This week I'm in London for the Alfresco Summit 2014 conference.
While attending the Alfresco security keynote by Toni de la Fuente, I compiled some notes for the Alfresco Training Blog post. It is better explained in the Alfresco Security Best Practices paper and in the keynote itself, but you can use this as a basic checklist.
- Keep updated; it is the basics of security (apply the latest service pack or hotfix for your Alfresco version).
- Remember to change the admin and JMX passwords.
- Run the application as a non-root user, NATing privileged ports via iptables.
- Use iptables to control local Alfresco ports.
- Set chmod 0600 permissions on alfresco-global.properties, dir.root/contentstore, dir.root/solr and any other file that could contain password information, for example ldap-authentication.properties.
- Use different tiers and machines for the frontend, the Alfresco Share app, the Alfresco Repository, SOLR, Transformation and the Database Server when possible.
- Use firewall policies for inbound and outbound traffic.
- Use secure HTTP connections, at least in the frontend tier.
- Use SSL in protocols like FTP, IMAP, SMTP and SharePoint. Also in LDAP.
- Disable unneeded services such as the transfer service, replication, audit, protocols or system quotas if they are not required for the project.
- Disable the guest user for the Alfresco authentication subsystems (alfresco NTLM and ldap).
- Monitor your Alfresco instance via a Nagios/Icinga plugin or JMX (e.g. jmxterm), for example parameters such as JVM heap, threads, database connections, active users, disk usage...
- Have a tested backup and restore procedure, for example with Alfresco BART.
- Set the ticket and session timeouts of the Share and Repository applications, taking into consideration whether other timeouts apply (for example, the timeout of a cookie-based SSO external authentication).
- Check server logs periodically.
- Check CSRF policies in Alfresco Share.
- Use the Apache frontend config to allow and restrict access to the Alfresco API (/alfresco/service/*, /alfresco/proxy).
- Use secure cookies.
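As an added example (not from the original post, the keynote or Alfresco itself), the shell script below turns two of the items above into something you can actually run: it audits that the password-bearing files are mode 0600 or stricter, and it prints the iptables rules that NAT ports 80/443 to an unprivileged Tomcat listener and keep the internal ports reachable only from the host. The file paths and port numbers (8080/8443 for Tomcat, 50500 for JMX) are assumptions for a typical install; adjust them to yours.

```shell
#!/bin/sh
# Added example, not part of the original post: audit file permissions for the
# files that hold passwords and render the iptables rules for a non-root Alfresco.
# ALF_HOME and all port numbers are assumptions for a typical installation.

ALF_HOME="${ALF_HOME:-/opt/alfresco}"   # assumed install directory

# check_secret_perms FILE...
# Returns 0 when every existing file is readable/writable by its owner only
# (0600 or stricter, 0700 for directories). Offenders are printed and the
# function returns 1. Missing files are reported but do not fail the check,
# because e.g. ldap-authentication.properties only exists when LDAP is used.
check_secret_perms() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            continue
        fi
        # ls -ld prints e.g. "-rw-r--r--"; characters 5-10 are the group
        # and other permission bits, which must all be '-'. Portable across
        # GNU and BSD ls, unlike stat(1) format strings.
        rest=$(ls -ld "$f" | cut -c5-10)
        if [ "$rest" != "------" ]; then
            echo "TOO OPEN $(ls -ld "$f" | cut -c1-10) $f"
            rc=1
        fi
    done
    return $rc
}

# render_iptables_rules [HTTP_PORT] [HTTPS_PORT] [JMX_PORT]
# Prints (does not apply) the rules: external and local traffic to the
# privileged ports 80/443 is redirected to the unprivileged Tomcat ports, so
# Alfresco never needs root to listen; the JMX port is accepted only via
# loopback and dropped from anywhere else. Review the output, then feed it
# to a root shell and persist it with your distribution's iptables tooling.
render_iptables_rules() {
    http_port="${1:-8080}"
    https_port="${2:-8443}"
    jmx_port="${3:-50500}"
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $http_port
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port $https_port
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port $http_port
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port $https_port
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport $jmx_port -j DROP
EOF
}

# Usage (assumed paths):
#   sh alfresco-audit.sh "$ALF_HOME/tomcat/shared/classes/alfresco-global.properties" \
#                        "$ALF_HOME/alf_data/contentstore" "$ALF_HOME/alf_data/solr"
if [ "$#" -gt 0 ]; then
    check_secret_perms "$@"
    echo "--- suggested iptables rules ---"
    render_iptables_rules
fi
```

The permission check deliberately reads `ls -ld` rather than `stat`, whose format flags differ between GNU and BSD userlands, so the same script works on a Linux server and a developer's Mac. The iptables function only renders rules so the output can be reviewed before anything touches the firewall.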
The security checklist in the final appendix of the paper is a MUST for any Alfresco installation.