KnowledgeTree Security Primer

From KnowledgeTree Document Management Made Simple

1 Introduction
2 KnowledgeTree Security Primer

Introduction

This discussion of KnowledgeTree security is a primer on KnowledgeTree security architecture and is not meant as a replacement for operating system, web server and database vendor-specific security familiarity.

We strongly urge system administrators to become familiar with their own operating system’s security best practices and those of the Apache Web Server and MySQL Database Server.

The Apache, MySQL and PHP implementations that are shipped with KnowledgeTree Professional and KnowledgeTree Open Source Stack Installer are by default configured to be relatively secure, balancing usability with security. Should you install KnowledgeTree Open Source from source code the onus is on you to correctly configure KnowledgeTree, your operating system, Apache, MySQL and PHP from the ground.

Important configuration for KnowledgeTree Open Source “Source Only” installers:
http://wiki.ktdms.com/Moving_files_out_of_the_web_root

Location of the KnowledgeTree Manual set, including Administration Manual:
http://www.ktdms.com/products/manuals-and-user-guides

[edit]

KnowledgeTree Security Primer

As with most enterprise applications, KnowledgeTree relies on a multi-layered approach to security. The physical environment, the network, the server operating system, the application “stack” and the application need to be appropriately secured to ensure that the security and the integrity of the document repository is maintained.

A discussion of physical, network and server operating system security is beyond the scope of this primer. We do suggest that you become familiar with best practices around these security areas and that you carry out an appropriate business case-driven threat analysis and mitigation project.

The sections below detail the KnowledgeTree architecture and how the differing elements of the stack may be secured.

KnowledgeTree Professional and KnowledgeTree Open Source Stack Install are shipped with a baseline security configuration set. It is suggested that you review these settings once you are familiar with the Apache, MySQL and PHP best practices to ascertain whether the defaults are suitable for your organisation.

[edit]

KnowledgeTree Authentication and Authorisation

KnowledgeTree's extensible authorisation architecture allows for the implementation of a variety of AuthenticationProvider plugin modules. By default KnowledgeTree ships with three AuthenticationProvider plugins:

Internal User Database
LDAP
Microsoft Active Directory (a specialised LDAP plugin which also facilitates group-based authorisation)

For information on KnowledgeTree's document security architecture (Groups, Roles, Users, Permissions), please review the Administrator's Manual and elsewhere on this wiki.

[edit]

Internal User Database

The Internal User Database AuthenticationProvider stores user credentials locally in the MySQL database.
All passwords are encrypted using a one-way encryption algorithm. Passwords can not be easily decrypted using conventional means and thus "lost" passwords can not be retrieved.

[edit]

Use of an LDAP or Microsoft Active Directory Server

Using an LDAP server such as OpenLDAP or Microsoft Active Directory allows enterprise security policies (password length and retention, account expiry etc) to be managed from a single location.
A suitably priviledged user is required to authenticate KnowledgeTree against the LDAP server and thus provide access to the LDAP server's directory. This user's credentials are saved to the database server when setting up KnowledgeTree's LDAP AuthenticationProvider. The user's password is not stored using a one-way encryption hash as the password needs to be used to respond to the LDAP server's challenge. It is therefore extremely important to secure your server appropriately as described below.

[edit]

Securing LDAP access

LDAP access is by default done over an unsecured channel. If you are not using IPSec, SSH or similar technologies between your Web Server and Directory Server, we strongly encourage you to enable LDAP over SSL from within KnowledgeTree (instructions to be available soon).

[edit]

Apache Web Server

We recommend setting up HTTP over SSL and thus ensuring all client-server communications are encrypted (see below).
We strongly urge KnowledgeTree Open Source Source Only installers to review the following:

http://wiki.ktdms.com/Moving_files_out_of_the_web_root

Apache security best practice documentation may be found here:

http://httpd.apache.org/docs/2.2/misc/security_tips.html

It may also be beneficial for you to review who has logical access to the Web server (i.e. does the Apache web server need to be visible to Internet? To your entire enterprise? or to a specific group of people). Adjust your network and/or operating system firewall rules accordingly.

[edit]

Apache SSL

HTTP over SSL encryption may be utilized to secure communication between the client web browser and the server. Please see Section 6.3.4.1 of Administrator’s Manual for more information on setting this up.

[edit]

MySQL Database Server

The MySQL Database Server shipped with KnowledgeTree Professional and Open Source Stack Install prompts you for a username and password combination. Please ensure that these are appropriately strong and keep them secure.
It may also be beneficial for you to review requires logical access to the MySQL server (i.e. does the MySQL server need to be visible to Internet? To your entire enterprise? or to a specific group of people or just the local KnowledgeTree application?). Adjust your network and/or operating system firewall rules accordingly.
If you move your MySQL server to a seperate server, it may be useful to encrypt communications between the Apache web server and the MySQL server. Please review the MySQL and your operating system's documentation for details on this.
MySQL security best practice documentation may be found here:

http://dev.mysql.com/doc/refman/5.1/en/security.html

[edit]