Enterprise Server minimum folder security / permissions

pauer

Member
We are an all-Intel shop with Windows 2003 servers.
We are still on ERP 8.0 (SP23_O2) and figure to remain on this release for the foreseeable future.
As installed by JDE, security on the B7334 directory and all of its subdirectories on the Enterprise Server is too loose.
I am looking for guidelines on how much I can lock down the directories and still have JDE function properly.
In the old days, Edwards support provided such information but now they suggest that we contact their consulting group (for $$$).
I found an old ERP 8.0 installation guide but nothing is specific enough regarding security to help me.
Certainly a boilerplate configuration exists which will get me in the ballpark without disabling JDE but I can find nothing.
 
[ QUOTE ]
We are an all-Intel shop with Windows 2003 servers.
We are still on ERP 8.0 (SP23_O2) and figure to remain on this release for the foreseeable future.
As installed by JDE, security on the B7334 directory and all of its subdirectories on the Enterprise Server is too loose.
I am looking for guidelines on how much I can lock down the directories and still have JDE function properly.
In the old days, Edwards support provided such information but now they suggest that we contact their consulting group (for $$$).
I found an old ERP 8.0 installation guide but nothing is specific enough regarding security to help me.
Certainly a boilerplate configuration exists which will get me in the ballpark without disabling JDE but I can find nothing.

[/ QUOTE ]


I'll float an idea that I have:

Is it still necessary with W2K3 to do directory/file security when "Allow inheritable permissions from parent to propagate to this object" is cleared?
 
Enterprise Server security is altogether different than Deployment Server security. For a general guideline of DS filesystem security, search JDEList and the Oracle Customer Connection.

Back to the ES: your users will typically need nothing more than access to the PrintQueue, which technically does not need to be located in the same directory as the rest of the JDE application, and does not need to be shared out by the server. Reason for this is, when your users pull files from the PrintQueue using the web or fat client, the files are being pulled down using JDENET protocol, using port 6xxx (whatever you define in the ES and JAS/Client JDE.INI file).

First question:

Do you share your B7334 directory? If so, why?

Second question:

Who, besides server administrators and auditors, require access to the server? The reason I ask is, if you don't allow users direct logon access to the server, and you don't share the B7334 directory, and users can't access the hidden shares of the server (e.g. C$, D$) remotely, you can lock the directory down to the point where only admins, CNC and auditors can access the directory, with full control being granted to local admins, modify to CNC and read-only to authenticated users (everyone else who can log in to the server using RDP or directly on the console).

I should add that, if you use a domain service account to run the JDE network and queue services (to enable printing to remote print servers on the same domain, for instance), the domain service account should be a member of either local admin (either directly or indirectly) or a member of the CNC group (either directly or indirectly) and the account should be able to write to the server's temp directory for PDF temp files.
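
Added example, not written by any poster in this thread: a PowerShell sketch that reports how the B7334 ACL differs from the layout described in the post above (local admins full control, CNC modify, authenticated users read-only, no inheritance from the parent) and applies that layout only when `-Apply` is given. The directory path and the CNC group name are site-specific and are passed as parameters; the script name and parameter names are assumptions.

```powershell
# Added example, not from the thread. Both mandatory parameters are site-specific:
# pass your own B7334 path and the group that holds your CNC accounts.
param(
    [Parameter(Mandatory = $true)][string]$Root,      # path to the B7334 directory
    [Parameter(Mandatory = $true)][string]$CncGroup,  # group holding CNC accounts
    [switch]$Apply                                    # without this, report only
)

# Resolve a name to the canonical form Get-Acl reports; fails early on a typo.
function Resolve-Account([string]$Name) {
    $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $Name
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    $sid.Translate([System.Security.Principal.NTAccount]).Value
}

# Baseline from the post: admins full control, CNC modify, everyone else read-only.
$baseline = @{}
$baseline[(Resolve-Account 'BUILTIN\Administrators')]           = 'FullControl'
$baseline[(Resolve-Account $CncGroup)]                          = 'Modify'
$baseline[(Resolve-Account 'NT AUTHORITY\Authenticated Users')] = 'ReadAndExecute'

$acl = Get-Acl -Path $Root
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "$Root still inherits permissions from its parent"
}

# Report every entry, explicit or inherited, that is outside the baseline.
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if (-not $baseline.ContainsKey($who) -or $ace.AccessControlType -ne 'Allow') {
        Write-Output ("NOT IN BASELINE: {0} {1} {2} (inherited={3})" -f `
            $who, $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
    }
}

if ($Apply) {
    # Stop inheriting and discard inherited entries, then drop the explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($ace in $explicit) { $acl.RemoveAccessRuleSpecific($ace) }

    # Add the three baseline entries, inherited by all subfolders and files.
    foreach ($who in $baseline.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $who, $baseline[$who], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Root -AclObject $acl
}
```

Subdirectories that already have inheritance cleared keep their own ACLs and need the same check run against them. The script does not touch the server's temp directory, so the service account's write access there has to be verified separately.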
 
You hit the nail on the head about DS v. ES security documentation. The installation guide has pretty complete instructions about the DS but anything I found about the ES was pretty vague.

On question 1: We recently set up new Enterprise Servers and the B7334 directory is not shared. I believe that on our old servers, it was.

On Question 2: The domain service account running the network and queue services and the CNC admin's account are both domain admins and are in the local admin group for the server (I know this is probably a little too much capability for these accounts).

Given this, it looks like I can lock down B7334 as you suggest.
 