuperUser, CSPSystem, and the instance owner (the installing user on Windows and the username specified by the installer on other platforms). The _SYSTEM account is enabled for Minimal and Normal installations and disabled for Locked Down installations.
For more details on these predefined users, see the Predefined User Accounts section of the “Users” chapter of the Security Administration Guide.
Roles Assigned to UnknownUser
When an unauthenticated user connects, InterSystems IRIS assigns a special name, UnknownUser, to $USERNAME and assigns the roles defined for that user to $ROLES. With a Minimal-security installation, UnknownUser is assigned the %All role; with Normal or Locked Down, UnknownUser has no roles.
For more details on the use of $USERNAME and $ROLES, see the Users and Roles chapters of the Security Administration Guide.
Initial Service Properties
Services are the primary means by which users and computers connect to InterSystems IRIS. For detailed information about the InterSystems services see the Services chapter of the Security Administration Guide.
Initial Service Properties

Service Property            Minimal   Normal   Locked Down
Use Permission is Public    Yes       Yes      No
Requires Authentication     No        Yes      Yes
Enabled Services            Most      Some     Fewest
Use Permission is Public
If the Use permission on a service resource is Public, any user can employ the service; otherwise, only privileged users can employ the service.
Requires Authentication
For installations with initial settings of locked down or normal, all services require authentication of some kind (Instance Authentication, operating-system–based, or Kerberos). Otherwise, unauthenticated connections are permitted.
Enabled Services
The initial security settings of an installation determine which of certain services are enabled or disabled when InterSystems IRIS first starts. The following table shows these initial settings:
Initial Enabled Settings for Services

Service                 Minimal    Normal     Locked Down
%Service_Bindings       Enabled    Enabled    Disabled
%Service_CacheDirect    Enabled    Disabled   Disabled
%Service_CallIn         Enabled    Disabled   Disabled
%Service_ComPort        Disabled   Disabled   Disabled
%Service_Console*       Enabled    Enabled    Enabled
%Service_ECP            Disabled   Disabled   Disabled
%Service_Monitor        Disabled   Disabled   Disabled
%Service_Telnet*        Disabled   Disabled   Disabled
%Service_Terminal†      Enabled    Enabled    Enabled
%Service_WebGateway     Enabled    Enabled    Enabled

* Service exists on Windows servers only
† Service exists on non-Windows servers only
After installation, you can view and maintain these services at the System > Security Management > Services page of the System Management Portal.
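Because services can be re-enabled after installation, the table above is most useful as a baseline to audit against. The following is an added example in Python, not InterSystems code: it encodes the table, drops the services that do not exist on the given platform (per the footnotes), and reports where an observed set of service states has drifted from the baseline for a chosen security level. The observed states are a constructed sample; how you export them from a real instance (the Services page, or a script) is outside the example.

```python
# Initial enabled state per security level, from the page's
# "Initial Enabled Settings for Services" table.
BASELINE = {
    "%Service_Bindings":    {"Minimal": True,  "Normal": True,  "Locked Down": False},
    "%Service_CacheDirect": {"Minimal": True,  "Normal": False, "Locked Down": False},
    "%Service_CallIn":      {"Minimal": True,  "Normal": False, "Locked Down": False},
    "%Service_ComPort":     {"Minimal": False, "Normal": False, "Locked Down": False},
    "%Service_Console":     {"Minimal": True,  "Normal": True,  "Locked Down": True},
    "%Service_ECP":         {"Minimal": False, "Normal": False, "Locked Down": False},
    "%Service_Monitor":     {"Minimal": False, "Normal": False, "Locked Down": False},
    "%Service_Telnet":      {"Minimal": False, "Normal": False, "Locked Down": False},
    "%Service_Terminal":    {"Minimal": True,  "Normal": True,  "Locked Down": True},
    "%Service_WebGateway":  {"Minimal": True,  "Normal": True,  "Locked Down": True},
}

# Platform footnotes from the table.
WINDOWS_ONLY = {"%Service_Console", "%Service_Telnet"}
NON_WINDOWS_ONLY = {"%Service_Terminal"}


def expected_services(level, platform):
    """Baseline {service: enabled} for one level, restricted to services
    that exist on the platform ('windows' or 'other')."""
    expected = {}
    for name, by_level in BASELINE.items():
        if platform == "windows" and name in NON_WINDOWS_ONLY:
            continue
        if platform != "windows" and name in WINDOWS_ONLY:
            continue
        expected[name] = by_level[level]
    return expected


def audit_services(observed, level, platform="other"):
    """Compare observed {service: enabled} against the baseline.

    unexpected_enabled is the risk-bearing direction (a service the baseline
    leaves off has been turned on); the other lists help spot incomplete exports
    or services the table does not cover."""
    expected = expected_services(level, platform)
    report = {"unexpected_enabled": [], "unexpected_disabled": [],
              "missing": [], "unknown": []}
    for name, should_be_on in expected.items():
        if name not in observed:
            report["missing"].append(name)
        elif observed[name] and not should_be_on:
            report["unexpected_enabled"].append(name)
        elif should_be_on and not observed[name]:
            report["unexpected_disabled"].append(name)
    report["unknown"] = [n for n in observed if n not in expected]
    for key in report:
        report[key].sort()
    return report


# Constructed sample: a non-Windows instance installed as Locked Down, where
# %Service_Bindings and %Service_CallIn were later enabled and the Web Gateway
# service was switched off.
SAMPLE_OBSERVED = {
    "%Service_Bindings": True,
    "%Service_CacheDirect": False,
    "%Service_CallIn": True,
    "%Service_ComPort": False,
    "%Service_ECP": False,
    "%Service_Monitor": False,
    "%Service_Terminal": True,
    "%Service_WebGateway": False,
}

if __name__ == "__main__":
    for key, names in audit_services(SAMPLE_OBSERVED, "Locked Down").items():
        print(f"{key}: {names}")
```

Running the audit against the sample flags %Service_Bindings and %Service_CallIn as enabled beyond the Locked Down baseline, which is the finding a reviewer would want to raise with whoever administers the instance.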
Configuring User Accounts
If you select Normal or Locked Down for your initial security setting, you must provide additional information to the installation procedure:
  1. User Credentials for Windows server installations only — Choose an existing Windows user account under which to run the InterSystems service. You can choose the default system account, which runs InterSystems IRIS as the Windows Local System account, or enter a defined Windows user account.
    Important:
    If you are using Kerberos, you must enter a defined account that you have set up to run the InterSystems service. InterSystems recommends you use a separate account specifically set up for this purpose as described in the Creating Service Principals for Windows InterSystems IRIS Servers section.
    If you enter a defined user account, the installation verifies the following:
  2. InterSystems IRIS Users Configuration for Windows installations — The installation creates an InterSystems IRIS account with the %All role for the user that is installing InterSystems IRIS to grant that user access to services necessary to administer InterSystems IRIS.
    Owner of the instance for non-Windows installations — Enter a username under which to run InterSystems IRIS. InterSystems IRIS creates an account for this user with the %All role.
    Enter and confirm the password for this account. The password must meet the criteria described in the Initial User Security Settings table.
    Setup creates the following InterSystems IRIS accounts for you: _SYSTEM, Admin, SuperUser, CSPSystem, and the instance owner (installing user on Windows or specified user on other platforms) using the password you provide.
Important:
If you select Minimal for your initial security setting on a Windows installation, but InterSystems IRIS requires network access to shared drives and printers, you must manually change the Windows user account under which to run the InterSystems service. Choose an existing or create a new account that has local administrative privileges on the server machine.
The instructions in the platform-specific chapters of this book provide details about installing InterSystems IRIS. After reading the Security Administration Guide introduction and following the procedures in this section, you are prepared to provide the pertinent security information to these installation procedures.
Copyright © 1997-2019 InterSystems Corporation, Cambridge, MA
Content Date/Time: 2019-03-21 08:37:19