Alfresco is one of the best-known document management systems in the world. In addition to its user-friendly design and easy-to-use features, Alfresco is also recommended for its strong security. However, as with all software tools, your Alfresco implementation is only as strong as its configuration. For a secure Alfresco you need an air-tight defense at every possible point of attack. So in this blog we are going to talk about securing your Alfresco installation.
In addition, in most practical solutions every Alfresco installation is linked to other tools like portals, intranets, business intelligence tools, CMS, ECM and CRM, so it's advisable to secure the integrated tools as well. Also, if you have installed Alfresco as a cluster, checking the security of all nodes becomes mandatory.
1. Checking All the Passwords
- Change all the default passwords of the Alfresco installation.
- Change the default JMX passwords associated with controlRole and monitorRole parameters.
- Check whether the passwords stored in Properties files are encrypted or not.
- Check the passwords and security of all connected API, Services, and Shared proxies.
2. Checking the permissions
- If you are using Linux, make sure that you are using a non-root user for running application servers.
- Change the permissions on alfresco-global.properties, dir_root/contentstore, dir_root/solr, and dir_root/lucene-indexes so that only application users can access them.
- Disable guest users.
- If you are using Kerberos, check the ‘file-servers-custom.xml’ file’s permissions.
- Check the configuration and passwords of FTSR files.
- If you are going to integrate Alfresco with third party tools (and we know that you are going to do that ;) ) create a dedicated user to give them access to Alfresco instead of giving them access via the admin user.
- Unless your project specifically requires them, set Alfresco Share's iFramePolicy to 'deny'.
- Recheck the permissions and configurations of Alfresco log directories. All Alfresco logs and application server logs are usually stored in the same directory so it’s imperative that you secure it.
- Alfresco is full of services and features. It's recommended to disable all unneeded services to ensure the best performance from Alfresco from a general, operational and security point of view.
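Several of the checks in sections 1 and 2 (file permissions on alfresco-global.properties and the dir_root stores, plaintext passwords in properties files, and default JMX passwords for controlRole and monitorRole) can be verified mechanically. The audit script below is an added example, not code from the original post or from Alfresco; it assumes the properties file is named alfresco-global.properties, that the JMX password file uses the standard "role password" line format, that encrypted property values are wrapped as ENC(...), and that change_asap is the shipped JMX default.

```python
import os
import re
import stat
from pathlib import Path

# Assumptions (not stated in the post): encrypted property values look like
# ENC(...) and "change_asap" is the shipped default in the JMX password file.
ENCRYPTED_VALUE = re.compile(r"^ENC\(.+\)$")
DEFAULT_JMX_PASSWORD = "change_asap"
JMX_ROLES = ("controlRole", "monitorRole")
DIR_ROOT_SUBDIRS = ("contentstore", "solr", "lucene-indexes")

def parse_properties(path):
    """Minimal reader for Java key=value properties (no continuation lines)."""
    props = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def group_or_other_access(path):
    """True if any group/other permission bit is set; only the owner should have access."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit(install_dir, jmx_password_file, dir_root):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    props_path = Path(install_dir) / "alfresco-global.properties"
    if group_or_other_access(props_path):
        findings.append(f"{props_path.name}: accessible by group/others")
    # Any *.password key whose value is not ENC(...) is stored in the clear.
    for key, value in parse_properties(props_path).items():
        if key.endswith(".password") and value and not ENCRYPTED_VALUE.match(value):
            findings.append(f"{key}: plaintext password in {props_path.name}")
    if group_or_other_access(jmx_password_file):
        findings.append("JMX password file: accessible by group/others")
    for line in Path(jmx_password_file).read_text().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in JMX_ROLES and parts[1] == DEFAULT_JMX_PASSWORD:
            findings.append(f"JMX {parts[0]}: still uses the default password")
    # The content and index stores under dir.root should be owner-only as well.
    for sub in DIR_ROOT_SUBDIRS:
        d = Path(dir_root) / sub
        if d.is_dir() and group_or_other_access(d):
            findings.append(f"{d.name}: accessible by group/others")
    return findings
```

Call audit() with the directory holding alfresco-global.properties, the path of the JMX password file and the dir.root path; each returned string is one item from the checklist that still needs attention.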
3. Important configurations to check after every installation
- Remove the Alfresco icon from the login page and if possible change the styling.
- Enable SSL for all major services. If you are using any third party authentication, run all authentication requests between Alfresco and the authentication server over SSL.
- Whenever you are replicating Alfresco services, use HTTPS only. Also, either use a pre-created user or create a new dedicated user for replication instead of using the admin user.
- Enable auditing to check the performance of your system.
- Enable encryption in your Alfresco system.
4. Using Fi
2. Protect your Alfresco Installation Today
Alfresco is one of the best-known document management systems in the world. However, as with all software tools, your Alfresco implementation is only as strong as its configuration.
3. Protect your Alfresco Installation Today
For a secure Alfresco you need an air-tight defense at every possible point of attack. So in this slide we are going to talk about securing your Alfresco installation.
4. Protect your Alfresco Installation Today
Now even before we begin, I cannot list all the possible configurations. Instead I am going to focus on the main security related considerations.
6. Checking All the Passwords
The most important aspect of security is the passwords that can be used to access the documents. Your passwords are your first line of defense, so use as strong a password as possible.
7. Checking All the Passwords
➔ Change all the default passwords of the Alfresco installation.
➔ Change the default JMX passwords associated with the controlRole and monitorRole parameters.
8. Checking All the Passwords
➔ Check whether the passwords stored in Properties files are encrypted or not.
➔ Check the passwords and security of all connected APIs and shared proxies.
10. Checking All the Passwords
➔ If you are using Linux, make sure that you are using a non-root user for running application servers.
➔ If you are using Kerberos, check the ‘file-servers-custom.xml’ file’s permissions.
11. Checking All the Passwords
➔ Change the permissions on alfresco-global.properties, dir_root/contentstore, dir_root/solr, and dir_root/lucene-indexes so that only application users can access them.
➔ Disable guest users.
12. Checking All the Passwords
➔ If you are going to integrate Alfresco with third party tools (and we know that you are going to do that ;)) create a dedicated user to give them access to Alfresco instead of giving them access via the admin user.
13. Checking the Permissions
➔ Unless your project specifically requires them, set Alfresco Share’s iFramePolicy to ‘deny’.
14. Checking the Permissions
➔ It’s recommended to disable all unneeded services to ensure the best performance from Alfresco from a general, operational and security point of view.
16. Configurations to check after every installation
➔ Remove the Alfresco icon from the login page and if possible change the styling. Also, change the default login URLs to further ensure security.
17. Configurations to check after every installation
➔ Enable SSL for all major services. If you are using any third party authentication, run all authentication requests between Alfresco and the authentication server over SSL.
➔ Maintain a black/white list to configure HTML processing.
18. Configurations to check after every installation
➔ Configure your SecurityHeaderPolicy values and enable the services to secure yourself from clickjacking attacks.
➔ Create and maintain custom error message pages.
19. Configurations to check after every installation
➔ Enable auditing to check the performance of your system.
➔ Always set proper permissions for metadata files as well.
➔ Enable encryption in your Alfresco system.
20. Configurations to check after every installation
➔ Third party firewalls also play a major role in securing your application environment. You have to set up and configure the firewalls to maintain secure inbound and outbound traffic.
22. Consult the experts when in doubt
Algoworks Technologies has built its business working with Alfresco. We have built hundreds of Alfresco projects combining the document manager with every popular technology. We are world leaders in Alfresco development and customization.
23. sales@algoworks.com Toll Free : +1-877-284-1028
Author: Pratyush Kumar, Co-Founder & Director (Open-Source | Salesforce | ECM)
Pratyush is Co-Founder and Director at Algoworks. He is responsible for managing and growing the open source technologies and Salesforce CRM team. He provides consulting and advisory to clients looking for services relating to CRM (Customer Relationship Management) and ECM (Enterprise Content Management).
Write to me @ pratyush@algoworks.com
24. Learn about how Algoworks can help your business!
Call us at: +1-877-284-1028
Mail us at: sales@algoworks.com, support@algoworks.com
Official Blog Link: http://www.algoworks.com/blog/alfresco-installation-security-tips