Alfresco Security Best Practices - Guide
Table of contents

Introduction (p. 1)
  Audience (p. 1)
  Related Publications (p. 1)
  How to Read this Guide (p. 2)
  Disclaimer and Scope (p. 2)
  Alfresco Security Policy (p. 2)
    Release of Security Notifications (p. 3)
    Severity Levels (p. 3)
    Reporting a Security Issue to Alfresco (p. 4)
  Components to Consider (p. 4)
The External and Internal Perspective (p. 5)
  External Threats (p. 5)
    Discovery, Information Gathering and Information Leaks (p. 5)
    Brute Force Username and Password Attacks (p. 7)
    MITM Attacks (p. 8)
    DoS and DDoS (p. 8)
    Viruses (p. 9)
  Vulnerabilities Assessment (p. 9)
    Public Vulnerabilities (p. 9)
    Other Vulnerabilities (p. 10)
Architecture Deployment Best Practices (p. 33)
  Frontends (p. 33)
  Single tier (p. 34)
  Two tiers (p. 35)
  Three tiers (p. 36)
  AWS deployments (p. 37)
  Backup and Disaster Recovery (p. 38)
Mobile Security (p. 39)
  File Protection (p. 39)
  HTTPS (p. 39)
  Certificate Authentication (p. 39)
  MDM (p. 39)
    Alfresco for Good (iOS) (p. 39)
    MobileIron (Android) (p. 39)
    Additional information (p. 40)
Alfresco Security Best Practices
Introduction

This guide is intended to fill a need for Alfresco administrators to have a collection of tips for enhancing the security of their implementation. If you are concerned about the security of your content, this guide is specifically written for you.

This guide addresses the security of an Alfresco implementation from two different views:

• Threat view: we will identify how a potential attacker could exploit security issues with the installation;
• Administrator view: we will discuss how an administrator can prevent and protect an installation.
Audience

This document is intended for the Alfresco Enterprise customer and partner network, with special focus on technical teams such as Enterprise Architecture, Development, Support, and Operations, as it requires a deep understanding of the architecture, components, and technologies involved in the operation of the Alfresco platform. The ideal reader should hold an Alfresco Certified Engineer (ACE) or Alfresco Certified Administrator (ACA) certification. More details on the certifications can be found at http://university.alfresco.com.
Related Publications

For some recommendations an official link will be provided. Furthermore, here is a list of sources of information related to Alfresco and this guide:

• Alfresco Security Policy [1]
• Alfresco Cloud Security Policy [2]
• Alfresco in the Cloud Security White Paper [3]
• Alfresco Backup and Disaster Recovery White Paper [4]
• Alfresco Security Best Practices talk at Alfresco DevCon 2012 [5]

[1] http://docs.alfresco.com/support/concepts/su-external-security-policy.html
[2] http://docs.alfresco.com/support/concepts/su-external-security-policy-cloud.html
[3] http://www2.alfresco.com/l/1234/2012-08-07/374w8d/1234/151131/Alfresco_in_the_cloud_Security.pdf
[4] http://bit.ly/1lvNkcz
[5] http://bit.ly/1rBtOme
Example 3: A security issue is discovered in Alfresco v4.1.2, which is being exploited. Alfresco will:

• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue a hot fix for Alfresco versions 3.0, 3.1, 3.2, 3.3, 3.4 and 4.0 as soon as possible;
• Ensure the next release, Alfresco v4.1.3, fixes the issue.
Severity Levels

Alfresco classifies security vulnerabilities by severity, on a case by case basis, using common sense and the examples shown here as a guideline.

High

A vulnerability is classified as High severity if any of the following hold true:

• Customer data can be compromised;
• The server running the application can be compromised;
• A Denial of Service (DoS) renders the system unavailable;
• The vulnerability was discovered externally, is known about externally, or is being actively exploited.

Medium

A vulnerability is classified as Medium severity if any of the following hold true:

• It would otherwise be High severity but it was discovered internally and/or is not believed to be known externally;
• It is a less serious vulnerability such as an XSS or CSRF.

Low

• A vulnerability is classified as Low severity if it only poses a marginal or insignificant risk.

NOTE: Alfresco has an internal SLA to resolve vulnerabilities based on the severity classification mentioned above.
Components to Consider

As has been stated above in this document, there are different components that may affect application security. Below is a list of components that need to be considered, from the physical environment to the software:

1. Facilities;
2. Physical security;
3. Network infrastructure;
4. Virtual and/or physical infrastructure;
5. Network configuration;
6. Firewall;
7. Operating System;
8. JVM and Application Server;
9. Alfresco;
10. People;
11. Process.

This guide mostly deals with Alfresco security. Additional security tips and guidelines are included for components that are directly related to Alfresco security and maintenance, such as JVM and application server, operating system, and firewall security.
• Shodan [6]: This is a device search engine based on ports and service headers or banners, for example: https://www.shodan.io/search?query=%22alfresco%22+server+port%3A8080
• FOCA [7]: This is a graphical tool (Windows) that uses the Google and Bing search engines and DNS records to retrieve metadata from the documents that are available in the target domain. It searches for usernames, software versions and server or machine names.
• Metagoofil: This is a command line tool (Linux) that uses the Google search engine to retrieve metadata from the documents that are available in the target domain. It searches for usernames, software versions and server or machine names.

[6] http://www.shodanhq.com/
[7] http://www.informatica64.com/foca.aspx
• theHarvester: This is a command line tool (Linux) that looks for email accounts, usernames, hostnames and subdomains by using Google, Bing, LinkedIn, Shodan and more.
• Maltego: This is an open source intelligence and forensics application. It allows you to mine and gather information from public resources and then represent the information in a meaningful way.
• Nmap port scanning: It is used to determine the state of TCP and UDP ports for the target host, among other network protocols.
• Other manual tasks: a banner read against a Tomcat server:

# echo -e "HEAD / HTTP/1.0\n\n" | nc 192.168.11.129 8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close

The same test done against Alfresco Share:

# echo -e "HEAD /share/page/ HTTP/1.0\n\n" | nc 192.168.11.129 8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close

In addition to all the threats described above, these tools are also useful for gathering information from files. It is well known that most content items contain information about themselves inside their own files: their metadata. Besides the file name, photos will have information about the camera and even geolocation. MS Office, Open/LibreOffice or PDF documents may store user names, network resources, email addresses and other information useful for a potential intrusion test. Some of these properties are extracted automatically by Alfresco in order to populate its own database, but the properties are still stored in the file itself. If Alfresco publishes these documents externally or the files are accessed from portals, emails, etc., then we need to add protection in order to prevent information leaks.
Protection

• Use an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Host IDS, Advanced Threat Protection Systems and a Web Application Firewall to mitigate some of these scans;
• The Alfresco banner can be removed from the Alfresco Share login page;
• Filter the access to Alfresco resources through a specific network or IP address. Refer to the Architecture section in this document;
• Clean document metadata before distributing documents. Alfresco can do this for you with an easy customization. Tools for metadata cleaning include ExifTool, OOMetaExtractor [8], MS Office 2003 & XP [9] or BatchPurifier. Demo and tools are available on the Alfresco DevCon 2012 site [10];
• Remove the application server and web server versions. For example, the default ErrorReportValve includes the Tomcat version number in the response that is sent to clients. To avoid this, custom error handling can be configured within each web application. Alternatively, you can explicitly configure an ErrorReportValve and set its showServerInfo attribute to false. The version number can also be changed by creating the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with the following content:

server.info=My App Server

[8] http://www.codeplex.org/oometaextractor
[9] http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-42ca-bc7b-5446d34e5360
[10] http://devcon.alfresco.com/speakers/toni-de-la-fuente
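To verify the banner and header hardening above from the defender's side, the following added example (not part of the original guide) parses captured HEAD responses like the two shown earlier and reports version disclosure in the Server header and missing hardening headers; the header list it checks, including Strict-Transport-Security for the HSTS advice later in this guide, is this example's own choice, and the sample responses are constructed from the banner reads above.

```python
"""Audit raw HTTP responses for banner disclosure and missing hardening headers."""
import re

# Hardening headers a public-facing Alfresco/Tomcat endpoint should send.
# Strict-Transport-Security corresponds to the HSTS recommendation in the
# HTTPS section of this guide. (Example's own list, not an Alfresco setting.)
EXPECTED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Strict-Transport-Security",
)

# Matches a "product/version" token such as Apache-Coyote/1.1 in a banner.
VERSION_PATTERN = re.compile(r"[A-Za-z][\w.-]*/\d")


def parse_head_response(raw):
    """Parse a raw HTTP response (status line + headers) into (status, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    lines = raw.strip().splitlines()
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit_response(raw):
    """Return a list of findings (plain strings) for one captured response."""
    _, headers = parse_head_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_PATTERN.search(server):
        findings.append("server banner discloses product/version: " + server)
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append("missing header: " + name)
    return findings


# Constructed sample input, copied from the banner reads shown above.
TOMCAT_ROOT = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close
"""

SHARE_PAGE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close
"""

if __name__ == "__main__":
    for label, raw in (("Tomcat /", TOMCAT_ROOT), ("Share /share/page/", SHARE_PAGE)):
        print(label)
        for finding in audit_response(raw) or ["no findings"]:
            print("  -", finding)
```

Feed it the output of the nc banner reads above (or `curl -sI`) to confirm that server.info and the Share headers are applied after a change.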
Protection

• Implement a password rotation and strength policy [11].
• Implement a login error threshold to prevent brute force or dictionary attacks, and a count of consecutive password failures. This is handled on your LDAP side or third party authentication system, and in most cases can be prevented by configuration. In some well-known LDAP servers there is an attribute called "pwdMaxFailure" to control this behavior.

NOTE: Guard against DoS attacks that work by locking all accounts.
MITM Attacks

Man in the middle attacks can be performed in many different ways depending on the deployment architecture. For instance, consider a four tier architecture with a web server or a load balancer in front of Alfresco, an Index Server and a database server. An MITM attack can be performed between the users and the web server, the web server and Alfresco, Alfresco and the Index Server and finally between Alfresco and the database server. The way to prevent these types of attacks from happening is to use encrypted and authenticated communications.

Protection

• A secure architecture design in layers and with protection;
• Out of the box, Alfresco provides encryption and authentication between the Alfresco repository and the Index Server. Authentication is also provided for the users to connect to the DB, but encryption is not. In this case, it is extremely important to consider enabling encryption at least for the end user communications;
• Check your security certificate strength [12] and tweak your SSL settings until you get an A grade or above.
Protection

• Use traditional firewall techniques to limit the attack surface for potential attackers. Deny traffic to and from the source or the destination of the attack. Manage the list of allowed destination servers and services. Manage the list of allowed sources of traffic, ports, and protocols;
• Use web application firewalls to inspect web packet traffic;
• Use IDS/IPS systems to prevent statistical or behavioral attacks and signature-based algorithms to detect network attacks and Trojans;
• Get control of ICMP and TCP SYN to prevent flooding;
• Consider using vendor solutions like AWS, Akamai, DOS Arrest, Incapsula, etc.

[11] https://howsecureismypassword.net/ and https://secure.packetizer.com/pwgen/
[12] https://www.ssllabs.com/ssldb/analyze.html
Viruses

Since viruses can be found in most kinds of content, an antivirus solution must be deployed throughout all infrastructure tiers, from client desktops to servers. Alfresco is fully compatible with any antivirus software that executes on a server or through the communication layer. This guarantees that no infected content is stored or accessible through the platform.

Protection

There is a third party module available for Alfresco called Alfviral [13]. It can be used inside the repository to trigger an analysis of a given content item. It can also be used to check virus signatures against databases like VirusTotal or ClamAV solutions. The use of Advanced Threat Protection Systems is also recommended.
Vulnerabilities Assessment

Public Vulnerabilities

Related to Alfresco since the first version in 2005:

1. SEC Consult SA-20140716-0 (MNT-11793): Multiple SSRF vulnerabilities. FIXED in all major versions;
2. CVE-2014-2939: Summary: Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to share/page/task-edit. Published: 6/2/2014 3:55:03 PM. CVSS Severity: 4.3 MEDIUM;
3. CVE-2014-0125: Moodle integration using the session key in the file URL, allowing anyone with the link to steal the identity of the user posting content. Summary: repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. Published: 3/24/2014 10:20:39 AM. CVSS Severity: 5.8 MEDIUM;
4. Bugtraq ID 37578: Joomla Module for Alfresco 'id_pan' Parameter SQL Injection Vulnerability, in Joomla, not in Alfresco.

[13] https://github.com/fegorama/alfviral
Other Vulnerabilities

These were discovered through internal periodic auditing or reported by customers, and have been FIXED prior to the publication of this guide. This includes the following Alfresco versions: 3.4.X, 4.0.X, 4.1.X and 4.2.X:

1. CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat DoS;
2. MNT-10540: Share: Remote code execution. The user has to be logged in;
3. MNT-10539: Parsing vulnerability in Xerces (Apache POI and Alfresco code);
4. MNT-11793: Port scanning of internal networks (proxy and cmisbrowser).
Network
In any enterprise architecture we can find different network elements. All of them must be
configured to protect the existing network resources. The following should be considered for
inclusion in the Alfresco security customization of firewalls: IDS, IPS, Antivirus, Web Application
Firewall, and DoS/DDoS protection devices.
OS Security

Use OS vendor specific security recommendations (for all OS supported in Alfresco One 4.2.3):

• Red Hat Linux 6.4 [14]
• Sun Solaris 11.1 [15]
• Ubuntu 12.04 LTS [16]
• Suse 11.3 [17]
• Microsoft Windows Server 2012 [18]
• Microsoft Windows Server 2008 R2 [19]

At the OS level, permissions for access to Alfresco files are the most important control that must be applied, so that the files are only accessible to the user who is running Alfresco. Change file permissions to allow only the application user to read and write these files and/or directories (i.e. on Linux: chmod 0600 <path-to-file>):

• "alfresco-global.properties"
• "dir_root/contentstore"

[14] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
[15] http://docs.oracle.com/cd/E23824_01/html/819-3195/index.html
[16] https://help.ubuntu.com/12.04/serverguide/security.html
[17] https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html
[18] http://technet.microsoft.com/en-us/library/jj898542.aspx
[19] http://technet.microsoft.com/en-us/library/gg236605.aspx
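The file permission advice above can be turned into a repeatable check; the following added example (not from the guide) flags a path that is owned by a uid other than the Alfresco service account or that has any group/other permission bit set. It accepts 0700 on directories such as dir_root/contentstore, since a directory needs the owner execute bit to be traversable; the self-test creates its own throwaway files instead of touching a real installation.

```python
"""Check that Alfresco's sensitive paths are private to the service account."""
import os
import stat
import tempfile


def audit_path(path, expected_uid):
    """Return a list of findings for one path (an empty list means OK)."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append("%s: owned by uid %d, expected %d" % (path, st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    # Any group or other bit means a user besides the service account can reach it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: group/other permissions set (mode %o)" % (path, mode))
    # Properties files and content blobs never need the execute bit.
    if stat.S_ISREG(st.st_mode) and mode & stat.S_IXUSR:
        findings.append("%s: regular file is executable (mode %o)" % (path, mode))
    return findings


def audit_tree(root, expected_uid):
    """Audit root and, if it is a directory, everything beneath it."""
    findings = audit_path(root, expected_uid)
    if os.path.isdir(root):
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                findings.extend(audit_path(os.path.join(dirpath, name), expected_uid))
    return findings


def self_test():
    """Build a constructed layout mimicking alfresco-global.properties and contentstore.

    Returns (findings before hardening, findings after hardening).
    """
    base = tempfile.mkdtemp()
    props = os.path.join(base, "alfresco-global.properties")
    store = os.path.join(base, "contentstore")
    os.mkdir(store)
    with open(props, "w") as fh:
        fh.write("db.password=CHANGEME\n")  # constructed sample content
    os.chmod(props, 0o644)  # too permissive: world-readable credentials
    os.chmod(store, 0o700)  # correct for a directory
    me = os.getuid()
    before = audit_path(props, me)
    os.chmod(props, 0o600)  # the chmod 0600 from the guide
    after = audit_tree(base, me)
    return before, after


if __name__ == "__main__":
    before, after = self_test()
    print("before hardening:", before)
    print("after hardening:", after)
```

Run audit_tree on dir_root and the directory holding alfresco-global.properties with the uid of the user that starts Tomcat; any output is something to fix.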
Inbound Ports

The ports listed below can be considered for both server and network firewalls.
Outbound ports

It is just as important to control all outbound traffic as it is to control inbound traffic. This will prevent some intrusions by not allowing access to backdoors or malicious remote sites. Here is a list of all outbound traffic you may consider opening, depending on your security policy and Alfresco deployment:

139,145 TCP

Service                         Port                   Protocol  Direction  Required  Notes
Amazon S3                       443                    TCP       OUT        No        In case Alfresco is deployed in AWS and Amazon S3 is used as the content store
Alfresco Transformation Server  80,443 or 8080,8443    TCP       OUT        No        In case a remote Alfresco Transformation Server is used
Alfresco FSTR                   8080                   TCP       OUT        No        In case of using a remote Alfresco File System Transfer Receiver
Alfresco Remote Server          8080 or 8443           TCP       OUT        No        In case of using Alfresco Replication Service between Alfresco servers
Port Redirect

When Alfresco is not running as root, a local port redirect must be performed in order to forward all incoming traffic from the standard port to the non-standard port, which must be above 1024. Here is an example of a local port redirect for iptables, with the FTP port configured in Alfresco to listen on port 2121 TCP:

# Redirect incoming FTP control connections from the privileged port 21 to port 2121, where the unprivileged Alfresco process listens
iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
# Accept the redirected connections on port 2121 (after REDIRECT the packets arrive at INPUT with the new destination port)
iptables -A INPUT -i eth0 -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT
HTTP - HTTPS

There are different methods to implement SSL for the HTTP access to the Alfresco Repository (WebDAV, API and Admin Panel) and Alfresco Share. In most cases all methods are valid for both Alfresco repository and Share web access. We may classify three different methods depending on the Alfresco workload. All of the methods may work for any sizing depending on the system tuning; this is just a best practice for where to locate the SSL endpoint to avoid SSL CPU consumption that may affect Alfresco performance.

1. Low or reduced load, 10-100 concurrent sessions:
   a. Application server enabled SSL: depending on the application server vendor, this can be configured in different ways and it is extensively documented. Here is a list of resources to enable SSL in all our supported application servers:
      i. Apache Tomcat [20]
      ii. JBoss [21]
      iii. WebLogic [22]
      iv. WebSphere [23]
2. Medium load, 100-500 concurrent sessions:
   a. Apache, IIS or Nginx enabled SSL in a frontend-dedicated server.
3. High load, +500 concurrent sessions:
   a. SSL dedicated hardware appliance or other third party solutions.

Additionally, if Alfresco Share is in a separate layer from the Alfresco Repository, you may want to encrypt any traffic in between both of them. Once HTTPS is enabled in both application servers, just change the Alfresco Share configuration URLs used to connect to the Alfresco Repository in ${extensionRoot}/alfresco/web-extension/share-config-custom.xml and adapt all <endpoint-url> values to your repository HTTPS URL.

NOTE: in any case, always enable HSTS (HTTP Strict Transport Security) to guarantee that HTTPS is always used.

SharePoint Protocol

There are two ways to approach getting the Alfresco SharePoint Protocol to run over SSL and avoid having to modify the Windows registry [24] to allow non-SSL connections from MS Office (in both Windows and Mac).

• One way is to use the out of the box SSL certificate that Alfresco uses for communications between itself and Solr, which is not recommended for production systems;

[20] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
[21] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Implement_SSL_Encryption_for_the_JBoss_Enterprise_Application_Platform_Web_Server1.html
[22] http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm
[23] http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html
[24] http://support.microsoft.com/kb/2123563
• The other is to generate a new certificate [25] and configure Alfresco to use it. If you want to use a custom certificate, this is the option to use. The next steps were tested on Alfresco 4.2 and should work in 4.2 as well for both Enterprise and Community.

There are instructions on how to enable SSL in the Alfresco SharePoint interface on the official documentation portal [26].

IMAP - IMAPS

To enable SSL for the IMAP protocol implemented by Alfresco to access the repository from an email client, follow the official documentation instructions [27] or configure the IMAP subsystem in the Enterprise Admin Panel.

[25] http://docs.alfresco.com/4.2/tasks/SharePoint-HTTPS-setup.html
[26] http://docs.alfresco.com/4.2/tasks/SharePoint-SSL.html
[27] http://docs.alfresco.com/4.2/concepts/IMAP-subsystem-props.html
FTP - FTPS

The FTP interface implemented by Alfresco can also be configured in secure mode to encrypt the communication between client and server. It has to be configured in the alfresco-global.properties file by following the instructions in the official documentation [31].

Hazelcast

SSL is not usually required here, but message communication between cluster nodes may be encrypted [32].

[31] http://docs.alfresco.com/4.2/concepts/fileserv-ftp-props.html
[32] http://hazelcast.org/docs/latest/manual/html/ssl.html#encryption
Each role is associated with permissions. Permissions apply to dashboards [33] and to content [34]. By default, a node in the repository inherits the permissions applied to its parent, unless inheritance is deactivated.

Custom Roles

Creating a new role may be a common task when we are working with custom Alfresco deployments. The process is easy; you just need to follow some steps [35]. Just bear in mind that the most important file, where the default roles are defined, is located in:

TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml

Audit

The Audit Service provides a configurable record of actions and events. It collects information and stores it in a simple database form. The Audit Service includes the ability to audit system and user events, metadata changes and data stored in the Alfresco database.

In order to have the Audit feature enabled in Alfresco you need to add the following values to the alfresco-global.properties [36] file:

audit.enabled=true
audit.sync.enabled=true
audit.tagging.enabled=true
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true

NOTE: If Alfresco Cloud Sync is used, audit.enabled and audit.sync.enabled must be true.

Any information related to auditing is kept in the Alfresco database and has to be queried through the API. To check if the Audit feature is enabled in Alfresco and what is being audited:

# curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control
{
  "enabled" : true,
  "applications":
  [
    {
      "name": "Alfresco Sync Service",
      "path" : "/sync",
      "enabled" : true
    }
    ,
    {
      "name": "Alfresco Tagging Service",
      "path" : "/tagging",
      "enabled" : true
    }
    ,
    {
      "name": "RM",
      "path" : "/RM",
      "enabled" : true
    }
  ]
}

[33] http://docs.alfresco.com/4.2/references/permissions_share_other.html
[34] http://docs.alfresco.com/4.2/references/permissions_share_components.html
[35] https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
[36] http://docs.alfresco.com/4.2/tasks/audit-enable.html
Audit authentication has to be enabled by renaming the file ${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml.sample to ${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml, then restart and test the last authentications to Alfresco with a command like the one below:

# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1"

or, to see how many failed authentications were performed by the admin user:

# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1?verbose=true&user=admin"

More queries and information about auditing Alfresco can be found in the official documentation [37].

[37] http://docs.alfresco.com/4.2/concepts/audit-intro.html
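The verbose query above returns one entry per audited login, which is the raw material for the failed-login threshold recommended in the brute force section; the following added example (not from the guide or from Alfresco) counts failures per user from such a payload and lists the accounts over a threshold. The response shape (a top-level "entries" list whose items carry "user", "time" and a "values" map keyed by audit path) and the value paths /AuditExampleLogin1/login/error/user and /AuditExampleLogin1/login/no-error/user are assumptions modelled on the example-login audit application; compare them with your own verbose=true output before relying on them, and the sample payload is constructed.

```python
"""Count failed logins per user from an Alfresco audit query response."""
import json
from collections import Counter

# Assumed value paths recorded by the AuditExampleLogin1 application.
FAILED_USER_KEY = "/AuditExampleLogin1/login/error/user"
OK_USER_KEY = "/AuditExampleLogin1/login/no-error/user"


def _entries(audit_json):
    """Accept either the raw JSON text from curl or an already-parsed dict."""
    data = json.loads(audit_json) if isinstance(audit_json, str) else audit_json
    return data.get("entries", [])


def failed_logins_by_user(audit_json):
    """Return a Counter {username: failed attempts} from an audit query payload."""
    failures = Counter()
    for entry in _entries(audit_json):
        values = entry.get("values") or {}
        if FAILED_USER_KEY in values:
            failures[values[FAILED_USER_KEY]] += 1
    return failures


def successful_logins_by_user(audit_json):
    """Return a Counter {username: successful logins}, useful for context."""
    ok = Counter()
    for entry in _entries(audit_json):
        values = entry.get("values") or {}
        if OK_USER_KEY in values:
            ok[values[OK_USER_KEY]] += 1
    return ok


def users_over_threshold(audit_json, max_failures):
    """Sorted usernames whose failed-login count exceeds max_failures."""
    counts = failed_logins_by_user(audit_json)
    return sorted(user for user, n in counts.items() if n > max_failures)


# Constructed sample: six audit entries in the assumed verbose query shape.
SAMPLE_AUDIT = json.dumps({
    "count": 6,
    "entries": [
        {"id": 101, "application": "AuditExampleLogin1", "user": None,
         "time": "2014-09-12T22:00:01.000Z", "values": {FAILED_USER_KEY: "admin"}},
        {"id": 102, "application": "AuditExampleLogin1", "user": None,
         "time": "2014-09-12T22:00:04.000Z", "values": {FAILED_USER_KEY: "admin"}},
        {"id": 103, "application": "AuditExampleLogin1", "user": "alice",
         "time": "2014-09-12T22:01:10.000Z", "values": {OK_USER_KEY: "alice"}},
        {"id": 104, "application": "AuditExampleLogin1", "user": None,
         "time": "2014-09-12T22:02:00.000Z", "values": {FAILED_USER_KEY: "admin"}},
        {"id": 105, "application": "AuditExampleLogin1", "user": None,
         "time": "2014-09-12T22:02:30.000Z", "values": {FAILED_USER_KEY: "bob"}},
        {"id": 106, "application": "AuditExampleLogin1", "user": "admin",
         "time": "2014-09-12T22:05:00.000Z", "values": {OK_USER_KEY: "admin"}},
    ],
})

if __name__ == "__main__":
    print("failed logins:", dict(failed_logins_by_user(SAMPLE_AUDIT)))
    print("over threshold (>2):", users_over_threshold(SAMPLE_AUDIT, 2))
```

Pipe the curl output of the verbose query into this script on a schedule and alert on users_over_threshold; the same counts are what an LDAP pwdMaxFailure setting enforces at the directory side.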
Node Creation

When a node is created, regardless of how it is uploaded or created (via the API, web UI, FTP, CIFS, etc.), Alfresco will do the following:

1. Metadata properties are stored in the database in the logical store workspace://SpacesStore (alf_node, alf_content_url, among others).
2. The file itself is stored and renamed as .bin under alf_data/contentstore/YYYY/MM/DD/hh/mm/url-id-of-the-file.bin
3. Next, depending on the indexing you choose, its index entries are created within Lucene (alf_data/lucene-indexes/workspace/SpacesStore) or Solr (alf_data/solr/workspace/SpacesStore).
4. Finally, in most cases, a content thumbnail is created as a child of the file created.

Node Deletion

There are two phases to node deletion:
2. The
actual
content
“.bin”
file
remains
in
the
same
location
inside
the
contentstore
directory.
3. Finally,
the
indexes
are
moved
from
the
existing
location
to
the
corresponding
archive
(alf_data/lucene-‐indexes/archive/SpacesStore)
or
Solr
(alf_data/solr/archive/SpacesStore)
depending
on
your
index
engine
selection.
NOTE:
A
deleted
node
stays
in
the
trashcan
FOREVER,
unless
the
user
or
admin
either
empties
the
trashcan
or
recovers
the
file.
This
default
behavior
can
be
changed
by
using
third
party
modules
that
empty
the
trashcan
automatically
on
a
custom
schedule.
See
below
for
more
information
on
these
modules.
The
trashcan
may
be
found
at
these
locations:
Alfresco
Share:
User
-‐>
My
Profile
-‐>
Trashcan
(admin
user
will
see
all
users
deleted
files,
since
4.2
all
users
can
also
see
and
restore
their
own
deleted
files).
Alfresco
Explorer:
User
Profile
-‐>
Manage
Deleted
Items
(for
all
users).
Phase 2: Any user or admin (or trashcan cleaner) empties the trashcan:
1. That means the content is marked as an “orphan” and, after a pre-determined amount of time elapses, the orphaned content item is moved from the alf_data/contentstore directory to the alf_data/contentstore.deleted directory.
2. Internally, at the DB level, a timestamp (UNIX format) is added to the alf_content_url.orphan_time field, where an internal process called contentStoreCleanerJobDetail will check how long the content has been orphaned. If it is more than 14 days old (the system.content.orphanProtectDays option), the .bin file is moved to contentstore.deleted.
3. Finally, another process will purge all of its references in the database by running nodeServiceCleanupJobDetail, and once the index knows the node has been removed, the indexes will be purged as well.
NOTE: Alfresco will never delete content in the alf_data/contentstore.deleted folder. It has to be deleted manually or by a scheduled job configured by the system administrator.
By default, the contentStoreCleanerJobDetail runs every day at 4AM, checking the age of each orphan node. If it exceeds system.content.orphanProtectDays (14 days), it is moved to contentstore.deleted. Additionally, the nodeServiceCleanupJobDetail runs every day at 9PM and purges information related to nodes that were deleted from the database.
Now that we understand how Alfresco works by default, let's learn how to modify Alfresco's behavior in order to clean the trashcan automatically.
There are several third party modules that can be used to achieve this, but I recommend the Alfresco Trashcan Cleaner[42] by Alfresco's very own Rui Fernandes. Once the amp is installed, you can use this sample configuration by copying it to the alfresco-global.properties file:
trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=7
trashcan.deleteBatchCount=1000
The options above configure the cleaner to run every hour on the half hour; it will remove content from the trashcan and mark it as an orphan if it has been in the trashcan for more than 7 days. It will do this in batches of 1000 deletions every time it runs. To delete from the trashcan without waiting for any grace period, set the trashcan.daysToKeep property value to -1.
[42] https://code.google.com/p/alfresco-trashcan-cleaner/
[43] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/
to be a regular delete operation. This is rarely used and only done by RM admins when there is some justifiable reason, such as correcting a mistake that requires a record to be removed. The only difference is that the deleted record bypasses the archive store, hence it never goes to the trashcan, and it is marked as an orphan once it is deleted. Then it will be moved to contentstore.deleted after orphanProtectDays, or it is truly deleted if eagerOrphanCleanup is set to true.
Destruction of a record works in the same way that a record is removed. This will bypass the archive and immediately trigger the clean-up (eagerOrphanCleanup) process, so the content does not stay in the file system contentstore or contentstore.deleted. As far as the meta-data goes, there are two options: the first is that all the meta-data (and hence the node itself) is completely deleted. The alternate method cleans out all the content but the node remains with only the meta-data (called ghosting). In Alfresco RM versions prior to 2.2, this was a global configuration value (rm.ghosting.enabled=true). In 2.2 it can be defined on the destroy step of the disposition schedule: “Maintain record metadata after destroy”.
Wipe Content
As we have seen, Alfresco offers different ways to delete content. It is important to remember that even if Alfresco completely deletes content, such as when using the destroy option in RM or eagerOrphanCleanup, Alfresco will not wipe the removed content from the physical storage. It therefore can be recovered by file system recovery tools. Wiping a deleted content item may vary depending on multiple factors, from file system type to hardware configuration, etc. If you want to guarantee a real physical wipe of a file in your file system, third party software must be used to “zero out” the corresponding disk sectors. The specific tools depend on the operating system type, hardware, etc.
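As an added example (not code from the guide), the following POSIX shell script zero-fills and then removes .bin files that have sat in contentstore.deleted longer than a chosen number of days, which Alfresco itself never cleans up. The directory path, the age threshold and the use of dd for the in-place overwrite are assumptions; on copy-on-write file systems or SSDs an in-place overwrite does not guarantee that the original sectors are cleared, so treat it as one layer alongside full-disk encryption or device-level sanitisation.

```shell
#!/bin/sh
# Added example, not part of the Alfresco guide: zero-fill and remove orphaned
# .bin files that Alfresco has moved to contentstore.deleted (a directory it
# never cleans itself). Directory and age threshold are caller-supplied.

# Overwrite one file in place with zeros. conv=notrunc keeps the existing
# allocation so the same blocks are rewritten where the file system allows;
# copy-on-write file systems and SSD wear levelling can defeat this.
zero_fill() {
    size=$(wc -c < "$1") || return 1
    blocks=$(( (size + 4095) / 4096 ))
    dd if=/dev/zero of="$1" bs=4096 count="$blocks" conv=notrunc 2>/dev/null || return 1
    sync
}

# wipe_deleted_contentstore DIR DAYS
# Zero-fills and deletes every *.bin under DIR last modified more than DAYS
# days ago (find -mtime +N), then prints how many files were wiped.
# Files that cannot be overwritten are reported and left in place.
wipe_deleted_contentstore() {
    dir=$1
    days=$2
    wiped=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    list=$(mktemp) || return 2
    find "$dir" -type f -name '*.bin' -mtime +"$days" > "$list"
    while IFS= read -r f; do
        if zero_fill "$f" && rm -f "$f"; then
            wiped=$((wiped + 1))
        else
            echo "could not wipe: $f" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "$wiped"
}
```

Run it from a scheduled job as the Alfresco service user, for example `wipe_deleted_contentstore /opt/alfresco/alf_data/contentstore.deleted 30` (path constructed for illustration).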
You can configure CSRFPolicy in Alfresco Share to prevent CSRF attacks that allow malicious requests to be unknowingly loaded by a user. You can configure the CSRF filter to run with third party plugins and to stop specific repository services from being accessible directly through the Share proxy. See the official documentation to apply the prevention procedure[44].
[44] http://docs.alfresco.com/4.2/concepts/csfr-policy.html
[45] http://docs.alfresco.com/4.2/concepts/security-policy.html
[46] http://docs.alfresco.com/4.2/concepts/iframe-policy.html
Since Alfresco 3.4.9, 4.0.2 and newer, it is possible to fully configure the black/white list of HTML tags and attributes that the HTML stripping process will use. The default black/white list is available in {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/slingshot-application-context.xml. It can be overridden with a file called custom-slingshot-application-context.xml, which is generally found in {TOMCAT_HOME}/shared/classes/alfresco/web-extension. More information is available in the Alfresco corporate blog[47].
to:
<action type="action-link" id="onActionDelete" permission="admin"
label="actions.document.delete" />
Additionally, you may use the tables below as a reference when there is a requirement to customize document actions per site role. For example, add, remove, or hide the visibility of certain document action(s) for certain site role(s) in permission="<symbol>".
Site role-based Visibility
[47] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[48] https://forums.alfresco.com/forum/end-user-discussions/alfresco-share/disable-create-site-link-42-community-01102013-1306
# Admin/Site Manager
* Collaborator
% Contributor/Consumer
<actionSet id="document">: Default OOTB permission level for Document Action components. Information is extracted from Enterprise 3.4.6, File: {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml:
Action Name | Action id | Permission | Corresponding label name | Visible to
Frontends
In this section we will see a tip about how to protect some resources in Alfresco using a custom frontend server like Apache, Nginx or HAProxy. Good practice is to always front Share and Alfresco with a web server (Apache/Nginx/HAProxy), and to run the application server so that it can only be accessed by the web server. If this is all on one node, then have the application server listen only on localhost and the web server forward to localhost. If this is a multi-tiered environment, then only allow access to the Share and Alfresco tier from the web node tier via iptables.
In order to force all Alfresco cookies to be marked Secure (not only HttpOnly), use a web server to rewrite the cookies. Example of HAProxy configuration to do it:
# Set all cookies to be Secure.
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if !secured_cookie
<Location /share/service/*>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>
<Location /alfresco/proxy>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>
<Location /alfresco/cmisbrowser>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>
Nginx:
location ~ ^/(alfresco|share)/service/ {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}
location ~ ^/alfresco/proxy {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}
location ~ ^/alfresco/cmisbrowser {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}
Single tier
Alfresco installed all in one server, using an external database and external storage for the content store; always use dedicated network interfaces, i.e. 3 NICs for service, backend, and administration and backup:
Two tiers
Three tiers
Another real world diagram with details:
AWS deployments
Example of a multi tier deployment and different layers of security:
Mobile Security
File Protection
Encrypts files stored on the device when it is locked. Has to be enabled in the mobile application settings. It is only available in Alfresco Mobile if it is connected to an Alfresco One server or Alfresco in the Cloud.
HTTPS
Enable the HTTPS connection if available on the server side. Alfresco in the Cloud has HTTPS support by default.
Certificate Authentication
Enabling certificate authentication from the mobile client side is available.
MDM
At the moment this guide is written, there is one solution to implement MDM with Alfresco:
MobileIron (Android)
Alfresco and MobileIron provide an end to end secure solution to access critical content stored on premise, in the cloud or both, as well as to run key workflows to make things happen on the go. Alfresco is an enterprise grade solution that can reliably mobilize hundreds to millions of documents. Alfresco is open, so you can retain control, and customizable, so you can build the solutions you need.
• Secure access to the Alfresco One repository based on existing user privileges
• Full access to the repository structure including collaboration sites
• Activity feed
Additional information
For enterprise Android users, Alfresco Mobile 1.4 is available in the Samsung KNOX store. Working with other MDM vendors like Symantec Sealed (Android) and Citrix Worx.
DOD5015.2
Alfresco Records Management is certified to the DoD 5015.02 baseline standard. The Alfresco RM solution has been implemented on top of a flexible records management metadata model, allowing other standards (such as MoReq2010, NOARK, etc.) to be supported.[52] From the security standpoint, Alfresco RM has additional security features like:
• Specific roles related to RM tasks
• Web based role manager to view, modify or delete existing roles and create new ones
• Web based audit tool to make reports about any action on any record, folder or category in the File Plan
• Users, groups and roles reports
• Different behavior for record deletion and record destroy than deletion in DM. See the section about deletion in this document.
OWASP
In Alfresco we use the OWASP guides extensively in development and have a tool which scans all code nightly and ensures compliance with the OWASP top ten. Here is a list of comments about the OWASP top 10[53]:
1. A1 - Injection: Alfresco uses prepared non-dynamic statements and variable binding using the ORM framework 'myBatis', which prevents SQL injection. Alfresco Share uses a white-list to strip potential danger from submitted content with mime-types of Javascript or HTML. Note: For HTML content submission, unsafe content is stripped on display, not storage. Summary: OOTB Alfresco is secured against injection attacks.
2. A2 - Broken Authentication and Session Management: This is normally an issue in home-grown authentication frameworks, but all Alfresco custom development and configuration passes through its own authentication framework, which is based on the Spring Security (Acegi) framework. Summary: OOTB Alfresco has a robust authentication and session management subsystem; however, there may be weaknesses if the following processes are not followed: 1) Only use SSL encryption for all access; 2) Integrate with LDAP membership services (or, if using Alfresco native user management, enable an additional Alfresco customisation for password-expiry and complexity requirements); 3) Potentially permanently disable 'invite external user' capabilities.
[51] http://www.alfresco.com/products/cloud/security-data-privacy
[52] http://blogs.alfresco.com/wp/understanding-the-facts-dod-5015-certification
[53] https://www.owasp.org/index.php/Top_10_2013-Top_10
3. A3 - Cross-Site Scripting (XSS): See 'Configuring the Share HTML processing black/white list'[54]. Summary: OOTB Alfresco is secured against XSS attacks. Pre go-live checks must ensure that configuration changes have not disabled this security feature. Check the vulnerability list in this document and new XSS threats.
4. A4 - Insecure Direct Object References: Content-object access is only allowed through the Alfresco API, which ACL-checks all content-based requests against the current authenticated session user. Summary: OOTB Alfresco is secured against direct access and the manipulation of references.
5. A5 - Security Misconfiguration: Default passwords are stored for JMX, and installation passwords are stored as well. Summary: OOTB Alfresco does not encrypt the initial admin password, the JMX read and write passwords or the DB connection password. In case of using the Alfresco internal DB for users, their passwords are stored in MD4.
6. A6 - Sensitive Data Exposure: We do not typically store user-sensitive information in Alfresco. Summary: OOTB Alfresco is secure from exposure of sensitive data. This assumes correct ACL/permission application and that the server has not been compromised, allowing direct access to the underlying file system.
7. A7 - Missing Function Level Access Control: Alfresco enforces 'roles' and group membership to define the function access that a user may have. Summary: OOTB Alfresco is secured against missing function level access control. Security ACL checks against role and group occur on the server, not just to hide or expose UI elements.
8. A8 - Cross-Site Request Forgery (CSRF): See 'Introducing the CSRFPolicy in Alfresco Share'[55]. OOTB Alfresco is secured against CSRF attacks. Pre go-live checks must ensure that configuration changes have not disabled this security feature.
9. A9 - Using Components with Known Vulnerabilities: According to the Alfresco public JIRA, there are no known exploitable components used by Alfresco. An audit of every third party component should be done to confirm this. Alfresco recommends the latest security-patched version of Alfresco and its supported components, as well as of the OS, Java, Application Server and DB server. Summary: OOTB Alfresco is secure, at the time of writing. Best practice should include the patching of dependent components with the latest security patches as they become available. Typical components to consider for an ongoing patch policy: Operating System RHEL/CentOS/Win2008R2; Database MySQL/Oracle/MSSQL; Java updates; third-party out-of-process command-line tools (anything outside the JVM sandbox such as Open Office / ImageMagick, etc.).
[54] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[55] http://blogs.alfresco.com/wp/ewinlof/2013/03/11/introducing-the-new-csrf-filter-in-alfresco-share/
10. A10 - Unvalidated Redirects and Forwards: Alfresco allows the display of user-defined hyperlinks, potentially to external websites, but these are not forwards or redirects. Alfresco Share does allow the arbitrary embedding of IFrames within the UI, either through the 'web view' dashlet or within custom developed code, and this does need protection. This risk is mitigated with the introduction of the 'IFramePolicy'. See 'Introducing the IFramePolicy in Alfresco Share'[56]. The default configuration allows any page to be iframed. Summary: OOTB Alfresco is not secure against non-validated redirection. However, a simple configuration change enforces the security.
The Alfresco software engineers take care of the OWASP security standard by using a software plugin[57] that defines a list of vulnerabilities that can occur in any software project. It provides rules engines to find violations that can be matched with a lot of OWASP vulnerabilities, allowing us to know the security level reached.
HIPAA
The US Government “Health Insurance Portability and Accountability Act” can be applied or adopted by Alfresco taking into account the considerations below:
• Audit everything (who accessed, when accessed and what). Alfresco does it and stores all in the DB.
• Encrypt PHI. It is not a requirement, but it avoids having to report in case of information loss (a backup tape, for example). Alfresco does it with encrypted metadata by using the property called “d:encrypted” in the data model, and by encrypting the backup as well.
• Encrypt Content (encryption at rest); as a normal recommendation the backup should be encrypted.
• For the index, a best practice is to encrypt the backup or not back it up at all, to avoid losing a backup tape and having to report it. Indexes can be rebuilt in case of need.
• Disable the Quick Share feature in Share.
• Enable HTTPS.
• Optionally: retention policies (they may vary depending on the US State), which can be implemented with Alfresco RM.
[56] http://blogs.alfresco.com/wp/ewinlof/2013/03/12/introducing-the-iframepolicy-in-alfresco-share/
[57] http://www.excentia.es/plugins/owasp/caracteristicas_en.html
FISMA
FISMA compliance is a mandate against the operating environment where Alfresco may be deployed. The application is not subject to any specific certification, but may be monitored as part of a FISMA security plan.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a unified, government-wide risk management program focused on large outsourced and multi-agency systems. FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security and monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. Alfresco's traditional products (Alfresco One, Activiti, etc.) are not directly subject to FedRAMP authorization; rather, the customer is responsible for validating that their Alfresco deployment specifically complies with the different FedRAMP requirements. This applies to both on-prem and cloud-hosted deployments. At the moment, Alfresco has not made any specific commitment to obtain FedRAMP authorization for Alfresco in the Cloud or any future SaaS products.
ISO 27001
ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it describes how to manage information security in a company. The Alfresco application is not subject to this certification, but it may be used as the main repository for document centralization and management for creation, review and approval, distribution, categorization, usage and updates of the documents and records.
task. Integration with enterprise database systems allows DBAs to enable encrypted writes directly into database tables without modifying Alfresco in any way.
• Alfresco's Records Management Module allows for compliance management for data retention, such as retention and disposition schedules, auditing of access to records, destruction and data deletion, as well as event triggers, eDiscovery and so forth.
• Alfresco can be configured to use strong SSL encryption for https connections, allowing for encryption of data in flight once authorized access to that data has been approved via Alfresco's Authentication, Authorization and Permissions Management subsystems.
• Alfresco stores files as their native data streams and metadata in the database. This can be integrated with standard corporate Antivirus applications to ensure compliance.
• As has already been said in this guide, Alfresco takes security very seriously and has a rigorous vulnerability detection program, working with third party security organizations to perform penetration testing. Alfresco has a process in place to then quickly patch, test, release and inform Alfresco One customers of any breaches.
• Alfresco provides a complete authentication and authorization subsystem along with a granular permissions management system that can be integrated with corporate directory services to enable secure user access only to data they have been authorized to see. Management can be performed at the individual user level or by group membership; this allows an organization to easily develop role-based access to data and content.
• All users have a unique ID, whether that is granted by the corporate directory service or internally for users that are not part of the directory structure. Alfresco has a complete auditing subsystem that can be incorporated into enterprise reporting applications.
• Alfresco provides a complete auditing subsystem that tracks reads and writes to all content and metadata within the repository. This auditing mechanism can be integrated with enterprise reporting tools, or custom interfaces (e.g. web) and delivery methods (email, RSS feeds, etc.) can be built and maintained.
o Mockito http://www.opensource.org/licenses/mit-license.php
• Apache2
o acegi commons http://sourceforge.net/projects/acegisecurity/
o SLF4J http://www.slf4j.org/license.html
o Mootools http://docs.mootools.net/
o dbcp http://jakarta.apache.org/commons/
• MPL
o Apache CXF http://cxf.apache.org/
o rhino-js http://www.mozilla.org/rhino/
o Greenmail http://www.icegreen.com/greenmail/readme.html
o juniversalcharsetdet http://juniversalchardet.googlecode.com/
• ODMG License http://www.odbms.org/ODMG/OG/wrayjohnson.aspx
o jslideshare http://code.google.com/p/jslideshare/
o pdfbox http://pdfbox.apache.org/
o odmg http://www.odmg.org/wrayjohnson.htm
o POI http://poi.apache.org/legal.html
• Oracle Binary Code License Agreement
o mybatis http://code.google.com/p/mybatis/
o activation http://www.oracle.com/technetwork/java/jaf11-139815.html
o quartz http://quartz-scheduler.org/
o Apache Tika http://lucene.apache.org/tika/license.html
o Oracle JDK http://www.oracle.com/technetwork/java/javase/terms/license/index.html
o TrueLicense https://truelicense.dev.java.net/
o wss4j http://ws.apache.org/wss4j/
o Spring Surf http://www.springsource.com/download/community
• Public Domain License
o AOP Alliance http://aopalliance.sourceforge.net/
o hrtlib http://www.javaworld.com/javaqa/2003-01/01-qa-0110-timing.html
• Artistic (BSD style)
o chiba http://sourceforge.net/projects/chiba
o XZ http://tukaani.org/xz/java.html
• BSD
• Sun Public License
o FreeMarker http://freemarker.sourceforge.net/
o BSH http://www.beanshell.org/
o YUI http://developer.yahoo.com/yui/
• XAM
o jibx http://jibx.sourceforge.net/jibx-license.html
o XAM Connector http://www.emc.com/products/detail/software/centera-sdk-xam.htm
• LGPL 3.0
o JODConverter http://jodconverter.sourceforge.net/
• LGPL 2.1
o hibernate http://www.hibernate.org/
o PDF Renderer http://java.net/projects/pdf-renderer
Alfresco has modified the source code of the following third party libraries. Below is the list of modified modules and corresponding licenses. The svn diff files with the details of the changes can be found in the following location: root/projects/3rd-party/src.
• MPL
o rhino-js http://www.mozilla.org/rhino/