Handling AEM Security
There are various steps that you should take to ensure that your AEM installation is secure when deployed. Follow the security guidelines below:
1. Run AEM in production-ready mode
With AEM 6.1, Adobe introduces the new "nosamplecontent" runmode, aimed at automating the steps required to prepare an AEM instance for deployment in a production environment.
The new runmode will not only automatically configure the instance to adhere to the security best practices described in the security checklist, but will also remove all the sample project (wknd) content and configurations in the process.
Note: Running AEM in production-ready mode will effectively disable access to CRXDE Lite. If you need it for debugging purposes, you have to enable it.
2. Enable the HTTPS transport layer
Enabling the HTTPS transport layer on both author and publish instances is mandatory for a secure instance.
3. Install security hotfixes
Ensure that you have installed the latest security hotfixes provided by Adobe.
4. Change the default password for the AEM instance and the OSGi console
Adobe strongly recommends that after installation you change the password for the privileged AEM accounts (on all instances), including the accounts below:
· The AEM admin account. Once you have changed the password for the AEM admin account, you will need to use the new password when accessing CRX.
· The admin password for the OSGi Web console. This change will also be applied to the admin account used for accessing the Web console, so you will need to use the same password when accessing that.
Note:
· These two accounts use separate credentials, and having a distinct, strong password for each is vital to a secure deployment.
· Changing the admin account also changes the OSGi web console account. After changing the admin account, you should then change the OSGi account to something different.
How to change the AEM password
· http://localhost:4502/security/users.html (Touch UI) or
· http://localhost:4502/useradmin (Classic UI)
Here you can edit the admin account and change the password and other information.
Importance of changing the OSGi Web Console password:
· Exposure of the server with a default password during startup and shutdown (which can take minutes for large servers);
· Exposure of the server when the repository is down or the repository bundle is restarting while OSGi is still running.
How to change the OSGi console password
You must also change the password used for accessing the Web console. This is done by configuring the properties of the Apache Felix OSGi Management Console.
The password must be changed after the initial installation to ensure the security of your instance.
To do this:
· Navigate to the web console at localhost:4502/system/console/configMgr.
· Search for Apache Felix OSGi Management Console and change the user name and password.
· Click Save.
5. Implement a custom error handler
Adobe recommends defining custom error handler pages, especially for the 404 and 500 HTTP response codes, in order to prevent information disclosure.
6. Complete the Dispatcher security checklist
AEM Dispatcher is a critical piece of your infrastructure. Adobe strongly recommends that you complete the Dispatcher security checklist.
7. Configure the replication and transport users
The replication user is used to collect the content to be replicated on the author system before it is sent to the publisher.
The transport user should not be the admin user. Rather, set up a user on the publish system that has access rights only to the relevant portions of the publish system, and use that user's credentials for the transport.
8. Check the Operations Dashboard security health checks
AEM 6 introduces the new Operations Dashboard, aimed at helping system operators troubleshoot problems and monitor the health of an instance.
It can be viewed at:
http://localhost:4502/libs/granite/operations/content/healthreports/healthreportlist.html
The dashboard also comes with a collection of security health checks. It is recommended that you check the status of all the security health checks before going live with your production instance.
More information on managing the health check dashboard can be found at:
9. Delete any sample content
All example content and users (e.g. the Geometrixx project and its components) should be uninstalled and deleted completely on a productive system before making it publicly accessible.
10. Check for and uninstall the Sling development bundle
The AEM Developer Tools for Eclipse deploys the Apache Sling Tooling Support Install bundle (org.apache.sling.tooling.support.install). This OSGi bundle should be uninstalled on both author and publish productive systems before making them accessible.
11. CSRF protection framework
AEM 6.1 ships with a mechanism that helps protect against Cross-Site Request Forgery attacks, called the CSRF Protection Framework. Check and configure it in the OSGi configurations.
12. Configure the Sling referrer filter
To address known security issues with Cross-Site Request Forgery (CSRF) in CRX WebDAV and Apache Sling, you need to add configurations for the Referrer filter in order to use it.
The referrer filter service is an OSGi service that allows you to configure:
· which HTTP methods should be filtered;
· whether an empty referrer header is allowed;
· and a white list of servers to be allowed in addition to the server host.
By default, all variations of localhost and the current host names the server is bound to are in the white list.
Steps to configure the referrer filter service:
1. Open the Apache Felix console (Configurations) at: https://localhost:4502/system/console/configMgr
2. Log in as admin. In the Configurations menu, select Apache Sling Referrer Filter. In the Allow Hosts field, enter all hosts that are allowed as a referrer. Each entry needs to be of the form <protocol>://<server>:<port>, for example https://allowed.server:80 (allows all requests from this server with the given port). If you also want to allow https requests, you have to enter a second line. If you allow all ports from that server, you can use 0 as the port number.
3. Check the Allow Empty field if you want to allow empty/missing referrer headers.
4. Edit the methods this filter should use for checks with the Filter Methods field.
5. Click Save to save your changes.
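As an added illustration (not code from the original post or from Sling itself), the decision logic the Referrer filter settings above describe, modelled in Python: Allow Hosts entries of the form <protocol>://<server>:<port>, port 0 meaning "any port", the Allow Empty flag and the Filter Methods list. The host names, the allow list and the default method list are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed Allow Hosts entries, one per line as in the Felix config.
# Port 0 means "any port"; http and https need separate lines.
ALLOW_HOSTS = [
    "https://allowed.server:443",
    "http://allowed.server:80",
    "https://any-port.example:0",
]
ALLOW_EMPTY = False                                        # "Allow Empty" unchecked
FILTER_METHODS = {"POST", "PUT", "DELETE", "COPY", "MOVE"}  # assumed Filter Methods list

def _implicit_hosts(server_host):
    # localhost variants and the host the server is bound to are always allowed.
    return {"localhost", "127.0.0.1", "::1", server_host.lower()}

def referrer_allowed(method, referrer, server_host,
                     allow_hosts=ALLOW_HOSTS, allow_empty=ALLOW_EMPTY,
                     filter_methods=FILTER_METHODS):
    """Return True if the request passes the referrer check."""
    if method.upper() not in filter_methods:
        return True                       # non-filtered methods always pass
    if not referrer:
        return allow_empty                # missing/empty header: Allow Empty decides
    ref = urlsplit(referrer)
    if not ref.scheme or not ref.hostname:
        return False                      # relative or malformed referrer
    try:
        port = ref.port
    except ValueError:
        return False                      # unparsable port in referrer
    if ref.hostname in _implicit_hosts(server_host):
        return True
    if port is None:
        port = 443 if ref.scheme == "https" else 80
    for entry in allow_hosts:
        allowed = urlsplit(entry)
        if allowed.scheme != ref.scheme or allowed.hostname != ref.hostname:
            continue                      # scheme and host must both match
        if allowed.port in (0, port):
            return True                   # exact port, or 0 = any port
    return False
```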
13. Change some OSGi settings
Some OSGi settings are set by default to allow easier debugging of the application. These need to be changed on your publish and author productive instances to avoid internal information leaking to the public.
For each of the following services the specified settings need to be changed. Navigate to http://localhost:4502/system/console/configMgr and search for the following configurations to make the changes:
· Adobe Granite HTML Library Manager:
    o enable Minify (to remove CRLF and whitespace characters)
    o enable Gzip (to allow files to be gzipped and accessed with one request)
    o disable Debug
    o disable Timing
· Day CQ WCM Debug Filter:
    o uncheck Enable
· Day CQ WCM Filter:
    o on publish only, set WCM Mode to "disabled"
· Apache Sling Java Script Handler:
    o disable Generate Debug Info
· Apache Sling JSP Script Handler:
    o disable Generate Debug Info
    o disable Mapped Content
14. Mitigate DoS (denial of service) attacks
A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. This is often done by overloading the resource, for example:
· with a flood of requests from an external source;
· with a request for more information than the system can successfully deliver, for example a JSON representation of the entire repository;
· by requesting a content page with an unlimited number of URLs. The URL can include a handle, some selectors, an extension, and a suffix, any of which can be modified. For example, .../en.html can also be requested as:
    o .../en.ExtensionDosAttack
    o .../en.SelectorDosAttack.html
    o .../en.html/SuffixDosAttack
All valid variations (i.e. those that return a 200 response and are configured to be cached) will be cached by the dispatcher, eventually leading to a full file system and no service for further requests.
Configuring Sling to prevent DoS
Sling is content-centric. This means that processing is focused on the content, as each (HTTP) request is mapped onto content in the form of a JCR resource (a repository node):
· The first target is the resource (JCR node) holding the content.
· Secondly, the renderer, or script, is located from the resource properties in combination with certain parts of the request (e.g. selectors and/or the extension).
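To make the URL variations above concrete, here is an added Python model (not code from the original post, from Sling or from the Dispatcher) of how a request path is decomposed into resource, selectors, extension and suffix, followed by the allowlist decision a dispatcher /filter should make so that unbounded variants are rejected instead of cached. The mini repository and the allowlists are constructed for the example, and the decomposition is a simplified version of Sling's resolution.

```python
from typing import Optional

# Constructed mini repository and allowlists; not taken from a real instance.
RESOURCES = {"/", "/content", "/content/en", "/content/en/products"}
ALLOWED_EXTENSIONS = {"html", "json"}
ALLOWED_SELECTORS = {"print"}

def decompose(request_path: str, resources=RESOURCES) -> Optional[dict]:
    """Simplified Sling decomposition: cut the path at its rightmost '.' or '/'
    until an existing resource is found, then split what was cut off into
    selectors, extension and suffix. None means no resource resolves (404)."""
    cur, path_info = request_path, ""
    while cur not in resources:
        cut = max(cur.rfind("."), cur.rfind("/"))
        if cut <= 0:
            return None
        cur, path_info = cur[:cut], cur[cut:] + path_info
    if path_info and not path_info.startswith("."):
        return None                     # "/suffix" without an extension does not resolve
    head, _, suffix = path_info[1:].partition("/")
    tokens = head.split(".") if head else []
    return {
        "resource": cur,
        "selectors": tokens[:-1],
        "extension": tokens[-1] if tokens else "",
        "suffix": "/" + suffix if suffix else "",
    }

def request_decision(request_path: str) -> str:
    """Allowlist decision modelled on a dispatcher /filter: only known
    extensions and selectors, and no suffix, may reach the cache."""
    parts = decompose(request_path)
    if parts is None:
        return "not-found"
    if parts["extension"] not in ALLOWED_EXTENSIONS:
        return "deny"                   # e.g. en.ExtensionDosAttack
    if not set(parts["selectors"]) <= ALLOWED_SELECTORS:
        return "deny"                   # e.g. en.SelectorDosAttack.html
    if parts["suffix"]:
        return "deny"                   # e.g. en.html/SuffixDosAttack
    return "allow"
```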
15. Use a firewall to filter access to the instance
The use of an operating-system-level firewall is necessary in order to filter access to points of your instance that might lead to denial of service attacks if left unprotected.
16. Disable WebDAV access
WebDAV should be disabled on both the author and publish environments. This can be done by stopping the appropriate OSGi bundles.
1. Open the Felix Management Console running on: http://localhost:4503/system/console/bundles
2. In the list of bundles, find the bundle named Apache Sling Simple WebDAV Access to repositories (org.apache.sling.jcr.webdav).
3. Click the stop button (in the Actions column) to stop this bundle.
4. Again in the list of bundles, find the bundle named Apache Sling DavEx Access to repositories (org.apache.sling.jcr.davex).
5. Click the stop button to stop this bundle.
17. Perform a penetration test
Adobe strongly recommends performing a penetration test of your AEM infrastructure before going to production.