TTL Alfresco Product Security and Best Practices 2017

Post on 22-Jan-2018


Best Practices around Alfresco Security

Phil Meadows & Toni de la Fuente

11th October 2017 - Tech Talk Live #110

Topics

● Who We Are

● Responsible Disclosure

● Product Security Processes and Policies

● Security Deployment Best Practices

● Hardening

● Backup and Disaster Recovery

Phil Meadows - Security Director

• 20 years experience in the field of software engineering and operations in a mixture of technical and leadership roles.

• Joined Alfresco in 2014 working in the DevOps team.

• Security Director since July 2017

Toni de la Fuente - Lead Security Operations - Senior Cloud Security Architect

• Old timer Alfrescan

• Senior Solutions Engineer -> Principal Solutions Engineer -> Senior Cloud Security Architect -> Lead Security Operations

• Alfresco Security Best Practices Guide

• Alfresco Backup and Disaster Recovery Whitepaper

• Alfresco BART

• Prowler

• phpRADmin

• Blyx.com

• …

Responsible Disclosure

• What is it?

• Why do we need one?

• Status

Vulnerability Reporting

Product Security

1. People - Security aware Engineers

2. Tools - Automated and Manual Security Analysis

3. Processes and Policies - Response, Classification, Standards

People

• Secure Coding Workshop.

– Hosted by 3rd Party

– 4 day course

– Covers basics of Web Application Security

– OWASP Top 10 (2017 edition on its way!)

• Regular Updates

– Brown Bag Sessions

– Lightning talks in Engineering meetups

• Virtual Secure Coding Expert Team

• Architectural Decision Records

Product Development - Security Touchpoints

Architecture

Engineers IDE

Source Code Repository

Build Pipeline

Release Process

Architecture

• Relies on People

• Security Concerns considered up front

• Architectural Decision Records

• Secure Coding Experts

Engineers IDE

• No company wide agreed tools/solutions yet.

• Sooner found, sooner fixed.

• Good training tool.

Source Code Repository

• Pull Request Integration.

• No solution found yet, investigating LGTM https://lgtm.com/

• Free for open source projects.

– GitHub integration

– Currently no GitLab integration

• Security scan at pull request

• Historical security metrics

Build Pipeline

• SonarQube https://www.sonarqube.org/

• Triggered by Maven goal

• Code Quality good for Security

• OWASP plugin - Security Dashboard

Release Process

• VeraCode https://www.veracode.com/

– Scan Binaries

– Extensive Reports

– Heavyweight

• Third Party Penetration Testing

– Manual and Automated security scans

– Against a cloud hosted running environment

Security Issue Classification

• CVSS - Common Vulnerability Scoring System

– https://www.first.org/cvss/

– https://www.first.org/cvss/calculator/3.0

• Gives a numeric score that we convert to a security level against which the engineering teams have agreed response targets.

• Three security levels

– High - Patch or hotfix

– Medium - Hotfix or service pack depending on support level

– Low - Included in next scheduled release

Security Deployment Best Practices

What to do?

• Keep security triad in mind:

– Confidentiality

– Integrity

– Availability

Solution also matters

• Single tier or multi-tier

• On-prem or in a cloud provider?

Alfresco CS Security Checklist

Network and Operating System

Hardening

• Network

– Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices.

• OS

– RedHat, Ubuntu, Suse

– Solaris

– Windows Server

• File permissions

– alfresco-global.properties

– dir_root/contentstore

– dir_root/solr

– dir_root/lucene-indexes

• Minimum privileges

• Port redirect
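Added worked example (not from the talk, not Alfresco's own tooling): a small checker for the file-permission and minimum-privilege points on the slide. It verifies that alfresco-global.properties, which carries the DB credentials, grants nothing beyond owner read/write and group read, that the content store and index directories are not writable by others, and that the service uid is not 0. The maximum modes (0640 for the file, 0750 for the directories) are an assumed policy rather than an Alfresco default, and `make_demo_layout` builds a constructed throwaway dir_root so the check can be exercised without a real installation.

```python
"""File-system hardening checks: alfresco-global.properties must not be
readable by other users, contentstore/solr/lucene-indexes must not be
writable by others, and the service must not run as root.

Added example, not Alfresco's own tooling. Paths are parameters, so the
dir_root layout is whatever your installation uses; the maximum modes are an
assumed policy (0640 file, 0750 directories), not an Alfresco default.
"""
import os
import stat
import tempfile


def check_private_file(path, max_mode=0o640):
    """Problems for a secrets file: must exist, be a regular file, and grant
    no permission bit beyond max_mode."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode
    if extra:
        problems.append(f"{path}: mode {mode:04o} grants extra bits {extra:04o} (want <= {max_mode:04o})")
    return problems


def check_private_dir(path, max_mode=0o750):
    """Problems for a data directory. A missing directory is skipped because
    an installation has either solr or lucene-indexes, not both."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode
    return [f"{path}: mode {mode:04o} grants extra bits {extra:04o} (want <= {max_mode:04o})"] if extra else []


def check_not_root(euid=None):
    """'Never run as root': the uid the service runs under must not be 0."""
    euid = os.geteuid() if euid is None else euid
    return ["service runs as root (uid 0); use a dedicated unprivileged user"] if euid == 0 else []


def check_alfresco_layout(dir_root, global_properties, euid=None):
    """Run every check; an empty list means the layout passes."""
    problems = check_private_file(global_properties)
    for sub in ("contentstore", "solr", "lucene-indexes"):
        problems += check_private_dir(os.path.join(dir_root, sub))
    problems += check_not_root(euid)
    return problems


def make_demo_layout(insecure=True):
    """Constructed fixture: a temporary dir_root with a properties file and a
    content store, with typical sloppy modes or with the target modes."""
    root = tempfile.mkdtemp(prefix="alf_demo_")
    gp = os.path.join(root, "alfresco-global.properties")
    with open(gp, "w") as fh:
        fh.write("db.username=alfresco\ndb.password=example-only\n")  # constructed placeholder
    cs = os.path.join(root, "contentstore")
    os.mkdir(cs)
    os.mkdir(os.path.join(root, "solr"))
    os.chmod(gp, 0o644 if insecure else 0o600)
    os.chmod(cs, 0o777 if insecure else 0o750)
    os.chmod(os.path.join(root, "solr"), 0o750)
    return root, gp


if __name__ == "__main__":
    root, gp = make_demo_layout(insecure=True)
    for p in check_alfresco_layout(root, gp, euid=0):
        print("FAIL", p)
```

Run it from a cron job or a configuration-management handler as the Alfresco service user; anything it prints is a regression against the slide's file-permission and minimum-privilege points.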

Firewall: Inbound ports

Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
HTTP | 8080 | TCP | IN | Yes | WebDAV included
FTP | 21 | TCP | IN | Yes | Passive mode
SMTP | 25 | TCP | IN | No |
CIFS | 137,138 | UDP | IN | Yes |
CIFS | 139,445 | TCP | IN | Yes |
IMAP | 143 or 993 | TCP | IN | No |
SharePoint Protocol | 7070 | TCP | IN | Yes |
Tomcat Admin | 8005 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall
Tomcat AJP | 8009 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall
SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the certificate has to be installed in the browser. Otherwise take it into account in case of using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT
NFS | 111,2049 | TCP/UDP | IN | No | This is the repository service NFS as VFS
RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless it is necessary, do not open this port at the firewall
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2
JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2
JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2
OpenOffice/JODConverter | 8100 | TCP | IN | Yes | It works on localhost, do not open it at the firewall
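Added worked example (not from the talk, not Alfresco's own tooling): a check that turns the inbound table into a policy and audits what a node is actually listening on, using the output of `ss -ltn` (TCP) and `ss -lun` (UDP). The table's comments become rules: the Tomcat shutdown port (8005), AJP (8009), JODConverter (8100) and the JMX/RMI range are flagged as high when bound to anything other than loopback; a listener on a port the table marks as not active, or on a port the table does not mention, is reported for review. The `ss` output in SAMPLE_SS is constructed for the example.

```python
"""Audit live listeners against the inbound-port table.

Added example, not part of the talk or of Alfresco. Feed it `ss -ltn` /
`ss -lun` output; SAMPLE_SS is constructed. The policy encodes the table's
comments: ports that must stay on localhost are flagged when bound to any
other address, ports marked Active=No are reported when they do listen,
and unknown listeners are reported for review.
"""
from dataclasses import dataclass

# port -> (service, active per the table, may listen beyond loopback)
INBOUND_POLICY = {
    8080: ("HTTP / Share / WebDAV / API", True, True),
    21: ("FTP", True, True),
    25: ("SMTP inbound", False, True),
    137: ("CIFS NetBIOS", True, True), 138: ("CIFS NetBIOS", True, True),
    139: ("CIFS", True, True), 445: ("CIFS", True, True),
    143: ("IMAP", False, True), 993: ("IMAPS", False, True),
    7070: ("SharePoint Protocol", True, True),
    8005: ("Tomcat shutdown", True, False),
    8009: ("Tomcat AJP", True, False),
    8443: ("Solr admin (HTTPS)", True, True),   # reachable from repository/index servers only
    111: ("NFS portmapper", False, True), 2049: ("NFS", False, True),
    5701: ("Hazelcast cluster", False, True),    # between cluster nodes only
    7800: ("JGroups discovery", False, True),
    7801: ("Ehcache RMI", False, True), 7802: ("Ehcache RMI", False, True),
    8100: ("OpenOffice / JODConverter", True, False),
}
for _p in range(50500, 50508):
    INBOUND_POLICY[_p] = ("RMI / JMX", True, False)

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass
class Finding:
    port: int
    service: str
    bound_to: str
    severity: str   # "high": must not be exposed; "info": review
    message: str


def audit_listeners(ss_output: str) -> list:
    """Parse `ss -l` style lines and return one Finding per problem."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        # skip the header and anything that is not a listening socket
        if len(cols) < 5 or cols[0] not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port_s = cols[3].rpartition(":")   # handles '*:8009' and '[::]:50500'
        if not port_s.isdigit():
            continue
        port = int(port_s)
        if port not in INBOUND_POLICY:
            findings.append(Finding(port, "unknown", addr, "info",
                                    "not in the Alfresco port table; confirm it is needed"))
            continue
        service, active, exposable = INBOUND_POLICY[port]
        if not exposable and addr not in LOOPBACK:
            findings.append(Finding(port, service, addr, "high",
                                    "bind to 127.0.0.1 and block at the firewall"))
        elif not active:
            findings.append(Finding(port, service, addr, "info",
                                    "marked not active in the table; confirm it was enabled deliberately"))
    return findings


# Constructed `ss -ltn` output for a misconfigured node: the Tomcat shutdown
# and AJP ports and JMX are reachable from every interface; JODConverter is
# correctly on loopback; SMTP inbound and SSH are not in the expected set.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       100     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       1       0.0.0.0:8005         0.0.0.0:*
LISTEN  0       100     *:8009               *:*
LISTEN  0       128     127.0.0.1:8100       0.0.0.0:*
LISTEN  0       50      [::]:50500           [::]:*
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f.severity:4} port {f.port:<5} {f.service} on {f.bound_to}: {f.message}")
```

The firewall table and a host-level check are complementary: the table says which ports may be opened, but a Tomcat shutdown or AJP listener on 0.0.0.0 is still one misapplied security-group rule away from the outside, so fixing the bind address (Tomcat's `address` attribute on the connector, JMX's RMI host) is the durable control.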

Firewall: Outbound ports

Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA
DB - PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB
DB - MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB
DB - MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB
DB - Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB
DB - DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB
LDAP or AD | 389 | TCP | OUT | No | If needed for authentication and synchronization
LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization
docs.google.com | 443 | TCP | OUT | No |
JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes
Hazelcast | 5701 | TCP | OUT | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes
Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as content store
Remote storage CIFS | 137,138 (UDP), 139,445 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as content store
Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as content store
Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used
Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver
Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers
Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required
Third Party SSO | 443 | TCP | OUT | No | Third party SSO services
DNS | 53 | UDP | OUT | Yes | Name resolution service

Alfresco Implementation Best Practices

Best Practices 1

• Stay current

– Service Packs, HF

• Never run as root

• Switch to SSL

– HTTPS (Share, WebDAV, API, etc.)

– App Server, Web Server, Appliance

– SharePoint Protocol

– IMAPS

– SMTP Inbound TLS

– SMTP Outbound TLS

– FTPS

– LDAPS connection

– DB Connection

• Permissions inheritance

• Custom roles

• Review your logs

• Change JMX default credentials

• Change keystore password

Best Practices 2

• Audit

– Enable it if needed

– Easy to query audit records with curl

– Easier in RM

• Alfresco Support Tools

– Get to know connected users besides other tools

• Get to know how to reset admin password

• Control ticket session duration

• Disable unneeded services

• Disable guest user

Best Practices 3

• Encrypt configuration properties if needed

• Mitigating brute force attack on user passwords

• Use bcrypt

• Third party auth system / Federated
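Added worked example (not from the talk, not Alfresco's own tooling) covering the configurable items in Best Practices 2 and 3: a checker that reads alfresco-global.properties and reports the guest user, ticket expiry, password hashing, login brute-force protection and audit settings that are weak or left at their default. The property names are taken from the Alfresco 5.x configuration reference as I recall them (`alfresco.authentication.allowGuestLogin`, `authentication.ticket.*`, `system.preferred.password.encoding`, `authentication.protection.*`, `audit.enabled`); verify them against the reference for your version. The two property files below are constructed; a key that is absent is reported on purpose, because relying silently on a build default is what a hardening review should catch.

```python
"""Audit alfresco-global.properties for the Best Practices 2 and 3 settings.

Added example, not Alfresco's own tooling. Property names are from the
Alfresco 5.x configuration reference as recalled; verify against your
version. SAMPLE_WEAK / SAMPLE_HARDENED are constructed for the example.
"""
import re
from dataclasses import dataclass


def load_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key: value, and backslash line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


@dataclass
class Rule:
    key: str
    ok: object      # callable(value) -> bool
    advice: str


@dataclass
class Finding:
    key: str
    value: object   # None when the key is absent
    advice: str


RULES = [
    Rule("alfresco.authentication.allowGuestLogin", lambda v: v == "false",
         "disable the guest user unless anonymous access is a requirement"),
    Rule("authentication.ticket.ticketsExpire", lambda v: v == "true",
         "tickets must expire; pair with authentication.ticket.validDuration"),
    Rule("authentication.ticket.validDuration",
         lambda v: re.fullmatch(r"P(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?", v) is not None and len(v) > 1,
         "set an ISO-8601 ticket lifetime such as PT1H"),
    Rule("system.preferred.password.encoding", lambda v: v == "bcrypt10",
         "hash passwords with bcrypt (bcrypt10), not the legacy md4 hash"),
    Rule("authentication.protection.enabled", lambda v: v == "true",
         "enable login brute-force protection (authentication.protection.limit / periodSeconds)"),
    Rule("audit.enabled", lambda v: v == "true",
         "enable auditing so access and changes can be queried later"),
]


def audit_properties(text: str) -> list:
    """Return a Finding for every rule that fails or whose key is absent."""
    props = load_properties(text)
    findings = []
    for rule in RULES:
        value = props.get(rule.key)
        if value is None:
            findings.append(Finding(rule.key, None, "not set, relying on the default: " + rule.advice))
        elif not rule.ok(value):
            findings.append(Finding(rule.key, value, rule.advice))
    return findings


# Constructed: an out-of-the-box flavoured file (credentials are placeholders).
SAMPLE_WEAK = """\
db.username=alfresco
db.password=alfresco
alfresco.authentication.allowGuestLogin=true
authentication.ticket.ticketsExpire=false
system.preferred.password.encoding=md4
"""

# Constructed: the same file after applying Best Practices 2 and 3.
SAMPLE_HARDENED = """\
db.username=alfresco
db.password=alfresco
alfresco.authentication.allowGuestLogin=false
authentication.ticket.ticketsExpire=true
authentication.ticket.validDuration=PT1H
authentication.ticket.expiryMode=AFTER_INACTIVITY
system.preferred.password.encoding=bcrypt10
authentication.protection.enabled=true
authentication.protection.limit=5
authentication.protection.periodSeconds=60
audit.enabled=true
"""

if __name__ == "__main__":
    for f in audit_properties(SAMPLE_WEAK):
        print(f"{f.key} = {f.value!r}: {f.advice}")
```

Note that switching `system.preferred.password.encoding` only changes how passwords are stored from the next successful login or password change onward; existing md4 hashes remain until each user authenticates again, so the change should be followed by a check of which accounts are still on the old hash.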

Alfresco Share Security

• Cross-Site Request Forgery (CSRF) filters

• Clickjacking mitigation

• Iframes and phishing attack mitigation

• Share HTML processing black/white list

• Site creation control

• Filter document actions by user or role

• Filter workflow by user or role

• Change default Share session timeout

Backup and Disaster Recovery

Backup and Disaster Recovery

• Backup, Archiving, Disaster Recovery

• Why?

• Business impact

• RPO (maximum tolerable data loss, i.e. the time between backups) and RTO (maximum tolerable downtime, i.e. the time taken to restore)

Backup Procedure and Methods

• What to backup?

– Install + Config + Custom

– Static / Dynamic

• Order

1. Index (index+cache)

2. DB

3. Content Store

• Types

– Cold

– Warm

– Hot

What about Zero-Downtime?

Restore Procedure

1. Installation

2. Configuration

3. Customization

4. DB

5. Content Store

6. Indexes

Best Practices: content deletion

• Node deletion lifecycle

– Why is it important?

• Delete content when it is deleted

• Trashcan cleaner

• Records Management

• Wipe content

More about node deletion

Thanks!

Toni de la Fuente @ToniBlyx

Phil Meadows @meadowsp99