Pragma Fortress should be installed on an NTFS partition so that NTFS permissions can protect the private keys.
These are the minimum permissions needed for Pragma Fortress to run and log in a user. We recommend a high-security configuration for the installation subdirectories, because these directories contain the encryption keys.
| DIRECTORY\FILE | ACCOUNT | MIN. PERMISSIONS |
| --- | --- | --- |
| Installation Directory | SYSTEM | Execute |
| key files | SYSTEM. We recommend that this be the only account with access to these files. If any file needs to be regenerated, the user running sshkeygen.exe will need Change access. | Full Control |
| Home Directory | All ssh users | Read, Execute |
| CMD.EXE | All ssh users | Execute |
| %SystemRoot% | All ssh users | Read, Write, & Execute |
You can apply "NO ACCESS" permissions to all files and sub-directories in the %SystemRoot% directory except as noted below.

| DIRECTORY\FILE | ACCOUNT | MIN. PERMISSIONS |
| --- | --- | --- |
| %SystemRoot%\system32 | All ssh users | Read |
You can apply "NO ACCESS" permissions to all files and sub-directories in %SystemRoot%\system32 except as noted below. If you know that one of these files will never be needed in a session, it too can have "NO ACCESS" permissions.

| DIRECTORY\FILE | ACCOUNT | MIN. PERMISSIONS |
| --- | --- | --- |
| AUTOEXEC.NT | All ssh users | Read |
| COMMAND.COM | All ssh users | Read |
| CONFIG.NT | All ssh users | Read |
| EDIT.COM | All ssh users | Read & Execute |
| NTDOS.SYS | All ssh users | Read |
| NTIO.SYS | All ssh users | Read |
| NTVDM.EXE | All ssh users | Read & Execute |
| QBASIC.EXE | All ssh users | Read |
For any sub-directory (other than the user's home directory; see below) to which you grant a user or group permissions, that user or group must also have at least Read and Execute permissions on the root. For example, say you want to give your Fortress users permissions to a subdirectory named USERS, located at C:\TEST1\TEST2\TEST3\USERS. For your users to have access, you must give them at least Read and Execute permissions on the root (C:\), and then whatever permissions you want them to have on USERS. If the user has been granted the Advanced User Right "Bypass Traverse Checking" in NT User Management, this works even if you have assigned "NO ACCESS" permissions to \TEST1, \TEST2, and \TEST3. If Bypass Traverse Checking has not been granted to the user, then at least Read and Execute permissions must be assigned on all parent directories, not just the root (i.e., TEST1, TEST2, and TEST3).
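The following PowerShell script is an added audit example and is not part of the Pragma Fortress documentation or product. It checks two of the rules above: that only SYSTEM holds an Allow entry on the key-file directory, and that the ssh users' group has Read & Execute (and no Deny entry) on every parent of the USERS subdirectory from the example, which is what a user without Bypass Traverse Checking needs. The key-file path and the group name are assumptions; adjust them to your installation.

```powershell
# Added audit example (not Pragma Fortress code). All three values below are assumptions.
$KeyDir   = 'C:\Program Files\Pragma Fortress\keys'   # assumed location of the key files
$UserDir  = 'C:\TEST1\TEST2\TEST3\USERS'              # subdirectory from the example above
$SshGroup = 'BUILTIN\Users'                           # assumed group that contains all ssh users

$ReadExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# 1. Key files: every Allow entry must belong to SYSTEM; anything else is a finding.
$extra = (Get-Acl -Path $KeyDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM'
}
if ($extra) {
    Write-Warning "Key directory $KeyDir grants access to accounts other than SYSTEM:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Host "OK: only SYSTEM has an Allow entry on $KeyDir"
}

# 2. Traversal path: walk from the parent of USERS up to the drive root and confirm
#    the ssh group has at least Read & Execute and no Deny entry on each directory.
$dir = Split-Path -Path $UserDir -Parent
while ($dir) {
    $acl = Get-Acl -Path $dir
    $deny = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SshGroup -and $_.AccessControlType -eq 'Deny'
    }
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SshGroup -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $ReadExec) -eq $ReadExec
    }
    if ($deny) {
        Write-Warning "$SshGroup has a Deny (NO ACCESS) entry on $dir; users without Bypass Traverse Checking cannot reach $UserDir"
    } elseif (-not $allow) {
        Write-Warning "$SshGroup lacks Read & Execute on $dir (required unless Bypass Traverse Checking is granted)"
    } else {
        Write-Host "OK: $SshGroup can traverse $dir"
    }
    # Split-Path returns an empty string once we pass the drive root, which ends the loop.
    $dir = Split-Path -Path $dir -Parent
}
```

Run it from an account that can read the ACLs of the directories involved; it only reads permissions and never changes them. Because the group check matches on the exact identity name, permissions granted through a different group that the ssh users also belong to will be reported as missing, so treat the output as a prompt to inspect, not as a verdict.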
For printing, all telnet users must have read/write access to the configured Spool Directory and Save Directory, if that feature is enabled. See Printing Monitoring.
For logging, if using the user context option, all telnet users must have read/write access to the configured Log File Directory. See Logging Options.