Alfresco Security Best Practices
Toni de la Fuente
Principal Solutions Engineer
toni.delafuente@alfresco.com
@ToniBlyx – blyx.com
#AlfrescoSecurity
“Sometimes, you have to demo a threat to spark a solution”
Barnaby Jack, 1977-2013
How to solve all your problems: UPGRADE!!
@ToniBlyx #AlfrescoSecurity
That’s all folks! THANKS
Agenda 
• Demo 
• Alfresco Security Policy 
• Elements 
• External Threats 
• Vulnerabilities Assessment 
• Network and Operating System 
• Implementation Best Practices 
• Architecture 
• Mobile 
• Compliance and Standards
The Guide
• Alfresco Security Best Practices Guide
• https://my.alfresco.com/share/s/85CnNsR0ROaSV0BwmKWncg
Alfresco Value Pillars
• User Adoption (SIMPLE/CONNECTED): integral support for mobile workers and external partners, interface built with the end user in mind vs. IT, seamlessly integrated with today’s most common productivity tools
• Security (CONTROLLED): enterprise-grade security, easy compliance policy definition and enforcement, fully compliant
• Open, Modern Architecture (SIMPLE/SMART/CONNECTED): enterprise-grade, hybrid, open-source, flexible architecture that meets today’s IT demands; open integration interface, ease of administration, allows the IT org to integrate with other LOB applications, support for open standards
• Content Encryption, Records Mgmt., MDM Certification
Alfresco Security Policy
• Issues discovery
• Security notifications
• Severity levels: High, Medium, Low
• Reporting a security issue to us: support@alfresco.com
Alfresco Security Components: Deployment
• People
• Process
• Alfresco application: patches, HF, upgrades, features
• JVM
• Operating System
• Firewall
• Network configuration
• Virtualization infrastructure
• Network infrastructure
• Physical infrastructure
• Physical security
• Facilities
AWS Shared Security Model, a good reference
Multiple External Threats 1
Discovery, gathering information and information leaks:
• Search tools: Google, Bing, Shodan
• Gathering info: FOCA, metagoofil, theharvester, maltego
• Manual discovery: Nmap, others
Protection:
• IDS
• Banner
• Filter access to resources
• Clean metadata
Multiple External Threats 2
Brute force user and password or dictionary attacks:
• Online tools: Hydra, Metasploit
Protection:
• IDS
• Password rotation
• Password strength policy
• Error login threshold
• Prevent DoS
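The "error login threshold" and "IDS" items on this slide come down to counting failed logins per source inside a time window. The block below is an added example written for this page, not code from the deck or from Alfresco: it parses a constructed log line layout (LINE_RE and SAMPLE_LOG are invented for the demo, not Alfresco's real format) and flags a client that sprays several accounts, which a per-account lockout alone would miss and which a per-account lockout would turn into the self-inflicted DoS the slide warns about.

```python
"""Flag brute-force and dictionary login attempts from authentication log lines.

Added example, not part of the deck. The log line layout below is a constructed
sample (it is not Alfresco's real log format): adapt LINE_RE to whatever your
authentication subsystem, reverse proxy or IDS actually writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one client (10.0.0.5) sprays three accounts in a few
# seconds, another client (10.0.0.9) mistypes once and then logs in.
SAMPLE_LOG = """\
2014-05-12 10:00:01 INFO  auth client=10.0.0.5 user=alice result=FAIL
2014-05-12 10:00:02 INFO  auth client=10.0.0.5 user=alice result=FAIL
2014-05-12 10:00:02 INFO  auth client=10.0.0.5 user=admin result=FAIL
2014-05-12 10:00:03 INFO  auth client=10.0.0.5 user=admin result=FAIL
2014-05-12 10:00:03 INFO  auth client=10.0.0.5 user=bob result=FAIL
2014-05-12 10:00:04 INFO  auth client=10.0.0.5 user=bob result=FAIL
2014-05-12 10:00:10 INFO  auth client=10.0.0.9 user=carol result=FAIL
2014-05-12 10:00:40 INFO  auth client=10.0.0.9 user=carol result=OK
2014-05-12 10:05:00 INFO  auth client=10.0.0.5 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"client=(?P<client>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Yield (timestamp, client, user, result) for every line LINE_RE matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["client"], m["user"], m["result"])


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: sorted usernames} for every client whose failed logins
    inside a sliding `window` reached `threshold`.

    Counting per client rather than per account catches the dictionary case
    (many accounts, few attempts each) and does not lock real users out: the
    response is an alert or a block of the client, not of the account.
    """
    recent = defaultdict(deque)   # client -> deque of (timestamp, user) failures
    alerts = {}
    for ts, client, user, result in sorted(parse_lines(text)):
        if result != "FAIL":
            continue
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[client] = sorted({u for _, u in q})
    return alerts


if __name__ == "__main__":
    for client, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(users)} accounts tried: {', '.join(users)}")
```

On the sample, 10.0.0.5 trips the default threshold of five failures in sixty seconds while 10.0.0.9's single mistake does not; feed the output to whatever blocks at the firewall or IDS rather than locking the accounts.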
Multiple External Threats 3
Man-in-the-middle attacks and DDoS/DoS:
• Multiple ways
• Complex to protect
Viruses:
• Content
• All tiers
Protection:
• Architecture design
• Encryption
• Certificate strength
• Firewalls (network, host and application level)
• IDS/IPS
• AlfViral
• Corporate-network solutions – ATP
• Monitoring
Source of Vulnerabilities
Public sources:
• CVE-2014-0050: Apache Commons FileUpload
• CVE-2014-0125: Moodle
• Bugtraq ID 37578: Joomla
Internal sources:
• *MNT-11793: SSRF, port scanning
• CVE-2014-2939: XSS
• MNT-10540: Share remote execution
• *MNT-10539: Xerces / POI
Hardening Network and Operating System
Network and Operating System
• Network: firewalls, IDS, IPS, APT, web application firewalls, antiviruses, DDoS/DoS protection devices
• OS: RedHat, Ubuntu, Suse; Solaris; Windows Server
• File permissions: alfresco-global.properties, dir_root/contentstore, dir_root/solr, dir_root/lucene-indexes
• Minimum privileges
• Port redirect
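The file-permission and minimum-privilege items above are easy to check mechanically. The following is an added example, not code from the deck or from Alfresco: it builds a constructed throw-away install under a temp directory, reports every sensitive path that is readable by group/other or not owned by the service account, and shows the same check passing once the paths are locked down. The tomcat/shared/classes location of alfresco-global.properties and alf_data as dir_root are assumptions (the usual Tomcat bundle layout); point `check_paths` at your real paths.

```python
"""Check that the paths slide 16 names are owner-only and owned by the service account.

Added example, not from the deck. `build_demo_layout` creates a constructed
throw-away install under a temp dir so the check runs offline; the
tomcat/shared/classes location for alfresco-global.properties and alf_data as
dir_root are assumptions taken from the usual Tomcat bundle layout.
"""
import os
import stat
import tempfile

CONTENT_DIRS = ("contentstore", "solr", "lucene-indexes")   # dir_root/... from the slide
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_paths(props_file, dir_root, service_uid=None):
    """Return (path, problem) for every sensitive path that is readable by
    group/other or not owned by the service account (defaults to the caller)."""
    if service_uid is None:
        service_uid = os.geteuid()
    findings = []
    for path in [props_file] + [os.path.join(dir_root, d) for d in CONTENT_DIRS]:
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER:
            findings.append((path, f"mode {oct(mode)} grants group/other access"))
        if st.st_uid != service_uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected service uid {service_uid}"))
    return findings


def lock_down(props_file, dir_root):
    """Owner-only: 0600 for the properties file (it holds the DB credentials),
    0700 for the content and index directories."""
    os.chmod(props_file, 0o600)
    for d in CONTENT_DIRS:
        os.chmod(os.path.join(dir_root, d), 0o700)


def running_as_root():
    """Slide 20's 'never run as root': refuse to start when this is True."""
    return os.geteuid() == 0


def build_demo_layout(base):
    """Constructed layout: properties file and contentstore left permissive,
    the two index directories already locked down."""
    props = os.path.join(base, "tomcat", "shared", "classes", "alfresco-global.properties")
    os.makedirs(os.path.dirname(props))
    with open(props, "w") as fh:
        fh.write("db.username=alfresco\ndb.password=constructed-secret\n")
    os.chmod(props, 0o644)                       # weak: readable by every local user
    dir_root = os.path.join(base, "alf_data")
    for name, mode in zip(CONTENT_DIRS, (0o755, 0o700, 0o700)):
        path = os.path.join(dir_root, name)
        os.makedirs(path)
        os.chmod(path, mode)
    return props, dir_root


def demo():
    """Run the check on the constructed layout before and after lock_down."""
    with tempfile.TemporaryDirectory() as base:
        props, dir_root = build_demo_layout(base)
        before = check_paths(props, dir_root)
        lock_down(props, dir_root)
        after = check_paths(props, dir_root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print(f"BEFORE {problem}: {path}")
    print(f"AFTER: {len(after)} finding(s)")
```

The mode check is deliberately strict (any group or other bit is a finding): the properties file carries database credentials, and the content store is the data itself, so neither has a reason to be readable by anyone but the account Alfresco runs as.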
Firewall: Inbound ports
Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
HTTP | 8080 | TCP | IN | Yes | WebDAV included
FTP | 21 | TCP | IN | Yes | Passive mode
SMTP | 25 | TCP | IN | No |
CIFS | 137,138 | UDP | IN | Yes |
CIFS | 139,445 | TCP | IN | Yes |
IMAP | 143 or 993 | TCP | IN | No |
SharePoint Protocol | 7070 | TCP | IN | Yes |
Tomcat Admin | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall
Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall
SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the certificate has to be installed in the browser. Otherwise take it into account when using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT
NFS | 111,2049 | TCP/UDP | IN | No | This is the repository service NFS as VFS
RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open this port at the firewall
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2
JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2
JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2
OpenOffice/JODconverter | 8100 | TCP | IN | Yes | It works on localhost, do not open it at the firewall
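The inbound table is a policy; what a server actually exposes is another matter. The block below is an added example, not code from the deck or from Alfresco. INBOUND_POLICY transcribes the slide's table (the `scope` column is my reading of its Comments: "do not open at the firewall" and "works in localhost" become loopback-only, the cluster rows become node-to-node only), and SAMPLE_LISTENERS is a constructed stand-in for what `ss -ltn` / `ss -lun` would report. It reports a Tomcat shutdown port or JMX listener bound to every interface, a cluster port reachable from anywhere, and any listener the table does not know.

```python
"""Audit a host's listening sockets against the inbound-port table above.

Added example, not from the deck. INBOUND_POLICY transcribes the slide's table
(Alfresco 4.x era ports); the `scope` column is my reading of the Comments
column. SAMPLE_LISTENERS is a constructed stand-in for what `ss -ltn` /
`ss -lun` would report, not output from a real server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    service: str
    ports: tuple      # individual port numbers, ranges expanded
    proto: str        # "tcp", "udp" or "tcp/udp"
    active: bool      # the table's Active column (expected to listen by default)
    scope: str        # "external": may be opened at the firewall
                      # "cluster":  only between cluster nodes
                      # "localhost": never open at the firewall, loopback only


INBOUND_POLICY = [
    InboundRule("HTTP (WebDAV included)", (8080,), "tcp", True, "external"),
    InboundRule("FTP (passive mode)", (21,), "tcp", True, "external"),
    InboundRule("SMTP", (25,), "tcp", False, "external"),
    InboundRule("CIFS", (137, 138), "udp", True, "external"),
    InboundRule("CIFS", (139, 445), "tcp", True, "external"),
    InboundRule("IMAP / IMAPS", (143, 993), "tcp", False, "external"),
    InboundRule("SharePoint Protocol", (7070,), "tcp", True, "external"),
    InboundRule("Tomcat Admin", (8005,), "tcp", True, "localhost"),
    InboundRule("Tomcat AJP", (8009,), "tcp", True, "localhost"),
    InboundRule("SOLR Admin", (8443,), "tcp", True, "external"),
    InboundRule("NFS", (111, 2049), "tcp/udp", False, "external"),
    InboundRule("RMI / JMX", tuple(range(50500, 50508)), "tcp", True, "localhost"),
    InboundRule("Hazelcast", (5701,), "tcp", False, "cluster"),
    InboundRule("JGroups", (7800, 7801, 7802), "tcp", False, "cluster"),
    InboundRule("OpenOffice/JODconverter", (8100,), "tcp", True, "localhost"),
]

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of listening sockets: (proto, bind address, port).
SAMPLE_LISTENERS = [
    ("tcp", "0.0.0.0", 8080),
    ("tcp", "0.0.0.0", 8005),     # Tomcat shutdown port on every interface
    ("tcp", "127.0.0.1", 8100),   # JODconverter correctly on loopback
    ("tcp", "0.0.0.0", 50500),    # JMX RMI reachable from outside
    ("tcp", "0.0.0.0", 5701),     # Hazelcast, cluster traffic
    ("tcp", "0.0.0.0", 2222),     # nothing in the table listens here
    ("udp", "0.0.0.0", 137),
]


def audit_listeners(listeners, policy=INBOUND_POLICY):
    """Return findings as (port, severity, message) tuples, sorted by port."""
    index = {}
    for rule in policy:
        for port in rule.ports:
            index.setdefault(port, []).append(rule)
    findings = []
    for proto, addr, port in listeners:
        rules = [r for r in index.get(port, []) if proto in r.proto]
        if not rules:
            findings.append((port, "HIGH", f"{proto}/{port} on {addr}: not in the inbound table, identify it or close it"))
            continue
        rule = rules[0]
        on_loopback = addr in LOOPBACK
        if rule.scope == "localhost" and not on_loopback:
            findings.append((port, "HIGH", f"{rule.service} ({proto}/{port}) bound to {addr}: bind to loopback and block at the firewall"))
        elif rule.scope == "cluster" and not on_loopback:
            findings.append((port, "MEDIUM", f"{rule.service} ({proto}/{port}) on {addr}: allow only from the other cluster nodes"))
        if not rule.active:
            findings.append((port, "INFO", f"{rule.service} ({proto}/{port}) is listening but the table lists it as not active by default"))
    return sorted(findings)


if __name__ == "__main__":
    for port, severity, message in audit_listeners(SAMPLE_LISTENERS):
        print(f"[{severity}] {message}")
```

Feed it the real listener list from `ss` and run it after every upgrade or hotfix: a new component quietly listening on all interfaces shows up as an unknown port, and a JMX or AJP port that drifted off loopback shows up as HIGH.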
Firewall: Outbound ports
Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA
DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB
DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB
DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB
DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB
DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB
LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization
LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization
docs.google.com | 443 | TCP | OUT | No |
JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes
Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore
Remote storage CIFS | 137,138 (UDP); 139,145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore
Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore
Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used
Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver
Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers
Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required
Third Party SSO | 443 | TCP | OUT | No | Third party SSO services
DNS | 53 | UDP | OUT | Yes | Name resolution service
Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using Alfresco Publishing Framework or Site blog publishing
Alfresco Implementation Best Practices
Best Practices 1
• Stay current: Service Packs, HF
• Never run as root
• Switch to SSL:
  • HTTPS (Share, WebDAV, API, etc.) at the app server, web server or appliance
  • SharePoint Protocol
  • IMAPS
  • SMTP inbound TLS
  • SMTP outbound TLS
  • FTPS
  • LDAPS connection
  • Consider Hazelcast or JGroups / DB connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials
Best Practices 2
• Audit: enable it if needed; easy to query audit records with curl; easier in RM
• Alfresco Support Tools: get to know connected users, besides other tools
• Get to know how to reset the admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
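Several items on this slide (guest user, ticket session duration, unneeded services, audit) are plain settings in alfresco-global.properties, so they can be checked before each deployment. The block below is an added example written for this page, not code from the deck or from Alfresco: WEAK and HARDENED are constructed sample files, and the property keys are the ones I know from the Alfresco 4.x repository defaults; confirm both the keys and their defaults against your version, since a key that is not set falls back to the version default, which is why the checker only reports such keys rather than assuming a value.

```python
"""Check alfresco-global.properties for the Best Practices 2 items that are
plain configuration: disable guest, bound ticket lifetime, disable unneeded
services, enable audit.

Added example, not from the deck. WEAK and HARDENED are constructed sample
files. The property keys are the ones I know from the Alfresco 4.x repository
defaults (repository.properties); confirm them and their defaults against your
version, since a key that is not set here falls back to that default.
"""
import re

WEAK = """\
# constructed sample, not a real site's file
db.username=alfresco
alfresco.authentication.allowGuestLogin=true
authentication.ticket.ticketsExpire=false
authentication.ticket.validDuration=PT24H
ftp.enabled=true
cifs.enabled=true
nfs.enabled=false
imap.server.enabled=true
"""

HARDENED = """\
# constructed sample, not a real site's file
db.username=alfresco
alfresco.authentication.allowGuestLogin=false
authentication.ticket.ticketsExpire=true
authentication.ticket.expiryMode=AFTER_INACTIVITY
authentication.ticket.validDuration=PT1H
ftp.enabled=false
cifs.enabled=true
nfs.enabled=false
imap.server.enabled=false
audit.enabled=true
audit.alfresco-access.enabled=true
"""

PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")   # ISO 8601 time part only
SERVICE_KEYS = {"ftp": "ftp.enabled", "cifs": "cifs.enabled",
                "nfs": "nfs.enabled", "imap": "imap.server.enabled"}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def duration_seconds(value):
    """PT1H30M -> 5400; None for forms this helper does not handle (e.g. P1D)."""
    m = DURATION_RE.match(value.strip().upper())
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def check_properties(text, needed_services=("cifs",), max_ticket_seconds=8 * 3600):
    """Return (key, problem) findings for settings weaker than the slide's advice.
    needed_services lists the protocols the site really uses; any other
    protocol that is enabled is flagged as an unneeded service."""
    props = parse_properties(text)
    findings = []

    def expect(key, wanted, why):
        actual = props.get(key)
        if actual is None:
            findings.append((key, f"not set explicitly, confirm the version default ({why})"))
        elif actual.lower() != wanted:
            findings.append((key, f"is {actual!r}, expected {wanted!r} ({why})"))

    expect("alfresco.authentication.allowGuestLogin", "false", "disable guest user")
    expect("authentication.ticket.ticketsExpire", "true", "tickets must expire")
    expect("authentication.ticket.expiryMode", "after_inactivity", "expire idle sessions")

    key = "authentication.ticket.validDuration"
    dur = props.get(key)
    secs = duration_seconds(dur) if dur is not None else None
    if dur is None:
        findings.append((key, "not set explicitly, confirm the version default (ticket lifetime)"))
    elif secs is None:
        findings.append((key, f"{dur!r} not understood by this checker, review by hand"))
    elif secs > max_ticket_seconds:
        findings.append((key, f"{dur} is longer than the {max_ticket_seconds}s limit"))

    for name, svc_key in SERVICE_KEYS.items():
        if name not in needed_services and props.get(svc_key, "").lower() == "true":
            findings.append((svc_key, f"{name} is enabled but not in the needed services list"))

    expect("audit.enabled", "true", "review your logs")
    expect("audit.alfresco-access.enabled", "true", "record repository access")
    return findings


if __name__ == "__main__":
    for key, problem in check_properties(WEAK):
        print(f"{key}: {problem}")
```

Run with the real file and the list of protocols the site actually needs; the sample WEAK file produces eight findings and HARDENED none. Share's own session timeout lives in its web.xml rather than in this file, so it is outside what this checker sees.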
Best Practices: content deletion
• Node deletion lifecycle
• Why is it important?
More about node deletion
• Delete content when it is deleted
• Trashcan cleaner
• Records Management
• Wipe content
Alfresco Share Security
• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout
Architecture Best Practices 1
• Frontends: Apache, Nginx, HAProxy
• Protect URLs:
  • /alfresco/service
  • /share/service
  • /alfresco/proxy
  • /alfresco/cmisbrowser
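The slide says to protect the four URL prefixes at the frontend without saying how the decision should be made. The block below is an added example, not code from the deck or from Alfresco: it models the frontend rule (the protected prefixes are only answered for trusted source networks; everything else passes through), normalises the path the way the servlet container will so a `..` segment cannot step around the prefix, and emits the equivalent nginx `location` blocks. PROTECTED_PREFIXES are the four paths on the slide; TRUSTED_NETWORKS, the sample requests and the upstream name `alfresco_backend` are constructed.

```python
"""Model the frontend rule from slide 25: the service/proxy URL prefixes are
answered only for trusted source networks, everything else passes through.

Added example, not from the deck. PROTECTED_PREFIXES are the four paths on
the slide; TRUSTED_NETWORKS, the sample requests and the upstream name
`alfresco_backend` are constructed.
"""
import ipaddress
import posixpath

PROTECTED_PREFIXES = ("/alfresco/service", "/share/service",
                      "/alfresco/proxy", "/alfresco/cmisbrowser")
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24"),     # admin LAN (constructed)
                    ipaddress.ip_network("192.168.1.0/24")]   # integration hosts (constructed)


def normalize(path):
    """Resolve '.', '..' and repeated slashes the way the servlet container
    will, so the rule applies to the path the backend actually serves.
    Matching the raw request line lets '/share/../alfresco/proxy/...' slip past."""
    path = path.split("?", 1)[0]
    return "/" + posixpath.normpath(path).lstrip("/")


def is_protected(path):
    """Plain prefix match, the same semantics as nginx's `location ^~ /prefix`."""
    norm = normalize(path)
    return any(norm.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def decide(path, client_ip):
    """'allow' or 'deny' for one request, as the frontend should decide it."""
    if not is_protected(path):
        return "allow"
    ip = ipaddress.ip_address(client_ip)
    return "allow" if any(ip in net for net in TRUSTED_NETWORKS) else "deny"


def nginx_snippet():
    """Equivalent nginx location blocks (ngx_http_access_module allow/deny);
    nginx matches locations against its own normalised $uri."""
    allows = "\n".join(f"        allow {net};" for net in TRUSTED_NETWORKS)
    blocks = []
    for prefix in PROTECTED_PREFIXES:
        blocks.append(
            f"    location ^~ {prefix} {{\n{allows}\n        deny all;\n"
            f"        proxy_pass http://alfresco_backend;\n    }}")
    return "\n".join(blocks)


if __name__ == "__main__":
    for path, ip in (("/alfresco/service/api/people", "203.0.113.7"),
                     ("/share/page/site/docs/dashboard", "203.0.113.7"),
                     ("/share/../alfresco/proxy/alfresco/api/people", "203.0.113.7")):
        print(f"{decide(path, ip):5} {ip} {path}")
    print(nginx_snippet())
```

Prefix matching is deliberately broad (it also covers a path such as /alfresco/servicex), which errs toward blocking; keep the trusted ranges tight, since the frontend sees only the source address and the rule is only as good as the network design behind it.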
Architecture Best Practices 2
Architecture Best Practices 3
AWS sample
Backup and Disaster Recovery
• White Paper: http://slidesha.re/1o1HUY9
Mobile Security
• File protection: encryption when locked
• HTTPS
• Certificate authentication
• MDM: Alfresco for Good (iOS), MobileIron (Android)
• MDM next version: Symantec Sealed (Android), Citrix Worx, MobileIron (iOS)
Security Compliance & Standards
• DoD 5015.2
• OWASP Top 10
• HIPAA
• FISMA
• FedRAMP
• ISO 27001
• PCI-DSS
Finally, a review:
Alfresco Security Checklist
List of Alfresco third party components
Now… Yes! That’s all folks!
Questions? Suggestions? Complaints? Beers?
Thanks
Toni de la Fuente
Principal Solutions Engineer
toni.delafuente@alfresco.com
@ToniBlyx – blyx.com

More Related Content

What's hot

What's hot (20)

Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for Alfresco
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
 
Upgrading to Alfresco 6
Upgrading to Alfresco 6Upgrading to Alfresco 6
Upgrading to Alfresco 6
 
Intro to the Alfresco Public API
Intro to the Alfresco Public APIIntro to the Alfresco Public API
Intro to the Alfresco Public API
 
Alfresco tuning part1
Alfresco tuning part1Alfresco tuning part1
Alfresco tuning part1
 
Alfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zonesAlfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zones
 
Alfresco tuning part2
Alfresco tuning part2Alfresco tuning part2
Alfresco tuning part2
 
Alfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White PaperAlfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White Paper
 
The Alfresco ECM 1 Billion Document Benchmark on AWS and Aurora - Benchmark ...
The Alfresco ECM 1 Billion Document Benchmark on AWS and Aurora  - Benchmark ...The Alfresco ECM 1 Billion Document Benchmark on AWS and Aurora  - Benchmark ...
The Alfresco ECM 1 Billion Document Benchmark on AWS and Aurora - Benchmark ...
 
From zero to hero Backing up alfresco
From zero to hero Backing up alfrescoFrom zero to hero Backing up alfresco
From zero to hero Backing up alfresco
 
Oracle GoldenGate入門
Oracle GoldenGate入門Oracle GoldenGate入門
Oracle GoldenGate入門
 
Metadata Extraction and Content Transformation
Metadata Extraction and Content TransformationMetadata Extraction and Content Transformation
Metadata Extraction and Content Transformation
 
Moving From Actions & Behaviors to Microservices
Moving From Actions & Behaviors to MicroservicesMoving From Actions & Behaviors to Microservices
Moving From Actions & Behaviors to Microservices
 
Scale your Alfresco Solutions
Scale your Alfresco Solutions Scale your Alfresco Solutions
Scale your Alfresco Solutions
 
Alfresco tuning part1
Alfresco tuning part1Alfresco tuning part1
Alfresco tuning part1
 
Alfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in ActionAlfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in Action
 
Bulk Export Tool for Alfresco
Bulk Export Tool for AlfrescoBulk Export Tool for Alfresco
Bulk Export Tool for Alfresco
 
Moving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco RepositoryMoving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco Repository
 

Similar to Alfresco Security Best Practices 2014

XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
Balazs Bucsay
 

Similar to Alfresco Security Best Practices 2014 (20)

Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
 
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019
 
Alfresco Tech Talk Live 106
Alfresco Tech Talk Live 106Alfresco Tech Talk Live 106
Alfresco Tech Talk Live 106
 
How fluentd fits into the modern software landscape
How fluentd fits into the modern software landscapeHow fluentd fits into the modern software landscape
How fluentd fits into the modern software landscape
 
voip_en
voip_envoip_en
voip_en
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
 
Scanning & Penetration Testing
Scanning & Penetration Testing Scanning & Penetration Testing
Scanning & Penetration Testing
 
Faraday Blackhat 2011 Arsenal
Faraday Blackhat 2011 ArsenalFaraday Blackhat 2011 Arsenal
Faraday Blackhat 2011 Arsenal
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 

More from Toni de la Fuente

Monitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/IcingaMonitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/Icinga
Toni de la Fuente
 
Alfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - CommunityAlfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - Community
Toni de la Fuente
 
Alfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - ActivitiAlfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - Activiti
Toni de la Fuente
 
Alfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASSAlfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASS
Toni de la Fuente
 

More from Toni de la Fuente (20)

SANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceSANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a Service
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a Service
 
Alfresco DevCon 2018: From Zero to Hero Backing up Alfresco
Alfresco DevCon 2018: From Zero to Hero Backing up AlfrescoAlfresco DevCon 2018: From Zero to Hero Backing up Alfresco
Alfresco DevCon 2018: From Zero to Hero Backing up Alfresco
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Seguridad en Internet para todos los públicos
Seguridad en Internet para todos los públicosSeguridad en Internet para todos los públicos
Seguridad en Internet para todos los públicos
 
Alfresco security best practices CHECK LIST ONLY
Alfresco security best practices CHECK LIST ONLYAlfresco security best practices CHECK LIST ONLY
Alfresco security best practices CHECK LIST ONLY
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices Guide
 
Alfresco One (Enterprise) vs Alfresco Community 2014
Alfresco One (Enterprise) vs Alfresco Community 2014Alfresco One (Enterprise) vs Alfresco Community 2014
Alfresco One (Enterprise) vs Alfresco Community 2014
 
Alfresco Backup and Recovery Tool: a real world backup solution for Alfresco
Alfresco Backup and Recovery Tool: a real world backup solution for AlfrescoAlfresco Backup and Recovery Tool: a real world backup solution for Alfresco
Alfresco Backup and Recovery Tool: a real world backup solution for Alfresco
 
Comparativa entre Alfresco Enterprise vs Community
Comparativa entre Alfresco Enterprise vs Community Comparativa entre Alfresco Enterprise vs Community
Comparativa entre Alfresco Enterprise vs Community
 
Monitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/IcingaMonitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/Icinga
 
Nuevo Alfresco Records Management 2.0
Nuevo Alfresco Records Management 2.0Nuevo Alfresco Records Management 2.0
Nuevo Alfresco Records Management 2.0
 
Consejos de seguridad con Alfresco
Consejos de seguridad con AlfrescoConsejos de seguridad con Alfresco
Consejos de seguridad con Alfresco
 
Alfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolAlfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en español
 
Alfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - CommunityAlfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - Community
 
Alfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - ActivitiAlfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - Activiti
 
Alfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASSAlfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASS
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 

Recently uploaded (20)

Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 

Alfresco Security Best Practices 2014

  • 1. Alfresco Security Best Practices Toni de la Fuente! Principal Solutions Engineer toni.delafuente@alfresco.com @ToniBlyx – blyx.com #AlfrescoSecurity
  • 2. “Some&mes, you have to demo a threat to spark a solu&on” Barnaby Jack, 1977-­‐2013
  • 3. How to solve all your problems: @ToniBlyx #AlfrescoSecurity UPGRADE!!
  • 4. That’s all folks! THANKS @ToniBlyx #AlfrescoSecurity
  • 5. Agenda • Demo • Alfresco Security Policy • Elements • External Threats • Vulnerabilities Assessment • Network and Operating System • Implementation Best Practices • Architecture • Mobile • Compliance and Standards
  • 6. The Guide • Alfresco Security Best Practices Guide! • https://my.alfresco.com/ share/s/ 85CnNsR0ROaSV0Bwm KWncg @ToniBlyx #AlfrescoSecurity
  • 7. User Adoption Security!Open, Modern @ToniBlyx #AlfrescoSecurity Architecture! SIMPLE/CONNECTED Integral support for mobile workers and external partners, interface built with the end user in mind vs. IT, seamlessly integrated with today’s most common productivity tools CONTROLLED Enterprise-grade security, easy compliance policy definition and enforcement, fully compliant SIMPLE/SMART/CONNECTED Enterprise-grade, hybrid, open-source, flexible architecture that meets today’s IT demands Open integration interface, ease of administration, allow IT org to integrate with other LOB applications, support for open standards Alfresco Value Pillars Content Encryption Records Mgmt. MDM Certification
  • 8. Alfresco Security Policy • Issues Discovery! • Security Notifications! • Severity Levels! • High • Medium • Low • Reporting a Security Issue to us! • support@alfresco.com @ToniBlyx #AlfrescoSecurity
  • 9. Alfresco Security Components: Deployment • People! • Process! • Alfresco application:! • Patches, HF, Upgrades, Features • JVM! • Operating System! • Firewall! @ToniBlyx #AlfrescoSecurity • Network configuration! • Virtualization infrastructure! • Network infrastructure! • Physical infrastructure! • Physical security! • Facilities!
  • 10. AWS Shared Security Model, A Good Reference @ToniBlyx #AlfrescoSecurity
  • 11. Multiple External Threats 1 Discovery, gathering information and information leaks:! • Search tools • Google, Bing, Shodan • Gathering info • FOCA, metagoofil, theharvester, maltego • Manual discovery • Nmap, others @ToniBlyx #AlfrescoSecurity Protection:! • IDS • Banner • Filter access to resources • Clean metadata
  • 12. Multiple External Threats 2 Brute force user and password or dictionary attacks:! • Online tools • Hydra • Metasploit @ToniBlyx #AlfrescoSecurity Protection:! • IDS • Password rotation • Password strength policy • Error login threshold • Prevent DoS
  • 13. Multiple External Threats 3 Man In the Middle Attacks: and DDoS/DoS:! • Multiple ways • Complex to protect @ToniBlyx #AlfrescoSecurity Protection:! • Architecture design • Encryption • Certificate strenght • Firewalls (network, host and application level) • IDS/IPS • AlfViral • Corporate-Network solutions – ATP • Monitoring Viruses:! • Content • All tiers
  • 14. Source of Vulnerabilities Public Sources! • CVE-2014-0050: Apache Commons FileUpload • CVE-2014-0125: Moodle • Bugtraq ID 37578: Joomla @ToniBlyx #AlfrescoSecurity Internal Sources! • *MNT-11793: SSRF, port scanning • CVE-2014-2939: XSS • MNT-10540: Share remote execution • *MNT-10539: Xerces / POI
  • 15. Hardening Network and Operating System @ToniBlyx #AlfrescoSecurity
  • 16. Network and Operating System • Network! • Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices. • OS! • RedHat, Ubuntu, Suse • Solaris • Windows Server @ToniBlyx #AlfrescoSecurity • File permissions! • alfresco-global. properties • dir_root/contentstore • dir_root/solr • dir_root/lucene-indexes • Minimum privileges! • Port redirect!
  • 17. Firewall: Inbound ports Protocol/Service, Port, TCP/UDP, IN/OUT, Active, Comments, HTTP, 8080# TCP# IN# Yes# WebDav#included# FTP, 21# TCP# IN# Yes# Passive#mode# SMTP, 25# TCP# IN# No# # CIFS, 137,138# UDP# IN# Yes# # CIFS, 139,445# TCP# IN# Yes# # IMAP, 143# or# @ToniBlyx #AlfrescoSecurity 993# TCP# IN# No# # SharePoint,,Protocol, 7070# TCP# IN# Yes# # Tomcat,Admin, 8005# TCP# IN# Yes# Unless#is#necessary,#do#not#open#this#port#at#the# firewall# Tomcat,AJP, 8009# TCP# IN# Yes# Unless#is#necessary,#do#not#open#this#port#at#the# firewall# SOLR,Admin, 8443# TCP# IN# Yes# If#used#to#admin#Solr,#cert#has#to#be#installed#in# browser.#Otherwise#take#it#in#to#account#in#case# of# using# a# dedicated# Index# Server,# Alfresco# repository#server#must#have#access#to#this#port# IN#and#OUT# NFS, 111,2049# TCP/UDP# IN# No# This#is#the#repository#service#NFS#as#VFS# RMI, 50500S 50507# TCP# IN# Yes# Used#for#JMX#management.#Unless#is#necessary,# do#not#open#this#port#at#the#firewall# Hazelcast, 5701# TCP# IN# No# Used# by# hazelcast# to# exchange# information# between#cluster#nodes#from#4.2## JGroups, 7800# TCP# IN# No# Cluster#discovery#between#nodes#before#4.2# JGroups, 7801S 7802# TCP# IN# No# Traffic# Ehcache# RMI# between# cluster# nodes# before#4.2.# OpenOffice/JODconverter, 8100# TCP# IN# Yes# It# works# in# localhost,# do# not# open# it# at# the# firewall# #
  • 18. Firewall: Outbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
| DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB |
| DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB |
| DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB |
| DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB |
| DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB |
| LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes |
| Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore |
| Remote storage CIFS | 137,138 (UDP); 139,145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore |
| Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |
| Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using Alfresco Publishing Framework or Site blog publishing |
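Added example, not part of the deck and not Alfresco tooling: a check that reads `ss -ltn`-style output and flags the ports the inbound table says to keep closed at the firewall or local only (Tomcat Admin 8005, Tomcat AJP 8009, RMI/JMX 50500-50507, JODConverter 8100) whenever they are bound to a non-loopback address. The socket listing below is constructed.

```python
import ipaddress

# Ports the inbound table marks "do not open at the firewall" or "works on localhost".
LOCAL_ONLY_PORTS = {
    8005: "Tomcat Admin",
    8009: "Tomcat AJP",
    8100: "OpenOffice/JODConverter",
    **{p: "RMI/JMX" for p in range(50500, 50508)},
}

def parse_ss_listeners(text):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                      # header or non-listening socket
        addr, _, port = parts[3].rpartition(":")   # e.g. 0.0.0.0:8009 or [::]:50500
        yield addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds (*, 0.0.0.0, ::) are exposed."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_management_ports(ss_output):
    """Sorted (port, service) pairs for management ports reachable beyond localhost."""
    findings = set()
    for addr, port in parse_ss_listeners(ss_output):
        if port in LOCAL_ONLY_PORTS and not is_loopback(addr):
            findings.add((port, LOCAL_ONLY_PORTS[port]))
    return sorted(findings)

# Constructed sample: AJP and the first RMI port bound to all interfaces,
# the Tomcat shutdown port and JODConverter correctly on loopback.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    127.0.0.1:8005      0.0.0.0:*
LISTEN 0      100    0.0.0.0:8009        0.0.0.0:*
LISTEN 0      100    *:8080              *:*
LISTEN 0      50     [::]:50500          [::]:*
LISTEN 0      50     127.0.0.1:8100      0.0.0.0:*
"""

if __name__ == "__main__":
    for port, service in exposed_management_ports(SAMPLE_SS):
        print(f"port {port} ({service}) is bound beyond localhost; block it at the firewall")
```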
  • 19. Alfresco Implementation Best Practices
  • 20. Best Practices 1
    • Stay current
      • Service Packs, HF
    • Never run as root
    • Switch to SSL
      • HTTPS (Share, WebDAV, API, etc.)
      • App Server, Web Server, Appliance
      • SharePoint Protocol
      • IMAPS
      • SMTP Inbound TLS
      • SMTP Outbound TLS
      • FTPS
      • LDAPS connection
      • Consider Hazelcast or JGroups / DB Connection
    • Permissions inheritance
    • Custom roles
    • Review your logs
    • Change JMX default credentials
  • 21. Best Practices 2
    • Audit
      • Enable it if needed
      • Easy to query audit records with curl
      • Easier in RM
    • Alfresco Support Tools
      • Get to know connected users, besides other tools
    • Get to know how to reset the admin password
    • Control ticket session duration
    • Disable unneeded services
    • Disable guest user
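Added example, not from the deck and not Alfresco tooling: a reviewer for alfresco-global.properties that covers the items on the two Best Practices slides that map to properties (switch to SSL, disable guest user, control ticket session duration, disable unneeded services). It assumes the standard Alfresco 4.x property names used in the code; the sample file is constructed.

```python
import re

# Services the deck says to disable when unneeded (standard Alfresco 4.x keys).
OPTIONAL_SERVICES = {
    "ftp.enabled": "FTP",
    "cifs.enabled": "CIFS",
    "nfs.enabled": "NFS",
    "imap.server.enabled": "IMAP",
    "email.inbound.enabled": "inbound SMTP",
}

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def review_properties(text, needed_services=()):
    """Return sorted findings; needed_services lists labels that are legitimately on."""
    p = parse_properties(text)
    on = lambda key, default: p.get(key, default).lower() == "true"
    findings = []
    for key in ("alfresco.protocol", "share.protocol"):            # "Switch to SSL"
        if p.get(key, "http").lower() != "https":                  # Alfresco defaults to http
            findings.append(f"{key} is not https")
    if on("alfresco.authentication.allowGuestLogin", "false"):     # "Disable guest user"
        findings.append("guest login is enabled")
    if not on("authentication.ticket.ticketsExpire", "false"):     # "Control ticket session duration"
        findings.append("authentication tickets never expire")
    for key, label in OPTIONAL_SERVICES.items():                   # "Disable unneeded services"
        if on(key, "false") and label not in needed_services:
            findings.append(f"{label} is enabled but not listed as needed")
    return sorted(findings)

# Constructed sample alfresco-global.properties (not from a real deployment).
SAMPLE_PROPERTIES = """
# constructed sample
alfresco.protocol=http
share.protocol=https
alfresco.authentication.allowGuestLogin=true
authentication.ticket.ticketsExpire=true
ftp.enabled=true
imap.server.enabled=true
"""
```

Calling `review_properties(SAMPLE_PROPERTIES, needed_services={"IMAP"})` reports the plain-HTTP repository URL, guest login and the FTP service; IMAP is accepted because it was declared needed.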
  • 22. Best Practices: content deletion
    • Node deletion lifecycle
    • Why is it important?
  • 23. More about node deletion
    • Delete content when it is deleted
    • Trashcan cleaner
    • Records Management
    • Wipe content
  • 24. Alfresco Share Security
    • Cross-Site Request Forgery (CSRF) filters
    • Clickjacking mitigation
    • Iframes and phishing attack mitigation
    • Share HTML processing black/white list
    • Site creation control
    • Filter document actions by user or role
    • Filter workflow by user or role
    • Change default Share session timeout
  • 25. Architecture Best Practices 1
    • Frontends
      • Protect URLs
        • Apache, Nginx, HAProxy
        • /alfresco/service
        • /share/service
        • /alfresco/proxy
        • /alfresco/cmisbrowser
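Added example, not a proxy configuration and not from the deck: the matching rule a front end has to enforce for the URLs listed above, written out in Python to show why it must run on the normalised path rather than on the raw request line. The webscript aliases /alfresco/s, /alfresco/wcs and /alfresco/wcservice are my addition; they are not on the slide.

```python
import posixpath
from urllib.parse import unquote

# Paths the slide says to protect at the front end, plus the webscript aliases
# (/alfresco/s, /alfresco/wcs, /alfresco/wcservice), which are not on the slide
# but reach the same runtime and therefore need the same rule.
PROTECTED_PREFIXES = (
    "/alfresco/service", "/alfresco/s",
    "/alfresco/wcservice", "/alfresco/wcs",
    "/share/service",
    "/alfresco/proxy",
    "/alfresco/cmisbrowser",
)

def normalise_path(path):
    """Drop the query string, percent-decode, then collapse '//', '.' and '..'.

    A rule that compares the raw request line misses '//alfresco/service',
    '/alfresco/./service' and '/alfresco/%2e%2e/alfresco/service'.
    """
    decoded = unquote(path.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/"))   # lstrip: normpath keeps '//'

def is_protected(path):
    """True if the normalised path equals, or lies below, a protected prefix."""
    norm = normalise_path(path)
    return any(norm == p or norm.startswith(p + "/") for p in PROTECTED_PREFIXES)

def decide(path, client_is_internal):
    """Front-end policy: protected paths are served only to internal clients."""
    return "deny" if is_protected(path) and not client_is_internal else "allow"

if __name__ == "__main__":
    # Constructed requests from an external client: the first three must be denied.
    for req in ("/alfresco/service/api/people", "//alfresco/service",
                "/share/page/../service/x", "/share/page/site/x"):
        print(f"{req:32} -> {decide(req, client_is_internal=False)}")
```

Treat this as the rule to express in Apache, Nginx or HAProxy, not as their configuration, and confirm the proxy's own location matching handles the same encodings before relying on it.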
  • 26. Architecture Best Practices 2
  • 27. Architecture Best Practices 3
  • 29. Backup and Disaster Recovery
    • White Paper
      • http://slidesha.re/1o1HUY9
  • 30. Mobile Security
    • File Protection
      • Encryption when locked
    • HTTPS
    • Certificate Authentication
    • MDM
      • Alfresco for Good (iOS)
      • MobileIron (Android)
    • MDM next version
      • Symantec Sealed (Android)
      • Citrix Worx
      • MobileIron (iOS)
  • 31. Security Compliance & Standards
    • DoD 5015.2
    • OWASP
      • Top 10
    • HIPAA
    • FISMA
    • FedRAMP
    • ISO 27001
    • PCI-DSS
  • 32. Finally, a review:
  • 33. Alfresco Security Checklist
  • 34. List of Alfresco third party components
  • 35. Now… Yes! That’s all folks! Questions? Suggestions? Complaints? Beers?
  • 36. Thanks
    @ToniBlyx #AlfrescoSecurity
    Toni de la Fuente, Principal Solutions Engineer
    toni.delafuente@alfresco.com
    @ToniBlyx – blyx.com