This section describes techniques you can use during the
LiveCycle installation process to reduce security vulnerabilities.
In some cases, these techniques use options that are part of the
installation process. The following table describes these techniques.
Issue | Description
Privileges | Use the least privilege necessary to install the software. Log in to the computer with an account that is not in the Administrators group. On Windows, use the Run As command to run the LiveCycle installer as an administrative user; on UNIX and Linux systems, use a command such as sudo to install the software.
Software source | Do not download or run LiveCycle from untrusted sources. Malicious programs can contain code that violates security in several ways, including data theft, modification and deletion, and denial of service. Install LiveCycle from the Adobe DVD or only from a trusted source.
Disk partitions | Place LiveCycle on a dedicated disk partition. Disk segmentation keeps specific data on separate physical disks or partitions for added security; keeping the LiveCycle content directory off the system partition limits what a directory traversal attack against the application can reach. Plan to create a partition, separate from the system partition, on which to install the LiveCycle content directory. (On Windows, the system partition is the boot partition, which contains the system32 directory.)
Components | Evaluate existing services and disable or uninstall any that are not required. Do not install unnecessary components and services. The default installation of an application server might include services that you do not need; disable all unnecessary services before deployment to minimize the points of entry for an attack. For example, on JBoss you can comment out unnecessary services in the META-INF/jboss-service.xml descriptor file.
Cross-domain policy file | The presence of a crossdomain.xml file on the server can immediately weaken that server. Keep the list of allowed domains as restrictive as possible, and do not carry the crossdomain.xml file used during development into production when using Guides (deprecated). For a guide that uses web services, no crossdomain.xml file is needed if the service is on the same server that served the guide; if the service is on another server, or if clusters are involved, a crossdomain.xml file is needed. See http://kb2.adobe.com/cps/142/tn_14213.html for more information on the crossdomain.xml file.
Operating System security settings | If you need 192-bit or 256-bit XML encryption (AES-192 or AES-256) on Solaris platforms, install pkcs11_softtoken_extra.so instead of pkcs11_softtoken.so; the extra library provides the stronger key lengths that the standard softtoken library does not.
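As an added example that is not part of this documentation or of LiveCycle itself, the following Python script performs two of the pre-deployment checks the table asks for: that a content directory sits on a partition other than the system partition, and that a crossdomain.xml policy does not carry development-time wildcards into production. The two sample policies are constructed for the example, and the function names and the use of st_dev to compare partitions are assumptions of this example, not Adobe tooling.

```python
"""Install-time audit helpers for the Disk partitions and Cross-domain
policy file rows above (added example, not part of LiveCycle)."""
import os
import sys
import xml.etree.ElementTree as ET


def find_mount_point(path):
    """Walk up from path until a mount point (partition root) is reached."""
    path = os.path.abspath(path)
    if not os.path.exists(path):
        raise FileNotFoundError(path)
    while not os.path.ismount(path):
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return path


def is_on_separate_partition(content_dir, system_root=None):
    """True if content_dir is on a different device than the system partition.

    system_root defaults to the Windows system drive (e.g. C:\\) or "/".
    Assumption: os.stat().st_dev identifies the volume, which holds on
    POSIX and on Windows with current Python 3 releases.
    """
    if system_root is None:
        if os.name == "nt":
            system_root = os.environ.get("SystemDrive", "C:") + os.sep
        else:
            system_root = "/"
    return os.stat(content_dir).st_dev != os.stat(system_root).st_dev


def audit_crossdomain(xml_text):
    """Return a list of findings describing permissive crossdomain.xml rules.

    An empty list means nothing obviously permissive was found; it does
    not mean the file is needed at all (see the table above).
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "cross-domain-policy":
        return ["root element is %r, not cross-domain-policy" % root.tag]
    site = root.find("site-control")
    if site is not None:
        mode = site.get("permitted-cross-domain-policies", "")
        if mode not in ("none", "master-only"):
            findings.append("site-control permits %r policies; prefer master-only" % mode)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from grants access to every domain")
        elif domain.startswith("*."):
            findings.append("allow-access-from %r covers every subdomain" % domain)
        if rule.get("secure", "true").lower() == "false":
            findings.append('allow-access-from %r sets secure="false" '
                            "(HTTP clients may reach HTTPS content)" % domain)
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append("any domain may send any HTTP request header")
    return findings


# Constructed sample policies: a typical development file and a tightened one.
DEV_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

PROD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="guides.example.com" secure="true"/>
</cross-domain-policy>"""


if __name__ == "__main__":
    # Usage: audit.py <content_dir> <crossdomain.xml>
    content_dir, policy_file = sys.argv[1], sys.argv[2]
    print("content dir mount point:", find_mount_point(content_dir))
    print("on separate partition:", is_on_separate_partition(content_dir))
    with open(policy_file, encoding="utf-8") as fh:
        for finding in audit_crossdomain(fh.read()) or ["no permissive rules found"]:
            print("crossdomain.xml:", finding)
```

Run it against the planned content directory and the crossdomain.xml you intend to ship; any finding on the policy, or a content directory that reports the same partition as the system root, should be resolved before the installer is run.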