Notes on Alfresco Security

This week I'm in London during Alfresco Summit 2014 conferences. While attending Alfresco security keynote of Toni de la Fuente, I compiled some notes for the Alfresco Training Blog Post. It is better explained in Alfresco Security Best Practices and the keynote, but you can use this as a basic checklist.
  • Keep updated, it's a basic about security (last service pack or hotfix of your alfresco version).
  • Remember to change admin and JMX passwords.
  • Run application as non-root user nating priviledged ports via iptables.
  • Use iptables to control local Alfresco ports.
  • Set chmod 0600 permissions for, dir.root/contentstore, dir.root/solr and any other file that could contain password information, for example,
  • Use different tiers and machine for frontend, Alfresco share app, Alfresco Repository, SOLR, Transformation and Database Server when possible.
  • Use firewalls policies for inbound and outbound traffic. 
  • Use secure HTTP connections, at least in the frontend tier.
  • Use SSL in protocols like FTP, IMAP, SMTP, Sharepoint. Also in LDAP.
  • Disable unneeded services such as transfer service, replication, audit, protocols or system quotas if it is not required for the project.
  • Disable guest user for alfresco authentication subsystems (alfresco NTLM and ldap).
  • Monitor your Alfresco instance via Nagios/Icinga plugin or JMX (i.e jmxterm), for example paratemers such as JVM heap, threads, database connections, active users, disk usage....  
  • Backup and restore procedure tested, for example with Alfresco BART.
  • Set ticket and session timeout of Share and Repository applications, taking in consideration if other timeouts affect (for example, cookie based SSO external authentication timeout).
  • Check server logs periodically.
  • Check CSRF policies in Alfresco Share.
  • Use Apache frontend config for allowing and restricting access to Alfresco API (/alfresco/service/*, /alfresco/proxy).
  • Use Secure cookies.
The final security check list appendix of the paper, is a MUST in an Alfresco installation.

More Blog Entries