Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alfresco Security Best Practices

Published byLillie Eldredge Modified over 9 years ago

Similar presentations

Presentation on theme: "Alfresco Security Best Practices"— Presentation transcript:

1 Alfresco Security Best Practices
Toni de la Fuente Alfresco Senior Solutions Engineer Blog: blyx.com

2 Who I am? Alfresco Senior Solutions Engineer
Working with Alfresco for 5 years More than 2 years as part of the team Always involved with: Operating Systems Networks Security Open Source Consultant & Auditor: ethical hacking, penetration tests. And writing about that at blyx.com since 2002

3 Agenda Intro Project life cycle and security
Planning Installation Post-install configuration and hardening Maintenance Monitoring and auditoring Other security-related tasks Demo: information leaks and metadata Conclusions Next steps

4 Electronic Records Management
The Alfresco Platform The Alfresco Platform A robust, modern ECM platform focused on scalability & usability Consumer like UI drag-and-drop with MS Office intergration Business Process Rules and workflow that users can use Social features content activity feeds & social feedback Metadata and Security building rich context around content Ecosystem of Integrations CIFS, WebDAV, SharePoint, Exchange, GoogleDocs, CMIS, SAP, Salesforce, Kofax, and thousands more. Alfresco Document Management Team Collaboration Rich Media Support Web Content Services Process Management Image Management Electronic Records Management

5 Introduction

6 Introduction In Alfresco we must take security seriously.
Because we care about contents If Alfresco stops working and that poses a problem for your business, security is important. Security is a process not a product. Think of protection, integrity and privacy. Reduce as much as posible the MTBF, to guarantee minimum MTTR posible. Taking into account the Security Plan of the organization, Contingency Plan and Disaster Recovery Plan.

7 Project Life Cycle and Security

8 Planning and previous review
What should I secure? It depends on… Project needs Interfaces Users, applications or both Customization Architecture, high availability and scalability Document Management Records Management Collaboration Web Content Management Archive Interfaces? Customization? Number of…?

9 It depends on the network architecture
B A Share App Srv Alfresco Content Store Index DataBase

10 Installation

11 Best practices and tips 1/2
Run Alfresco as a non-root user Configure all ports beyond 1024 Authbind on Debian-like OS IPTables port redirect Avoid default password (admin, db, jmx). Change default certificates and keys in SOLR. Use keytool or your own certificates. installRoot/alf_data/solr/CreateSSLKeystores.txt Set permissions for configuration files, content store, indexes and logs. Only the user running Alfresco must be able to access this folders. chown –R alfresco:alfresco installRoot/ chmod –R 600 installRoot/

12 Best practices and tips 2/2
Before installing run Alfresco Environment Validation Tool in order to avoid conflictive services and ports. Keep SSL active when possible: Do not use self-signed certificates in live environments. Take care with SSL Strip: force using SSL and teach your users! Check your certificate strength on: Use Apache (or other web server) to protect your application server and services. SELinux (review alfresco.sh) When possible, run bundle installer to keep third party binary files controlled and avoid rootkits If third party applications are installed by OS rpm repository use rpm command rpm –Vf /path/to/binary rpm –V <rpm-name> Check third party vulnerabilities often.

13 Post Installation Configuration

14 Which ports should I open? IN

15 Which ports should I open and keep in mind? OUT
* Also allow outbound traffic to Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Blogs if you are able to use Publishing Framework, Target Servers for Replication or Cloud Sync.

16 Control and review Controls processes and ports used by the system (Linux): # netstat -tulpn|grep -i java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java tcp : :* LISTEN 8591/java udp : :* /java On Windows OS: netstat –an | findstr <port #> On Windows OS: Netstat –an|findstr <port no>

17 Activate SSL for all services required
HTTP  HTTPS Appliance supporting SSL offloading Activate HTTPS on a frontal web server (Apache, IIS, etc) Activate HTTPS on the application server FTP  FTPS Check official documentation SharePoint (jetty)  SSL You will avoid MS users related workarounds SMTP  SMTPS: IN and OUT IMAP  IMAP-SSL Greenmail (based) or Perdition or Stunnel JGroups Stunnel or Proxy

18 Post installation configuration - 1/5
Redirect ports below 1024: E.g. for FTP and IPTables: iptables -t nat -A PREROUTING -p tcp --dport 21-j REDIRECT --to-ports 2121 Change JMX credentials and roles jmx-de-alfresco/ Make sure you have control of your logs alfresco/

19 Post installation configuration - 2/5
Are you going to use external authentication? Encrypt communication between Alfresco and the LDAP/AD or SSO system (port 636 TCP for LDAPS) Disable unneeded services: ftp.enabled=false cifs.enabled=false imap.server.enabled=false nfs.enabled=false transferservice.receiver.enabled=false audit.enabled=false webdav: disable on tomcat/webapps/alfresco/WEB-INF/web.xml SharePoint: do not install VTI module if unneeded.

20 Post installation configuration - 3/5
Backup configuration and sequence Backup Lucene 2 AM installRoot/alf_data/backup-lucene-indexes Backup SOLR 2 AM Alfresco core and 4 AM Archive core. installRoot/workspace-SpacesStore installRoot/archive-SpacesStore Backup SQL. Backup contentStore, audit, etc. Consider using LVM snapshots for the contenstore and snapshot-like backup for db For small amounts of content you may use: Try recovery often as a preventive measure Add a checked Alfresco recovery procedure to your Contingence Plan Consider using Replication Service for disaster recovery plan: replication.enabled=true and replication.transfer.readonly=false

21 Post installation configuration - 4/5
Disable guest user: For NTLM-Default: alfresco.authentication.allowGuestLogin=false (default is true) For pass-through: passthru.authentication.guestAccess=false (default is false) For LDAP/AD: ldap.authentication.allowGuestLogin=false (default is true) Limit number of users and state of the repository: server.maxusers=-1 (-1 no limit) server.allowedusers=admin,toni,bill (empty for all) server.transaction.allow-writes=true (false to turn the whole system into read only mode)

22 Post installation configuration - 5/5
Disable trashcan: Create a file like *-context.xml with the following content: <bean id="storeArchiveMap" class="org.alfresco.repo.node.StoreArchiveMap"> <property name="archiveMap"> <map> </map> </property> <property name="tenantService"> <ref bean="tenantService" /> </bean>

23 Maintenance

24 Maintenance Daily review of logs and audit records (if enabled).
Daily review of backup. Delete orphan files, log rotation and temporary files cleaning. Use a crontab script, for further information: alfresco.html

25 Monitoring and Auditory

26 Monitoring and Auditory
JMX Jconsole VisualVM Hyperic hyperic-auditsurf-jmx-rocks/ Nagios/Icinga Javamelody javamelody/

27 Nagios/Icinga plugin Always monitoring! Nagios4Alfresco Plugin
Datos sensibles

28 Monitoring and Auditory
Failed logins auditory: audit.enabled=true audit.tagging.enabled=true audit.alfresco-access.enabled=true audit.alfresco-access.sub-events.enabled=true audit.cmischangelog.enabled=true To know what is being audited: $ curl -u admin:admin Rename: tomcat/shared/classes/alfresco/extension/audit/alfresco-audit- example-login.xml.sample $ curl -u admin:admin " amplelogin1/login/error/user?verbose=true" { "count":5, "entries": [ { "id":7, "application":"AuditExampleLogin1", "user":null, "time":" T19:20: :00", "values": { "\/auditexamplelogin1\/login\/error\/user":"toni" } }

29 Other security-related tasks

30 Other security-related tasks - 1/2
Avoid information leaks through metadata (demo) content + metadata in Alfresco DB vs. (content + metadata) + metadata in Alfresco Consider using the new type “d:encrypted” Add checksum to the content (third party development) User blocking after a certain number of failed authentications (LDAP or third party) Change webdav visibility root Session timeout for Explorer and Webdav Session timeout for Share Session timeout for CIFS Set CIFS and FTP on read only mode if required Standard and custom metadata + Hidden information (printers, network resources, template paths, internal servers, thumbnails, software versions, operating systems, etc ) and metadata inside pictures embeded on MS word documents!

31 Other security-related tasks - 2/2
Consider using a network scanner in order to avoid storing of viruses and trojans or an internal action like ALFVIRAL (Google Code). mod_security to limit file size or intercept content (audit purposes). To filter which applications can access to services or remote API <Location /alfresco/service/*> order allow,deny allow from localhost.localdomain # Add additional allowed hosts as needed # allow from .example.com </Location> <Location /share/service/*> allow from Datos sensibles

32 Demo: Alfresco for avoid leaks information

33 Demo Script Peparing an atack: gathering information
Google Hacking & Shodan FOCA (URL) Exiftool & wget Publishing/Replication/Sync contents with Alfresco (web sites, blog, social networks or just contents.) Backdoors and metadata: yes, we can… Cleaning contents with Alfresco cmd-line-action-clean-metadata amp Configuration (script + alfresco-global.properties) Add rule Test

34 Tools, References and Links
Gathering info tools: FOCA - a.aspx Exiftool - iftool/ Metagoofil - security.com/metagoofil.php Libextractor - ractor/ Shodan - Alfresco Security Toolkit CMD LINE cmd-line-action-clean-metadata amp Cleaners: Exiftool OOMetaExtractor - xtractor MS Office 2003 & XP ads/details.aspx?displaylang=en &FamilyID=144e54edd43e-42ca- bc7b-5446d34e5360 BatchPurifier - $19 (BatchPurifierCon.exe) Explanation: – theory – practice / POC

35 Conclusions

36 Conclusions Working on Security could be sometimes a nightmare but…
Picture from:

37 Conclusions Trust no one, including users! Nobody cleans documents.
Almost everything can reveal information Currently we have tools and information available to secure Alfresco, but unfortunately they are not on a single place and we have to improve some of them. Remember: security measures have to be taken constantly! Other topics to be covered in future related to security: Security in development In-depth auditory Users, roles and permissions. Authentication subsystems creation (webinar already carried out in Spanish) SSO with CAS, Siteminder, OpenSSO, JoSSO, ForgeRock, Oracle Identity Manager, etc. PKI integration or best practices for digital signatures, content encryption, etc.

38 Next steps Lets use “Alfresco Security Toolkit” as main project for collection of security related docs and tools. “Hardening Alfresco Guide”. “Bastille Alfresco” – useful? Any idea?

39 Any questions?

40 # while you=applause; do echo THANKS!; done
Toni de la Fuente Alfresco Senior Solutions Engineer Blog: blyx.com

Download ppt "Alfresco Security Best Practices"

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
1 Integration Made Easy Agile Integration: Connecting Salesforce With Your Enterprise.

1 Integration Made Easy Agile Integration: Connecting Salesforce With Your Enterprise.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.

Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
JourneyTEAM - www.journeyteam.com – 801.565.9199 Tales From The Field: 2010 to 2013 Upgrade Horror Stories and How to Avoid Creating a Horror of Your Own.

JourneyTEAM - – Tales From The Field: 2010 to 2013 Upgrade Horror Stories and How to Avoid Creating a Horror of Your Own.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Best Practices in Moodle Administration Best Practices in Moodle Administration A variety of topics from technical to practical Jonathan Moore Vice President.

Best Practices in Moodle Administration Best Practices in Moodle Administration A variety of topics from technical to practical Jonathan Moore Vice President.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
8/1/2015. Please Ask Questions! 2 Hacks In The News Office of Personnel Management (OPN) Flash vulnerabilities Sony Heartbleed iCloud Leaked Pictures.

8/1/2015. Please Ask Questions! 2 Hacks In The News Office of Personnel Management (OPN) Flash vulnerabilities Sony Heartbleed iCloud Leaked Pictures.
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May 20121.0First version. Modified from Enterprise edition.NBL.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
FEATURES & FUNCTIONALITY. Page 2 Agenda Main topics Packet Filter Firewall Application Control Other features.

FEATURES & FUNCTIONALITY. Page 2 Agenda Main topics Packet Filter Firewall Application Control Other features.
Secure ASP.NET MVC5 Application with Asp.Net Identity Changde Wu Self Introduction Professional.NET Developer in greater Boston area Specialized in WPF.

Secure ASP.NET MVC5 Application with Asp.Net Identity Changde Wu Self Introduction Professional.NET Developer in greater Boston area Specialized in WPF.

Similar presentations

Ads by Google