Alfresco is one of the most famous document management system in the world. In addition to its user-friendly design and easy-to-use features, Alfresco is also recommended for its strong security. However like in case of all software tools, your Alfresco implementation is only as strong as its configuration. For a secure Alfresco you need an air-tight defense from all possible points of attack. So in this blog we are going to talk about securing your Alfresco installation.
Now even before we begin, I cannot list down all the possible configurations as most of them come under the broad topic of ‘best practices’. Instead I am going to focus on the security related considerations. In addition, in most practical solutions every Alfresco installation is linked to other tools like portals, intranets, business intelligence tools, CMS, ECM and CRM, so it’s advisable to secure integrated tools as well. Also, if you have installed clusters of Alfresco, you should checking the security of all nodes becomes mandatory.
Checking All the Passwords
The most important aspects of security are passwords that can be used to access the documents. Your passwords are your first line of defense so use as strong a password as possible. There are thousands of way that you can strengthen your passwords. Do not ignore them since they can be the difference between staying protected or compromising your security.
- Change all the default passwords of the Alfresco installation.
- Change the default JMX passwords associated with controlRole and monitorRole parameters.
- Check whether the passwords stored in Properties files are encrypted or not.
- Check the passwords and security of all connected API, Services, and Shared proxies.
Checking the permissions
Alfresco is very flexible in terms of enforcing role-based-access. Therefore you have to be careful who you give access to and what. Here are 9 most important permission considerations
- If you are using linux, make sure that you are using non-root user for running application servers.
- Change the permissions at alfresco-global.properties, dir_root/contentstore, dir_root/solr, and dir_root/lucene-indexes to allow access of only application users.
- Disable guest users.
- If you are using Kerberos, check the ‘file-servers-custom.xml’ file’s permissions.
- Check the configuration and passwords of FTSR files.
- If you are going to integrate Alfresco with third party tools (and we know that you are going to do that 😉 ) create a dedicated user to them allow access to Alfresco instead of giving them access via admin user.
- Unless and until your project specifically require them, set the Alfresco Share’s iFramePolicy to ‘deny’.
- Recheck the permissions and configurations of Alfresco log directories. All Alfresco logs and application server logs are usually stored in the same directory so it’s imperative that you secure it.
- Alfresco is full of services and features. It’s recommended to disable all unneeded services to ensure best performance from Alfresco both from general, work and security point of view.
Important configurations to check after every installation
Passwords and permissions are not the only way to tighten security. There are some vital configuration settings you need to make sure are set properly for a secure environment.
- Remove the Alfresco icon from the login page and if possible change the styling. Figuring out the underlying system is the first step of any attack and login pages are the most common ways to figure out the system. Also, change the default login URLs to further ensure security.
- Enable SSL for all major services. If you are using any third party authentication, run all authentication requests between Alfresco and server through an SSL secure server.
- Whenever you are replicating Alfresco services, use HTTPS services only. Also either use a pre-created user or create a new dedicated user for the same instead of using admin user.
- Maintain a black/white list to configure HTML processing. It may seem unnecessary in the beginning, but if you are going to scale your project then they can turn out to be very useful.
- Configure your SecurityHeaderPolicy values and enable the services to secure yourself from clickjacking attacks.
- Create and maintain custom error message pages. Every tool has their own distinct error pages and thus they are again used to figure out the underlying system. Custom error pages not only give your application a distinct touch, but it also confuses the potential attacker in estimating the system.
- Enable auditing to check the performance of your system.
- Metadata can also be used to compromise security so always set proper permissions for metadata files as well. Whenever you are migrating the content of the system, do not leave any metadata files in the system. They can be used to compromise security.
- Enable encryption in your Alfresco system.
- Always monitor JMX services. You can use third party tools for this task like Hyperic, Nagios, or JMelody.
Third party firewalls also play a major role in securing your application environment. You have to setup and configure the firewalls to maintain secure inbound and outbound traffic. A server-side and application-side firewall or an antivirus solution can secure your application from many threats. But they have to be mitigated based on their requirement, use, and of course cost.
Consult the experts when in doubt
If you have any doubts related to security of your Alfresco implementation, you can consult Alfresco experts for a security check up. We have been working on Alfresco since 2006 and are one of the premier Alfresco development and consultancy services firm in the globe.