Alfresco Security Best Practices: Guide

Guide
Alfresco Security Best

Practices

Copyright 2014 by Alfresco and others.
Information in this document is subject to change without notice. No part of this document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, for
any purpose, without the express written permission of Alfresco. The trademarks, service
marks, logos, or other intellectual property rights of Alfresco and others used in this
documentation ("Trademarks") are the property of Alfresco and their respective owners. The
furnishing of this document does not give you license to these patents, trademarks, copyrights,
or other intellectual property except as expressly provided in any written agreement from
Alfresco.
The United States export control laws and regulations, including the Export Administration
Regulations of the U.S. Department of Commerce, and other applicable laws and regulations
apply to this documentation which prohibit the export or re-‐export of content, products,
services, and technology to certain countries and persons. You agree to comply with all export
laws, regulations, and restrictions of the United States and any foreign agency or authority and
assume sole responsibility for any such unauthorized exportation.
You may not use this documentation if you are a competitor of Alfresco, except with Alfresco's
prior written consent. In addition, you may not use the documentation for purposes of
evaluating its functionality or for any other competitive purposes.
This copyright applies to the current version of the licensed program.
ii
Document History
VERSION DATE AUTHOR DESCRIPTION OF CHANGE
0.1 23-Jul-14 Toni de la Fuente Initial version

0.2 16-Sept-14 Toni de la Fuente Version to review
0.3 18-Sept-14 Toni de la Fuente Added Steve Rigby and Pete
Philips suggestions
0.4 23-Sept-14 Toni de la Fuente Added architecture info and
made corrections. Sent to
grammar review.
0.5 2-Oct-14 Toni de la Fuente Added Martin Kappel corrections
0.6 2-Oct-14 Toni de la Fuente Made Kimberly Watson grammar
and style corrections
1.0 2-Oct-14 Toni de la Fuente Version to release
iii
Table of contents
INTRODUCTION ............................................................................................................................. 1
AUDIENCE .......................................................................................................................................... 1
RELATED PUBLICATIONS ..................................................................................................................... 1
HOW TO READ THIS GUIDE.................................................................................................................. 2
DISCLAIMER AND SCOPE ..................................................................................................................... 2
ALFRESCO SECURITY POLICY ............................................................................................................. 2
Release of Security Notifications .................................................................................................................................... 3
Severity Levels ............................................................................................................................................................... 3
Reporting a Security Issue to Alfresco ........................................................................................................................... 4
COMPONENTS TO CONSIDER ............................................................................................................... 4
THE EXTERNAL AND INTERNAL PERSPECTIVE......................................................................... 5
EXTERNAL THREATS ........................................................................................................................... 5
Discovery, Information Gathering and Information Leaks .............................................................................................. 5
Brute Force Username and Passwords Attacks ............................................................................................................. 7
MITM Attacks ................................................................................................................................................................. 8
DOS and DDOS ............................................................................................................................................................. 8
Viruses ........................................................................................................................................................................... 9
VULNERABILITIES ASSESSMENT ........................................................................................................... 9
Public Vulnerabilities ...................................................................................................................................................... 9
Other Vulnerabilities ..................................................................................................................................................... 10
HARDENING THE NETWORK AND OPERATING SYSTEM ........................................................ 11

NETWORK ........................................................................................................................................ 11
OS SECURITY .................................................................................................................................. 11
CONFIGURING YOUR FIREWALL ......................................................................................................... 12
Inbound Ports ............................................................................................................................................................... 12
Outbound ports ............................................................................................................................................................. 13
Port Redirect ................................................................................................................................................................ 14
DETERMINING MINIMUM PRIVILEGES .................................................................................................. 14
ALFRESCO IMPLEMENTATION BEST PRACTICES ................................................................... 15
STAY CURRENT ................................................................................................................................ 15
DON NOT RUN THE APPLICATION SERVER AS ROOT ........................................................................... 15
REPOSITORY LEVEL SECURITY .......................................................................................................... 15
Enable SSL .................................................................................................................................................................. 15
Understanding Roles and Permissions ........................................................................................................................ 19
Custom Roles ............................................................................................................................................................... 20
Audit ............................................................................................................................................................................. 20
Reset Admin Password ................................................................................................................................................ 22
Ticket Session Duration Control ................................................................................................................................... 22
Disable Unneeded Services ......................................................................................................................................... 23
Disable Guest User ...................................................................................................................................................... 23
Review Sever Logs Periodically ................................................................................................................................... 23
Change JMX Default Credentials ................................................................................................................................. 24
Get Control of Deleted Content .................................................................................................................................... 24
Node Creation .............................................................................................................................................................. 24
Node Deletion ............................................................................................................................................................... 24
Questions and Answers About Content Deletion ......................................................................................................... 26
Wipe Content ................................................................................................................................................................ 28
SHARE LEVEL SECURITY ................................................................................................................... 28
Cross-Site Request Forgery (CSRF) Filters in Alfresco Share .................................................................................... 28
Security Filters and Clickjacking Mitigation in Alfresco Share ...................................................................................... 29
Iframes and Phishing Attack Mitigation in Alfresco Share ............................................................................................ 29
Share HTML Processing Black/White List .................................................................................................................... 29
Site Creation Control .................................................................................................................................................... 30
Filter Document Actions by User or Role ..................................................................................................................... 30
Filter workflow by role/group ........................................................................................................................................ 32
Change default Share session timeout ........................................................................................................................ 32
iv
ARCHITECTURE DEPLOYMENT BEST PRACTICES ................................................................. 33
Frontends ..................................................................................................................................................................... 33
Single tier ..................................................................................................................................................................... 34
Two tiers ....................................................................................................................................................................... 35
Three tiers .................................................................................................................................................................... 36
AWS deployments ........................................................................................................................................................ 37
BACKUP AND DISASTER RECOVERY ................................................................................................... 38
MOBILE SECURITY ...................................................................................................................... 39
FILE PROTECTION ............................................................................................................................ 39
HTTPS ........................................................................................................................................... 39
CERTIFICATE AUTHENTICATION ......................................................................................................... 39
MDM .............................................................................................................................................. 39
Alfresco for Good (iOS) ................................................................................................................................................ 39
MobileIron (Android) ..................................................................................................................................................... 39
Additional information ................................................................................................................................................... 40
SECURITY COMPLIANCE AND STANDARDS............................................................................. 41

DOD5015.2 .................................................................................................................................... 41
OWASP.......................................................................................................................................... 41
HIPAA ............................................................................................................................................ 43
FISMA ............................................................................................................................................ 44
FEDRAMP ...................................................................................................................................... 44
ISO 27001 ...................................................................................................................................... 44
PCI DATA SECURITY STANDARD ....................................................................................................... 44
APPENDIX I: SECURITY CHECKLIST .......................................................................................... 46
APPENDIX II: THIRD PARTY LIBRARIES INCLUDED IN ALFRESCO .......................................... 1

5
Alfresco Security Best Practices
Introduction
This guide is intended to fill a need for Alfresco administrators to have a collection of tips for
enhancing the security of their implementation. If you are concerned about the security of
your content, this guide is specifically written for you.

This guide addresses the security of an Alfresco implementation from two different views:
• Threat view: We will identify how a potential attacker could exploit security issues with
the installation;
• Administrator view: We will discuss how an administrator can prevent and protect an
installation.
Audience
This document is intended for the Alfresco Enterprise customer and partner network with
special focus on technical teams, such as Enterprise Architecture, Development, Support, and
Operations. As it requires a deep understanding of the architecture, components, and
technologies involved in the operations of the Alfresco platform. The ideal reader should hold
an Alfresco Certified Engineer (ACE) or Alfresco Certified Administrator (ACA) certification.
More details on the certifications can be found at http://university.alfresco.com.
Related Publications
For some recommendations an official link will be provided. Furthermore here is a list of source
of information related to Alfresco and this guide:
• Alfresco Security Policy1
• Alfresco Cloud Security Policy2
• Alfresco in the Cloud Security White Paper3
• Alfresco Backup and Disaster Recovery White Paper4
• Alfresco Security Best Practices talk in Alfresco Devcon 20125

1
http://docs.alfresco.com/support/concepts/su-‐external-‐security-‐policy.html
2
http://docs.alfresco.com/support/concepts/su-‐external-‐security-‐policy-‐cloud.html
3
http://www2.alfresco.com/l/1234/2012-‐08-‐07/374w8d/1234/151131/Alfresco_in_the_cloud_Security.pdf
4
http://bit.ly/1lvNkcz
5
http://bit.ly/1rBtOme

1
How to Read this Guide

This guide tries to accommodate two needs: (1) having a handy reference on how to secure the
most common services and subsystems in Alfresco and (2) providing some background on
Alfresco security. Understanding the Alfresco internals is essential if the reader wants to
achieve a proper application hardening.
Most of the advice and best practices included in this guide are based on Alfresco One version
4.2.
Disclaimer and Scope

This guide specifically does not address physical security, the protection of software and
hardware against new exploits, basic IT security housekeeping, information assurance
techniques, traffic analysis attacks, issues with key rollover and key management, securing
client PC’s and mobile devices (theft or loss), proper Operations Security, social engineering
attacks, protection against tempest attack techniques, jamming the encrypted channel or other
similar attacks, which are typically employed to circumvent strong encryption.
Alfresco Security Policy

When a security issue is discovered, Alfresco will do the following:
1. Send it directly to the subject matter expert to evaluate the scope and severity of the
issue;
2. Issue one or more versions, whatever is required, to resolve the security breach as soon
as possible;
3. Inform our customers and partners that this version is available.

The version(s) where a particular security issue is resolved will depend on the scope and
severity of the issue, and may include:
1. A maintenance release for the last major version;
2. A hot fix for the last major versions;
3. Hot fixes for older maintained versions.

Example 1: A security issue is discovered in Alfresco v4.1.2, which is unlikely to be exploited.
Alfresco will:
• Ensure that the next release, Alfresco 4.1.3, fixes the issue.

Example 2: A security issue is discovered in Alfresco v4.1.2, which could be exploited. Alfresco
will:
• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue a hot fix for Alfresco v3.4, if applicable, as soon as possible;
• Ensure the next release, Alfresco v4.1.3, fixes the issue.

2
Example 3: A security issue is discovered in Alfresco v4.1.2, which is being exploited. Alfresco
will:
• Issue a hot fix for Alfresco v4.1.2 as soon as possible;
• Issue a hot fix for Alfresco versions 3.0, 3.1, 3.2, 3.3, 3.4 and 4.0 as soon as possible;
• Ensure the next release, Alfresco v4.1.3, fixes the issue.
Release of Security Notifications

When a security issue in an Alfresco product is found and fixed, Alfresco notifies customers in a
number of ways:
• If this is a blocker issue with a workaround, Alfresco sends a critical security alert email
to all customers warning of the issue and providing the workaround. A second critical
security alert will then be sent which includes details for the fixed version(s).
• If this is a blocker issue without a workaround, Alfresco releases the version containing
the fix and then sends a critical security alert email to all customers.
• For all other severity issues, Alfresco releases the version containing the fix and then
sends a security alert email to all customers.
For all issues, there will be a security notice posted within the support portal at the same time
the version with the fix is released.
Severity Levels
Alfresco classifies security vulnerabilities by severity, on a case by case basis, using common
sense and the examples shown here as a guideline.
High 
A vulnerability is classified as High severity if any of the following hold true:
• Customer data can be compromised;
• The server running the application can be compromised;
• A Denial of Service (DoS) rendering the system unavailable;
• The vulnerability was discovered externally, is known about externally, or is being
actively exploited.

Medium  
A vulnerability is classified as Medium severity if any of the following hold true:
• It would otherwise be High severity but it was discovered internally and/or is not
believed to be known externally;
• It is a less serious vulnerability such as a XSS or CSRF.

Low
• A vulnerability is classified as Low severity for vulnerabilities which only pose a marginal
or insignificant risk.

3
NOTE: Alfresco has an internal SLA to resolve vulnerabilities based on the severity classification
mentioned above.
Reporting a Security Issue to Alfresco

Please report all security issues by logging a support case via the support portal. If you do not
have access to the support portal, please email support@alfresco.com to ensure that the
information is reported to Alfresco. This is essential so that the security issue does not enter
into the public domain prematurely.
Components to Consider
As has been stated above in this document, there are different components that may affect
application security. Below is a list of components that need to be considered, from the physical
environment to the software:

1. Facilities;
2. Physical security;
3. Network infrastructure;
4. Virtual and/or physical infrastructure;
5. Network configuration;
6. Firewall;
7. Operating System;
8. JVM and Application Server;
9. Alfresco;
10. People;
11. Process.

This guide mostly deals with Alfresco security. Additional security tips and guidelines are
included for components that are directly related to Alfresco security and maintenance, such as
JVM, and application server, operating system, and firewall security.
4
The External and Internal Perspective

External Threats
If an Alfresco installation is exposed to the Internet it could potentially be the target of different
types of attacks. In this section we list activities that can be used by an attacker to discover
information pertaining to an Alfresco installation. For example, this information might include
the application server, operating system and content items.
Discovery, Information Gathering and Information Leaks

Before performing an intrusion, an attacker may need to gather target information in order to
enumerate devices, hostnames, domains or subdomains, ports, protocols, services, applications
and even usernames or passwords.

As Alfresco is mostly an Intranet or Extranet service, it can be configured to be connected
directly to the Internet. In this case, an Alfresco installation may be discovered using many
different techniques. Of the hundreds of tools available for discovery and information
gathering, we will highlight some well-‐known resources below:

• Google and Bing: With a simple search we can find some servers that are exposed.
https://www.google.com/?q=%222005-
2014+Alfresco+Software+Inc.+All+rights+reserved.%22
• Shodan6: This is a device search engine based on using ports and service headers or
banner.
https://www.shodan.io/search?query=%22alfresco%22+server+port%3A8080
• FOCA7: This is a graphic tool (Windows) that utilizes the Google and Bing search engines
and DNS records to retrieve metadata from the documents that are available in the
target domain. It searches for usernames, software versions and server or machine
names.

• Metagoofil: This is a command line tool (Linux) that utilizes the Google search engine to
retrieve metadata from the documents that are available in the target domain. It
searches for usernames, software versions and server or machine names.

6
http://www.shodanhq.com/
7
http://www.informatica64.com/foca.aspx

5
• theharvester: This is a command line tool (Linux) that looks for email accounts,
usernames, hostname and subdomain by using Google, Bing, LinkedIn, Shodan and
more.

• Maltego: This is an open source intelligence and forensics application. It allows you to
mine and gather information from public resources and then represent the information
in a meaningful way.

• Nmap port scanning: It is used to determine the state of TCP and UDP ports for the
target host, among other network protocols.

• Other manual tasks:
Banner read to a Tomcat server:
# echo -e "HEAD / HTTP/1.0\n\n" | nc 192.168.11.129 8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close

Test done to Alfresco Share:
# echo -e "HEAD /share/page/ HTTP/1.0\n\n" | nc 192.168.11.129 8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close

In addition to all the threats described above, these tools are also useful for gathering
information from files. It is well known that most content items contain information about
themselves inside their own files, their metadata. Besides the file name, photos will have
information about the camera and even geo-‐localization. MS Office, Open/LibreOffice or PDF
documents may store user names, network resources, email address and other useful
information for a potential intrusion test. Some of these properties are extracted automatically
by Alfresco in order to populate its own database, but the properties are still being stored in
the file itself. If Alfresco publishes these documents externally or the files are being accessed
from portals, emails, etc., then we need to add protection in order to prevent information
leaks.

6
Protection
• Use an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Host IDS,
Advanced Threat Protection Systems and Web Application Firewall to mitigate some of
these scans;
• The Alfresco banner can be removed from the Alfresco Share login page;
• Filter the access to Alfresco resources through a specific network or IP address. Refer to
the Architecture section in this document;
• Clean document metadata before distributing them. Alfresco can do this for you with
an easy customization. Tools for metadata cleaning include: ExifTool, OOMetaExtractor8,
MS Office 2003 & XP9 or BatchPurifier. Demo and tools are available on the Alfresco
DevCon 2012 site10;
• Remove the application server and web server versions. For example, the default
ErrorReportValve includes the Tomcat version number in the response that is sent to
clients. To avoid this, custom error handling can be configured within each web
application. Alternatively, you can explicitly configure an ErrorReportValve and set its
showServerInfo attribute to false. The version number can also be changed by creating
the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with the
following content:

server.info=My App Server
Brute Force Username and Passwords Attacks

Passwords are one of the easiest elements that can be attacked in order to gain access to a
system. Case in point, Alfresco stores usernames and passwords, which are hashed and not
stored as plain text anywhere on the system. In most corporate environments, Alfresco is
usually connected to a user directory like LDAP or Active Directory which would be responsible
for managing passwords or controlling any kind of attack against them.
Below is an example of dictionary based cracking to a WebDAV service with the Hydra tool (a
very fast network logon cracker which support many different services):
# hydra -L usernames.txt -P passwords.txt -u -s 8080 -m 'http://127.0.0.1'
127.0.0.1 http-get

8
http://www.codeplex.org/oometaextractor
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-‐42ca-‐bc7b-‐5446d34e5360
9
10
http://devcon.alfresco.com/speakers/toni-‐de-‐la-‐fuente

7
Protection
• Implement a password rotation and strength policy11.
• Implement error login threshold to prevent brute force or dictionary attacks, and a
count of consecutive password failures. This is on your LDAP side or third party
authentication system, and in most cases can be prevented by configuration. In some
well-‐known LDAP servers there is an attribute called “pwdMaxFailure” in order to
control this behavior. NOTE: Prevent against DOS attacks by locking all accounts.
MITM Attacks
Man in the middle attacks can be performed in many different ways depending on the
deployment architecture. For instance, having a four tier architecture with a web server or a
load balancer in front of Alfresco, Index Server and a database server. An MITM attack can be
performed between the users and webserver, the webserver and Alfresco, Alfresco and Index
Server and finally between Alfresco and the database server. The way to prevent these types of
attacks from happening is to use encrypted and authenticated communications.
Protection
• A secure architecture design in layers and with protection;
• Out of the box Alfresco provides encryption and authentication between Alfresco
repository and Index Server. Authentication is also provided for the users to connect to
the DB but encryption is not. In this case, it is extremely important to consider enabling
encryption at least for the end user communications;
• Check your security certificate strength12 and tweak your SSL settings until you get an A
grade or above.
DOS and DDOS

If the Alfresco server is facing the Internet there is a risk of being the target of a Denial of
Service or a Distributed Denial of Service attack. A layer of protection should be added to guard
against this.
Protection
• Use traditional firewall techniques to limit the attack surface for potential attackers.
Deny traffic to and from the source of the destination of the attack. Manage the list of
allowed destination servers and services. Manage the list of allowed sources of traffic,
ports, and protocols.;
• Use web application firewalls to inspect web packet traffic;

11
https://howsecureismypassword.net/ and https://secure.packetizer.com/pwgen/

12
https://www.ssllabs.com/ssldb/analyze.html
8
• Use IDS/IPS systems to prevent statistical or behavioral attacks and signature-‐based
algorithms to detect network attacks and Trojans;
• Get control of ICMP and TCP SYN to prevent flooding;
• Consider using vendor solutions like AWS, Akamai, DOS Arrest, Incapsula, etc.
•
Viruses
Since viruses can be found in most kinds of content, an antivirus solution must be deployed
throughout all infrastructure tiers, from client desktops to servers. Alfresco is fully compatible
with any antivirus software that executes on a server or through the communication layer. This
guarantees that no infected content is stored or accessible through the platform.
Protection
There is a third party module available for Alfresco called Alfviral13. This can be used inside the
repository to trigger an analysis of a given content. It can also be used to check virus signatures
against databases like VirusTotal or ClamAV solutions. The use of Advanced Threat Protection
Systems are also recommended.
Vulnerabilities Assessment
Public Vulnerabilities
Related to Alfresco since first version 2005:
1. SEC Consult SA-‐20140716-‐0 (MNT-‐11793): Multiple SSRF vulnerabilities. FIXED in all
major versions;
2. CVE-‐2014-‐2939: Summary: Multiple cross-‐site scripting (XSS) vulnerabilities in Alfresco
Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML
via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to
share/page/task-‐edit. Published: 6/2/2014 3:55:03 PM. CVSS Severity: 4.3 MEDIUM;
3. CVE-‐2014-‐0125: Moodle integration using the session key in the file URL allowing
anyone with the link to steal the identity of the user posting content.Summary:
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before
2.5.5, and 2.6.x before 2.6.2. Places a session key in a URL, which allows remote
attackers to bypass intended Alfresco Repository file restrictions by impersonating a
file's owner. Published: 3/24/2014 10:20:39 AM. CVS Severity: 5.8 MEDIUM;
4. Bugtraq ID 37578: Joomla Module for Alfresco 'id_pan' Parameter SQL Injection
Vulnerability in Joomla not in Alfresco.

13
https://github.com/fegorama/alfviral

9
Other Vulnerabilities
These were discovered due to internal periodic auditing or reported by customers and have
been FIXED prior to the publication of this guide. Includes the following Alfresco versions:
3.4.X, 4.0.X, 4.1.X and 4.2.X:
1. CVE-‐2014-‐0050: Apache Commons FileUpload and Apache Tomcat DoS;
2. MNT-‐10540: Share: Remote code execution. User has to be logged;
3. MNT-‐10539: Parsing vulnerability in Xerces (Apache POI and Alfresco code);
4. MNT-‐11793: Port scanning internal networks (proxy and cmisbrowser) .
10
Hardening the Network and Operating System

Even if your Alfresco configuration is as secure as possible, a non-‐properly configured operating
system will make your work useless. In this section, we will consider some items to be take into
account.
In some cases the better the security in an Operating System means less usability. A good rule
of thumb is to reduce privileges to the application on the operating system, if possible.
Network
In any enterprise architecture we can find different network elements. All of them must be
configured to protect the existing network resources. The following should be considered for
inclusion in the Alfresco security customization of firewalls: IDS, IPS, Antivirus, Web Application
Firewall, and DoS/DDoS protection devices.
OS Security
Use OS Vendor specific security recommendations (for all supported OS in Alfresco One 4.2.3):

• Red Hat Linux 6.414
• Sun Solaris 11.115
• Ubuntu 12.04 LTS16
• Suse 11.317
• Microsoft Windows Server 201218
• Microsoft Windows Server 2008 R219

At the OS level, permissions for access to Alfresco are the most important components that
must be applied. This is in order to allow them to only be accessible to the user who is running
Alfresco. Change file permissions to allow only the application user to see and write these files
and/or directories (i.e. Linux: chmod 0600 <path-‐to-‐file>): “alfresco-‐global.properties”
• “dir_root/contentstore”

14
https://access.redhat.com/documentation/en-‐US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
15
http://docs.oracle.com/cd/E23824_01/html/819-‐3195/index.html
16
https://help.ubuntu.com/12.04/serverguide/security.html
17
https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html
18
http://technet.microsoft.com/en-‐us/library/jj898542.aspx
http://technet.microsoft.com/en-‐us/library/gg236605.aspx
19

11
• “dir_root/solr” or “dir_root/lucene-‐indexes”

Configuring Your Firewall

Your operating system firewall is a powerful line of defense for your server. Do not run Alfresco
without it. When configuring the firewall, you can use the same rule of thumb as for all OS
settings, block everything and then add privileges one at a time until you have allowed the
minimum amount of access required for your scenario.
When determining what traffic will be allowed, be sure to consider both inbound and outbound
activity. There is no reason to allow outbound activity via interfaces that you do not need.
These could potentially be exploited by malicious applications. For example, outbound HTTP
requests are often used by malware programs to communicate with operators.
Inbound Ports
Port listed below can be considered for both server and network firewall.
Protocol/Service Port TCP/UDP IN/OUT Active Comments

HTTP 8080 TCP IN Yes WebDAV included
FTP 21 TCP IN Yes Passive mode
SMTP 25 TCP IN No
CIFS 137,138 UDP IN Yes
CIFS 139,445 TCP IN Yes
IMAP 143 or TCP IN No
993
SharePoint Protocol 7070 TCP IN Yes
Tomcat Admin 8005 TCP IN Yes Unless is necessary, do not open this port at the
firewall
Tomcat AJP 8009 TCP IN Yes Unless is necessary, do not open this port at the
firewall
SOLR Admin 8443 TCP IN Yes If used to admin Solr, cert has to be installed in
browser. Otherwise take it in to account in case
of using a dedicated Index Server. Alfresco
repository server must have access to this port
IN and OUT
NFS 111,2049 TCP/UDP IN No This is the repository service NFS as VFS
RMI 50500-‐ TCP IN Yes Used for JMX management. Unless is necessary,
50507 do not open this port at the firewall
Hazelcast 5701 TCP IN No Used by Hazelcast to exchange information
between cluster nodes from 4.2
JGroups 7800 TCP IN No Cluster discovery between nodes before 4.2
JGroups 7801-‐ TCP IN No Traffic Ehcache RMI between cluster nodes
7802 before 4.2.
12
OpenOffice/JODconverter 8100 TCP IN Yes It works in localhost, do not open it at the

firewall

Outbound ports
It is just as important to control all outbound traffic as it is to control inbound traffic. This will
prevent some intrusions by not allowing access to backdoors or malicious remote sites.
Here is a list of all outbound traffic you may consider opening, depending on your security
policy and Alfresco deployment:
Protocol/Service Port TCP/UDP IN/OUT Active Comments

SMTP 25 TCP OUT No If you want Alfresco to send notifications,
invitations, tasks, etc. the open this port from
Alfresco to your corporate MTA.
DB – PostgreSQL 5432 TCP OUT Yes* It depends on the DB.
DB – MySQL 3306 TCP OUT Yes* It depends on the DB.
DB – MS SQL Server 1433 TCP OUT Yes* It depends on the DB.
DB – Oracle 1521 TCP OUT Yes* It depends on the DB.
DB – DB2 50000 TCP OUT Yes* It depends on the DB.
LDAP or AD 396 TCP OUT No If needed for authentication and synchronization.
LDAPS or AD 636 TCP OUT No If needed for authentication and synchronization.
docs.google.com 443 TCP OUT No
JGroups 7800-‐ TCP OUT No If clustered before 4.2, only between nodes.
7802
Hazelcast 5701 TCP IN No Used by hazelcast to exchange information
between cluster nodes from 4.2, only between
nodes.
Remote storage NFS 111,2049 TCP/UDP OUT No If a remote NFS drive is used as the content store.
Remote storage CIFS 137,138 UDP OUT No If a remote CIFS drive is used as the content store.
139,145 TCP
Amazon S3 443 TCP OUT No In case Alfresco is deployed in AWS and Amazon S3
is used as the content store
Alfresco Transformation 80,443 or TCP OUT No In case a remote Alfresco Transformation Server is
Server 8080,844 used
3
Alfresco FSTR 8080 TCP OUT No In case of using a remote Alfresco File System
Transfer Receiver
Alfresco Remote Server 8080 or TCP OUT No In case of using Alfresco Replication Service
8443 between Alfresco servers

13
Kerberos 88 TCP/UDP OUT No In case Kerberos SSO is required

Third Party SSO 443 TCP OUT No Third party SSO services
DNS 53 UDP OUT Yes Name resolution service
Facebook, Twitter, 80 or 443 TCP OUT No In case of using Alfresco Publishing Framework or
LinkedIn, Slideshare, Site blog publishing
Youtube, Flickr, Wordpress
or Typepad

Port Redirect
When Alfresco is not running as root, a local port redirect must be performed in order to
forward all incoming traffic from the standard port to the non-‐standard port and be above
1024.
Here is an example of local port redirect for iptables and FTP port configured in Alfresco to
listen in port 2121 TCP:
iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED
-j ACCEPT
Determining Minimum Privileges

The user you create to run Alfresco should be allowed only the minimum privileges required to
run the application server as required by your scenario. From a security standpoint, the ideal
user will only have permission to write logs and read files, period.
However, many users may find it necessary or convenient to allow the modification of start-‐up
scripts and configuration files, or the deployment of new versions for patches or
hotfixes. Whatever configuration you use, simply make sure that you are aware of the
associated risks.

14
Alfresco Implementation Best Practices

Stay Current
Alfresco is a product in continuous evolution. Our customers and the community are improving
the software by recommending new features, finding bugs and suggesting solutions. The
easiest way to improve the security of your Alfresco platform is to keep your version up to
date. New bug fixes and security patches are added in every release. Alfresco also notifies the
Enterprise user and community members of major security threats and patches via the Support
Portal, email and forums. Always upgrade to the latest stable version of Alfresco, as soon as
possible, and read the Release Notes to be aware of the fixed security bugs.
Don Not Run the Application Server as Root

As it has been stated above, when running any Internet or intranet service, it is always a good
idea to avoid running it as the root user, if possible. When installing the application server,
create a new user with a minimum set of privileges that will always run the application server
for you, as part of your configuration process.

Note that restricting privileges in this fashion can introduce problems with listening to
privileged ports. These are commonly solved in Linux by using the iptables tool to redirect
ports to non-‐privileged ones. See more in the next section.
Repository Level Security

Enable SSL
In production environments, enabling encryption is a must. In this section we will see how to
enable encryption in the most used Alfresco interfaces.
HTTP – HTTPS
There are different methods to implement SSL for the HTTP access to Alfresco Repository
(WebDAV, API and Admin Panel) and Alfresco Share. In most cases all methods are valid for
both Alfresco repository and Share web access.

We may classify three different methods depending on the Alfresco work load. All of the
methods may work for any sizing depending on the system tuning. This is just a best practice
for where to locate the SSL end point to avoid SSL CPU consumption that may affect the
Alfresco performance.

1. Low or reduced load, 10-‐100 concurrent sessions;

15
a. Application server enabled SSL: depending on the application server vendor, this
can be configured in different ways and it is extensively documented. Here is a
list of resources to enable SSL in all our supported application servers:
i. Apache Tomcat20
ii. JBOSS21
iii. Weblogic22
iv. Websphere23

2. Medium load, 100-‐500 concurrent sessions;
a. Apache, IIS or Nginx enabled SSL in a frontend-‐dedicated server.

3. High load, +500 concurrent sessions;
a. SSL dedicated hardware appliance or other third party solutions.

Additionally, if Alfresco Share is in a separate layer than the Alfresco Repository, you may want
to encrypt any traffic that’s in between both of them. Once HTTPS is enabled in both
application servers then just change the Alfresco Share configuration URLs to connect the
Alfresco Repository in ${extensionRoot}/alfresco/web-‐extension/share-‐config-‐custom.xml and
adapt all <endpoint-‐url> to your repository HTTPS URL.

NOTE: in any case always enable HSTS (HTTP Strict Transport Security) to guarantee HTTPS
always.
SharePoint Protocol
There are two ways to approach getting the Alfresco SharePoint Protocol to run over SSL and
avoid having to modify the Windows registry24 to allow non-‐SSL connections from MS Office (in
both Windows and Mac).

• One way is to use the out of the box SSL certificate that Alfresco uses for
communications between itself and Solr, which is not recommended for production
systems;

20
http://tomcat.apache.org/tomcat-‐7.0-‐doc/ssl-‐howto.html
21
https://access.redhat.com/documentation/en-‐
US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Implement_SSL_Encryption_for_the_JBoss_Ente
rprise_Application_Platform_Web_Server1.html
22
http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm
23
http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html
24
http://support.microsoft.com/kb/2123563
16
The other is to generate a new certificate25 and configure Alfresco to use it. If you want
•
to use a custom certificate, this is the option to use. Next steps tested on Alfresco 4.2
and it should work in 4.2 as well for both Enterprise and Community.

There are instructions on how to enable SSL in the Alfresco SharePoint interface on the official
documentation portal26.

IMAP – IMAPS
To enable SSL to the IMAP protocol implemented by Alfresco to get access to the repository
from an email client follow the official documentation instructions27 or configuring the IMAP
subsystem in the Enterprise Admin Panel.
SMTP Inbound with TLS

Alfresco supports secure connections when it has SMTP inbound enabled. It can be set by
customizing the email subsystem28 through alfresco-global.properties with the option
“email.server.enableTLS=true” and configuring the Java keystore29 or in the Enterprise Admin
Console.

25
http://docs.alfresco.com/4.2/tasks/SharePoint-‐HTTPS-‐setup.html
26
http://docs.alfresco.com/4.2/tasks/SharePoint-‐SSL.html
27
http://docs.alfresco.com/4.2/concepts/IMAP-‐subsystem-‐props.html
28
http://docs.alfresco.com/4.2/concepts/email-‐inboundsmtp-‐props.html
29
http://docs.alfresco.com/4.2/concepts/troubleshoot-‐inboundemail.html

17
SMTP Outbound with TLS

SSL-TLS configuration for external emails sent by Alfresco to users for notifications, invitations,
etc., depends on the remote server features, and it has to support secure connections.
Configuration examples may be found on the official documentation portal30 and in the
Enterprise Admin Panel as well.

30
http://docs.alfresco.com/4.2/concepts/email-‐outboundsmtp-‐props.html
18
FTP – FTPS
The FTP interface implemented by Alfresco can also be configured in secure mode to encrypt
the communication between client and server. It has to be configured by the alfresco-‐
global.properties file by following instructions in the official documentation31.
Connect to LDAP in Secure Mode with LDAPS

In order to enable SSL communication between the Alfresco repository and an LDAP server, it
has to be supported by the remote directory server. For SSL it is required that you switch the
port from 389 to 636.

NOTE: Ask your LDAP or Active Directory administrator before changing any Alfresco
configurations.
Hazelcast
This is not usually required in SSL but messages communication between cluster nodes may be
encrypted32.
Understanding Roles and Permissions

It is well known that Alfresco comes with a complex and very flexible permissions model.
Alfresco uses roles to determine what a user can and cannot do within a site and the content.

31
http://docs.alfresco.com/4.2/concepts/fileserv-‐ftp-‐props.html
32
http://hazelcast.org/docs/latest/manual/html/ssl.html#encryption

19
Each role is associated with permissions. Permissions apply to dashboards33 and to content34.
By default, permissions applied to a node in the repository inherits it if it is not deactivated.
Custom Roles
Creating a new role may be a common task when we are working with custom Alfresco
deployments. The process is easy, you just need to follow some steps35. Just bear in mind, the
most important file where default roles are defined is located in:
TOMCAT_HOME/webapps/alfresco/WEB_INF/classes/alfresco/model/permissionDefinitions.
xml
Audit
The Audit Service provides a configurable record of actions and events. It collects information
and stores it in a simple database form. The Audit Service includes the ability to audit system
and user events, metadata changes and data stored in the Alfresco database. In order to have
the Audit feature enabled in Alfresco you need to add the following values in the alfresco-‐
global.properties36 file::

audit.enabled=true
audit.sync.enabled=true
audit.tagging.enabled=true
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true
NOTE: If Alfresco Cloud Sync is used, audit.enable and audit.sync.enabled must be true.
Any information related to auditory is in the Alfresco database, it has to be queried through the
API.
To check if the Audit feature is enabled in Alfresco and what is being audited:
#curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control
{
"enabled" : true,
"applications":
[
{
"name": "Alfresco Sync Service",
"path" : "/sync",
"enabled" : true
}

33
http://docs.alfresco.com/4.2/references/permissions_share_other.html
34
http://docs.alfresco.com/4.2/references/permissions_share_components.html
35
https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
36
http://docs.alfresco.com/4.2/tasks/audit-‐enable.html
20
,
{
"name": "Alfresco Tagging Service",
"path" : "/tagging",
"enabled" : true
}
,
{
"name": "RM",
"path" : "/RM",
"enabled" : true
}
]
}
Audit authentication has to be enabled by renaming the file
${extensionRoot}/alfresco/extension/audit/alfresco-‐audit-‐example-‐login.xml.sample to
${extensionRoot}/alfresco/extension/audit/alfresco-‐audit-‐example-‐login.xml then restart and
test the last authentications to Alfresco with a command like below:
# curl -u admin:admin
"http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1"
or to see how many failed authentications performed by the admin user:
# curl -u admin:admin
"http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1?ve
rbose=true&user=admin"
More queries and information about auditing Alfresco can be found in the official
documentation37.
Get to Know Logged Users

Thanks to the Alfresco Support Tools38 module, available for the Enterprise Admin console, an
administrator can always check who is logged in the system.

37
http://docs.alfresco.com/4.2/concepts/audit-‐intro.html
38
https://addons.alfresco.com/addons/support-‐tools-‐admin-‐console

21
Reset Admin Password

If the admin password is missed there is a way to reset it to “admin” by changing the database.
First of all, it is needed to search the admin password field:
SELECT anp1.node_id, anp1.qname_id, anp1.string_value
FROM alf_node_properties anp1
INNER JOIN alf_qname aq1 ON aq1.id = anp1.qname_id
INNER JOIN alf_node_properties anp2 ON anp2.node_id = anp1.node_id
INNER JOIN alf_qname aq2 ON aq2.id = anp2.qname_id
WHERE aq1.local_name = 'password'
AND aq2.local_name = 'username'
AND anp2.string_value = 'admin';
+---------+----------+----------------------------------+
| node_id | qname_id | string_value |
+---------+----------+----------------------------------+
| 4 | 10 | 209c6174da490caeb422f3fa5a7ae634 |
+---------+----------+----------------------------------+
1 row in set (0.16 sec)

Note: node_id and gname_id for later modification. Additionally,
“209c6174da490caeb422f3fa5a7ae634” is the MD4 hash value for “admin”. Now it can be set
as follows:
UPDATE alf_node_properties
SET string_value='209c6174da490caeb422f3fa5a7ae634'
WHERE
node_id=THE_NODE_ID_ABOVE and qname_id=THE_QNAME_VALUE_ABOVE;
Ticket Session Duration Control

In case of third a party application connection, you may need a ticket. This ticket can be
queried by accessing http://localhost:8080/alfresco/service/api/login?u=admin&pw=admin
The length or duration of this authentication ticket can be configured with:
authentication.ticket.validDuration=PT1H
in the alfresco-‐global.properties file, which means 1 hour. Remember to use HTTPS to get the
ticket.
22
Disable Unneeded Services

All of these options can be added to the alfresco-‐global.properties file. Unless the Alfresco
Enterprise Admin Console is used to make the changes, a restart is required:

• Enable/Disable FTP:
ftp.enabled=false
• Enable/Disable CIFS:
cifs.enabled=false
• Enable/Disable IMAP:
imap.server.enabled=false
• Enable/Disable NFS:
nfs.enabled=false
• Enable/Disable Audit (do not disable it if Cloud Sync is used):
audit.enabled=true
• Enable the alfresco-‐access audit application:
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-events.enabled=true
audit.cmischangelog.enabled=true
• Disable Webdav:
system.webdav.servlet.enabled=true
• Disable Share Point:
Uninstall VTI module.
• Prevent replication from the server configuration:
replication.enabled=false
transferservice.receiver.enabled=false
Disable Guest User

• For NTLM-‐Default (default is true):
alfresco.authentication.allowGuestLogin=false
• For pass-‐through (default is false):
passthru.authentication.guestAccess=false
• For LDAP/AD (default is true):
ldap.authentication.allowGuestLogin=false
Review Sever Logs Periodically

The administrator always keeps an eye on the server logs along with the application logs.
Consider using a central logging sever to easily manage logs and unload the server I/O.

23
Change JMX Default Credentials

As you already know, Alfresco One can be accessed using JMX for configuration (port RMI
50500 TCP), this access is authenticated but credentials are public and must be changed in
order to avoid unauthorized accesses39.
Get Control of Deleted Content

In terms of security control, it is imperative to know how Alfresco works when a content item is
deleted and also how the content deletion works in Records Management (RM). Basic content
deletion is already very well explained in a Ixxus blog post40 but there are some differences in
the database schema between Alfresco 4.1 and 4.2 worth noting, such as the “alf_node” table
has a field named “node_deleted” in versions 4.0 and earlier.

To develop a deep knowledge about Alfresco security and also how to configure Alfresco
backup and disaster recovery41, you should first understand how the Alfresco repository
manages the lifecycle of a content item.
Node Creation
When a node is created, regardless how it is uploaded or created (via the API, web UI, FTP, CIFS,
etc.) Alfresco will do the following:

1. Metadata properties are stored in the database in the logical store
workspace://SpacesStore (alf_node, alf_content_url among others).
2. The file itself is store and renamed as .bin under
alf_data/contentstore/YYYY/MM/DD/hh/mm/url-‐id-‐of-‐the-‐file.bin
3. Next, depending on the indexing you choose, its index entries are created within Lucene
(alf_data/lucene-‐indexes/workspace/SpacesStore) or Solr
(alf_data/solr/workspace/SpacesStore).
4. Finally, in most cases, a content thumbnail is created as a child of the file created.
Node Deletion
There are two phases to node deletion:
Phase 1: A user or admin deletes a content item (sending it to the trashcan)

1. When someone deletes a content item, the content and its children (eg. thumbnails) are
moved (archived) in the DB from workspace://SpacesStore to archive://SpacesStore.
Nothing else happens in the DB.

39
http://docs.alfresco.com/4.2/tasks/jmx-‐access.html
40
http://www.ixxus.com/blog/2011/09/alfresco-‐node-‐lifecycle
41
http://blyx.com/2013/12/04/my-‐talk-‐about-‐alfresco-‐backup-‐and-‐recovery-‐tool-‐in-‐the-‐alfresco-‐summit/
24
2. The actual content “.bin” file remains in the same location inside the contentstore
directory.
3. Finally, the indexes are moved from the existing location to the corresponding archive
(alf_data/lucene-‐indexes/archive/SpacesStore) or Solr
(alf_data/solr/archive/SpacesStore) depending on your index engine selection.

NOTE: A deleted node stays in the trashcan FOREVER, unless the user or admin either empties
the trashcan or recovers the file. This default behavior can be changed by using third party
modules that empty the trashcan automatically on a custom schedule. See below for more
information on these modules.

The trashcan may be found at these locations:

Alfresco Share: User -‐> My Profile -‐> Trashcan (admin user will see all users deleted files, since
4.2 all users can also see and restore their own deleted files).
Alfresco Explorer: User Profile -‐> Manage Deleted Items (for all users).
Phase 2: Any user or admin (or trashcan cleaner) empties the trashcan:
1. That means the content is marked as an “orphan” and after a pre-‐determined amount
of time elapses, the orphaned content item is moved from the alf_data/contentstore
directory to alf_data/contentstore.deleted directory.
2. Internally at the DB level a timestamp (UNIX format) is added to the
alf_content_url.orphan_time field where an internal process called
contentStoreCleanerJobDetail will check how long the content has been orphaned. If it
is more than 14 days old, (system.content.orphanProtectDays option) the .bin file is
moved to contentstore.deleted.
3. Finally, another process will purge all of its references in the database by running
nodeServiceCleanupJobDetail and once the index knows the node has been removed,
the indexes will be purged as well.

NOTE: Alfresco will never delete content in the alf_data/contentstore.deleted folder. It has to
be deleted manually or by a scheduled job configured by the system administrator. By default,
the contentStoreCleanerJobDetail runs every day at 4AM by checking the age of an orphan
node. If it exceeds system.content.orphanProtectDays (14 days) it is moved to
contentstore.deleted.

Additionally, the nodeServiceCleanupJobDetail runs every day at 9PM and purges information
related to nodes that were deleted from the database.

Now, that we understand how Alfresco works by default, let’s learn how to modify Alfresco’s
behavior in order to clean the trashcan automatically.

25
There are several third party modules that can be used to achieve this, but I recommend the
Alfresco Trashcan Cleaner42 by Alfresco’s very own Rui Fernandes.
Once the amp is installed, you can use this sample configuration by copying it to the alfresco-‐
global.properties file:

trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=7
trashcan.deleteBatchCount=1000
The options above configure the cleaner to run every hour on the half hour and it will remove
content from the trashcan and mark it as an orphan if it has been in the trashcan for more than
7 days. It will do this in batches of 1000 deletions every time it runs. To delete from the
trashcan without waiting any grace period set the trashcan.daysToKeep property value to -‐1.
Questions and Answers About Content Deletion

Can I configure Alfresco to avoid using contentstore.deleted and ensure it really deletes a file
after the trashcan is cleaned?
Yes, this is possible by setting system.content.eagerOrphanCleanup=true in the alfresco-‐
global.properties file, and once the trashcan is emptied, the file will not be moved to
contentstore.deleted but it will be deleted from the file system (contentstore). After that,
nodeServiceCleanupJobDetail will purge any related information from the database.

What is the recommended configuration for a production server?
This is something you have to figure out based on your backup and disaster recovery strategy43.
If you have a proper backup strategy, you can offer your users a grace period of 30 days to
recover their own deleted documents from the trashcan. After the grace period, delete them
simultaneously from the trashcan and the file system. This can be achieved by installing the
previously mentioned trashcan-‐cleaner and with this configuration in the alfresco-‐
global.properties file:

system.content.eagerOrphanCleanup=false
trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=30
trashcan.deleteBatchCount=1000

What about Alfresco Records Management, does it work in the same way? How a record
destruction works?
In the Records Management world you don’t tend to delete documents as often as it is done in
Document Management. When a content item is deleted from the RM file plan, it is considered

42
https://code.google.com/p/alfresco-‐trashcan-‐cleaner/
43
http://blyx.com/2013/12/04/my-‐talk-‐about-‐alfresco-‐backup-‐and-‐recovery-‐tool-‐in-‐the-‐alfresco-‐summit/.
26
to be a regular delete operation. This is rarely used and only done by RM admins when there is
some justifiable reason, such as correcting a mistake that requires a record to be removed.
The only difference is that the deleted record bypasses the archive store, hence it never goes to
the trashcan, and it is marked as an orphan once it is deleted. Then it will be moved to
contentstore.deleted after orphanProtectDays or it is truly deleted if eagerOrphanCleanup is set
as true.

Destruction of a record works in the same way that a record is removed. This will by-‐pass the
archive and immediately trigger the clean-‐up (eagerOrphanCleanup) process so the content
does not stay in the file system contentstore or contentstore.deleted.

As far as the meta-‐data goes, there are two options; the first is that all the meta-‐data (and
hence the node itself) are completely deleted. The alternate method cleans out all the content
but the node remains with only the meta-‐data (called ghosting). In Alfresco RM versions prior
to 2.2, this was a global configuration value (rm.ghosting.enabled=true). In 2.2 it can be
defined on the destroy step of the disposition schedule: “Maintain record metadata after
destroy”.

27
Figure 1: Content deletion diagram
Wipe Content
As we have seen, Alfresco offers different ways to delete content. It is important to remember,
even if Alfresco completely deletes content, like when using the destroy option in RM or by
using eagerOrphanCleanup, Alfresco will not wipe the removed content from the physical
storage. It therefore can be recovered by file system recovery tools. Wiping a deleted content
item may vary depending on multiple factors, from file system type to hardware configuration,
etc. If you want to guarantee a real physical wipe of a file in your file system, third party
software must be used to “zero out” the corresponding disk sectors. The specific tools depend
on the operating system type, hardware, etc.
Share Level Security

Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
Based on the OWASP project definition, Cross-‐Site Request Forgery (CSRF) is a type of attack
that occurs when a malicious web site, email, blog, instant message, or program causes a user’s
web browser to perform an unwanted action on a trusted site for which the user is currently
authenticated.
28

You can configure CSRFPolicy in Alfresco Share to prevent CSRF attacks that allow malicious
requests to be unknowingly loaded by a user.

You can configure the CSRF filter to run with third party plugins and to stop specific repository
services from being accessible directly through the Share proxy.

See official documentation for apply the prevention procedure44.
Security Filters and Clickjacking Mitigation in Alfresco Share

As per OWASP definition, clickjacking, also known as a "UI redress attack", is when an attacker
uses multiple transparent or opaque layers to trick a user into clicking on a button or link on
another page when they were intending to click on the top level page. Thus, the attacker is
"hijacking" clicks meant for their page and routing them to another page, most likely owned by
another application, domain, or both.

You can configure a security filter, SecurityHeadersPolicy that mitigates clickjacking attacks in
Alfresco Share.

Iframes and Phishing Attack Mitigation in Alfresco Share

You can configure IFramePolicy to protect users against a phishing attack, which attempts to
acquire information such as user names or passwords by simulating a trustworthy entity.

Alfresco allows you to control which domain pages or content are included in Share to create a
whitelist of allowed domains. A whitelist is a list of email addresses or IP addresses that are
considered to be safe for use within your organization.

Share HTML Processing Black/White List

Alfresco Share has a number of features to protect against XSS attacks. One of the
most aggressive features is the automatic processing of 3rd party HTML (wiki, blog, forum) to
“sanitize” or “strip” out unwanted HTML tags and attributes before rendering in the page.

44
http://docs.alfresco.com/4.2/concepts/csfr-‐policy.html
45
http://docs.alfresco.com/4.2/concepts/security-‐policy.html
46
http://docs.alfresco.com/4.2/concepts/iframe-‐policy.html

29
Since Alfresco 3.4.9, 4.0.2 and newer, it is possible to fully configure the black/white list of
HTML tags and attributes that the HTML stripping process will use. The default black/white list
Is available in {TOMCAT_HOME}/webapps/share/WEB-‐INF/classes/alfresco/slingshot-‐
application-‐context.xml. It can be overridden with a file called custom-‐slingshot-‐application-‐
context.xml, which is generally found in {TOMCAT_HOME}/shared/classes/alfresco/web-‐
extension. More information is available in the Alfresco corporate blog47.
Site Creation Control

In some circumstances, you may need to prevent users other than administrators or specific
group members, from creating sites. There are different ways to accomplish this using public
resources48.
Filter Document Actions by User or Role

You may restrict the visibility of document action item for different Share site/user role by
modifying:
• {TOMCAT_HOME}/webapps/share/WEB-‐INF/classes/alfresco/site-‐
webscripts/org/alfresco/components/document-‐details/document-‐
actions.get.config.xml
• {TOMCAT_HOME}/shared/classes/alfresco/web-‐extension/site-‐
webscripts/org/alfresco/components/document-‐details/document-‐
actions.get.config.xml

For example, to set document action “Delete” visible to “admin” user only, you need to modify
the action you want to hide from anyone but the admin, by adding 'permission="admin"'. For
example, modify in document-‐actions.get.config.xml file from:

<action type="action-link" id="onActionDelete" permission="delete"
label="actions.document.delete" />
to:

<action type="action-link" id="onActionDelete" permission="admin"
label="actions.document.delete" />

Additionally, you may use the tables below as reference when there is a requirement for
customize document action per site role. For example, add, remove, or hide visibility of certain
document action(s) for certain site role(s) in permission="<symbol>".

Site role-‐based Visibility

47
http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-‐the-‐share-‐html-‐processing-‐blackwhite-‐list/
48
https://forums.alfresco.com/forum/end-‐user-‐discussions/alfresco-‐share/disable-‐create-‐site-‐link-‐42-‐community-‐01102013-‐1306
30
Symbol Site Role
# Admin/Site Manager
* Collaborator
% Contributor/Consumer

<actionSet id="document">: Default OOTB permission level for Document Action components.
Information is extracted from Enterprise 3.4.6, File: {TOMCAT_HOME}/webapps/share/WEB-‐
INF/classes/alfresco/site-‐webscripts/org/alfresco/components/document-‐details/document-‐
actions.get.config.xml:
Action Name Action id Permission Corresponding label name Visible
to
Download id="onActionDownload" <global, no specific label="actions.document.d %;*;#

permission required> ownload"
View in Browser id="onActionView" <global, no specific label="actions.document.v %;*;#

permission required> iew"
Edit Metadata id="onActionDetails" permission="edit" label="actions.document.e *;#

dit-‐metadata"
? id="onActionSimpleAppr permission="simple-‐ label="actions.document.si n/a

ove" approve" mple-‐approve"
? id="onActionSimpleReje permission="simple-‐ label="actions.document.si n/a

ct" reject" mple-‐reject"
Upload New id="onActionUploadNew permission="edit" label="actions.document.u *;#

Version Version" pload-‐new-‐version"
Inline Edit id="onActionInlineEdit" permission="edit,inline-‐ label="actions.document.i *;#

edit" nline-‐edit"
Edit Online id="onActionEditOnline" permission="edit,online label="actions.document.e *;#

-‐edit" dit-‐online"
Edit Offline id="onActionEditOffline" permission="edit,~goog label="actions.document.e *;#

ledocs-‐edit" dit-‐offline"
? id="onActionCheckoutT permission="edit,googl label="actions.document.c *;#

oGoogleDocs" edocs-‐edit" heckout-‐google"
Copy to… id="onActionCopyTo" <global, no specific label="actions.document.c %;*;#

31
permission required> opy-‐to"
Move to… id="onActionMoveTo" permission="delete" label="actions.document. #

move-‐to"
Delete id="onActionDelete" permission="delete" label="actions.document.d #

Document elete"
Start Workflow id="onActionAssignWork <global, no specific label="actions.document.a %;*;#

flow" permission required> ssign-‐workflow"
Manage id="onActionManagePer permission="permission label="actions.document. #

Permission missions" s" manage-‐permissions"
Manage Aspect id="onActionManageAsp permission="edit" label="actions.document. *;#

ects" manage-‐aspects"
Filter workflow by role/group

Alfresco Share doesn’t have the ability to filter or control the list of workflows showed to an
user or group, by default all available workflows are shown to any user. There is different ways
to get this done, based on filters in share-‐config-‐custom.xml and also third party developments
to control workflow list49.
Change default Share session timeout

It may be needed to reduce or increase the default session timeout for Alfresco Share user
cookies which is 60 minutes. Edit {TOMCAT_HOME}/webapps/share/WEB-‐INF/web.xml and
change next lines, a restart is needed:
<session-config>
<session-timeout>60</session-timeout>
</session-config>

49
https://addons.alfresco.com/addons/workflow-‐permissions
32
Architecture deployment best practices

Sample architecture diagrams and protection tips for Alfresco installed on-‐premises and in
AWS.
Frontends
In this section we will see a tip about how to protect some resources in Alfresco using custom
frontend server like Apache, Nginx or HAProxy.

Good practice is to protect always front Share and Alfresco with a web server
(Apache/Nginx/HAProxy), and run the application server to only be accessed by the web server.
If this is all on one node, then have the application server only listen on localhost then the web
server forward to localhost. If this is on a multi-‐tiered environment then only allow access to
the Share and Alfresco tier from the web node tier via iptables.

In order to force all Alfresco cookies to be secure instead of httponly use a web server to
rewrite the cookies. Example of HAProxy configuration to do it:
# Set all cookies to be Secure.
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if !secured_cookie
Protect Alfresco API URL and proxy (Apache, Nginx, etc.)

Webscript URLs should be accessed only by localhost applications (Alfresco Explorer and Share)
and known third party applications. To deny access from all other networks (to Alfresco tier
data Webscripts, you can do the same for Share if needed), you need to set a frontend web
server as follows:

Apache:
<Location /alfresco/service/*>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>
<Location /share/service/*>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>
<Location /alfresco/proxy>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>

33
<Location /alfresco/cmisbrowser>
Order allow,deny
Allow from 1.2.3.4
Allow from 1.2.3.5
</Location>
Nginx:
location ~ ^/(alfresco|share)/service/ {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}
location ~ ^/alfresco/proxy {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}
location ~ ^/alfresco/cmisbrowser {
allow 1.2.3.4;
allow 1.2.3.5;
deny all;
}
Where 1.2.3.4 and 1.2.3.5 are our applications or networks.
Single tier
Alfresco installed all in one server and using external database and storage for content store,
use always dedicated network interfaces, i.e. 3 nics being service, backend and administration
and backup:
34
Two tiers

35
Three tiers

Another real world diagram with details:

36

AWS deployments
Example of multi tier deployment and different layers of security:

37
Backup and Disaster recovery

Please refer to the existing Backup and Disaster Recovery White Paper presented in the
Alfresco Summit 201350.

50
https://summit.alfresco.com/cmis/views/workspace%253A%252F%252FSpacesStore%252F2a6f08b9-‐e026-‐4674-‐b81a-‐cac234491d9f
38
Mobile Security
File Protection
Encrypts files stored on this device when it is locked. Has to be enabled in the mobile
application settings. It is only available in Alfresco Mobile if it is connected to an Alfresco One
server or Alfresco in the Cloud.
HTTPS
Enable HTTPS connection if available on the server side. Alfresco in the Cloud has HTTPS
support by default.
Certificate Authentication
Enable certificate authentication from the mobile client side is available.
MDM
At the moment this guide is written, there is one solution to implement MDM with Alfresco:
Alfresco for Good (iOS)

Alfresco for Good mobile app provides a secure connection, secure storage and policy
enforcement when accessing business critical documents stored in Alfresco One on premise
from anywhere. Alfresco for Good 1.0 includes the following features:
• Secure access to on premise Alfresco repository based on existing user privileges
• Full access to repository structure including collaboration sites
• Easy favoring and joining of sites
• Activity feed for repository
• File exchange via Good For Enterprise
• Local storage of files for offline viewing
NOTE: Existing version is only compatible with iOS 7.
MobileIron (Android)
Alfresco and MobileIron provide an end to end secure solution to access critical content stored
on premise, in the cloud or both as well as run key workflows to make things happen on the go.
Alfresco is an enterprise grade solution that can reliably mobilize hundreds to millions of
documents. Alfresco is open, so you can retain control and customizable so you can build the
solutions you need.
• Secure access to Alfresco One repository based on existing user privileges
• Full access to repository structure including collaboration sites
• Activity feed

39
• File exchange within the MobileIron ecosystem

• Local sync of files for offline viewing of up to date files
• Initiate or take part in workflows such as “Review and Approve”
NOTE: Alfresco is working for a new MobileIron app for Android and iOS. Not release date at
this moment.
Additional information
For enterprise Android users, Alfresco Mobile 1.4 is available in the Samsung KNOX store.
Working with other MDM vendors like Symantec Sealed (Android) and Citrix Worx.
40
Security Compliance and Standards

A very common question about Alfresco and security is related to standards. In this section we
will see a review about some standards related to security and how Alfresco can address with
them. For more information about other standards and security in Alfresco Cloud please visit
this51 site.
DOD5015.2
Alfresco Records Management is certified to the DoD 5015.02 base line standard, the Alfresco
RM solutions has been implemented on top of a flexible records management metadata model,
allowing other standards (such as MoReq2010, NOARK, etc.) to be supported.52
From the security stand point; Alfresco RM has additional security features like:
• Specific roles related to RM tasks
• Web based role manager to view, modify or delete existing roles and create new ones
• Web based audit tool to make reports about any action on any record, folder, category
in the File Plan
• Users, groups and roles reports
• Different behavior for record deletion and record destroy than deletion in DM. See
section about deletion in this document.
OWASP
In Alfresco we use the OWASP guides extensively in development and have a tool, which scans
all code nightly and ensures compliance with OWASP top ten. Here a list of comments about
the OWASP top 1053:
1. A1 -‐ Injection: Alfresco uses prepared non-‐dynamic statements and variable binding
using the ORM framework 'myBatis', which prevents SQL injection. Alfresco Share uses a
white-‐list to strip potential danger from submitted content with mime-‐types of
Javascript or HTML. Note: For HTML content submission, unsafe content is stripped on
display, not storage. Summary: OOTB Alfresco is secured against injection attacks
2. A2 -‐ Broken Authentication and Session Management: This is normally an issue in
home-‐grown authentication frameworks, but all Alfresco custom development and
configuration passes through its own authentication framework which is based on the
Spring Security (Acegi) framework. Summary: OOTB Alfresco has a robust
authentication and session management subsystem, however there may be weaknesses

51
http://www.alfresco.com/products/cloud/security-‐data-‐privacy
52
http://blogs.alfresco.com/wp/understanding-‐the-‐facts-‐dod-‐5015-‐certification
53
https://www.owasp.org/index.php/Top_10_2013-‐Top_10

41
if the following processes are not followed: 1) Only use SSL encryption for all access; 2)
Integrate with LDAP memberships services (or if using Alfresco native user
management: Enable an additional Alfresco customisation for password-‐expiry and
complexity requirements); 3) Potential to permanently disable 'invite external user'
capabilities.
3. A3-‐Cross-‐Site Scripting (XSS): See 'Configuring the Share HTML processing black/white
list'54. Summary: OOTB Alfresco is secured against XSS attacks. Pre go-‐live checks must
ensure that configuration changes have not disabled this security feature. Check
vulnerability list in this document and new XSS threats.
4. A4-‐Insecure Direct Object References: Content-‐object access is only allowed through
the Alfresco API which ACL checks all content-‐based requests against the current
authenticated session user. Summary: OOTB Alfresco is secured against direct access
and the manipulation of reference.
5. A5-‐Security Misconfiguration: Default passwords are stored for JMX or installation
passwords stored as well. Summary: OOTB Alfresco does not encrypt initial admin
password, JMX read and write password and DB connection password. In case of using
Alfresco internal DB for users, their passwords are stored in MD4.
6. A6-‐Sensitive Data Exposure: We do not typically store user-‐sensitive information in
Alfresco. Summary: OOTB Alfresco is secure from exposure of sensitive data. This
assumes correct ACL/permission application and that the server has not been
compromised allowing direct access to the underlying file-‐system.
7. A7-‐Missing Function Level Access Control: Alfresco enforces 'roles' and group-‐
membership to define the function access that a user may have. Summary: OOTB
Alfresco is secured against function level access control. Security ACL checks against role
and group occurs on the server not just to hide or expose UI elements.
8. A8-‐Cross-‐Site Request Forgery (CSRF): See 'Introducing the CSRFPolicy in Alfresco
Share'55. OOTB Alfresco is secured against CSRF attacks. Pre go-‐live checks must ensure
that configuration changes have not disabled this security feature.
9. A9-‐Using Components with Known Vulnerabilities: According to the Alfresco public
JIRA, there are no known exploitable components used by Alfresco. An audit is required
to every third party component should be done to confirm this. Alfresco recommends
the latest security patched version of Alfresco and its supported components, as well of
OS, Java, Application Server and DB server. Summary: OOTB Alfresco is secure, at the
time of writing. Best practice should include the patching of dependent components
with the latest security patches as they become available. Typical components to
consider for an ongoing patch policy: Operating System RHEL/CentOS/Win2008R2;
Database MySQL/Oracle/MSSQL; Java updates; third-‐party out-‐of-‐process command-‐
line tools (anything outside the JVM sandbox such as Open Office / ImageMagick, etc.).

54
http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-‐the-‐share-‐html-‐processing-‐blackwhite-‐list/
http://blogs.alfresco.com/wp/ewinlof/2013/03/11/introducing-‐the-‐new-‐csrf-‐filter-‐in-‐alfresco-‐share/
55
42
10. A10-‐Unvalidated Redirects and Forwards: Alfresco allows the display of user-‐defined
hyperlinks, potentially to external websites, but these are not forwards or re-‐directs.
Alfresco Share does allow the arbitrary embedding of IFrames within the UI, either
through the 'web view' dashlet, or within custom developed code, and this does need
protection. This risk is mitigated with the introduction of the 'IFramepolicy'. See
'Introducing the IFramePolicy in Alfresco Share'56. The default configuration allows any
page to be iframed. Summary: OOTB Alfresco is not secure against non-‐validated
redirection. However a simple configuration change enforces the security.
The Alfresco software engineers take care about OWASP security standard by using a software
plugin57 that defines a list of vulnerabilities that can occur in any software project. It provides
rules engines to find violations that can be matched with a lot of OWASP vulnerabilities,
allowing us to know the security level reached.
HIPAA
The US Government “Health Insurance Portability and Accountability Act” can be applied or
adopted by Alfresco taking into account considerations below:

• Audit everything (who accessed, when accessed and what). Alfresco does it and stores
all in the DB.
• Encrypt PHI, is not a requirement but to avoid reporting in case of information lost
(backup tape for example). Alfresco does it with encrypted metadata by using the
property called “d:encrypted” in the data model, and encrypting the backup as well.
• Encrypt Content (encryption at rest), as normal recommendation the backup should be
encrypted.
• For index a best practice is to encrypt the backup or don’t do backup to avoid losing
backup tape and have to report it. Indexing can be re-‐build in case of need.
• Disable Quick Share feature in Share.
• Enable HTTPS.
• Optionally: retention policies (it may vary depending on every US State) and can be
implemented with Alfresco RM.

56
http://blogs.alfresco.com/wp/ewinlof/2013/03/12/introducing-‐the-‐iframepolicy-‐in-‐alfresco-‐share/
57
http://www.excentia.es/plugins/owasp/caracteristicas_en.html

43
FISMA
FISMA compliance is a mandate against the operating environment where Alfresco may be
deployed. The application is not subject to any specific certification, but may be monitored as
part of a FISMA security plan.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a unified, government-‐
wide risk management program focused on large outsourced and multi-‐agency systems.
FedRAMP has been established to provide a standard approach to Assessing and Authorizing
(A&A) cloud computing services and products. FedRAMP allows joint authorizations and
continuous security and monitoring services for Government and Commercial cloud
computing systems intended for multi-‐agency use.

Alfresco's traditional products (Alfresco One, Activiti, etc.) are not directly subject to FedRAMP
authorization, rather, the customer is responsible for validating that their Alfresco deployment
specifically complies with the different FedRAMP requirements. This applies to both on-‐prem
and cloud-‐hosted deployments.

At the moment, Alfresco has not made any specific commitment to obtain FedRAMP
authorization for Alfresco in the Cloud or any future SaaS products.
ISO 27001
ISO 27001 is an international standard published by the International Standardization
Organization (ISO), and it describes how to manage information security in a company.

Alfresco application is not subject to this certification but it may be used as main repository for
document centralization and management for creation, review and approval, distribution,
categorization, usage and updates of the documents and records.
PCI Data Security Standard

This section is a quick point approach to highlight some of PCI-‐DSS requirements and how
Alfresco may assist in compliance.

• Alfresco uses standard TCP/IP connectivity with common protocols such as https
(encrypted for security) allowing organizations to easily integrate with existing firewalls
and other intrusion detection/prevention services.
• Alfresco provides default database names and accounts for simple deployment. These
are usually setup upon first launch of Alfresco. However, in order to recognize the needs
of such requirements as PCI-‐DSS, these can be simply overridden through a
configuration file change, allowing the organization to create uniquely named databases
and database accounts. We have well documented methods to how to perform this
44
task. Integration with enterprise database systems allow for DBAs to enable encrypted
writes directly into database tables without modifying Alfresco in any way.
• Alfresco’s Records Management Module allows for compliance management for data
retention, such as retention and disposition schedules, auditing of access to records,
destruction and data deletion as well as event triggers, eDiscovery and so forth.
• Alfresco can be configured to use strong SSL encryption for https connections, allowing
for encryption of data inflight once authorized access to that data has been approved
via Alfresco’s Authentication, Authorization and Permissions Management subsystems.
• Alfresco stores files as their native data streams and metadata in the database. This can
be integrated with standard corporate Antivirus applications to ensure compliance.
• As has been already said in this guide, Alfresco takes security very seriously and has a
rigorous vulnerability detection program working with third party security organizations
to perform penetration testing. Alfresco has a process in place to then quickly patch,
test, release and inform Alfresco One customers of any breaches.
• Alfresco provides a complete authentication and authorization subsystem along with a
granular permissions management system that can be integrated with corporate
directory services to enable secure user access only to data they have been authorized
to see. Management can be performed at the individual user level or by group
membership – this allows an organization to easily develop role-‐based access to data
and content.
• All users have a unique ID -‐ whether that granted by the corporate directory service, or
internally for users that are not part of the directory structure. Alfresco has a complete
auditing subsystem that can be incorporated into enterprise reporting applications.
• Alfresco provides a complete auditing subsystem that tracks reads and writes to all
content and metadata within the repository. This auditing mechanism can be integrated
with enterprise reporting tools, or custom interfaces (eg web) and delivery methods
(email, RSS feeds, etc) can be built and maintained.

45
Appendix I: Security Checklist

Alfresco Security Check List
This is a list of basics checks to perform in any Alfresco production deployment. In case of cluster, these checks should be
passed to all nodes. Please read this document before in order to understand all checks below:
Server Name: ____________________________________ ! Backup and Disaster Recovery software
Server IP Address: ________________________________ configured and tested for indexes, db,
! Last Service Pack / Hot fix of the Alfresco existing contentstore, installation, configuration and
version installed customization files
! Changed default admin password ! Deleted files under control
! If Linux, run the application server as non root ! The trashcan has to be emptied
user manually or install trashcancleaner
! Changed the default JMX passwords for ! Configured Alfresco to delete files from
controlRole and monitorRole file system when the trashcan is
! Switched to SSL all required services using a emptied (eagerCleaner)
custom/owned certificate (not default cert): ! A shell script to delete
! HTTP / Webdav / API contentstore.deleted once a week
! Enable HSTS ! Local and network firewalls are properly
! Force secure cookies configured for both inbound and outbound
! SharePoint Protocol traffic
! IMAP ! Monitoring services availability through JMX
! FTP with solutions like Hyperic, Nagios or JMelody
! SMTP INBOUND ! Encryption at rest is enabled (available in
! SMTP OUTBOUND Alfresco One 5.0)
! Solr (SSL by default), if in separate tier ! Passwords in properties files are encrypted
! If clustered: JGroups or Hazelcast (available in Alfresco One 5.0)
(optional) ! Check “file-‐servers-‐custom.xml” permissions if
! Alfresco JDBC to DB communication Kerberos is configured
(optional) ! Check FSTR configuration files permissions if is
! Check certificate strength configured (it has password inside)
! Change file permissions to allow only the ! Embedded metadata is still in every file, clean
application user to see and write these files this before content leaves Alfresco, to prevent
and/or directories (i.e. Linux: chmod 0600 <path-‐ information leaks through metadata
to-‐file>): ! API, services and Share proxy accesses are
! “alfresco-‐global.properties” protected
! “dir_root/contentstore” ! In case of integration with third party
! “dir_root/solr” or “dir_root/lucene-‐ applications, establish a dedicated Alfresco
indexes” authenticated user versus using the admin user
! Alfresco and application server logs are all in the ! CSRF is enabled in Alfresco Share (default)
same directory, with the proper security ! Alfresco Share IFramePolicy is configured as
permissions and logs rotation configured (app “deny”
server logs, alfresco.log, share.log, solr.log) ! Enable SecurityHeadersPolicy, in Share that
! If Alfresco is connected to internet remove the mitigates clickjacking attacks
Alfresco banner in the Share login page ! Configure HTML processing black/white lists
! If LDAP, AD or third party authentication is (optional)
enabled, any communication between Alfresco ! Custom error page created at web server or
and the authentication server is through SSL (i.e. application server level (optional)
636 TCP for LDAPS). ! Use a network IDS on top of Alfresco server
! If Alfresco Replication Service is needed: (optional)
! Use HTTPS ! Use a Web Application Firewall on top of
! Do not replicate with “admin” user Alfresco (optional)
! Disabled unneeded services ! Use an antivirus solution at the server side or
! Enabled audit if required through communication and an Advanced Threat
! Disabled guest user Protection System (optional)
46
Appendix II: Third Party Libraries included in Alfresco

Alfresco embeds third party libraries in the product and it is important to consider them for
Security and Compliance reasons.
Third Party Software (as of 4.2.x)
• Apache 1.1 variant License o hazelcast http://www.hazelcast.com/index.jsp
o Xpp3 o ibatis http://ibatis.apache.org/
http://www.extreme.indiana.edu/xgws/xsoap/x o jakarta-‐oro http://jakarta.apache.org/oro/
pp/ o Jackson
• Apache 1.1 -‐ License http://wiki.fasterxml.com/JacksonDownload
o Avalon framework o Jcr http://jackrabbit.apache.org/
http://avalon.apache.org/framework/ o joda-‐time http://joda-‐time.sourceforge.net/
o Spring Modules http://springmodules.java.net/ o jstl http://tomcat.apache.org/taglibs/standard/
• Apache 2.0 -‐ License o livetribe http://livetribe.codehaus.org/
o Abdera o log4j http://logging.apache.org/log4j
http://projects.apache.org/projects/abdera.html o lucene http://lucene.apache.org
o Acegi o metadata-‐extractor
http://sourceforge.net/projects/acegisecurity/ http://code.google.com/p/metadata-‐extractor/
o Activiti http://www.activiti.org/index.html o myfaces http://myfaces.apache.org/
o Alfresco Open CMIS o naming http://tomcat.apache.org
http://code.google.com/a/apache-‐ o Neethi http://ws.apache.org/commons/neethi/
extras.org/p/alfresco-‐opencmis-‐extension/ o opensaml http://www.opensaml.org/
o Ant http://ant.apache.org/ o OpenSSL http://www.openssl.org/
o Axiom http://ws.apache.org/axiom/ o pdfbox http://pdfbox.apache.org/
o Axis https://axis.apache.org/axis/ o POI http://poi.apache.org/legal.html
o Batik http://xmlgraphics.apache.org/batik/ o Spring Framework
o Bcel http://www.springsource.com/download/comm
http://commons.apache.org/proper/commons-‐ unity?sid=453581
bcel/ o Quartz resolver http://quartz-‐scheduler.org/
o Bsf o Rome https://rometools.jira.com/wiki/
http://commons.apache.org/proper/commons-‐ o shale http://shale.apache.org/
bsf/ o Spring.net http://www.springframework.net/
o Boilerpipe o STAX http://camel.apache.org/stax.html
https://code.google.com/p/boilerpipe/ o XML Commons Apache
o Catalina http://tomcat.apache.org http://xml.apache.org/commons/
o cglib http://cglib.sourceforge.net/ o Xalan-‐j http://xml.apache.org/xalan-‐j/
o Apache Chemistry http://www.apache.org/ o Xerces2-‐j http://xerces.apache.org/xerces2-‐j
o Apache-‐mime o XML Beans
http://james.apache.org/mime4j/index.html http://xmlbeans.apache.org/news.html
o Apache CXF http://cxf.apache.org/ o XML Graphics http://xmlgraphics.apache.org/
o ehcache http://ehcache.sourceforge.net/ o SMTP
o Fast Infoset Project https://fi.java.net/ http://subethasmtp.tigris.org/project_license.ht
o fop http://xmlgraphics.apache.org/fop/ ml
o Google Data Java Client Library o Apache Tika
http://code.google.com/p/gdata-‐java-‐client/ o wss4j http://ws.apache.org/wss4j/
o Geronimo http://geronimo.apache.org/ o WoodStox http://woodstox.codehaus.org/
o Greenmail o commons-‐resolver
http://www.icegreen.com/greenmail/readme.ht http://svn.apache.org/viewvc/xml/commons/tag
ml s/xml-‐commons-‐resolver-‐
o Groovy http://groovy.codehaus.org/ 1_2/LICENSE?view=markup
o guess encoding o RPC http://ws.apache.org/xmlrpc/project-‐
http://docs.codehaus.org/display/GUESSENC/Ho info.html
me

1
o XML Schema o TrueLicense http://truelicense.java.net/

http://ws.apache.org/commons/XmlSchema o truezip http://truezip.java.net/
o Xmlsec http://santuario.apache.org/ • Free Software
o Solr http://lucene.apache.org/solr/ o icu4j http://icu-‐project.org/
o vorbis https://github.com/Gagravarr/VorbisJava o json http://www.json.org/java/
• BSD License o netcdf
o Antlr v3 http://www.antlr.org http://www.unidata.ucar.edu/software/netcdf/c
o ASM http://asm.ow2.org/ opyright.html
o Bubbling http://www.bubbling-‐library.com/ • GPL Affero GPL
o CSS Boilerplate http://code.google.com/p/css-‐ o GhostScript http://www.ghostscript.com/
boilerplate/ • GPL V2
o dom4j http://dom4j.sourceforge.net/ o ncurses http://www.gnu.org/software/ncurses/
o fontbox http://xmlgraphics.apache.org/fop/ o libiconv http://www.gnu.org/software/libiconv/
o FreeMarker http://freemarker.sourceforge.net/ o libstdc++ http://gcc.gnu.org/libstdc++/
o jibx-‐* http://jibx.sourceforge.net • GPL V3
o jta http://java.sun.com/products/jta/ o SWF Tools http://wiki.swftools.org
o libfreetype http://www.freetype.org/ • Imagemagick
o libgif http://giflib.sourceforge.net/ o Imagemagick
o libjpeg http://libjpeg.sourceforge.net/ http://www.imagemagick.org/script/license.php
o libpng http://www.libpng.org/ • LGPL 2.1
o libtiff http://www.libtiff.org/ o hibernate http://www.hibernate.org/
o libz http://zlib.net/ o htmlparser http://htmlparser.sourceforge.net/
o nunit http://www.nunit.org/ o JBPM http://www.opensource.org/licenses/lgpl-‐
o One-‐Jar http://sourceforge.net/projects/one-‐jar license.php
o PostgreSQL http://www.postgresql.org o Jgroups http://www.jgroups.org/
o STAX Utils http://stax-‐utils.java.net/ o jid3lib http://jid3lib.java.net/
o Tuckey URL rewriter o jug-‐lgpl
http://tuckey.org/urlrewrite/manual/3.0/introdu http://mvnrepository.com/artifact/org.safehaus.
ction.html jug/jug/2.0.0
o Xmpcore o libwmf
http://www.adobe.com/devnet/xmp.html http://wvware.sourceforge.net/libwmf.html
o Xstream YUI o PDF Renderer http://java.net/projects/pdf-‐
http://xstream.codehaus.org/license.html renderer
o YUI http://yuilibrary.com/ o TinyMCE
• CDDL http://tinymce.moxiecode.com/tinymce/docs/lic
o JaxB http://jaxb.java.net/ ense.html
o jaxrpc http://jax-‐rpc.java.net/ • LGPL 3.0
o JAXWS http://jax-‐ws.java.net/ o jayrock http://jayrock.berlios.de/
o mail http://glassfish.java.net/javaee5/mail/ o Jmagick
o MIME pull http://mimepull.java.net/ http://sourceforge.net/projects/jmagick/
o SAAJ http://saaj.java.net/ o JODConverter
o StAXExtendedAPI http://stax-‐ex.java.net/ http://jodconverter.sourceforge.net/
o xml-‐apis http://jaxp.java.net/ o jTDS Project
• Commercial license http://jtds.sourceforge.net/license.html
o Bitrockinstaller http://bitrock.com/ o Jut.jar
• CPL 1.0 License http://www.openoffice.org/licenses/lgpl_license
o htmlparser http://htmlparser.sourceforge.net/ .html
o Junit http://sourceforge.net/projects/junit/ o OpenOffice
o wsdl4j http://sourceforge.net/projects/wsdl4j http://www.openoffice.org/license.html
• Creative Commons Attribute License • Microsoft Redistributable
o JSTextReader AS3 o Microsoft Visual C++ 2008 Redistributable
http://creativecommons.org/licenses/by/3.0/us/ Package
legalcode • MIT License
• Dojo Licensing, BSD & Academic o bcmail-‐jdk http://www.bouncycastle.org/
o Dojotoolkit http://dojotoolkit.org/ o bcprov-‐jdk http://www.bouncycastle.org/
• Eclipse Public License o facebook http://code.google.com/p/facebook-‐
o Wikipedia java-‐api/
http://sourceforge.net/projects/plog4u/ o Jutf7 http://jutf7.sourceforge.net/license.html
2
o Mockito
http://www.opensource.org/licenses/mit-‐ • Apache2
license.php o acegi commons
o SLF4J http://www.slf4j.org/license.html http://sourceforge.net/projects/acegisecurity/
o Mootools http://docs.mootools.net/ o dbcp http://jakarta.apache.org/commons/
• MPL o Apache CXF http://cxf.apache.org/
o rhino-‐js http://www.mozilla.org/rhino/ o Greenmail
o juniversalcharsetdet http://www.icegreen.com/greenmail/readme.ht
http://juniversalchardet.googlecode.com/ ml
• ODMG License o jslideshare
http://www.odbms.org/ODMG/OG/wrayjohnson.asp http://code.google.com/p/jslideshare/
x o pdfbox http://pdfbox.apache.org/
o odmg http://www.odmg.org/wrayjohnson.htm o POI http://poi.apache.org/legal.html
• Oracle Binary Code License Agreement o mybatis http://code.google.com/p/mybatis/
o activation o quartz http://quartz-‐scheduler.org/
http://www.oracle.com/technetwork/java/jaf11-‐ o Apache Tika
139815.html http://lucene.apache.org/tika/license.html
o Oracle JDK o TrueLicense https://truelicense.dev.java.net/
http://www.oracle.com/technetwork/java/javas o wss4j http://ws.apache.org/wss4j/
e/terms/license/index.html o Spring Surf
• Public Domain License http://www.springsource.com/download/comm
o AOP Alliance http://aopalliance.sourceforge.net/ unity
o hrtlib http://www.javaworld.com/javaqa/2003-‐ • Artistic (BSD style)
01/01-‐qa-‐0110-‐timing.html o chiba http://sourceforge.net/projects/chiba
o XZ http://tukaani.org/xz/java.html • BSD
• Sun Public License o FreeMarker http://freemarker.sourceforge.net/
o BSH http://www.beanshell.org/ o YUI http://developer.yahoo.com/yui/
• XAM o jibx http://jibx.sourceforge.net/jibx-‐license.html
o XAM Connector • LGPL 3.0
http://www.emc.com/products/detail/software/ o JODConverter
centera-‐sdk-‐xam.htm http://jodconverter.sourceforge.net/
• LGPL 2.1
Alfresco has modified the source code of the following o hibernate http://www.hibernate.org/
third party libraries. Below is the list of modified modules o PDF Renderer http://java.net/projects/pdf-‐
and corresponding licenses. The svn diff files with the renderer
details of the changes can be found in the following • MPL
location: root/projects/3rd-‐party/src. o rhino-‐js http://www.mozilla.org/rhino/

3

Alfresco Security Best Practices: Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Alfresco Security Best Practices: Guide

Uploaded by

Copyright:

Available Formats

Alfresco Security Best

VERSION DATE AUTHOR DESCRIPTION OF CHANGE

0.1 23-Jul-14 Toni de la Fuente Initial version

HARDENING THE NETWORK AND OPERATING SYSTEM ........................................................ 11

SECURITY COMPLIANCE AND STANDARDS............................................................................. 41

How to Read this Guide

Disclaimer and Scope

Alfresco Security Policy

Release of Security Notifications

Reporting a Security Issue to Alfresco

The External and Internal Perspective

Discovery, Information Gathering and Information Leaks

Brute Force Username and Passwords Attacks

DOS and DDOS

Hardening the Network and Operating System

• “dir_root/solr” or “dir_root/lucene-­‐indexes”

Configuring Your Firewall

Protocol/Service Port TCP/UDP IN/OUT Active Comments

OpenOffice/JODconverter 8100 TCP IN Yes It works in localhost, do not open it at the

Protocol/Service Port TCP/UDP IN/OUT Active Comments

Kerberos 88 TCP/UDP OUT No In case Kerberos SSO is required

Determining Minimum Privileges

Alfresco Implementation Best Practices

Don Not Run the Application Server as Root

Repository Level Security

SMTP Inbound with TLS

SMTP Outbound with TLS

Connect to LDAP in Secure Mode with LDAPS

Understanding Roles and Permissions

Get to Know Logged Users

Reset Admin Password

Ticket Session Duration Control

Disable Unneeded Services

Disable Guest User

Review Sever Logs Periodically

Change JMX Default Credentials

Get Control of Deleted Content

Phase 1: A user or admin deletes a content item (sending it to the trashcan)

Questions and Answers About Content Deletion

Figure 1: Content deletion diagram

Share Level Security

Security Filters and Clickjacking Mitigation in Alfresco Share

Iframes and Phishing Attack Mitigation in Alfresco Share

Share HTML Processing Black/White List

Site Creation Control

Filter Document Actions by User or Role

Symbol Site Role

Download id="onActionDownload" <global, no specific label="actions.document.d %;*;#

View in Browser id="onActionView" <global, no specific label="actions.document.v %;*;#

Edit Metadata id="onActionDetails" permission="edit" label="actions.document.e *;#

? id="onActionSimpleAppr permission="simple-­‐ label="actions.document.si n/a

? id="onActionSimpleReje permission="simple-­‐ label="actions.document.si n/a

Upload New id="onActionUploadNew permission="edit" label="actions.document.u *;#

Inline Edit id="onActionInlineEdit" permission="edit,inline-­‐ label="actions.document.i *;#

Edit Online id="onActionEditOnline" permission="edit,online label="actions.document.e *;#

Edit Offline id="onActionEditOffline" permission="edit,~goog label="actions.document.e *;#

? id="onActionCheckoutT permission="edit,googl label="actions.document.c *;#

Copy to… id="onActionCopyTo" <global, no specific label="actions.document.c %;*;#

permission required> opy-­‐to"

Move to… id="onActionMoveTo" permission="delete" label="actions.document. #

Delete id="onActionDelete" permission="delete" label="actions.document.d #

Start Workflow id="onActionAssignWork <global, no specific label="actions.document.a %;*;#

Manage id="onActionManagePer permission="permission label="actions.document. #

• “dir_root/solr” or “dir_root/lucene-‐indexes”

? id="onActionSimpleAppr permission="simple-‐ label="actions.document.si n/a

? id="onActionSimpleReje permission="simple-‐ label="actions.document.si n/a

Inline Edit id="onActionInlineEdit" permission="edit,inline-‐ label="actions.document.i *;#

permission required> opy-‐to"