There are two types of integrity to consider:

Confidentiality is all about keeping secrets. Some common methods to help ensure confidentiality are:

For example, if a Human Resources system requires storing Social Security numbers in a database, the application accessing the database and database itself must enforce authentication (users) and authorization (roles) to prevent unauthorized users from accessing that data. However, where most organizations get into trouble is by shrugging off the fact that the database administrator (DBA) as well as the local Administrators group have access (by default the Local Administrators group is added to the sysadmin role in SQL Server). This means that not only can the DBA access the Social Security numbers, but additionally every domain administrator can as well (if the local Administrators' group hasn't been removed from the dbo role in SQL Server and the SQL Server is a domain member). This is when encryption at the data column level must be deployed to prevent those who have access but are not authorized to see the information from doing so. Additionally the Local Administrators' group should be removed from the sysadmin role within SQL Server and replaced with a domain group that represents the SQL DBAs.

In order for an organization to know what data is confidential, it's important to go through a data classification process where all the information within a company is given a classification label (for example, Business Sensitive, Business Confidential, and so on.). Government agencies often already have these classifications defined. Once the information is classified, appropriate controls can be applied to protect data based on policy.

This concept is straightforward: If the data is not available for some reason, this tenant has been violated. Some examples of availability problems:

Initially, it may not be obvious what availability has to do with information security but when you consider different scenarios, it becomes apparent why availability is in the definition of information security. Consider a business that strictly relies on the Internet, such as an e-commerce company. Every minute the Web site is down, that company is losing potential customers, sometimes permanently as consumers may switch to another, more reliable e-commerce Web site, causing major financial losses. Also consider the military — if a network or system that directly supports soldiers in the field goes down, it could limit their effectiveness or even cost lives. Some ways to protect systems against availability issues:

Also, more extreme scenarios need to be considered. Does the organization have a Business Continuity Plan/disaster recovery plan? How long would an organization survive if the primary networking facility became unavailable for an extended period of time or permanently (for example, fire, hurricane, and so on)? Would the business recover? Chapter 18 will delve more into disaster recovery with K2 blackpearl.

One potential way of mitigating a long term availability failure with K2 blackpearl is by having a backup manual process that doesn't rely on any IT systems. This, of course, would require up-to-date available physical paper copies of any forms needed for a given process. This could allow an organization to function, at least partially, without the system or network for perhaps a few days if needed. It's also critical that employees are familiar with the alternate manual process as well as the automated one. Finally, a method for importing the outcomes of the manual process into the system after it's been restored would be necessary. Certain core features may be missing while it's offline, such as calculations or inventory lookups, so it might not be possible to have a full manual functioning process. This requires careful thought and planning.

It's worth noting that certain types of organizations may focus on one tenant more than the others. For example, the military would be most concerned with confidentiality of information and a financial institution may be more interested in protecting data integrity. This isn't to say that the other tenants of security aren't important or are ignored, it's just that one may stand out as clearly more critical to protect to the organization.

There is also another common security triad used in information security that doesn't completely fall under the CIA Triad that is important for organizations to understand as well. These are authentication, authorization, and accounting (auditing), often called AAA or Triple A.

Applying AAA throughout the organization helps protect information assets and additionally provides a way to validate (audit) that assets are protected, or if a breach has occurred or has been attempted.

K2 blackpearl has many features to help facilitate AAA and CIA. Additionally, good software development practices and proper architecture planning and configuration can improve the implementations of CIA and AAA.

There's no such thing as 100% security.^[15] Or to phrase it another way, there's no such thing as zero risk, so this should not be the goal of information security. Every organization has a threshold of what is an acceptable loss if any of the tenants of the CIA Triad described earlier are violated. A better, more realistic goal is to calculate, estimate, or "ballpark" the level of risk to an enterprise's assets and attempt to lower the risk to these to an acceptable level. Before going any further it's important to mention that there are entire books written on the topic of risk analysis and by no means will the couple of paragraphs here attempt to be exhaustive, but instead hope to convey a framework for thinking about the information security of these systems and how much effort should be applied to a system's security.

Risk analysis helps an organization prioritize where to direct their information security programs based on the goals and priorities of the business itself. Without risk analysis, the security functions within an organization will choose priorities and goals whether they align with the priorities of the business or not; this disconnect can often cause conflict and even confusion within the organization as the functional business units clash with the security controls forced onto the organization. This often results in asymmetric and sometimes odd security policies and controls, and the inconsistent enforcement of security rules imposed on an organization. This isn't to say that when the business priorities align with the security functions of an organization that the security policy and controls won't cause friction within the organization. However, a strong case can be made for such policies and security controls, and thus it will be easier to get buy-in from management as well as support from the employees within the organization. It's important to have a basic, employee-targeted security training program because without it users may be lax or resistant to security controls if they don't understand why they have been put in place.

There are two common approaches to risk analysis — quantitative risk analysis and qualitative risk analysis:

This brief introduction on risk assessment aside, the important thing to understand about risk analysis is this: One of the main goals is to help direct the focus to the items requiring the most attention — those items that are most valuable and have the highest risk. Understanding which assets have higher values/higher risks prevents the wasting of time and money on systems with either little value or on items with low risk. Then time and effort can be put towards administrative controls — that is, the policies, procedures, standards, guidelines, logical or technical controls that are software based, and finally physical controls that protect the IT infrastructure from physical threats in the real world.

This brings us back to K2 blackpearl. Depending on the particulars of a K2 blackpearl implementation in a given environment, it stands to reason that the K2 blackpearl system can have data from just about any system in an enterprise pass through it and/or be stored within it. It also could potentially contain the credentials to pull data from back-end systems as well. Since data from many different systems can be accessible to or stored within K2 blackpearl and a large part of the enterprise may rely on it to function, it has the potential to be a highly valued asset with many potential risks.

All this to say: Because of the type of data potentially moving through K2 blackpearl and the heavy reliance on K2 as a core system within an enterprise, an organization cannot afford to gloss over the security of such an important core piece of technology, K2 blackpearl, including the systems that K2 blackpearl interacts with and are dependent on.

While risk assessments can help guide the security posture and the safeguards placed on particular IT systems, there are other factors that will require additional due care to be taken with IT systems — namely the Security Policy as well as laws and/or regulations that apply to a particular industry, public corporation, or government organization.

Get organized! Take the time to plan, document, and map out the K2 blackpearl deployment taking care to include all the software that will integrate with K2 blackpearl, be it Windows SharePoint Server 3.0 (WSS/MOSS), SQL Reporting Services 2005, IIS, and so on . Your organization may already have guidelines for systems documentation requirements. If so, start with those. However, they may not be exhaustive, so it will be helpful to add additional information.

The documentation will start with the deployment plan and architectural template discussed in Chapter 5. Additionally, it will be helpful to document all the additional pieces of information needed to set up and configure the entire infrastructure from scratch. This will also be critical for Business Continuity/disaster recovery (see Chapter 18 for more information on disaster recovery). The K2 blackpearl Installation Guide in the K2 blackpearl documentation also contains an Excel Workbook to document the installation process.

The following list contains information that will be helpful to document. This list is not exhaustive, but will provide a good starting point:

If unfamiliar with the K2 blackpearl installation process and configuration, invest in the time to become familiar with it by installing it on a virtual PC first, taking care to test the installation process, permissions required to install, how the product handles security internally, and operating system privileges required for the proper functioning of the system. Virtualization provides rollback abilities so mistakes can be undone, which can save time if problems are encountered while getting familiar with the software. This virtual image will serve as the proof of concept for an actual deployment and a playground for trying new things, patches, configuration settings, and so on. It's critical to have a level of competence and comfort with software before deploying it on any system for consumption, be it a development, staging, or production system. Once the system has been deployed and adopted, it is often difficult or impossible to make major changes to the installation since it may affect the availability of the system, meaning your organization may have to live with any mistakes you make during deployment.

Familiarity with the software, good documentation, and planning reduces the possibility of making mistakes during the final production installations (including test and/or staging environments) and assists with avoiding skipping important steps in the installation and securing process. This process will also serve to create an architecture diagram of the entire installation, which is often required as part of a project anyway but is often missing. Not only will this documentation assist in troubleshooting, but it will also help other administrators to understand what's been installed, how it's configured, what accounts are used, and what other dependent systems are involved. This will facilitate understanding of the K2 system and all its interdependencies, improving the organization's ability to troubleshoot issues, especially in the situation where the individual who integrated the servers into the environment is unavailable for some reason. Additionally, take extensive notes during the installation, documenting every step. Complete documentation on how to install and configure each software component as well as each server as it has been configured in the environment will aid in disaster recovery/Business Continuity plans.

If the availability of the K2 workflow engine affects an organization's ability to complete one of its core business functions and ends up creating a work stoppage, financial losses may result. Good up-to-date documentation and training at least one other administrator on the K2 blackpearl deployments is critical. For example, assume that the K2 server goes down and there are 75 users sitting with nothing to do, that is, orders aren't getting processed or customers aren't receiving the support or attention they need. If administrators are unable to bring the system back online because the one who did the installation and configuration is on vacation or was a consultant, that can potentially lead to real problems. Since availability is one of the core tenants of security, an unavailable system is classified as a security threat and should be taken into account during the risk assessment, and work should be done to mitigate it to reduce downtime. To help mitigate such risks, it's critical that multiple administrators understand how the K2 system has been integrated into their environment, what servers are involved, and what accounts are used to run the services, and how everything is configured. Also, a solid regularly updated and validated disaster recovery plan should be in place that includes all of the documentation created as part of the installation and system hardening process.

Finally, this documentation will serve as a checklist for all the items that need to be configured and the areas to focus on when securing.

After having planned and mapped out the K2 blackpearl installation and installation completes successfully, the final step is to harden, or increase the security, of all the servers and services that have been installed. Depending on the architectural template chosen, there may be only one server to harden or several.

There are industry and government standards for hardening operating systems, with varying levels of protections to implement depending on what the system is used for and the types of information available to the system. Initially, this process can be time-consuming and somewhat overwhelming. The goal is to automate this process as much as possible so it's repeatable and can be done quickly. Once the task is completed, schedule to resecure it on an ongoing basis because over time security settings often are removed or changed by administrators or application patches. If a security configuration change should be made permanent, don't forget to go back and update the documentation and automation files.

There are sources available on the Internet that have security checklists based on industry standards for configuring operating systems, networking equipment, application servers, and so on. By building up a library of Active Directory Group Policies, Security Templates, Registry files (.reg) and scripts, a system (for example, Web server, database server, K2 blackpearl server) can be realistically hardened in a reasonably short period of time. There is a learning curve to server hardening, so it's a skill that needs to be developed, but once an administrator has familiarity with the process, it doesn't take as much time.

There are security benchmarks and scoring tools available as well to help automate the scanning, detection, and configuring of systems. One place to download tools and checklists is The Center for Internet Security (www.cisecurity.org). The NSA and Department of Defense also have guides and checklists available online for the Gold and Platinum security standards for operating systems as well as Security Implementation Guides for server products. The Defense Information Systems Agency's guides are located at http://iase.disa.mil/stigs/index.html and the NSA guides are located at www.nsa.gov/snac.

Logging

The logging configuration is an important, but often overlooked step. Or if logging has been configured, it isn't monitored. Logs not only help you to troubleshoot issues, which is almost the only time they are reviewed, but they also can identify system attacks, potential availability issues, configuration problems, and other similar types of information. Log files should not be written to the application installation folders, as this often means the privileges within those folders need to be elevated. Instead, the log files should be configured to be on their own. Once the logging verbosity and file locations are configured appropriately, these folders also need to be secured. Only the service accounts for each corresponding service will need the ability to write to them. In order to prevent log tampering, no other accounts should be granted access to these folders except for administrators and the auditing group, if such a group exists within the organization. For the strictest environments, only the auditors should be configured to delete any logs. Administrators should only be granted Read permissions. The service account should be granted Modify or Full Control, depending on how the software manages its log files.

Also make sure the Audit Policy has been configured properly so important events are captured in the Application, Security, and System Event logs. Open the Local Security Settings (secpol.msc) MMC. Open Local Policies

Figure 16.1. Figure 16-1

The log files should be examined on a regular basis, including the Event logs. Anomalies and errors should be investigated and resolved.

For configuration details on K2 blackpearl logging, see Chapter 19.

Operating System Privileges

The following table documents the minimum operating system privileges needed to function for K2 blackpearl Service and the IIS Worker Process:

Account	Privilege
K2 Service Account	Requires the "Log on as a Service" privilege.
K2 Workspace Service Account	Adding this account to the IIS_WPG group will automatically grant it the operating system privileges needed for the K2 Workspace ASP.NET Web site to function.

To grant the "Log on as a Service" privilege:

1. Open the Local Security Settings (secpol.msc) MMC.

2. Open Local Policies

   

3. Add the K2 Service account to the list.

Figure 16-2 shows an example of the Local Security Policy settings.

Figure 16.2. Figure 16-2

The "Log on as a service" right should be granted automatically when setting the Credentials for K2 blackpearl server Service in the Services Console MMC.

File and Folder Permissions

The goal in securing the file system is to only allow the service accounts the minimum access to the folders and files required. Before installing any software, including the operating system, all drives should be formatted using the NTFS file systems.

If installing K2 blackpearl on another drive than %systemroot% (which is typically the C drive), remember that any additional drives created and formatted NTFS are granted excessive permissions. For example, if you are creating a new E drive, make sure to remove all the permissions on the root of that drive except SYSTEM and the local built-in Administrators' group. They should both have Full Control. When installing the software, the installer should set up the proper ACL's for each folder using the accounts specified. Then you manually need to add each service account as well to those drives with Read/Execute permissions.

The following table documents the file and folder-level permissions required for the K2 Service account on the K2 server:

Account	Rights	Folder
[a]
K2 Service Account	Full Control	%SYSTEMROOT% emp
K2 Service Account	Full Control	%ALLUSERSPROFILE%Application DataMicrosoftCryptoRSA [14]This setting is NOT typically needed. See the security footnote for a better workaround.
K2 Service Account	Read & Execute	%SYSTEMROOT%Microsoft.NETFrameworkv2.0.50727CONFIG
K2 Service Account	Read & Execute	[K2 Install Path]K2 blackpearl All subfolders and files, all K2 Logging should be configured to write to a folder outside of this path.
K2 Service Account	Modify	[K2 Install Path]K2 blackpearlHost ServerBinK2HostServer.config The service account needs write access to automatically encrypt connection strings in the K2HostServer.config file.
K2 Service Account	Create Folders	[K2 Install Path]K2 blackpearlHost ServerBin Important: Set the Apply onto drop-down to This folder only (Figure 16-3 shows how to configure this setting).
CREATOR OWNER	Full Control	[K2 Install Path]K2 blackpearlHost Serverin Important: Set the Apply Onto to Subfolders only When the K2 Service account creates the Work folder, it is the CREATOR OWNER. By granting this permission, it will have full control over the Work subfolder only.
[a] WARNING! Granting Full Control to the RSA folder is not recommended, but it will work around a problem created when switching the K2 User Account to run under a different user since the cryptographic key was created while running under the previous account. Instead of changing the ACLs on the RSA folder as the table suggests, fix the problem by reconfiguring the encrypted database connection string section in the K2HostServer.config file by replacing the encrypted section with a new unencrypted section. Then restart the K2 Service, this will trigger the creation of a new RSA cryptographic key with the correct permissions for the new K2 Service accountService account, and then it will rereencrypt the database connection string section.

Figure 16.3. Figure 16-3

The following table documents the permissions needed on the K2 Workspace Web server:

Account	Rights	Folder
[a]
Authenticated Users[15]	Read and Execute	[K2 Install Path]K2 blackpearlWorkspace
Authenticated Users[15]	Read and Execute	[K2 Install Path]K2 blackpearlWebServices
Authenticated Users[15]	Read and Execute	%SYSTEMROOT% emp
[a] If a subset of Domain Users will be using K2 blackpearl, create a group in Active Directory and assign that instead of Authenticated users. This is especially useful for the development and review environments as only a limited number of users should have access to them.

The following table documents the permissions needed on the SharePoint Web server:

Account	Rights	Folder
[a]
K2 Service Account	Full Control	%SYSTEMROOT% emp
K2 Service Account	Full Control	%ALLUSERSPROFILE%Application DataMicrosoftCryptoRSA
K2 Service Account	Full Control	%SYSTEMROOT%Microsoft.NETFrameworkv2.0.50727CONFIG
K2 Service Account	Write Access	%COMMONPROGRAMFILES%Microsoft Sharedweb server extensions12 Note: If installing SharePoint in a non-standard location, make sure to include that additional path.
Authenticated Users[16]	Modify	%COMMONPROGRAMFILES%Microsoft Sharedweb server extensions12 Note: If installing SharePoint in a non-standard location, make sure to include that additional path.
[a] If only a subset of Domain Users will be using K2 blackpearl and the corresponding SQL Reporting Services, create a group in Active Directory and assign that instead of Authenticated users. This is especially useful for the development and review environments as only a limited number of users should have access to them.

The following table documents the permissions needed on the SharePoint Web server:

Account	Rights	Folder
SharePoint Service Account	Modify	%SYSTEMROOT% emp
SharePoint Service Account	Write	%COMMONPROGRAMFILES%Microsoft Sharedweb server extensions12LayoutsFeatures
SharePoint Service Account	Write	%COMMONPROGRAMFILES%Microsoft Sharedweb server extensions12ISAPI

The following table documents the permissions needed on the SQL Reporting Services Web server:

Account	Rights	Folder
[a]
Authenticated Users[17]	Read and Execute	%SYSTEMROOT% emp
[a] If only a subset of Domain Users will be using K2 blackpearl and the corresponding SQL Reporting Services, create a group in Active Directory and assign that instead of Authenticated users. This is especially useful for development and review environments since only a limited number of users should have access.

K2 blackpearl comes with a service called the Discovery Service that allows the K2 Workspace or any component that makes an API call to discover the K2 blackpearl servers on the network. The Discovery Service listens on UDP Port 49599 (see DiscoveryService.config in the [K2 Install Path]k2 blackpearlHost Serverin folder to view or change the default port). When a component wants to discover the K2 servers in the environment, a call to the Discovery API will send out a broadcast datagram to the network. If the broadcast datagram is seen by the Discovery Service running on the K2 blackpearl Service, it will respond back directly to the system that initiated the broadcast and transmit the K2 blackpearl server's hostname, and Host Server port.

In environments with more stringent security requirements, it may be requested that this service be disabled so that it can't be discovered on the network. To disable the Discovery Service, simply remove the SourceCode.DiscoveryService.dll from the HostedServices in the [K2 Install Path]Host Serverin folder.

Security requirements for your specific environment may mandate the confidentiality of data that moves through a K2 blackpearl workflow. If personally identifiable information (PII) — for example, Social Security numbers, birth dates, personal names, and addresses — are fields within the processes or are used by SmartObjects, then communications should be encrypted over-the-wire. Additionally, corporate data or government data that has been assigned a security label — for example, Confidential, For Official Use Only (FOUO), and Sensitive — should also be taken into consideration when making the determination that data should be encrypted over-the-wire.

The architectural template chosen for the K2 blackpearl system architecture will affect the scope of what communication channels need to be encrypted. For example, if you are deploying a single server deployment where everything is installed on one server — K2 blackpearl, SQL Server, SQL Reporting Services, IIS, and WSS or MOSS — the only data that is transmitted over-the-wire will be the Web traffic from Web clients. In this scenario, only the Web traffic will need to be encrypted. However, if you are deploying the medium-scale architecture, there are more points of encryption that will be required.

There are a couple of different approaches that can be used to encrypt data communications for a given K2 topology — TLS/SSL and IPSec. All Web connectivity, including the Web services should use TLS/SSL Certificates, including K2 Workspace, Microsoft Office SharePoint, and SQL 2005 Reporting Services. Additionally all SQL Server connections can also be encrypted using SSL certificates. K2 blackpearl doesn't natively support encrypting its communication channels over-the-wire, so an add-on network encryption technology like IPSec can be used. IPSec is network encryption protocol that is available in Windows Server productions as well as Windows Desktop operating systems and can be used to encrypt data on specific ports and protocols. Additionally, third-party software and hardware can also be used to deploy IPSec communication between servers. Take care to not leave any significant gaps of unencrypted traffic when deploying IPSec with a hardware solution.

An additional layer of protection can be added by requiring Client Certificates on the Web Interfaces for SharePoint, SQL Reporting Services, and the K2 Workspace.

The specifics of how to configure SSL/TLS with IIS, and SQL Server and IPSec with K2 blackpearl are beyond the scope of this book.

See the following links for more information:

Additionally, for WSS 3.0 SSL Configuration, see the WSS 3.0 installation documentation.

K2 blackpearl comes with two authentication providers:

To help identify which authentication provider to use when assigning permissions or logging in, K2 blackpearl attaches a Security Label to the identity to associate specific credentials with a specific authentication provider. For example, the K2 SQL Provider uses the label K2SQL; the Active Directory Label uses the K2 prefix as the Security Label.

The K2 Workspace is a Web-based interface for K2 server Management. Access to the workspace should be granted based on the principal of least privilege.

By default, all areas of the Workspace are viewable by all users within the domain. To keep the administration overhead for the K2 Workspace permissions low, one approach would be to create a domain group for permissions in the K2 Workspace.

Navigate to the Workspace Permissions by clicking on the Security menu and selecting Workspace Permissions, as shown in Figure 16-4.

Figure 16.4. Figure 16-4

Figure 16-5 shows the left side menu where there is a list of the Workspace Components for which permissions are granted.

Figure 16.5. Figure 16-5

These items correspond with the top K2 Workspace Navigation Bar (see Figure 16-6).

Figure 16.6. Figure 16-6

The following table shows an example of a quick and easy way to setup the K2 Workspace Permissions:

Then add the domain groups and/or users using Active Directory Users & Computers that will need access to the required areas of the K2 Workspace.

The K2 Management Console is the primary interface for managing the K2 blackpearl server. This chapter will only cover the configuration options relating to Rights, Permissions, Users, and Roles. For in-depth coverage of the K2 Management Console, see Chapter 20 on the K2 Workspace and reporting.

Server Rights

The K2 server Rights (see Figure 16-7) provide an interface to add rights for K2 administrators, grant permissions for process designers, developers, and deployment users to export processes, and grant permission for users to impersonate other users.

Figure 16.7. Figure 16-7

Right	Description
Admin	This right allows the user to manage all aspects of the K2 Management Console; it also allows the repairing of processes, access to the reports, processes, and process instance data, and more. If it's in the K2 Workspace, the Admin right should grant access to it.
Export	Users with this right can deploy processes and SmartObjects to the K2 blackpearl server.
Can Impersonate	This right allows users to take actions on events within K2 blackpearl on behalf of another user.

The ability to impersonate another user is an important privilege within K2 blackpearl. For example, the SharePoint Service account needs to do things on behalf of SharePoint users, so it requires the right to impersonate a user to properly carry out its work on behalf of that user. Additionally, the Impersonate Right is also often required for server events that need to impersonate users to accomplish some task. Grant this privilege with care, as impersonation has the potential to violate CIA and AAA.

Process Rights

Process Rights (see Figure 16-8) grant users the ability to participate within a workflow.

The following table shows the five Process Rights. These rights are set on a per-process basis:

Figure 16.8. Figure 16-8

Permission	Description
Admin	Grants all of the rights below. Additionally is allows the management of the processes in the K2 Management Console. It also grants the ability to repair processes.
Start	Start a new instance of the process.
View	Allows the user to view any process instance for the process the permission is granted for, enabling reporting on the process in the K2 Workspace. The user is not able to participate in the process itself.
View Participate	Allows a participant in the process, for example, the user is defined as the destination user for one of the process activities, to view the details of the process instance. The user will only be able to access process reports and the activity instance once it has reached the activity for which they are a destination user.
Server Event	Asynchronous server events wait for a call-back from the external system to finish the server event. The user account used by the external system must be granted Server Event permissions for it to be allowed to finish the server event.

Process Action Rights

Each process allows specific rights to be assigned for each action that limit a user's interaction with activities or client events within an activity. These are called Process Action Rights (see Figure 16-9).

Figure 16.9. Figure 16-9

The following table describes the different Action Rights:

Action	Name
Allow	Allows the associated User/Group to view the activity or client event.
Denied	Prevents the associated User/Group from accessing the activity or client event.

K2 Server Roles

K2 server Roles (see Figure 16-10) allow the ability to create a server-level dynamic container of users that can be resolved at design time or at run time. These roles can then be assigned within a process (see Figure 16-11) to control different actor's roles within the workflow.

Figure 16.10. Figure 16-10

Take care when setting the role refresh interval. The interval sets the time interval that these roles will be repopulated with current account information from Active Directory. If the time interval is set too long, the accounts could become stale, and users that have been revoked access may still have access causing a breach in confidentiality, or new users that need access to the system won't have access affecting availability.

Figure 16.11. Figure 16-11

The Environment Library provides a flexible way to create and store environment specific settings, for example, connection strings, server names, configuration options, for use in multiple environments such as development and production.

The Environment Library templates can potentially contain sensitive information like server names, server usernames and passwords so it's important to apply the principal of least privilege when granted access to these settings. See Figure 16-12 for the Environment Library Template Security settings.

Figure 16.12. Figure 16-12

There are two Template Actions associated with the Environment Library Template Security listed in the following table:

Grant the developers and workflow designers, at minimum, the Read privilege to any Environment Library Templates that store environment information supporting the development environment they work with. Architects or developers who are in charge of designing and configuring the Environment Library Templates should be granted the Modify right for the development environment templates. If there are multiple environments for different projects under development, it is appropriate to partition those into different Environment Library Templates as well and only grant developers and process designers working on a specific project access to the corresponding Environment Library Templates.

For review/test environments, depending on how the organization is structured, test engineers may be responsible for configuring the review/test environment templates.

Finally, production environments should be set up and configured by the K2 server administrators who are responsible for supporting the production environment. Developers and test engineers should not have access to read or modify the templates on the production server, as an incorrectly configured environment template could potentially cause data integrity issues or availability issues.

SmartObjects have the ability to pull data from disparate systems and make them available through a common interface to K2 blackpearl processes or the .NET Data Provider for K2 SmartObjects. There are two global SmartObject permissions (see Figure 16-13):

Figure 16.13. Figure 16-13

The following table defines each one:

Apply the principal of least privilege to SmartObjects. On production servers, the ability to publish, and especially, delete SmartObjects should be granted judiciously.

SmartBox is the built-in SmartObject repository for K2 blackpearl that allows rapid development of data storage containers that are made available to processes and programmatic access via ADO.NET. For complete coverage of SmartBox, see Chapter 7. Figure 16-14 shows the security settings for any SmartBox object.

Figure 16.14. Figure 16-14

The following table lists and defines the permissions:

Most of the permissions listed in the table above govern the access control for who can access data in the SmartObject except the Modify Object permission. The Modify Object permissions allow changes to be applied to the SmartObject. Grant Modify Object permission with care on production servers as it can allow for the destruction of data.

The EventBus provides K2 blackpearl and API programmers the capability to fire events that are triggered based on various types of schedules (for example, a specific date and time has elapsed) or specific events (for example, a file in a folder being monitored has changed).

In order for new events to be registered within the Event Bus, a valid login is required to the K2 blackpearl server.

There are four interfaces that process designers use to develop new processes for K2 blackpearl:

Within these tools are two areas that security settings in K2 blackpearl govern:

Enable the Audit Policy in the Local Security Policy, and then turn on File auditing as well as Registry auditing in Windows for all failed attempts to access files and Registry data. This is a critical first step in troubleshooting issues related to accessing files/folders and for common Registry keys (HKLMSoftware and HKLMSecurity). This will reveal when the K2 Service account or a user can't access something on disk when it needs to. Figure 16-15 shows how to configure auditing of any failure to access a file or folder on the entire C drive for any user. The Failures will show up in the Security Event log.

To enable logging for a drive:

Repeat this for all Drives installed in the system. Additionally, follow the same process for auditing all failures for HKLMSoftware and HKLMSystem nodes using the Registry Editor (regedit.exe).

Figure 16.15. Figure 16-15

Review the Windows Application, Security, and System Event logs. Additionally, enable and review specific server log files (for example, K2 blackpearl, Microsoft Office SharePoint, SQL 2005 Reporting Services, and SQL Server 2005 all have different logging mechanisms).

Stop the K2 blackpearl Service, and start up K2 blackpearl in Console mode. Console mode provides real-time logging feedback from the K2 server. The data will be similar to what is output in the K2 Log files, but can be tuned to provide a different level of logging by editing the HostServerLogging.config file located in the [K2 Install Path]K2 blackpearlHost ServerBin folder.

If adding the K2 blackpearl Service account to the Administrators' group and cycling the K2 blackpearl Service seems to fix issues with K2 blackpearl, then chances are there is a right or privilege that has not been granted to the service account. Adding the account to the Administrators' group will prove this theory, but under NO circumstances leave the account in that group. Once you have narrowed it down to a security issue, then that limits the solution to a handful of items that are causing the issue. Review and audit file system and Registry permissions, the Local Security Policy privileges, and the log files to see if it reveals the access that is being denied.

If the previous tools aren't providing enough insight, Microsoft provides some more advanced tools like NetMon 3, Process Monitor, and Process Explorer to name a few. These aren't for the inexperienced, as understanding the output and knowing which false positives to ignore takes some experience and expertise. Most often than not, File and Registry auditing and reviewing log files will reveal what the issue is; however, occasionally I've found these tools helpful for getting to the root of an issue.