Slide deck used during Tech Talk Live #110 in October 2017. Phil Meadows and I discussed Alfresco product security, and I went through Alfresco CS security best practices.
TTL Alfresco Product Security and Best Practices 2017
1. Best Practices around Alfresco Security
Phil Meadows & Toni de la Fuente
11th October 2017 - Tech Talk Live #110
2. Topics
● Who We Are
● Responsible Disclosure
● Product Security Processes and Policies
● Security Deployment Best Practices
● Hardening
● Backup and Disaster Recovery
3. Phil Meadows - Security Director
• 20 years experience in the field of software engineering and operations in a mixture of technical and leadership roles.
• Joined Alfresco in 2014 working in the DevOps team.
• Security Director since July 2017
4. Toni de la Fuente - Lead Security Operations - Senior Cloud Security Architect
• Old timer Alfrescan
• Senior Solutions Engineer -> Principal Solutions Engineer -> Senior Cloud Security Architect -> Lead Security Operations
• Alfresco Security Best Practices Guide
• Alfresco Backup and Disaster Recovery Whitepaper
• Alfresco BART
• Prowler
• phpRADmin
• Blyx.com
• …
7. People
• Secure Coding Workshop.
– Hosted by 3rd Party
– 4 day course
– Covers basics of Web Application Security
– OWASP Top 10 (2017 edition on its way!)
• Regular Updates
– Brown Bag Sessions
– Lightning talks in Engineering meetups
• Virtual Secure Coding Expert Team
• Architectural Decision Records
8. Product Development - Security Touchpoints
• Architecture
• Engineers IDE
• Source Code Repository
• Build Pipeline
• Release Process
9. Architecture
• Relies on People
• Security Concerns considered up front
• Architectural Decision Records
• Secure Coding Experts
10. Engineers IDE
• No company wide agreed tools/solutions yet.
• Sooner found, sooner fixed.
• Good training tool.
11. Source Code Repository
• Pull Request Integration.
• No solution found yet, investigating LGTM
https://lgtm.com/
• Free for open source projects.
– GitHub integration
– Currently no GitLab integration
• Security scan at pull request
• Historical security metrics
13. Release Process
• VeraCode https://www.veracode.com/
– Scan Binaries
– Extensive Reports
– Heavyweight
• Third Party Penetration Testing
– Manual and Automated security scans
– Against a cloud hosted running environment
14. Security Issue Classification
• CVSS - Common Vulnerability Scoring System
– https://www.first.org/cvss/
– https://www.first.org/cvss/calculator/3.0
• Gives a numeric score that we convert to a security level against which the engineering teams have agreed response targets.
• Three security levels
– High - Patch or hotfix
– Medium - Hotfix or service pack depending on support level
– Low - Included in next scheduled release
20. Network and Operating System
• Network
– Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices.
• OS
– RedHat, Ubuntu, Suse
– Solaris
– Windows Server
– File permissions
  • alfresco-global.properties
  • dir_root/contentstore
  • dir_root/solr
  • dir_root/lucene-indexes
– Minimum privileges
– Port redirect
21. Firewall: Inbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137,138 | UDP | IN | Yes | |
| CIFS | 139,445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the certificate has to be installed in the browser. Also take it into account when using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT |
| NFS | 111,2049 | TCP/UDP | IN | No | This is the repository NFS service (NFS as VFS) |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open this port at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2 |
| OpenOffice/JODconverter | 8100 | TCP | IN | Yes | Works on localhost; do not open it at the firewall |
22. Firewall: Outbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
| DB – PostgreSQL | 5432 | TCP | OUT | Yes* | Depends on the DB |
| DB – MySQL | 3306 | TCP | OUT | Yes* | Depends on the DB |
| DB – MS SQL Server | 1433 | TCP | OUT | Yes* | Depends on the DB |
| DB – Oracle | 1521 | TCP | OUT | Yes* | Depends on the DB |
| DB – DB2 | 50000 | TCP | OUT | Yes* | Depends on the DB |
| LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes |
| Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore |
| Remote storage CIFS | 137,138 (UDP), 139,145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore |
| Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |
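As an added example (not part of the deck), a small POSIX shell check that reads `ss -ltn`-style output and flags the listeners the inbound table says to keep behind the firewall (Tomcat admin 8005, Tomcat AJP 8009, JMX RMI 50500-50507, OpenOffice/JODconverter 8100) when they are bound to a non-loopback address; the listener sample is constructed.

```shell
#!/bin/sh
# Added example, not from the slides. Flags Alfresco-related listeners that
# the inbound port table says to keep closed at the firewall when they are
# bound to all interfaces instead of loopback. Input mimics `ss -ltn`.

# Constructed sample of `ss -ltn` output for an Alfresco host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      1      0.0.0.0:8005        0.0.0.0:*
LISTEN 0      100    127.0.0.1:8009      0.0.0.0:*
LISTEN 0      50     *:50500             *:*
LISTEN 0      10     127.0.0.1:8100      0.0.0.0:*
LISTEN 0      50     [::]:8443           [::]:*'

# restricted_port PORT: succeeds when PORT is one the table says not to
# expose (Tomcat admin 8005, Tomcat AJP 8009, JMX RMI 50500-50507,
# OpenOffice/JODconverter 8100).
restricted_port() {
  case "$1" in
    8005|8009|8100) return 0 ;;
    *) [ "$1" -ge 50500 ] && [ "$1" -le 50507 ] ;;
  esac
}

# is_loopback ADDR: succeeds for loopback bindings (IPv4 127/8, IPv6 ::1).
is_loopback() {
  case "$1" in
    127.*|'[::1]'|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# exposed_restricted: reads ss-style lines on stdin and prints "PORT ADDR"
# for every restricted port listening on a non-loopback address.
exposed_restricted() {
  while read -r state _rq _sq laddr _peer; do
    [ "$state" = "LISTEN" ] || continue
    port=${laddr##*:}
    addr=${laddr%:*}
    restricted_port "$port" || continue
    is_loopback "$addr" || printf '%s %s\n' "$port" "$addr"
  done
}

# Demo run on the constructed sample; on a real host pipe `ss -ltn` instead.
printf '%s\n' "$SAMPLE_SS" | exposed_restricted
```

On the sample this reports 8005 on 0.0.0.0 and 50500 on *, while 8009 and 8100 pass because they are bound to 127.0.0.1.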
24. Best Practices 1
• Stay current
– Service Packs, HF
• Never run as root
• Switch to SSL
– HTTPS (Share, Webdav, API, etc.)
– App Server, Web Server, Appliance
– SharePoint Protocol
– IMAPS
– SMTP Inbound TLS
– SMTP Outbound TLS
– FTPs
– LDAPS connection
– DB Connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials
• Change keystore password
25. Best Practices 2
• Audit
– Enable it if needed
– Easy to query audit records with curl
– Easier in RM
• Alfresco Support Tools
– Get to know connected users besides other tools
• Get to know how to reset admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
26. Best Practices 3
• Encrypt configuration properties if needed
• Mitigating brute force attacks on user passwords
• Use bcrypt
• Third party auth system / Federated
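As an added example (not part of the deck), a POSIX shell audit of an alfresco-global.properties file against the points on the last three slides: guest login, ticket expiry, brute-force protection, bcrypt password hashing and unneeded services. The property names are assumed from Alfresco Content Services 5.2 and are not on the slides; the properties sample is constructed.

```shell
#!/bin/sh
# Added example, not from the slides. Audits alfresco-global.properties for
# the hardening settings discussed above. Property names are assumed from
# Alfresco Content Services 5.2 (not on the slides); sample is constructed.

# Constructed sample with several weak or missing settings.
SAMPLE_PROPS='dir.root=/opt/alfresco/alf_data
alfresco.authentication.allowGuestLogin=true
authentication.ticket.ticketsExpire=false
ftp.enabled = true
cifs.enabled=false
imap.server.enabled=false
email.server.enabled=false'

# Expected hardened values: KEY VALUE, one per line (assumed property names).
EXPECTED='alfresco.authentication.allowGuestLogin false
authentication.ticket.ticketsExpire true
authentication.protection.enabled true
system.preferred.password.encoding bcrypt10
ftp.enabled false
cifs.enabled false
imap.server.enabled false
email.server.enabled false'

# prop FILE KEY: prints the value of the last KEY=VALUE line, or nothing.
# Dots in KEY match any character in sed BRE, which is fine for an audit.
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_props FILE: prints one line per setting that is unset or differs
# from the expected value; prints nothing for a fully hardened file.
audit_props() {
  printf '%s\n' "$EXPECTED" | while read -r key want; do
    have=$(prop "$1" "$key")
    [ "$have" = "$want" ] && continue
    printf '%s expected=%s found=%s\n' "$key" "$want" "${have:-<unset>}"
  done
}

# Demo: write the constructed sample to a temp file and audit it.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_PROPS" > "$demo"
audit_props "$demo"
rm -f "$demo"
```

On the sample this reports five findings: guest login on, tickets that never expire, FTP enabled, and no brute-force protection or bcrypt setting at all.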
27. Alfresco Share Security
• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout
29. Backup and Disaster Recovery
• Backup, Archiving, Disaster Recovery
• Why?
• Business impact
• RPO (time between backups) and RTO (time taken to restore)
30. Backup Procedure and Methods
• What to backup?
– Install + Config + Custom
– Static / Dynamic
• Order
1. Index (index+cache)
2. DB
3. Content Store
• Types
– Cold
– Warm
– Hot
What about Zero-Downtime?