Alfresco Security Best Practices, Toni de la Fuente, Principal Solutions Engineer, [email protected], @ToniBlyx – blyx.com, #AlfrescoSecurity

Upload: toni-de-la-fuente

Post on 18-Dec-2014


DESCRIPTION

Alfresco Security Best Practices given at Alfresco Summit 2014 (San Francisco and London)

TRANSCRIPT

Page 1: Alfresco Security Best Practices 2014

Alfresco Security Best Practices, Toni de la Fuente, Principal Solutions Engineer, [email protected], @ToniBlyx – blyx.com, #AlfrescoSecurity

Page 2: Alfresco Security Best Practices 2014

“Sometimes, you have to demo a threat to spark a solution”

Barnaby Jack, 1977-2013

Page 3: Alfresco Security Best Practices 2014

@ToniBlyx #AlfrescoSecurity

How to solve all your problems:

UPGRADE!!  

Page 4: Alfresco Security Best Practices 2014


That’s all folks!

THANKS

Page 5: Alfresco Security Best Practices 2014

Agenda

• Demo
• Alfresco Security Policy
• Elements
• External Threats
• Vulnerabilities Assessment
• Network and Operating System
• Implementation Best Practices
• Architecture
• Mobile
• Compliance and Standards

Page 6: Alfresco Security Best Practices 2014

The Guide

• Alfresco Security Best Practices Guide
• https://my.alfresco.com/share/s/85CnNsR0ROaSV0BwmKWncg

Page 7: Alfresco Security Best Practices 2014

Security, User Adoption, Open, Modern Architecture

SIMPLE/CONNECTED: Integral support for mobile workers and external partners, interface built with the end user in mind vs. IT, seamlessly integrated with today’s most common productivity tools

CONTROLLED: Enterprise-grade security, easy compliance policy definition and enforcement, fully compliant

SIMPLE/SMART/CONNECTED: Enterprise-grade, hybrid, open-source, flexible architecture that meets today’s IT demands. Open integration interface, ease of administration, allows the IT org to integrate with other LOB applications, support for open standards

Alfresco Value Pillars

Content Encryption, Records Mgmt., MDM, Certification

Page 8: Alfresco Security Best Practices 2014

Alfresco Security Policy

• Issues Discovery
• Security Notifications
• Severity Levels: High, Medium, Low
• Reporting a Security Issue to us: [email protected]

Page 9: Alfresco Security Best Practices 2014

Alfresco Security Components: Deployment

• People
• Process
• Alfresco application: Patches, HF, Upgrades, Features
• JVM
• Operating System
• Firewall
• Network configuration
• Virtualization infrastructure
• Network infrastructure
• Physical infrastructure
• Physical security
• Facilities

Page 10: Alfresco Security Best Practices 2014


AWS Shared Security Model, A Good Reference

Page 11: Alfresco Security Best Practices 2014

Multiple External Threats 1

Discovery, gathering information and information leaks:
• Search tools: Google, Bing, Shodan
• Gathering info: FOCA, metagoofil, theharvester, maltego
• Manual discovery: Nmap, others

Protection:
• IDS
• Banner
• Filter access to resources
• Clean metadata

Page 12: Alfresco Security Best Practices 2014

Multiple External Threats 2

Brute force user and password or dictionary attacks:
• Online tools: Hydra, Metasploit

Protection:
• IDS
• Password rotation
• Password strength policy
• Error login threshold
• Prevent DoS

Page 13: Alfresco Security Best Practices 2014

Multiple External Threats 3

Man-in-the-Middle attacks and DDoS/DoS:
• Multiple ways
• Complex to protect

Protection:
• Architecture design
• Encryption
• Certificate strength
• Firewalls (network, host and application level)
• IDS/IPS
• AlfViral
• Corporate-network solutions – ATP
• Monitoring

Viruses:
• Content
• All tiers

Page 14: Alfresco Security Best Practices 2014

Source of Vulnerabilities

Public Sources
• CVE-2014-0050: Apache Commons FileUpload
• CVE-2014-0125: Moodle
• Bugtraq ID 37578: Joomla

Internal Sources
• *MNT-11793: SSRF, port scanning
• CVE-2014-2939: XSS
• MNT-10540: Share remote execution
• *MNT-10539: Xerces / POI

Page 15: Alfresco Security Best Practices 2014


Hardening Network and Operating System

Page 16: Alfresco Security Best Practices 2014

Network and Operating System

• Network: Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices.
• OS: RedHat, Ubuntu, Suse, Solaris, Windows Server
• File permissions: alfresco-global.properties, dir_root/contentstore, dir_root/solr, dir_root/lucene-indexes
• Minimum privileges
• Port redirect

Page 17: Alfresco Security Best Practices 2014

Firewall: Inbound ports

Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
HTTP | 8080 | TCP | IN | Yes | WebDAV included
FTP | 21 | TCP | IN | Yes | Passive mode
SMTP | 25 | TCP | IN | No |
CIFS | 137,138 | UDP | IN | Yes |
CIFS | 139,445 | TCP | IN | Yes |
IMAP | 143 or 993 | TCP | IN | No |
SharePoint Protocol | 7070 | TCP | IN | Yes |
Tomcat Admin | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall
Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall
SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the certificate has to be installed in the browser. Otherwise take it into account when using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT
NFS | 111,2049 | TCP/UDP | IN | No | This is the repository NFS service (NFS as VFS)
RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open this port at the firewall
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2
JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2
JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2
OpenOffice/JODConverter | 8100 | TCP | IN | Yes | Works on localhost; do not open it at the firewall
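The rows marked "do not open this port at the firewall" are the ones that most often end up exposed anyway. This added Python example (not from the slides or from Alfresco) turns the inbound table into an allow-list and checks a constructed `ss -tln` snapshot against it, reporting every listener bound beyond loopback that the table does not permit:

```python
import re

# Inbound ports the slide flags "do not open at the firewall" / localhost only.
RESTRICTED = {
    "Tomcat Admin": (8005, 8005),
    "Tomcat AJP": (8009, 8009),
    "RMI/JMX": (50500, 50507),
    "OpenOffice/JODConverter": (8100, 8100),
}
# Inbound ports the slide lists as Active=Yes without a "do not open" caveat.
ALLOWED = {8080, 21, 137, 138, 139, 445, 7070, 8443}

# Matches `ss -tln` rows: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")

def parse_listeners(snapshot):
    """Yield (local_address, port) for each socket row in an `ss -tln` style dump."""
    for line in snapshot.splitlines():
        m = SS_LINE.match(line)
        if m:
            yield m.group(1), int(m.group(2))

def classify(port):
    """'restricted:<service>', 'allowed' or 'unknown' according to the slide's table."""
    for name, (lo, hi) in RESTRICTED.items():
        if lo <= port <= hi:
            return "restricted:" + name
    return "allowed" if port in ALLOWED else "unknown"

def audit(snapshot):
    """Return (port, address, verdict) for non-loopback listeners the table does not allow."""
    findings = []
    for addr, port in parse_listeners(snapshot):
        if addr.startswith(("127.", "[::1]", "::1")):
            continue  # loopback-only sockets never reach the firewall
        verdict = classify(port)
        if verdict != "allowed":
            findings.append((port, addr, verdict))
    return sorted(findings)

# Constructed sample in `ss -tln` layout, not captured from a real host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      1      127.0.0.1:8005      0.0.0.0:*
LISTEN 0      100    0.0.0.0:8009        0.0.0.0:*
LISTEN 0      50     *:50501             *:*
LISTEN 0      128    [::]:9999           [::]:*
"""
```

Run it against real `ss -tln` output on an Alfresco host; anything reported as restricted should be bound to 127.0.0.1 or blocked at the firewall, and anything unknown needs an owner.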

Page 18: Alfresco Security Best Practices 2014

Firewall: Outbound ports

Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA
DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB
DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB
DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB
DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB
DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB
LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization
LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization
docs.google.com | 443 | TCP | OUT | No |
JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes
Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore
Remote storage CIFS | 137,138 (UDP), 139,145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore
Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore
Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used
Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver
Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers
Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required
Third Party SSO | 443 | TCP | OUT | No | Third party SSO services
DNS | 53 | UDP | OUT | Yes | Name resolution service
Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using Alfresco Publishing Framework or Site blog publishing

Page 19: Alfresco Security Best Practices 2014


Alfresco Implementation Best Practices

Page 20: Alfresco Security Best Practices 2014

Best Practices 1

• Stay current: Service Packs, HF
• Never run as root
• Switch to SSL:
  • HTTPS (Share, WebDAV, API, etc.)
  • App Server, Web Server, Appliance
  • SharePoint Protocol
  • IMAPS
  • SMTP Inbound TLS
  • SMTP Outbound TLS
  • FTPS
  • LDAPS connection
  • Consider Hazelcast or JGroups / DB connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials

Page 21: Alfresco Security Best Practices 2014

Best Practices 2

• Audit: enable it if needed; easy to query audit records with curl; easier in RM
• Alfresco Support Tools: get to know connected users, besides other tools
• Get to know how to reset the admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
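Several items from slides 16, 20 and 21 (file permissions on alfresco-global.properties, changing the JMX default credentials, controlling ticket duration, disabling the guest user) can be verified straight from the configuration files. The following added Python example is not part of the deck or of Alfresco; the property keys are the Alfresco 4.x names as I know them, not values taken from the slides, and both the "change_asap" JMX default and the "loose if absent" defaults are assumptions:

```python
import os
import stat

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def check_global_properties(text):
    """Return findings for weak settings in alfresco-global.properties (empty = clean).
    Missing keys are treated as the loose default (an assumption about the product)."""
    p = parse_properties(text)
    findings = []
    if p.get("alfresco.authentication.allowGuestLogin", "true").lower() != "false":
        findings.append("guest login enabled")
    if p.get("authentication.ticket.ticketsExpire", "false").lower() != "true":
        findings.append("tickets never expire")
    return findings

def check_jmx_password_file(text):
    """Return roles still using 'change_asap' (assumed to be the shipped JMX default)."""
    return sorted(r for r, pw in parse_properties(text).items() if pw == "change_asap")

def mode_is_private(st_mode):
    """True when no group/other permission bits are set (owner-only, e.g. 0600)."""
    return stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def check_file_mode(path):
    """Apply mode_is_private to a real file such as alfresco-global.properties."""
    return mode_is_private(os.stat(path).st_mode)

# Constructed samples, not taken from any real deployment.
WEAK = "alfresco.authentication.allowGuestLogin=true\nauthentication.ticket.ticketsExpire=false\n"
HARDENED = """\
alfresco.authentication.allowGuestLogin=false
authentication.ticket.ticketsExpire=true
authentication.ticket.expiryMode=AFTER_INACTIVITY
authentication.ticket.validDuration=PT1H
"""
JMX_DEFAULT = "monitorRole=change_asap\ncontrolRole=change_asap\n"
```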

Page 22: Alfresco Security Best Practices 2014

Best Practices: content deletion

• Node deletion lifecycle
• Why is it important?

Page 23: Alfresco Security Best Practices 2014

More about node deletion

• Delete content when it is deleted
• Trashcan cleaner
• Records Management
• Wipe content

Page 24: Alfresco Security Best Practices 2014

Alfresco Share Security

• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout

Page 25: Alfresco Security Best Practices 2014

Architecture Best Practices 1

• Frontends: protect URLs
  • Apache, Nginx, HAProxy
  • /alfresco/service
  • /share/service
  • /alfresco/proxy
  • /alfresco/cmisbrowser
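The slide names the URL prefixes to shield at the front end but not the rule itself. This added Python example, not from the deck or from any proxy product, shows the decision a front-end filter has to make for those four prefixes, assuming (a constructed choice) that they remain reachable from an internal 10.0.0.0/8 network; it normalizes the path first so that equivalent spellings of the same URL receive the same decision:

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Prefixes from the slide that the front end must not expose to anonymous users.
PROTECTED = ("/alfresco/service", "/share/service", "/alfresco/proxy", "/alfresco/cmisbrowser")
# Constructed: the network from which these endpoints may still be reached.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def canonical_path(url):
    """Normalize a request path so equivalent spellings get the same decision:
    percent-decode (twice, for double encoding), resolve './' and '../',
    collapse repeated slashes, lower-case (conservative: it denies more)."""
    path = unquote(unquote(urlsplit(url).path))
    path = posixpath.normpath("/" + path)
    return "/" + path.lstrip("/").lower()   # normpath keeps a leading '//'; strip it

def is_protected(path):
    """True for a protected prefix itself or anything below it (not '/alfresco/servicex')."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def decide(url, client_ip):
    """'allow' or 'deny', as the Apache/Nginx/HAProxy rule in front of Alfresco should."""
    if not is_protected(canonical_path(url)):
        return "allow"
    return "allow" if ipaddress.ip_address(client_ip) in INTERNAL else "deny"
```

Whatever proxy implements the rule, test it with the same kind of inputs: the plain path, an encoded variant, and one with dot segments, all from an external address.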

Page 26: Alfresco Security Best Practices 2014


Architecture Best Practices 2

Page 27: Alfresco Security Best Practices 2014


Architecture Best Practices 3

Page 28: Alfresco Security Best Practices 2014


AWS sample

Page 29: Alfresco Security Best Practices 2014

Backup and Disaster Recovery

• White Paper
• http://slidesha.re/1o1HUY9

Page 30: Alfresco Security Best Practices 2014

Mobile Security

• File Protection: encryption when locked
• HTTPS: certificate authentication
• MDM: Alfresco for Good (iOS), MobileIron (Android)
• MDM next version: Symantec Sealed (Android), Citrix Worx, MobileIron (iOS)

Page 31: Alfresco Security Best Practices 2014

Security Compliance & Standards

• DoD 5015.2
• OWASP Top 10
• HIPAA
• FISMA
• FedRAMP
• ISO 27001
• PCI-DSS

Page 32: Alfresco Security Best Practices 2014


Finally, a review:

Page 33: Alfresco Security Best Practices 2014


Alfresco Security Checklist

Page 34: Alfresco Security Best Practices 2014


List of Alfresco third party components

Page 35: Alfresco Security Best Practices 2014

Now… Yes! That’s all folks!

Questions? Suggestions?

Complaints? Beers?

Page 36: Alfresco Security Best Practices 2014

Thanks

Toni de la Fuente, Principal Solutions Engineer

[email protected] @ToniBlyx – blyx.com