Alfresco Security Best Practices Guide


Alfresco Security Best Practices Guide, released at the Alfresco Summit 2014 (San Francisco and London)



Copyright 2014 by Alfresco and others. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Alfresco. The trademarks, service marks, logos, or other intellectual property rights of Alfresco and others used in this documentation ("Trademarks") are the property of Alfresco and their respective owners. The furnishing of this document does not give you license to these patents, trademarks, copyrights, or other intellectual property except as expressly provided in any written agreement from Alfresco. The United States export control laws and regulations, including the Export Administration Regulations of the U.S. Department of Commerce, and other applicable laws and regulations apply to this documentation which prohibit the export or re-export of content, products, services, and technology to certain countries and persons. You agree to comply with all export laws, regulations, and restrictions of the United States and any foreign agency or authority and assume sole responsibility for any such unauthorized exportation. You may not use this documentation if you are a competitor of Alfresco, except with Alfresco's prior written consent. In addition, you may not use the documentation for purposes of evaluating its functionality or for any other competitive purposes. This copyright applies to the current version of the licensed program.
Document History

VERSION  DATE        AUTHOR             DESCRIPTION OF CHANGE
0.1      23-Jul-14   Toni de la Fuente  Initial version
0.2      16-Sept-14  Toni de la Fuente  Version to review
0.3      18-Sept-14  Toni de la Fuente  Added Steve Rigby and Pete Philips suggestions
0.4      23-Sept-14  Toni de la Fuente  Added architecture info and made corrections. Sent to grammar review.
0.5      2-Oct-14    Toni de la Fuente  Added Martin Kappel corrections
0.6      2-Oct-14    Toni de la Fuente  Made Kimberly Watson grammar and style corrections
1.0      2-Oct-14    Toni de la Fuente  Version to release
Table of contents

INTRODUCTION ... 1
  AUDIENCE ... 1
  RELATED PUBLICATIONS ... 1
  HOW TO READ THIS GUIDE ... 2
  DISCLAIMER AND SCOPE ... 2
  ALFRESCO SECURITY POLICY ... 2
    Release of Security Notifications ... 3
    Severity Levels ... 3
    Reporting a Security Issue to Alfresco ... 4
  COMPONENTS TO CONSIDER ... 4
THE EXTERNAL AND INTERNAL PERSPECTIVE ... 5
  EXTERNAL THREATS ... 5
    Discovery, Information Gathering and Information Leaks ... 5
    Brute Force Username and Passwords Attacks ... 7
    MITM Attacks ... 8
    DOS and DDOS ... 8
    Viruses ... 9
  VULNERABILITIES ASSESSMENT ... 9
    Public Vulnerabilities ... 9
    Other Vulnerabilities ... 10
HARDENING THE NETWORK AND OPERATING SYSTEM ... 11
  NETWORK ... 11
  OS SECURITY ... 11
  CONFIGURING YOUR FIREWALL ... 12
    Inbound Ports ... 12
    Outbound Ports ... 13
    Port Redirect ... 14
  DETERMINING MINIMUM PRIVILEGES ... 14
ALFRESCO IMPLEMENTATION BEST PRACTICES ... 15
  STAY CURRENT ... 15
  DO NOT RUN THE APPLICATION SERVER AS ROOT ... 15
  REPOSITORY LEVEL SECURITY ... 15
    Enable SSL ... 15
    Understanding Roles and Permissions ... 19
    Custom Roles ... 20
    Audit ... 20
    Reset Admin Password ... 22
    Ticket Session Duration Control ... 22
    Disable Unneeded Services ... 23
    Disable Guest User ... 23
    Review Server Logs Periodically ... 23
    Change JMX Default Credentials ... 24
    Get Control of Deleted Content ... 24
    Node Creation ... 24
    Node Deletion ... 24
    Questions and Answers About Content Deletion ... 26
    Wipe Content ... 28
  SHARE LEVEL SECURITY ... 28
    Cross-Site Request Forgery (CSRF) Filters in Alfresco Share ... 28
    Security Filters and Clickjacking Mitigation in Alfresco Share ... 29
    Iframes and Phishing Attack Mitigation in Alfresco Share ... 29
    Share HTML Processing Black/White List ... 29
    Site Creation Control ... 30
    Filter Document Actions by User or Role ... 30
    Filter Workflow by Role/Group ... 32
    Change Default Share Session Timeout ... 32
ARCHITECTURE DEPLOYMENT BEST PRACTICES ... 33
  Frontends ... 33
  Single Tier ... 34
  Two Tiers ... 35
  Three Tiers ... 36
  AWS Deployments ... 37
  BACKUP AND DISASTER RECOVERY ... 38
MOBILE SECURITY ... 39
  FILE PROTECTION ... 39
  HTTPS ... 39
  CERTIFICATE AUTHENTICATION ... 39
  MDM ... 39
    Alfresco for Good (iOS) ... 39
    MobileIron (Android) ... 39
    Additional Information ... 40
SECURITY COMPLIANCE AND STANDARDS ... 41
  DOD 5015.2 ... 41
  OWASP ... 41
  HIPAA ... 43
  FISMA ... 44
  FEDRAMP ... 44
  ISO 27001 ... 44
  PCI DATA SECURITY STANDARD ... 44
APPENDIX I: SECURITY CHECKLIST ... 46
APPENDIX II: THIRD PARTY LIBRARIES INCLUDED IN ALFRESCO ... 1
Introduction

This guide is intended to fill a need for Alfresco administrators to have a collection of tips for enhancing the security of their implementation. If you are concerned about the security of your content, this guide is written specifically for you. It addresses the security of an Alfresco implementation from two different views:

• Threat view: we identify how a potential attacker could exploit security issues in the installation;
• Administrator view: we discuss how an administrator can prevent attacks and protect an installation.

Audience

This document is intended for the Alfresco Enterprise customer and partner network, with special focus on technical teams such as Enterprise Architecture, Development, Support and Operations, as it requires a deep understanding of the architecture, components and technologies involved in operating the Alfresco platform. The ideal reader holds an Alfresco Certified Engineer (ACE) or Alfresco Certified Administrator (ACA) certification. More details on the certifications can be found at http://university.alfresco.com.

Related Publications

For some recommendations an official link is provided. In addition, the following sources of information are related to Alfresco and this guide:

• Alfresco Security Policy [1]
• Alfresco Cloud Security Policy [2]
• Alfresco in the Cloud Security White Paper [3]
• Alfresco Backup and Disaster Recovery White Paper [4]
• Alfresco Security Best Practices talk at Alfresco DevCon 2012 [5]

[1] http://docs.alfresco.com/support/concepts/su-external-security-policy.html
[2] http://docs.alfresco.com/support/concepts/su-external-security-policy-cloud.html
[3] http://www2.alfresco.com/l/1234/2012-08-07/374w8d/1234/151131/Alfresco_in_the_cloud_Security.pdf
[4] http://bit.ly/1lvNkcz
[5] http://bit.ly/1rBtOme
How to Read this Guide

This guide tries to accommodate two needs: (1) a handy reference on how to secure the most common services and subsystems in Alfresco, and (2) some background on Alfresco security. Understanding Alfresco internals is essential if the reader wants to achieve proper application hardening. Most of the advice and best practices in this guide are based on Alfresco One version 4.2.

Disclaimer and Scope

This guide specifically does not address physical security, the protection of software and hardware against new exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key rollover and key management, securing client PCs and mobile devices (theft or loss), proper operations security, social engineering attacks, protection against TEMPEST attack techniques, jamming of the encrypted channel, or other similar attacks that are typically employed to circumvent strong encryption.

Alfresco Security Policy

When a security issue is discovered, Alfresco will do the following:

1. Send it directly to the subject matter expert to evaluate the scope and severity of the issue;
2. Issue one or more versions, whatever is required, to resolve the issue as soon as possible;
3. Inform customers and partners that this version is available.

The version(s) in which a particular security issue is resolved depend on the scope and severity of the issue, and may include:

1. A maintenance release for the last major version;
2. A hot fix for the last major versions;
3. Hot fixes for older maintained versions.

Example 1: A security issue is discovered in Alfresco v4.1.2 which is unlikely to be exploited. Alfresco will:
• Ensure that the next release, Alfresco 4.1.3, fixes the issue.

Example 2: A security issue is discovered in Alfresco v4.1.2 which could be exploited. Alfresco will:
• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue a hot fix for Alfresco v3.4, if applicable, as soon as possible;
• Ensure that the next release, Alfresco v4.1.3, fixes the issue.
Example 3: A security issue is discovered in Alfresco v4.1.2 which is being exploited. Alfresco will:
• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue hot fixes for Alfresco versions 3.0, 3.1, 3.2, 3.3, 3.4 and 4.0 as soon as possible;
• Ensure that the next release, Alfresco v4.1.3, fixes the issue.

Release of Security Notifications

When a security issue in an Alfresco product is found and fixed, Alfresco notifies customers in a number of ways:

• If it is a blocker issue with a workaround, Alfresco sends a critical security alert email to all customers warning of the issue and providing the workaround. A second critical security alert is then sent with details of the fixed version(s).
• If it is a blocker issue without a workaround, Alfresco releases the version containing the fix and then sends a critical security alert email to all customers.
• For issues of all other severities, Alfresco releases the version containing the fix and then sends a security alert email to all customers.

For all issues, a security notice is posted in the support portal at the same time the version with the fix is released.

Severity Levels

Alfresco classifies security vulnerabilities by severity on a case-by-case basis, using common sense and the examples shown here as a guideline.

High. A vulnerability is classified as High severity if any of the following hold true:
• Customer data can be compromised;
• The server running the application can be compromised;
• A Denial of Service (DoS) renders the system unavailable;
• The vulnerability was discovered externally, is known about externally, or is being actively exploited.

Medium. A vulnerability is classified as Medium severity if any of the following hold true:
• It would otherwise be High severity but was discovered internally and/or is not believed to be known externally;
• It is a less serious vulnerability such as XSS or CSRF.

Low. A vulnerability is classified as Low severity if it only poses a marginal or insignificant risk.
NOTE: Alfresco has an internal SLA to resolve vulnerabilities based on the severity classification above.

Reporting a Security Issue to Alfresco

Please report all security issues by logging a support case via the support portal. If you do not have access to the support portal, email support@alfresco.com so that the information reaches Alfresco. This is essential so that the security issue does not enter the public domain prematurely.

Components to Consider

As stated above, different components affect application security. Below is a list of components to consider, from the physical environment to the software:

1. Facilities;
2. Physical security;
3. Network infrastructure;
4. Virtual and/or physical infrastructure;
5. Network configuration;
6. Firewall;
7. Operating System;
8. JVM and Application Server;
9. Alfresco;
10. People;
11. Process.

This guide mostly deals with Alfresco security. Additional tips and guidelines are included for components directly related to Alfresco security and maintenance, such as the JVM and application server, the operating system, and the firewall.
The External and Internal Perspective

External Threats

If an Alfresco installation is exposed to the Internet, it can be the target of different types of attack. In this section we list activities an attacker can use to discover information about an Alfresco installation, such as the application server, the operating system and the content items it holds.

Discovery, Information Gathering and Information Leaks

Before performing an intrusion, an attacker may need to gather target information in order to enumerate devices, hostnames, domains or subdomains, ports, protocols, services, applications and even usernames or passwords. Although Alfresco is mostly an intranet or extranet service, it can be connected directly to the Internet, in which case the installation can be discovered using many different techniques. Of the hundreds of tools available for discovery and information gathering, we highlight some well-known resources below:

• Google and Bing: with a simple search we can find some servers that are exposed, for example https://www.google.com/?q=%222005-2014+Alfresco+Software+Inc.+All+rights+reserved.%22
• Shodan [6]: a device search engine based on ports and service headers or banners, for example https://www.shodan.io/search?query=%22alfresco%22+server+port%3A8080
• FOCA [7]: a graphical tool (Windows) that uses the Google and Bing search engines and DNS records to retrieve metadata from the documents available in the target domain. It searches for usernames, software versions and server or machine names.
• Metagoofil: a command line tool (Linux) that uses the Google search engine to retrieve metadata from the documents available in the target domain. It searches for usernames, software versions and server or machine names.

[6] http://www.shodanhq.com/
[7] http://www.informatica64.com/foca.aspx
• theharvester: a command line tool (Linux) that looks for email accounts, usernames, hostnames and subdomains using Google, Bing, LinkedIn, Shodan and more.
• Maltego: an open source intelligence and forensics application. It allows you to mine and gather information from public resources and then represent the information in a meaningful way.
• Nmap port scanning: used to determine the state of TCP and UDP ports on the target host, among other network protocols.
• Other manual tasks. A banner read against a Tomcat server (note the escaped newlines; echo -e turns \n\n into the blank line that ends the request):

    # echo -e "HEAD / HTTP/1.0\n\n" | nc 192.168.11.129 8080
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 2763
    Date: Fri, 12 Sep 2014 22:06:59 GMT
    Connection: close

The same test against Alfresco Share:

    # echo -e "HEAD /share/page/ HTTP/1.0\n\n" | nc 192.168.11.129 8080
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Cache-Control: no-cache
    Content-Type: text/html;charset=utf-8
    Content-Language: en-US
    Content-Length: 39170
    Date: Fri, 12 Sep 2014 22:09:36 GMT
    Connection: close

In addition to the threats described above, these tools are also useful for gathering information from files. It is well known that most content items carry information about themselves inside the file: their metadata. Besides the file name, photos carry information about the camera and even geolocation. MS Office, Open/LibreOffice or PDF documents may store user names, network resources, email addresses and other information that is useful for an intrusion test. Some of these properties are extracted automatically by Alfresco to populate its own database, but the properties are still stored in the file itself. If Alfresco publishes these documents externally, or the files are accessed from portals, emails and so on, then protection needs to be added to prevent information leaks.
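The two banner reads above can be turned into a repeatable check. The following is an added example (not code from the guide or from Alfresco) that parses a HEAD response the way nc shows it and reports what an attacker learns from it: a Server banner that names the application server, and any of the browser-side security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) that the Share response carries but the Tomcat root page does not. The list of banner markers, the accepted header values and the embedded sample responses are the example's own assumptions, the samples being typed in from the output shown above with the Date header dropped.

```python
"""Audit the HTTP headers an Alfresco/Tomcat front end returns to a HEAD request.

Added example (not from the guide or from Alfresco). It reproduces the manual
`echo -e "HEAD / HTTP/1.0\n\n" | nc host 8080` banner grab with http.client and
checks the response for a stack-identifying Server banner and for the security
headers the Share page is seen to send.
"""
import http.client

# Security headers the Share response in the guide carries; absence or an
# unexpected value is reported. The accepted values are this example's assumption.
EXPECTED_HEADERS = {
    "x-frame-options": ("SAMEORIGIN", "DENY"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
}

# Substrings in a Server banner that identify the application server product.
BANNER_MARKERS = ("coyote", "tomcat", "jetty", "jboss")


def parse_head_response(raw):
    """Parse a raw HTTP response (status line plus headers) into (status, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers):
    """Return a list of findings for a parsed header dict (empty list means clean)."""
    findings = []
    server = headers.get("server", "")
    if any(marker in server.lower() for marker in BANNER_MARKERS):
        findings.append("server banner identifies the stack: %r" % server)
    for name, allowed in EXPECTED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append("missing %s" % name)
        elif value.lower() not in tuple(a.lower() for a in allowed):
            findings.append("unexpected %s value: %r" % (name, value))
    return findings


def fetch_head(host, port, path="/", timeout=5):
    """Send a HEAD request over plain HTTP and return the raw response head as text."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return "HTTP/1.1 %d %s\r\n%s" % (
            resp.status, resp.reason,
            "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()))
    finally:
        conn.close()


# Constructed samples: the two responses shown in the guide, typed in by hand
# (Date headers dropped) so the audit runs offline.
TOMCAT_ROOT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Content-Length: 2763\r\n"
    "Connection: close\r\n\r\n"
)
SHARE_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 39170\r\n\r\n"
)

if __name__ == "__main__":
    # Swap the constructed samples for fetch_head("192.168.11.129", 8080, "/share/page/")
    # to audit a live server.
    for label, raw in (("tomcat /", TOMCAT_ROOT), ("share /share/page/", SHARE_PAGE)):
        status, hdrs = parse_head_response(raw)
        print(label, status, audit_headers(hdrs) or ["no findings"])
```

Run against the samples, the Tomcat root page produces four findings (the Coyote banner plus three missing headers) and the Share page only the banner, which is exactly the version-leak the Protection list on the next page tells you to remove.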
Protection

• Use an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), host IDS, advanced threat protection systems and a Web Application Firewall to mitigate some of these scans;
• The Alfresco banner can be removed from the Alfresco Share login page;
• Filter access to Alfresco resources by network or IP address. Refer to the Architecture section of this document;
• Clean document metadata before distributing documents. Alfresco can do this for you with an easy customization. Tools for metadata cleaning include ExifTool, OOMetaExtractor [8], MS Office 2003 & XP [9] and BatchPurifier. A demo and tools are available on the Alfresco DevCon 2012 site [10];
• Remove the application server and web server versions. For example, the default Tomcat ErrorReportValve includes the Tomcat version number in the error responses it sends to clients. To avoid this, custom error handling can be configured within each web application, or an ErrorReportValve can be configured explicitly with its showServerInfo attribute set to false. The reported version can also be changed by creating the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with the following content:

    server.info=My App Server

Brute Force Username and Password Attacks

Passwords are one of the easiest elements to attack in order to gain access to a system. Alfresco itself stores only password hashes; plaintext passwords are not stored anywhere on the system. In most corporate environments Alfresco is connected to a user directory such as LDAP or Active Directory, which is then responsible for managing passwords and for controlling any kind of attack against them.
Below is an example of dictionary-based cracking of the WebDAV service with Hydra (a very fast network logon cracker that supports many different services):

    # hydra -L usernames.txt -P passwords.txt -u -s 8080 -m 'http://127.0.0.1' 127.0.0.1 http-get

[8] http://www.codeplex.org/oometaextractor
[9] http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-42ca-bc7b-5446d34e5360
[10] http://devcon.alfresco.com/speakers/toni-de-la-fuente
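Every guess the Hydra run above makes is a request that the WebDAV endpoint rejects with a 401, so the attack is visible in the Tomcat access log long before a password is found. The following is an added example (not code from the guide or from Alfresco) of the detection side: it parses access-log lines in Tomcat's AccessLogValve "common" pattern and flags any source address that accumulates a threshold of 401s on the WebDAV path inside a sliding time window, which is the signal to feed a firewall block or an alert. The path prefix, threshold, window and the embedded log lines are the example's own assumptions; the log lines are constructed, not captured traffic.

```python
"""Spot a dictionary attack against Alfresco WebDAV in Tomcat access logs.

Added example (not from the guide or from Alfresco). A burst of 401 responses
from one source address against the WebDAV path is the signature; the sliding
window keeps slow, spread-out failures from accumulating forever.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Tomcat AccessLogValve pattern "common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "host": match.group("host"),
        "ts": datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": match.group("path"),
        "status": int(match.group("status")),
    }


def detect_bruteforce(lines, threshold=10, window_seconds=60,
                      path_prefix="/alfresco/webdav"):
    """Return {source_host: timestamp} for each host that produced at least
    `threshold` 401 responses on `path_prefix` within `window_seconds`.

    The timestamp is the moment the threshold was first crossed, which is what
    an alert or a block rule would key on. Assumed defaults: ten failures in a
    minute; tune both per site.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent 401s
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        window = recent[rec["host"]]
        window.append(rec["ts"])
        # Drop entries that fell out of the window; the newest entry always stays.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and rec["host"] not in alerts:
            alerts[rec["host"]] = rec["ts"]
    return alerts


def _log_line(host, second, status):
    """Build a constructed log line for the sample below (not real traffic)."""
    return ('%s - - [12/Sep/2014:22:07:%02d +0000] '
            '"GET /alfresco/webdav/ HTTP/1.0" %d -' % (host, second, status))


# Constructed sample: twelve guesses in twelve seconds from 192.0.2.10, plus one
# ordinary user at 192.0.2.20 who mistypes a password once and then succeeds.
SAMPLE_LOG = (
    [_log_line("192.0.2.10", s, 401) for s in range(12)]
    + [_log_line("192.0.2.20", 5, 401), _log_line("192.0.2.20", 6, 200)]
)

if __name__ == "__main__":
    for host, when in detect_bruteforce(SAMPLE_LOG).items():
        print("possible brute force from %s, threshold crossed at %s" % (host, when))
```

The same logic applies to the Share login endpoint once you know what status code a failed login produces in your version; the example keys on WebDAV only because that is the service Hydra targets above.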
Protection

• Implement a password rotation and strength policy [11].
• Implement a failed-login threshold to prevent brute force and dictionary attacks, counting consecutive password failures. This is done on the LDAP side or in the third-party authentication system and in most cases is a matter of configuration; some well-known LDAP servers expose an attribute called "pwdMaxFailure" to control this behavior.

NOTE: an attacker who knows the usernames can deliberately trip the lockout threshold and lock every account, turning the protection into a denial of service. Prefer temporary lockouts or progressive delays over permanent locks.

MITM Attacks

Man in the middle attacks can be performed in many different ways depending on the deployment architecture. For instance, in a four-tier architecture with a web server or load balancer in front of Alfresco, an index server and a database server, an MITM attack can be performed between the users and the web server, between the web server and Alfresco, between Alfresco and the index server, and between Alfresco and the database server. The way to prevent these attacks is to use encrypted and authenticated communications.

Protection

• A secure architecture design in layers, with protection at each layer;
• Out of the box, Alfresco provides encryption and authentication between the Alfresco repository and the index server. Authentication is provided for the connection to the database, but encryption is not. It is therefore extremely important to consider enabling encryption at least for end-user communications;
• Check your certificate strength [12] and tweak your SSL settings until you get an A grade.

DOS and DDOS

If the Alfresco server faces the Internet there is a risk of being the target of a Denial of Service or Distributed Denial of Service attack. A layer of protection should be added to guard against this.

Protection

• Use traditional firewall techniques to limit the attack surface: deny traffic to and from the source or destination of the attack, manage the list of allowed destination servers and services, and manage the list of allowed sources of traffic, ports and protocols;
• Use web application firewalls to inspect web traffic;

[11] https://howsecureismypassword.net/ and https://secure.packetizer.com/pwgen/
[12] https://www.ssllabs.com/ssldb/analyze.html
• Use IDS/IPS systems with statistical or behavioral detection and signature-based algorithms to detect network attacks and Trojans;
• Control ICMP and TCP SYN traffic to prevent flooding;
• Consider vendor solutions such as AWS, Akamai, DOS Arrest, Incapsula, etc.

Viruses

Since viruses can be found in most kinds of content, an antivirus solution must be deployed throughout all infrastructure tiers, from client desktops to servers. Alfresco is fully compatible with any antivirus software that runs on the server or inspects the communication layer, which helps ensure that no infected content is stored in or served by the platform.

Protection

A third-party module for Alfresco called Alfviral [13] can be used inside the repository to trigger analysis of a given content item; it can check content against services such as VirusTotal or a ClamAV installation. Advanced threat protection systems are also recommended.

Vulnerabilities Assessment

Public Vulnerabilities

Related to Alfresco since the first version in 2005:

1. SEC Consult SA-20140716-0 (MNT-11793): multiple SSRF vulnerabilities. FIXED in all major versions;
2. CVE-2014-2939: multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to share/page/task-edit. Published 6/2/2014. CVSS severity: 4.3 MEDIUM;
3. CVE-2014-0125: the Moodle integration places the session key in the file URL, allowing anyone with the link to steal the identity of the user posting content. Summary: repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. Published 3/24/2014. CVSS severity: 5.8 MEDIUM;
4. Bugtraq ID 37578: Joomla module for Alfresco 'id_pan' parameter SQL injection. The vulnerability is in the Joomla module, not in Alfresco.

[13] https://github.com/fegorama/alfviral
Other Vulnerabilities
These were discovered by internal periodic auditing or reported by customers, and were FIXED before the publication of this guide. They affect the following Alfresco versions: 3.4.X, 4.0.X, 4.1.X and 4.2.X:
1. CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat DoS;
2. MNT-10540: Share: remote code execution. The user has to be logged in;
3. MNT-10539: parsing vulnerability in Xerces (Apache POI and Alfresco code);
4. MNT-11793: port scanning of internal networks (proxy and cmisbrowser).
Hardening the Network and Operating System
Even if your Alfresco configuration is as secure as possible, an improperly configured operating system will make that work useless. This section covers the items to take into account. In some cases better security in the operating system means less usability. A good rule of thumb is to reduce the privileges the application holds on the operating system wherever possible.

Network
In any enterprise architecture there are different network elements, and all of them must be configured to protect the existing network resources. The following should be considered for the Alfresco-specific configuration of the network: firewalls, IDS, IPS, antivirus, web application firewalls, and DoS/DDoS protection devices.

OS Security
Use the OS vendor's security recommendations (for all operating systems supported by Alfresco One 4.2.3):
• Red Hat Enterprise Linux 6.4 [14]
• Sun Solaris 11.1 [15]
• Ubuntu 12.04 LTS [16]
• SUSE Linux Enterprise 11.3 [17]
• Microsoft Windows Server 2012 [18]
• Microsoft Windows Server 2008 R2 [19]

At the OS level, the most important control is file permissions: the Alfresco files and directories must be accessible only to the user that runs Alfresco. Change the permissions so that only the application user can read and write them (on Linux: chmod 0600 <path-to-file> for files and chmod 0700 <path-to-directory> for directories, since a directory needs the execute bit to be traversable):
• "alfresco-global.properties"
• "dir_root/contentstore"
[14] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
[15] http://docs.oracle.com/cd/E23824_01/html/819-3195/index.html
[16] https://help.ubuntu.com/12.04/serverguide/security.html
[17] https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html
[18] http://technet.microsoft.com/en-us/library/jj898542.aspx
[19] http://technet.microsoft.com/en-us/library/gg236605.aspx
• "dir_root/solr" or "dir_root/lucene-indexes"

Configuring Your Firewall
Your operating system firewall is a powerful line of defense for your server. Do not run Alfresco without it. When configuring the firewall, use the same rule of thumb as for all OS settings: block everything, then add privileges one at a time until you have allowed the minimum access required for your scenario. When determining what traffic will be allowed, consider both inbound and outbound activity. There is no reason to allow outbound activity on interfaces that you do not need; it could be exploited by malicious applications. For example, outbound HTTP requests are often used by malware to communicate with its operators.

Inbound Ports
The ports listed below can be considered for both the server and the network firewall (Active: whether the service is enabled in a default installation).

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137, 138 | UDP | IN | Yes | |
| CIFS | 139, 445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin (shutdown port) | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the client certificate has to be installed in the browser. Also take it into account when using a dedicated index server: the Alfresco repository server must have access to this port IN and OUT |
| NFS | 111, 2049 | TCP/UDP | IN | No | This is the repository NFS service (Alfresco as a VFS) |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open this port at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2 |
| OpenOffice/JODConverter | 8100 | TCP | IN | Yes | Listens on localhost only; do not open it at the firewall |

Outbound Ports
It is just as important to control all outbound traffic as it is to control inbound traffic. This will prevent some intrusions by not allowing access to backdoors or malicious remote sites. Here is a list of all the outbound traffic you may consider opening, depending on your security policy and Alfresco deployment:

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
| DB - PostgreSQL | 5432 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - MySQL | 3306 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - MS SQL Server | 1433 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - Oracle | 1521 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - DB2 | 50000 | TCP | OUT | Yes* | Depends on the DB in use |
| LDAP or AD | 389 | TCP | OUT | No | If needed for authentication and synchronization |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
| docs.google.com | 443 | TCP | OUT | No | Google Docs integration |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes |
| Hazelcast | 5701 | TCP | OUT | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes |
| Remote storage NFS | 111, 2049 | TCP/UDP | OUT | No | If a remote NFS share is used as the content store |
| Remote storage CIFS | 137, 138 (UDP); 139, 445 (TCP) | UDP/TCP | OUT | No | If a remote CIFS share is used as the content store |
| Amazon S3 | 443 | TCP | OUT | No | If Alfresco is deployed in AWS and Amazon S3 is used as the content store |
| Alfresco Transformation Server | 80, 443 or 8080, 8443 | TCP | OUT | No | If a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | If a remote Alfresco File System Transfer Receiver is used |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | If the Alfresco Replication Service is used between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | If Kerberos SSO is required |
| Third-party SSO | 443 | TCP | OUT | No | Third-party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution |
| Facebook, Twitter, LinkedIn, SlideShare, YouTube, Flickr, WordPress or TypePad | 80 or 443 | TCP | OUT | No | If the Alfresco Publishing Framework or site blog publishing is used |

Port Redirect
When Alfresco is not running as root it cannot bind privileged ports (below 1024), so a local port redirect must be performed to forward incoming traffic from the standard port to the non-standard port above 1024 that Alfresco listens on. Here is an example of a local port redirect with iptables, with FTP configured in Alfresco to listen on port 2121 TCP. The REDIRECT happens in the nat PREROUTING chain before filtering, so the filter rule must accept the redirected port (2121), not the original one:

iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
iptables -A INPUT -i eth0 -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT

Determining Minimum Privileges
The user you create to run Alfresco should be allowed only the minimum privileges required to run the application server in your scenario. From a security standpoint, the ideal user will only have permission to write logs and read files, period. However, many administrators find it necessary or convenient to allow the modification of start-up scripts and configuration files, or the deployment of new versions for patches or hotfixes. Whatever configuration you use, make sure you are aware of the associated risks.
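The file-permission rule from the OS Security section and the minimum-privileges rule above can be checked mechanically. The following shell functions are an added example and are not part of the guide: perm_problems reports every path under the given roots that is not owned by the service account or is reachable by group or others, and fix_alfresco_perms applies 0700 to directories and 0600 to files. The account name and the paths are parameters; the usage comment assumes a Tomcat-bundled installation under /opt/alfresco.

```shell
#!/bin/sh
# Added example (not from the Alfresco guide): check and fix the permissions
# of the files the guide lists. Files -> 0600, directories -> 0700 (a directory
# needs the execute bit to be traversable, so 0600 would lock out Alfresco too).

# perm_problems <service-user> <path>...
# Prints "owner <path>" for anything not owned by the service user,
# "mode <path>" for anything readable, writable or executable by group/others,
# and "missing <path>" for a root that does not exist.
perm_problems() {
  user=$1; shift
  for top in "$@"; do
    if [ ! -e "$top" ]; then
      echo "missing $top"
      continue
    fi
    find "$top" ! -user "$user" -print | sed 's/^/owner /'
    find "$top" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print \
      | sed 's/^/mode /'
  done
}

# fix_alfresco_perms <path>...: close group/other access. Ownership must be
# fixed separately by root (chown -R <service-user> <path>).
fix_alfresco_perms() {
  for top in "$@"; do
    find "$top" -type d -exec chmod 0700 {} \;
    find "$top" -type f -exec chmod 0600 {} \;
  done
}

# Usage on a real host (paths are an assumption for a Tomcat-bundled install):
#   perm_problems alfresco /opt/alfresco/tomcat/shared/classes/alfresco-global.properties \
#       /opt/alfresco/alf_data/contentstore /opt/alfresco/alf_data/solr
#   fix_alfresco_perms /opt/alfresco/alf_data/contentstore
```

Run perm_problems first and review its output before calling fix_alfresco_perms: the fix is deliberately limited to mode bits, because changing ownership on a live content store is something to do once, as root, with Alfresco stopped.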
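The firewall policy above (default deny, whitelist inbound and outbound, SYN and ICMP rate control, privileged-port redirect) is easier to keep consistent when the ruleset is generated from a port list rather than typed rule by rule. The function below is an added example, not part of the guide or of Alfresco: it prints the iptables commands so they can be reviewed and then run with sh. The interface name, addresses and the port choices in the usage comment are assumptions for an example deployment.

```shell
#!/bin/sh
# Added example (not from the Alfresco guide): print a default-deny iptables
# ruleset for an Alfresco host from a port whitelist, following the section
# above: drop everything, allow only what the deployment needs on both INPUT
# and OUTPUT, rate-limit SYN and ICMP, and redirect the privileged FTP port
# to the port a non-root Alfresco listens on. Review the output, then run it.

# gen_alfresco_rules <iface> "<inbound tcp ports>" "<port@host outbound pairs>" [dns-server]
gen_alfresco_rules() {
  iface=$1; inbound=$2; outbound=$3; dns=$4
  echo "iptables -F"
  echo "iptables -t nat -F"
  echo "iptables -X"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # SYN flood control: new TCP connections above the limit are dropped
  echo "iptables -N syn_flood"
  echo "iptables -A INPUT -i $iface -p tcp --syn -j syn_flood"
  echo "iptables -A syn_flood -m limit --limit 25/s --limit-burst 50 -j RETURN"
  echo "iptables -A syn_flood -j DROP"
  # ICMP: echo requests only, rate limited
  echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
  # Privileged FTP port -> unprivileged listener (ftp.port=2121 in alfresco-global.properties)
  echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport 21 -j REDIRECT --to-ports 2121"
  for p in $inbound; do
    echo "iptables -A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  for pair in $outbound; do
    port=${pair%@*}; host=${pair#*@}
    echo "iptables -A OUTPUT -o $iface -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
  done
  if [ -n "$dns" ]; then
    echo "iptables -A OUTPUT -o $iface -p udp -d $dns --dport 53 -j ACCEPT"
  fi
  # Log what falls through before the DROP policy applies (rate limited)
  echo "iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix 'alf-in-drop: '"
  echo "iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix 'alf-out-drop: '"
}

# Usage (assumed values): SSH, HTTPS and the redirected FTP port inbound;
# PostgreSQL and LDAPS outbound; one resolver. Keep 22 or you lock yourself out.
#   gen_alfresco_rules eth0 "22 8443 2121" "5432@10.0.0.5 636@10.0.0.10" 10.0.0.2 > alfresco-fw.sh
#   sh alfresco-fw.sh
```

Because the OUTPUT policy is DROP, every destination Alfresco needs (database, directory server, MTA, DNS) has to appear in the whitelist; the logged drops show what was forgotten.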
Alfresco Implementation Best Practices

Stay Current
Alfresco is a product in continuous evolution. Our customers and the community improve the software by recommending new features, finding bugs and suggesting solutions. The easiest way to improve the security of your Alfresco platform is to keep your version up to date: new bug fixes and security patches are added in every release. Alfresco also notifies Enterprise users and community members of major security threats and patches via the Support Portal, email and forums. Always upgrade to the latest stable version of Alfresco as soon as possible, and read the Release Notes to be aware of the security bugs fixed.

Do Not Run the Application Server as Root
As stated above, when running any Internet or intranet service it is always a good idea to avoid running it as the root user, if possible. When installing the application server, create a new user with a minimum set of privileges that will always run the application server for you, as part of your configuration process. Note that restricting privileges in this fashion can introduce problems with listening on privileged ports. These are commonly solved in Linux by using iptables to redirect ports to non-privileged ones (see Port Redirect above).

Repository Level Security

Enable SSL
In production environments, enabling encryption is a must. In this section we will see how to enable encryption in the most used Alfresco interfaces.

HTTP – HTTPS
There are different methods to implement SSL for HTTP access to the Alfresco Repository (WebDAV, API and Admin Panel) and to Alfresco Share. In most cases all methods are valid for both repository and Share web access. We may classify three different methods depending on the Alfresco workload; all of them may work for any sizing depending on system tuning. This is just a best practice for where to locate the SSL endpoint so that the CPU cost of SSL does not affect Alfresco performance.
1. Low or reduced load, 10-100 concurrent sessions;
a. SSL enabled in the application server: depending on the application server vendor this can be configured in different ways and is extensively documented. Resources for enabling SSL in all supported application servers:
i. Apache Tomcat [20]
ii. JBoss [21]
iii. WebLogic [22]
iv. WebSphere [23]
2. Medium load, 100-500 concurrent sessions;
a. SSL enabled in Apache, IIS or Nginx on a dedicated front-end server.
3. High load, more than 500 concurrent sessions;
a. A dedicated SSL hardware appliance or other third-party solution.

Additionally, if Alfresco Share is in a separate tier from the Alfresco Repository, you may want to encrypt the traffic between them. Once HTTPS is enabled in both application servers, change the Alfresco Share configuration URLs that connect to the repository in ${extensionRoot}/alfresco/web-extension/share-config-custom.xml, adapting every <endpoint-url> to your repository HTTPS URL.

NOTE: in any case, always enable HSTS (HTTP Strict Transport Security) so that browsers use HTTPS for every subsequent request to the host.

SharePoint Protocol
There are two ways to get the Alfresco SharePoint Protocol to run over SSL and avoid having to modify the Windows registry [24] to allow non-SSL connections from MS Office (on both Windows and Mac).
• One is to use the out-of-the-box SSL certificate that Alfresco uses for communication between itself and Solr; this is not recommended for production systems;
[20] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
[21] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Implement_SSL_Encryption_for_the_JBoss_Enterprise_Application_Platform_Web_Server1.html
[22] http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm
[23] http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html
[24] http://support.microsoft.com/kb/2123563
• The other is to generate a new certificate [25] and configure Alfresco to use it. If you want to use a custom certificate, this is the option to use. The steps were tested on Alfresco 4.2 and should work for both Enterprise and Community. There are instructions on how to enable SSL in the Alfresco SharePoint interface on the official documentation portal [26].

IMAP – IMAPS
To enable SSL for the IMAP protocol implemented by Alfresco (used to access the repository from an email client), follow the official documentation [27] or configure the IMAP subsystem in the Enterprise Admin Console.

SMTP Inbound with TLS
Alfresco supports secure connections when SMTP inbound is enabled. It can be set by customizing the email subsystem [28] through alfresco-global.properties with the option email.server.enableTLS=true and configuring the Java keystore [29], or in the Enterprise Admin Console.
[25] http://docs.alfresco.com/4.2/tasks/SharePoint-HTTPS-setup.html
[26] http://docs.alfresco.com/4.2/tasks/SharePoint-SSL.html
[27] http://docs.alfresco.com/4.2/concepts/IMAP-subsystem-props.html
[28] http://docs.alfresco.com/4.2/concepts/email-inboundsmtp-props.html
[29] http://docs.alfresco.com/4.2/concepts/troubleshoot-inboundemail.html
SMTP Outbound with TLS
SSL/TLS configuration for the external emails Alfresco sends to users (notifications, invitations, etc.) depends on the remote server, which has to support secure connections. Configuration examples may be found on the official documentation portal [30] and in the Enterprise Admin Console as well.
[30] http://docs.alfresco.com/4.2/concepts/email-outboundsmtp-props.html
FTP – FTPS
The FTP interface implemented by Alfresco can also be configured in secure mode to encrypt the communication between client and server. It is configured in the alfresco-global.properties file by following the instructions in the official documentation [31].

Connect to LDAP in Secure Mode with LDAPS
To enable SSL between the Alfresco repository and an LDAP server, the remote directory server has to support it. For SSL you also have to switch the port from 389 to 636 in the Alfresco LDAP subsystem configuration, and the JVM running Alfresco must trust the certificate presented by the directory server.
NOTE: ask your LDAP or Active Directory administrator before changing any Alfresco configuration.

Hazelcast
SSL is not usually required here, but the messages exchanged between cluster nodes may be encrypted [32].

Understanding Roles and Permissions
Alfresco comes with a complex and very flexible permissions model. Alfresco uses roles to determine what a user can and cannot do within a site and with its content.
[31] http://docs.alfresco.com/4.2/concepts/fileserv-ftp-props.html
[32] http://hazelcast.org/docs/latest/manual/html/ssl.html#encryption
Each role is associated with permissions. Permissions apply to dashboards [33] and to content [34]. By default a node in the repository inherits the permissions of its parent, unless inheritance is disabled on that node.

Custom Roles
Creating a new role is a common task when working with custom Alfresco deployments. The process is easy; you just need to follow some steps [35]. Bear in mind that the most important file, where the default roles are defined, is located at:
TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml

Audit
The Audit Service provides a configurable record of actions and events. It collects information and stores it in a simple database form. The Audit Service can audit system and user events, metadata changes and data stored in the Alfresco database. To enable auditing in Alfresco, add the following values to the alfresco-global.properties file [36]:

audit.enabled=true
audit.sync.enabled=true
audit.tagging.enabled=true
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true

NOTE: if Alfresco Cloud Sync is used, audit.enabled and audit.sync.enabled must be true. All audit information is stored in the Alfresco database and has to be queried through the API. To check whether auditing is enabled in Alfresco and what is being audited:

# curl -u admin:adm
in http://localhost:8080/alfresco/service/api/audit/control
{
  "enabled" : true,
  "applications": [
    { "name": "Alfresco Sync Service", "path" : "/sync", "enabled" : true }
[33] http://docs.alfresco.com/4.2/references/permissions_share_other.html
[34] http://docs.alfresco.com/4.2/references/permissions_share_components.html
[35] https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
[36] http://docs.alfresco.com/4.2/tasks/audit-enable.html
    ,
    { "name": "Alfresco Tagging Service", "path" : "/tagging", "enabled" : true },
    { "name": "RM", "path" : "/RM", "enabled" : true }
  ]
}

Authentication auditing has to be enabled by renaming the file ${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml.sample to ${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml, restarting, and then querying the latest authentications with a command like:

# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1"

or, to see in detail the authentication entries (successful and failed) recorded for the admin user:

# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1?verbose=true&user=admin"

More queries and information about auditing Alfresco can be found in the official documentation [37].

Get to Know Logged-in Users
Thanks to the Alfresco Support Tools [38] module, available for the Enterprise Admin Console, an administrator can always check who is logged in to the system.
[37] http://docs.alfresco.com/4.2/concepts/audit-intro.html
[38] https://addons.alfresco.com/addons/support-tools-admin-console
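The login audit query above returns raw entries; what an administrator actually wants from it is the number of failed authentications per account. The shell functions below are an added example, not part of the guide: they read a verbose AuditExampleLogin1 response and produce that report. The value key "/auditexamplelogin1/login/error/user" follows the shape of the example login audit application and is an assumption to compare with your own query output; the JSON sample is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the Alfresco guide): turn the AuditExampleLogin1
# query into a failed-login report per user. The value key below follows the
# shape of the example login audit application; treat it as an assumption and
# compare with your own /api/audit/query output.

# failed_logins_by_user: read a /api/audit/query/AuditExampleLogin1?verbose=true
# JSON response on stdin; print "user count" lines, most failures first.
failed_logins_by_user() {
  grep -o '"/auditexamplelogin1/login/error/user" *: *"[^"]*"' \
    | sed 's/.*: *"\([^"]*\)"$/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# over_threshold <n>: read "user count" lines, print users with more than n failures
over_threshold() {
  awk -v n="$1" '$2 > n { print $1 }'
}

# Constructed sample response (not captured from a real server): one good login
# for admin, two failed attempts against admin, one against jdoe.
SAMPLE_RESPONSE='{"count":4,"entries":[
{"id":1,"application":"AuditExampleLogin1","user":"admin","time":"2014-09-01T08:00:00.000+01:00","values":{"/auditexamplelogin1/login/no-error/user":"admin"}},
{"id":2,"application":"AuditExampleLogin1","user":"System","time":"2014-09-01T08:01:00.000+01:00","values":{"/auditexamplelogin1/login/error/user":"admin"}},
{"id":3,"application":"AuditExampleLogin1","user":"System","time":"2014-09-01T08:01:05.000+01:00","values":{"/auditexamplelogin1/login/error/user":"admin"}},
{"id":4,"application":"AuditExampleLogin1","user":"System","time":"2014-09-01T08:02:00.000+01:00","values":{"/auditexamplelogin1/login/error/user":"jdoe"}}
]}'

# report_from_sample [threshold]: run the report on the constructed sample
report_from_sample() {
  printf '%s\n' "$SAMPLE_RESPONSE" | failed_logins_by_user | over_threshold "${1:-0}"
}

# Against a live repository (credentials from the environment, over HTTPS,
# hostname assumed):
#   curl -s -u "$ALF_USER:$ALF_PASS" \
#     "https://alfresco.example.org/alfresco/service/api/audit/query/AuditExampleLogin1?verbose=true" \
#     | failed_logins_by_user | over_threshold 5
```

Run from cron and fed into the central logging server suggested later in this guide, the "over threshold" list is a minimal password-guessing alarm; the fromTime/toTime parameters of the audit query web script bound the window.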
Reset Admin Password
If the admin password is lost, it can be reset to "admin" by changing the database. Back up the database first and do this with Alfresco stopped (or restart it afterwards), since node properties are cached by the repository. First, find the admin password field:

SELECT anp1.node_id, anp1.qname_id, anp1.string_value
FROM alf_node_properties anp1
INNER JOIN alf_qname aq1 ON aq1.id = anp1.qname_id
INNER JOIN alf_node_properties anp2 ON anp2.node_id = anp1.node_id
INNER JOIN alf_qname aq2 ON aq2.id = anp2.qname_id
WHERE aq1.local_name = 'password'
  AND aq2.local_name = 'username'
  AND anp2.string_value = 'admin';

+---------+----------+----------------------------------+
| node_id | qname_id | string_value                     |
+---------+----------+----------------------------------+
|       4 |       10 | 209c6174da490caeb422f3fa5a7ae634 |
+---------+----------+----------------------------------+
1 row in set (0.16 sec)

Note the node_id and qname_id for the next step. "209c6174da490caeb422f3fa5a7ae634" is the MD4 hash of "admin". Now it can be set as follows:

UPDATE alf_node_properties
SET string_value='209c6174da490caeb422f3fa5a7ae634'
WHERE node_id=THE_NODE_ID_ABOVE AND qname_id=THE_QNAME_ID_ABOVE;

Log in and change the password immediately afterwards.

Ticket Session Duration Control
A third-party application connecting to Alfresco may need a ticket. This ticket can be obtained by accessing http://localhost:8080/alfresco/service/api/login?u=admin&pw=admin (prefer the POST form of the same web script, which takes the credentials in the request body, so that the password does not end up in URLs, proxy logs and server logs). The duration of this authentication ticket can be configured with:
authentication.ticket.validDuration=PT1H
in the alfresco-global.properties file, which means 1 hour (an ISO 8601 duration). Remember to use HTTPS to get the ticket.
Disable Unneeded Services
All of these options can be added to the alfresco-global.properties file. Unless the Alfresco Enterprise Admin Console is used to make the changes, a restart is required:
• Disable FTP: ftp.enabled=false
• Disable CIFS: cifs.enabled=false
• Disable IMAP: imap.server.enabled=false
• Disable NFS: nfs.enabled=false
• Enable audit (do not disable it if Cloud Sync is used): audit.enabled=true
• Enable the alfresco-access audit application:
  audit.alfresco-access.enabled=true
  audit.alfresco-access.sub-actions.enabled=true
  audit.cmischangelog.enabled=true
• Disable WebDAV: system.webdav.servlet.enabled=false
• Disable SharePoint Protocol: uninstall the VTI module.
• Prevent replication from the server configuration:
  replication.enabled=false
  transferservice.receiver.enabled=false

Disable Guest User
• For NTLM/default authentication (default is true): alfresco.authentication.allowGuestLogin=false
• For pass-through (default is false): passthru.authentication.guestAccess=false
• For LDAP/AD (default is true): ldap.authentication.allowGuestLogin=false

Review Server Logs Periodically
The administrator should always keep an eye on the server logs along with the application logs. Consider using a central logging server to manage logs more easily and to offload I/O from the server.
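The settings in the Disable Unneeded Services and Disable Guest User lists above drift easily between environments. The functions below are an added example, not part of the guide: prop_value is a small Java-properties reader (comment lines, whitespace, last definition wins) and check_hardening compares a file against a baseline built from those lists, reporting keys that differ or are not set at all, because the guide wants each of them set explicitly rather than left to its default. The baseline is a policy choice to edit per deployment, and the path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the Alfresco guide): compare an alfresco-global.properties
# file against the hardened settings of this section. A key is reported when it
# differs from the expected value or is not set at all. Whether to disable
# WebDAV, CIFS, etc. is still a deployment decision: edit BASELINE.

# prop_value <file> <key>: value of the last definition of key ("" if unset).
# Handles "#"/"!" comment lines, surrounding whitespace and "key = value".
prop_value() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      i = index(line, "="); if (i == 0) next
      key = substr(line, 1, i - 1); sub(/[ \t]+$/, "", key)
      if (key == k) {
        v = substr(line, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      }
    }
    END { print v }' "$1"
}

# Key and expected value, one pair per line (policy choice, from the lists above)
BASELINE='
ftp.enabled false
cifs.enabled false
imap.server.enabled false
nfs.enabled false
system.webdav.servlet.enabled false
replication.enabled false
transferservice.receiver.enabled false
audit.enabled true
audit.alfresco-access.enabled true
alfresco.authentication.allowGuestLogin false
'

# check_hardening <file>: print "key expected=X actual=Y" for each deviation
check_hardening() {
  printf '%s\n' "$BASELINE" | while read -r key expected; do
    [ -n "$key" ] || continue
    actual=$(prop_value "$1" "$key")
    if [ "$actual" != "$expected" ]; then
      echo "$key expected=$expected actual=${actual:-unset}"
    fi
  done
}

# Usage (path is an assumption for a Tomcat-bundled install):
#   check_hardening /opt/alfresco/tomcat/shared/classes/alfresco-global.properties
```

Add the guest-login key for the authentication subsystem you actually use (passthru or ldap) to BASELINE; the NTLM/default one is included because it is present in every installation.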
Change JMX Default Credentials
Alfresco One can be accessed over JMX for configuration (RMI, port 50500 TCP). This access is authenticated, but the default credentials are public and must be changed to avoid unauthorized access [39].

Get Control of Deleted Content
In terms of security control it is imperative to know what Alfresco does when a content item is deleted, and also how content deletion works in Records Management (RM). Basic content deletion is very well explained in an Ixxus blog post [40], but there are some differences in the database schema between Alfresco versions worth noting; for example, the alf_node table has a node_deleted column in versions 4.0 and earlier. To develop a deep knowledge of Alfresco security, and also to configure Alfresco backup and disaster recovery [41], you should first understand how the Alfresco repository manages the lifecycle of a content item.

Node Creation
When a node is created, regardless of how it is uploaded or created (via the API, web UI, FTP, CIFS, etc.), Alfresco does the following:
1. Metadata properties are stored in the database in the logical store workspace://SpacesStore (alf_node and alf_content_url, among other tables).
2. The file itself is stored, renamed to .bin, under alf_data/contentstore/YYYY/MM/DD/hh/mm/url-id-of-the-file.bin
3. Next, depending on the index engine you chose, its index entries are created in Lucene (alf_data/lucene-indexes/workspace/SpacesStore) or Solr (alf_data/solr/workspace/SpacesStore).
4. Finally, in most cases, a content thumbnail is created as a child of the new file.

Node Deletion
There are two phases to node deletion:
Phase 1: a user or admin deletes a content item (sending it to the trashcan)
1. When someone deletes a content item, the content and its children (e.g. thumbnails) are moved (archived) in the DB from workspace://SpacesStore to archive://SpacesStore. Nothing else happens in the DB.
[39] http://docs.alfresco.com/4.2/tasks/jmx-access.html
[40] http://www.ixxus.com/blog/2011/09/alfresco-node-lifecycle
[41] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/
2. The actual content ".bin" file remains in the same location inside the contentstore directory.
3. Finally, the index entries are moved from their current location to the corresponding archive index, Lucene (alf_data/lucene-indexes/archive/SpacesStore) or Solr (alf_data/solr/archive/SpacesStore), depending on the index engine.

NOTE: a deleted node stays in the trashcan FOREVER unless the user or an admin either empties the trashcan or recovers the file. This default behaviour can be changed with third-party modules that empty the trashcan automatically on a custom schedule; see below for more information on these modules. The trashcan may be found at:
Alfresco Share: User -> My Profile -> Trashcan (the admin user sees all users' deleted files; since 4.2 all users can also see and restore their own deleted files).
Alfresco Explorer: User Profile -> Manage Deleted Items (for all users).

Phase 2: any user or admin (or the trashcan cleaner) empties the trashcan
1. The content is marked as an "orphan" and, after a predetermined amount of time, the orphaned content item is moved from the alf_data/contentstore directory to the alf_data/contentstore.deleted directory.
2. Internally, at the DB level, a timestamp (UNIX format) is written to the alf_content_url.orphan_time column. A scheduled job called contentStoreCleanerJobDetail checks how long each content item has been orphaned; if it is more than 14 days (the system.content.orphanProtectDays option), the .bin file is moved to contentstore.deleted.
3. Finally, another job, nodeServiceCleanupJobDetail, purges all of the node's references from the database, and once the index learns that the node has been removed the index entries are purged as well.

NOTE: Alfresco never deletes content in the alf_data/contentstore.deleted folder. It has to be deleted manually or by a scheduled job configured by the system administrator.
By default, contentStoreCleanerJobDetail runs every day at 4 AM and checks the age of each orphan; if it exceeds system.content.orphanProtectDays (14 days), the file is moved to contentstore.deleted. nodeServiceCleanupJobDetail runs every day at 9 PM and purges the database information of nodes that were deleted. Now that we understand how Alfresco works by default, let's see how to modify its behaviour in order to clean the trashcan automatically.
There are several third-party modules that can be used for this, but I recommend the Alfresco Trashcan Cleaner [42] by Alfresco's very own Rui Fernandes. Once the AMP is installed, you can use this sample configuration by copying it to the alfresco-global.properties file:

trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=7
trashcan.deleteBatchCount=1000

The options above configure the cleaner to run every hour on the half hour; it removes content from the trashcan (marking it as orphaned) if it has been in the trashcan for more than 7 days, in batches of 1000 deletions per run. To delete from the trashcan without any grace period, set trashcan.daysToKeep to -1.

Questions and Answers About Content Deletion

Can I configure Alfresco to avoid using contentstore.deleted and ensure it really deletes a file after the trashcan is cleaned?
Yes. Set system.content.eagerOrphanCleanup=true in the alfresco-global.properties file; once the trashcan is emptied, the file is not moved to contentstore.deleted but deleted from the file system (contentstore). After that, nodeServiceCleanupJobDetail purges any related information from the database.

What is the recommended configuration for a production server?
This depends on your backup and disaster recovery strategy [43]. If you have a proper backup strategy, you can offer your users a grace period of 30 days to recover their own deleted documents from the trashcan. After the grace period the trashcan cleaner removes them from the trashcan; with the configuration below the orphaned files then follow the default path to contentstore.deleted after orphanProtectDays (set system.content.eagerOrphanCleanup=true instead if they must leave the file system at the same moment). This is achieved by installing the trashcan cleaner mentioned above with this configuration in the alfresco-global.properties file:

system.content.eagerOrphanCleanup=false
trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=30
trashcan.deleteBatchCount=1000

What about Alfresco Records Management, does it work in the same way? How does record destruction work?
In the Records Management world you don't delete documents as often as in Document Management. When a content item is deleted from the RM file plan, it is considered
[42] https://code.google.com/p/alfresco-trashcan-cleaner/
[43] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/
to be a regular delete operation. This is rarely used and only done by RM admins when there is a justifiable reason, such as correcting a mistake that requires a record to be removed. The only difference is that the deleted record bypasses the archive store, so it never goes to the trashcan and is marked as an orphan as soon as it is deleted. It is then moved to contentstore.deleted after orphanProtectDays, or truly deleted if eagerOrphanCleanup is set to true.

Destruction of a record works in the same way as removal of a record: it bypasses the archive and immediately triggers the clean-up (eagerOrphanCleanup) process, so the content stays neither in contentstore nor in contentstore.deleted. As far as the metadata goes, there are two options: either all the metadata (and hence the node itself) is completely deleted, or the content is cleaned out but the node remains with only its metadata (called ghosting). In Alfresco RM versions prior to 2.2 this was a global configuration value (rm.ghosting.enabled=true). In 2.2 it can be defined on the destroy step of the disposition schedule: "Maintain record metadata after destroy".
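The NOTE in the Node Deletion section leaves the clean-up of alf_data/contentstore.deleted to the administrator. The functions below are an added example, not part of the guide or of Alfresco: list_deleted_content selects the .bin files older than a retention period and purge_deleted_content removes them, as a dry run unless told to apply. Which timestamp measures "days since the file was moved here" depends on how the file arrived: a file written into the directory gets a fresh mtime, a file renamed into it keeps its old mtime and only its ctime changes, so the third argument selects the field; check it on a real instance. The paths in the cron comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Alfresco guide): scheduled clean-up of
# alf_data/contentstore.deleted, which Alfresco itself never empties.

# list_deleted_content <contentstore.deleted> <days> [mtime|ctime]
# Prints every .bin older than <days> by the chosen timestamp (default mtime:
# a file written into the directory gets a fresh mtime; a file renamed into it
# keeps its old mtime, and only ctime changes, so use ctime in that case).
list_deleted_content() {
  dir=$1; days=$2; field=${3:-mtime}
  case $days in
    ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 2 ;;
  esac
  case $field in
    mtime|ctime) ;;
    *) echo "field must be mtime or ctime" >&2; return 2 ;;
  esac
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  find "$dir" -type f -name '*.bin' "-$field" +"$days" -print
}

# purge_deleted_content <contentstore.deleted> <days> [mtime|ctime] [apply]
# Dry run unless the 4th argument is "apply". With apply, overwrite with shred
# when available before unlinking; shred cannot guarantee an overwrite on
# journaling or copy-on-write file systems or on SSDs (see Wipe Content).
purge_deleted_content() {
  dir=$1; days=$2; field=${3:-mtime}; mode=${4:-dry-run}
  list_deleted_content "$dir" "$days" "$field" | while IFS= read -r f; do
    if [ "$mode" = apply ]; then
      if command -v shred >/dev/null 2>&1; then shred -u -- "$f"; else rm -f -- "$f"; fi
      echo "removed $f"
    else
      echo "would remove $f"
    fi
  done
}

# Example cron entry for a 30-day retention (assumed paths), after a dry run:
#   0 5 * * * alfresco sh -c '. /opt/alfresco/bin/purge.sh; purge_deleted_content /opt/alfresco/alf_data/contentstore.deleted 30 mtime apply'
```

Keep the retention at least as long as the interval between full backups, so that a file can still be restored from contentstore.deleted for the whole period during which the database may still reference it.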
Figure 1: Content deletion diagram

Wipe Content
As we have seen, Alfresco offers different ways to delete content. It is important to remember that even when Alfresco completely deletes content, as with the destroy option in RM or with eagerOrphanCleanup, Alfresco does not wipe the removed content from the physical storage; it can therefore be recovered with file system recovery tools. How to wipe a deleted content item depends on multiple factors, from the file system type to the hardware configuration. If you want to guarantee a real physical wipe of a file, third-party software must be used to "zero out" the corresponding disk sectors; which tool depends on the operating system, hardware, etc. Bear in mind that on journaling or copy-on-write file systems, and on SSDs with wear levelling, overwriting in place does not reliably reach every copy of the data, so full-disk encryption with destruction of the key is the more dependable option.

Share Level Security

Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
Based on the OWASP definition, Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
You can configure CSRFPolicy in Alfresco Share to prevent CSRF attacks, which rely on malicious requests being loaded unknowingly by a user. The CSRF filter can also be configured to work with third-party plugins and to stop specific repository services from being accessible directly through the Share proxy. See the official documentation for the procedure [44].

Security Filters and Clickjacking Mitigation in Alfresco Share
As per the OWASP definition, clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. You can configure a security filter, SecurityHeadersPolicy, that mitigates clickjacking attacks in Alfresco Share by sending the X-Frame-Options response header. See the official documentation for the procedure [45].

Iframes and Phishing Attack Mitigation in Alfresco Share
You can configure IFramePolicy to protect users against phishing attacks, which attempt to acquire information such as user names or passwords by simulating a trustworthy entity. Alfresco lets you control which domains' pages or content may be included in Share, i.e. a whitelist of the domains Share is allowed to embed. See the official documentation for the procedure [46].

Share HTML Processing Black/White List
Alfresco Share has a number of features to protect against XSS attacks. One of the most aggressive is the automatic processing of third-party HTML (wiki, blog, forum) to "sanitize" or "strip" unwanted HTML tags and attributes before rendering the page.
[44] http://docs.alfresco.com/4.2/concepts/csfr-policy.html
[45] http://docs.alfresco.com/4.2/concepts/security-policy.html
[46] http://docs.alfresco.com/4.2/concepts/iframe-policy.html
Since Alfresco 3.4.9 and 4.0.2 (and newer), it is possible to fully configure the black/white list of HTML tags and attributes that the HTML stripping process uses. The default black/white list is in {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/slingshot-application-context.xml. It can be overridden with a file called custom-slingshot-application-context.xml, which is generally placed in {TOMCAT_HOME}/shared/classes/alfresco/web-extension. More information is available on the Alfresco corporate blog [47].

Site Creation Control

In some circumstances you may need to prevent users other than administrators or members of specific groups from creating sites. There are different ways to accomplish this using public resources [48].

Filter Document Actions by User or Role

You may restrict the visibility of document action items per Share site/user role by modifying one of:

• {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml (the shipped default), or preferably
• {TOMCAT_HOME}/shared/classes/alfresco/web-extension/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml (the override location, which is not overwritten when the share webapp is redeployed)

For example, to make the "Delete" document action visible to the "admin" user only, modify the action you want to hide from everyone but the admin by setting permission="admin". In document-actions.get.config.xml change:

    <action type="action-link" id="onActionDelete" permission="delete" label="actions.document.delete" />

to:

    <action type="action-link" id="onActionDelete" permission="admin" label="actions.document.delete" />

Additionally, you may use the tables below as a reference when document actions need to be customized per site role, for example to add, remove or hide certain document action(s) for certain site role(s) by setting permission="<symbol>".
Site role-based visibility

    Symbol   Site role
    ------   --------------------
    #        Admin/Site Manager
    *        Collaborator
    %        Contributor/Consumer

<actionSet id="document">: default OOTB permission level for the Document Action components. The information is extracted from Enterprise 3.4.6, file {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml. The permission attribute is a comma separated list; a leading ~ negates the entry (Edit Offline is offered only when googledocs-edit does not apply):

    Action name        | Action id                    | Permission               | Label                               | Visible to
    -------------------+------------------------------+--------------------------+-------------------------------------+-----------
    Download           | onActionDownload             | (global, none required)  | actions.document.download           | %;*;#
    View in Browser    | onActionView                 | (global, none required)  | actions.document.view               | %;*;#
    Edit Metadata      | onActionDetails              | edit                     | actions.document.edit-metadata      | *;#
    ?                  | onActionSimpleApprove        | simple-approve           | actions.document.simple-approve     | n/a
    ?                  | onActionSimpleReject         | simple-reject            | actions.document.simple-reject      | n/a
    Upload New Version | onActionUploadNewVersion     | edit                     | actions.document.upload-new-version | *;#
    Inline Edit        | onActionInlineEdit           | edit,inline-edit         | actions.document.inline-edit        | *;#
    Edit Online        | onActionEditOnline           | edit,online-edit         | actions.document.edit-online        | *;#
    Edit Offline       | onActionEditOffline          | edit,~googledocs-edit    | actions.document.edit-offline       | *;#
    ?                  | onActionCheckoutToGoogleDocs | edit,googledocs-edit     | actions.document.checkout-google    | *;#
    Copy to…           | onActionCopyTo               | (global, none required)  | actions.document.copy-to            | %;*;#
    Move to…           | onActionMoveTo               | delete                   | actions.document.move-to            | #
    Delete Document    | onActionDelete               | delete                   | actions.document.delete             | #
    Start Workflow     | onActionAssignWorkflow       | (global, none required)  | actions.document.assign-workflow    | %;*;#
    Manage Permissions | onActionManagePermissions    | permissions              | actions.document.manage-permissions | #
    Manage Aspects     | onActionManageAspects        | edit                     | actions.document.manage-aspects     | *;#

Filter workflow by role/group

Alfresco Share does not have the ability to filter or control the list of workflows shown to a user or group; by default all available workflows are shown to every user. There are different ways to achieve this, based on filters in share-config-custom.xml and on third party add-ons that control the workflow list [49].

Change default Share session timeout

It may be necessary to reduce or increase the default timeout of the Alfresco Share HTTP session (the JSESSIONID cookie), which is 60 minutes. Edit {TOMCAT_HOME}/webapps/share/WEB-INF/web.xml, change the following lines (the value is in minutes) and restart Share:

    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>

[47] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[48] https://forums.alfresco.com/forum/end-user-discussions/alfresco-share/disable-create-site-link-42-community-01102013-1306
[49] https://addons.alfresco.com/addons/workflow-permissions
Architecture deployment best practices

Sample architecture diagrams and protection tips for Alfresco installed on-premises and in AWS.

Frontends

In this section we will see how to protect some resources in Alfresco using a custom frontend server such as Apache, Nginx or HAProxy. Good practice is to always front Share and Alfresco with a web server (Apache/Nginx/HAProxy) and to allow the application server to be reached only from that web server. If everything runs on one node, have the application server listen on localhost only and let the web server forward to localhost. In a multi-tiered environment, allow access to the Share and Alfresco tier only from the web tier, enforced with iptables.

To force all Alfresco cookies to be marked Secure (and not only HttpOnly), use the web server to rewrite the Set-Cookie response headers. Example HAProxy configuration (rspirep is HAProxy 1.x syntax; HAProxy 2.x expresses the same rewrite with http-response replace-header):

    # Mark every Set-Cookie as Secure unless the header already contains "secure".
    # The substring test also matches a cookie whose name or value merely
    # contains "secure"; such a cookie is left untouched.
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if !secured_cookie

Protect Alfresco API URLs and proxy (Apache, Nginx, etc.)

Web script URLs should be reachable only from localhost applications (Alfresco Explorer and Share) and from known third party applications. To deny access from all other networks (to the Alfresco tier web scripts; the same can be done for Share if needed), configure the frontend web server as follows:

Apache:

    # Apache 2.2 syntax; a <Location> prefix also covers every path below it.
    # On Apache 2.4 replace the Order/Allow lines with: Require ip 1.2.3.4 1.2.3.5
    <Location /alfresco/service>
        Order allow,deny
        Allow from 1.2.3.4
        Allow from 1.2.3.5
    </Location>
    <Location /share/service>
        Order allow,deny
        Allow from 1.2.3.4
        Allow from 1.2.3.5
    </Location>
    <Location /alfresco/proxy>
        Order allow,deny
        Allow from 1.2.3.4
        Allow from 1.2.3.5
    </Location>
    <Location /alfresco/cmisbrowser>
        Order allow,deny
        Allow from 1.2.3.4
        Allow from 1.2.3.5
    </Location>

Nginx:

    location ~ ^/(alfresco|share)/service/ {
        allow 1.2.3.4;
        allow 1.2.3.5;
        deny all;
    }
    location ~ ^/alfresco/proxy {
        allow 1.2.3.4;
        allow 1.2.3.5;
        deny all;
    }
    location ~ ^/alfresco/cmisbrowser {
        allow 1.2.3.4;
        allow 1.2.3.5;
        deny all;
    }

Where 1.2.3.4 and 1.2.3.5 are our applications or networks. Note that the Alfresco web script runtime is also reachable through the shortcut prefixes /alfresco/s/, /alfresco/wcs/ and /alfresco/wcservice/, so the rules above should be extended to cover those paths as well; otherwise the restriction is trivially bypassed.

Single tier

Alfresco installed all on one server, using an external database and external storage for the content store. Always use dedicated network interfaces, i.e. three NICs for service, backend, and administration/backup:
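The two frontend rules in this section, the Secure-cookie rewrite and the web script allow list, modelled in Python so their behaviour can be checked offline. This is an added example, not Alfresco's, HAProxy's or Nginx's own code; the Set-Cookie values and client addresses are constructed for the example, and 1.2.3.4/1.2.3.5 are the placeholder addresses from the configuration above. It also shows why the HAProxy ACL above should match the Secure attribute rather than any "secure" substring, and why the shortcut web script prefixes have to be in the allow list.

```python
"""Added example (not Alfresco's, HAProxy's or Nginx's own code) modelling two
rules from the Frontends section: forcing the Secure/HttpOnly cookie flags and
restricting web script URLs to an allow list of client addresses."""
import ipaddress
import posixpath
from typing import Iterable, Set
from urllib.parse import unquote

# Constructed Set-Cookie values in the shape Tomcat/Share emit them; the values
# are made up for this example.
SAMPLE_COOKIES = [
    "JSESSIONID=5A3F9C0B1E2D; Path=/share; HttpOnly",
    "alfLogin=1412345678; Path=/share",
    "alfUsername3=insecureuser; Path=/share",   # value happens to contain "secure"
    "JSESSIONID=ABCDEF; Path=/alfresco; Secure; HttpOnly",
]

# Addresses allowed to call web scripts directly (the 1.2.3.x placeholders of
# the Apache/Nginx snippets; CIDR networks are accepted as well).
ALLOWED_CLIENTS = ("1.2.3.4", "1.2.3.5")

# Prefixes fronted by the allow list. /alfresco/s, /alfresco/wcs and
# /alfresco/wcservice are Alfresco's alternative forms of /alfresco/service
# and must be covered too.
PROTECTED_PREFIXES = (
    "/alfresco/service/", "/alfresco/s/", "/alfresco/wcs/", "/alfresco/wcservice/",
    "/share/service/", "/alfresco/proxy/", "/alfresco/cmisbrowser/",
)


def cookie_attributes(header: str) -> Set[str]:
    """Lower-cased attribute names (path, secure, httponly, ...) of a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")][1:]
    return {p.split("=", 1)[0].strip().lower() for p in parts if p}


def harden_set_cookie(header: str) -> str:
    """Append Secure and HttpOnly when they are absent; other attributes are kept."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value: %r" % header)
    present = cookie_attributes(header)
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


def haproxy_substring_acl_matches(header: str) -> bool:
    """Model of `acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure`.
    True means HAProxy would skip the rewrite because "secure" occurs anywhere
    in the header, even inside a cookie name or value."""
    return "secure" in header.lower()


def is_protected_path(raw_path: str) -> bool:
    """Match after percent-decoding and dot-segment normalisation, as the web
    servers do, so /alfresco/../alfresco/service/ or %73ervice are still caught."""
    path = unquote(raw_path.split("?", 1)[0])
    path = posixpath.normpath("/" + path.lstrip("/"))
    if not path.endswith("/"):
        path += "/"
    return any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def client_allowed(client_ip: str, allowed: Iterable[str] = ALLOWED_CLIENTS) -> bool:
    """True when client_ip falls inside one of the allowed hosts or networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed)


def decide(path: str, client_ip: str, allowed: Iterable[str] = ALLOWED_CLIENTS) -> str:
    """'deny' for a protected path from a non-allowed client, 'allow' otherwise."""
    if is_protected_path(path) and not client_allowed(client_ip, allowed):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print("%-55s -> %s" % (cookie, harden_set_cookie(cookie)))
        if haproxy_substring_acl_matches(cookie) and "secure" not in cookie_attributes(cookie):
            print("   HAProxy substring ACL would leave this cookie without Secure")
    for req in (("/alfresco/service/api/people", "10.0.0.9"),
                ("/alfresco/../alfresco/s/api/people", "10.0.0.9"),
                ("/alfresco/service/api/people", "1.2.3.4"),
                ("/share/page/user/admin/dashboard", "10.0.0.9")):
        print("%-40s from %-10s -> %s" % (req[0], req[1], decide(*req)))
```

Running the file prints the hardened cookies and the allow/deny decision for each constructed request. The alfUsername3 cookie shows the weakness of the substring ACL: it contains "secure" in its value, so HAProxy would not append the flag, whereas harden_set_cookie inspects the attribute list. In HAProxy the same precision is obtained with an anchored regular expression match (-m reg) on the attribute instead of -m sub.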
Two tiers (deployment diagram)
Three tiers (deployment diagram)

Another real world diagram with details (deployment diagram):
AWS deployments

Example of a multi-tier deployment with different layers of security (deployment diagram):
Backup and Disaster recovery

Please refer to the existing Backup and Disaster Recovery white paper presented at the Alfresco Summit 2013 [50].

[50] https://summit.alfresco.com/cmis/views/workspace%253A%252F%252FSpacesStore%252F2a6f08b9-e026-4674-b81a-cac234491d9f
Mobile Security

File Protection

Encrypts files stored on the device while it is locked. It has to be enabled in the mobile application settings and is only available in Alfresco Mobile when connected to an Alfresco One server or to Alfresco in the Cloud.

HTTPS

Enable HTTPS connections whenever the server supports them. Alfresco in the Cloud supports HTTPS by default.

Certificate Authentication

Client certificate authentication can be enabled from the mobile client side.

MDM

At the time this guide was written, the following solutions implement MDM with Alfresco:

Alfresco for Good (iOS)

The Alfresco for Good mobile app provides a secure connection, secure storage and policy enforcement when accessing business critical documents stored in Alfresco One on premises from anywhere. Alfresco for Good 1.0 includes the following features:

• Secure access to the on-premises Alfresco repository based on existing user privileges
• Full access to the repository structure, including collaboration sites
• Easy favoriting and joining of sites
• Activity feed for the repository
• File exchange via Good for Enterprise
• Local storage of files for offline viewing

NOTE: The existing version is only compatible with iOS 7.

MobileIron (Android)

Alfresco and MobileIron provide an end-to-end secure solution to access critical content stored on premises, in the cloud or both, as well as to run key workflows on the go. Alfresco is an enterprise grade solution that can reliably mobilize hundreds to millions of documents. Alfresco is open, so you retain control, and customizable, so you can build the solutions you need.

• Secure access to the Alfresco One repository based on existing user privileges
• Full access to the repository structure, including collaboration sites
• Activity feed
• File exchange within the MobileIron ecosystem
• Local sync of files for offline viewing of up-to-date files
• Initiate or take part in workflows such as "Review and Approve"

NOTE: Alfresco is working on a new MobileIron app for Android and iOS. There is no release date at this time.

Additional information

For enterprise Android users, Alfresco Mobile 1.4 is available in the Samsung KNOX store. Alfresco is also working with other MDM vendors such as Symantec Sealed (Android) and Citrix Worx.
Security Compliance and Standards

A very common question about Alfresco and security concerns standards. In this section we review some security-related standards and how Alfresco can address them. For more information about other standards and about security in Alfresco Cloud, please visit the Alfresco site [51].

DoD 5015.02

Alfresco Records Management is certified against the DoD 5015.02 baseline standard. The Alfresco RM solution is implemented on top of a flexible records management metadata model, allowing other standards (such as MoReq2010, NOARK, etc.) to be supported [52]. From the security standpoint, Alfresco RM has additional security features such as:

• Specific roles related to RM tasks
• A web based role manager to view, modify or delete existing roles and create new ones
• A web based audit tool to produce reports about any action on any record, folder or category in the File Plan
• Users, groups and roles reports
• Different behaviour for record deletion and record destruction than for deletion in DM; see the section about deletion in this document

OWASP

In Alfresco we use the OWASP guides extensively in development and have a tool that scans all code nightly and checks compliance with the OWASP Top Ten. Comments on each item of the OWASP Top 10 (2013) [53]:

1. A1 - Injection: Alfresco uses prepared, non-dynamic statements with variable binding through the MyBatis ORM framework, which prevents SQL injection. Alfresco Share uses a white list to strip potentially dangerous constructs from submitted content with JavaScript or HTML mime types. Note: for HTML content submission, unsafe content is stripped on display, not on storage. Summary: OOTB Alfresco is secured against injection attacks.

2. A2 - Broken Authentication and Session Management: This is normally an issue in home-grown authentication frameworks, but all Alfresco custom development and configuration passes through Alfresco's own authentication framework, which is based on Spring Security (Acegi). Summary: OOTB Alfresco has a robust authentication and session management subsystem; however there may be weaknesses if the following practices are not followed: 1) use SSL/TLS for all access; 2) integrate with LDAP membership services (or, if using Alfresco native user management, enable an additional Alfresco customisation for password expiry and complexity requirements); 3) consider permanently disabling the 'invite external user' capability.

3. A3 - Cross-Site Scripting (XSS): See 'Configuring the Share HTML processing black/white list' [54]. Summary: OOTB Alfresco is secured against XSS attacks. Pre go-live checks must ensure that configuration changes have not disabled this security feature. Check the vulnerability list in this document and new XSS threats.

4. A4 - Insecure Direct Object References: Content-object access is only allowed through the Alfresco API, which ACL-checks all content-based requests against the currently authenticated session user. Summary: OOTB Alfresco is secured against direct access and reference manipulation.

5. A5 - Security Misconfiguration: Default passwords exist for JMX, and installation passwords are stored in configuration files. Summary: OOTB Alfresco does not encrypt the initial admin password, the JMX read and write passwords or the DB connection password (kept in alfresco-global.properties), so these must be changed from their defaults and the files protected with file system permissions. When the Alfresco internal user database is used, user passwords are stored as MD4 hashes.

6. A6 - Sensitive Data Exposure: Alfresco does not typically store user-sensitive information. Summary: OOTB Alfresco is secure from exposure of sensitive data, assuming ACLs and permissions are applied correctly and the server has not been compromised in a way that allows direct access to the underlying file system.

7. A7 - Missing Function Level Access Control: Alfresco enforces roles and group membership to define the functions a user may access. Summary: OOTB Alfresco is secured against missing function level access control: ACL checks against role and group occur on the server, not merely to hide or expose UI elements.

8. A8 - Cross-Site Request Forgery (CSRF): See 'Introducing the CSRFPolicy in Alfresco Share' [55]. Summary: OOTB Alfresco is secured against CSRF attacks. Pre go-live checks must ensure that configuration changes have not disabled this security feature.

9. A9 - Using Components with Known Vulnerabilities: According to the Alfresco public JIRA there are no known exploitable components in use; an audit of every third party component should be carried out to confirm this. Alfresco recommends the latest security-patched version of Alfresco and its supported components, as well as of the OS, Java, application server and DB server. Summary: OOTB Alfresco is secure at the time of writing. Best practice should include patching dependent components as security patches become available. Typical components to consider in an ongoing patch policy: operating system (RHEL/CentOS/Windows 2008 R2); database (MySQL/Oracle/MSSQL); Java updates; third-party out-of-process command-line tools (anything outside the JVM sandbox, such as OpenOffice, ImageMagick, etc.).

10. A10 - Unvalidated Redirects and Forwards: Alfresco allows the display of user-defined hyperlinks, potentially to external websites, but these are not forwards or redirects. Alfresco Share does allow arbitrary embedding of IFrames within the UI, either through the 'web view' dashlet or within custom developed code, and this does need protection. The risk is mitigated with the IFramePolicy; see 'Introducing the IFramePolicy in Alfresco Share' [56]. The default configuration allows any page to be iframed. Summary: OOTB Alfresco is not secure against non-validated redirection; however a simple configuration change enforces the security.

The Alfresco software engineers address the OWASP standard by using a software plugin [57] that defines a list of vulnerabilities that can occur in any software project. It provides rule engines that find violations matching many OWASP vulnerabilities, which lets us know the security level reached.

HIPAA

The US "Health Insurance Portability and Accountability Act" can be applied or adopted with Alfresco, taking into account the considerations below:

• Audit everything (who accessed what, and when). Alfresco does this and stores the audit trail in the DB.
• Encrypt PHI. This is not a requirement, but it avoids the reporting obligation if information is lost (a backup tape, for example). Alfresco supports encrypted metadata through the d:encrypted property type in the data model; the backup should be encrypted as well.
• Encrypt content (encryption at rest); as a general recommendation the backup should be encrypted.
• For indexes, a best practice is to encrypt the backup, or not to back them up at all, to avoid losing a backup tape and having to report it. Indexes can be rebuilt if needed.
• Disable the Quick Share feature in Share.
• Enable HTTPS.
• Optionally: retention policies (which may vary from one US state to another), which can be implemented with Alfresco RM.

[51] http://www.alfresco.com/products/cloud/security-data-privacy
[52] http://blogs.alfresco.com/wp/understanding-the-facts-dod-5015-certification
[53] https://www.owasp.org/index.php/Top_10_2013-Top_10
[54] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[55] http://blogs.alfresco.com/wp/ewinlof/2013/03/11/introducing-the-new-csrf-filter-in-alfresco-share/
[56] http://blogs.alfresco.com/wp/ewinlof/2013/03/12/introducing-the-iframepolicy-in-alfresco-share/
[57] http://www.excentia.es/plugins/owasp/caracteristicas_en.html
FISMA

FISMA compliance is a mandate on the operating environment in which Alfresco may be deployed. The application itself is not subject to any specific certification, but it may be monitored as part of a FISMA security plan.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a unified, government-wide risk management program focused on large outsourced and multi-agency systems. FedRAMP was established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. It allows joint authorizations and continuous security and monitoring services for government and commercial cloud computing systems intended for multi-agency use. Alfresco's traditional products (Alfresco One, Activiti, etc.) are not directly subject to FedRAMP authorization; rather, the customer is responsible for validating that their Alfresco deployment complies with the applicable FedRAMP requirements. This applies to both on-premises and cloud-hosted deployments. At the moment, Alfresco has not made any specific commitment to obtain FedRAMP authorization for Alfresco in the Cloud or any future SaaS products.

ISO 27001

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that describes how to manage information security in a company. The Alfresco application is not itself subject to this certification, but it may be used as the central repository for the creation, review and approval, distribution, categorization, usage and updating of the documents and records the standard calls for.

PCI Data Security Standard

This section is a quick checklist highlighting some PCI-DSS requirements and how Alfresco may assist in compliance.
• Alfresco uses standard TCP/IP connectivity with common protocols such as HTTPS (encrypted), allowing organizations to integrate easily with existing firewalls and intrusion detection/prevention services.
• Alfresco provides default database names and accounts for simple deployment, usually set up on the first launch of Alfresco. To meet requirements such as those of PCI-DSS, these can be overridden through a configuration file change, allowing the organization to create uniquely named databases and database accounts; the procedure is well documented. Integration with enterprise database systems allows DBAs to enable encrypted writes directly into database tables without modifying Alfresco in any way.
• Alfresco's Records Management module provides compliance management for data retention, such as retention and disposition schedules, auditing of access to records, destruction and data deletion, as well as event triggers, eDiscovery and so forth.
• Alfresco can be configured to use strong SSL/TLS encryption for HTTPS connections, encrypting data in flight once access to that data has been approved by Alfresco's authentication, authorization and permissions management subsystems.
• Alfresco stores files as their native data streams and metadata in the database. The content store can be integrated with standard corporate antivirus applications to ensure compliance.
• As already said in this guide, Alfresco takes security very seriously and has a rigorous vulnerability detection program, working with third party security organizations to perform penetration testing. Alfresco has a process in place to quickly patch, test, release and inform Alfresco One customers of any security issues.
• Alfresco provides a complete authentication and authorization subsystem, along with a granular permissions management system that can be integrated with corporate directory services so that users can access only the data they have been authorized to see. Management can be performed at the individual user level or by group membership, which lets an organization easily develop role-based access to data and content.
• All users have a unique ID, whether granted by the corporate directory service or internally for users that are not part of the directory structure.
• Alfresco provides a complete auditing subsystem that tracks reads and writes to all content and metadata within the repository. This auditing mechanism can be integrated with enterprise reporting tools, or custom interfaces (e.g. web) and delivery methods (email, RSS feeds, etc.) can be built and maintained on top of it.
