alfresco security best practices 2012
DESCRIPTION
Alfresco DevCon 2012 slidesTRANSCRIPT
![Page 1: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/1.jpg)
Alfresco Security Best Practices
Toni de la Fuente !Alfresco Senior Solutions Engineer!Blog: blyx.com Twitter: @ToniBlyx!
![Page 2: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/2.jpg)
Who I am? • Alfresco Senior Solutions Engineer!• Working with Alfresco for 5 years!• More than 2 years as part of the team!• Always involved with:!
• Operating Systems!• Networks!• Security!• Open Source!
• Consultant & Auditor: ethical hacking, penetration tests.!• And writing about that at blyx.com since 2002 !
![Page 3: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/3.jpg)
Agenda • Intro!• Project life cycle and security!
• Planning!• Installation!• Post-install configuration and hardening!• Maintenance!• Monitoring and auditoring!
• Other security-related tasks!• Demo: information leaks and metadata!• Conclusions!• Next steps!
![Page 4: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/4.jpg)
The Alfresco Platform
A robust, modern ECM platform focused on scalability & usability !Consumer like UI drag-and-drop with MS Office intergration!Business Process"Rules and workflow that users can use!Social features content activity feeds & social feedback!Metadata and Security building rich context around content!Ecosystem of Integrations"CIFS, WebDAV, SharePoint, Exchange, GoogleDocs, CMIS, SAP, Salesforce, Kofax, and thousands more.!
Alfresco
Document Management
Team Collaboration
Rich Media Support
Web Content Services
Process Management
Image Management
Electronic Records
Management
The Alfresco Platform
![Page 5: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/5.jpg)
Introduction
![Page 6: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/6.jpg)
Introduction
• In Alfresco we must take security seriously.!• Because we care about contents!
• If Alfresco stops working and that poses a problem for your business, security is important.!
• Security is a process not a product.!• Think of protection, integrity and privacy.!• Reduce as much as posible the MTBF, to guarantee
minimum MTTR posible.!• Taking into account the Security Plan of the
organization, Contingency Plan and Disaster Recovery Plan.!
![Page 7: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/7.jpg)
Project Life Cycle and Security
![Page 8: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/8.jpg)
Planning and previous review!• What should I secure? It depends on…
• Project needs • Interfaces • Users, applications or both • Customization • Architecture, high availability and scalability
Document Management
Records Management
Collaboration Web Content Management
Email Archive
Interfaces? Customization? Number of…?
![Page 9: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/9.jpg)
It depends on the network architecture
Share
App Srv
Alfresco
Con
tent
S
tore
Inde
x
Dat
aBas
e
A
B
![Page 10: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/10.jpg)
Installation
![Page 11: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/11.jpg)
Best practices and tips 1/2
• Run Alfresco as a non-root user!• Configure all ports beyond 1024!• Authbind on Debian-like OS!• IPTables port redirect!
• Avoid default password (admin, db, jmx).!• Change default certificates and keys in SOLR.!
• Use keytool or your own certificates.!• installRoot/alf_data/solr/CreateSSLKeystores.txt!
• Set permissions for configuration files, content store, indexes and logs. Only the user running Alfresco must be able to access this folders.!
• chown –R alfresco:alfresco installRoot/!• chmod –R 600 installRoot/!
![Page 12: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/12.jpg)
Best practices and tips 2/2 • Before installing run Alfresco Environment Validation Tool in order
to avoid conflictive services and ports.!• Keep SSL active when possible:!
• Do not use self-signed certificates in live environments.!• Take care with SSL Strip: force using SSL and teach your users!!• Check your certificate strength on:!
• https://www.ssllabs.com/ssldb/analyze.html!• Use Apache (or other web server) to protect your application server
and services.!• SELinux (review alfresco.sh)!• When possible, run bundle installer to keep third party binary files
controlled and avoid rootkits !• If third party applications are installed by OS rpm repository use rpm command!• rpm –Vf /path/to/binary!• rpm –V <rpm-name>!
• Check third party vulnerabilities often.!
![Page 13: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/13.jpg)
Post Installation Configuration
![Page 14: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/14.jpg)
Which ports should I open? IN Protocol' Port' TCP/UDP' IN/OUT' Activated' Comments'HTTP$ 8080$ TCP$ IN$ Yes$ Including$WebDav$FTP$ 21$ TCP$ IN$ Yes$ Passive$mode$SMTP$ 25$ TCP$ IN$ No$ $CIFS$ 137,138$ UDP$ IN$ Yes$ $CIFS$ 139,445$ TCP$ IN$ Yes$ $IMAP$ 143$ TCP$ IN$ No$ $Share$Point$$Protocol$
7070$ TCP$ IN$ Yes$ $
Tomcat$Admin$ 8005$ TCP$ IN$ Yes$ $Tomcat$AJP$ 8009$ TCP$ IN$ Yes$ $SOLR$admin$ 8443$ TCP$ IN$ Yes$ Cert$installation$on$the$
browser$needed$NFS$ 111,2049$ TCP/UDP$ IN$ No$ $Lotus$Quickr$ 6060$ TCP$ IN$ No$ $RMI$ 50500T50507$ TCP$ IN$ Yes$ Used$by$EHCache$for$
cluster$and$JMX$management$
JGroups$ 7800$ TCP$ IN$ No$ Cluster$discovery$$JGroups$ 7801T7802$ TCP$ IN$ No$ Ehcache$RMI$
communication$between$node$cluster$
OpenOffice$ 8100$ TCP$ IN$ Yes$ Localhost$only,$not$needed$to$open.$
$
![Page 15: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/15.jpg)
Which ports should I open and keep in mind? OUT Protocol' Port' TCP/UDP'IN/OUT' Activated' Comments'SMTP% 25% TCP% OUT% No% To%your%MTA.%DB%–%PostgreSQL% 5432% TCP% OUT% Yes*% Depending%on%DB%DB%–%MySQL% 3306% TCP% OUT% Yes*% Depending%on%DB%DB%–%MS%SQL%Server%1433% TCP% OUT% Yes*% Depending%on%DB%DB%–%Oracle% 1521% TCP% OUT% Yes*% Depending%on%DB%DB%–%DB2% 50000% TCP% OUT% Yes*% Depending%on%DB%LDAP% 396% TCP% OUT% No% For%authetication/sync%LDAPS% 636% TCP% OUT% No% For%authetication/sync%docs.google.com% 443% TCP% OUT% No% %OpenOffice% 8100% TCP% OUT% No% Only%for%remote%OpenOffice%or%
Alfresco%Transformation%Server%JGroups% 7800T7802% TCP% OUT% No% Between%cluster%nodes%NFS% 111,2049% TCP/UDP% OUT% No% Only%if%using%remote%NFS%for%
contentstore%Kerberos% 88% TCP/UDP% OUT% No% If%Kerberos%SSO%is%configured%DNS% 53% UDP% OUT% Yes% Basic%DNS%service%NTP% 123% UDP% OUT% Yes% Network%Time%%
* Also allow outbound traffic to Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Blogs if you are able to use Publishing Framework,
Target Servers for Replication or Cloud Sync.
![Page 16: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/16.jpg)
Control and review!• Controls processes and ports used by the system
(Linux):
# netstat -‐tulpn|grep -‐i java tcp 0 0 0.0.0.0:50500 0.0.0.0:* LISTEN 8591/java tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 8591/java tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN 8591/java udp 0 0 0.0.0.0:137 0.0.0.0:* 8591/java !
• On Windows OS: !• netstat –an | findstr <port #>!
![Page 17: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/17.jpg)
Activate SSL for all services required
• HTTP à HTTPS!• Appliance supporting SSL offloading!• Activate HTTPS on a frontal web server (Apache, IIS, etc)!• Activate HTTPS on the application server!
• FTP à FTPS !• Check official documentation!
• SharePoint (jetty) à SSL!• You will avoid MS users related workarounds!• Check official documentation!
• SMTP à SMTPS: IN and OUT!• Check official documentation!
• IMAP à IMAP-SSL !• Greenmail (based) or Perdition or Stunnel!
• JGroups!• Stunnel or Proxy!
![Page 18: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/18.jpg)
Post installation configuration - 1/5
• Redirect ports below 1024:!• E.g. for FTP and IPTables: !
• iptables -t nat -A PREROUTING -p tcp --dport 21-j REDIRECT --to-ports 2121!
• http://wiki.alfresco.com/wiki/File_Server_Configuration!• Change JMX credentials and roles!
• http://blyx.com/2011/12/20/persistencia-en-las-credenciales-jmx-de-alfresco/!
• Make sure you have control of your logs!• http://blyx.com/2011/06/02/consejos-sobre-los-logs-en-alfresco/!
![Page 19: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/19.jpg)
Post installation configuration - 2/5 • Are you going to use external authentication?!
• Encrypt communication between Alfresco and the LDAP/AD or SSO system (port 636 TCP for LDAPS)!
• Replication Service between on-premises?!• HTTPS!!!
• Disable unneeded services:!• ftp.enabled=false!• cifs.enabled=false !• imap.server.enabled=false !• nfs.enabled=false !• transferservice.receiver.enabled=false!• audit.enabled=false/true!• webdav: disable on tomcat/webapps/alfresco/WEB-INF/web.xml!• SharePoint: do not install VTI module if unneeded.!
![Page 20: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/20.jpg)
Post installation configuration - 3/5 • Backup configuration and sequence!• Backup Lucene 2 AM!
• installRoot/alf_data/backup-lucene-indexes!• Backup SOLR 2 AM Alfresco core and 4 AM Archive core.!
• installRoot/workspace-SpacesStore !• installRoot/archive-SpacesStore!
• Backup SQL.!• Backup contentStore, audit, etc.!
• Consider using LVM snapshots for the contenstore and snapshot-like backup for db!
• For small amounts of content you may use:!• http://code.google.com/p/share-import-export/!
• Try recovery often as a preventive measure !• Add a checked Alfresco recovery procedure to your Contingence Plan!• Consider using Replication Service for disaster recovery plan:!
• replication.enabled=true and replication.transfer.readonly=false!
![Page 21: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/21.jpg)
Post installation configuration - 4/5 • Disable guest user:!
• For NTLM-Default:!• alfresco.authentication.allowGuestLogin=false (default is true)!
• For pass-through:!• passthru.authentication.guestAccess=false (default is false)!
• For LDAP/AD:!• ldap.authentication.allowGuestLogin=false (default is true)!
• Limit number of users and state of the repository:!• server.maxusers=-1 (-1 no limit)!• server.allowedusers=admin,toni,bill (empty for all)!• server.transaction.allow-writes=true (false to turn the whole system
into read only mode)!
![Page 22: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/22.jpg)
Post installation configuration - 5/5 • Do you want to have control of deletion?!
• http://camelcase.blogspot.com/2011/03/purge-alfresco-archived-nodes.html!
• Disable trashcan:!• Create a file like *-context.xml with the following content:!
<bean id="storeArchiveMap" class="org.alfresco.repo.node.StoreArchiveMap"> <property name="archiveMap"> <map> </map> </property> <property name="tenantService"> <ref bean="tenantService" /> </property> </bean>
![Page 23: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/23.jpg)
Maintenance
![Page 24: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/24.jpg)
Maintenance
• Daily review of logs and audit records (if enabled).!• Daily review of backup, and monthly restoring!!• Delete orphan files, log rotation/compression and
temporary files cleaning.!• Use a crontab script, for further information:!
• http://www.fegor.com/2011/08/mantenimiento-diario-de-alfresco.html!
![Page 25: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/25.jpg)
Monitoring and Auditory
![Page 26: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/26.jpg)
Monitoring and Auditory • JMX!
• Jconsole!• VisualVM!
• Hyperic!• http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicinga-
hyperic-auditsurf-jmx-rocks/!• Nagios/Icinga!
• http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicinga-hyperic-auditsurf-jmx-rocks/!
• Javamelody!• http://blyx.com/2010/09/13/monitoring-alfresco-con-javamelody/!
!
![Page 27: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/27.jpg)
Nagios/Icinga plugin • Always monitoring! !• Nagios4Alfresco Plugin!
![Page 28: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/28.jpg)
Monitoring and Auditory • Failed logins auditory:!audit.enabled=true audit.tagging.enabled=true audit.alfresco-‐access.enabled=true audit.alfresco-‐access.sub-‐events.enabled=true audit.cmischangelog.enabled=true • To know what is being audited:!$ curl -‐u admin:admin http://localhost:8080/alfresco/service/api/audit/control!• Rename: tomcat/shared/classes/alfresco/extension/audit/alfresco-audit-example-login.xml.sample !$ curl -‐u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1/auditexamplelogin1/login/error/user?verbose=true" { "count":5, "entries": [ { "id":7, "application":"AuditExampleLogin1", "user":null, "time":"2012-‐03-‐05T19:20:48.994+01:00", "values": { "\/auditexamplelogin1\/login\/error\/user":"toni" } }
![Page 29: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/29.jpg)
Other security-related tasks
![Page 30: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/30.jpg)
Other security-related tasks - 1/2 • Avoid information leaks through metadata (demo)!
• content + metadata in Alfresco DB !!vs.!
• (content + metadata) + metadata in Alfresco!• Consider using the new type “d:encrypted”!• Add checksum to the content (third party development)!• User blocking after a certain number of failed
authentications (LDAP or third party)!• Change webdav visibility root!• Session timeout for Explorer and Webdav!• Session timeout for Share!• Session timeout for CIFS!• Set CIFS and FTP on read only mode if required!
![Page 31: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/31.jpg)
Other security-related tasks - 2/2 • Consider using a network scanner in order to avoid storing of viruses
and trojans or an internal action like ALFVIRAL (Google Code). !• mod_security to limit file size or intercept content (audit purposes).!• To filter which applications can access to services or remote API!
!<Location /alfresco/service/*> order allow,deny allow from localhost.localdomain # Add additional allowed hosts as needed # allow from .example.com </Location> <Location /share/service/*> order allow,deny allow from localhost.localdomain allow from 79.148.213.73
# allow from .example.com </Location>
![Page 32: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/32.jpg)
Demo: Alfresco for avoid leaks information
![Page 33: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/33.jpg)
Demo Script • Starting an attack: gathering information!
• Google Hacking!• FOCA!
• Exiftool & wget!• Publishing/Replication/Sync contents with Alfresco (web
sites, blog, social networks or just contents.)!• Backdoors and metadata: yes, we can…!• Cleaning contents with Alfresco!
• cmd-line-action-clean-metadata-1.0.1.amp!• Configuration (script + alfresco-global.properties)!• Add rule!• Test!
![Page 34: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/34.jpg)
Tools, References and Links • Gathering info tools:!
• FOCA - http://www.informatica64.com/foca.aspx!
• Exiftool - http://owl.phy.queensu.ca/~phil/exiftool/ !
• Metagoofil - http://www.edge-security.com/metagoofil.php!
• Libextractor - http://www.gnu.org/software/libextractor/!
• Shodan - http://www.shodanhq.com/!
• Alfresco Security Toolkit CMD LINE !
• cmd-line-action-clean-metadata-1.0.1.amp!
• Cleaners:!• Exiftool!• OOMetaExtractor -
http://www.codeplex.org/oometaextractor!
• MS Office 2003 & XP http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-42ca-bc7b-5446d34e5360!
• BatchPurifier - $19 (BatchPurifierCon.exe)!
• Explanation:!• http://blyx.com – theory!• http://blyx.com – practice / POC !
![Page 35: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/35.jpg)
Conclusions
![Page 36: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/36.jpg)
Conclusions • Working on Security could be sometimes a nightmare but…!
!
Picture from: http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf
![Page 37: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/37.jpg)
Conclusions • Trust no one, including users!!• Nobody cleans documents.!
• Almost everything can reveal information!• Currently we have tools and information available to secure
Alfresco, but unfortunately they are not on a single place and we have to improve some of them.!
• Remember: security measures have to be taken constantly!!• Other topics to be covered in future related to security:!
• Security in development!• In-depth auditory !• Users, roles and permissions.!• Authentication subsystems creation (webinar already carried out in Spanish)!• SSO with CAS, Siteminder, OpenSSO, JoSSO, ForgeRock, Oracle Identity
Manager, etc. !• PKI integration or best practices for digital signatures, content encryption, etc.!
![Page 38: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/38.jpg)
Next steps • Lets use “Alfresco Security Toolkit” as main project for
collection of security related docs and tools. !• http://code.google.com/p/alfresco-security-toolkit/!
• “Hardening Alfresco Guide”.!• “Bastille Alfresco” – useful?!• Any idea? !
![Page 39: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/39.jpg)
Any questions?
![Page 40: Alfresco Security Best Practices 2012](https://reader036.vdocument.in/reader036/viewer/2022081717/545c9202b0af9fb32c8b4989/html5/thumbnails/40.jpg)
# while you=applause; do echo THANKS!;
done
Toni de la Fuente!Alfresco Senior Solutions Engineer!Blog: blyx.com Twitter: @ToniBlyx!