Setting security restrictions on file uploads
You can restrict BMC Remedy AR System users from uploading and viewing files with certain extensions in BMC Remedy Mid Tier. This feature helps prevent users from uploading malicious attachments and viewing them.
Restricting attachments
Use the Attachment Security tab in the AR System Administration: Server Information form in the BMC Remedy AR System Administration Console. You must be logged on as an administrator to perform this procedure.
To restrict attachments
Important: This form shows the local-level value of a configuration. If no local value exists, the form displays the global-level value. Modifying a value on this form changes the local-level value; for example, if a configuration currently shows the global-level value and you change it here, a local-level value is created for that configuration.
- In a browser, open the AR System Administration Console, and click System > General > Server Information. The AR System Administration: Server Information form appears.
- Click the Attachment Security tab, as shown in the following figure.
AR System Administration: Server Information form — Attachment Security tab
- Enter the attachment options that you need, and click Apply.
The following table describes the available options:
Field name | Description |
---|---|
Attachment criteria | Whether attachments are allowed or disallowed by extension: Allow all attachments, Allow attachments with the following extensions, or Disallow attachments with the following extensions (see the scenarios table below). Important: If you disallow attachments with specific extensions, all features that use attachments are affected, for example, the Import and Export features or email attachments. To avoid this, add the related exception form to the Attachment exception list. For example, to run a UDM job when the attachment extension is disallowed, add the DMT:ErrorException form to the Attachment exception list. |
Comma separated list of limit extensions | Attachment extensions that are allowed or not allowed, based on the Attachment criteria selected. |
Attachment exception list | The list of form names (field IDs) for which attachment limitations do not apply, for example, Data Visualization Module(3450298). Attachments that a user uploads to a form field in the exception list are not validated; they are uploaded without verification. |
Attachment validation plugin name | Name of the custom validation plug-in that you developed for verifying attachments. The custom validation can perform any function that you require, for example, checking the attachment for malicious content, checking whether the attachment is a virus, or checking whether the user changed the extension before uploading the attachment. Example: EXAMPLE.ARF.SIMPLE (the name of the custom plug-in that you developed). If you are using a C plug-in, add the .dll/.so path in the ar.cfg or ar.conf file in the following format to load the plug-in: Specifications for plug-in development: the custom validation plug-in must be a Filter API plug-in, which has only one API. Following is the prototype for the API: |
Display criteria | Whether attachments can be viewed, by extension. The display criteria apply to all existing extensions in BMC Remedy Mid Tier. |
Comma separated list of display extensions | Lists the attachment extensions that you want to allow or disallow for viewing, based on the Display criteria. |
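The validation plug-in described above is a Filter API plug-in, and its prototype is not reproduced on this page. As an added illustration that is not BMC's code, the following Python stand-in shows the kind of check such a plug-in exists to perform: comparing the declared extension with the file's leading bytes, so that a renamed executable is caught even when its extension is on the permitted list. The `validate_attachment` function, the `SIGNATURES` table and the sample byte strings are all constructed for this example.

```python
from typing import Dict, List, Tuple

# Leading byte signatures ("magic numbers") of common attachment types (constructed table).
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # legacy OLE2 compound file
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "docx": (b"PK\x03\x04",),                       # Office Open XML is a ZIP container
    "xlsx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),                                # Windows PE image
    "dll": (b"MZ",),
}

# Native executable formats that should never sit behind a document or image extension.
NATIVE_EXECUTABLE_PREFIXES = (b"MZ", b"\x7fELF")
NATIVE_EXECUTABLE_EXTENSIONS = frozenset({"exe", "dll", "so"})


def file_extension(filename: str) -> str:
    """Lower-cased text after the last dot of the base name, '' if there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Hypothetical stand-in for the single API of a
    Filter API validation plug-in; it only checks that content and extension agree."""
    ext = file_extension(filename)
    head = data[:16]
    # A renamed executable is rejected regardless of what the extension policy allows.
    if any(head.startswith(p) for p in NATIVE_EXECUTABLE_PREFIXES) and ext not in NATIVE_EXECUTABLE_EXTENSIONS:
        return False, f"{filename}: native executable content behind a '.{ext}' extension"
    expected = SIGNATURES.get(ext)
    if expected is None:
        return True, f"{filename}: no signature known for '.{ext}', extension policy alone applies"
    if not any(head.startswith(sig) for sig in expected):
        return False, f"{filename}: content does not match a '.{ext}' file"
    return True, f"{filename}: content matches its extension"


# Constructed sample uploads: (file name, first bytes of the file).
SAMPLES: List[Tuple[str, bytes]] = [
    ("photo.gif", b"GIF89a" + b"\x00" * 26),        # genuine GIF header
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),    # PE image renamed to .jpg
    ("scan.pdf", b"GIF89a" + b"\x00" * 10),          # GIF renamed to .pdf
    ("notes.txt", b"Meeting notes\n"),               # no signature known for .txt
    ("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00"),     # consistent; left to the extension policy
]


def run_samples() -> Dict[str, bool]:
    """Accept/reject verdict for every constructed sample."""
    return {name: validate_attachment(name, data)[0] for name, data in SAMPLES}


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(validate_attachment(name, data))
```

The check is deliberately narrow: it proves that the declared extension and the leading bytes agree, which is what defeats the "rename before upload" case the table mentions. It does not inspect the rest of the file, so it complements rather than replaces the virus and malicious-content checks a production plug-in would also perform.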
Attachments flowchart
The following flowchart helps you understand the attachment security based on the options that you select from the Attachment criteria list.
Attachment security flowchart
Scenarios for restricting attachments
The following table lists examples of parameter values for requests that include attachments:
Parameter | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4 | Scenario 5 | Scenario 6 |
---|---|---|---|---|---|---|
Attachment criteria | Allow all attachments | Allow attachments with the following extensions | Allow attachments with the following extensions | Allow attachments with the following extensions | Disallow attachments with the following extensions | Disallow attachments with the following extensions |
Comma separated list of limit extensions | doc xls jpg gif | doc xls jpg gif | doc xls jpg gif | doc xls jpg gif | exe dll db | exe dll db |
Attachment exception list | - | Data Visualization Module(41006), Report (2000012) | - | - | - | - |
Attached File examples | example.dll, example.gif | example.jar (JAR File field on Data Visualization Module form) | example.doc, example.jpg | example.exe, example.db | example.doc, example.txt | example.exe, example.dll |
Status | File is attached. All attachment options are permitted. | File is attached. The JAR File field ID is added to the attachment exception list. | File is attached. Its extension is on the list of permitted extensions. | File is not attached. Its extension is not on the list of permitted extensions. | File is attached. Its extension is not on the list of disallowed extensions. | File is not attached. Its extension is on the list of disallowed extensions. |
Disabling views
You can also restrict users from viewing the content of certain types of files. Use the Attachment Security tab in the AR System Administration: Server Information form in the BMC Remedy AR System Administration Console. You must be logged on as an administrator to perform this procedure.
- In a browser, open the AR System Administration Console, and click System > General > Server Information. The AR System Administration: Server Information form appears.
- Click the Attachment Security tab, as shown in the following figure.
AR System Administration: Server Information form — Attachment Security tab
- Enter the display options that you need, and click Apply.
For any particular attachment, the Display button in BMC Remedy Mid Tier or the Display menu command in BMC Remedy User Tool is enabled only if the Display criteria permit that attachment's extension to be viewed. For all other attachments, the Display button or menu command is dimmed.
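The attachment rules in the options table, the flowchart and the scenarios table, together with the display rule just described, can be expressed as one small policy evaluator. The following Python is an added example, not BMC Remedy code: the `AttachmentSecurity` class, the `attach_allowed` and `display_allowed` functions and the scenario data are constructed here, and the example assumes that Display criteria offers the same three choices as Attachment criteria, which the page does not state.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Criteria(Enum):
    """Choices shown in the Attachment criteria list (assumed identical for Display criteria)."""
    ALLOW_ALL = "Allow all attachments"
    ALLOW_LISTED = "Allow attachments with the following extensions"
    DISALLOW_LISTED = "Disallow attachments with the following extensions"


def parse_extension_list(text: str) -> FrozenSet[str]:
    """Normalise a 'Comma separated list of ... extensions' value:
    'doc, .XLS ,jpg' -> {'doc', 'xls', 'jpg'}."""
    items = (part.strip().lstrip(".").lower() for part in text.split(","))
    return frozenset(item for item in items if item)


def file_extension(filename: str) -> str:
    """Lower-cased text after the last dot of the base name, '' if none.
    Only the final extension counts, so 'report.pdf.exe' is an 'exe'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


@dataclass(frozen=True)
class AttachmentSecurity:
    """Settings from the Attachment Security tab (constructed model)."""
    attachment_criteria: Criteria
    limit_extensions: FrozenSet[str] = frozenset()
    exception_list: FrozenSet[Tuple[str, int]] = frozenset()  # (form name, field ID)
    display_criteria: Criteria = Criteria.ALLOW_ALL
    display_extensions: FrozenSet[str] = frozenset()


def _permitted(criteria: Criteria, listed: FrozenSet[str], ext: str) -> bool:
    """Apply one allow-all / allow-listed / disallow-listed rule to an extension."""
    if criteria is Criteria.ALLOW_ALL:
        return True
    if criteria is Criteria.ALLOW_LISTED:
        return ext in listed
    return ext not in listed


def attach_allowed(policy: AttachmentSecurity, filename: str,
                   form: Optional[str] = None, field_id: Optional[int] = None) -> bool:
    """Flowchart order: a field on the exception list skips validation entirely;
    everything else is decided by the attachment criteria and the limit list."""
    if form is not None and field_id is not None and (form, field_id) in policy.exception_list:
        return True
    return _permitted(policy.attachment_criteria, policy.limit_extensions, file_extension(filename))


def display_allowed(policy: AttachmentSecurity, filename: str) -> bool:
    """Display criteria apply to every extension; the exception list is not consulted."""
    return _permitted(policy.display_criteria, policy.display_extensions, file_extension(filename))


OFFICE_AND_IMAGES = parse_extension_list("doc, xls, jpg, gif")
EXECUTABLES = parse_extension_list("exe, dll, db")

# The six scenarios from the table above: (policy, [(file name, form, field ID), ...]).
SCENARIOS: Dict[int, Tuple[AttachmentSecurity, List[Tuple[str, Optional[str], Optional[int]]]]] = {
    1: (AttachmentSecurity(Criteria.ALLOW_ALL, OFFICE_AND_IMAGES),
        [("example.dll", None, None), ("example.gif", None, None)]),
    2: (AttachmentSecurity(Criteria.ALLOW_LISTED, OFFICE_AND_IMAGES,
                           frozenset({("Data Visualization Module", 41006), ("Report", 2000012)})),
        [("example.jar", "Data Visualization Module", 41006)]),
    3: (AttachmentSecurity(Criteria.ALLOW_LISTED, OFFICE_AND_IMAGES),
        [("example.doc", None, None), ("example.jpg", None, None)]),
    4: (AttachmentSecurity(Criteria.ALLOW_LISTED, OFFICE_AND_IMAGES),
        [("example.exe", None, None), ("example.db", None, None)]),
    5: (AttachmentSecurity(Criteria.DISALLOW_LISTED, EXECUTABLES),
        [("example.doc", None, None), ("example.txt", None, None)]),
    6: (AttachmentSecurity(Criteria.DISALLOW_LISTED, EXECUTABLES),
        [("example.exe", None, None), ("example.dll", None, None)]),
}


def run_scenarios() -> Dict[int, List[bool]]:
    """Evaluate every scenario; True means 'File is attached'."""
    return {n: [attach_allowed(policy, name, form, fid) for name, form, fid in files]
            for n, (policy, files) in SCENARIOS.items()}


if __name__ == "__main__":
    for n, results in run_scenarios().items():
        print(f"Scenario {n}: {results}")
```

Two behaviours of the evaluator are worth noticing when choosing settings: the exception list bypasses the extension check completely, so every (form, field ID) pair added to it widens what can reach the server unvalidated; and only the final extension is compared, so a disallow list that names `exe` blocks `report.pdf.exe` but says nothing about content, which is the gap a validation plug-in is meant to close.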
Comments
Are the attachment security settings mentioned on this page available from Centralized Configuration rather than the AR Server Information form?