The document provides an overview of Drupal security, highlighting the importance of protecting website data from unauthorized access, modification, and destruction. It outlines various attack vectors, reinforces the need to keep Drupal updated, and suggests best practices for configuring database users, utilizing HTTPS, and implementing security modules. Additionally, it emphasizes precautions for file uploads, firewall usage, and overall site security maintenance.

1. Intro into
Drupal Security
@CashWilliams
http://CashWilliams.com

2. What is Security

3. What is Security
• Protecting website data

4. What is Security
• Protecting website data
• Protecting from unauthorized access

5. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification

6. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification
• Protecting from destruction

7. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification
• Protecting from destruction
• Maintaining access to the data

8. Attack Vectors

9. Attack Vectors
• Drupal Vulnerabilities

10. Attack Vectors
• Drupal Vulnerabilities
• XSS

11. Attack Vectors
• Drupal Vulnerabilities
• XSS
• Access Bypass

12. Attack Vectors
• Drupal Vulnerabilities
• XSS
• Access Bypass
• CSRF

13. Attack Vectors
• Drupal Vulnerabilities
• XSS
• Access Bypass
• CSRF
• SQL Injection

14. Other Attack Vectors

15. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)

16. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System

17. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server

18. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP

19. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP
• MySQL

20. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP
• MySQL
• Javascript (Theme, WYSIWYG, etc...)

21. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re
not going to cover)
• Operating System
• Web Server
• PHP
• MySQL
• Javascript (Theme, WYSIWYG, etc...)
• Authentication (Facebook, OpenID...)

22. Keep Up to Date
• How to stay informed (Drupal)
• Signup for emails from Security Team
• RSS Feed
• Twitter
• Update Status module - with email
setting

23. Security announcements
from Drupal.org

24. RSS Feeds from
Drupal.org
• http://drupal.org/node/406142
• http://drupal.org/security/rss.xml
• http://drupal.org/security/contrib/
rss.xml
• http://drupal.org/security/psa/rss.xml

25. Drupal Security from
Twitter

26. Update Status Module
• Enable the ‘Update status’ module from
the modules page
/admin/build/modules

27. Update Status Module
• Adjust the settings at
/admin/reports/updates/settings

28. Database Users

29. Database Users
• Use different database users for each site
you run

30. Database Users
• Use different database users for each site
you run
• Only give needed permissions on proper
database

31. Database Users
• Use different database users for each site
you run
• Only give needed permissions on proper
database
• Limit hosts a user can connect from
(‘username’@‘localhost’)

32. Database Users
• Use different database users for each site
you run
• Only give needed permissions on proper
database
• Limit hosts a user can connect from
(‘username’@‘localhost’)
• Don’t use root!

33. HTTPS

34. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks

35. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module

36. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module
• OR .htaccess rule to redirect all traffic

37. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module
• OR .htaccess rule to redirect all traffic
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
php_value session.cookie_secure 1

38. Security Modules

39. Security Modules
• securepages &
securepages_prevent_hijack

40. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy

41. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review

42. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)

43. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)
• login_security (Drupal 6 only)

44. Security Modules
• securepages &
securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)
• login_security (Drupal 6 only)
• paranoia

45. Secure Pages & Secure
Pages Prevent Hijack
• http://drupal.org/project/securepages
• http://drupal.org/project/
securepages_prevent_hijack (Drupal 6
only)
• Redirects selected pages to use SSL
• Protects a few common pages by default
• Drupal 6 needs session hijack prevention

46. Password Policy
• http://drupal.org/project/
password_policy
• Allows site builders to define a password
complexity level for users
• Also implements a password expiration
feature

47. Security Review
• http://drupal.org/project/
security_review
• Checklist for site security integrated into
your site
• Still relies on you to do the manual work

48. Salt
• http://drupal.org/project/salt
• Adds ‘salt’ to passwords stored in the
database
• Helps fight against dictionary attacks on
password dump
• Not needed for Drupal 7

49. Paranoia
• http://drupal.org/project/paranoia
• Disables granting of the "use PHP for
block visibility" permission
• Disables creation of input formats that
use the PHP filter
• Disables editing the user #1 account
• Disables disabling itself

50. Login Security

51. Login Security
• http://drupal.org/project/login_security
• Drupal 6 only (Built in to Drupal 7 core)
• Limit the number of invalid login
attempts
• Can lock user accounts based on login
failures

52. Input Formats/Filters

53. Input Formats/Filters
• Default Input filter = EVERYONE has
access
• Better Formats module (Only needed for
Drupal 6)
• Some type of filtered input should be
default

54. Input Formats/Filters

55. Input Formats/Filters
• Use HTML filter
• Configure allowed tags
• Dangerous - SCRIPT, IMG, IFRAME, EMBED,
OBJECT, INPUT, LINK, STYLE, META, FRAMESET,
DIV, BASE, TABLE, TR, TD
• WYSIWYG editors - Don’t allow all tags

56. Input Formats/Filters
• PHP Filter module (comes in core)
• Don’t use it!
• Some recommend removing the module
from the code base
• If you do use it, make sure you know who
has access

57. File Uploads
• Don’t allow unsafe uploads
• Both core file uploads and fields/cck files

58. Protect Drupal from
Outside

59. Protect Drupal from
Outside
• Use a firewall to deny access

60. Protect Drupal from
Outside
• Use a firewall to deny access
• Deny access at the web server

61. Protect Drupal from
Outside
• Use a firewall to deny access
• Deny access at the web server
<LocationMatch "/(user|login|admin)/">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
#Example Network 1
Allow from 165.91.200.0/255.255.252.0
...
</LocationMatch>

62. Other Gotchas

63. Other Gotchas
• Settings.php
• ONLY web server needs read access to this
file
• Should not be writable

64. Other Gotchas
• Settings.php
• ONLY web server needs read access to this
file
• Should not be writable
• Leaving a sql dump in a web accessible folder

65. Other Gotchas
• Settings.php
• ONLY web server needs read access to this
file
• Should not be writable
• Leaving a sql dump in a web accessible folder
• Don’t e-mail passwords
• !password token

66. Security Reviews

67. Security Reviews
• Custom Security Review
• https://www.acquia.com/products-
services/acquia-professional-services/
service-offerings