#56552 - 02/26/18 06:37 AM Optimizing Windows Security
Samuel Kopstick Offline
Adagio Maestro

Registered: 06/15/07
Posts: 922
Loc: GTA & North America (Remote Su...
Hello,

At the moment we are trying to optimize Windows security settings for a network installation of Adagio on Windows Server 2016 Standard. The network environment is domain based with active directory services. We are running about 10 Adagio modules with 15 user licenses (Lanpak).

The administrator at the company, where the installation is being completed, is concerned that the requirement to give all Adagio users "full control" on the "\softrak\" root folder undermines all file system security for the directory. Now any user can access the shared folder [which they have mapped] and inadvertently [or otherwise] delete/copy/corrupt files.

Other software systems we are familiar with use services, elevated permissions, or other mechanisms to prevent this type of situation.

Is there a suggested security mechanism to protect the data files under the "\softrak\" folders, while still allowing the software to function correctly?

The only people that have access to the Adagio file structure are those that actually must use the software to perform the jobs.

Files in the "\softrak\" folder should still be protected even if these users are trusted to use the software.

For example, an order entry clerk requires access to the "\softrak\data" directory; however, they should not be able to access files pertaining to AP. Likewise files pertaining to AP can be accidentally destroyed by employees working in that function [outside the confines of the software]. My main concern is that users can view these files and may (unintentionally) move or delete data files.

Please provide a solution to this issue.

Thank you,
Sam and Jason
_________________________
Samuel Kopstick
S Kopstick & Associates Inc
Toronto, ON

#56559 - 02/26/18 10:19 AM Re: Optimizing Windows Security [Re: Samuel Kopstick]
Bruce Gardner Online
Adagio Wizard

Registered: 06/15/04
Posts: 3617
Loc: Toronto ON, Canada
Hi Samuel:

I have seen this accomplished in a Remote Desktop/Terminal Server deployment. From their local computer the user doesn't have any access to the Softrak data or application. IT puts a RemoteApp icon on their desktop. That icon logs into the server, starts the Adagio application and then logs out of the server when the Adagio application is closed.

Under this approach the user never sees a desktop on the server and therefore does not have the ability to browse the Softrak data or application folders. It's not 100% airtight however as there are some functions in Adagio that will allow the user to browse the folder structure. This is the issue that Softrak was able to solve in the Adagio Cloud deployment.

Having said that, in 20 years I've never had a user deliberately or accidentally delete any files that they shouldn't have. It makes sense to seriously consider the issue but I think the likelihood is low and the resolution (restoring a backup) has become relatively easy thanks to backup software that often runs several times per day and Adagio's new backup options.
_________________________
Bruce Gardner
ARX Business Solutions Inc.

#56561 - 02/26/18 10:40 AM Re: Optimizing Windows Security [Re: Bruce Gardner]
Retired_Guy Offline
Adagio Master

Registered: 03/16/99
Posts: 10504
Loc: Canada
Hi Bruce and Sam,

I was going to say that the solution to the problem was to hire better staff, but then decided that was a little too flippant. But ultimately, it's the solution ;)
_________________________
Andrew Bates

#56562 - 02/26/18 11:08 AM Re: Optimizing Windows Security [Re: Retired_Guy]
Dan_Desautels Offline
Adagio Maestro

Registered: 07/21/11
Posts: 1169
Loc: Thunder Bay, ON, Canada
Bruce,

I agree with your solution. However, I seem to remember a client I once had that was set up that way and they had issues with importing into Adagio. I can't recall exactly what the problem was, but I think it had something to do with the file access from the workstation to the remote desktop. I could be wrong though.

And presumably, the person who has access to import, should be trusted enough to have increased access to the file/folder structure on the RDP. I think we solved it for that client by giving the person responsible for imports, the RDP desktop access. I just thought I'd point this out as a potential pitfall.

But I tend to agree that the risk is generally quite low that someone would be "playing" in the Softrak folder. Especially if the data and any related files that are not program files are kept in a separate directory.


Edited by Dan_Desautels (02/26/18 11:08 AM)
_________________________
Dan Desautels
DezTek Solutions Inc.
Thunder Bay, ON

#56591 - 02/27/18 11:05 PM Re: Optimizing Windows Security [Re: Retired_Guy]
jasrod Offline
Stranger

Registered: 07/10/13
Posts: 4
Loc: Toronto Ontario Canada
Hi Andrew,

I seriously doubt the solution is to hire "better" staff.

No company is immune to disgruntled employees, and I for one would like my organization's data made less susceptible to malicious intent.

Furthermore, I don't like the idea of every functional group having access to all the data in the system. Can you provide 100% assurance that data captured from the file system cannot be reverse engineered, and confidential information be gleaned by and resealed to unintended parties?

One commenter posted here that in 20 years, he has never seen this type of occurrence. I can also remember a time when we didn't need firewalls, we didn't need to shred personal documents before disposing of them, and when we didn't need to secure our personal computer.

As my organisation grows, and the number of users on the accounting system increases, I have to feel confident that the software package I select, has built in the greatest effort possible to protect the security and integrity of the data it commands.

Rather than flippant comments, I'd like to see us constructively discuss ways forward and a software evolution that addresses ever increasing security needs.

For now the terminal emulation work-around may have to do, but as someone also pointed out, it is not without its own shortcomings.


Edited by jasrod (02/27/18 11:06 PM)

#56593 - 02/28/18 08:15 AM Re: Optimizing Windows Security [Re: jasrod]
Retired_Guy Offline
Adagio Master

Registered: 03/16/99
Posts: 10504
Loc: Canada
Hello Jason,

Thanks for adding your view to this thread, and I agree that no company is immune to disgruntled employees. However, there are limits to what computer software can do to protect against that threat and still be usable. In my experience, more troubleshooting time is spent figuring out why software isn't working as expected due to high security settings, than problems with the application.

It's also true that no software development comes free. For efforts spent on increasing data security, we don't have those resources available to work on useful feature improvements.

Accounts Payable clerks need access to the general ledger to decide what accounts to allocate expenses to. You can prevent OrderEntry users from having access to Accounts Payable and its data.

The Adagio ExcelDirect button is one of its nicest features for someone in the accounting department. The trade-off is that it allows people to drop information that may be confidential directly into Excel. An organization has to evaluate letting users have access to the feature against the risk (you can turn the feature off on a person-by-person basis).

Password protecting and encrypting the data makes it difficult to have an experienced person help troubleshoot a problem at their site. And the severe consequence of losing the encryption key means that it must be stored somewhere accessible.

Adagio Receivables 9.3A will bring Adagio into line with the PCI-DSS standard for storing credit card information (it won't allow you to store credit card information in Adagio). Having a breach of that data is probably a bigger risk to an organization than someone unauthorized seeing your financial statements, but that's just a personal opinion.

Adagio Cloud has a more robust security model with Adagio Manager, which can hide entire datasets from a user and only allows them to browse in specific directories.
_________________________
Andrew Bates

#56603 - 02/28/18 01:47 PM Re: Optimizing Windows Security [Re: Retired_Guy]
Samuel Kopstick Offline
Adagio Maestro

Registered: 06/15/07
Posts: 922
Loc: GTA & North America (Remote Su...
Andrew: What is the feasibility of migrating the Cloud version of Adagio Manager to on-site installations? Would this module make sense for this type of environment?
_________________________
Samuel Kopstick
S Kopstick & Associates Inc
Toronto, ON

#56610 - 02/28/18 04:21 PM Re: Optimizing Windows Security [Re: Samuel Kopstick]
Retired_Guy Offline
Adagio Master

Registered: 03/16/99
Posts: 10504
Loc: Canada
Hi Samuel,

We asked exactly that question of our Resellers and they didn't feel there was a market for that. It's probably easier to move a client to Adagio Cloud if security is that important.
_________________________
Andrew Bates
