We have reviewed the claim of a security vulnerability in our Fulltext server. When DocuWare is installed on a server running the default configuration of the Windows firewall, the fulltext ports are blocked. That is, there is no access to the fulltext server. Therefore, the only way the fulltext index data can be accessed outside of the DocuWare server is for the firewall to be reconfigured in an insecure manner. DocuWare does not alter firewall configurations in any way. We maintain, therefore, that there is no inherent security vulnerability in DocuWare on a Windows server in its default configuration. It is always the responsibility of the system administrator to ensure that their network is secure.
We accept, however, that when DocuWare is installed in a multi-server environment, the dispersed DocuWare services require access to the fulltext server. For most, the easy way to achieve this is to simply open the DocuWare ports in the firewalls or, worse still, turn the firewalls off altogether. This practice immediately exposes client data to a security risk.
DocuWare does not condone this practice. The system administrator must always follow best practices when allowing specific traffic between servers that is not exposed to any client, either local or remote.
There may well be a further argument that, even with the firewall correctly configured, access to the fulltext server will still be possible when logged in to the server. Again, we would stress that proper security measures must be in place to limit access to any server by other than system administrators.
In order to mitigate the possibility in the future of inexperienced administrators creating a security vulnerability in their DocuWare system, we will be modifying our installation package to issue a warning when installing DocuWare. This warning will indicate the need to properly configure firewalls on all servers, and will require the installer to accept the warning before continuing the installation.
Senior Director Support Americas