Security and Macromedia Breeze Trademarks Afterburner, AppletAce, Attain, Attain Enterprise Learning System, Attain Essentials, Attain Objects for Dreamweaver, Authorware, Authorware Attain, Authorware Interactive Studio, Authorware Star, Authorware Synergy, Backstage, Backstage Designer, Backstage Desktop Studio, Backstage Enterprise Studio, Backstage Internet Studio, Contribute, Design in Motion, Director, Director Multimedia Studio, Doc Around the Clock, Dreamweaver, Dreamweaver Attain, Drumbeat, Drumbeat 2000, Extreme 3D, Fireworks, Flash, Fontographer, FreeHand, FreeHand Graphics Studio, Generator, Generator Developer's Studio, Generator Dynamic Graphics Server, Knowledge Objects, Knowledge Stream, Knowledge Track, LikeMinds, Lingo, Live Effects, MacRecorder Logo and Design, Macromedia, Macromedia Contribute, Macromedia Coursebuilder for Dreamweaver, Macromedia M Logo & Design, Macromedia Flash, Macromedia Xres, Macromind, Macromind Action, MAGIC, Mediamaker, Multimedia is the Message, Object Authoring, Power Applets, Priority Access, Roundtrip HTML, Scriptlets, SoundEdit, ShockRave, Shockmachine, Shockwave, shockwave.com, Shockwave Remote, Shockwave Internet Studio, Showcase, Tools to Power Your Ideas, Universal Media, Virtuoso, Web Design 101, Whirlwind and Xtra are trademarks of Macromedia, Inc. and may be registered in the United States or in other jurisdictions including internationally. Other product names, logos, designs, titles, words or phrases mentioned within this publication may be trademarks, servicemarks, or tradenames of Macromedia, Inc. or other entities and may be registered in certain jurisdictions including internationally. This guide contains links to third-party websites that are not under the control of Macromedia, and Macromedia is not responsible for the content on any linked site. If you access a third-party website mentioned in this guide, then you do so at your own risk. Macromedia provides these links only as a convenience, and the inclusion of the link does not imply that Macromedia endorses or accepts any responsibility for the content on those third-party sites. Apple Disclaimer APPLE COMPUTER, INC. MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, REGARDING THE ENCLOSED COMPUTER SOFTWARE PACKAGE, ITS MERCHANTABILITY OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. THE EXCLUSION OF IMPLIED WARRANTIES IS NOT PERMITTED BY SOME STATES. THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY PROVIDES YOU WITH SPECIFIC LEGAL RIGHTS. THERE MAY BE OTHER RIGHTS THAT YOU MAY HAVE WHICH VARY FROM STATE TO STATE. Copyright © 2004 Macromedia, Inc. All rights reserved. This manual may not be copied, photocopied, reproduced, translated, or converted to any electronic or machine-readable form in whole or in part without prior written approval of Macromedia, Inc. First Edition: January 2004 Macromedia, Inc. 600 Townsend St. San Francisco, CA 94103 CONTENTS Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Security Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Infrastructure Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Solutions for a Secure Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Application-Level Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Recommended Security Resources and References. . . . . . . . . . . . . . . . . . . . . . . . . 11 3 4 Contents Security and Macromedia Breeze Overview This document is targeted towards system administrators and program managers interested in ensuring security with Breeze. If you are installing Breeze for use on your intranet, it is recommended that you review and implement the best practices outlined in this article. However, if you are installing Breeze for use on the Internet, you must implement the best practices outlined in this article. Failure to do so will compromise the security of your Breeze application and the information contained within. Macromedia Breeze is a server-based web application that integrates with a database to provide a powerful solution for online training and conferencing. By hosting the Breeze application on your intranet or the Internet, you are allowing users the flexibility to access information anywhere, anytime. By its very nature, any application that is run over a network, especially the Internet, has security risks associated with it. Macromedia Breeze is no different. However, these security threats can be minimized if careful consideration is taken towards implementing a security design for Macromedia Breeze. There are three levels of security that should be considered for Macromedia Breeze: · Application-Level Security · Physical Security · Infrastructure Security Breeze provides application-level security, which provides an ACL (Access Control List)-based security model for controlling which users have access to features in the Breeze application. Physical security has to deal with placing the actual server in a physically-secure location. The third level, infrastructure security, which deals with securing the server and the network, is the most important, yet most overlooked aspect of securing Breeze. This white paper is divided into the following sections: · · · · Security Levels Examples Best Practices Additional References 5 Security Levels When planning a security strategy, it is important to consider the various layers of a deployed server environment, and devise a plan for each layer. Typically, a comprehensive security strategy incorporates the following elements: · Infrastructure Security · Application-Level Security · Physical Security Infrastructure Security Infrastructure security is by far the most important, but most overlooked, aspect of securing Breeze. It is up to your IT team to provide a secure infrastructure for Breeze. There are three parts to providing a secure infrastructure for Breeze: · Network Security · Breeze Web Server Security · Database Server Security The following sections describe a secure infrastructure. The security measures you implement depend on whether your Breeze system consists of just a single server running in the DMZ or an elaborate multi-server system running with different trusted zones. Network Security Breeze relies on several private TCP/IP services for its communications model. These services open several ports and channels for private communication. These ports must be protected from outside users. Breeze's design requires the environment to provide security for these communications. It is highly recommended that sensitive ports should be placed behind a firewall that separates them from non-trusted machines. Below is a list of ports that are used by Macromedia: · · · · Inbound ports (from the internet): 80, 443, 1935 Outbound ports (to the database): 1433 Outbound ports (to the mail server): 25 Local ports (to/from other members in the cluster): 8505, 8510, 8520 If you intend to have users access Breeze on your intranet, it is recommended that you place your Breeze servers and your Breeze database in a separate sub-network, separated by a firewall. This configuration of the firewall should take into consideration the above ports and whether they should be set as inbound or outbound. However, if you intend to have users access Breeze on the Internet, it is extremely important that you separate your Breeze servers from the Internet with a firewall. If you do not take the necessary steps to secure your Breeze servers, you are leaving your valuable information available for anyone to steal. For references to resources on network security, see "Recommended Security Resources and References" on page 11. 6 Security and Macromedia Breeze Breeze Web Server Security Macromedia Breeze comes with its own built-in high-performance, secure web server. This web server is based in part on Macromedia JRun Enterprise Server and has been designed specifically to serve dynamic content for Breeze, including Breeze Live meetings, Breeze presentations, and other rich media content. Because of Breeze's special requirements, no other web servers should be used with Breeze. This will only degrade performance for Macromedia Breeze. More importantly, Breeze is designed for security. The built-in web server is shipped with a very restrictive configuration which prohibits other web-based services from running on the same machine. Also, because of its architecture, Breeze is not susceptible to exploits that have plagued other web servers such as buffer overruns, etc. This makes Breeze a very secure environment in which to host content. Database Server Security Whether or not you are hosting your database on the same server as Breeze, you must make sure that your database is secure. Computers hosting a database should be in a physically secure location. Databases should be installed in the secure zone of your corporate intranet and never directly connected to the Internet. Back up all data regularly and store copies in a secure off-site location. The Microsoft security web site contains information that applies to both securing SQL Server 2000 and the Breeze built-in database: www.microsoft.com/sql/techinfo/administration/ 2000/security/ The following link provides a good starting point to making sure that your database is secure: www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp Note that Macromedia Breeze does not support Windows Authentication Mode. Only Mixed Mode is supported. In addition, if you are running the Breeze built-in database, you should note that the Breeze built-in database uses `breeze' as the password by default. It is highly recommended that you change this password. To change the password, type the following at the command line: osql -E -Q "sp_password @new='{new_password}',@loginame='sa'" where {new_password} is a strong password. Solutions for a Secure Infrastructure Most Breeze configurations will fall into one of two configurations: · A single server configuration · A multiple server configuration. This section discusses both setups and they provide examples on how to secure these environments. Security Levels 7 Single Server Configuration The easiest solution for a dedicated, single-server Breeze system is to block all ports on the Breeze box except 80, 1935 (and 443 for SSL-enabled servers). If the Windows server is carefully updated by your IT department with the latest Microsoft security patches, a software firewall can easily be configured to enable application security. An external hardware firewall appliance can provide an extra layer of protection and also provides additional protection against operating system flaws. Example: Securing a Single Server Configuration Assume that you are setting up Breeze Live and Breeze Presentation on a single server. In addition, the database is also to be installed on this server. You want users to be able to access Breeze on the Internet. Securing Breeze on a single server consists of the following steps: 1 Install a firewall 2 3 4 5 Since you are allowing users to access Breeze on the Internet, this means that your Breeze server is open to an attack by hackers. By using a firewall, you can block access to your servers and control what communications occur between the Internet and your servers. Configure your firewall After installing your firewall, you want to configure your firewall as follows: Inbound ports (from the internet): 80, 443, 1935 Outbound ports (to the mail server): 25 Since the database is located on the same server as Breeze, you do not need to open up port 1433 on the firewall. Install Breeze For information on installing Breeze, see the Breeze Installation Guide. Verify that Breeze is working After installing Breeze, you should verify that Breeze is working properly both from the Internet and from your local network. See the Breeze Installation Guide for more information. Test your firewall Now that you have your firewall installed and configured, you should verify that your firewall is working correctly. Test the firewall by attempting to use the blocked ports. Multi-server Solutions Multi-server solutions are inherently more complex and will vary from customer to customer. It is very important that the customer understand how to secure their multi-server installation. The following are suggestions for securing multi-server solutions. · · · The simplest solution for multi-server solutions in a single location is to create an extra sub-network ...