Enportal/5.5/admin/system administration/security: Difference between revisions

imported>Jason.nicholls
No edit summary
imported>Jason.nicholls
No edit summary
Line 40: Line 40:
# Concurrent user sessions. By default a user can be logged in multiple times, however this can be changed so that only one session can exist for a given user. This really depends on your organizations usage and security policies.
# Concurrent user sessions. By default a user can be logged in multiple times, however this can be changed so that only one session can exist for a given user. This really depends on your organizations usage and security policies.
# use the enPortal CRS to virtually harden proxied web applications. This may be to completely restrict the content that's exposed to users or even to require authentication when the web application doesn't support it.
# use the enPortal CRS to virtually harden proxied web applications. This may be to completely restrict the content that's exposed to users or even to require authentication when the web application doesn't support it.
#* By default user and domain credentials are echoed in HTTP responses (but not the password). Some security analysis tools will identify this as a security vulnerability, and users can disable this functionality by editing/adding <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/custom.properties</tt> and adding the line <tt>jsp.usercookies=false</tt>.
# XSS and Vulnerability Tool Hardening:
# XSS and Vulnerability Tool Hardening:
#* [[enportal/5.5/admin/user_administration/security/xss_rules|Managing XSS Rules]]
#* enPortal core components are protected by performing input validation and a configurable set of rules checks all client requests (query, headers, body) for malicious matches.
#* The CRS can be used to provide protection to proxied web applications. Some default handlers are included with enPortal but disabled by default.
#* Refer to the [[enportal/5.5/admin/user_administration/security/xss_rules|Managing XSS Rules]] page for more information.
#* By default, some trust is associated with HTTP requests whose Referer tags indicate local origination. This is conifgurable via <i>Rule 77</i> in <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/config.properties</tt> which is enabled by default. However, while browsers do not allow changing the Referer dynamically without the user intentionally setting a new value, the Referer in the HTTP request is spoofed by most security attack tools and would yield failed test results if local origin Referers are trusted. Although all XSS issues (that are known) have been dealt with on the response side and thus should not pose a security risk, if there is a need to employ multiple layers of security against XSS attacks, it may be required to comment this rule, which will cause all requests (regardless of Referer) to be checked for XSS attacks via <i>Rule 99 below</i>. Disabling <i>Rule 77</i> may result in some minimal loss of functionality, including:
#* By default, some trust is associated with HTTP requests whose Referer tags indicate local origination. This is conifgurable via <i>Rule 77</i> in <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/config.properties</tt> which is enabled by default. However, while browsers do not allow changing the Referer dynamically without the user intentionally setting a new value, the Referer in the HTTP request is spoofed by most security attack tools and would yield failed test results if local origin Referers are trusted. Although all XSS issues (that are known) have been dealt with on the response side and thus should not pose a security risk, if there is a need to employ multiple layers of security against XSS attacks, it may be required to comment this rule, which will cause all requests (regardless of Referer) to be checked for XSS attacks via <i>Rule 99 below</i>. Disabling <i>Rule 77</i> may result in some minimal loss of functionality, including:
#** RegEx Evaluator channel (<tt>/system/proxy/Regex Evaluator</tt>) will not be able to handle grouping characters (). The input, pattern, and replace fields will not be able to handle any entered text that is matched by the regex pattern. <tt>[\'\"].*[;]|[<>\(\)]</tt>
#** RegEx Evaluator channel (<tt>/system/proxy/Regex Evaluator</tt>) will not be able to handle grouping characters (). The input, pattern, and replace fields will not be able to handle any entered text that is matched by the regex pattern. <tt>[\'\"].*[;]|[<>\(\)]</tt>
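Review bot: the bullet added to the end of the CRS item in this hunk (the one ending in jsp.usercookies=false) describes how enPortal itself echoes user and domain credentials in its own HTTP responses, not CRS hardening of a proxied application, so nesting it under "use the enPortal CRS to virtually harden proxied web applications" reads as if the setting were a CRS feature; a separate numbered item, or a lead-in such as "Separately, enPortal itself ...", would make the scope clear. The Rule 77 bullet is carried over unchanged and still contains the typo "conifgurable"; "Referer tags" should also read "Referer header", since Referer is a request header.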
Line 53: Line 56:
#*** Expression Evaluator
#*** Expression Evaluator
#*** Display name for menu (folder) and channels
#*** Display name for menu (folder) and channels
#* By default user and domain credentials are echoed in HTTP responses (but not the password). Some security analysis tools will identify this as a security vulnerability, and users can disable this functionality by editing/adding <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/custom.properties</tt> and adding the line <tt>jsp.usercookies=false</tt>.
 
#* CRS XSS Rules: <tt>handleXSS.xml</tt> is created and placed in <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/runtimehandlers</tt> directory. This file can be assigned to a channel or to the Proxy class of pim packages for specific integration need. Or it can be moved to <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/defaulthandlers</tt> directory for system wide checking.
#* CRS XSS Rules: <tt>handleXSS.xml</tt> is created and placed in <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/runtimehandlers</tt> directory. This file can be assigned to a channel or to the Proxy class of pim packages for specific integration need. Or it can be moved to <tt>[INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/defaulthandlers</tt> directory for system wide checking.
# SSL Browser Caching
# SSL Browser Caching
#* By default, Appboard now marks all content (excpet for images, CSS, or Javascript) as non-cacheable, which is a suggestion to browsers not to retain such content for efficiency purposes. There is a property (<i>request.ssl.cache</i>, specified in WEB-INF/config/config.properties) which can be toggled to "true" and will cause XML, HTML, and SWF content to be cached, as well. Setting this to "true" may slightly increase client performance with the increased risk of possibly sensitive content being retained by browsers.
#* By default, Appboard now marks all content (excpet for images, CSS, or Javascript) as non-cacheable, which is a suggestion to browsers not to retain such content for efficiency purposes. There is a property (<i>request.ssl.cache</i>, specified in WEB-INF/config/config.properties) which can be toggled to "true" and will cause XML, HTML, and SWF content to be cached, as well. Setting this to "true" may slightly increase client performance with the increased risk of possibly sensitive content being retained by browsers.
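Review bot: the SSL Browser Caching bullet, unchanged in this hunk, still has the typo "excpet" and spells the product "Appboard" where the rest of the revision uses "AppBoard"; its path WEB-INF/config/config.properties is also the only one in this revision without the [INSTALL_HOME]/server/webapps/enportal/ prefix used for every other path. Since this hunk only removes the relocated jsp.usercookies bullet, it would be a cheap moment to fix those three items as well.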

Revision as of 08:39, 25 September 2014


Overview

The overall security of, and provided by, Edge Technologies products is very important to us and our customers. This is fulfilled via development processes, staying abreast of known vulnerabilities, and listening to our customers when security concerns are raised.

Our software is deployed in many different scenarios such as Internet facing portals, internal corporate usage, and secure environments with multi-factor authentication. One key reason for this is the ability of enPortal to harden proxied web applications such as restricting who and what someone can access - something the proxied web application cannot do itself. enPortal has even been used to address known vulnerabilities in proxied web applications such as Cross-site scripting (XSS) if the vendor of that application isn't able to address it.


Security Patches

If Edge becomes aware of a vulnerability in a component used by our products, or within the product itself, depending on the severity we will either produce a patch for existing deployments or address the issue in the subsequent product release.

To report security concerns or issues regarding known vulnerabilities, please contact Support.

Passwords & Secrets

enPortal and AppBoard need to store passwords or secrets for a number of different purposes:

  • user authentication (if not using an external auth provider such as LDAP)
  • Single-Sign-On (SSO) tokens for proxied web applications (if not using auth pass-through)
  • access credentials if using an external configuration database
  • access credentials for AppBoard Data Sources

By default all these passwords and secrets are stored encrypted using 128-bit AES (approved by NIST). Best practice is to create a new encryption key after installing the product.

Features & Recommendations

Edge Technologies enPortal and AppBoard share a common code base, and the following features and recommendations apply to both unless otherwise indicated. Although we endeavour to provide a secure configuration out-of-the-box, interoperability requirements and items that depend on site-specific configuration mean you should be familiar with all the security-related features and determine what suits your organization best.

  1. Run as non-root on Linux/UNIX systems. This is the default configuration. Running as root is possible, for instance to bind to a port < 1024; in that case it is recommended either to use JSVC, which binds the port and then gives up privileges, or to use some external mechanism as the end point, such as a load balancer that talks to the server on a port > 1024.
  2. Enable SSL/TLS (HTTPS). The products ship with a self-signed certificate to allow easy testing; this certificate should be replaced as soon as possible.
  3. Ensure the latest supported version of Java is used on the server.
  4. Implement system-wide or domain-specific password policies to ensure end-users have secure passwords.
  5. Use multi-factor authentication. For example, we have customers using CAC that makes use of HTTPS client authentication. Other options are possible via our extensible authentication handlers.
  6. Change the default encryption key as mentioned in the Passwords & Secrets section above.
  7. Disable the default accounts. Administrator privileges can be assigned to other users as needed (/portalAdministration role)
  8. Customize the login page. This can be used to disable form pre-fill or to provide/remove content as deemed necessary.
  9. Restrict access to the host. Clients only require access to the single listening port of the server - and this should be the only port open to the clients. The server itself will need access to the proxied web applications (enPortal) and any data sources (AppBoard).
  10. Concurrent user sessions. By default a user can be logged in multiple times; this can be changed so that only one session can exist for a given user. Which setting is appropriate depends on your organization's usage and security policies.
  11. Use the enPortal CRS to virtually harden proxied web applications. This can range from completely restricting the content exposed to users to requiring authentication when the web application does not support it itself.
    • By default the user and domain credentials are echoed in HTTP responses (but not the password). Some security analysis tools will flag this as a security vulnerability; it can be disabled by creating or editing [INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/custom.properties and adding the line jsp.usercookies=false.
  12. XSS and Vulnerability Tool Hardening:
    • enPortal core components are protected by performing input validation and a configurable set of rules checks all client requests (query, headers, body) for malicious matches.
    • The CRS can be used to provide protection to proxied web applications. Some default handlers are included with enPortal but disabled by default.
    • Refer to the Managing XSS Rules page for more information.
    • By default, some trust is given to HTTP requests whose Referer header indicates local origin. This is configurable via Rule 77 in [INSTALL_HOME]/server/webapps/enportal/WEB-INF/config/config.properties, which is enabled by default. Browsers do not allow the Referer to be changed dynamically unless the user intentionally sets a new value, but most security testing tools spoof the Referer in the HTTP request, so a scan will report failures if locally originating Referers are trusted. All known XSS issues have been dealt with on the response side and so should not pose a security risk, but if multiple layers of defence against XSS attacks are required, this rule can be commented out, which causes all requests (regardless of Referer) to be checked for XSS attacks via Rule 99 below. Disabling Rule 77 may result in some minimal loss of functionality, including:
      • The RegEx Evaluator channel (/system/proxy/Regex Evaluator) will not be able to handle the grouping characters ( and ). The input, pattern, and replace fields will not accept any entered text that matches the regex pattern [\'\"].*[;]|[<>\(\)].
      • The channel creation wizard will not be able to create parameters whose values match the regex pattern [\'\"].*[;]|[<>\(\)].
      • The following configuration items could conceivably be affected if the user input happens to match the regex pattern ([\'\"].*[;]|[<>\(\)]):
        • SSO token for passwords
        • Portal user passwords
        • XMLImport file name
        • Proxied channel parameters
        • Regex Evaluator
        • Expression Evaluator
        • Display name for menu (folder) and channels
    • CRS XSS Rules: handleXSS.xml is created and placed in the [INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/runtimehandlers directory. This file can be assigned to a channel or to the Proxy class of pim packages for a specific integration need, or it can be moved to the [INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/defaulthandlers directory for system-wide checking.
  13. SSL Browser Caching
    • By default, AppBoard now marks all content (except images, CSS, and JavaScript) as non-cacheable, which is a suggestion to browsers not to retain such content for efficiency purposes. The property request.ssl.cache (specified in WEB-INF/config/config.properties) can be set to "true" to cause XML, HTML, and SWF content to be cached as well. Setting it to "true" may slightly increase client performance at the increased risk of possibly sensitive content being retained by browsers.
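The trade-off described in item 12 above (trusting locally originating Referers via Rule 77 versus checking every request against the XSS pattern) is easier to reason about with a small model of the check. The following Python is an added example written for this page; it is not enPortal code and does not read enPortal's rule files. It applies the pattern quoted on the page, [\'\"].*[;]|[<>\(\)], to the query string and form body of constructed sample requests, with a switch that mimics what the page says Rule 77 does. The host name, URLs, field names and the decision to skip header scanning are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# The request-check pattern quoted on the page for the XSS rules.
XSS_PATTERN = re.compile(r"[\'\"].*[;]|[<>\(\)]")

# Hypothetical host name of the portal, used to decide whether a Referer is "local".
LOCAL_HOST = "portal.example.internal"


def referer_is_local(headers, local_host=LOCAL_HOST):
    """True if the Referer header names the portal host itself."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == local_host


def scan_fields(prefix, encoded):
    """Yield (location, value) for every form/query field whose value matches."""
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        if XSS_PATTERN.search(value):
            yield prefix + name, value


def check_request(request, trust_local_referer=True):
    """Apply the XSS pattern to a request's query string and form body.

    With trust_local_referer=True a request whose Referer is local is not
    inspected at all, mirroring what the page describes for Rule 77; with
    False every request is inspected. Header scanning is left out here
    (an assumption: the real rule set is configurable).
    """
    if trust_local_referer and referer_is_local(request["headers"]):
        return []
    findings = list(scan_fields("query:", urlsplit(request["url"]).query))
    findings += list(scan_fields("body:", request.get("body", "")))
    return findings


# Constructed sample requests (not captured traffic).
_REGEX_FORM = urlencode({"pattern": r"(\d+)-(\d+)", "replace": r"$2/$1"})
SAMPLES = {
    # Saving a regex with grouping parentheses in the Regex Evaluator channel,
    # submitted from a page on the portal itself.
    "regex_evaluator_local": {
        "url": "https://portal.example.internal/enportal/proxy/regex",
        "headers": {"Referer": "https://portal.example.internal/enportal/home"},
        "body": _REGEX_FORM,
    },
    # The same submission, but the Referer names some other site.
    "regex_evaluator_foreign": {
        "url": "https://portal.example.internal/enportal/proxy/regex",
        "headers": {"Referer": "https://other.example/page"},
        "body": _REGEX_FORM,
    },
    # Markup in a query parameter, with no Referer at all.
    "markup_in_query": {
        "url": "https://portal.example.internal/enportal/search?q=%3Cscript%3E",
        "headers": {},
        "body": "",
    },
}


def summarize(trust_local_referer):
    """Number of flagged fields per sample for a given Rule 77 setting."""
    return {name: len(check_request(req, trust_local_referer))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for setting in (True, False):
        print("trust local Referer =", setting, "->", summarize(setting))
```

With the local Referer trusted, the legitimate regex submission from the portal's own page passes untouched while the same body arriving with a foreign Referer is flagged on its "pattern" field; with trust disabled, the local submission is flagged too, which is exactly the Regex Evaluator functionality loss the page warns about. The markup in the query string is flagged either way.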
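The SSL Browser Caching item above describes which content types the server marks non-cacheable and how request.ssl.cache changes that, but not how to confirm what a deployment actually sends. The following Python is an added example for this page, not AppBoard code: it audits a set of observed response headers against the expectation the page describes. The mapping from the page's wording to MIME types, the use of the Cache-Control no-store/no-cache directives as the "non-cacheable" marker, and the sample responses are all assumptions made for the example.

```python
# The page's wording ("images, CSS, or JavaScript" always cacheable; "XML, HTML,
# and SWF" cacheable only when request.ssl.cache=true) mapped to MIME types.
# The mapping and the header values below are assumptions for this example.
STATIC_TYPES = {"image/png", "image/gif", "image/jpeg", "image/svg+xml",
                "text/css", "application/javascript", "text/javascript"}
SSL_CACHE_GATED_TYPES = {"text/html", "text/xml", "application/xml",
                         "application/x-shockwave-flash"}


def base_type(content_type):
    """'text/html;charset=UTF-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def expected_cacheable(content_type, ssl_cache=False):
    """Whether a response of this type should be cacheable under the setting."""
    ct = base_type(content_type)
    if ct in STATIC_TYPES:
        return True
    if ct in SSL_CACHE_GATED_TYPES:
        return ssl_cache
    return False  # anything else is treated as non-cacheable (assumption)


def marked_non_cacheable(headers):
    """True if Cache-Control tells the browser not to retain the response."""
    directives = {d.strip().lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    return bool(directives & {"no-store", "no-cache"})


def audit(responses, ssl_cache=False):
    """Return the paths whose observed caching disagrees with expected_cacheable()."""
    return [path for path, headers in responses
            if (not marked_non_cacheable(headers))
            != expected_cacheable(headers.get("Content-Type", ""), ssl_cache)]


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = [
    ("/enportal/home", {"Content-Type": "text/html;charset=UTF-8",
                        "Cache-Control": "no-store, no-cache, must-revalidate"}),
    ("/enportal/images/logo.png", {"Content-Type": "image/png",
                                   "Cache-Control": "max-age=3600"}),
    ("/enportal/data/report.xml", {"Content-Type": "text/xml",
                                   "Cache-Control": "max-age=600"}),
]


if __name__ == "__main__":
    for setting in (False, True):
        print("request.ssl.cache =", str(setting).lower(),
              "-> mismatches:", audit(SAMPLE_RESPONSES, setting))
```

Run against the default (request.ssl.cache unset), the audit reports the XML response that a browser is allowed to keep; with the property set to "true" it instead reports the HTML page that is still being marked non-cacheable, so the same check works as a regression test for whichever setting a site has chosen.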