This documentation is archived and is not being maintained.

Security Considerations in Speech Application Analysis and Tuning

Speech Server 2007

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

The following security issues relate to analysis and tuning of Speech Server applications.

Users of Speech Server tuning and analysis tools are strongly encouraged to appropriately manage privacy issues related to end-user data. For example, users must ensure that private data, such as credit card numbers, is being appropriately managed during application design, logging, log file reading, and database access.

Log Files

The content of event trace log (ETL) files can contain private data. This data can be a security issue while it is stored in log files or as output from the MssLogToText.exe command-line tool. The administrator should select a secure location for log storage and restrict log access appropriately.

Database Data

Log files imported into the Microsoft SQL??Server tuning database can contain private data.

.wav Files

Audio files extracted by the MssContentExtract.exe command-line tool can contain private data.

.ats files can contain database connection credentials, as well as query and view data that is saved by Analytics and Tuning Studio users. Connection credentials are handled differently, depending on the type of authentication used:

  • If Windows (integrated) Authentication is used, credentials are not stored in the .ats file.
  • If SQL Authentication is used, the credentials are encrypted and only work for that same user on the same computer. If another user tries to open the .ats file or the .ats file is opened on a different computer, the user has to re-enter credentials.

Be sure that .ats files are appropriately secured.

Users are cautioned to not store user name and password data in response files. For more information, see the security notice included with command-line tool documentation. For an example, see Import Log Files into the Tuning Database.