Guide
Alfresco Security Best Practices
Copyright 2014 by Alfresco and others. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Alfresco. The trademarks, service marks, logos, or other intellectual property rights of Alfresco and others used in this documentation ("Trademarks") are the property of Alfresco and their respective owners. The furnishing of this document does not give you license to these patents, trademarks, copyrights, or other intellectual property except as expressly provided in any written agreement from Alfresco. The United States export control laws and regulations, including the Export Administration Regulations of the U.S. Department of Commerce, and other applicable laws and regulations apply to this documentation which prohibit the export or re-export of content, products, services, and technology to certain countries and persons. You agree to comply with all export laws, regulations, and restrictions of the United States and any foreign agency or authority and assume sole responsibility for any such unauthorized exportation. You may not use this documentation if you are a competitor of Alfresco, except with Alfresco's prior written consent. In addition, you may not use the documentation for purposes of evaluating its functionality or for any other competitive purposes. This copyright applies to the current version of the licensed program.
Document History

VERSION  DATE        AUTHOR             DESCRIPTION OF CHANGE
0.1      23-Jul-14   Toni de la Fuente  Initial version
0.2      16-Sept-14  Toni de la Fuente  Version to review
0.3      18-Sept-14  Toni de la Fuente  Added Steve Rigby and Pete Philips suggestions
0.4      23-Sept-14  Toni de la Fuente  Added architecture info and made corrections. Sent to grammar review.
0.5      2-Oct-14    Toni de la Fuente  Added Martin Kappel corrections
0.6      2-Oct-14    Toni de la Fuente  Made Kimberly Watson grammar and style corrections
1.0      2-Oct-14    Toni de la Fuente  Version to release
Table of contents

INTRODUCTION
  AUDIENCE
  RELATED PUBLICATIONS
  HOW TO READ THIS GUIDE
  DISCLAIMER AND SCOPE
  ALFRESCO SECURITY POLICY
    Release of Security Notifications
    Severity Levels
    Reporting a Security Issue to Alfresco
  COMPONENTS TO CONSIDER

THE EXTERNAL AND INTERNAL PERSPECTIVE
  EXTERNAL THREATS
    Discovery, Information Gathering and Information Leaks
    Brute Force Username and Passwords Attacks
    MITM Attacks
    DOS and DDOS
    Viruses
  VULNERABILITIES ASSESSMENT
    Public Vulnerabilities
    Other Vulnerabilities

HARDENING THE NETWORK AND OPERATING SYSTEM
  NETWORK
  OS SECURITY
  CONFIGURING YOUR FIREWALL
    Inbound Ports
    Outbound ports
    Port Redirect
  DETERMINING MINIMUM PRIVILEGES

ALFRESCO IMPLEMENTATION BEST PRACTICES
  STAY CURRENT
  DO NOT RUN THE APPLICATION SERVER AS ROOT
  REPOSITORY LEVEL SECURITY
    Enable SSL
    Understanding Roles and Permissions
    Custom Roles
    Audit
    Reset Admin Password
    Ticket Session Duration Control
    Disable Unneeded Services
    Disable Guest User
    Review Server Logs Periodically
    Change JMX Default Credentials
    Get Control of Deleted Content
    Node Creation
    Node Deletion
    Questions and Answers About Content Deletion
    Wipe Content
  SHARE LEVEL SECURITY
    Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
    Security Filters and Clickjacking Mitigation in Alfresco Share
    Iframes and Phishing Attack Mitigation in Alfresco Share
    Share HTML Processing Black/White List
    Site Creation Control
    Filter Document Actions by User or Role
    Filter workflow by role/group
    Change default Share session timeout

ARCHITECTURE DEPLOYMENT BEST PRACTICES
  Frontends
  Single tier
  Two tiers
  Three tiers
  AWS deployments
  BACKUP AND DISASTER RECOVERY

MOBILE SECURITY
  FILE PROTECTION
  HTTPS
  CERTIFICATE AUTHENTICATION
  MDM
    Alfresco for Good (iOS)
    MobileIron (Android)
    Additional information

SECURITY COMPLIANCE AND STANDARDS
  DOD5015.2
  OWASP
  HIPAA
  FISMA
  FEDRAMP
  ISO 27001
  PCI DATA SECURITY STANDARD

APPENDIX I: SECURITY CHECKLIST
APPENDIX II: THIRD PARTY LIBRARIES INCLUDED IN ALFRESCO
Introduction
This guide is intended to fill a need for Alfresco administrators to have a collection of tips for enhancing the security of their implementation. If you are concerned about the security of your content, this guide is specifically written for you. This guide addresses the security of an Alfresco implementation from two different views:
• Threat view: We will identify how a potential attacker could exploit security issues with the installation;
• Administrator view: We will discuss how an administrator can prevent and protect an installation.

Audience
This document is intended for the Alfresco Enterprise customer and partner network, with a special focus on technical teams such as Enterprise Architecture, Development, Support, and Operations, as it requires a deep understanding of the architecture, components, and technologies involved in the operation of the Alfresco platform. The ideal reader should hold an Alfresco Certified Engineer (ACE) or Alfresco Certified Administrator (ACA) certification. More details on the certifications can be found at http://university.alfresco.com.
Related Publications
For some recommendations an official link will be provided. Furthermore, here is a list of sources of information related to Alfresco and this guide:
• Alfresco Security Policy1
• Alfresco Cloud Security Policy2
• Alfresco in the Cloud Security White Paper3
• Alfresco Backup and Disaster Recovery White Paper4
• Alfresco Security Best Practices talk at Alfresco DevCon 20125

1 http://docs.alfresco.com/support/concepts/su-external-security-policy.html
2 http://docs.alfresco.com/support/concepts/su-external-security-policy-cloud.html
3 http://www2.alfresco.com/l/1234/2012-08-07/374w8d/1234/151131/Alfresco_in_the_cloud_Security.pdf
4 http://bit.ly/1lvNkcz
5 http://bit.ly/1rBtOme
How to Read this Guide
This guide tries to accommodate two needs: (1) having a handy reference on how to secure the most common services and subsystems in Alfresco and (2) providing some background on Alfresco security. Understanding the Alfresco internals is essential if the reader wants to achieve proper application hardening. Most of the advice and best practices included in this guide are based on Alfresco One version 4.2.

Disclaimer and Scope
This guide specifically does not address physical security, the protection of software and hardware against new exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key rollover and key management, securing client PCs and mobile devices (theft or loss), proper Operations Security, social engineering attacks, protection against TEMPEST attack techniques, jamming of the encrypted channel or other similar attacks, which are typically employed to circumvent strong encryption.
Alfresco Security Policy
When a security issue is discovered, Alfresco will do the following:
1. Send it directly to the subject matter expert to evaluate the scope and severity of the issue;
2. Issue one or more versions, whatever is required, to resolve the security breach as soon as possible;
3. Inform our customers and partners that this version is available.

The version(s) where a particular security issue is resolved will depend on the scope and severity of the issue, and may include:
1. A maintenance release for the last major version;
2. A hot fix for the last major versions;
3. Hot fixes for older maintained versions.

Example 1: A security issue is discovered in Alfresco v4.1.2, which is unlikely to be exploited. Alfresco will:
• Ensure that the next release, Alfresco 4.1.3, fixes the issue.

Example 2: A security issue is discovered in Alfresco v4.1.2, which could be exploited. Alfresco will:
• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue a hot fix for Alfresco v3.4, if applicable, as soon as possible;
• Ensure the next release, Alfresco v4.1.3, fixes the issue.

Example 3: A security issue is discovered in Alfresco v4.1.2, which is being exploited. Alfresco will:
• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue a hot fix for Alfresco versions 3.0, 3.1, 3.2, 3.3, 3.4 and 4.0 as soon as possible;
• Ensure the next release, Alfresco v4.1.3, fixes the issue.

Release of Security Notifications
When a security issue in an Alfresco product is found and fixed, Alfresco notifies customers in a number of ways:
• If this is a blocker issue with a workaround, Alfresco sends a critical security alert email to all customers warning of the issue and providing the workaround. A second critical security alert will then be sent which includes details for the fixed version(s).
• If this is a blocker issue without a workaround, Alfresco releases the version containing the fix and then sends a critical security alert email to all customers.
• For all other severity issues, Alfresco releases the version containing the fix and then sends a security alert email to all customers.
For all issues, there will be a security notice posted within the support portal at the same time the version with the fix is released.
Severity Levels
Alfresco classifies security vulnerabilities by severity, on a case by case basis, using common sense and the examples shown here as a guideline.

High
A vulnerability is classified as High severity if any of the following hold true:
• Customer data can be compromised;
• The server running the application can be compromised;
• A Denial of Service (DoS) renders the system unavailable;
• The vulnerability was discovered externally, is known about externally, or is being actively exploited.

Medium
A vulnerability is classified as Medium severity if any of the following hold true:
• It would otherwise be High severity but it was discovered internally and/or is not believed to be known externally;
• It is a less serious vulnerability such as an XSS or CSRF.

Low
A vulnerability is classified as Low severity if it only poses a marginal or insignificant risk.
NOTE: Alfresco has an internal SLA to resolve vulnerabilities based on the severity classification mentioned above.
Reporting a Security Issue to Alfresco
Please report all security issues by logging a support case via the support portal. If you do not have access to the support portal, please email [email protected] to ensure that the information is reported to Alfresco. This is essential so that the security issue does not enter into the public domain prematurely.

Components to Consider
As has been stated above in this document, there are different components that may affect application security. Below is a list of components that need to be considered, from the physical environment to the software:
1. Facilities;
2. Physical security;
3. Network infrastructure;
4. Virtual and/or physical infrastructure;
5. Network configuration;
6. Firewall;
7. Operating System;
8. JVM and Application Server;
9. Alfresco;
10. People;
11. Process.
This guide mostly deals with Alfresco security. Additional security tips and guidelines are included for components that are directly related to Alfresco security and maintenance, such as JVM and application server, operating system, and firewall security.

The External and Internal Perspective

External Threats
If an Alfresco installation is exposed to the Internet it could potentially be the target of different types of attacks. In this section we list activities that can be used by an attacker to discover information pertaining to an Alfresco installation. For example, this information might include the application server, operating system and content items.
Discovery, Information Gathering and Information Leaks
Before performing an intrusion, an attacker may need to gather target information in order to enumerate devices, hostnames, domains or subdomains, ports, protocols, services, applications and even usernames or passwords. Although Alfresco is mostly an Intranet or Extranet service, it can be configured to be connected directly to the Internet. In this case, an Alfresco installation may be discovered using many different techniques. Of the hundreds of tools available for discovery and information gathering, we highlight some well-known resources below:
• Google and Bing: With a simple search we can find some servers that are exposed.
  https://www.google.com/?q=%2220052014+Alfresco+Software+Inc.+All+rights+reserved.%22
• Shodan6: This is a device search engine based on ports and service headers or banners.
  https://www.shodan.io/search?query=%22alfresco%22+server+port%3A8080
• FOCA7: This is a graphical tool (Windows) that utilizes the Google and Bing search engines and DNS records to retrieve metadata from the documents that are available in the target domain. It searches for usernames, software versions and server or machine names.
• Metagoofil: This is a command line tool (Linux) that utilizes the Google search engine to retrieve metadata from the documents that are available in the target domain. It searches for usernames, software versions and server or machine names.
• theharvester: This is a command line tool (Linux) that looks for email accounts, usernames, hostnames and subdomains by using Google, Bing, LinkedIn, Shodan and more.
• Maltego: This is an open source intelligence and forensics application. It allows you to mine and gather information from public resources and then represent the information in a meaningful way.
• Nmap port scanning: It is used to determine the state of TCP and UDP ports for the target host, among other network protocols.
• Other manual tasks: a banner read from a Tomcat server:

  # echo -e "HEAD / HTTP/1.0\n\n" | nc 192.168.11.129 8080
  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=ISO-8859-1
  Content-Length: 2763
  Date: Fri, 12 Sep 2014 22:06:59 GMT
  Connection: close

  The same test done against Alfresco Share:

  # echo -e "HEAD /share/page/ HTTP/1.0\n\n" | nc 192.168.11.129 8080
  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Cache-Control: no-cache
  Content-Type: text/html;charset=utf-8
  Content-Language: en-US
  Content-Length: 39170
  Date: Fri, 12 Sep 2014 22:09:36 GMT
  Connection: close

6 http://www.shodanhq.com/
7 http://www.informatica64.com/foca.aspx
In addition to all the threats described above, these tools are also useful for gathering information from files. It is well known that most content items carry information about themselves inside their own files: their metadata. Besides the file name, photos will have information about the camera and even geo-localization. MS Office, Open/LibreOffice or PDF documents may store user names, network resources, email addresses and other information useful for a potential intrusion test. Some of these properties are extracted automatically by Alfresco in order to populate its own database, but the properties are still stored in the file itself. If Alfresco publishes these documents externally or the files are being accessed from portals, emails, etc., then we need to add protection in order to prevent information leaks.
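The metadata problem described above can be seen, and removed, with a few lines of standard-library code. The following Python script is an added example and is not part of this guide or of Alfresco: Office Open XML files (.docx, .xlsx, .pptx) are zip containers whose document properties live in docProps/core.xml and docProps/app.xml, so an outbound copy can be scrubbed by rewriting just those two parts. The sample document, the property names to blank and the helper names are assumptions made for the example; the element list covers common identifying fields rather than every possible property.

```python
"""Strip identifying properties from OOXML documents before distribution.

Added example using only the Python standard library; the sample document
below is constructed in memory so the script runs offline."""
import io
import re
import zipfile

# OOXML stores document properties in these two parts of the zip container.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Elements that usually identify people, machines or the authoring software
# (an illustrative list, not an exhaustive one).
SENSITIVE_ELEMENTS = (
    "dc:creator", "cp:lastModifiedBy", "cp:keywords", "dc:description",
    "Company", "Manager", "Application", "AppVersion", "HyperlinkBase",
)


def blank_element(xml, tag):
    """Replace every <tag ...>text</tag> with an empty <tag .../> element.

    A regex is enough here because the property parts are small and flat;
    attributes on the element (e.g. xsi:type) are preserved."""
    return re.sub(rf"<{tag}(\s[^>]*)?>.*?</{tag}>", rf"<{tag}\1/>", xml, flags=re.S)


def scrub_ooxml(data):
    """Return a copy of an OOXML file with identifying properties blanked.

    Every other part (document body, styles, media) is copied byte for byte."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in PROPERTY_PARTS:
                xml = payload.decode("utf-8")
                for tag in SENSITIVE_ELEMENTS:
                    xml = blank_element(xml, tag)
                payload = xml.encode("utf-8")
            dst.writestr(item, payload)
    return out.getvalue()


def extract_properties(data):
    """Report the non-empty sensitive elements found in a file (before/after check)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    found = {}
    for part in PROPERTY_PARTS:
        if part not in src.namelist():
            continue
        xml = src.read(part).decode("utf-8")
        for tag in SENSITIVE_ELEMENTS:
            m = re.search(rf"<{tag}(?:\s[^>]*)?>(.*?)</{tag}>", xml, flags=re.S)
            if m and m.group(1).strip():
                found[tag] = m.group(1).strip()
    return found


def read_part(data, name):
    """Return one part of the container as text (used to check the body is untouched)."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


def make_sample_docx():
    """Constructed sample: a minimal .docx-like container with leaky properties."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Quarterly report</dc:title>'
            '<dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application>'
           '<Company>Example Corp</Company>'
           '<AppVersion>14.0000</AppVersion>'
           '</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    original = make_sample_docx()
    print("before:", extract_properties(original))
    print("after: ", extract_properties(scrub_ooxml(original)))
```

The title is deliberately left in place: the goal is to remove who and what produced the file, not to strip properties the recipient legitimately needs. The same container layout applies to .xlsx and .pptx, so scrub_ooxml works unchanged for them; PDFs and images need a format-specific tool such as the ExifTool mentioned later in this guide.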
Protection
• Use an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Host IDS, Advanced Threat Protection Systems and a Web Application Firewall to mitigate some of these scans;
• The Alfresco banner can be removed from the Alfresco Share login page;
• Filter access to Alfresco resources through a specific network or IP address. Refer to the Architecture section in this document;
• Clean document metadata before distributing documents. Alfresco can do this for you with an easy customization. Tools for metadata cleaning include ExifTool, OOMetaExtractor8, MS Office 2003 & XP9 or BatchPurifier. Demo and tools are available on the Alfresco DevCon 2012 site10;
• Remove the application server and web server versions. For example, the default ErrorReportValve includes the Tomcat version number in the response that is sent to clients. To avoid this, custom error handling can be configured within each web application. Alternatively, you can explicitly configure an ErrorReportValve and set its showServerInfo attribute to false. The version number can also be changed by creating the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with the following content:
  server.info=My App Server
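The banner reads shown earlier can be turned into a repeatable check. The following Python script is an added example and is not part of this guide or of Alfresco: it parses a raw HTTP response head, flags headers that disclose the product or a version string, and reports which of the browser-protection headers seen in the Share response are absent. The two responses embedded in it are the ones quoted above from this guide, used here as constructed test input; the header lists and function names are assumptions made for the example.

```python
"""Audit an HTTP response head for software disclosure and missing protections.

Added example; the sample responses are the banner reads quoted in this guide."""
import re

# Response from the Tomcat root context, as captured earlier in this guide.
TOMCAT_ROOT = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close
"""

# Response from the Alfresco Share page, as captured earlier in this guide.
SHARE_PAGE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close
"""

# Headers that commonly tell a scanner which software stack is in use.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Browser-side protections that the Share response above already sends.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options", "x-xss-protection")
# Anything that looks like "major.minor" counts as a version string.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw):
    """Return (status_line, {lower-cased name: value}) from a raw response head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore anything that is not a header line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit(raw):
    """Return a list of findings for one response; an empty list means none."""
    _, headers = parse_headers(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value}")
        else:
            findings.append(f"{name} discloses the product: {value}")
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings.append(f"missing {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("Tomcat root", TOMCAT_ROOT), ("Share page", SHARE_PAGE)):
        print(label)
        for finding in audit(raw) or ["no findings"]:
            print("  -", finding)
```

Run against the two captured responses, the script reports the Server header on both (Apache-Coyote/1.1 names the Tomcat connector) and the three protection headers that the root context lacks but Share sends. In a real deployment the raw input would come from the same HEAD request shown earlier, so the check can be scheduled after every upgrade to confirm that the version-hiding changes survived.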
Brute Force Username and Passwords Attacks
Passwords are one of the easiest elements that can be attacked in order to gain access to a system. Alfresco itself stores usernames and passwords, and the passwords are hashed, never stored as plain text anywhere on the system. In most corporate environments, Alfresco is usually connected to a user directory like LDAP or Active Directory, which would be responsible for managing passwords and controlling any kind of attack against them. Below is an example of dictionary based cracking against a WebDAV service with the Hydra tool (a very fast network logon cracker which supports many different services):

  # hydra -L usernames.txt -P passwords.txt -u -s 8080 -m 'http://127.0.0.1' 127.0.0.1 http-get

8 http://www.codeplex.org/oometaextractor
9 http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360
10 http://devcon.alfresco.com/speakers/toni-de-la-fuente
Protection
• Implement a password rotation and strength policy11.
• Implement a failed-login threshold to prevent brute force or dictionary attacks, based on a count of consecutive password failures. This is done on your LDAP side or third party authentication system, and in most cases can be achieved by configuration. In some well-known LDAP servers there is an attribute called "pwdMaxFailure" that controls this behavior. NOTE: Beware of DoS attacks that lock out all accounts.
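The threshold described above, together with the DoS caveat, is easiest to reason about in code. The following Python class is an added example and is not Alfresco or LDAP server code: it models the three parameters of the LDAP password policy draft that "pwdMaxFailure" comes from (pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration) so the interaction between them can be tested. The class and method names are assumptions made for the example; timestamps are plain seconds so the policy can be exercised without waiting.

```python
"""Failed-login threshold with an expiring lockout.

Added example modelling the LDAP password-policy parameters named in the
comments; it is not the Alfresco or LDAP implementation."""
from collections import defaultdict, deque


class LockoutPolicy:
    def __init__(self, pwd_max_failure=5, pwd_failure_count_interval=300,
                 pwd_lockout_duration=900):
        # pwdMaxFailure: consecutive failures that trigger a lockout.
        # pwdFailureCountInterval: failures older than this many seconds are
        #   forgotten, so a slow trickle of typos never locks a real user out.
        # pwdLockoutDuration: seconds the account stays locked. A value of 0 in
        #   the LDAP policy means "locked until an administrator unlocks it",
        #   which turns the lockout into a denial-of-service lever against any
        #   account whose name is known; this example therefore insists on a
        #   finite duration so an attacker can only cause temporary outages.
        if pwd_lockout_duration <= 0:
            raise ValueError("use a finite lockout duration to limit DoS impact")
        self.max_failure = pwd_max_failure
        self.interval = pwd_failure_count_interval
        self.lockout = pwd_lockout_duration
        self.failures = defaultdict(deque)   # user -> recent failure timestamps
        self.locked_until = {}               # user -> time the lock expires

    def _prune(self, user, now):
        """Drop failures that fall outside the counting interval."""
        recent = self.failures[user]
        while recent and now - recent[0] > self.interval:
            recent.popleft()

    def is_locked(self, user, now):
        """True while a lock is in force; expired locks are cleared on the way."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'ok', 'denied' or 'locked'.

        While locked, even a correct password is rejected, which is what stops
        the attacker from simply continuing the dictionary run."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "ok"
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failure:
            self.locked_until[user] = now + self.lockout
            return "locked"
        return "denied"

    def locked_accounts(self, now):
        """Accounts currently locked: the figure to alert on for a mass-lockout DoS."""
        return sorted(u for u in list(self.locked_until) if self.is_locked(u, now))


if __name__ == "__main__":
    policy = LockoutPolicy(pwd_max_failure=3, pwd_failure_count_interval=60,
                           pwd_lockout_duration=120)
    for t in (0, 10, 20):
        print("alice", t, policy.attempt("alice", False, t))
    print("alice", 30, policy.attempt("alice", True, 30))    # still locked
    print("alice", 141, policy.attempt("alice", True, 141))  # lock expired
    print("locked now:", policy.locked_accounts(141))
```

Two points the code makes concrete: the login response must not differ between "locked" and "wrong password" when it reaches the client (the return value is for the server's own logs), and the number of locked accounts is worth monitoring, because a sudden rise is the signature of someone exploiting the lockout for denial of service rather than trying to guess passwords.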
MITM Attacks
Man in the middle attacks can be performed in many different ways depending on the deployment architecture. For instance, consider a four tier architecture with a web server or a load balancer in front of Alfresco, an Index Server and a database server. An MITM attack can be performed between the users and the web server, the web server and Alfresco, Alfresco and the Index Server and finally between Alfresco and the database server. The way to prevent these types of attacks from happening is to use encrypted and authenticated communications.
Protection
• A secure architecture design in layers and with protection;
• Out of the box Alfresco provides encryption and authentication between the Alfresco repository and the Index Server. Authentication is also provided for the users to connect to the DB but encryption is not. In this case, it is extremely important to consider enabling encryption at least for the end user communications;
• Check your security certificate strength12 and tweak your SSL settings until you get an A grade or above.
DOS and DDOS
If the Alfresco server is facing the Internet there is a risk of being the target of a Denial of Service or a Distributed Denial of Service attack. A layer of protection should be added to guard against this.
Protection
• Use traditional firewall techniques to limit the attack surface for potential attackers. Deny traffic to and from the source and destination of the attack. Manage the list of allowed destination servers and services. Manage the list of allowed sources of traffic, ports, and protocols;
• Use web application firewalls to inspect web packet traffic;
• Use IDS/IPS systems to prevent statistical or behavioral attacks and signature-based algorithms to detect network attacks and Trojans;
• Get control of ICMP and TCP SYN to prevent flooding;
• Consider using vendor solutions like AWS, Akamai, DOS Arrest, Incapsula, etc.

11 https://howsecureismypassword.net/ and https://secure.packetizer.com/pwgen/
12 https://www.ssllabs.com/ssldb/analyze.html
Viruses
Since viruses can be found in most kinds of content, an antivirus solution must be deployed throughout all infrastructure tiers, from client desktops to servers. Alfresco is fully compatible with any antivirus software that executes on a server or through the communication layer. This guarantees that no infected content is stored or accessible through the platform.
Protection
There is a third party module available for Alfresco called Alfviral13. This can be used inside the repository to trigger an analysis of a given content item. It can also be used to check virus signatures against databases like VirusTotal or ClamAV solutions. The use of Advanced Threat Protection Systems is also recommended.

Vulnerabilities Assessment

Public Vulnerabilities
Related to Alfresco since the first version in 2005:
1. SEC Consult SA-20140716-0 (MNT-11793): Multiple SSRF vulnerabilities. FIXED in all major versions;
2. CVE-2014-2939: Summary: Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML via (1) an XHTML document, (2) a