Security Checklist security-checklist
This section deals with various steps that you should take to ensure that your AEM installation is secure when deployed. The checklist is meant to be applied from top to bottom.
Main Security Measures main-security-measures
Run AEM in Production Ready Mode run-aem-in-production-ready-mode
For more information, see Running AEM in Production Ready Mode.
Enable HTTPS for transport layer security enable-https-for-transport-layer-security
Enabling the HTTPS transport layer on both author and publish instances is mandatory for having a secure instance.
Install Security Hotfixes install-security-hotfixes
Ensure that you have installed the latest security hotfixes.
Change Default Passwords For the AEM and OSGi Console Admin Accounts change-default-passwords-for-the-aem-and-osgi-console-admin-accounts
Adobe strongly recommends that after installation you change the password for the privileged AEM admin accounts (on all instances).
These accounts include:
- The AEM admin account. Once you have changed the password for the AEM admin account, you need to use the new password when accessing CRX.
- The admin password for the OSGi Web console. While the repository is available, the Web console authenticates against it, so the new AEM admin password is also used there; the Web console's own credentials are what remains in use when the repository is not running.
These two accounts use separate credentials, and having a distinct, strong password for each is vital to a secure deployment.
Changing the AEM admin password changing-the-aem-admin-password
The password for the AEM admin account can be changed via the Granite Operations - Users console. Here you can edit the admin account and change the password.
Importance of Changing the OSGi Web Console Password importance-of-changing-the-osgi-web-console-password
Aside from the AEM admin account, failing to change the default password for the OSGi web console can lead to:
- Exposure of the server with a default password during startup and shutdown (which can take minutes for large servers);
- Exposure of the server when the repository is down or its bundle is restarting while the OSGi framework is still running.
For more information on changing the web console password, see Changing the OSGi web console admin password below.
Changing the OSGi web console admin password changing-the-osgi-web-console-admin-password
You must also change the password used for accessing the Web console. This is done by configuring the following properties of the Apache Felix OSGi Management Console:
User Name and Password, the credentials for accessing the Apache Felix Web Management Console itself.
The password must be changed after the initial installation to ensure the security of your instance.
To do this:
- Navigate to the web console at <server>:<port>/system/console/configMgr.
- Navigate to Apache Felix OSGi Management Console and change the user name and password.
- Click Save.
Implement Custom Error Handler implement-custom-error-handler
Adobe recommends defining custom error handler pages, especially for the 404 and 500 HTTP response codes, in order to prevent information disclosure.
Complete Dispatcher Security Checklist complete-dispatcher-security-checklist
AEM Dispatcher is a critical piece of your infrastructure. Adobe strongly recommends that you complete the Dispatcher Security Checklist.
Verification Steps verification-steps
Configure replication and transport users configure-replication-and-transport-users
A standard installation of AEM specifies admin as the user for transport credentials within the default replication agents. Also, the admin user is used to source the replication on the author system.
For security considerations, both should be changed to reflect the particular use case at hand, with the following two aspects in mind:
- The transport user should not be the admin user. Rather, set up a user on the publish system that has access rights only to the relevant portions of the publish system and use that user's credentials for the transport.
You can start from the bundled replication-receiver user and configure this user's access rights to match your situation.
- The replication user or Agent User Id should also not be the admin user, but a user who can only see content that is supposed to be replicated. The replication user is used to collect the content to be replicated on the author system before it is sent to the publisher.
Check the Operations Dashboard Security Health Checks check-the-operations-dashboard-security-health-checks
AEM 6 introduces the new Operations Dashboard, aimed at helping system operators troubleshoot problems and monitor the health of an instance.
The dashboard also comes with a collection of security health checks. It is recommended you check the status of all the security health checks before going live with your production instance. For more information, consult the Operations Dashboard documentation.
Check if Example Content is Present check-if-example-content-is-present
All example content and users (e.g. the Geometrixx project and its components) should be uninstalled and deleted completely on a productive system before making it publicly accessible.
Check if the CRX development bundles are present check-if-the-crx-development-bundles-are-present
These development OSGi bundles should be uninstalled on both author and publish productive systems before making them accessible.
- Adobe CRXDE Support (com.adobe.granite.crxde-support)
- Adobe Granite CRX Explorer (com.adobe.granite.crx-explorer)
- Adobe Granite CRXDE Lite (com.adobe.granite.crxde-lite)
Check if the Sling development bundle is present check-if-the-sling-development-bundle-is-present
The AEM Developer Tools for Eclipse deploys the Apache Sling Tooling Support Install bundle (org.apache.sling.tooling.support.install).
This OSGi bundle should be uninstalled on both author and publish productive systems before making them accessible.
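A way to verify the two checks above from the command line, as an added example (not Adobe's code): the script reads the bundle listing that the Felix Web Console serves at /system/console/bundles.json and reports any of the development bundles named in this checklist that are still installed, whatever their state. The fetch needs the Web Console credentials; the check itself is a pure function, and the sample listing embedded below is constructed for illustration, not real AEM output.

```python
"""Report development bundles still installed on an AEM instance.

Added example, not part of AEM or the Felix Web Console. The listing
format is the Web Console's bundles.json ("data" array, one object per
bundle with "symbolicName" and "state"); SAMPLE_LISTING is constructed.
"""
import base64
import json
import urllib.request

# Symbolic names that must not be present on a production author or publish instance.
DEV_BUNDLES = {
    "com.adobe.granite.crxde-support",           # Adobe CRXDE Support
    "com.adobe.granite.crx-explorer",            # Adobe Granite CRX Explorer
    "com.adobe.granite.crxde-lite",              # Adobe Granite CRXDE Lite
    "org.apache.sling.tooling.support.install",  # Apache Sling Tooling Support Install
}


def fetch_bundle_listing(base_url, user, password, timeout=10):
    """Fetch <base_url>/system/console/bundles.json using HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/system/console/bundles.json",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_dev_bundles(listing):
    """Return {symbolicName: state} for every development bundle in the listing.

    A bundle counts as present regardless of state: an "Installed" or
    "Resolved" bundle can be started later, so it must be uninstalled,
    not merely stopped.
    """
    found = {}
    for bundle in listing.get("data", []):
        name = bundle.get("symbolicName")
        if name in DEV_BUNDLES:
            found[name] = bundle.get("state", "unknown")
    return found


# Constructed sample in the shape of bundles.json (not real output).
SAMPLE_LISTING = {
    "status": "Bundle information: 3 bundles in total - 2 bundles active, 1 bundle resolved.",
    "data": [
        {"id": 10, "symbolicName": "org.apache.sling.api", "state": "Active", "version": "2.16.0"},
        {"id": 250, "symbolicName": "com.adobe.granite.crxde-lite", "state": "Active", "version": "1.0.0"},
        {"id": 260, "symbolicName": "org.apache.sling.tooling.support.install", "state": "Resolved", "version": "1.0.0"},
    ],
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # usage: check_dev_bundles.py https://author.example:4502 admin '<password>'
        listing = fetch_bundle_listing(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        listing = SAMPLE_LISTING
    hits = find_dev_bundles(listing)
    for name, state in sorted(hits.items()):
        print(f"FAIL: development bundle present: {name} ({state})")
    print("OK: no development bundles found" if not hits
          else f"{len(hits)} development bundle(s) must be uninstalled")
    sys.exit(1 if hits else 0)
```

Run it against both author and publish before go-live; a non-zero exit makes it usable as a gate in a deployment pipeline.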
Protect against Cross-Site Request Forgery protect-against-cross-site-request-forgery
The CSRF Protection Framework the-csrf-protection-framework
AEM 6.1 ships with a mechanism that helps protect against Cross-Site Request Forgery attacks, called the CSRF Protection Framework. For more information on how to use it, consult the documentation.
The Sling Referrer Filter the-sling-referrer-filter
To address known security issues with Cross-Site Request Forgery (CSRF) in CRX WebDAV and Apache Sling you need to add configurations for the Referrer filter in order to use it.
The referrer filter service is an OSGi service that allows you to configure:
- which HTTP methods should be filtered
- whether an empty referrer header is allowed
- and a list of servers to be allowed in addition to the server host.
By default, all variations of localhost and the current host names the server is bound to are in the list.
To configure the referrer filter service:
- Open the Apache Felix console (Configurations) at: https://<server>:<port_number>/system/console/configMgr
- Login as admin.
- In the Configurations menu, select: Apache Sling Referrer Filter
- In the Allow Hosts field, enter all hosts that are allowed as a referrer. Each entry needs to be of the form <protocol>://<server>:<port>
For example: http://allowed.server:80 allows all requests from this server with the given port.
  - If you also want to allow https requests, you have to enter a second line.
  - If you want to allow all ports from that server you can use 0 as the port number.
- Check the Allow Empty field if you want to allow empty/missing referrer headers.
CAUTION: It is recommended to provide a referrer while using command-line tools such as cURL instead of allowing an empty value, as it might expose your system to CSRF attacks.
- Edit the methods this filter should use for checks with the Filter Methods field.
- Click Save to save your changes.
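To see what each of these settings does to an incoming request, the following added example re-implements the decision rules described above as a small model. It is not Sling's ReferrerFilter source: the default set of filtered methods (POST, PUT, DELETE) and the localhost list are assumptions of the example, regular-expression host entries and excluded paths are left out, and the model treats any Referer that is not an absolute http(s) URL as foreign. The filter instance built at the bottom uses the entries from the text plus a constructed second host.

```python
"""Model of the Apache Sling Referrer Filter rules described on this page.

Added example, not Sling's code. Allow Hosts entries have the form
<protocol>://<server>:<port>, where port 0 matches any port; the
server's own host and localhost are always accepted; an empty or
missing Referer is accepted only when allow_empty is set; methods not
in filter_methods are never checked.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class ReferrerFilter:
    def __init__(self, allow_hosts, filter_methods=("POST", "PUT", "DELETE"),
                 allow_empty=False, local_hosts=("localhost", "127.0.0.1")):
        # filter_methods default and local_hosts are assumptions of this example.
        self.allowed = {self._parse_entry(e) for e in allow_hosts}
        self.filter_methods = {m.upper() for m in filter_methods}
        self.allow_empty = allow_empty
        self.local_hosts = set(local_hosts)

    @staticmethod
    def _parse_entry(entry):
        """Turn '<protocol>://<server>:<port>' into (scheme, host, port)."""
        parts = urlsplit(entry)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"entry must be <protocol>://<server>:<port>: {entry!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        return (parts.scheme, parts.hostname, port)

    def is_allowed(self, method, request_host, referrer):
        """Decide whether a request passes. request_host is the Host header."""
        if method.upper() not in self.filter_methods:
            return True                      # e.g. GET is never filtered
        if not referrer:
            return self.allow_empty          # the 'Allow Empty' setting
        parts = urlsplit(referrer)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return False                     # not an absolute http(s) URL
        host = parts.hostname
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        own_host = request_host.split(":")[0].lower()
        if host in self.local_hosts or host == own_host:
            return True                      # server referring to itself
        for scheme, allowed_host, allowed_port in self.allowed:
            if scheme == parts.scheme and allowed_host == host and allowed_port in (0, port):
                return True
        return False


if __name__ == "__main__":
    # 'other.server' is a constructed second entry; port 0 allows any port.
    f = ReferrerFilter(["http://allowed.server:80", "https://other.server:0"])
    for method, ref in [("GET", None), ("POST", None),
                        ("POST", "http://allowed.server/form"),
                        ("POST", "http://allowed.server:8080/form"),
                        ("POST", "https://other.server:8443/form"),
                        ("POST", "http://attacker.example/form")]:
        print(f"{method:5} Referer={ref!r:40} -> {'allow' if f.is_allowed(method, 'www.example.com:4503', ref) else 'reject (403)'}")
```

The model makes the caution above concrete: with Allow Empty unset, a POST sent by cURL without a Referer header is rejected, so scripts must send one (for example `-H 'Referer: https://www.example.com/'`) rather than the filter being loosened for them.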
OSGI Settings osgi-settings
Some OSGi settings are set by default to allow easier debugging of the application. These need to be changed on your publish and author productive instances to avoid internal information leaking to the public.
For each of the following services the specified settings need to be changed:
- Adobe Granite HTML Library Manager:
  - enable Minify (to remove CRLF and whitespace characters).
  - enable Gzip (to allow files to be gzipped and accessed with one request).
  - disable Debug
  - disable Timing
-
  - uncheck Enable
-
  - on publish only, set WCM Mode to "disabled"
- Apache Sling Java Script Handler:
  - disable Generate Debug Info
- Apache Sling JSP Script Handler:
  - disable Generate Debug Info
  - disable Mapped Content
For further details see OSGi Configuration Settings.
When working with AEM there are several methods of managing the configuration settings for such services; see Configuring OSGi for more details and the recommended practices.
Further Readings further-readings
Mitigate Denial of Service (DoS) Attacks mitigate-denial-of-service-dos-attacks
A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. This is often done by overloading the resource; for example:
- With a flood of requests from an external source.
- With a request for more information than the system can successfully deliver. For example, a JSON representation of the entire repository.
- By requesting a content page through an unlimited number of URL variations. The URL can include a handle, some selectors, an extension, and a suffix, any of which can be modified. For example, .../en.html can also be requested as:
  - .../en.ExtensionDosAttack
  - .../en.SelectorDosAttack.html
  - .../en.html/SuffixDosAttack
All valid variations (i.e. those that return a 200 response and are configured to be cached) will be cached by the dispatcher, eventually leading to a full file system and no service for further requests.
There are many points of configuration for preventing such attacks, here we only discuss those directly related to AEM.
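The following added example (not Sling's or the Dispatcher's code) shows how a request path is split into the four parts named above and how an allow list over selectors, extensions and suffix rejects the three cache-filling variants while still serving the legitimate page. It stands in for the repository with a constructed set of resource paths and for the real filter with a few allow-list constants; both are assumptions of the example.

```python
"""Decompose Sling-style request URLs and allow-list their parts.

Added example, not Sling or Dispatcher code. RESOURCES, ALLOWED_EXTENSIONS
and ALLOWED_SELECTORS are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SlingUrl:
    resource: str
    selectors: list = field(default_factory=list)
    extension: str = ""
    suffix: str = ""


def decompose(path, resources):
    """Split a request path into resource, selectors, extension and suffix.

    As in Sling, the longest leading part of the path that names an existing
    resource wins; whatever follows it reads as ".sel1.sel2.ext/suffix".
    Returns None when no prefix resolves (Sling would answer 404).
    """
    # Full path first, then every shorter prefix that ends just before a '.' or '/'.
    candidates = [path] + [path[:i] for i in range(len(path) - 1, 0, -1) if path[i] in "./"]
    for candidate in candidates:
        if candidate in resources:
            rest = path[len(candidate):]
            break
    else:
        return None
    sel_ext, _, suffix = rest.partition("/")
    parts = sel_ext.split(".")[1:]            # drop the empty piece before the first '.'
    url = SlingUrl(resource=candidate)
    if parts:
        url.extension = parts[-1]             # last dotted piece is the extension
        url.selectors = parts[:-1]            # everything in between is a selector
    if suffix:
        url.suffix = "/" + suffix
    return url


def is_allowed(url, allowed_extensions, allowed_selectors, allow_suffix=False):
    """Return (allowed, reason); anything outside the allow list is rejected."""
    if url is None:
        return False, "no such resource"
    if url.extension not in allowed_extensions:
        return False, f"extension {url.extension!r} not allowed"
    bad = [s for s in url.selectors if s not in allowed_selectors]
    if bad:
        return False, f"selector(s) {bad} not allowed"
    if url.suffix and not allow_suffix:
        return False, f"suffix {url.suffix!r} not allowed"
    return True, "ok"


# Constructed stand-ins for the repository and for the allow-list configuration.
RESOURCES = {"/content/site", "/content/site/en", "/content/site/en/products"}
ALLOWED_EXTENSIONS = {"html", "json"}
ALLOWED_SELECTORS = {"print"}


def check(path):
    """Allow-list decision for one request path against the constructed setup."""
    return is_allowed(decompose(path, RESOURCES), ALLOWED_EXTENSIONS, ALLOWED_SELECTORS)


if __name__ == "__main__":
    for p in ["/content/site/en.html", "/content/site/en.print.html",
              "/content/site/en.ExtensionDosAttack", "/content/site/en.SelectorDosAttack.html",
              "/content/site/en.html/SuffixDosAttack", "/content/missing.html"]:
        print(f"{p:45} {decompose(p, RESOURCES)} -> {check(p)}")
```

Because the check is on the parsed parts rather than on the raw string, it closes all three variants at once: an unknown extension, an unknown selector and any suffix are each rejected before a renderer runs or a cache entry is written. A bare path with no extension is rejected too, so only explicitly listed forms of a page can be requested.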
Configuring Sling to Prevent DoS
Sling is content-centric. This means that processing is focused on the content as each (HTTP) request is mapped onto content in the form of a JCR resource (a repository node):
- The first target is the resource (JCR node) holding the content.
- Secondly, the renderer, or script, is located from the resource properties in combination with certain parts of the request (e.g. selectors and/or the extension).
This approach makes Sling very powerful and very flexible, but