The security of an
enterprise server region can be improved considerably by disabling unnecessary features. Recent releases of
Enterprise Server disable some features, such as remote service deployment, by default, but more can be done, depending on the customer's requirements.
Disabling features that are enabled by default
When
Enterprise Server is initially installed, and when a new
enterprise server region is created, they will use a default configuration, also known as the
out-of-the-box configuration. This configuration enables a number of features which are not required by all customers, for convenience and
backward compatibility.
Micro Focus recommends you disable features that are not required.
The features in question include:
- For MFDS:
- The MFDS Web administration interface ("Enterprise Server Administration"). The
Enterprise Server Common Web Administration (ESCWA) can be used instead. See the
Security chapter in
Enterprise Server Common Web Administration for more information.
- The "UDP broadcast" option (). This feature is used by MFDS when it is asked to resolve the address of a Micro Focus CCI service, such as Fileshare, and
it does not recognize the requested service name. If this option is enabled, MFDS will send a UDP broadcast search request
for the service to its local subnet, asking if any MFDS instance on the subnet has information for that service. (UDP broadcasts
do not traverse routers to other networks.) Most
enterprise server instance installations do not require this functionality.
- For regions:
- Disable or delete unnecessary listeners. A newly-created
enterprise server region will have a "Web" listener, which should already be disabled. This is used for COBOL Web Service and EJB deployment.
Micro Focus recommends deleting this listener in production environments. A newly-created MSS
enterprise server region might also have a "TN3270" listener, which should be disabled or deleted if it is not required.
- Additionally, for MSS
enterprise server regions:
- The default CICS resource definition file contains a number of groups for demonstration purposes. Remove these, particularly
from
enterprise server region in production environments. Remove or disable other definitions which are not required.
Disabling optional features that are no longer needed
An
Enterprise Server installation may have features enabled which are not enabled by default, either because it is, or was upgraded from, an older
product release or because they were enabled after installation. See
Hardening
enterprise server instance for more information. If any of the following are enabled, they should be reviewed and, if not required, disabled:
- For MFDS:
- Access on external network interfaces. This is an MFDS configuration option which lets clients connect to MFDS from remote
systems. If you are using
Enterprise Server Common Web Administration (ESCWA), MFDS is running on the same system as the
enterprise server region it defines, and no external clients need to make TCP connections to MFDS (for example, to use the
-l option of the cassub command), then it is safer to restrict MFDS to loopback connections only.
- For
enterprise server regions:
- If the
enterprise server region's
Configuration Information field contains an
[ES-Environment] section, remove any unneeded entries. Take notice of any environment settings which are significant for the OS or COBOL RTS,
such as PATH and COBPATH, and ensure their values are safe. For example, they should not contain any directories which an
unprivileged user might be able to write to.
- Disable tracing which is no longer required, as that can potentially reveal useful information to an attacker.
- Disable dynamic debugging support if feasible, particularly for
enterprise server regions in a production environment.
- Additionally, for MSS
enterprise server regions:
- Remove any unnecessary directories from the CICS transaction, map, and file paths.
- Disable EZ Socket support if it is not required.
- Remove any unnecessary directories from the JES program path.
- Remove any unused JES printer definitions.
- Remove any unnecessary directories from the IMS TM MFS and application paths.
- Disable PL/I support if it is not needed.
- In the CICS resource definitions used by the region, disable or remove any definitions that are not required. Be aware that
users might be able to bypass disabling of definitions if they have authority to install resource groups or perform other
administrative actions, so it is safest for
enterprise server regions in a production environment to use a CICS resource definition file that contains only the definitions needed by the production
application set.
- If the region is used for JES, remove unnecessary entries from the catalog.
- In the IMS configuration (if any) used by the
enterprise server region, ensure only the required definitions are present.