Minimum Windows Permissions for Capture and VRS
Issue
Security policies require that our Windows users have more restrictive permissions than those documented in the Capture and VRS Installation Guides.
What are the minimum Windows user permissions for installers and users of Capture and/or VRS products?
Solution
The Kofax Capture Installation Guide (Chapter 2, pages 18-22) details the user permissions required to run Capture. The Kofax VRS Installation Guide describes the permissions necessary to install and run VRS. The requirements documented in the Installation Guides are fully tested by Kofax and are simple to apply.
However, for administrators who wish to restrict user permissions further, there are minimum Windows User permissions that have been demonstrated to work with the following products:
- Capture 11.x
- VRS 5.x
Minimum permissions for installing Kofax Capture and/or Kofax VRS
Kofax Capture and Kofax VRS must be installed by a member of the local Administrator Group. For Kofax Capture installs, the local Administrator account must also have Full Control of the Capture share on the Kofax Capture server and all of the Capture share’s subfolders.
Minimum permissions for using Kofax Capture and/or Kofax VRS
Kofax Capture and VRS users must have the following file permissions:
| Folder or File | Typical Location | Permissions |
|---|---|---|
| Kofax folder and all subfolders, if present | C:\Program Files (x86)\Kofax | Read & Execute |
| Kofax share and its subfolders on the Kofax Capture Server | \\server\CaptureSV | MODIFY+Delete Subfolders and Files |
| System and user Temp folder | C:\Users\UserName\AppData \Local\Temp or C:\Windows \Temp | Full Control |
| Temporary image folder | Below the Kofax share, or elsewhere. For a new batch, the default path is \Images. For an imported batch, the path specified for the batch class is used. | MODIFY+Delete Subfolders and Files |
| Calera.ini | C:\Windows | Read, Read & Execute, Modify |
| kpmsw.ini | C:\Windows | Read, Read & Execute, Modify |
| Kfxisis.ini | C:\Windows | Read, Read & Execute, Modify |
| odbc.ini | C:\Windows | Read, Read & Execute, Modify |
| Kofax200.ini | C:\Windows | Read, Read & Execute, Modify |
| odbcinst.ini | C:\Windows | Read, Read & Execute, Modify |
| Kofaxkim.ini | C:\Windows | Read, Read & Execute, Modify |
| pixcache.ini | C:\Windows | Read, Read & Execute, Modify |
| Kpm.ini | C:\Windows | Read, Read & Execute, Modify |
| setscan.ini | C:\Windows | Read, Read & Execute, Modify |
| Kpmadr.ini | C:\Windows | Read, Read & Execute, Modify |
| vcdem32p.ini | C:\Windows | Read, Read & Execute, Modify |
| Kpmcache.ini | C:\Windows | Read, Read & Execute, Modify |
| vrsinput.ini | C:\Windows | Read, Read & Execute, Modify |
| Kpmcolpr.ini | C:\Windows | Read, Read & Execute, Modify |
| Kpmcrtnt.ini | C:\Windows | Read, Read & Execute, Modify |
All users must have the following Registry permissions:
| Registry Key | Permissions |
|---|---|
| HKEY_CURRENT_USER\Software\Kofax Image Products | Full Control |
| HKEY_LOCAL MACHINE\Software\Kofax Image Products | Read |
| HKEY_LOCAL_MACHINE\Software\Kofax | Read (Kofax VRS users require Full Control) |
SecurityBoost Permissions
Use SecurityBoost to protect critical Kofax Capture files. You must first set minimum system permissions for your operators so they cannot access critical Kofax Capture files and folders. Then you create a special SecurityBoost user with permissions that do allow access to these files and folders.
Note To use the Administration module, the SecurityBoost user must be a member of the local Administrators group. Otherwise, the Administration module cannot be started.
If SecurityBoost is enabled and you encounter an issue that prevents a module from running, the following error may occur:
<Module_name> is already running on this workstation. Only one instance is allowed.
You can resolve the error by updating the Local Security Policy.
1. In Control Panel, select Administrative Tools > Local Security Policy.
2. On the list of policies, select Local Policies > User Rights Assignment.
3. On the Policy list, double-click Impersonate a client after authentication.
4. As applicable, add the operator's user account and/or user groups to this privilege.
5. Click OK and restart the computer.
Minimum Permissions for the SecurityBoost User
To run Kofax Capture with SecurityBoost, the SecurityBoost user must have minimum permissions that are the equivalent of the required permissions described in Client/Server Required Permissions and Standalone Required Permissions. In a client/server installation, the SecurityBoost user must be a domain user.
If SecurityBoost is used strictly to protect the batch image folder, the SecurityBoost user needs the following permissions for the batch image folder:
File system:
• List folder / read data
• Create folders / append data
• Read permissions
Share:
• Full control
With SecurityBoost, additional permissions may be required, based on your Group Policy settings. The SecurityBoost account should be granted full control for the HKEY_CURRENT_USER Registry hive for all interactive users. As a result, the SecurityBoost account is permitted to access the current user's settings so that Windows can continue processing the credentials.
Note The SecurityBoost user must have access to all operator TEMP files
The SecurityBoost user is shared by the entire installation. SecurityBoost users must be either local (for standalone installations) or part of a Windows domain (for client/server or standalone installations)
Level of Complexity
Easy
Applies to
| Product | Version | Build | Environment | Hardware |
|---|---|---|---|---|
| Kofax Capture | 11.1 11.0 |
ALL | ALL | N/A |
| Kofax VRS | 5.2 5.1.2 5.1.1 |
ALL | ALL | N/A |