
 

Guide

Alfresco Security Best Practices
 
Copyright  2014  by  Alfresco  and  others.  
Information   in   this   document   is   subject   to   change   without   notice.   No   part   of   this   document  
may  be  reproduced  or  transmitted  in  any  form  or  by  any  means,  electronic  or  mechanical,  for  
any   purpose,   without   the   express   written   permission   of   Alfresco.   The   trademarks,   service  
marks,   logos,   or   other   intellectual   property   rights   of   Alfresco   and   others   used   in   this  
documentation   ("Trademarks")   are   the   property   of   Alfresco   and   their   respective   owners.   The  
furnishing   of   this   document   does   not   give   you   license   to   these   patents,   trademarks,   copyrights,  
or   other   intellectual   property   except   as   expressly   provided   in   any   written   agreement   from  
Alfresco.  
The   United   States   export   control   laws   and   regulations,   including   the   Export   Administration  
Regulations   of   the   U.S.   Department   of   Commerce,   and   other   applicable   laws   and   regulations  
apply to this documentation which prohibit the export or re-export of content, products,
services,  and  technology  to  certain  countries  and  persons.  You  agree  to  comply  with  all  export  
laws,   regulations,   and   restrictions   of   the   United   States   and   any   foreign   agency   or   authority   and  
assume  sole  responsibility  for  any  such  unauthorized  exportation.  
You   may   not   use   this   documentation   if   you   are   a   competitor   of   Alfresco,   except   with   Alfresco's  
prior   written   consent.   In   addition,   you   may   not   use   the   documentation   for   purposes   of  
evaluating  its  functionality  or  for  any  other  competitive  purposes.  
This  copyright  applies  to  the  current  version  of  the  licensed  program.  

Document History

VERSION | DATE | AUTHOR | DESCRIPTION OF CHANGE
0.1 | 23-Jul-14 | Toni de la Fuente | Initial version
0.2 | 16-Sept-14 | Toni de la Fuente | Version to review
0.3 | 18-Sept-14 | Toni de la Fuente | Added Steve Rigby and Pete Philips suggestions
0.4 | 23-Sept-14 | Toni de la Fuente | Added architecture info and made corrections. Sent to grammar review.
0.5 | 2-Oct-14 | Toni de la Fuente | Added Martin Kappel corrections
0.6 | 2-Oct-14 | Toni de la Fuente | Made Kimberly Watson grammar and style corrections
1.0 | 2-Oct-14 | Toni de la Fuente | Version to release

Table of contents
INTRODUCTION
  AUDIENCE
  RELATED PUBLICATIONS
  HOW TO READ THIS GUIDE
  DISCLAIMER AND SCOPE
  ALFRESCO SECURITY POLICY
    Release of Security Notifications
    Severity Levels
    Reporting a Security Issue to Alfresco
  COMPONENTS TO CONSIDER
THE EXTERNAL AND INTERNAL PERSPECTIVE
  EXTERNAL THREATS
    Discovery, Information Gathering and Information Leaks
    Brute Force Username and Passwords Attacks
    MITM Attacks
    DOS and DDOS
    Viruses
  VULNERABILITIES ASSESSMENT
    Public Vulnerabilities
    Other Vulnerabilities
HARDENING THE NETWORK AND OPERATING SYSTEM
  NETWORK
  OS SECURITY
  CONFIGURING YOUR FIREWALL
    Inbound Ports
    Outbound ports
    Port Redirect
  DETERMINING MINIMUM PRIVILEGES
ALFRESCO IMPLEMENTATION BEST PRACTICES
  STAY CURRENT
  DO NOT RUN THE APPLICATION SERVER AS ROOT
  REPOSITORY LEVEL SECURITY
    Enable SSL
    Understanding Roles and Permissions
    Custom Roles
    Audit
    Reset Admin Password
    Ticket Session Duration Control
    Disable Unneeded Services
    Disable Guest User
    Review Server Logs Periodically
    Change JMX Default Credentials
    Get Control of Deleted Content
    Node Creation
    Node Deletion
    Questions and Answers About Content Deletion
    Wipe Content
  SHARE LEVEL SECURITY
    Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
    Security Filters and Clickjacking Mitigation in Alfresco Share
    Iframes and Phishing Attack Mitigation in Alfresco Share
    Share HTML Processing Black/White List
    Site Creation Control
    Filter Document Actions by User or Role
    Filter workflow by role/group
    Change default Share session timeout
ARCHITECTURE DEPLOYMENT BEST PRACTICES
    Frontends
    Single tier
    Two tiers
    Three tiers
    AWS deployments
  BACKUP AND DISASTER RECOVERY
MOBILE SECURITY
  FILE PROTECTION
  HTTPS
  CERTIFICATE AUTHENTICATION
  MDM
    Alfresco for Good (iOS)
    MobileIron (Android)
    Additional information
SECURITY COMPLIANCE AND STANDARDS
  DOD5015.2
  OWASP
  HIPAA
  FISMA
  FEDRAMP
  ISO 27001
  PCI DATA SECURITY STANDARD
APPENDIX I: SECURITY CHECKLIST
APPENDIX II: THIRD PARTY LIBRARIES INCLUDED IN ALFRESCO
 
 


Introduction
This  guide  is  intended  to  fill  a  need  for  Alfresco  administrators  to  have  a  collection  of  tips  for  
enhancing   the   security   of   their   implementation.     If   you   are   concerned   about   the   security   of  
your  content,  this  guide  is  specifically  written  for  you.  
 
This  guide  addresses  the  security  of  an  Alfresco  implementation  from  two  different  views:  
• Threat   view:     We   will   identify   how   a   potential   attacker   could   exploit   security   issues   with  
the  installation;  
• Administrator   view:   We   will   discuss   how   an   administrator   can   prevent   and   protect   an  
installation.  

Audience
This document is intended for the Alfresco Enterprise customer and partner network, with
special focus on technical teams such as Enterprise Architecture, Development, Support, and
Operations. Because it requires a deep understanding of the architecture, components, and
technologies involved in the operations of the Alfresco platform, the ideal reader should hold
an Alfresco Certified Engineer (ACE) or Alfresco Certified Administrator (ACA) certification.
More details on the certifications can be found at http://university.alfresco.com.

Related Publications
For some recommendations an official link will be provided. In addition, here is a list of
sources of information related to Alfresco and this guide:
• Alfresco Security Policy [1]
• Alfresco Cloud Security Policy [2]
• Alfresco in the Cloud Security White Paper [3]
• Alfresco Backup and Disaster Recovery White Paper [4]
• Alfresco Security Best Practices talk at Alfresco DevCon 2012 [5]

[1] http://docs.alfresco.com/support/concepts/su-external-security-policy.html
[2] http://docs.alfresco.com/support/concepts/su-external-security-policy-cloud.html
[3] http://www2.alfresco.com/l/1234/2012-08-07/374w8d/1234/151131/Alfresco_in_the_cloud_Security.pdf
[4] http://bit.ly/1lvNkcz
[5] http://bit.ly/1rBtOme

How to Read this Guide


This guide tries to accommodate two needs: (1) having a handy reference on how to secure the
most common services and subsystems in Alfresco and (2) providing some background on
Alfresco security. Understanding the Alfresco internals is essential if the reader wants to
harden the application properly.
Most  of  the  advice  and  best  practices  included  in  this  guide  are  based  on  Alfresco  One  version  
4.2.  

Disclaimer and Scope


This   guide   specifically   does   not   address   physical   security,   the   protection   of   software   and  
hardware   against   new   exploits,   basic   IT   security   housekeeping,   information   assurance  
techniques,   traffic   analysis   attacks,   issues   with   key   rollover   and   key   management,   securing  
client PCs and mobile devices (theft or loss), proper Operations Security, social engineering
attacks,  protection  against  tempest  attack  techniques,  jamming  the  encrypted  channel  or  other  
similar  attacks,  which  are  typically  employed  to  circumvent  strong  encryption.      

Alfresco Security Policy


When  a  security  issue  is  discovered,  Alfresco  will  do  the  following:  
1. Send  it  directly  to  the  subject  matter  expert  to  evaluate  the  scope  and  severity  of  the  
issue;  
2. Issue  one  or  more  versions,  whatever  is  required,  to  resolve  the  security  breach  as  soon  
as  possible;  
3. Inform  our  customers  and  partners  that  this  version  is  available.  
 
The   version(s)   where   a   particular   security   issue   is   resolved   will   depend   on   the   scope   and  
severity  of  the  issue,  and  may  include:  
1. A  maintenance  release  for  the  last  major  version;  
2. A  hot  fix  for  the  last  major  versions;  
3. Hot  fixes  for  older  maintained  versions.  
 
Example  1:     A  security  issue  is  discovered  in  Alfresco  v4.1.2,  which  is  unlikely  to  be  exploited.    
Alfresco  will:    
• Ensure  that  the  next  release,  Alfresco  4.1.3,  fixes  the  issue.  
 
Example  2:    A  security  issue  is  discovered  in  Alfresco  v4.1.2,  which  could  be  exploited.    Alfresco  
will:  
• Issue  a  hot  fix  for  Alfresco  v4.1.2  as  soon  as  possible;  
• Issue  a  hot  fix  for  Alfresco  v3.4,  if  applicable,  as  soon  as  possible;  
• Ensure  the  next  release,  Alfresco  v4.1.3,  fixes  the  issue.  
 


Example  3:     A  security  issue  is  discovered  in  Alfresco  v4.1.2,  which  is  being  exploited.    Alfresco  
will:  
• Issue  a  hot  fix  for  Alfresco  v4.1.2  as  soon  as  possible;  
• Issue  a  hot  fix  for  Alfresco  versions  3.0,  3.1,  3.2,  3.3,  3.4  and  4.0  as  soon  as  possible;  
• Ensure  the  next  release,  Alfresco  v4.1.3,  fixes  the  issue.  

Release of Security Notifications


When  a  security  issue  in  an  Alfresco  product  is  found  and  fixed,  Alfresco  notifies  customers  in  a  
number  of  ways:  
• If  this  is  a  blocker  issue  with  a  workaround,  Alfresco  sends  a  critical  security  alert  email  
to  all  customers  warning  of  the  issue  and  providing  the  workaround.    A    second  critical  
security  alert  will  then  be  sent  which  includes  details  for  the  fixed  version(s).  
• If  this  is  a  blocker  issue  without  a  workaround,  Alfresco  releases  the  version  containing  
the  fix  and  then  sends  a  critical  security  alert  email  to  all  customers.  
• For   all   other   severity   issues,   Alfresco   releases   the   version   containing   the   fix   and   then  
sends  a  security  alert  email  to  all  customers.  
For  all  issues,  there  will  be  a  security  notice  posted  within  the  support  portal  at  the  same  time  
the  version  with  the  fix  is  released.  

Severity Levels
Alfresco   classifies   security   vulnerabilities   by   severity,   on   a   case   by   case   basis,   using   common  
sense  and  the  examples  shown  here  as  a  guideline.  
High

A  vulnerability  is  classified  as  High  severity  if  any  of  the  following  hold  true:  
• Customer  data  can  be  compromised;  
• The  server  running  the  application  can  be  compromised;  
• A  Denial  of  Service  (DoS)  rendering  the  system  unavailable;  
• The   vulnerability   was   discovered   externally,   is   known   about   externally,   or   is   being  
actively  exploited.    
 
Medium 

A  vulnerability  is  classified  as  Medium  severity  if  any  of  the  following  hold  true:  
• It   would   otherwise   be   High   severity   but   it   was   discovered   internally   and/or   is   not  
believed  to  be  known  externally;  
• It is a less serious vulnerability such as an XSS or CSRF.
 
Low
• A vulnerability is classified as Low severity if it poses only a marginal or insignificant
risk.


NOTE:  Alfresco  has  an  internal  SLA  to  resolve  vulnerabilities  based  on  the  severity  classification  
mentioned  above.  

Reporting a Security Issue to Alfresco


Please  report  all  security  issues  by  logging  a  support  case  via  the  support  portal.  If  you  do  not  
have   access   to   the   support   portal,   please   email   support@alfresco.com   to   ensure   that   the  
information  is  reported  to  Alfresco.    This  is  essential  so  that  the  security  issue  does  not  enter  
into  the  public  domain  prematurely.  

Components to Consider
As   has   been   stated   above   in   this   document,   there   are   different   components   that   may   affect  
application  security.  Below  is  a  list  of  components  that  need  to  be  considered,  from  the  physical  
environment  to  the  software:  
 
1. Facilities;  
2. Physical  security;  
3. Network  infrastructure;  
4. Virtual  and/or  physical  infrastructure;  
5. Network  configuration;  
6. Firewall;  
7. Operating  System;  
8. JVM  and  Application  Server;  
9. Alfresco;  
10. People;  
11. Process.  
   
This guide mostly deals with Alfresco security. Additional security tips and guidelines are
included for components that are directly related to Alfresco security and maintenance, such as
the JVM and application server, operating system, and firewall.


The External and Internal Perspective


External Threats
If  an  Alfresco  installation  is  exposed  to  the  Internet  it  could  potentially  be  the  target  of  different  
types   of   attacks.   In   this   section   we   list   activities   that   can   be   used   by   an   attacker   to   discover  
information  pertaining  to  an  Alfresco  installation.    For  example,  this  information  might  include  
the  application  server,  operating  system  and  content  items.  

Discovery, Information Gathering and Information Leaks


Before  performing  an  intrusion,  an  attacker  may  need  to  gather  target  information  in  order  to  
enumerate  devices,  hostnames,  domains  or  subdomains,  ports,  protocols,  services,  applications  
and  even  usernames  or  passwords.    
 
Although Alfresco is mostly an Intranet or Extranet service, it can be configured to be
connected directly to the Internet. In this case, an Alfresco installation may be discovered
using many different techniques. Of the hundreds of tools available for discovery and
information gathering, we will highlight some well-known resources below:
 
• Google and Bing: With a simple search we can find some servers that are exposed.
  https://www.google.com/?q=%222005-2014+Alfresco+Software+Inc.+All+rights+reserved.%22

• Shodan [6]: This is a device search engine based on ports and service headers or banners.
  https://www.shodan.io/search?query=%22alfresco%22+server+port%3A8080

• FOCA [7]: This is a graphical tool (Windows) that utilizes the Google and Bing search engines
  and DNS records to retrieve metadata from the documents that are available in the target
  domain. It searches for usernames, software versions and server or machine names.

• Metagoofil: This is a command line tool (Linux) that utilizes the Google search engine to
  retrieve metadata from the documents that are available in the target domain. It searches
  for usernames, software versions and server or machine names.

• theharvester: This is a command line tool (Linux) that looks for email accounts, usernames,
  hostnames and subdomains by using Google, Bing, LinkedIn, Shodan and more.

• Maltego: This is an open source intelligence and forensics application. It allows you to
  mine and gather information from public resources and then represent the information in a
  meaningful way.

• Nmap port scanning: It is used to determine the state of TCP and UDP ports for the target
  host, among other network protocols.

• Other manual tasks:

  Banner read from a Tomcat server:

    # echo -e "HEAD / HTTP/1.0\n\n" | nc 192.168.11.129 8080
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 2763
    Date: Fri, 12 Sep 2014 22:06:59 GMT
    Connection: close

  Test done against Alfresco Share:

    # echo -e "HEAD /share/page/ HTTP/1.0\n\n" | nc 192.168.11.129 8080
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Cache-Control: no-cache
    Content-Type: text/html;charset=utf-8
    Content-Language: en-US
    Content-Length: 39170
    Date: Fri, 12 Sep 2014 22:09:36 GMT
    Connection: close

[6] http://www.shodanhq.com/
[7] http://www.informatica64.com/foca.aspx

In addition to all the threats described above, these tools are also useful for gathering
information from files. It is well known that most content items contain information about
themselves inside their own files: their metadata. Besides the file name, photos will have
information about the camera and even geolocation. MS Office, Open/LibreOffice or PDF
documents may store user names, network resources, email addresses and other information
useful for a potential intrusion test. Some of these properties are extracted automatically
by Alfresco in order to populate its own database, but the properties are still stored in
the file itself. If Alfresco publishes these documents externally or the files are accessed
from portals, emails, etc., then we need to add protection in order to prevent information
leaks.
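The point above, that user names stay inside the file even after Alfresco has extracted them, shown as an added example (not code from this guide or from Alfresco). It builds a small constructed OOXML-style package in memory, reads the identifying core properties, and writes a copy with them emptied; the function names and all sample values are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Part of an OOXML package (.docx, .xlsx, .pptx) that holds the core properties.
CORE_PART = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
FIELDS = ("dc:title", "dc:creator", "cp:lastModifiedBy")
# Properties that normally carry a person or account name.
SENSITIVE = ("dc:creator", "cp:lastModifiedBy")


def build_sample_package():
    """Constructed sample: a minimal package whose metadata names two users."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:title>Quarterly report</dc:title>"
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>CORP\\adoe</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr(CORE_PART, core)
        package.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_core(package_bytes):
    """Return {property: value} for the core properties that are set."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as package:
        if CORE_PART not in package.namelist():
            return {}
        root = ET.fromstring(package.read(CORE_PART))
    found = {}
    for name in FIELDS:
        node = root.find(name, NS)
        if node is not None and node.text:
            found[name] = node.text
    return found


def scrub(package_bytes):
    """Return a copy of the package with the identifying properties emptied."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep the cp:/dc: prefixes on output
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PART:
                root = ET.fromstring(data)
                for name in SENSITIVE:
                    node = root.find(name, NS)
                    if node is not None:
                        node.text = ""
                data = ET.tostring(root, encoding="utf-8")
            # Every other part is copied through unchanged.
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_package()
    print("before:", read_core(original))
    print("after: ", read_core(scrub(original)))
```

Only the core properties part is covered here; other parts of a real document (extended properties, comments, tracked changes) can carry names as well and need their own handling.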
 


Protection
• Use   an   Intrusion   Detection   System   (IDS),   Intrusion   Prevention   System   (IPS),   Host   IDS,  
Advanced  Threat  Protection  Systems  and  Web  Application  Firewall  to  mitigate  some  of  
these  scans;  
• The  Alfresco  banner  can  be  removed  from  the  Alfresco  Share  login  page;  
• Filter  the  access  to  Alfresco  resources  through  a  specific  network  or  IP  address.  Refer  to  
the  Architecture  section  in  this  document;  
• Clean document metadata before distributing documents. Alfresco can do this for you with
an easy customization. Tools for metadata cleaning include: ExifTool, OOMetaExtractor [8],
MS Office 2003 & XP [9] or BatchPurifier. Demo and tools are available on the Alfresco
DevCon 2012 site [10];
• Remove   the   application   server   and   web   server   versions.   For   example,   the   default  
ErrorReportValve   includes   the   Tomcat   version   number   in   the   response   that   is   sent   to  
clients.   To   avoid   this,   custom   error   handling   can   be   configured   within   each   web  
application.     Alternatively,   you   can   explicitly   configure   an   ErrorReportValve   and   set   its  
showServerInfo  attribute  to  false.    The  version  number  can  also  be  changed  by  creating  
the   file   CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties   with   the  
following  content:  
 
server.info=My App Server
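A way to check the result of the hardening steps above against your own server's responses, as an added example (not code from this guide or from Alfresco). It audits raw HTTP responses for a product banner in the Server header, for the response headers that the Share response shown earlier carries, and for a Tomcat version string in an error page body. The first two samples are the responses shown on this page; the error page and the hardened response are constructed, and the function names are assumptions.

```python
import re

# Headers present in the Alfresco Share response shown earlier in this guide.
EXPECTED_HEADERS = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options")
# A product/version token such as "Apache-Coyote/1.1".
BANNER = re.compile(r"[A-Za-z][\w .-]*/\d+(?:\.\d+)*")
# The string the default ErrorReportValve prints in error pages.
TOMCAT_VERSION = re.compile(r"Apache Tomcat/\d+(?:\.\d+)*")

TOMCAT_ROOT = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close

"""

SHARE_PAGE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close

"""

# Constructed sample: an error page as produced with showServerInfo left on.
ERROR_PAGE = """HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8

<html><body><h1>HTTP Status 404</h1><h3>Apache Tomcat/7.0.42</h3></body></html>
"""

# Constructed sample: the same request after hardening.
HARDENED = """HTTP/1.1 404 Not Found
Server: web
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8

<html><body><h1>Not found</h1></body></html>
"""


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit(raw):
    """Return a list of (finding, detail) tuples for one response."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if BANNER.search(server):
        findings.append(("server-banner", server))
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(("missing-header", name))
    match = TOMCAT_VERSION.search(body)
    if match:
        findings.append(("error-page-version", match.group(0)))
    return findings


if __name__ == "__main__":
    for label, raw in (("tomcat root", TOMCAT_ROOT), ("share", SHARE_PAGE),
                       ("error page", ERROR_PAGE), ("hardened", HARDENED)):
        print(label, audit(raw))
```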

Brute Force Username and Passwords Attacks


Passwords are one of the easiest elements that can be attacked in order to gain access to a
system. Alfresco stores usernames and passwords, which are hashed and not stored as plain
text anywhere on the system. In most corporate environments, Alfresco is usually connected
to a user directory like LDAP or Active Directory, which would be responsible for managing
passwords or controlling any kind of attack against them.
Below is an example of dictionary based cracking against a WebDAV service with the Hydra tool
(a very fast network logon cracker which supports many different services):
# hydra -L usernames.txt -P passwords.txt -u -s 8080 -m 'http://127.0.0.1' 127.0.0.1 http-get

                                                                                                           
 
[8] http://www.codeplex.org/oometaextractor
[9] http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-42ca-bc7b-5446d34e5360
[10] http://devcon.alfresco.com/speakers/toni-de-la-fuente


Protection
• Implement a password rotation and strength policy [11].
• Implement a failed-login threshold, that is, a limit on the count of consecutive password
failures, to prevent brute force or dictionary attacks. This is done on your LDAP side or
third party authentication system, and in most cases these attacks can be prevented by
configuration. In some well-known LDAP servers there is an attribute called "pwdMaxFailure"
to control this behavior. NOTE: Guard against DoS attacks that work by locking all accounts.

MITM Attacks
Man-in-the-middle attacks can be performed in many different ways depending on the
deployment architecture. Consider, for instance, a four-tier architecture with a web
server or a load balancer in front of Alfresco, an Index Server and a database server. An
MITM attack can be performed between the users and the web server, the web server and
Alfresco, Alfresco and the Index Server, and finally between Alfresco and the database
server. The way to prevent these types of attacks is to use encrypted and authenticated
communications.

Protection
• A secure architecture design in layers and with protection;
• Out of the box, Alfresco provides encryption and authentication between the Alfresco
repository and the Index Server. Authentication is also provided for the users to connect
to the DB but encryption is not. In this case, it is extremely important to consider
enabling encryption at least for the end user communications;
• Check your security certificate strength [12] and tweak your SSL settings until you get
an A grade or above.

DOS and DDOS


If the Alfresco server is facing the Internet, there is a risk of it being the target of a
Denial of Service or a Distributed Denial of Service attack. A layer of protection should
be added to guard against this.

Protection
• Use traditional firewall techniques to limit the attack surface for potential attackers.
Deny traffic to and from the source or destination of the attack. Manage the list of
allowed destination servers and services. Manage the list of allowed sources of traffic,
ports, and protocols;
• Use web application firewalls to inspect web packet traffic;
• Use IDS/IPS systems to prevent statistical or behavioral attacks and signature-based
algorithms to detect network attacks and Trojans;
• Get control of ICMP and TCP SYN to prevent flooding;
• Consider using vendor solutions like AWS, Akamai, DOS Arrest, Incapsula, etc.

[11] https://howsecureismypassword.net/ and https://secure.packetizer.com/pwgen/
[12] https://www.ssllabs.com/ssldb/analyze.html

Viruses
Since viruses can be found in most kinds of content, an antivirus solution must be deployed
throughout all infrastructure tiers, from client desktops to servers. Alfresco is fully
compatible with any antivirus software that executes on a server or through the
communication layer. This guarantees that no infected content is stored or accessible
through the platform.

Protection
There is a third-party module available for Alfresco called Alfviral [13]. This can be used
inside the repository to trigger an analysis of a given content item. It can also be used to
check virus signatures against databases like VirusTotal or ClamAV solutions. The use of
Advanced Threat Protection Systems is also recommended.

Vulnerabilities Assessment
Public Vulnerabilities
Related to Alfresco since the first version in 2005:
1. SEC Consult SA-20140716-0 (MNT-11793): Multiple SSRF vulnerabilities. FIXED in all
major versions;
2. CVE-2014-2939: Summary: Multiple cross-site scripting (XSS) vulnerabilities in Alfresco
Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML
via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to
share/page/task-edit. Published: 6/2/2014 3:55:03 PM. CVSS Severity: 4.3 MEDIUM;
3. CVE-2014-0125: Moodle integration using the session key in the file URL, allowing
anyone with the link to steal the identity of the user posting content. Summary:
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before
2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote
attackers to bypass intended Alfresco Repository file restrictions by impersonating a
file's owner. Published: 3/24/2014 10:20:39 AM. CVSS Severity: 5.8 MEDIUM;
4. Bugtraq ID 37578: Joomla Module for Alfresco 'id_pan' Parameter SQL Injection
Vulnerability, in Joomla, not in Alfresco.

                                                                                                           
 
[13] https://github.com/fegorama/alfviral

 

Other Vulnerabilities
These were discovered through internal periodic auditing or reported by customers and have
been FIXED prior to the publication of this guide. This includes the following Alfresco
versions: 3.4.X, 4.0.X, 4.1.X and 4.2.X:
1. CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat DoS;
2. MNT-10540: Share: Remote code execution. The user has to be logged in;
3. MNT-10539: Parsing vulnerability in Xerces (Apache POI and Alfresco code);
4. MNT-11793: Port scanning of internal networks (proxy and cmisbrowser).


Hardening the Network and Operating System


Even if your Alfresco configuration is as secure as possible, an improperly configured
operating system will make your work useless. In this section, we will consider some items
to be taken into account.
In some cases, better security in an operating system means less usability. A good rule
of thumb is to reduce the privileges of the application on the operating system, if possible.

Network
In any enterprise architecture we can find different network elements. All of them must be
configured to protect the existing network resources. The following should be considered for
inclusion in the Alfresco security customization of firewalls: IDS, IPS, Antivirus, Web Application
Firewall, and DoS/DDoS protection devices.

OS Security
Use OS vendor-specific security recommendations (for all supported OS in Alfresco One 4.2.3):

• Red Hat Linux 6.4 [14]
• Sun Solaris 11.1 [15]
• Ubuntu 12.04 LTS [16]
• Suse 11.3 [17]
• Microsoft Windows Server 2012 [18]
• Microsoft Windows Server 2008 R2 [19]

[14] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
[15] http://docs.oracle.com/cd/E23824_01/html/819-3195/index.html
[16] https://help.ubuntu.com/12.04/serverguide/security.html
[17] https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html
[18] http://technet.microsoft.com/en-us/library/jj898542.aspx
[19] http://technet.microsoft.com/en-us/library/gg236605.aspx

At the OS level, the most important control to apply is the permissions on the files and
directories Alfresco uses, so that they are accessible only to the user who is running
Alfresco. Change file permissions to allow only the application user to see and write these
files and/or directories (i.e. Linux: chmod 0600 <path-to-file>):
• “alfresco-global.properties”
• “dir_root/contentstore”
• “dir_root/solr” or “dir_root/lucene-indexes”
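The permission rule above can be checked mechanically. The following is an added example, not part of the original guide or of Alfresco: it walks the listed paths and reports anything that group or other users can access. The function names and the temporary sample layout are constructed for illustration; note that directories need mode 0700 rather than 0600, because the owner needs the execute bit to traverse them.

```python
import os
import stat
import tempfile


def audit_private_paths(paths, owner_uid=None):
    """Return (path, problem) pairs for anything not private to the service user.

    Directories are walked recursively. Symbolic links are not followed.
    """
    findings = []
    for root in paths:
        if not os.path.lexists(root):
            findings.append((root, "missing"))
            continue
        targets = [root]
        if os.path.isdir(root) and not os.path.islink(root):
            for dirpath, dirnames, filenames in os.walk(root):
                targets += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for target in targets:
            try:
                st = os.lstat(target)
            except OSError as exc:
                findings.append((target, "cannot stat: %s" % exc.strerror))
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; audit its target instead
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                findings.append((target, "group/other access, mode %04o" % mode))
            if stat.S_ISDIR(st.st_mode) and mode & 0o700 != 0o700:
                findings.append((target, "owner cannot traverse, mode %04o" % mode))
            if owner_uid is not None and st.st_uid != owner_uid:
                findings.append((target, "owned by uid %d" % st.st_uid))
    return findings


def demo():
    """Build a constructed layout, audit it, fix the weak file, audit again."""
    with tempfile.TemporaryDirectory() as base:
        props = os.path.join(base, "alfresco-global.properties")
        store = os.path.join(base, "contentstore")
        content = os.path.join(store, "sample.bin")
        with open(props, "w") as handle:
            handle.write("# constructed sample file\n")
        os.mkdir(store)
        with open(content, "w") as handle:
            handle.write("constructed content\n")
        os.chmod(props, 0o644)    # weak: readable by every local user
        os.chmod(store, 0o700)    # correct for a directory
        os.chmod(content, 0o600)  # correct for a file
        uid = os.getuid()
        before = audit_private_paths([props, store], owner_uid=uid)
        os.chmod(props, 0o600)
        after = audit_private_paths([props, store], owner_uid=uid)
        return [(os.path.basename(p), msg) for p, msg in before], after


if __name__ == "__main__":
    weak, fixed = demo()
    for name, problem in weak:
        print("FINDING %s: %s" % (name, problem))
    print("findings after chmod 0600:", fixed)
```

Run it as the Alfresco service user and pass that user's uid as owner_uid so that files owned by other accounts are reported as well.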


 

Configuring Your Firewall


Your operating system firewall is a powerful line of defense for your server. Do not run
Alfresco without it. When configuring the firewall, you can use the same rule of thumb as
for all OS settings: block everything and then add privileges one at a time until you have
allowed the minimum amount of access required for your scenario.
When determining what traffic will be allowed, be sure to consider both inbound and outbound
activity. There is no reason to allow outbound activity via interfaces that you do not need.
These could potentially be exploited by malicious applications. For example, outbound HTTP
requests are often used by malware programs to communicate with operators.

Inbound Ports
The ports listed below can be considered for both server and network firewalls.

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137,138 | UDP | IN | Yes | |
| CIFS | 139,445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin | 8005 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to admin Solr, cert has to be installed in browser. Otherwise take it into account in case of using a dedicated Index Server. Alfresco repository server must have access to this port IN and OUT |
| NFS | 111,2049 | TCP/UDP | IN | No | This is the repository service NFS as VFS |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless it is necessary, do not open this port at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Traffic Ehcache RMI between cluster nodes before 4.2. |
| OpenOffice/JODconverter | 8100 | TCP | IN | Yes | It works in localhost, do not open it at the firewall |
 

Outbound ports
It is just as important to control all outbound traffic as it is to control inbound traffic.
This will prevent some intrusions by not allowing access to backdoors or malicious remote
sites.
Here is a list of all outbound traffic you may consider opening, depending on your security
policy and Alfresco deployment:

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc. then open this port from Alfresco to your corporate MTA. |
| DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB. |
| DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB. |
| DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB. |
| DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB. |
| DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB. |
| LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization. |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization. |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes. |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes. |
| Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as the content store. |
| Remote storage CIFS | 137,138; 139,145 | UDP; TCP | OUT | No | If a remote CIFS drive is used as the content store. |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as the content store |
| Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |
| Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using Alfresco Publishing Framework or Site blog publishing |
 

Port Redirect
When Alfresco is not running as root, it cannot listen on ports below 1024, so a local port
redirect must be performed in order to forward all incoming traffic from the standard port
to a non-standard port above 1024.
Here is an example of a local port redirect with iptables, for the FTP port, with Alfresco
configured to listen on port 2121 TCP:
# Redirect the standard FTP port to the unprivileged port Alfresco listens on
iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
# Accept the redirected connections; the INPUT chain sees the rewritten port (2121)
iptables -A INPUT -i eth0 -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT

Determining Minimum Privileges


The user you create to run Alfresco should be allowed only the minimum privileges required to
run the application server as required by your scenario. From a security standpoint, the
ideal user will only have permission to write logs and read files, period.
However, many users may find it necessary or convenient to allow the modification of start-up
scripts and configuration files, or the deployment of new versions for patches or hotfixes.
Whatever configuration you use, simply make sure that you are aware of the associated risks.
 


Alfresco Implementation Best Practices


Stay Current
Alfresco is a product in continuous evolution. Our customers and the community are improving
the software by recommending new features, finding bugs and suggesting solutions. The
easiest way to improve the security of your Alfresco platform is to keep your version up to
date. New bug fixes and security patches are added in every release. Alfresco also notifies
the Enterprise user and community members of major security threats and patches via the
Support Portal, email and forums. Always upgrade to the latest stable version of Alfresco, as
soon as possible, and read the Release Notes to be aware of the fixed security bugs.

Do Not Run the Application Server as Root


As stated above, when running any Internet or intranet service, it is always a good idea to
avoid running it as the root user, if possible. When installing the application server,
create a new user with a minimum set of privileges that will always run the application
server for you, as part of your configuration process.

Note that restricting privileges in this fashion can introduce problems with listening on
privileged ports. These are commonly solved in Linux by using the iptables tool to redirect
ports to non-privileged ones. See more in the next section.

Repository Level Security


Enable SSL
In production environments, enabling encryption is a must. In this section we will see how
to enable encryption in the most used Alfresco interfaces.

HTTP – HTTPS
There are different methods to implement SSL for the HTTP access to Alfresco Repository
(WebDAV, API and Admin Panel) and Alfresco Share. In most cases all methods are valid for
both Alfresco repository and Share web access.

We may classify three different methods depending on the Alfresco workload. All of the
methods may work for any sizing depending on the system tuning. This is just a best practice
for where to locate the SSL end point to avoid SSL CPU consumption that may affect the
Alfresco performance.

1. Low or reduced load, 10-100 concurrent sessions;
   a. Application server enabled SSL: depending on the application server vendor, this
      can be configured in different ways and it is extensively documented. Here is a
      list of resources to enable SSL in all our supported application servers:
      i. Apache Tomcat [20]
      ii. JBOSS [21]
      iii. Weblogic [22]
      iv. Websphere [23]

2. Medium load, 100-500 concurrent sessions;
   a. Apache, IIS or Nginx enabled SSL in a frontend-dedicated server.

3. High load, +500 concurrent sessions;
   a. SSL dedicated hardware appliance or other third party solutions.
 
Additionally, if Alfresco Share is in a separate layer from the Alfresco Repository, you may
want to encrypt any traffic between the two. Once HTTPS is enabled in both application
servers, just change the Alfresco Share configuration URLs that connect to the Alfresco
Repository in ${extensionRoot}/alfresco/web-extension/share-config-custom.xml and adapt all
<endpoint-url> values to your repository HTTPS URL.

NOTE: In any case, always enable HSTS (HTTP Strict Transport Security) to guarantee that
HTTPS is always used.

SharePoint Protocol
There are two ways to approach getting the Alfresco SharePoint Protocol to run over SSL and
avoid having to modify the Windows registry [24] to allow non-SSL connections from MS Office
(in both Windows and Mac).

• One way is to use the out of the box SSL certificate that Alfresco uses for
communications between itself and Solr, which is not recommended for production systems;
• The other is to generate a new certificate [25] and configure Alfresco to use it. If you
want to use a custom certificate, this is the option to use. The next steps were tested on
Alfresco 4.2 and should work in 4.2 as well for both Enterprise and Community.

There are instructions on how to enable SSL in the Alfresco SharePoint interface on the
official documentation portal [26].

[20] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
[21] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Implement_SSL_Encryption_for_the_JBoss_Enterprise_Application_Platform_Web_Server1.html
[22] http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm
[23] http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html
[24] http://support.microsoft.com/kb/2123563
 

IMAP – IMAPS
To enable SSL for the IMAP protocol implemented by Alfresco, which gives access to the
repository from an email client, follow the official documentation instructions [27] or
configure the IMAP subsystem in the Enterprise Admin Panel.

SMTP Inbound with TLS


Alfresco supports secure connections when it has SMTP inbound enabled. It can be set by
customizing the email subsystem [28] through alfresco-global.properties with the option
“email.server.enableTLS=true” and configuring the Java keystore [29], or in the Enterprise
Admin Console.

                                                                                                           
 
[25] http://docs.alfresco.com/4.2/tasks/SharePoint-HTTPS-setup.html
[26] http://docs.alfresco.com/4.2/tasks/SharePoint-SSL.html
[27] http://docs.alfresco.com/4.2/concepts/IMAP-subsystem-props.html
[28] http://docs.alfresco.com/4.2/concepts/email-inboundsmtp-props.html
[29] http://docs.alfresco.com/4.2/concepts/troubleshoot-inboundemail.html

 

SMTP Outbound with TLS


The SSL/TLS configuration for external emails sent by Alfresco to users (notifications,
invitations, etc.) depends on the features of the remote server, which has to support secure
connections. Configuration examples may be found on the official documentation portal [30]
and in the Enterprise Admin Panel as well.

                                                                                                           
 
[30] http://docs.alfresco.com/4.2/concepts/email-outboundsmtp-props.html


FTP – FTPS
The FTP interface implemented by Alfresco can also be configured in secure mode to encrypt
the communication between client and server. It has to be configured in the
alfresco-global.properties file by following the instructions in the official
documentation [31].

Connect to LDAP in Secure Mode with LDAPS


In order to enable SSL communication between the Alfresco repository and an LDAP server, SSL
has to be supported by the remote directory server. For SSL, you are required to switch the
port from 389 to 636.

NOTE: Ask your LDAP or Active Directory administrator before changing any Alfresco
configurations.

Hazelcast
SSL is not usually required here, but message communication between cluster nodes may be
encrypted [32].

Understanding Roles and Permissions


It is well known that Alfresco comes with a complex and very flexible permissions model.
Alfresco uses roles to determine what a user can and cannot do within a site and the content.
Each role is associated with permissions. Permissions apply to dashboards [33] and to
content [34]. By default, permissions applied to a node in the repository are inherited,
unless inheritance is deactivated.

[31] http://docs.alfresco.com/4.2/concepts/fileserv-ftp-props.html
[32] http://hazelcast.org/docs/latest/manual/html/ssl.html#encryption

Custom Roles
Creating a new role may be a common task when we are working with custom Alfresco
deployments. The process is easy; you just need to follow some steps [35]. Bear in mind that
the most important file, where the default roles are defined, is located in:
TOMCAT_HOME/webapps/alfresco/WEB_INF/classes/alfresco/model/permissionDefinitions.xml

Audit
The Audit Service provides a configurable record of actions and events. It collects
information and stores it in a simple database form. The Audit Service includes the ability
to audit system and user events, metadata changes and data stored in the Alfresco database.
In order to have the Audit feature enabled in Alfresco you need to add the following values
in the alfresco-global.properties [36] file:
 
audit.enabled=true
audit.sync.enabled=true
audit.tagging.enabled=true
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true

NOTE: If Alfresco Cloud Sync is used, audit.enabled and audit.sync.enabled must be true.
All auditing information is stored in the Alfresco database and has to be queried through
the API.
To check if the Audit feature is enabled in Alfresco and what is being audited:
# curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control
{
   "enabled" : true,
   "applications":
   [
      {
         "name": "Alfresco Sync Service",
         "path" : "/sync",
         "enabled" : true
      }
      ,
      {
         "name": "Alfresco Tagging Service",
         "path" : "/tagging",
         "enabled" : true
      }
      ,
      {
         "name": "RM",
         "path" : "/RM",
         "enabled" : true
      }
   ]
}

[33] http://docs.alfresco.com/4.2/references/permissions_share_other.html
[34] http://docs.alfresco.com/4.2/references/permissions_share_components.html
[35] https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
[36] http://docs.alfresco.com/4.2/tasks/audit-enable.html

Audit authentication has to be enabled by renaming the file
${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml.sample to
${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml. Then restart and
test the last authentications to Alfresco with a command like the one below:
# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1"

or, to see how many failed authentications were performed by the admin user:
# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1?verbose=true&user=admin"

More queries and information about auditing Alfresco can be found in the official
documentation [37].

Get to Know Logged Users


Thanks to the Alfresco Support Tools [38] module, available for the Enterprise Admin console,
an administrator can always check who is logged in to the system.

                                                                                                           
 
[37] http://docs.alfresco.com/4.2/concepts/audit-intro.html
[38] https://addons.alfresco.com/addons/support-tools-admin-console

 

Reset Admin Password


If the admin password is lost, there is a way to reset it to “admin” by changing the
database. First of all, look up the admin password field:
SELECT anp1.node_id, anp1.qname_id, anp1.string_value
FROM alf_node_properties anp1
INNER JOIN alf_qname aq1 ON aq1.id = anp1.qname_id
INNER JOIN alf_node_properties anp2 ON anp2.node_id = anp1.node_id
INNER JOIN alf_qname aq2 ON aq2.id = anp2.qname_id
WHERE aq1.local_name = 'password'
AND aq2.local_name = 'username'
AND anp2.string_value = 'admin';
+---------+----------+----------------------------------+
| node_id | qname_id | string_value |
+---------+----------+----------------------------------+
| 4 | 10 | 209c6174da490caeb422f3fa5a7ae634 |
+---------+----------+----------------------------------+
1 row in set (0.16 sec)
 
Note the node_id and qname_id values for later modification. Additionally,
“209c6174da490caeb422f3fa5a7ae634” is the MD4 hash value for “admin”. Now it can be set as
follows:
UPDATE alf_node_properties
SET string_value='209c6174da490caeb422f3fa5a7ae634'
WHERE
node_id=THE_NODE_ID_ABOVE and qname_id=THE_QNAME_VALUE_ABOVE;  
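The stored value is an unsalted hash, so the same password always produces the same string_value, and an admin row still holding the reset value is on a publicly known password. The following added example (not from the guide or from Alfresco's code) recomputes the hash and flags such a row. It assumes the value is MD4 over the UTF-16LE encoded password, which reproduces the hash quoted above; the function names are illustrative.

```python
import struct


def _rol(value, bits):
    """Rotate a 32-bit value left."""
    value &= 0xFFFFFFFF
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


# Per round: boolean function, additive constant, message word order, rotations.
_ROUNDS = (
    (lambda b, c, d: (b & c) | (~b & d), 0x00000000,
     (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data):
    """MD4 digest (RFC 1320) of a bytes object, in pure Python.

    hashlib often lacks MD4 on current OpenSSL builds, hence the local version.
    """
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_length = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data)) % 64)
    data += struct.pack("<Q", bit_length)
    for offset in range(0, len(data), 64):
        words = struct.unpack("<16I", data[offset:offset + 64])
        a, b, c, d = state
        for func, const, order, shifts in _ROUNDS:
            for step, k in enumerate(order):
                total = a + func(b, c, d) + words[k] + const
                # Rotating the register roles reproduces ABCD, DABC, CDAB, BCDA.
                a, b, c, d = d, _rol(total, shifts[step % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def stored_hash(password):
    """Assumed storage format: hex MD4 of the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le")).hex()


def uses_reset_password(string_value):
    """True if a string_value read from alf_node_properties is the hash of "admin"."""
    return string_value.strip().lower() == stored_hash("admin")


if __name__ == "__main__":
    row_value = "209c6174da490caeb422f3fa5a7ae634"  # value shown in the query output above
    if uses_reset_password(row_value):
        print("admin still has the reset password; change it before going live")
```

Feeding it the string_value returned by the SELECT above gives a quick post-reset check that the password was actually changed.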

Ticket Session Duration Control


When a third-party application connects, you may need a ticket. This ticket can be queried
by accessing http://localhost:8080/alfresco/service/api/login?u=admin&pw=admin
The length or duration of this authentication ticket can be configured with:
authentication.ticket.validDuration=PT1H
in the alfresco-global.properties file, which means 1 hour. Remember to use HTTPS to get the
ticket.


Disable Unneeded Services


All of these options can be added to the alfresco-global.properties file. Unless the
Alfresco Enterprise Admin Console is used to make the changes, a restart is required:

• Enable/Disable FTP:
ftp.enabled=false
• Enable/Disable CIFS:
cifs.enabled=false
• Enable/Disable IMAP:
imap.server.enabled=false
• Enable/Disable NFS:
nfs.enabled=false
• Enable/Disable Audit (do not disable it if Cloud Sync is used):
audit.enabled=true
• Enable the alfresco-access audit application:
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true
• Disable WebDAV:
system.webdav.servlet.enabled=false
• Disable SharePoint:
Uninstall the VTI module.
• Prevent replication from the server configuration:
replication.enabled=false
transferservice.receiver.enabled=false

Disable Guest User


• For  NTLM-­‐Default  (default  is  true):  
alfresco.authentication.allowGuestLogin=false
• For  pass-­‐through  (default  is  false):  
passthru.authentication.guestAccess=false
• For  LDAP/AD  (default  is  true):  
ldap.authentication.allowGuestLogin=false
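The service and guest-login settings listed in the two sections above can be checked against a deployed alfresco-global.properties. The following is an added example, not part of the guide or of Alfresco: it parses the file and reports every key whose effective value differs from the hardened one, including keys that are unset and fall back to a default the guide states. The baseline, the sample file and the function names are constructed for illustration; the WebDAV key uses false because the goal is to disable the servlet.

```python
import re

# Hardened values from the lists above; remove the services you actually use.
BASELINE = {
    "ftp.enabled": "false",
    "cifs.enabled": "false",
    "imap.server.enabled": "false",
    "nfs.enabled": "false",
    "system.webdav.servlet.enabled": "false",
    "replication.enabled": "false",
    "transferservice.receiver.enabled": "false",
    "audit.enabled": "true",
    "audit.alfresco-access.enabled": "true",
    # Each guest setting only matters if that authentication subsystem is in use.
    "alfresco.authentication.allowGuestLogin": "false",
    "passthru.authentication.guestAccess": "false",
    "ldap.authentication.allowGuestLogin": "false",
}

# Defaults the guide states explicitly; no other defaults are assumed here.
STATED_DEFAULTS = {
    "alfresco.authentication.allowGuestLogin": "true",
    "passthru.authentication.guestAccess": "false",
    "ldap.authentication.allowGuestLogin": "true",
}


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=' or ':' separators and
    single-backslash line continuations. The last assignment of a key wins."""
    props, buffer = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buffer and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            buffer += line[:-1]
            continue
        line, buffer = buffer + line, ""
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(text, baseline=BASELINE):
    """Return (key, effective_value, wanted_value, source) for each deviation.

    source is "set" (present in the file), "default" (unset, default stated in
    the guide) or "unset" (absent and no default known, so it cannot be judged).
    """
    props = parse_properties(text)
    findings = []
    for key, wanted in sorted(baseline.items()):
        if key in props:
            actual, source = props[key].lower(), "set"
        elif key in STATED_DEFAULTS:
            actual, source = STATED_DEFAULTS[key], "default"
        else:
            actual, source = None, "unset"
        if actual != wanted:
            findings.append((key, actual, wanted, source))
    return findings


# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
# alfresco-global.properties (constructed sample)
ftp.enabled=false
cifs.enabled = false
imap.server.enabled=false
nfs.enabled=false
system.webdav.servlet.enabled=true
replication.enabled=false
transferservice.receiver.enabled=false
audit.enabled=true
audit.alfresco-access.enabled=true
passthru.authentication.guestAccess=false
# a later duplicate silently re-enables FTP
ftp.enabled=TRUE
"""

if __name__ == "__main__":
    for key, actual, wanted, source in audit(SAMPLE):
        print("%s: effective %r (%s), hardened value %r" % (key, actual, source, wanted))
```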

Review Server Logs Periodically


The administrator should always keep an eye on the server logs along with the application
logs. Consider using a central logging server to manage logs easily and offload the server
I/O.

 

Change JMX Default Credentials


As you already know, Alfresco One can be accessed using JMX for configuration (RMI port
50500 TCP). This access is authenticated, but the credentials are public and must be changed
in order to avoid unauthorized access [39].

Get Control of Deleted Content


In terms of security control, it is imperative to know how Alfresco works when a content
item is deleted and also how content deletion works in Records Management (RM). Basic
content deletion is already very well explained in an Ixxus blog post [40], but there are
some differences in the database schema between Alfresco 4.1 and 4.2 worth noting, such as
the “alf_node” table having a field named “node_deleted” in versions 4.0 and earlier.

To develop a deep knowledge of Alfresco security and of how to configure Alfresco backup and
disaster recovery [41], you should first understand how the Alfresco repository manages the
lifecycle of a content item.

Node Creation
When a node is created, regardless of how it is uploaded or created (via the API, web UI, FTP, CIFS,
etc.), Alfresco will do the following:

1. Metadata properties are stored in the database in the logical store
workspace://SpacesStore (alf_node, alf_content_url among others).
2. The file itself is stored and renamed as a .bin file under
alf_data/contentstore/YYYY/MM/DD/hh/mm/url-id-of-the-file.bin
3. Next, depending on the indexing engine you choose, its index entries are created within Lucene
(alf_data/lucene-indexes/workspace/SpacesStore) or Solr
(alf_data/solr/workspace/SpacesStore).
4. Finally, in most cases, a content thumbnail is created as a child of the file created.

Node Deletion
There are two phases to node deletion:

Phase 1: A user or admin deletes a content item (sending it to the trashcan)


1. When someone deletes a content item, the content and its children (e.g. thumbnails) are
moved (archived) in the DB from workspace://SpacesStore to archive://SpacesStore.
Nothing else happens in the DB.

                                                                                                           
 
[39] http://docs.alfresco.com/4.2/tasks/jmx-access.html
[40] http://www.ixxus.com/blog/2011/09/alfresco-node-lifecycle
[41] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/


2. The actual content “.bin” file remains in the same location inside the contentstore
directory.
3. Finally, the indexes are moved from the existing location to the corresponding archive
(alf_data/lucene-indexes/archive/SpacesStore) or Solr
(alf_data/solr/archive/SpacesStore) depending on your index engine selection.

NOTE: A deleted node stays in the trashcan FOREVER, unless the user or admin either empties
the trashcan or recovers the file. This default behavior can be changed by using third-party
modules that empty the trashcan automatically on a custom schedule. See below for more
information on these modules.

The trashcan may be found at these locations:

Alfresco Share: User -> My Profile -> Trashcan (the admin user will see all users' deleted files; since
4.2 all users can also see and restore their own deleted files).
Alfresco Explorer: User Profile -> Manage Deleted Items (for all users).

Phase 2: Any user or admin (or trashcan cleaner) empties the trashcan:
1. The content is marked as an “orphan” and, after a pre-determined amount
of time elapses, the orphaned content item is moved from the alf_data/contentstore
directory to the alf_data/contentstore.deleted directory.
2. Internally, at the DB level, a timestamp (UNIX format) is added to the
alf_content_url.orphan_time field, and an internal process called
contentStoreCleanerJobDetail checks how long the content has been orphaned. If it
is more than 14 days old (system.content.orphanProtectDays option), the .bin file is
moved to contentstore.deleted.
3. Finally, another process purges all of its references in the database by running
nodeServiceCleanupJobDetail, and once the index knows the node has been removed,
the indexes are purged as well.

NOTE: Alfresco will never delete content in the alf_data/contentstore.deleted folder. It has to
be deleted manually or by a scheduled job configured by the system administrator. By default,
the contentStoreCleanerJobDetail runs every day at 4AM and checks the age of each orphan
node. If it exceeds system.content.orphanProtectDays (14 days), the content is moved to
contentstore.deleted.

Additionally, the nodeServiceCleanupJobDetail runs every day at 9PM and purges information
related to nodes that were deleted from the database.
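
Because nothing empties contentstore.deleted, the scheduled job mentioned in the note has to be supplied by the administrator. The script below is an added example of such a job, not code from the original guide or from Alfresco; the function name, the assumption that contentstore.deleted mirrors the YYYY/MM/DD/hh/mm layout of the contentstore, and the use of the file modification time to judge age are all assumptions of this sketch.

```python
import os
import time
from pathlib import Path


def purge_deleted_store(root, keep_days, now=None, dry_run=True):
    """Remove .bin files older than keep_days from a contentstore.deleted tree.

    Returns the sorted list of files selected. With dry_run=True (the default)
    nothing is removed, so the selection can be reviewed first.

    Guard rails:
      * the directory must be named contentstore.deleted and must not be a
        symlink, so a mistyped path can never touch the live contentstore;
      * symlinks inside the tree are neither followed nor removed;
      * only *.bin files are candidates.

    Age is taken from the file modification time (an assumption of this
    example; adjust if your retention period counts from another date).
    Removal is a plain unlink: the data blocks are not overwritten.
    """
    root = Path(root)
    if root.name != "contentstore.deleted" or root.is_symlink() or not root.is_dir():
        raise ValueError(f"refusing to purge {root}: not a contentstore.deleted directory")
    if keep_days < 0:
        raise ValueError("keep_days must be zero or positive")

    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    selected = []

    # Bottom-up walk so that emptied date directories can be pruned on the way.
    for dirpath, _dirnames, filenames in os.walk(root, topdown=False):
        directory = Path(dirpath)
        for name in filenames:
            path = directory / name
            if path.is_symlink() or path.suffix != ".bin":
                continue
            if path.stat().st_mtime < cutoff:
                selected.append(path)
                if not dry_run:
                    path.unlink()
        if not dry_run and directory != root and not any(directory.iterdir()):
            directory.rmdir()

    return sorted(selected)


if __name__ == "__main__":
    import sys

    # Usage: purge.py /path/to/alf_data/contentstore.deleted 30 [--delete]
    store, days = sys.argv[1], int(sys.argv[2])
    for removed in purge_deleted_store(store, days, dry_run="--delete" not in sys.argv[3:]):
        print(removed)
```

Run it without --delete first and compare the listing with your backup retention before scheduling it.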
 
Now that we understand how Alfresco works by default, let’s learn how to modify Alfresco’s
behavior in order to clean the trashcan automatically.

 

There are several third-party modules that can be used to achieve this, but I recommend the
Alfresco Trashcan Cleaner [42] by Alfresco’s very own Rui Fernandes.
Once the AMP is installed, you can use this sample configuration by copying it to the
alfresco-global.properties file:
 
trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=7
trashcan.deleteBatchCount=1000

The options above configure the cleaner to run every hour on the half hour. It removes
content from the trashcan and marks it as an orphan if it has been in the trashcan for more than
7 days, in batches of 1000 deletions every time it runs. To delete from the
trashcan without waiting any grace period, set the trashcan.daysToKeep property value to -1.

Questions and Answers About Content Deletion


Can I configure Alfresco to avoid using contentstore.deleted and ensure it really deletes a file
after the trashcan is cleaned?
Yes, this is possible by setting system.content.eagerOrphanCleanup=true in the
alfresco-global.properties file. Once the trashcan is emptied, the file will not be moved to
contentstore.deleted but will be deleted from the file system (contentstore). After that,
nodeServiceCleanupJobDetail will purge any related information from the database.

What is the recommended configuration for a production server?
This is something you have to figure out based on your backup and disaster recovery strategy [43].
If you have a proper backup strategy, you can offer your users a grace period of 30 days to
recover their own deleted documents from the trashcan. After the grace period, delete them
simultaneously from the trashcan and the file system. This can be achieved by installing the
previously mentioned trashcan-cleaner and with this configuration in the
alfresco-global.properties file:
 
system.content.eagerOrphanCleanup=true
trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=30
trashcan.deleteBatchCount=1000
 
What about Alfresco Records Management, does it work in the same way? How does record
destruction work?
In the Records Management world you don’t tend to delete documents as often as is done in
Document Management. When a content item is deleted from the RM file plan, it is considered

                                                                                                           
 
[42] https://code.google.com/p/alfresco-trashcan-cleaner/
[43] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/


to be a regular delete operation. This is rarely used and only done by RM admins when there is
some justifiable reason, such as correcting a mistake that requires a record to be removed.
The only difference is that the deleted record bypasses the archive store, hence it never goes to
the trashcan, and it is marked as an orphan once it is deleted. Then it will be moved to
contentstore.deleted after orphanProtectDays, or it is truly deleted if eagerOrphanCleanup is set
to true.

Destruction of a record works in the same way that a record is removed. This will bypass the
archive and immediately trigger the clean-up (eagerOrphanCleanup) process so the content
does not stay in the file system contentstore or contentstore.deleted.

As far as the metadata goes, there are two options. The first is that all the metadata (and
hence the node itself) is completely deleted. The alternate method cleans out all the content
but the node remains with only the metadata (called ghosting). In Alfresco RM versions prior
to 2.2, this was a global configuration value (rm.ghosting.enabled=true). In 2.2 it can be
defined on the destroy step of the disposition schedule: “Maintain record metadata after
destroy”.
 

 

Figure 1: Content deletion diagram

Wipe Content
As we have seen, Alfresco offers different ways to delete content. It is important to remember that,
even if Alfresco completely deletes content, as when using the destroy option in RM or
eagerOrphanCleanup, Alfresco will not wipe the removed content from the physical
storage. It can therefore be recovered with file system recovery tools. Wiping a deleted content
item may vary depending on multiple factors, from file system type to hardware configuration,
etc. If you want to guarantee a real physical wipe of a file in your file system, third-party
software must be used to “zero out” the corresponding disk sectors. The specific tools depend
on the operating system type, hardware, etc.

Share Level Security


Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
Based on the OWASP project definition, Cross-Site Request Forgery (CSRF) is a type of attack
that occurs when a malicious web site, email, blog, instant message, or program causes a user’s
web browser to perform an unwanted action on a trusted site for which the user is currently
authenticated.


 
You can configure CSRFPolicy in Alfresco Share to prevent CSRF attacks that allow malicious
requests to be unknowingly loaded by a user.

You can configure the CSRF filter to run with third-party plugins and to stop specific repository
services from being accessible directly through the Share proxy.

See the official documentation to apply the prevention procedure [44].

Security Filters and Clickjacking Mitigation in Alfresco Share


As per the OWASP definition, clickjacking, also known as a "UI redress attack", is when an attacker
uses multiple transparent or opaque layers to trick a user into clicking on a button or link on
another page when they were intending to click on the top level page. Thus, the attacker is
"hijacking" clicks meant for their page and routing them to another page, most likely owned by
another application, domain, or both.

You can configure a security filter, SecurityHeadersPolicy, that mitigates clickjacking attacks in
Alfresco Share.

See the official documentation to apply the prevention procedure [45].

Iframes and Phishing Attack Mitigation in Alfresco Share


You can configure IFramePolicy to protect users against a phishing attack, which attempts to
acquire information such as user names or passwords by simulating a trustworthy entity.

Alfresco allows you to control which domain pages or content are included in Share by creating a
whitelist of allowed domains. A whitelist is a list of email addresses or IP addresses that are
considered to be safe for use within your organization.

See the official documentation to apply the prevention procedure [46].

Share HTML Processing Black/White List


Alfresco Share has a number of features to protect against XSS attacks. One of the
most aggressive features is the automatic processing of 3rd party HTML (wiki, blog, forum) to
“sanitize” or “strip” out unwanted HTML tags and attributes before rendering in the page.

                                                                                                           
 
[44] http://docs.alfresco.com/4.2/concepts/csfr-policy.html
[45] http://docs.alfresco.com/4.2/concepts/security-policy.html
[46] http://docs.alfresco.com/4.2/concepts/iframe-policy.html

 

Since Alfresco 3.4.9, 4.0.2 and newer, it is possible to fully configure the black/white list of
HTML tags and attributes that the HTML stripping process will use. The default black/white list
is available in
{TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/slingshot-application-context.xml.
It can be overridden with a file called custom-slingshot-application-context.xml, which is
generally found in {TOMCAT_HOME}/shared/classes/alfresco/web-extension.
More information is available in the Alfresco corporate blog [47].

Site Creation Control


In some circumstances, you may need to prevent users other than administrators or specific
group members from creating sites. There are different ways to accomplish this using public
resources [48].

Filter Document Actions by User or Role


You may restrict the visibility of document action items for different Share site/user roles by
modifying:
• {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml
• {TOMCAT_HOME}/shared/classes/alfresco/web-extension/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml

For example, to make the document action “Delete” visible to the “admin” user only, modify
the action you want to hide from anyone but the admin by adding 'permission="admin"'. For
example, change the document-actions.get.config.xml file from:
 
<action type="action-link" id="onActionDelete" permission="delete"
label="actions.document.delete" />

to:  
 
<action type="action-link" id="onActionDelete" permission="admin"
label="actions.document.delete" />
 
Additionally, you may use the tables below as a reference when there is a requirement to
customize document actions per site role, for example to add, remove, or hide certain
document action(s) for certain site role(s) with permission="<symbol>".

Site role-based Visibility

                                                                                                           
 
[47] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[48] https://forums.alfresco.com/forum/end-user-discussions/alfresco-share/disable-create-site-link-42-community-01102013-1306


| Symbol | Site Role |
|---|---|
| # | Admin/Site Manager |
| * | Collaborator |
| % | Contributor/Consumer |

 
<actionSet id="document">: Default OOTB permission level for Document Action components.
Information is extracted from Enterprise 3.4.6, file
{TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml:

| Action Name | Action id | Permission | Corresponding label name | Visible to |
|---|---|---|---|---|
| Download | id="onActionDownload" | <global, no specific permission required> | label="actions.document.download" | %;*;# |
| View in Browser | id="onActionView" | <global, no specific permission required> | label="actions.document.view" | %;*;# |
| Edit Metadata | id="onActionDetails" | permission="edit" | label="actions.document.edit-metadata" | *;# |
| ? | id="onActionSimpleApprove" | permission="simple-approve" | label="actions.document.simple-approve" | n/a |
| ? | id="onActionSimpleReject" | permission="simple-reject" | label="actions.document.simple-reject" | n/a |
| Upload New Version | id="onActionUploadNewVersion" | permission="edit" | label="actions.document.upload-new-version" | *;# |
| Inline Edit | id="onActionInlineEdit" | permission="edit,inline-edit" | label="actions.document.inline-edit" | *;# |
| Edit Online | id="onActionEditOnline" | permission="edit,online-edit" | label="actions.document.edit-online" | *;# |
| Edit Offline | id="onActionEditOffline" | permission="edit,~googledocs-edit" | label="actions.document.edit-offline" | *;# |
| ? | id="onActionCheckoutToGoogleDocs" | permission="edit,googledocs-edit" | label="actions.document.checkout-google" | *;# |
| Copy to… | id="onActionCopyTo" | <global, no specific permission required> | label="actions.document.copy-to" | %;*;# |
| Move to… | id="onActionMoveTo" | permission="delete" | label="actions.document.move-to" | # |
| Delete Document | id="onActionDelete" | permission="delete" | label="actions.document.delete" | # |
| Start Workflow | id="onActionAssignWorkflow" | <global, no specific permission required> | label="actions.document.assign-workflow" | %;*;# |
| Manage Permission | id="onActionManagePermissions" | permission="permissions" | label="actions.document.manage-permissions" | # |
| Manage Aspect | id="onActionManageAspects" | permission="edit" | label="actions.document.manage-aspects" | *;# |

Filter workflow by role/group


Alfresco Share doesn’t have the ability to filter or control the list of workflows shown to a
user or group; by default, all available workflows are shown to every user. There are different ways
to get this done, based on filters in share-config-custom.xml and also on third-party developments
that control the workflow list [49].

Change default Share session timeout


You may need to reduce or increase the default session timeout for Alfresco Share user
cookies, which is 60 minutes. Edit {TOMCAT_HOME}/webapps/share/WEB-INF/web.xml and
change the following lines; a restart is needed:
<session-config>
<session-timeout>60</session-timeout>
</session-config>

                                                                                                           
 
[49] https://addons.alfresco.com/addons/workflow-permissions


Architecture deployment best practices


Sample architecture diagrams and protection tips for Alfresco installed on-premises and in
AWS.

Frontends
In this section we will see a tip on how to protect some resources in Alfresco using a custom
frontend server such as Apache, Nginx or HAProxy.

Good practice is to always front Share and Alfresco with a web server
(Apache/Nginx/HAProxy) and to run the application server so that it can only be accessed by the
web server. If this is all on one node, have the application server listen only on localhost and have
the web server forward to localhost. In a multi-tiered environment, only allow access to
the Share and Alfresco tier from the web node tier via iptables.

In order to force all Alfresco cookies to be secure instead of httponly, use a web server to
rewrite the cookies. Example of an HAProxy configuration to do it:
# Set all cookies to be Secure.
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if !secured_cookie
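
To verify the rewrite from captured response headers, the added example below (not part of the original guide or of HAProxy) parses each Set-Cookie value into attributes and lists the cookies that still lack Secure. It also models the ACL above as a plain substring test over a response's Set-Cookie values, which is an assumption about how the rule is evaluated, and runs it on constructed responses where that test is satisfied although a cookie has no Secure attribute.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    first, *rest = value.split(";")
    name, _, cookie_value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def substring_test(set_cookie_values):
    """Model of the ACL above (assumption): true when any lower-cased
    Set-Cookie value of the response contains the text 'secure'."""
    return any("secure" in value.lower() for value in set_cookie_values)


def missing_secure(set_cookie_values):
    """Names of the cookies whose attribute list has no Secure flag."""
    return [name
            for name, _, attrs in map(parse_set_cookie, set_cookie_values)
            if "secure" not in attrs]


def add_secure(value):
    """Append '; Secure' to one Set-Cookie value unless the attribute is present."""
    if "secure" in parse_set_cookie(value)[2]:
        return value
    return value.rstrip().rstrip(";") + "; Secure"


def review(set_cookie_values):
    """Compare the substring test with per-cookie parsing for one response."""
    return {
        "substring_test": substring_test(set_cookie_values),
        "missing_secure": missing_secure(set_cookie_values),
        "rewritten": [add_secure(value) for value in set_cookie_values],
    }


# Constructed Set-Cookie values for three responses (not captured traffic).
PLAIN = ["JSESSIONID=0A1B2C; Path=/share; HttpOnly"]
MIXED = ["JSESSIONID=0A1B2C; Path=/share; HttpOnly",
         "demo_token=xyz; Path=/share; Secure"]
LOOKALIKE = ["demo_pref=insecure-banner-dismissed; Path=/share"]

if __name__ == "__main__":
    for label, response in (("plain", PLAIN), ("mixed", MIXED), ("lookalike", LOOKALIKE)):
        result = review(response)
        print(label, "substring test:", result["substring_test"],
              "missing Secure:", result["missing_secure"])
```

A response for which substring_test is true while missing_secure is not empty is one to inspect after the frontend rule is deployed.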

Protect Alfresco API URL and proxy (Apache, Nginx, etc.)


Webscript URLs should be accessed only by localhost applications (Alfresco Explorer and Share)
and known third-party applications. To deny access from all other networks to the Alfresco tier
data Webscripts (you can do the same for Share if needed), set up a frontend web
server as follows:

Apache:
<Location /alfresco/service/*>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>

<Location /share/service/*>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>

<Location /alfresco/proxy>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>

 

<Location /alfresco/cmisbrowser>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>

Nginx:  
location ~ ^/(alfresco|share)/service/ {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}

location ~ ^/alfresco/proxy {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}

location ~ ^/alfresco/cmisbrowser {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}

Where 1.2.3.4 and 1.2.3.5 are our applications or networks.

Single tier
Alfresco installed all on one server, using an external database and external storage for the
content store. Always use dedicated network interfaces, i.e. 3 NICs for service, backend, and
administration and backup:


Two tiers
 

 

Three tiers
 

 
Another real-world diagram with details:
 


 
 

AWS deployments
Example of a multi-tier deployment and different layers of security:

 

Backup and Disaster recovery


Please refer to the existing Backup and Disaster Recovery White Paper presented at the
Alfresco Summit 2013 [50].

                                                                                                           
 
[50] https://summit.alfresco.com/cmis/views/workspace%253A%252F%252FSpacesStore%252F2a6f08b9-e026-4674-b81a-cac234491d9f


Mobile Security
File Protection
Encrypts files stored on the device when it is locked. It has to be enabled in the mobile
application settings. It is only available in Alfresco Mobile if it is connected to an Alfresco One
server or Alfresco in the Cloud.

HTTPS
Enable the HTTPS connection if it is available on the server side. Alfresco in the Cloud has HTTPS
support by default.

Certificate Authentication
Certificate authentication can be enabled from the mobile client side.

MDM
At the time this guide is written, there is one solution to implement MDM with Alfresco:

Alfresco for Good (iOS)


The Alfresco for Good mobile app provides a secure connection, secure storage and policy
enforcement when accessing business-critical documents stored in Alfresco One on premise
from anywhere. Alfresco for Good 1.0 includes the following features:
• Secure access to on premise Alfresco repository based on existing user privileges
• Full access to repository structure including collaboration sites
• Easy favoriting and joining of sites
• Activity feed for repository
• File exchange via Good For Enterprise
• Local storage of files for offline viewing
NOTE: Existing version is only compatible with iOS 7.

MobileIron (Android)
Alfresco and MobileIron provide an end-to-end secure solution to access critical content stored
on premise, in the cloud or both, as well as to run key workflows to make things happen on the go.
Alfresco is an enterprise-grade solution that can reliably mobilize hundreds to millions of
documents. Alfresco is open, so you can retain control, and customizable, so you can build the
solutions you need.
• Secure access to Alfresco One repository based on existing user privileges
• Full access to repository structure including collaboration sites
• Activity feed

 

• File exchange within the MobileIron ecosystem
• Local sync of files for offline viewing of up to date files
• Initiate or take part in workflows such as “Review and Approve”
NOTE: Alfresco is working on a new MobileIron app for Android and iOS. No release date at
this moment.

Additional information
For enterprise Android users, Alfresco Mobile 1.4 is available in the Samsung KNOX store.
Working with other MDM vendors like Symantec Sealed (Android) and Citrix Worx.


Security Compliance and Standards


A very common question about Alfresco and security is related to standards. In this section we
will review some standards related to security and how Alfresco addresses
them. For more information about other standards and security in Alfresco Cloud, please visit
this site [51].

DOD5015.2
Alfresco Records Management is certified to the DoD 5015.02 baseline standard. The Alfresco
RM solution has been implemented on top of a flexible records management metadata model,
allowing other standards (such as MoReq2010, NOARK, etc.) to be supported. [52]
From the security standpoint, Alfresco RM has additional security features like:
• Specific roles related to RM tasks
• Web-based role manager to view, modify or delete existing roles and create new ones
• Web-based audit tool to make reports about any action on any record, folder, category
in the File Plan
• Users, groups and roles reports
• Different behavior for record deletion and record destroy than deletion in DM. See the
section about deletion in this document.

OWASP
In Alfresco we use the OWASP guides extensively in development and have a tool that scans
all code nightly and ensures compliance with the OWASP top ten. Here is a list of comments about
the OWASP top 10 [53]:
1. A1 - Injection: Alfresco uses prepared non-dynamic statements and variable binding
using the ORM framework 'myBatis', which prevents SQL injection. Alfresco Share uses a
white-list to strip potential danger from submitted content with mime-types of
Javascript or HTML. Note: For HTML content submission, unsafe content is stripped on
display, not storage. Summary: OOTB Alfresco is secured against injection attacks.
2. A2 - Broken Authentication and Session Management: This is normally an issue in
home-grown authentication frameworks, but all Alfresco custom development and
configuration passes through its own authentication framework, which is based on the
Spring Security (Acegi) framework. Summary: OOTB Alfresco has a robust
authentication and session management subsystem, however there may be weaknesses
                                                                                                           
 
[51] http://www.alfresco.com/products/cloud/security-data-privacy
[52] http://blogs.alfresco.com/wp/understanding-the-facts-dod-5015-certification
[53] https://www.owasp.org/index.php/Top_10_2013-Top_10

 

if the following processes are not followed: 1) Only use SSL encryption for all access; 2)
Integrate with LDAP membership services (or, if using Alfresco native user
management, enable an additional Alfresco customisation for password-expiry and
complexity requirements); 3) Potential to permanently disable 'invite external user'
capabilities.
3. A3-Cross-Site Scripting (XSS): See 'Configuring the Share HTML processing black/white
list' [54]. Summary: OOTB Alfresco is secured against XSS attacks. Pre go-live checks must
ensure that configuration changes have not disabled this security feature. Check the
vulnerability list in this document and new XSS threats.
4. A4-Insecure Direct Object References: Content-object access is only allowed through
the Alfresco API, which ACL-checks all content-based requests against the current
authenticated session user. Summary: OOTB Alfresco is secured against direct access
and the manipulation of references.
5. A5-Security Misconfiguration: Default passwords are stored for JMX, and installation
passwords are stored as well. Summary: OOTB Alfresco does not encrypt the initial admin
password, the JMX read and write passwords and the DB connection password. When using the
Alfresco internal DB for users, their passwords are stored in MD4.
6. A6-Sensitive Data Exposure: We do not typically store user-sensitive information in
Alfresco. Summary: OOTB Alfresco is secure from exposure of sensitive data. This
assumes correct ACL/permission application and that the server has not been
compromised, allowing direct access to the underlying file-system.
7. A7-Missing Function Level Access Control: Alfresco enforces 'roles' and
group-membership to define the function access that a user may have. Summary: OOTB
Alfresco is secured against function level access control. Security ACL checks against role
and group occur on the server, not just to hide or expose UI elements.
8. A8-Cross-Site Request Forgery (CSRF): See 'Introducing the CSRFPolicy in Alfresco
Share' [55]. OOTB Alfresco is secured against CSRF attacks. Pre go-live checks must ensure
that configuration changes have not disabled this security feature.
9. A9-Using Components with Known Vulnerabilities: According to the Alfresco public
JIRA, there are no known exploitable components used by Alfresco. An audit of
every third-party component should be done to confirm this. Alfresco recommends
the latest security-patched version of Alfresco and its supported components, as well as of the
OS, Java, Application Server and DB server. Summary: OOTB Alfresco is secure, at the
time of writing. Best practice should include the patching of dependent components
with the latest security patches as they become available. Typical components to
consider for an ongoing patch policy: Operating System RHEL/CentOS/Win2008R2;
Database MySQL/Oracle/MSSQL; Java updates; third-party out-of-process command-line
tools (anything outside the JVM sandbox such as Open Office / ImageMagick, etc.).
                                                                                                           
 
[54] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[55] http://blogs.alfresco.com/wp/ewinlof/2013/03/11/introducing-the-new-csrf-filter-in-alfresco-share/


10. A10-Unvalidated Redirects and Forwards: Alfresco allows the display of user-defined hyperlinks, potentially to external websites, but these are not forwards or redirects. Alfresco Share does allow the arbitrary embedding of IFrames within the UI, either through the 'web view' dashlet or within custom developed code, and this does need protection. This risk is mitigated with the introduction of the 'IFramePolicy'. See 'Introducing the IFramePolicy in Alfresco Share' [56]. The default configuration allows any page to be iframed. Summary: OOTB Alfresco is not secure against non-validated redirection. However, a simple configuration change enforces the security.
The Alfresco software engineers take the OWASP security standard into account by using a software plugin [57] that defines a list of vulnerabilities that can occur in any software project. It provides rules engines to find violations that can be matched with many OWASP vulnerabilities, allowing us to know the security level reached.

HIPAA
The US Government “Health Insurance Portability and Accountability Act” can be applied or adopted by Alfresco, taking into account the considerations below:

• Audit everything (who accessed, when accessed and what). Alfresco does it and stores everything in the DB.
• Encrypt PHI. This is not a requirement, but it avoids reporting in case of information loss (a lost backup tape, for example). Alfresco does it with encrypted metadata by using the property called “d:encrypted” in the data model, and by encrypting the backup as well.
• Encrypt content (encryption at rest). As a normal recommendation, the backup should be encrypted.
• For the index, a best practice is to encrypt the backup, or not to back it up at all, to avoid losing a backup tape and having to report it. The index can be rebuilt if needed.
• Disable the Quick Share feature in Share.
• Enable HTTPS.
• Optionally: retention policies (they may vary depending on the US state), which can be implemented with Alfresco RM.

                                                                                                           
 
[56] http://blogs.alfresco.com/wp/ewinlof/2013/03/12/introducing-the-iframepolicy-in-alfresco-share/
[57] http://www.excentia.es/plugins/owasp/caracteristicas_en.html

   

 

FISMA
FISMA   compliance   is   a   mandate   against   the   operating   environment   where   Alfresco   may   be  
deployed.  The  application  is  not  subject  to  any  specific  certification,  but  may  be  monitored  as  
part  of  a  FISMA  security  plan.  

FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a unified, government-wide risk management program focused on large outsourced and multi-agency systems. FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security and monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.
 
Alfresco's traditional products (Alfresco One, Activiti, etc.) are not directly subject to FedRAMP authorization; rather, the customer is responsible for validating that their Alfresco deployment specifically complies with the different FedRAMP requirements. This applies to both on-prem and cloud-hosted deployments.
 
At   the   moment,   Alfresco   has   not   made   any   specific   commitment   to   obtain   FedRAMP  
authorization  for  Alfresco  in  the  Cloud  or  any  future  SaaS  products.  

ISO 27001
ISO   27001   is   an   international   standard   published   by   the   International   Standardization  
Organization  (ISO),  and  it  describes  how  to  manage  information  security  in  a  company.  
 
The Alfresco application is not subject to this certification, but it may be used as the main repository for document centralization and management: creation, review and approval, distribution, categorization, usage and updates of the documents and records.

PCI Data Security Standard


This section is a quick, point-by-point approach highlighting some of the PCI-DSS requirements and how Alfresco may assist in compliance.
 
• Alfresco uses standard TCP/IP connectivity with common protocols such as https (encrypted for security), allowing organizations to easily integrate with existing firewalls and other intrusion detection/prevention services.
• Alfresco provides default database names and accounts for simple deployment. These are usually set up upon first launch of Alfresco. However, to meet the needs of requirements such as PCI-DSS, these can be simply overridden through a configuration file change, allowing the organization to create uniquely named databases and database accounts. We have well-documented methods for performing this task. Integration with enterprise database systems allows DBAs to enable encrypted writes directly into database tables without modifying Alfresco in any way.
• Alfresco’s Records Management Module allows for compliance management for data retention, such as retention and disposition schedules, auditing of access to records, destruction and data deletion, as well as event triggers, eDiscovery and so forth.
• Alfresco can be configured to use strong SSL encryption for https connections, allowing for encryption of data in flight once authorized access to that data has been approved via Alfresco’s Authentication, Authorization and Permissions Management subsystems.
• Alfresco stores files as their native data streams and metadata in the database. This can be integrated with standard corporate antivirus applications to ensure compliance.
• As has already been said in this guide, Alfresco takes security very seriously and has a rigorous vulnerability detection program, working with third-party security organizations to perform penetration testing. Alfresco has a process in place to then quickly patch, test, release and inform Alfresco One customers of any breaches.
• Alfresco provides a complete authentication and authorization subsystem along with a granular permissions management system that can be integrated with corporate directory services to enable secure user access only to data they have been authorized to see. Management can be performed at the individual user level or by group membership. This allows an organization to easily develop role-based access to data and content.
• All users have a unique ID, whether granted by the corporate directory service or internally for users that are not part of the directory structure. Alfresco has a complete auditing subsystem that can be incorporated into enterprise reporting applications.
• Alfresco provides a complete auditing subsystem that tracks reads and writes to all content and metadata within the repository. This auditing mechanism can be integrated with enterprise reporting tools, or custom interfaces (e.g. web) and delivery methods (email, RSS feeds, etc.) can be built and maintained.
 
 
 
 
 

 

Appendix I: Security Checklist


Alfresco  Security  Check  List  
This is a list of basic checks to perform in any Alfresco production deployment. In a cluster, these checks should be passed on all nodes. Please read this document first in order to understand all the checks below:
Server Name: ____________________________________
Server IP Address: ________________________________
☐ Last Service Pack / Hot fix of the Alfresco existing version installed
☐ Changed default admin password
☐ If Linux, run the application server as a non-root user
☐ Changed the default JMX passwords for controlRole and monitorRole
☐ Switched to SSL all required services using a custom/owned certificate (not default cert):
    ☐ HTTP / Webdav / API
    ☐ Enable HSTS
    ☐ Force secure cookies
    ☐ SharePoint Protocol
    ☐ IMAP
    ☐ FTP
    ☐ SMTP INBOUND
    ☐ SMTP OUTBOUND
    ☐ Solr (SSL by default), if in separate tier
    ☐ If clustered: JGroups or Hazelcast (optional)
    ☐ Alfresco JDBC to DB communication (optional)
    ☐ Check certificate strength
☐ Change file permissions to allow only the application user to see and write these files and/or directories (i.e. Linux: chmod 0600 <path-to-file>):
    ☐ “alfresco-global.properties”
    ☐ “dir_root/contentstore”
    ☐ “dir_root/solr” or “dir_root/lucene-indexes”
☐ Alfresco and application server logs are all in the same directory, with the proper security permissions and log rotation configured (app server logs, alfresco.log, share.log, solr.log)
☐ If Alfresco is connected to the internet, remove the Alfresco banner in the Share login page
☐ If LDAP, AD or third party authentication is enabled, any communication between Alfresco and the authentication server is through SSL (i.e. 636 TCP for LDAPS).
☐ If Alfresco Replication Service is needed:
    ☐ Use HTTPS
    ☐ Do not replicate with “admin” user
☐ Disabled unneeded services
☐ Enabled audit if required
☐ Disabled guest user
☐ Backup and Disaster Recovery software configured and tested for indexes, db, contentstore, installation, configuration and customization files
☐ Deleted files under control
    ☐ The trashcan has to be emptied manually or install trashcancleaner
    ☐ Configured Alfresco to delete files from file system when the trashcan is emptied (eagerCleaner)
    ☐ A shell script to delete contentstore.deleted once a week
☐ Local and network firewalls are properly configured for both inbound and outbound traffic
☐ Monitoring services availability through JMX with solutions like Hyperic, Nagios or JMelody
☐ Encryption at rest is enabled (available in Alfresco One 5.0)
☐ Passwords in properties files are encrypted (available in Alfresco One 5.0)
☐ Check “file-servers-custom.xml” permissions if Kerberos is configured
☐ Check FSTR configuration files permissions if it is configured (it has a password inside)
☐ Embedded metadata is still in every file; clean this before content leaves Alfresco, to prevent information leaks through metadata
☐ API, services and Share proxy accesses are protected
☐ In case of integration with third party applications, establish a dedicated Alfresco authenticated user versus using the admin user
☐ CSRF is enabled in Alfresco Share (default)
☐ Alfresco Share IFramePolicy is configured as “deny”
☐ Enable SecurityHeadersPolicy in Share, which mitigates clickjacking attacks
☐ Configure HTML processing black/white lists (optional)
☐ Custom error page created at web server or application server level (optional)
☐ Use a network IDS on top of Alfresco server (optional)
☐ Use a Web Application Firewall on top of Alfresco (optional)
☐ Use an antivirus solution at the server side or through communication and an Advanced Threat Protection System (optional)
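
The file-permission items in the checklist above can be verified with a script instead of by eye. The following is an added example, not part of the original guide or of Alfresco: `audit_private` and `audit_checklist` are hypothetical helper names, and the location of alfresco-global.properties, the dir_root value and the optional application user are passed as arguments because they differ per installation.

```shell
#!/bin/sh
# Added example (not from the Alfresco guide): audit the checklist item
# "allow only the application user to see and write these files and/or
# directories". Function names and arguments are assumptions of this example.

# audit_private PATH [OWNER]
# Lists every file or directory at or below PATH that grants any permission
# bit to group or other, or (when OWNER is given) is not owned by OWNER.
# Directories need the owner execute bit to be traversable, so 0700
# directories and 0600 files both pass.
# Returns 0 if clean, 1 if something fails, 2 if PATH is missing.
audit_private() {
    target=$1
    owner=${2:-}
    if [ ! -e "$target" ]; then
        echo "MISSING  $target"
        return 2
    fi
    # "-perm -NNN" is POSIX: true when all bits in NNN are set, so each
    # group/other bit is tested on its own.
    set -- -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001
    if [ -n "$owner" ]; then
        set -- "$@" -o ! -user "$owner"
    fi
    # Symlinks are skipped: their own mode bits are not meaningful.
    loose=$(find "$target" ! -type l \( "$@" \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/FAIL     /'
        return 1
    fi
    echo "OK       $target"
    return 0
}

# audit_checklist PROPERTIES_FILE DIR_ROOT [APP_USER]
# Runs audit_private over the three paths named in the checklist. The index
# directory is dir_root/solr when present, otherwise dir_root/lucene-indexes.
# Returns 0 only when all three paths pass.
audit_checklist() {
    props=$1
    dir_root=$2
    app_user=${3:-}
    failures=0
    if [ -d "$dir_root/solr" ]; then
        index_dir=$dir_root/solr
    else
        index_dir=$dir_root/lucene-indexes
    fi
    for p in "$props" "$dir_root/contentstore" "$index_dir"; do
        audit_private "$p" "$app_user" || failures=$((failures + 1))
    done
    echo "$failures of 3 checklist paths failed"
    [ "$failures" -eq 0 ]
}

# Stand-alone use:
#   sh audit.sh /path/to/alfresco-global.properties /path/to/dir_root [app_user]
if [ "$#" -ge 2 ]; then
    audit_checklist "$@"
fi
```

A missing path counts as a failure, so a wrong dir_root argument is reported rather than silently passing.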


Appendix II: Third Party Libraries included in Alfresco


Alfresco embeds third party libraries in the product and it is important to consider them for
Security and Compliance reasons.
Third Party Software (as of 4.2.x)
• Apache 1.1 variant License
    o Xpp3 http://www.extreme.indiana.edu/xgws/xsoap/xpp/
• Apache 1.1 - License
    o Avalon framework http://avalon.apache.org/framework/
    o Spring Modules http://springmodules.java.net/
• Apache 2.0 - License
    o Abdera http://projects.apache.org/projects/abdera.html
    o Acegi http://sourceforge.net/projects/acegisecurity/
    o Activiti http://www.activiti.org/index.html
    o Alfresco Open CMIS http://code.google.com/a/apache-extras.org/p/alfresco-opencmis-extension/
    o Ant http://ant.apache.org/
    o Axiom http://ws.apache.org/axiom/
    o Axis https://axis.apache.org/axis/
    o Batik http://xmlgraphics.apache.org/batik/
    o Bcel http://commons.apache.org/proper/commons-bcel/
    o Bsf http://commons.apache.org/proper/commons-bsf/
    o Boilerpipe https://code.google.com/p/boilerpipe/
    o Catalina http://tomcat.apache.org
    o cglib http://cglib.sourceforge.net/
    o Apache Chemistry http://www.apache.org/
    o Apache-mime http://james.apache.org/mime4j/index.html
    o Apache CXF http://cxf.apache.org/
    o ehcache http://ehcache.sourceforge.net/
    o Fast Infoset Project https://fi.java.net/
    o fop http://xmlgraphics.apache.org/fop/
    o Google Data Java Client Library http://code.google.com/p/gdata-java-client/
    o Geronimo http://geronimo.apache.org/
    o Greenmail http://www.icegreen.com/greenmail/readme.html
    o Groovy http://groovy.codehaus.org/
    o guess encoding http://docs.codehaus.org/display/GUESSENC/Home
    o hazelcast http://www.hazelcast.com/index.jsp
    o ibatis http://ibatis.apache.org/
    o jakarta-oro http://jakarta.apache.org/oro/
    o Jackson http://wiki.fasterxml.com/JacksonDownload
    o Jcr http://jackrabbit.apache.org/
    o joda-time http://joda-time.sourceforge.net/
    o jstl http://tomcat.apache.org/taglibs/standard/
    o livetribe http://livetribe.codehaus.org/
    o log4j http://logging.apache.org/log4j
    o lucene http://lucene.apache.org
    o metadata-extractor http://code.google.com/p/metadata-extractor/
    o myfaces http://myfaces.apache.org/
    o naming http://tomcat.apache.org
    o Neethi http://ws.apache.org/commons/neethi/
    o opensaml http://www.opensaml.org/
    o OpenSSL http://www.openssl.org/
    o pdfbox http://pdfbox.apache.org/
    o POI http://poi.apache.org/legal.html
    o Spring Framework http://www.springsource.com/download/community?sid=453581
    o Quartz resolver http://quartz-scheduler.org/
    o Rome https://rometools.jira.com/wiki/
    o shale http://shale.apache.org/
    o Spring.net http://www.springframework.net/
    o STAX http://camel.apache.org/stax.html
    o XML Commons Apache http://xml.apache.org/commons/
    o Xalan-j http://xml.apache.org/xalan-j/
    o Xerces2-j http://xerces.apache.org/xerces2-j
    o XML Beans http://xmlbeans.apache.org/news.html
    o XML Graphics http://xmlgraphics.apache.org/
    o SMTP http://subethasmtp.tigris.org/project_license.html
    o Apache Tika
    o wss4j http://ws.apache.org/wss4j/
    o WoodStox http://woodstox.codehaus.org/
    o commons-resolver http://svn.apache.org/viewvc/xml/commons/tags/xml-commons-resolver-1_2/LICENSE?view=markup
    o RPC http://ws.apache.org/xmlrpc/project-info.html

 

    o XML Schema http://ws.apache.org/commons/XmlSchema
    o Xmlsec http://santuario.apache.org/
    o Solr http://lucene.apache.org/solr/
    o vorbis https://github.com/Gagravarr/VorbisJava
• BSD License
    o Antlr v3 http://www.antlr.org
    o ASM http://asm.ow2.org/
    o Bubbling http://www.bubbling-library.com/
    o CSS Boilerplate http://code.google.com/p/css-boilerplate/
    o dom4j http://dom4j.sourceforge.net/
    o fontbox http://xmlgraphics.apache.org/fop/
    o FreeMarker http://freemarker.sourceforge.net/
    o jibx-* http://jibx.sourceforge.net
    o jta http://java.sun.com/products/jta/
    o libfreetype http://www.freetype.org/
    o libgif http://giflib.sourceforge.net/
    o libjpeg http://libjpeg.sourceforge.net/
    o libpng http://www.libpng.org/
    o libtiff http://www.libtiff.org/
    o libz http://zlib.net/
    o nunit http://www.nunit.org/
    o One-Jar http://sourceforge.net/projects/one-jar
    o PostgreSQL http://www.postgresql.org
    o STAX Utils http://stax-utils.java.net/
    o Tuckey URL rewriter http://tuckey.org/urlrewrite/manual/3.0/introduction.html
    o Xmpcore http://www.adobe.com/devnet/xmp.html
    o Xstream YUI http://xstream.codehaus.org/license.html
    o YUI http://yuilibrary.com/
• CDDL
    o JaxB http://jaxb.java.net/
    o jaxrpc http://jax-rpc.java.net/
    o JAXWS http://jax-ws.java.net/
    o mail http://glassfish.java.net/javaee5/mail/
    o MIME pull http://mimepull.java.net/
    o SAAJ http://saaj.java.net/
    o StAXExtendedAPI http://stax-ex.java.net/
    o xml-apis http://jaxp.java.net/
• Commercial license
    o Bitrockinstaller http://bitrock.com/
• CPL 1.0 License
    o htmlparser http://htmlparser.sourceforge.net/
    o Junit http://sourceforge.net/projects/junit/
    o wsdl4j http://sourceforge.net/projects/wsdl4j
• Creative Commons Attribute License
    o JSTextReader AS3 http://creativecommons.org/licenses/by/3.0/us/legalcode
• Dojo Licensing, BSD & Academic
    o Dojotoolkit http://dojotoolkit.org/
• Eclipse Public License
    o Wikipedia http://sourceforge.net/projects/plog4u/
    o TrueLicense http://truelicense.java.net/
    o truezip http://truezip.java.net/
• Free Software
    o icu4j http://icu-project.org/
    o json http://www.json.org/java/
    o netcdf http://www.unidata.ucar.edu/software/netcdf/copyright.html
• GPL Affero GPL
    o GhostScript http://www.ghostscript.com/
• GPL V2
    o ncurses http://www.gnu.org/software/ncurses/
    o libiconv http://www.gnu.org/software/libiconv/
    o libstdc++ http://gcc.gnu.org/libstdc++/
• GPL V3
    o SWF Tools http://wiki.swftools.org
• Imagemagick
    o Imagemagick http://www.imagemagick.org/script/license.php
• LGPL 2.1
    o hibernate http://www.hibernate.org/
    o htmlparser http://htmlparser.sourceforge.net/
    o JBPM http://www.opensource.org/licenses/lgpl-license.php
    o Jgroups http://www.jgroups.org/
    o jid3lib http://jid3lib.java.net/
    o jug-lgpl http://mvnrepository.com/artifact/org.safehaus.jug/jug/2.0.0
    o libwmf http://wvware.sourceforge.net/libwmf.html
    o PDF Renderer http://java.net/projects/pdf-renderer
    o TinyMCE http://tinymce.moxiecode.com/tinymce/docs/license.html
• LGPL 3.0
    o jayrock http://jayrock.berlios.de/
    o Jmagick http://sourceforge.net/projects/jmagick/
    o JODConverter http://jodconverter.sourceforge.net/
    o jTDS Project http://jtds.sourceforge.net/license.html
    o Jut.jar http://www.openoffice.org/licenses/lgpl_license.html
    o OpenOffice http://www.openoffice.org/license.html
• Microsoft Redistributable
    o Microsoft Visual C++ 2008 Redistributable Package
• MIT License
    o bcmail-jdk http://www.bouncycastle.org/
    o bcprov-jdk http://www.bouncycastle.org/
    o facebook http://code.google.com/p/facebook-java-api/
    o Jutf7 http://jutf7.sourceforge.net/license.html


    o Mockito http://www.opensource.org/licenses/mit-license.php
    o SLF4J http://www.slf4j.org/license.html
    o Mootools http://docs.mootools.net/
• MPL
    o rhino-js http://www.mozilla.org/rhino/
    o juniversalcharsetdet http://juniversalchardet.googlecode.com/
• ODMG License http://www.odbms.org/ODMG/OG/wrayjohnson.aspx
    o odmg http://www.odmg.org/wrayjohnson.htm
• Oracle Binary Code License Agreement
    o activation http://www.oracle.com/technetwork/java/jaf11-139815.html
    o Oracle JDK http://www.oracle.com/technetwork/java/javase/terms/license/index.html
• Public Domain License
    o AOP Alliance http://aopalliance.sourceforge.net/
    o hrtlib http://www.javaworld.com/javaqa/2003-01/01-qa-0110-timing.html
    o XZ http://tukaani.org/xz/java.html
• Sun Public License
    o BSH http://www.beanshell.org/
• XAM
    o XAM Connector http://www.emc.com/products/detail/software/centera-sdk-xam.htm

Alfresco has modified the source code of the following third party libraries. Below is the list of modified modules and corresponding licenses. The svn diff files with the details of the changes can be found in the following location: root/projects/3rd-party/src.

• Apache2
    o acegi commons http://sourceforge.net/projects/acegisecurity/
    o dbcp http://jakarta.apache.org/commons/
    o Apache CXF http://cxf.apache.org/
    o Greenmail http://www.icegreen.com/greenmail/readme.html
    o jslideshare http://code.google.com/p/jslideshare/
    o pdfbox http://pdfbox.apache.org/
    o POI http://poi.apache.org/legal.html
    o mybatis http://code.google.com/p/mybatis/
    o quartz http://quartz-scheduler.org/
    o Apache Tika http://lucene.apache.org/tika/license.html
    o TrueLicense https://truelicense.dev.java.net/
    o wss4j http://ws.apache.org/wss4j/
    o Spring Surf http://www.springsource.com/download/community
• Artistic (BSD style)
    o chiba http://sourceforge.net/projects/chiba
• BSD
    o FreeMarker http://freemarker.sourceforge.net/
    o YUI http://developer.yahoo.com/yui/
    o jibx http://jibx.sourceforge.net/jibx-license.html
• LGPL 3.0
    o JODConverter http://jodconverter.sourceforge.net/
• LGPL 2.1
    o hibernate http://www.hibernate.org/
    o PDF Renderer http://java.net/projects/pdf-renderer
• MPL
    o rhino-js http://www.mozilla.org/rhino/

 