While attending Toni de la Fuente's Alfresco security keynote, I compiled
some notes for the Training Blog Post. The topics are better explained in
Alfresco Security Best Practices and in the keynote itself, but you can use
this as a basic checklist.
- Keep Alfresco updated; patching is the most basic security measure (apply
the latest service pack or hotfix for your Alfresco version).
- Remember to change the default admin and JMX passwords.
- Run the application as a non-root user, redirecting (NAT-ing) the privileged
ports it serves to unprivileged ones via iptables.
- Use iptables to control access to the local Alfresco ports.
- Restrict permissions (chmod 0600 for files, 0700 for directories, since a
directory needs the execute bit to be traversed) on alfresco-global.properties,
dir.root/contentstore, dir.root/solr and any other file that could contain
passwords, for example ldap-authentication.properties.
- Use separate tiers and machines for the frontend, the Alfresco Share
application, the Alfresco Repository, SOLR, transformation and the database
server where possible.
- Use firewall policies for both inbound and outbound traffic.
- Use HTTPS, at least in the frontend tier.
- Use SSL/TLS for protocols such as FTP, IMAP, SMTP and SharePoint, and also
for LDAP.
- Disable unneeded services such as the transfer service, replication, audit,
unused protocols or system quotas when the project does not require them.
- Disable the guest user in the Alfresco authentication subsystems
(alfresco NTLM and LDAP).
- Monitor your Alfresco instance via a Nagios/Icinga plugin or JMX
(e.g. jmxterm), watching parameters such as JVM heap, threads, database
connections, active users and disk usage.
- Have a tested backup and restore procedure, for example with Alfresco BART.
- Set the ticket and session timeouts of the Share and Repository
applications, taking into account whether other timeouts interact with them
(for example, a cookie-based SSO external authentication timeout).
- Check server logs periodically.
- Check CSRF policies in Alfresco Share.
- Use the Apache frontend configuration to allow or restrict access to the
Alfresco API (/alfresco/service/*, /alfresco/proxy).
- Use Secure cookies.
MUST in an Alfresco installation.
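The non-root/NAT item and the "control local Alfresco ports" item of the checklist, written out as an iptables script. This is an added example, not something from the keynote or the Alfresco documentation: the unprivileged FTP/CIFS ports (2121, 1445, 1139), the JMX/RMI ports (50500/50501) and the admin network (10.0.0.0/24) are assumptions to adjust for your install, and the script assumes an Apache frontend on 80/443 proxying to Tomcat over loopback.

```shell
#!/bin/sh
# Added example (not from the keynote): iptables rules for one Alfresco host
# whose Tomcat runs as an unprivileged user behind an Apache frontend.
# Assumptions: FTP/CIFS were moved to unprivileged ports in
# alfresco-global.properties (2121, 1445, 1139); JMX/RMI listens on
# 50500/50501; 10.0.0.0/24 is the admin network.  Adjust to your install.
# Usage: sh alf-fw.sh apply    (as root)      sh alf-fw.sh show   (print only)
set -eu
IPT=${IPT:-iptables}
ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}

# Privileged ports 21/445/139 are rewritten in the nat table, so the daemon
# binds above 1024 as a normal user.  Filter rules below therefore see the
# NEW port (2121, not 21).
redirect_privileged_ports() {
  $IPT -t nat -F PREROUTING     # flushes any other nat rules on this host
  $IPT -t nat -F OUTPUT
  $IPT -t nat -A PREROUTING -p tcp --dport 21  -j REDIRECT --to-ports 2121
  $IPT -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
  $IPT -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
  # PREROUTING is skipped for locally generated packets; cover localhost too
  $IPT -t nat -A OUTPUT -o lo -p tcp --dport 21  -j REDIRECT --to-ports 2121
  $IPT -t nat -A OUTPUT -o lo -p tcp --dport 445 -j REDIRECT --to-ports 1445
}

# Public services stay reachable; Tomcat, its shutdown port, JMX and the
# database are loopback only (JMX also from the admin network).  The DROP
# policy is set last so a remote admin session is not cut off half-way.
filter_alfresco_ports() {
  $IPT -F INPUT                 # flushes any other INPUT rules on this host
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp --dport 22 -j ACCEPT                            # ssh
  $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT          # Apache
  $IPT -A INPUT -p tcp -m multiport --dports 2121,1445,1139 -j ACCEPT  # redirected FTP/CIFS
  $IPT -A INPUT -s "$ADMIN_NET" -p tcp -m multiport --dports 50500,50501 -j ACCEPT
  # Explicit DROP for the internal ports, so the intent survives even if
  # someone later sets the INPUT policy back to ACCEPT
  $IPT -A INPUT -p tcp -m multiport --dports 8080,8443,8005,50500,50501,5432 -j DROP
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "alf-fw drop: "
  $IPT -P INPUT DROP
}

case "${1:-}" in
  apply) redirect_privileged_ports; filter_alfresco_ports ;;
  show)  IPT=echo; redirect_privileged_ports; filter_alfresco_ports ;;
esac
```

Run `sh alf-fw.sh show` first and read the rules; the REDIRECT caveat is the one that bites in practice, because after the nat rewrite a filter rule on `--dport 21` never matches and the service silently becomes unreachable.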
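The file-permission, guest-login and ticket-timeout items of the checklist can be audited (and applied) from a shell script. The script below is an added example, not code from the keynote or from Alfresco: the ALF_HOME layout (tomcat/shared/classes, dir.root=alf_data, the ldap1 subsystem directory) is an assumption, the property names `alfresco.authentication.allowGuestLogin` and `authentication.ticket.ticketsExpire` should be verified against your Alfresco version, and `make_fixture` builds a constructed stand-in install so the checks can be tried without touching a real server.

```shell
#!/bin/sh
# Added example (not from the keynote): audit, and optionally apply, the
# permission and authentication items of the checklist on one host.
# ALF_HOME layout (tomcat/shared/classes, dir.root=alf_data) and the ldap1
# subsystem path are assumptions; adjust them to your install.
set -u

file_mode() {  # octal permission bits; GNU stat first, BSD stat fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

esc() { printf '%s' "$1" | sed 's/[.]/\\./g'; }   # literal dots for grep -E

# check_mode PATH EXPECTED -> 0 if PATH has exactly mode EXPECTED (600/700)
check_mode() {
  [ -e "$1" ] || { echo "MISSING  $1"; return 2; }
  mode=$(file_mode "$1")
  [ "$mode" = "$2" ] && { echo "OK       $1 ($mode)"; return 0; }
  echo "BAD      $1 is $mode, expected $2"
  return 1
}

# prop_is FILE KEY VALUE -> 0 if FILE sets KEY=VALUE (whitespace tolerated)
prop_is() {
  [ -f "$1" ] && grep -Eq "^[[:space:]]*$(esc "$2")[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# set_prop FILE KEY VALUE: replace or append KEY, going through a 0600
# mktemp copy so the passwords in FILE never sit in a world-readable file
set_prop() {
  tmp=$(mktemp)
  grep -Ev "^[[:space:]]*$(esc "$2")[[:space:]]*=" "$1" > "$tmp" || true
  printf '%s=%s\n' "$2" "$3" >> "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}

# audit ALF_HOME -> returns the number of findings (0 = clean)
audit() {
  props="$1/tomcat/shared/classes/alfresco-global.properties"
  ldap="$1/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties"
  findings=0
  check_mode "$props" 600 || findings=$((findings + 1))
  check_mode "$ldap"  600 || findings=$((findings + 1))
  # directories need the execute bit, so 0700 rather than the 0600 used for files
  check_mode "$1/alf_data/contentstore" 700 || findings=$((findings + 1))
  check_mode "$1/alf_data/solr"         700 || findings=$((findings + 1))
  prop_is "$props" alfresco.authentication.allowGuestLogin false \
    || { echo "BAD      guest login not disabled in $props"; findings=$((findings + 1)); }
  prop_is "$props" authentication.ticket.ticketsExpire true \
    || { echo "BAD      tickets never expire ($props)"; findings=$((findings + 1)); }
  return "$findings"
}

# harden ALF_HOME: apply the permissions and properties the audit expects
harden() {
  props="$1/tomcat/shared/classes/alfresco-global.properties"
  chmod 600 "$props" \
    "$1/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties"
  chmod 700 "$1/alf_data/contentstore" "$1/alf_data/solr"
  set_prop "$props" alfresco.authentication.allowGuestLogin false
  set_prop "$props" authentication.ticket.ticketsExpire true
}

# make_fixture: constructed stand-in for an install with the usual defaults
# (world-readable properties, 755 directories, guest login on); prints its path
make_fixture() {
  d=$(mktemp -d)
  cls="$d/tomcat/shared/classes"
  ldapdir="$cls/alfresco/extension/subsystems/Authentication/ldap/ldap1"
  mkdir -p "$ldapdir" "$d/alf_data/contentstore" "$d/alf_data/solr"
  printf 'db.password=changeme\nalfresco.authentication.allowGuestLogin=true\n' \
    > "$cls/alfresco-global.properties"
  printf 'ldap.synchronization.java.naming.security.credentials=secret\n' \
    > "$ldapdir/ldap-authentication.properties"
  chmod 644 "$cls/alfresco-global.properties" "$ldapdir/ldap-authentication.properties"
  chmod 755 "$d/alf_data/contentstore" "$d/alf_data/solr"
  echo "$d"
}

# Usage: ALF_HOME=/opt/alfresco sh alf-audit.sh          (report only)
#        ALF_HOME=/opt/alfresco sh alf-audit.sh harden   (fix, then report)
if [ -n "${ALF_HOME:-}" ]; then
  [ "${1:-}" = harden ] && harden "$ALF_HOME"
  audit "$ALF_HOME"
fi
```

The exit code of `audit` is the number of findings, so it drops straight into a Nagios/Icinga check or a cron job; `set_prop` deliberately rewrites through a `mktemp` copy (created 0600) rather than `sed -i.bak`, which would leave a world-readable backup of the properties file, passwords included, next to the original.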