The document discusses Alfresco security best practices. It covers topics such as hardening the network and operating system, implementing firewall rules, assessing vulnerabilities, and compliance with standards. Best practices for the Alfresco implementation include staying current with patches, enforcing strong permissions, and deleting content when it is removed. The document provides an overview of security considerations for the Alfresco architecture, mobile access, and other deployment aspects.

1. Alfresco Security Best
Practices
Toni de la Fuente!
Principal Solutions Engineer
toni.delafuente@alfresco.com
@ToniBlyx – blyx.com
#AlfrescoSecurity

2. “Some&mes,
you
have
to
demo
a
threat
to
spark
a
solu&on”
Barnaby
Jack,
1977-­‐2013

3. How to solve all your problems:
@ToniBlyx #AlfrescoSecurity
UPGRADE!!

4. That’s all folks!
THANKS
@ToniBlyx #AlfrescoSecurity

5. Agenda
• Demo
• Alfresco Security Policy
• Elements
• External Threats
• Vulnerabilities Assessment
• Network and Operating System
• Implementation Best Practices
• Architecture
• Mobile
• Compliance and Standards

6. The Guide
• Alfresco Security Best
Practices Guide!
• https://my.alfresco.com/
share/s/
85CnNsR0ROaSV0Bwm
KWncg
@ToniBlyx #AlfrescoSecurity

7. User Adoption
Security!Open, Modern
@ToniBlyx #AlfrescoSecurity
Architecture!
SIMPLE/CONNECTED
Integral support for mobile
workers and external partners,
interface built with the end user in
mind vs. IT, seamlessly integrated
with today’s most common
productivity tools
CONTROLLED
Enterprise-grade security, easy
compliance policy definition and
enforcement, fully compliant
SIMPLE/SMART/CONNECTED
Enterprise-grade, hybrid,
open-source, flexible architecture that
meets today’s IT demands
Open integration interface, ease of
administration, allow IT org to
integrate with other LOB applications,
support for open standards
Alfresco Value Pillars
Content Encryption
Records Mgmt.
MDM Certification

8. Alfresco Security Policy
• Issues Discovery!
• Security Notifications!
• Severity Levels!
• High
• Medium
• Low
• Reporting a Security Issue to us!
• support@alfresco.com
@ToniBlyx #AlfrescoSecurity

9. Alfresco Security Components:
Deployment
• People!
• Process!
• Alfresco application:!
• Patches, HF,
Upgrades,
Features
• JVM!
• Operating System!
• Firewall!
@ToniBlyx #AlfrescoSecurity
• Network configuration!
• Virtualization
infrastructure!
• Network infrastructure!
• Physical infrastructure!
• Physical security!
• Facilities!

10. AWS Shared Security Model,
A Good Reference
@ToniBlyx #AlfrescoSecurity

11. Multiple External Threats 1
Discovery, gathering
information and
information leaks:!
• Search tools
• Google, Bing, Shodan
• Gathering info
• FOCA, metagoofil,
theharvester, maltego
• Manual discovery
• Nmap, others
@ToniBlyx #AlfrescoSecurity
Protection:!
• IDS
• Banner
• Filter access to
resources
• Clean metadata

12. Multiple External Threats 2
Brute force user and
password or dictionary
attacks:!
• Online tools
• Hydra
• Metasploit
@ToniBlyx #AlfrescoSecurity
Protection:!
• IDS
• Password rotation
• Password strength policy
• Error login threshold
• Prevent DoS

13. Multiple External Threats 3
Man In the Middle Attacks:
and DDoS/DoS:!
• Multiple ways
• Complex to protect
@ToniBlyx #AlfrescoSecurity
Protection:!
• Architecture design
• Encryption
• Certificate strenght
• Firewalls (network, host
and application level)
• IDS/IPS
• AlfViral
• Corporate-Network
solutions – ATP
• Monitoring
Viruses:!
• Content
• All tiers

14. Source of Vulnerabilities
Public Sources!
• CVE-2014-0050: Apache
Commons FileUpload
• CVE-2014-0125: Moodle
• Bugtraq ID 37578: Joomla
@ToniBlyx #AlfrescoSecurity
Internal Sources!
• *MNT-11793: SSRF, port
scanning
• CVE-2014-2939: XSS
• MNT-10540: Share remote
execution
• *MNT-10539: Xerces / POI

15. Hardening Network and
Operating System
@ToniBlyx #AlfrescoSecurity

16. Network and Operating System
• Network!
• Firewalls, IDS, IPS, APT,
Web Application
Firewalls, Antiviruses,
DDoS/DoS protection
devices.
• OS!
• RedHat, Ubuntu, Suse
• Solaris
• Windows Server
@ToniBlyx #AlfrescoSecurity
• File permissions!
• alfresco-global.
properties
• dir_root/contentstore
• dir_root/solr
• dir_root/lucene-indexes
• Minimum privileges!
• Port redirect!

17. Firewall:
Inbound
ports
Protocol/Service, Port, TCP/UDP, IN/OUT, Active, Comments,
HTTP, 8080# TCP# IN# Yes# WebDav#included#
FTP, 21# TCP# IN# Yes# Passive#mode#
SMTP, 25# TCP# IN# No# #
CIFS, 137,138# UDP# IN# Yes# #
CIFS, 139,445# TCP# IN# Yes# #
IMAP, 143# or#
@ToniBlyx #AlfrescoSecurity
993#
TCP# IN# No# #
SharePoint,,Protocol, 7070# TCP# IN# Yes# #
Tomcat,Admin, 8005# TCP# IN# Yes# Unless#is#necessary,#do#not#open#this#port#at#the#
firewall#
Tomcat,AJP, 8009# TCP# IN# Yes# Unless#is#necessary,#do#not#open#this#port#at#the#
firewall#
SOLR,Admin, 8443# TCP# IN# Yes# If#used#to#admin#Solr,#cert#has#to#be#installed#in#
browser.#Otherwise#take#it#in#to#account#in#case#
of# using# a# dedicated# Index# Server,# Alfresco#
repository#server#must#have#access#to#this#port#
IN#and#OUT#
NFS, 111,2049# TCP/UDP# IN# No# This#is#the#repository#service#NFS#as#VFS#
RMI, 50500S
50507#
TCP# IN# Yes# Used#for#JMX#management.#Unless#is#necessary,#
do#not#open#this#port#at#the#firewall#
Hazelcast, 5701# TCP# IN# No# Used# by# hazelcast# to# exchange# information#
between#cluster#nodes#from#4.2##
JGroups, 7800# TCP# IN# No# Cluster#discovery#between#nodes#before#4.2#
JGroups, 7801S
7802#
TCP# IN# No# Traffic# Ehcache# RMI# between# cluster# nodes#
before#4.2.#
OpenOffice/JODconverter, 8100# TCP# IN# Yes# It# works# in# localhost,# do# not# open# it# at# the#
firewall#
#

18. Firewall:
Outbound
ports
@ToniBlyx #AlfrescoSecurity
Protocol/Service, Port, TCP/UDP, IN/OUT, Active, Comments,
SMTP, 25# TCP# OUT# No# If# you# want# Alfresco# to# send# notifications,#
invitations,#tasks,#etc.#Open#this#port#from#Alfresco#
to#your#corporate#MTA#
DB,–,PostgreSQL, 5432# TCP# OUT# Yes*# It#depends#on#the#DB#
DB,–,MySQL, 3306# TCP# OUT# Yes*# It#depends#on#the#DB#
DB,–,MS,SQL,Server, 1433# TCP# OUT# Yes*# It#depends#on#the#DB#
DB,–,Oracle, 1521# TCP# OUT# Yes*# It#depends#on#the#DB#
DB,–,DB2, 50000# TCP# OUT# Yes*# It#depends#on#the#DB#
LDAP,or,AD, 396# TCP# OUT# No# If#needed#for#authentication#and#synchronization#
LDAPS,or,AD, 636# TCP# OUT# No# If#needed#for#authentication#and#synchronization#
docs.google.com, 443# TCP# OUT# No# #
JGroups, 7800P
7802#
TCP# OUT# No# If#clustered#before#4.2,#only#between#nodes.#
Hazelcast, 5701# TCP# IN# No# Used# by# hazelcast# to# exchange# information#
between# cluster# nodes# from# 4.2,# only# between#
nodes.#
Remote,storage,NFS,, 111,2049# TCP/UDP# OUT# No# If#a#remote#NFS#drive#is#used#as#contentstore#
Remote,storage,CIFS, 137,138#
139,145#
UDP#
TCP#
OUT# No# If#a#remote#CIFS#drive#is#used#as#contentstore#
Amazon,S3, 443# TCP# OUT# No# In#case#Alfresco#is#deployed#in#AWS#and#Amazon#S3#
is#used#as#contentstore##
Alfresco,Transformation,
Server,
80,443# or#
8080,844
3#
TCP# OUT# No# In#case#a#remote#Alfresco#Transformation#Server#is#
used#
Alfresco,FSTR, 8080# TCP# OUT# No# In# case# of# using# a# remote# Alfresco# File# System#
Transfer#Receiver#
Alfresco,Remote,Server, 8080# or#
8443#
TCP# OUT# No# In# case# of# using# Alfresco# Replication# Service#
between#Alfresco#servers#
Kerberos, 88# TCP/UDP# OUT# No# In#case#Kerberos#SSO#is#required#
Third,Party,SSO, 443# TCP# OUT# No# Third#party#SSO#services#
DNS, 53# UDP# OUT# Yes# Name#resolution#service#
Facebook,,Twitter,,
LinkedIn,,Slideshare,,
Youtube,,Flickr,,Wordpress,
or,Typepad,
80#or#443# TCP# OUT# No# In# case# of# using#Alfresco# Publishing# Framework# or#
Site#blog#publishing#
#

19. Alfresco Implementation Best
Practices
@ToniBlyx #AlfrescoSecurity

20. Best Practices 1
• Stay current!
• Service Packs, HF
• Never run as root!
• Switch to SSL!
• HTTPS (Share, Webdav,
API, etc.)
• App Server, Web Server, Appliance
• SharePoint Protocol
• IMAPS
• SMTP Inbound TLS
• SMTP Outbound TLS
@ToniBlyx #AlfrescoSecurity
• FTPs
• LDAPS connection
• Consider Hazelcast or
Jgroups / DB
Connection
• Permissions
inheritance !
• Custom roles!
• Review your logs!
• Change JMX
default credentials!

21. Best Practices 2
• Audit!
• Enable it if needed
• Easy to query audit
records with curl
• Easier in RM
• Alfresco Support
Tools!
• Get to know
connected users
besides other tools
@ToniBlyx #AlfrescoSecurity
• Get to know how
to reset admin
password!
• Control ticket
session duration!
• Disable unneeded
services!
• Disable guest user!

22. Best Practices: content deletion
• Node deletion lifecycle!
• Why is important?
@ToniBlyx #AlfrescoSecurity

23. More about node deletion
• Delete content when it is deleted!
• Trashcan cleaner!
• Records Management!
• Wipe content!
@ToniBlyx #AlfrescoSecurity

24. Alfresco Share Security
• Cross-Site Request
Fogery (CSRF) filters!
• Clickjacking
mitigation!
• Iframes and phising
attack mitigation!
• Share HTML
processing black/
white list!
• Site creation control!
@ToniBlyx #AlfrescoSecurity
• Filter document
actions by user or
role!
• Filter workflow by
user or role!
• Change default
Share session
timeout!

25. Architecture Best Practices 1
• Frontends!
• Protect URLs
• Apache, Nginx,
HAProxy
• /alfresco/service
• /share/service
• /alfresco/proxy
• /alfresco/cmisbrowser
@ToniBlyx #AlfrescoSecurity

26. Architecture
Best
Practices 2
@ToniBlyx #AlfrescoSecurity

27. Architecture Best Practices 3
@ToniBlyx #AlfrescoSecurity

28. @ToniBlyx #AlfrescoSecurity
AWS sample

29. Backup and Disaster Recovery
• White Paper!
• http://slidesha.re/
1o1HUY9
@ToniBlyx #AlfrescoSecurity

30. Mobile Security
• File Protection!
• Encryption when locked
• HTTPS!
• Certificate
Authentication!
• MDM!
• Alfresco for Good (iOS)
• MobileIron (Android)
@ToniBlyx #AlfrescoSecurity
• MDM next version!
• Symantec Sealed
(Android)
• Citrix Worx
• MobileIron (iOS)

31. Security Compliance & Standards
• DoD5015.2!
• OWASP!
• Top 10
• HIPPA!
• FISMA!
• FedREMP!
• ISO 27001!
• PCI-DSS!
@ToniBlyx #AlfrescoSecurity

32. Finally, a review:
@ToniBlyx #AlfrescoSecurity

33. Alfresco
Security
Checklist
@ToniBlyx #AlfrescoSecurity

34. List of
Alfresco
third party
components
@ToniBlyx #AlfrescoSecurity

35. Now… Yes!
That’s all folks!
Questions? Suggestions?
Complaints? Beers?
@ToniBlyx #AlfrescoSecurity

36. Thanks
@ToniBlyx #AlfrescoSecurity
Toni de la Fuente!
Principal Solutions Engineer
toni.delafuente@alfresco.com
@ToniBlyx – blyx.com