Reducing the attack surface

The security of an enterprise server region can be improved considerably by disabling unnecessary features. Recent releases of Enterprise Server disable some features, such as remote service deployment, by default, but more can be done, depending on the customer's requirements.

Disabling features that are enabled by default

When Enterprise Server is first installed, and when a new enterprise server region is created, a default configuration (also known as the out-of-the-box configuration) is used. For convenience and backward compatibility, this configuration enables a number of features that not all customers require. Micro Focus recommends that you disable any feature you do not require.

The features in question include:

  • On Windows, optional components and services the Enterprise Server installer adds and starts include:
    • Micro Focus EA Service Integration host for Enterprise Analyzer.
    • Services for Enterprise Server for .NET:
      • Micro Focus Event Monitor Service Shutdown Coordinator
      • Micro Focus SEE Administration Server
      • Micro Focus SEE Listener
      • Micro Focus SEE Monitor
      • Micro Focus SEE Service Bus Logon
    • Micro Focus XDB Server for the XDB database.

    For all of these, if the feature in question is not being used, the service should be stopped and disabled.

  • For MFDS:
    • The MFDS Web administration interface ("Enterprise Server Administration"). The Enterprise Server Common Web Administration (ESCWA) can be used instead. See the Security chapter in Enterprise Server Common Web Administration for more information.
    • The "UDP broadcast" option (Configure > Options > General). MFDS uses this feature when it is asked to resolve the address of a Micro Focus CCI service, such as Fileshare, and does not recognize the requested service name. If the option is enabled, MFDS sends a UDP broadcast search request for the service to its local subnet, asking whether any other MFDS instance on the subnet has information about that service. (UDP broadcasts do not traverse routers to other networks, but any host on the local subnet can see and answer them.) Most installations do not require this functionality.
  • For regions:
    • Disable or delete unnecessary listeners. A newly-created enterprise server region has a "Web" listener, which should already be disabled. This listener is used for COBOL Web Service and EJB deployment; Micro Focus recommends deleting it in production environments. A newly-created MSS enterprise server region might also have a "TN3270" listener, which should be disabled or deleted if it is not required.
  • Additionally, for MSS enterprise server regions:
    • The default CICS resource definition file contains a number of groups for demonstration purposes. Remove these, particularly from enterprise server regions in production environments. Remove or disable any other definitions that are not required.

Disabling optional features that are no longer needed

An Enterprise Server installation may have features enabled that are not enabled by default, either because it is, or was upgraded from, an older product release, or because they were enabled after installation. See Hardening enterprise server instance for more information. If any of the following are enabled, they should be reviewed and, if not required, disabled:

  • For MFDS:
    • Access on external network interfaces. This MFDS configuration option lets clients on remote systems connect to MFDS. If you are using Enterprise Server Common Web Administration (ESCWA), MFDS is running on the same system as the enterprise server regions it defines, and no external client needs to make TCP connections to MFDS (for example, to use the -l option of the cassub command), then it is safer to restrict MFDS to loopback connections only.
  • For enterprise server regions:
    • If the enterprise server region's Configuration Information field contains an [ES-Environment] section, remove any entries that are not needed. Pay particular attention to environment variables that are significant to the operating system or the COBOL run-time system, such as PATH and COBPATH, and ensure that their values are safe: they should not contain any directory that an unprivileged user can write to, and they should not contain an empty or relative entry, which causes the current directory to be searched.
    • Disable tracing that is no longer required, because trace output can reveal useful information to an attacker.
    • Disable dynamic debugging support if feasible, particularly for enterprise server regions in a production environment.
  • Additionally, for MSS enterprise server regions:
    • Remove any unnecessary directories from the CICS transaction, map, and file paths.
    • Disable EZ Socket support if it is not required.
    • Remove any unnecessary directories from the JES program path.
    • Remove any unused JES printer definitions.
    • Remove any unnecessary directories from the IMS TM MFS and application paths.
    • Disable PL/I support if it is not needed.
    • In the CICS resource definitions used by the region, disable or remove any definitions that are not required. Be aware that users who have authority to install resource groups or perform other administrative actions might be able to bypass disabled definitions, so for enterprise server regions in a production environment it is safest to use a CICS resource definition file that contains only the definitions needed by the production application set.
    • If the region is used for JES, remove unnecessary entries from the catalog.
    • In the IMS configuration (if any) used by the enterprise server region, ensure only the required definitions are present.
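After restricting MFDS to loopback connections (see the "Access on external network interfaces" item above), confirm the restriction from the operating system rather than trusting the setting. The following is an added example, not Micro Focus code: it parses the output of `ss -ltn` (or `netstat -ltn`) and reports any listening socket on the MFDS port that is bound to something other than 127.0.0.0/8 or ::1. The port number 86 is an assumption (the conventional MFDS default); the sample listings are constructed for the example.

```python
"""Report MFDS listening sockets that are reachable from external interfaces.

Added example, not Micro Focus code. Parses `ss -ltn` / `netstat -ltn` text.
Assumption: MFDS is on its conventional default TCP port 86.
"""
import re
import subprocess

MFDS_PORTS = {86}  # assumption: default MFDS port; change if reconfigured

# Matches a local-address token such as 0.0.0.0:86, [::]:86, *:86, :::86 or
# 127.0.0.1:86. The port must be numeric, so the peer column "0.0.0.0:*" is skipped.
_ADDR_RE = re.compile(r"^(\[?[0-9A-Fa-f:.%*]+\]?):(\d+)$")


def parse_listener(line):
    """Return (host, port) for a LISTEN line from ss or netstat, else None."""
    fields = line.split()
    if "LISTEN" not in fields:
        return None
    for tok in fields:
        m = _ADDR_RE.match(tok)
        if m:
            return m.group(1).strip("[]"), int(m.group(2))
    return None


def is_loopback(host):
    """True for IPv4 127.0.0.0/8 and IPv6 ::1 (the only acceptable MFDS bindings)."""
    return host == "::1" or host.startswith("127.")


def external_listeners(listing, ports=MFDS_PORTS):
    """Return [(host, port)] for sockets on `ports` that are not bound to loopback."""
    found = []
    for line in listing.splitlines():
        parsed = parse_listener(line)
        if parsed and parsed[1] in ports and not is_loopback(parsed[0]):
            found.append(parsed)
    return found


def live_check(ports=MFDS_PORTS):
    """Audit this host: run ss -ltn, falling back to netstat -ltn."""
    for cmd in (["ss", "-ltn"], ["netstat", "-ltn"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue
        return external_listeners(out, ports)
    raise RuntimeError("neither ss nor netstat is available")


# Constructed sample output (not captured from a real system).
SAMPLE_SS_BAD = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:86           0.0.0.0:*
LISTEN 0      128    127.0.0.1:10086      0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*
"""

SAMPLE_SS_GOOD = SAMPLE_SS_BAD.replace("0.0.0.0:86  ", "127.0.0.1:86")

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:86            0.0.0.0:*               LISTEN
tcp6       0      0 :::86                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for host, port in external_listeners(SAMPLE_SS_BAD):
        print(f"MFDS port {port} reachable externally via {host}")
    print("host audit:", live_check())
```

Note the `tcp6` line in the netstat sample: an IPv4 bind to 127.0.0.1 is not sufficient if the service also binds the IPv6 wildcard `::`, which is why the check looks at every socket on the port.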
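The [ES-Environment] check above (PATH and COBPATH must not contain directories an unprivileged user can write to) is easy to automate. The following is an added example, not Micro Focus code: it reads the INI-style `[ES-Environment]` section (NAME=value lines, as entered in the region's Configuration Information field), splits each search-path variable on the platform separator, and flags empty or relative entries, missing directories, and directories that are group- or world-writable according to POSIX mode bits. The list of variables to audit and the sample configuration are assumptions constructed for the example; on Windows the mode bits are meaningless and the directory ACLs must be inspected instead.

```python
"""Audit search-path variables in a region's [ES-Environment] section.

Added example, not Micro Focus code. Reports entries that an unprivileged
user could exploit to plant executables or modules. POSIX mode bits only.
"""
import os
import stat
import tempfile

# Variables whose entries are searched for programs or modules (assumption:
# extend for your platform, e.g. LIBPATH or SHLIB_PATH).
PATH_LIKE = ("PATH", "COBPATH", "LD_LIBRARY_PATH")


def parse_es_environment(text):
    """Return {NAME: value} for the [ES-Environment] section of `text`."""
    env, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "es-environment"
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env


def classify_entry(entry):
    """Return a reason string if `entry` is unsafe on a search path, else None."""
    if entry in ("", "."):
        return "current directory is searched"   # empty entry means cwd
    if not os.path.isabs(entry):
        return "relative path"
    try:
        st = os.stat(entry)
    except OSError:
        return "does not exist"                  # could be created by an attacker
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def audit_paths(env, variables=PATH_LIKE, sep=os.pathsep):
    """Return [(variable, entry, reason)] for every unsafe search-path entry."""
    findings = []
    for var in variables:
        if var in env:
            for entry in env[var].split(sep):
                reason = classify_entry(entry)
                if reason:
                    findings.append((var, entry, reason))
    return findings


def demo():
    """Constructed input: a temp tree with one safe (0755) and one world-writable
    (0777) directory, referenced from a sample [ES-Environment] section."""
    base = tempfile.mkdtemp(prefix="es-audit-")
    safe = os.path.join(base, "bin")
    loose = os.path.join(base, "shared")
    missing = os.path.join(base, "gone")
    os.mkdir(safe, 0o755)
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # chmod after mkdir so the umask does not interfere
    sep = os.pathsep
    config = "\n".join([
        "[ES-Other]",
        "UNRELATED=value",
        "[ES-Environment]",
        f"PATH={safe}{sep}{loose}{sep}",   # trailing separator leaves an empty entry
        f"COBPATH={safe}{sep}{missing}",
        "ES_SERVER=DEMO",
    ])
    return audit_paths(parse_es_environment(config))


if __name__ == "__main__":
    for var, entry, reason in demo():
        print(f"{var}: {entry!r}: {reason}")
```

Group-writable directories are flagged as well as world-writable ones because the region typically runs under a service account whose primary group may include interactive users; relax that check only after confirming the group's membership.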