How to find the folder permissions that are required for CCH® ProSystem fx® Engagement or Workpaper Manager.

Synchronization of CCH ProSystem fx Engagement or Workpaper Manager workpapers between the server and local workstations is not handled via Windows File Service; therefore users do not need to have access to the folders where the Central File Room Workpapers are stored. File transfer is handled by the PFXSYNPFTService. The PFXSYNPFTService will need rights to the Workpapers folder where the Central File Room workpapers are stored. The default logon of Local System is sufficient for this service.

If the Workpapers folder has been placed on a non-local volume, the PFXSYNPFTService must be configured to log on with an account on the office server, other than Local System, that has access to that volume.

All permissions are normally set correctly during the initial installation of CCH ProSystem fx Engagement or Workpaper Manager; however, these permissions can be changed by Group Policy or firm policies, which may cause issues for users. For that reason, the permissions below are listed as a guideline for avoiding issues with the program caused by changed permissions.
 

Minimum Permissions on Folders and Registries:

Note: Always use the Advanced section to set permissions so that they propagate down and replace child permissions.

  • For folder level access, it is under File properties > Security > Advanced > Change permissions > "Replace all child object permissions with inheritable permissions from this object."

  • For registry level access, it is under Permissions > Advanced > "Replace all child object permissions with inheritable permissions from this object."
     

Groups assigned by default when CCH ProSystem fx Engagement or Workpaper Manager is installed:

  • Administrators – Full Control.

  • Authenticated users – Modify, Read & Execute, List Folder Contents, Read, and Write.

  • Users – Read & Execute, List Folder Contents, and Read.

  • System – Full Control.

Important: Use these permissions to reset folder access if you notice your permissions are different than those assigned during installation.
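
One way to check a folder against the install-time groups listed above, as an added PowerShell example (not Wolters Kluwer code). The default paths assume the program is installed on drive C:; the script only reads ACLs and reports whether each group holds at least the listed rights.

```powershell
# Added example, not vendor code: read-only audit of folder ACLs against the
# install-time baseline listed in the article.
param(
    # Assumption: the program is on drive C: (the article writes the drive as "?").
    [string[]]$Path = @('C:\Pfx Engagement', 'C:\Program Files (x86)\Pfx Engagement')
)

$Rights      = [System.Security.AccessControl.FileSystemRights]
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType     = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs, so the check also works on non-English Windows.
# "Modify" covers Modify, Read & Execute, List Folder Contents, Read, and Write.
$baseline = @(
    @{ Name = 'Administrators';      Sid = 'S-1-5-32-544'; Need = $Rights::FullControl }
    @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11';     Need = $Rights::Modify }
    @{ Name = 'Users';               Sid = 'S-1-5-32-545'; Need = $Rights::ReadAndExecute }
    @{ Name = 'SYSTEM';              Sid = 'S-1-5-18';     Need = $Rights::FullControl }
)

foreach ($folder in $Path) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Not found: $folder"
        continue
    }
    # Explicit and inherited rules, identities as SIDs. Inherit-only ACEs are
    # skipped because they do not apply to the folder itself.
    $rules = (Get-Acl -LiteralPath $folder).GetAccessRules($true, $true, $SidType) |
        Where-Object { ($_.PropagationFlags -band $InheritOnly) -eq 0 }

    foreach ($entry in $baseline) {
        $granted = 0
        $hasDeny = $false
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $entry.Sid) { continue }
            if ($rule.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$rule.FileSystemRights
            } else {
                $hasDeny = $true
            }
        }
        $need = [int]$entry.Need
        [pscustomobject]@{
            Folder    = $folder
            Group     = $entry.Name
            Expected  = $entry.Need
            Granted   = [System.Security.AccessControl.FileSystemRights]$granted
            HasDeny   = $hasDeny
            Compliant = (($granted -band $need) -eq $need) -and (-not $hasDeny)
        }
    }
}
```

Rows with `Compliant = False` mark groups whose direct ACL entries on that folder fall short of the install-time rights or carry a Deny entry.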
 

Replacing the authenticated users group after installation:

The authenticated users group may be replaced by a different user group after installation. The group selected to replace the authenticated users group should be configured with the same rights as assigned to the authenticated users group during installation.
 

Additional groups not configured by the installation which may be required based on your deployment of CCH ProSystem fx Engagement or Workpaper Manager:

  • Domain Users – Modify, Read & Execute, List Folder Contents, Read, and Write.

  • Remote Desktop Users – Modify, Read & Execute, List Folder Contents, Read, and Write.

  • Terminal Server User – Modify, Read & Execute, List Folder Contents, Read, and Write.

  • Power User – Modify, Read & Execute, List Folder Contents, Read, and Write.

 

File folders and locations which may require the additional groups not configured by the installation of Engagement or Workpaper Manager:

  • Engagement or Workpaper Manager Installation Path
    • ?:\Pfx Engagement
    • ?:\Program Files (x86)\Pfx Engagement
      • Note: "?" is the storage drive that the program is installed to. 
 
  • Central File Room Workpapers Path
    • ?:\Pfx Engagement\Admin\Workpapers\{CENTRAL FILE ROOM WORKPAPER FOLDERS}
    • ?:\Program Files (x86)\Pfx Engagement\Admin\Workpapers\{CENTRAL FILE ROOM WORKPAPER FOLDERS}
      • Note: The Central File Room workpapers can be stored outside of the default directory in the example above.

 

  • For Terminal Server environments:

    • ?:\Pfx Engagement\WM\Workpapers\ 

    • ?:\Program Files (x86)\Pfx Engagement\WM\Workpapers

      • Note: The Local File Room workpapers for a terminal server can be stored outside of the default directory in the example above.

      • They will always be shared in Windows as \\{SERVERNAME}\Workpapers.
         

  • SQL
    • C:\Program Files\Microsoft SQL Server
    • C:\Program Files (X86)\Microsoft SQL Server
 
  • Microsoft Office
    • C:\Program Files\Microsoft Office\Office##\Library
    • C:\Program Files (X86)\Microsoft Office\Office##\Library
 
  • Adobe
    • C:\Program Files\Adobe
    • C:\Program Files (X86)\Adobe

Registry folders (keys):

  • 32-Bit operating systems:

    • HKEY_LOCAL_MACHINE\Software\PROFXENGAGEMENT30

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server

    • HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer

  • 64-Bit operating systems:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ProFxENGAGEMENT30

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer
 

Wolters Kluwer recognizes the efforts of those in the security community. This article was created and/or updated with contribution by Ken Pyle, Exploit Developer and Partner @ CYBIR. 

 Solution Id 000186234/000186234