Wednesday, 29 November 2006

Testing Security FatWire 6 (administrator.pdf)

Copied from the FatWire documentation, specifically from the administration manual. It came in handy for an audit.

Security Tests for All Systems

After you have implemented your security measures, test your systems.
Complete the following steps on your development, management, and delivery systems:

  1. Try to log in to the database with Content Server Explorer using the default user
    accounts:

    • DefaultReader
      If you can log in using SomeReader as the password, the
      secure.CatalogManager and secure.TreeManager properties are set to
      false. Change them to true.
    • ContentServer
      If you can log in using FutureTense as the password, change the password
      immediately.
    • editor
      If you can log in using xceleditor as the password, change the password
      immediately.
    • fwadmin
      If you can log in using xceladmin as the password, change the password
      immediately.

  2. Verify that the sample site users do not exist on the management or delivery systems.
  3. Verify that you cannot log in as ContentServer/FutureTense using a CatalogManager URL:
    http://servername/pathToservlet/CatalogManager?ftcmd=login&username=ContentServer&password=FutureTense
  4. Verify that you cannot flush the entire cache as ContentServer/FutureTense using a
    CacheServer URL:
    http://servername/pathToservlet/CacheServer?all=true&authusername=ContentServer&authpassword=FutureTense
  5. Verify that you cannot log in to the application server as the default administrator user.
  6. Verify that you cannot log in to the database as the default administrator user.
  7. Verify that you cannot log in to the web server as the default administrator user.

Additional Security Tests for the Delivery System

In addition to the preceding six steps, complete the following tasks to test your security
setup on the delivery system:

  1. Verify that you removed the developer forms from the web server:
    http://yourhost/futuretense_cs/Dev
    If the futuretense_cs directory is present, delete it and then set the
    cs.wrapper property to false.
    Note: Do not remove this directory from the application server. Remove
    it from the web server only.
  2. Verify that you cannot log in to CS-Direct:
    http://yourhost/Xcelerate/LoginPage.html
    If you can log in, change the names of the LoginPage and LoginPost pages.
  3. Verify that you mapped URLs for all servlets other than ContentServer, BlobServer,
    CookieServer, and Satellite to display a “404 Page Not Found” message. If you can
    send a request to any other servlet, you should map that URL to an error page
    immediately.
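Added example, not from the FatWire manual or this post: a small Python script that runs the delivery-system exposure checks above (the developer forms directory, the default CS-Direct login page, and the servlets that must be mapped to a 404 page), issuing plain GET requests only and never submitting the default credentials or the cache-flush URL. The host, the servlet path "servlet" (standing in for the manual's pathToservlet placeholder) and the reading of a 404 response as a pass are assumptions.

```python
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Servlets the manual allows to stay reachable on the delivery system.
ALLOWED_SERVLETS = ("ContentServer", "BlobServer", "CookieServer", "Satellite")
# Other servlets named in the tests; on delivery they must be mapped to a 404 page.
RESTRICTED_SERVLETS = ("CatalogManager", "CacheServer")

def build_checks(host, servlet_path="servlet"):
    """Return (name, url, must_be_404) tuples; servlet_path is an assumed stand-in
    for the manual's 'pathToservlet' placeholder."""
    checks = [
        # Developer forms are to be deleted from the web server, so expect 404.
        ("developer forms", f"http://{host}/futuretense_cs/Dev", True),
        # The fix for CS-Direct is renaming LoginPage, so the default name must be gone.
        ("CS-Direct login page", f"http://{host}/Xcelerate/LoginPage.html", True),
    ]
    for name in RESTRICTED_SERVLETS:
        checks.append((f"servlet {name}", f"http://{host}/{servlet_path}/{name}", True))
    for name in ALLOWED_SERVLETS:
        checks.append((f"servlet {name}", f"http://{host}/{servlet_path}/{name}", False))
    return checks

def classify(must_be_404, status):
    """Only a 404 passes for a resource that must be hidden; None = host unreachable."""
    if status is None:
        return "UNKNOWN"
    if must_be_404:
        return "PASS" if status == 404 else "FAIL"
    return "INFO"  # allowed servlet: reachability is expected, just report it

def http_status(url, timeout=5):
    """GET the URL and return its HTTP status, or None on a transport error."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:  # 4xx/5xx responses still carry the status we need
        return err.code
    except URLError:
        return None

def run_audit(host, fetch=http_status):
    """Run every check and return (name, url, status, verdict); fetch is injectable."""
    results = []
    for name, url, must in build_checks(host):
        status = fetch(url)
        results.append((name, url, status, classify(must, status)))
    return results
```

Call `run_audit("yourhost")` and print the returned tuples; the four allowed servlets are reported as INFO so the operator can see which ones remain reachable by design.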