UAC Is a Luxury EPM Can't Afford
There are times when the realities of product design meet the harsh world of security requirements. This seems to happen more and more often, and one of the more glaring culprits is UAC.
We here at iArch Solutions are great proponents of security, and take the role of securing environments very seriously. We are also specialists in EPM, and this product suite presents challenges with UAC. One of those challenges is the pesky need to run a lot of processes with elevated privileges. This is something that Microsoft’s UAC is designed to prevent.
So, what exactly is UAC?
UAC is an access control that aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.
Why does EPM not like it?
Well, as noted in the definition above, the UAC code is designed to keep processes (and the service level accounts running them) from acting as administrators without confirmation. For server-side software, perhaps running behind-the-scenes processes at 2 AM, this confirmation can be an issue. Some of the items that UAC might flag are:
· Running an Application as an Administrator
· Changes to files in folders that standard users don't have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases)
· Running Task Scheduler
· Backing up and restoring folders and files
All of the above are components and/or items that EPM software frequently activates, with the end result that Oracle has plastered its EPM documentation with explicit statements requiring that UAC be disabled:
In EPM 11.2.2, it is worded here:
In both of the above instances, this verbiage is not limited to simply installing and configuring the code line. These are vendor-stated requirements to ‘install, configure and run’ the EPM System products.
How does one disable it?
So, with the above stated, how does one disable it? Oracle has been helpful in the EPM 11.1.2.4 install guide and offered directions here. Those steps used to work pretty regularly in Windows Server 2008 R2, and sometimes in Windows Server 2012.
In newer versions, the above might not be enough. You may also need to edit the registry at the following key, setting the EnableLUA value to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
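Since this registry value is what ends up switched off on EPM servers, it is worth tracking where it is off and whether that was intended. The following PowerShell is an added example, not from Oracle's guides or the original post; the function names, host names and approved-host list are hypothetical, and the sample inventory is constructed.

```powershell
# Added example: names below (Get-UacPolicy, Test-UacPolicy, host names) are hypothetical.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumption: servers where UAC is knowingly disabled for EPM (constructed names).
$ApprovedEpmHosts = @('EPM-FND01', 'EPM-ESS01')

function Get-UacPolicy {
    # Reads the configured value. A change to EnableLUA only takes effect after
    # a restart, so this is the configured state, not proof of the running one.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    [pscustomobject]@{ HostName = $env:COMPUTERNAME; EnableLUA = $p.EnableLUA }
}

function Test-UacPolicy {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [AllowNull()] $EnableLUA,
        [string[]] $Approved = $ApprovedEpmHosts
    )
    # A missing value is reported, never silently treated as enabled.
    if ($null -eq $EnableLUA) {
        $state = 'Unknown'
    } elseif ([int]$EnableLUA -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }
    $isEpm = $Approved -contains $HostName   # case-insensitive match
    $finding = switch ($state) {
        'Disabled' { if ($isEpm) { 'Documented EPM exception' } else { 'Unexpected: UAC disabled' } }
        'Enabled'  { if ($isEpm) { 'EPM host still has UAC on' } else { 'OK' } }
        default    { 'Review: EnableLUA value missing' }
    }
    [pscustomobject]@{ HostName = $HostName; UAC = $state; Finding = $finding }
}

# Constructed inventory so the classification can be exercised without touching a server.
$sample = @(
    @{ HostName = 'EPM-FND01';  EnableLUA = 0 },
    @{ HostName = 'EPM-ESS01';  EnableLUA = 1 },
    @{ HostName = 'FILE-SRV07'; EnableLUA = 0 },
    @{ HostName = 'WEB-SRV02';  EnableLUA = $null }
)
foreach ($h in $sample) { Test-UacPolicy @h }

# On a Windows server, classify the local machine as well.
if ($env:OS -eq 'Windows_NT') {
    $local = Get-UacPolicy
    Test-UacPolicy -HostName $local.HostName -EnableLUA $local.EnableLUA
}
```

With the constructed inventory, FILE-SRV07 is the row to chase: UAC is off on a host that is not on the EPM exception list.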
In closing, I feel I’d be remiss if I didn’t touch on the security ramifications of all of this. Essentially, the UAC process is good security. It is designed to prompt users (and this concept of user is important here) to confirm when changes to important system items are made. This prevents things from happening to their PCs without their knowledge. All client-based operating systems do this…Mac, Windows, etc.
The concept of UAC becomes more problematic in a server-based architecture. This is because most server-based processes are not actively monitored, and administrators are not manning data centers, hands hovering over mouse buttons, ready to engage and resolve UAC prompts.
So, as architects we must understand that server-based architectures are different, and we are responsible for designing the surrounding security architecture (network, OS, physical, virus, malware, etc.) in such a fashion that UAC is a non-issue. If there’s already a hacker in your datacenter, on your server, executing code, and UAC is your last line of defense…well, you’ve got bigger problems.
In the meantime, Oracle EPM doesn’t really care about your security stance around UAC. It’s going to need to be turned off to work properly.