Oracle Hospitality RES 3700 Security Guide Release 5.5 E May 2016

Similar documents
Oracle Hospitality Cruise Meal Count System Security Guide Release 8.3 E

Oracle Hospitality Inventory Management Security Guide Release 9.1 E

Oracle Hospitality Cruise Fine Dining System Security Guide Release E

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Oracle Hospitality e7 Point-of-Sale. Security Guide

Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 4.2 E

Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 18.1 E

Oracle Hospitality Cruise AffairWhere Security Guide Release E April 2017

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

Oracle Hospitality RES 3700 Server Setup Guide Release 5.5 E May 2016

Oracle Hospitality OPERA Exchange Interface Cloud Authentication. October 2017

Oracle Hospitality Suite8 Export to Outlook User Manual Release 8.9. July 2015

Oracle MICROS Simphony Server Setup Guide Server Version 1. April 2015

Oracle Hospitality Simphony First Edition Venue Management (SimVen) Installation Guide Release 3.8 Part Number: E

Oracle Payment Interface Installation and Reference Guide Release E April 2018

Oracle Hospitality MICROS Commerce Platform Release Notes Release Part Number: E December 2015

Security Guide Release 4.0

Oracle Hospitality 9700 Point-of-Sale Server Setup Guide - Server Version 2 Release 4.0 Part Number: E July 2016

Oracle Hospitality OPERA Property Management Security Guide Versions: Part Number: E

Oracle Communications Services Gatekeeper

Oracle Hospitality Simphony Venue Management Installation Guide Release 3.10 E March 2018

Oracle Payment Interface Oracle Hospitality OPERA Property Management System Installation Guide Release 6.1 E

Oracle Simphony Venue Management (SimVen) Installation Guide Release Part Number: E

Oracle Hospitality Cruise Shipboard Property Management System Topaz Signature Device Installation Guide Release 8.00 E

Oracle Hospitality Simphony Engagement Cloud Service Release Notes Release 2.0 E January 2016

Oracle mymicros.net, icare, myinventory and mylabor Self Host Release Notes Release v April 2015

Oracle Hospitality Cruise Fleet Management Security Guide Release 9.0 E

Oracle Hospitality e7 Point-of-Sale Release Notes. Release 4.2

Oracle Hospitality BellaVita Hardware Requirements. June 2016

What s New for Cloud at Customer What's New for the Cloud Services on Oracle Cloud at Customer New Documentation for Oracle Cloud at Customer

Oracle Hospitality Hotel Mobile OPERA Web Services Server Installation Guide Release 1.1 E May 2017

Oracle Hospitality Suite8 XML Export of Invoice Data for Hungarian Tax Authority Release and Higher E November 2016

Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E July 2018

StorageTek Linear Tape File System, Library Edition

Oracle Hospitality Simphony First Edition Server Setup Guide - Version 2.0 Release 1.7 Part Number: E February 2016

Oracle Communications Configuration Management

Oracle Hospitality e7 Point-of-Sale Release Notes. Release 4.4 Global

Oracle Enterprise Manager Ops Center

Oracle Hospitality RES 3700 Enterprise Management Patch Release Notes Release Part Number: E

Microsoft Active Directory Plug-in User s Guide Release

Oracle Hospitality Materials Control. Server Sizing Guide

Oracle Hospitality Simphony Venue Management Release Notes Release 3.9 E March 2017

Oracle Hospitality BellaVita Adding a New Language Release 2.7. September 2015

Oracle Communications WebRTC Session Controller

Oracle Hospitality Cruise Shipboard Property Management System DESKO Penta Installation Guide Release 8.00 F

Database Change Reference Release 6.3

Contents About Connecting the Content Repository... 5 Prerequisites for Configuring a Content Repository and Unifier... 5

Oracle Hospitality Cruise Shipboard Property Management System Quick Encode Installation Guide Release 8.00 E

Release for Microsoft Windows

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need. Creating vservers 12c Release 1 ( )

Oracle Hospitality Query and Analysis Languages and Translation Configuration Guide. March 2016

OKM Key Management Appliance

Oracle Hospitality Materials Control Mobile Solutions. Installation and Configuration Guide

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need. Installing and Updating Local Software Packages 12c Release

Oracle Hospitality Materials Control Release Notes. Release 8.32

Oracle Utilities Customer Self Service

Recipe Calculation Survey. Materials Control. Copyright by: MICROS-FIDELIO GmbH Europadamm 2-6 D Neuss Date: August 21 st 2007.

Oracle Retail MICROS Stores2 Functional Document Stores2 for Portugal Disaster Recovery Release

Oracle Payment Interface Oracle Hospitality Simphony FE MGDH Installation Guide Release E April 2017

Oracle. Field Service Cloud Using Android and ios Mobile Applications 18B

Oracle Payment Interface Oracle Hospitality Simphony V2 MGDH Installation Guide Release E April 2017

Oracle Fusion Middleware

Oracle Hospitality Cruise Shipboard Property Management System Fargo HDP5000 Printer Installation Guide Release 8.0 E

PeopleSoft Fluid Required Fields Standards

Oracle Utilities Opower Custom URL Configuration

Oracle Hospitality Simphony Post-Installation or Upgrade Guide. Release 18.2

Defining Constants and Variables for Oracle Java CAPS Environments

Oracle Fusion Middleware

General Security Principles

Oracle Hospitality Cruise Fleet Management Release Notes Release 9.0 E

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need

Oracle Retail MICROS Stores2 Functional Document Sales - Receipt List Screen Release September 2015

Oracle Hospitality Cruise Shipboard Property Management System

Oracle Enterprise Manager

Oracle Communications Policy Management Configuring NetBackup for Upgrade Method of Procedure

Report Management and Editor!

Copyright 1998, 2009, Oracle and/or its affiliates. All rights reserved.

Oracle Cloud. Using Oracle Eloqua Adapter Release E

Materials Control. Account Classes. Product Version Account Classes. Document Title: Joerg Trommeschlaeger

Oracle Enterprise Manager Ops Center E Introduction

Oracle Hospitality Cruise Silverwhere Release Notes for GDF Interface and Template Release 8.0. March 2016

JavaFX. JavaFX System Requirements Release E

Oracle Cloud. Using the Google Calendar Adapter Release 16.3 E

Microsoft Internet Information Services (IIS) Plug-in User s Guide Release

Oracle Hospitality Hotel Mobile Release Notes. Release (1.30)

Oracle Transportation Mobile. Guide Release 1.3 Part No. E

Oracle Retail Workforce Management Installation Guide Release August 2015

Oracle NoSQL Database Integration with SQL Developer. Release 18.1

Oracle Linux. UEFI Secure Boot Signing Key Update Notice

Oracle Retail MICROS Stores2 Functional Document Malta Taxation Release July 2017

Oracle Enterprise Manager Ops Center

Quick Start for Coders and Approvers

Oracle Communications Convergent Charging Controller. Sample Message Flows Reference Guide Release 6.0.1

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need. Hardware and Software Configuration

Oracle Utilities Work and Asset Cloud Service End-User Provisioning Guide

Oracle Hospitality Materials Control Server Sizing Guide Release 8.31 E February 2017

Materials Control. Password & User Account Management. Product Version Joerg Trommeschlaeger

User's Guide Release

Introduction to Auto Service Request

Contents About This Guide... 5 Installing P6 Professional API... 7 Authentication Modes... 9 Legal Notices... 14

Transcription:

Oracle Hospitality RES 3700 Security Guide Release 5.5 E76231-01 May 2016

Copyright 1998, 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents Preface... iv Audience... iv Customer Support... iv Documentation... iv Revision History... iv 1 RES 3700 Security Overview... 1-1 Basic Security Considerations... 1-1 Overview of RES 3700 Security... 1-1 Understanding the RES 3700 Environment... 1-2 Recommended Deployment Configurations... 1-3 Oracle Hospitality RES 3700 Security... 1-4 2 Performing a Secure RES 3700 Installation... 2-1 Pre-Installation Configuration... 2-1 Disable System Restore... 2-1 Encrypt PageFile.sys... 2-1 Clear the System PageFile.sys on Shutdown... 2-1 Disable System Management of PageFile.sys... 2-1 Disable Error Reporting... 2-2 Installing RES 3700 Securely... 2-2 Post-Installation Configuration... 2-2 3 Implementing RES 3700 Security... 3-1 Database Manager Pass Phrase Encryption and Storage... 3-1 Client Trust Pass Phrase... 3-1 Encrypted Key File... 3-1 4 Security Considerations for Developers... 4-1 Appendix A Secure Deployment Checklist... 1 iii

Preface This document provides security reference and guidance for Oracle Hospitality RES 3700. Audience This document is intended for administrators, developers, and system integrators who perform the following functions: Document specific security features and configuration details for the Oracle Hospitality RES 3700, in order to facilitate and support the secure operation of the product and any external compliance standards. Guide administrators, developers, and system integrators on secure product implementation, integration, and administration. It is assumed that the readers have general knowledge of administering the underlying technologies and the application. Customer Support To contact Oracle Customer Support, access My Oracle Support at the following URL: Documentation Revision History https://support.oracle.com When contacting Customer Support, please provide the following: Product version and program/module name Functional and technical description of the problem (include business impact) Detailed step-by-step instructions to re-create Exact error message received Screen shots of each step you take Oracle Hospitality product documentation is available on the Oracle Help Center at http://docs.oracle.com/en/industries/hospitality/ Date Description of Change May 2016 Initial publication. iv Preface

1 RES 3700 Security Overview This chapter provides an overview of Oracle Hospitality RES 3700 security and explains the general principles of application security. Basic Security Considerations The following principles are fundamental to using any application securely: Keep software up to date. This includes the latest product release and any patches that apply to it. Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements. Monitor system activity. Establish who should access which system components, and how often, and monitor those components. Install software securely. For example, use firewalls, secure protocols using TLS (SSL), and secure passwords. See Performing a Secure RES 3700 Installation for more information. Learn about and use the RES 3700 security features. See Implementing RES 3700 Security for more information. Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security. Keep up to date on security information. Oracle regularly issues securityrelated patch updates and security alerts. You must install all security patches as soon as possible. See the Critical Patch Updates and Security Alerts Web site: http://www.oracle.com/technetwork/topics/security/alerts-086861.html Overview of RES 3700 Security Oracle Hospitality RES 3700 (or RES) is an on premise client/server architecture. The POS server is a dedicated machine where the database server, supporting applications, POS middleware and infrastructure is installed and running. The POS clients run the POS Operations application, Kitchen Display application, the Configuration applications and/or the Back Office applications. RES uses role-based access control for employees to configure the system. Employees are required to have a unique username and a password. Password complexity rules are enforced, and passwords must be changed and not repeated per specific requirements. Employee passwords are hashed using a modern and secure algorithm and stored in the RES database. The RES database and transaction log are encrypted using AES-128. This database encryption key is derived from a generated random passphrase. This passphrase can be rotated using the Database Manager Application; it is referred to as the Database Key. Sensitive data stored within the database is also encrypted at the column level. This data is encrypted using AES-128. The encryption key used for this data is derived from a RES 3700 Security Overview 1-1

random passphrase. This passphrase can be rotated using the Database Manager Application; it is referred to as the Sensitive Data Key. A Client Trust Passphrase must be entered at every network node (PC, workstation, RDC/KDS Display, Handheld) that is part of a RES system. This passphrase is userdefined, intended to be unique per site, it should be kept secret and known only to trusted personnel. This passphrase is entered via the Client Trust Passphrase Utility; this application is launched automatically at startup on a properly configured RES client when the client does not match the server s Client Trust Passphrase. When the passphrase is changed at the server, existing clients will automatically get updated with the new passphrase. This passphrase is encrypted using the Microsoft Data Protection API (DPAPI) and stored in the machine s local registry. Network nodes must have matching Client Trust Passphrases in order to communicate successfully. Database backup files are encrypted using AES-256. The encryption key for this data is derived from the Database Restore Passphrase. This passphrase is user-defined, intended to be unique per site, it should be kept secret and known only to trusted personnel. This passphrase is entered via the Database Manager application. This passphrase is encrypted using the DPAPI and stored in the machine s local registry. Sensitive data transmitted on the local POS network is encrypted using RSA-2048. This encryption algorithm uses public keys at each POS client to encrypt the sensitive data and then a private key at the server to decrypt the data. These key pairs are generated using the Microsoft Crypto API. They are encrypted using the DPAPI. The public key is sent securely to the POS clients using AES-256 encryption in a session that uses a unique key which is derived from the Client Trust Passphrase. Understanding the RES 3700 Environment When planning your Oracle Hospitality RES 3700 implementation, consider the following: Which resources need to be protected? o You need to protect customer data, such as credit-card numbers. o You need to protect internal data, such as proprietary source code. o You need to protect system components from being disabled by external attacks or intentional system overloads. Who are you protecting data from? For example, you need to protect your subscribers data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data. For example, a system administrator can manage your system components without needing to access the system data. What will happen if protections on strategic resources fail? In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly. 1-2 RES 3700 Security Overview

Recommended Deployment Configurations The RES Primary Server should be configured with a firewall blocking inbound traffic from the public internet. The firewall should block outbound access except for what may be necessary to run your business. The most common examples of exceptions would be the URLs used for Credit Card processing, the URL used for integration with mymicros.net, other URLs for specific corporate websites. RES 3700 Security Overview 1-3

Oracle Hospitality RES 3700 Security When installing RES 3700, see instructions in these documents: RES 5.0 Install Readme First RES 5.5 Release Note RES 3700 5.5 PA-DSS Implementation Guide RES 3700 uses the following ports: Port Protocol Comment 2638 TCP SAP Sybase database Server 7300 TCP CAL Server 7301 UDP CAL Server 5101 TCP Alert Manager, optional 5102 TCP Alert Manager, optional 5103 TCP Alert Manager, optional 80 TCP Manager Procedures 50123 TCP MDS Http Service 5100 TCP Cash Management 6000 TCP International Liquor Dispensing System 5022 TCP KDS Display 5023 TCP KDS Controller 7019 TCP Caller ID Service 5021 TCP Distributed Service Manager 23230 TCP Stored Value Card Service 50200 TCP Table Management Service 50201 TCP Table Management Service RES 3700 uses the following Microsoft Services: Remote Procedure Call (RPC) DCOM Server Process Launcher RPC Endpoint Mapper World Wide Web Publishing Service 1-4 RES 3700 Security Overview

2 Performing a Secure RES 3700 Installation For information about installing RES 3700, see the Oracle Hospitality RES 5.0 Install Readme First. Pre-Installation Configuration On the RES 3700 Server, you must perform the following configurations. Disable System Restore Encrypt PageFile.sys 1. Right-click Computer and select Properties. 2. On the System dialog box, click Advanced system settings. 3. On the System Protection tab, click Configure. 4. Select Turn off system protection, click Apply, and then click OK until you return to the System dialog box. 5. Restart the computer. Your hard disk must be formatted using NTFS to perform this operation. 1. Click the Start button and enter cmd in the search field. 2. Right-click cmd.exe and select Run as Administrator. 3. Enter the command: fsutil behavior set EncryptPagingFile 1 To disable encryption, enter 0 instead of 1. 4. Enter the command: fsutil behavior query EncryptPagingFile 5. Verify that the command prompt returns: EncryptPagingFile = 1 Clear the System PageFile.sys on Shutdown You can enable the option to clear PageFile.sys on system shutdown to purge temporary data. This ensures that information such as system and application passwords and cardholder data are not inadvertently kept in the temporary files. Enabling this feature may increase the time it takes for system shutdown. 1. Click the Start button and enter regedit in the search field. 2. Right-click regedit.exe and select Run as Administrator. 3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ 4. Right-click ClearPageFileAtShutdown and select Modify. If ClearPageFileAtShutdown does not exist, right-click the Memory Management folder, select New, and select DWORD (32-bit) Value. 5. Set the Value data field to 1 and click OK. Disable System Management of PageFile.sys 1. Right-click Computer and select Properties. Performing a Secure RES 3700 Installation 2-1

Disable Error Reporting 2. On the System dialog box, click Advanced system settings. 3. On the Advanced tab, click Settings for Performance. 4. On the Advanced tab, click Change. 5. Deselect Automatically manage page file size for all drives, select Custom size, and set the following fields: a. Initial Size: the amount of Random Access Memory (RAM) available. b. Maximum Size: 2x the amount of RAM. 6. Click OK until you return to the System dialog box. 7. Restart the computer. Installing RES 3700 Securely 1. Click the Start button, select Control Panel, and then click Action Center. 2. Click Change Action Center settings, then click Problem reporting settings. 3. Select Never check for solutions, then click OK. When installing RES 3700, the setup program will prompt you for some necessary parameters. Provide them in a manner consistent with configuration you desire. At the end of the Setup process, you will be asked for a Client Trust Passphrase. This should be a unique phase for each installation. It should be difficult to guess, but must be remembered to complete the installation at EACH client in the system. After each client installs the software, the user is prompted to enter the Client Trust Passphrase. If this passphrase does not match the Server, then the RES Applications will not operate at the client. Post-Installation Configuration This section explains security configuration to complete after Oracle Hospitality RES 3700 is installed. POS Operations will not function until ALL of these steps are performed. A privileged user must use Database Manager to perform the following: Change the DBA and MICROS database user passwords Change the Database Encryption Key (passphrase) Change the Sensitive Data Encryption Key (passphrase) Set the Transport Encryption Keys A privileged user must use POS Configurator to perform the following: CA/EDC Tenders must Mask CC Account Number and Expiration Date Classic Security must be turned OFF Password Expiration must be set for 90 days or less Password Length must be 7 or more Password Repeat Interval must be 4 or more Password must be set to require Alpha characters Maximum Failed Logins must be <= 6 and not zero Maximum Idle Time must be <= 15 minutes and not zero 2-2 Performing a Secure RES 3700 Installation

3 Implementing RES 3700 Security Database Manager Pass Phrase Encryption and Storage Database Manager allows you to set and change pass phrases for the Client Trust Utility and for the database. Pass phrases must follow the following complexity guidelines: Minimum 15 characters, Maximum 32 characters, Mixed case, Client Trust Pass Phrase Encrypted Key File Contain alpha and numeric and special characters You can set, change, and perform actions using the pass phrases through the Database Manager utility or through the command line. When run for the first time, Database Manager prompts you to approve the Auto Discovery Mode. This allows the Client Trust Utility to allow new clients to securely download the client trust pass phrase without performing manual creation and maintenance. Database Manager uses AES 128/256 and a randomly-generated passphrase to store and encrypt passwords and encryption keys in the MICROSKeyBackup.mbz5g3 key file. Database Manager generates a new encryption passphrase after every database backup, and the key file stores the passphrase and a text file named MICROSKeyBackup.regx containing the following encrypted passwords and keys: dba database password (DataS5) micros database password (DataS6) transportation public key (DataS3) transportation private key (DataS4) database encryption key (DataS1) sensitive data pass phrase (DataS2) When Database Manager restores the database using the backup file, it uses the encryption passphrase to decrypt the sensitive data. Implementing RES 3700 Security 3-1

4 Security Considerations for Developers RES 3700 is built with an industry standard relational database. This makes it possible for third party developers to create applications that access the RES database. These applications must NOT use the built-in database users, DBA and MICROS, to connect to the RES database. The RES Utility, Database Manager, can be used to create custom database users. Third party applications are responsible for managing their own password securely. Security Considerations for Developers 4-1

Appendix A Secure Deployment Checklist The following security guideline checklist to help you secure RES 3700 and its components: Make sure the operating system is secured according to the security recommendations of the operating system security guide. Follow the Oracle Database Security checklist for Oracle Database installation. Follow the Internet Information Services (IIS) Security checklist. Secure Deployment Checklist A-1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback