Alfresco security best practices CHECK LIST ONLY
1 like10,125 views
This document provides a checklist of basic security checks that should be performed for any Alfresco production deployment, including checking for latest software updates, changing default passwords, enabling SSL for key services, restricting file permissions, enabling auditing if required, disabling unneeded services, and ensuring proper backup, disaster recovery, and monitoring is configured. The checklist covers over 50 specific configuration items to review across the Alfresco installation and configuration.
Alfresco security best practices CHECK LIST ONLY
- 1. Alfresco Security Best Practices 46! ! Appendix I: Security Checklist Alfresco(Security(Check(List( This!is!a!list!of!basics!checks!to!perform!in!any!Alfresco!production!deployment.!In!case!of!cluster,!these!checks!should!be! passed!to!all!nodes.!Please!read!this!document!before!in!order!to!understand!all!checks!below:! Server!Name:!____________________________________! Server!IP!Address:!________________________________! ! Last!Service!Pack!/!Hot!fix!of!the!Alfresco!existing! version!installed! ! Changed!default!admin!password! ! If!Linux,!run!the!application!server!as!non!root! user! ! Changed!the!default!JMX!passwords!for! controlRole!and!monitorRole! ! Switched!to!SSL!all!required!services!using!a! custom/owned!certificate!(not!default!cert):! ! HTTP!/!Webdav!/!API! ! Enable!HSTS! ! Force!secure!cookies! ! SharePoint!Protocol! ! IMAP! ! FTP! ! SMTP!INBOUND! ! SMTP!OUTBOUND! ! Solr!(SSL!by!default),!if!in!separate!tier! ! If!clustered:!JGroups!or!Hazelcast! (optional)! ! Alfresco!JDBC!to!DB!communication! (optional)! ! Check!certificate!strength!! ! Change!file!permissions!to!allow!only!the! application!user!to!see!and!write!these!files! and/or!directories!(i.e.!Linux:!chmod!0600!<pathL toLfile>):!! ! “alfrescoLglobal.properties”! ! “dir_root/contentstore”! ! “dir_root/solr”!or!“dir_root/luceneL indexes”! ! Alfresco!and!application!server!logs!are!all!in!the! same!directory,!with!the!proper!security! permissions!and!logs!rotation!configured!(app! server!logs,!alfresco.log,!share.log,!solr.log)! ! If!Alfresco!is!connected!to!internet!remove!the! Alfresco!banner!in!the!Share!login!page! ! If!LDAP,!AD!or!third!party!authentication!is! enabled,!any!communication!between!Alfresco! and!the!authentication!server!is!through!SSL!(i.e.! 636!TCP!for!LDAPS).! ! If!Alfresco!Replication!Service!is!needed:!! ! Use!HTTPS!! ! Do!not!replicate!with!“admin”!user! ! Disabled!unneeded!services! ! Enabled!audit!if!required! ! Disabled!guest!user! ! Backup!and!Disaster!Recovery!software! configured!and!tested!for!indexes,!db,! contentstore,!installation,!configuration!and! customization!files! ! Deleted!files!under!control! ! The!trashcan!has!to!be!emptied! manually!or!install!trashcancleaner! ! Configured!Alfresco!to!delete!files!from! file!system!when!the!trashcan!is! emptied!(eagerCleaner)! ! A!shell!script!to!delete! contentstore.deleted!once!a!week! ! Local!and!network!firewalls!are!properly! configured!for!both!inbound!and!outbound! traffic! ! Monitoring!services!availability!through!JMX! with!solutions!like!Hyperic,!Nagios!or!JMelody! ! Encryption!at!rest!is!enabled!(available!in! Alfresco!One!5.0)! ! Passwords!in!properties!files!are!encrypted! (available!in!Alfresco!One!5.0)! ! Check!“fileMserversMcustom.xml”!permissions!if! Kerberos!is!configured! ! Check!FSTR!configuration!files!permissions!if!is! configured!(it!has!password!inside)! ! Embedded!metadata!is!still!in!every!file,!clean! this!before!content!leaves!Alfresco,!to!prevent! information!leaks!through!metadata!! ! API,!services!and!Share!proxy!accesses!are! protected! ! In!case!of!integration!with!third!party! applications,!establish!a!dedicated!Alfresco! authenticated!user!versus!using!the!admin!user! ! CSRF!is!enabled!in!Alfresco!Share!(default)! ! Alfresco!Share!IFramePolicy!is!configured!as! “deny”! ! Enable! SecurityHeadersPolicy,! in! Share! that! mitigates!clickjacking!attacks!! ! Configure! HTML! processing! black/white! lists! (optional)! ! Custom!error!page!created!at!web!server!or! application!server!level!(optional)! ! Use!a!network!IDS!on!top!of!Alfresco!server! (optional)! ! Use!a!Web!Application!Firewall!on!top!of! Alfresco!(optional)! ! Use!an!antivirus!solution!at!the!server!side!or! through!communication!and!an!Advanced!Threat! Protection!System!(optional)