When hardening an
Enterprise Server installation, review the following steps. Consult the topics in this document and related ones in your product Help for more
information:
- Options which reduce security
- Disable options which reduce security, such as
Allow unknown users and
Allow unknown resources.
- Predictable behavior
- It is best when security systems behave in a consistent and predictable way that is easy to understand. Where possible, avoid
configurations which might produce unexpected results. If you use multiple Security Managers, enable group federation. Avoid
options which introduce additional complexity such as
check TLQ first; if you need to use them, avoid further configuration which might behave differently when those options are enabled. For
example, with
check TLQ first, the best practice is to not have any DATASET resource access rules which begin with a wildcard.
- Strong passwords
- If user authentication is being performed with the MLDAP ESM Module and
Micro Focus password hashes, use the password-strength configuration options such as
minimum length and
complexity to require strong passwords. Consider whether password expiration and history (to prevent password reuse) are appropriate
for you. Use the MF-A2 (Argon2) password hash type, and if your organization has older password hashes, enable password migration.
If
Micro Focus password hashes are not used, password strength is determined by OS or third-party components which are outside the scope of this document.
- Verify throttling
- Enable the verify-throttling feature in the security configuration. Set its threshold to a value that your organization can
tolerate. Generally the task latency in each SEP is high enough that at most a dozen or so signons might occur within the
one-second window used by verify throttling.
- Auditing
- Consider enabling auditing in order to maintain an audit trail of security-related activity. This can be used for forensic
analysis after a breach is suspected, and as a source of information for breach-detection systems.
- Caching
- Determine which is more important to the organization: performance and reliability, or immediate recognition of security changes.
For the former, enable caching; for the latter, disable it, in both the security configuration and any Security Managers which
use the MLDAP ESM Module.
- Passtokens
- ESF passtokens are a relatively strong mechanism, but disabling them offers security benefits. Passtokens are used for seamless
transition between the MFDS and ESMAC user interfaces; use
ESCWA instead to avoid this use case. They are also used for DCAS, but relatively few organizations use that feature.
If passtokens are used, use the
SecretFile configuration option to set a site-specific or machine-specific secret for passtoken generation.
- Secure LDAP
- Use LDAP-over-TLS if possible.
- Default credentials
- As with all default credentials, the best security practice is to not use the default credentials for connecting to an LDAP
server.
- Account lockout
- If Micro Focus users are used with the MLDAP ESM Module, enable the
signon attempts setting for account lockout, to prevent guessing passwords.
- Tracing
- Avoid leaving tracing enabled, particularly in production systems, as it might provide attackers with useful information.