About SecurityBoost

Use SecurityBoost to enhance Kofax Capture security. To use SecurityBoost, you first set minimum system permissions for your operators so that they cannot access critical Kofax Capture files and folders. You also create a special user with permissions that allow access to these files and folders.

When SecurityBoost is enabled, Kofax Capture uses the permissions granted to the special user instead of those granted to the operators. In other words, Kofax Capture can access the required folders, but your operators cannot. For example, your operators are not able to open or delete files from your Kofax Capture image folder using Windows Explorer.

When deploying SecurityBoost, you need to do the following:

  • For your operators, or other non-administrative Kofax Capture users, create Windows accounts with limited rights and permissions (see below for minimums).
  • Create one SecurityBoost user with at least the minimum rights and permissions described below. Do not inform your operators of the password or name for this user.
  • Enable SecurityBoost.
  • Have your operators log on normally (not as the SecurityBoost user). When using Windows Explorer or other non-Kofax Capture applications, they are not able to access any of the critical Kofax Capture files and folders.
  • When an operator runs an application, that application assumes the identity (and permissions) of the SecurityBoost user. Consequently, the operator is able to run Kofax Capture even without extensive rights and permissions. Activities performed by the operator are logged under that interactive user's ID when User Tracking is enabled.

Protect batch image folder only

Optionally, you can apply SecurityBoost to protect only the batch image folder. In this situation, access to the batch image folder is restricted to the SecurityBoost user, but access to other folders and Kofax Capture modules is based on the permissions normally granted to the operator.

When Protect batch image folder only is selected, the SecurityBoost user requires the following minimum permissions for the batch image folder:

  • List folder / read data

  • Create folders / append data

  • Read permissions

  • Write permissions

Because each batch class can have its own batch image folder, be sure to set the appropriate permissions for all affected folders.

Permissions

This section provides information on the minimum folder and file permissions required for the operators and SecurityBoost user. It also has important additional information about permissions when using the Scan or Export modules.

Minimum Permissions for the Operator

The minimum permissions for operators are considerably more restrictive than the permissions for the SecurityBoost user. If you are not planning to use SecurityBoost, then your operators require the same minimum permissions as those listed for the SecurityBoost user.

Note: When Protect batch image folder only is selected, the operator user should be granted minimum permissions similar to the SecurityBoost user, except for the access permission for the batch image folder.

The following list shows the minimum permissions for client/server installations. Where the following folders exist, these permissions apply to both the client and server workstations.

The following items are on the server.

  • Item: Domain user on local computer
  • Permission: None

  • Item: TEMP folder
  • Permission: None
  • Example: Path specified in environment variables

  • Item: C:\Program Files\Common Files
  • Permission: None

  • Item: Server software folder
  • Permission: None
  • Example: C:\Program Files\Kofax\CaptureSS

  • Item: Server files folder
  • Permission: Read-only
  • Example: C:\Documents and Settings\All Users\Application Data\Kofax\CaptureSV

  • Item: Config subfolder
  • Permission: Read-only
  • Example: C:\Documents and Settings\All Users\Application Data\Kofax\CaptureSV\Config

  • Item: Logs subfolder
  • Permission: Read/Write
  • Example: C:\Documents and Settings\All Users\Application Data\Kofax\CaptureSV\Logs

  • Item: Other subfolders and files
  • Permission: None

The following items are on the client.

  • Item: Workstation folder
  • Permission: Read - Execute

  • Item: Local subfolder
  • Permission: Full control (including subfolders)
  • Example: C:\Documents and Settings\All Users\Application Data\Kofax\Capture\Local

  • Item: Bin subfolder
  • Permission: Read - Execute
  • Example: C:\Program Files\Kofax\Capture\Bin

  • Item: Other subfolders
  • Permission: None

The following list shows the minimum workstation permissions for standalone installations.

  • Item: Domain user on local computer
  • Permission: None

  • Item: TEMP folder
  • Permission: None
  • Example: Path specified in environment variables

  • Item: C:\Program Files\Common Files
  • Permission: None

  • Item: Installation folder
  • Permission: Read - Execute
  • Example: C:\Program Files\Kofax\Capture

  • Item: Local subfolder
  • Permission: Full control (including subfolders)
  • Example: C:\Documents and Settings\All Users\Application Data\Kofax\Capture\Local

  • Item: Bin subfolder
  • Permission: Read - Execute
  • Example: C:\Program Files\Kofax\Capture\Bin

  • Item: Other subfolders and files
  • Permission: None
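
The operator minimums for a standalone installation can be checked against the actual folder ACLs. The following PowerShell audit is an added example, not part of the Kofax documentation; it lists Allow entries that give operator identities more than the permissions listed above. The account and group names and the batch image folder path are placeholders, and the other paths are the example paths from the list.

```powershell
# Added example: flag ACEs that grant operators more than the documented minimum.
# Assumptions: identity names and the image folder path are placeholders. List the
# operator account AND every group it belongs to, because access is usually
# granted through groups such as BUILTIN\Users.
$OperatorIdentities = @('EXAMPLE\kc-operator', 'BUILTIN\Users')

$ReadExecute = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Path -> maximum rights an operator should hold (0 = "None" in the list above).
# The Local subfolder is Full control, so nothing can exceed it and it is omitted.
$Allowed = [ordered]@{
    'C:\Program Files\Common Files'      = 0
    'C:\Program Files\Kofax\Capture'     = $ReadExecute
    'C:\Program Files\Kofax\Capture\Bin' = $ReadExecute
    'D:\KofaxImages'                     = 0   # placeholder batch image folder
}

function Get-ExcessOperatorAccess {
    param([string]$Path, [int]$AllowedMask, [string[]]$Identities)

    # Windows adds Synchronize to most file ACEs; it grants no data access, so ignore it.
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $acl  = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        # Deny entries only reduce access, so only Allow entries are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }

        # Bits granted by this ACE that fall outside the documented minimum.
        $excess = [int]$ace.FileSystemRights -band (-bnot ($AllowedMask -bor $sync))
        if ($excess -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Granted   = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

foreach ($entry in $Allowed.GetEnumerator()) {
    if (-not (Test-Path -LiteralPath $entry.Key)) {
        Write-Warning "Not found, skipped: $($entry.Key)"
        continue
    }
    Get-ExcessOperatorAccess -Path $entry.Key -AllowedMask $entry.Value -Identities $OperatorIdentities
}
```

An empty result means no listed identity holds more than the documented minimum on those folders. Rows marked Inherited have to be corrected on the parent folder or by disabling inheritance on the child.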

Minimum Permissions for the SecurityBoost User

To run Kofax Capture with SecurityBoost, the SecurityBoost user must have the minimum permissions listed below. In a client/server installation, the SecurityBoost user must be a domain user.

Note: When SecurityBoost is enabled with the Protect batch image folder only option, see the section Protect batch image folder only for information about minimum permissions.

The following list shows the minimum permissions for client/server installations. Where the following folders exist, these permissions apply to both the client and server workstations.

The SecurityBoost user is shared for the entire installation. SecurityBoost users must be either local (for standalone systems) or part of a Windows domain (for client/server or standalone installations).

The following items are on the server.

  • Item: Domain user on local computer
  • Permission: Administrators

  • Item: TEMP folder
  • Permission: Read/Write
  • Example: Path specified in environment variables

  • Item: C:\Program Files\Common Files
  • Permission: Read/Write

  • Item: Server software folder
  • Permission: None
  • Example: C:\Program Files\Kofax\CaptureSS

  • Item: Server files folder and subfolders
  • Permission: Read/Write
  • Example: C:\Documents and Settings\All Users\Application Data\Kofax\CaptureSV

The following items are on the client.

  • Item: Workstation folder and subfolders
  • Permission: Read/Write - Execute
  • Example: C:\Program Files\Kofax\Capture

  • Item: Your batch class image folder
  • Permission: Read/Write
  • Example: Path specified in batch class properties

The following list shows the minimum workstation permissions for standalone installations.

  • Item: Domain user on local computer
  • Permission: Administrators

  • Item: TEMP folder
  • Permission: Read/Write
  • Example: Path specified in environment variables

  • Item: C:\Program Files\Common Files
  • Permission: Read/Write

  • Item: Installation folder
  • Permission: Read/Write - Execute
  • Example: C:\Program Files\Kofax\Capture

  • Item: Your batch class image folder
  • Permission: Read/Write
  • Example: Path specified in batch class properties

Permissions When Using the Scan and Export Modules

In certain cases, it may be advisable to bypass SecurityBoost with the Scan module or the Export module, particularly if you can run these on an otherwise secure workstation.

If you need to run these applications with SecurityBoost enabled, you may need to take extra precautions when setting up the permissions for your operators and SecurityBoost user.

Scan Module

When using the Scan module to import image files, both the SecurityBoost user and the operator need read permission to the folder or folders that contain those files.

Do not enable SecurityBoost in an Active Directory environment. If SecurityBoost is enabled in an Active Directory environment, mapped drives cannot be used for temporary image paths for a batch class. An error occurs after clicking Scan in the Scan module. This concern does not apply if you are using the Scan module to scan paper documents.

Export Connectors

When exporting with the standard text and database export connectors that ship with Kofax Capture, the SecurityBoost user needs read and write permissions for all the following folders:

  • Your text file index storage location folders
  • Your export image files folders
  • Your OCR Full Text folders
  • Your Kofax PDF folders

Refer to the documentation for other export connectors to get information about their compatibility with SecurityBoost.

Applications That Use SecurityBoost

When SecurityBoost is enabled, only the following Kofax Capture applications take advantage of the SecurityBoost feature:

  • Batch Manager module
  • Kofax Capture Network Server (KCN Server) Remote Synchronization Agent (RSA)
  • Scan module
  • Quality Control module
  • Validation module
  • Verification module
  • Recognition Server module
  • OCR Full Text module
  • PDF Generator module

Import scripts and custom modules do not support SecurityBoost unless you explicitly provide that capability within the script or module.

Applications That Do Not Use SecurityBoost

In general, applications that involve the configuration of your Kofax Capture system do not use SecurityBoost. These applications should only be used by system administrators, and require full permissions to function properly. Operators, because of their limited permissions, are not able to launch these modules.

Specifically, the following applications do not support SecurityBoost:

  • Administration module
  • Database Utility
  • Kofax Capture Extension Registration Utility (RegAscEx.exe)
  • Kofax Capture Export Connector Registration Utility (RegAscSC.exe)
  • License Utility
  • Separator Sheet Utility
  • Email Import Connector Configuration Utility (AcisCfg.exe)
  • Kofax Capture Service