It is likely you will not use all of the features of
Enterprise Server, and so you will not require many of the objects defined by the supplied configuration. These can be removed for greater
security. Removing unnecessary configuration reduces the attack surface and decreases the amount of information available
to attackers who can install the product and review the supplied configuration.
Servers, listeners, services, and handlers
You can use
ESCWA to review these configuration objects and remove or disable them.
Micro Focus recommends making a backup of the MFDS repository first using the export function.
Items to review include:
CICS resource definitions
The CICS RDO file supplied with
Enterprise Server contains numerous resource groups for optional features and demos.
Micro Focus recommends you make a backup of this file (dfhdrdat) and remove any groups that are not required. Removing groups from your
enterprise server region's startup list is only a partial mitigation because attackers might be able to install resources dynamically in a running
enterprise server region.
Groups you should consider for removal include:
- DFH$ACCT contains the CICS ACCT sample application.
- DFH$APCT is a PL/I version of the ACCT sample.
- DFH$IMQS contains a sample IBM MQ application.
- DFH$IVP contains the resources for the Installation Verification Procedure (IVP), which is optional and no longer needed once
you have confirmed Enterprise Server and CICS are working.
- DFHCDDE, DFHCIPX, DFHNAMP, and DHFCNETB are vestigial support for old communications protocols which are no longer supported,
and can be safely removed from all installations.
- DFHCIVP contains definitions for testing CICS Distributed Program Link functionality.
- DFHCTCP contains definitions for testing CICS inter-region communication (CTG / Universal Client) functionality.
- DFHCWI contains a sample CICS Web Interface (CWI) application.
- DFHELCG contains resources used with the Component Generator functionality.
- DFHEZA contains resources required for the EZ Sockets functionality, and can be removed if you do not use this product feature.
- DFHISC contains resources required for CICS Inter-System Communication, and can be removed if you do not use this feature.
- DFHMQS contains resources required for IBM MQ connectivity, and can be removed if you do not use this feature.
- IMSGRP contains sample resources for CICS-IMS interaction.
- MCOASM contains a sample program using the Assembler support functionality.
- MCOGROUP contains the CMAP transaction, a utility transaction to display CICS BMS maps, which is generally only useful to
developers.
LDAP and VSAM security definitions
If you are using LDAP-based or file-based security through the External Security Facility (ESF) and the
MLDAP ESM Module (mldap_esm) or
VSAM ESM Module (vsam_esm), and you have imported (or plan to import) the sample security definitions from one of the LDIF or YAML files supplied with
the product, such as
es_default_ldap.ldf, then you will likely have many security definitions which are irrelevant or too permissive for your requirements.
Micro Focus recommends you back up your security rules and remove or edit rules as appropriate, for example, by exporting them to an
LDIF or YAML file.
If your security configuration has the
Allow unknown resources option enabled, then be cautious about removing rules, as this may in effect grant additional permissions. In this case,
instead of removing rules, change their Access Control Lists (ACL) to deny access to all users.
Note: The
Allow unknown resources is not the default and
Micro Focus strongly recommends against using it in a production environment.
Security definitions to consider for removal include:
- As discussed in the
Removing or changing default credentials topic,
Micro Focus recommends removing definitions for the supplied user accounts, or at least changing their passwords. Supplied user accounts
include CICSUSER, JESUSER, IMSUSER, mfuser, SYSAD, PLTPISUR, and SAFU. In particular, the default administrator account SYSAD
and the test account SAFU should be removed or disabled, or have their passwords changed.
- Any supplied user groups you are not using can be removed. For example, DEVGROUP and INTERCOM. You might want to replace the
predefined SYSADM, OPERATOR, and ALLUSER groups with others that you specify for similar purposes.
- The sample security definitions include rules for a number of sample applications and other resources which might have been
removed, as discussed above. Removing the security rules for them is also recommended. These include, for example, the rules
in the TCICSTRN class container for ACCT and other transactions beginning with "AC", and the rule in the FCICSFCT container
for ACCTFIL. One way to identify these rules is to open the
es_default_ldap.ldf file in a text editor and search for "sample" and "demo".
- Some CICS system transactions might not be used by some installations, and the rules for them in the TCICSTRN class container
can be removed or edited to prevent execution of those transactions. For example, there are rules for the IMS, CMAP, and CENV
transactions, all of which might not be needed by your organization.
- Certain system transactions are particularly risky from a security perspective and should be restricted to system administrators.
These include the CENV, CPMT, CQIT, CRUN, and EZAC transactions. In addition, when practical restrict permissions to system
transactions such as CFCR, CFLE, and CINS.
- There are a number of rules for JES and IMS which can be removed if you are not using those features. For JES, these include
the rules in classes beginning with "JES", such as JESJOBS and JESSPOOL.
Micro Focus recommends keeping the rules in the SURROGAT and PHYSFILE classes. For IMS, these include the rules in the classes with names
that end in "IMS" such as CIMS and TIMS.