Data Storage and File Security
Overview
Quasar Server stores encrypted data, keys, and management information in database files on the local filesystem. In Quasar v3, a connection to an SQL Server database was required for storage of sensitive, non-sensitive, and job control and management data. In Quasar v4, this has been changed to use local files on the application server’s NTFS filesystem to store the above data separately.
Quasar’s sensitive data is stored as compressed encrypted blocks, packed into container files. This has enabled significant enhancements to performance, cost, and security in Quasar v4.
Default File Locations
The local file location defaults to c:\programdata\quasar, but can be controlled by changing the location in quasarserver.cfg and quasarui.cfg.
Quasar expects the local filesystem to be NTFS, because it relies on NTFS permissions to enforce security.
As the UI and server components make use of the same files, it is important that they are located on the same machine.
Quasar does not support using network drives for storage of the data files.
Data Folder Usage
| Folder | Use |
|---|---|
| data\default | Not currently used |
| data\low | Contains miscellaneous files and the management database used for job control and agent tracking. No cardholder data is ever stored here. Also contains temp files and logs. |
| data\high | Contains encrypted data files, local encryption keys, and the user actions audit log database |
Data Folder Security
| Folder Security | Permissions |
|---|---|
| default | Inherits NTFS permissions from its parent. No changes are made. |
| low | As default, and adds an entry for the Everyone pseudo-user. Allows permissions to be modified but does not grant Full Control. This is to ensure that admins can read the logs, and that the applications can manage their temp space effectively. |
| high | The owner is the account Quasar is running under. Inherited permissions are stripped / removed. The account has full control for the folder, subfolders, and files. No other permissions are permitted. |
Further Information on High Security
The data files and data encryption keys are stored in separate areas under a high security data folder. NTFS permissions are set by the server to:
- Strip / Remove all permissions normally inherited from parent folders.
- Set ownership to the account / user the server is running as.
- Lock down permissions so that user and only that user has read / write access to the high security folder.
Quasar checks the folder security every time the server starts. If there are any problems, the server will log an error to the Windows event log and refuse to start. On startup, Quasar checks:
- Read / Write to the required Quasar folders
- Security permissions set on the required Quasar folders
- Access to the management database
- Access to any data store files
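
The three NTFS rules listed above for the high security folder can be audited independently of the server's own startup check. The script below is an added example, not Quasar's own code. It assumes the high folder sits at the documented default root plus data\high; the function name Test-HighFolderAcl and the parameters $HighPath and $ServiceAccount are hypothetical. It inspects the top-level folder only.

```powershell
# Added example (not part of Quasar): audit the high security folder ACL.
# Assumptions: default root c:\programdata\quasar combined with data\high;
# $ServiceAccount is a placeholder for the account the server runs as.
param(
    [string]$HighPath = 'C:\ProgramData\quasar\data\high',
    [Parameter(Mandatory)][string]$ServiceAccount
)

function Test-HighFolderAcl {
    param([string]$Path, [string]$Account)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $expected = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    # Rule 1: permissions inherited from parent folders must be stripped.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent folder is still enabled'
    }

    # Rule 2: the owner must be the account the server runs as.
    if ($acl.GetOwner($sidType).Value -ne $expected) {
        $findings += "Owner is '$($acl.Owner)', expected '$Account'"
    }

    # Rule 3: that account, and only that account, may hold access.
    $grantsFull = $false
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.IsInherited) {
            $findings += "Inherited entry present for $sid"
        } elseif ($sid -ne $expected) {
            $findings += "Entry for another principal: $sid ($($rule.FileSystemRights))"
        } elseif ($rule.AccessControlType -eq 'Allow' -and
                  ($rule.FileSystemRights -band $full) -eq $full) {
            $grantsFull = $true
        }
    }
    if (-not $grantsFull) { $findings += "No Full Control entry for '$Account'" }

    return $findings
}

$result = Test-HighFolderAcl -Path $HighPath -Account $ServiceAccount
if ($result) { $result | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "ACL on $HighPath matches the documented high security rules"
```

Run it from an elevated session or as the service account itself, since a correctly locked-down folder denies ACL reads to other users.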