Security and Macromedia Breeze
Trademarks
Afterburner, AppletAce, Attain, Attain Enterprise Learning System, Attain Essentials, Attain Objects for Dreamweaver,
Authorware, Authorware Attain, Authorware Interactive Studio, Authorware Star, Authorware Synergy, Backstage, Backstage
Designer, Backstage Desktop Studio, Backstage Enterprise Studio, Backstage Internet Studio, Contribute, Design in Motion,
Director, Director Multimedia Studio, Doc Around the Clock, Dreamweaver, Dreamweaver Attain, Drumbeat, Drumbeat 2000,
Extreme 3D, Fireworks, Flash, Fontographer, FreeHand, FreeHand Graphics Studio, Generator, Generator Developer's Studio,
Generator Dynamic Graphics Server, Knowledge Objects, Knowledge Stream, Knowledge Track, LikeMinds, Lingo, Live Effects,
MacRecorder Logo and Design, Macromedia, Macromedia Contribute, Macromedia Coursebuilder for Dreamweaver,
Macromedia M Logo & Design, Macromedia Flash, Macromedia Xres, Macromind, Macromind Action, MAGIC, Mediamaker,
Multimedia is the Message, Object Authoring, Power Applets, Priority Access, Roundtrip HTML, Scriptlets, SoundEdit,
ShockRave, Shockmachine, Shockwave, shockwave.com, Shockwave Remote, Shockwave Internet Studio, Showcase, Tools to
Power Your Ideas, Universal Media, Virtuoso, Web Design 101, Whirlwind and Xtra are trademarks of Macromedia, Inc. and
may be registered in the United States or in other jurisdictions including internationally. Other product names, logos, designs,
titles, words or phrases mentioned within this publication may be trademarks, servicemarks, or tradenames of Macromedia, Inc.
or other entities and may be registered in certain jurisdictions including internationally.
This guide contains links to third-party websites that are not under the control of Macromedia, and Macromedia is not
responsible for the content on any linked site. If you access a third-party website mentioned in this guide, then you do so at your
own risk. Macromedia provides these links only as a convenience, and the inclusion of the link does not imply that Macromedia
endorses or accepts any responsibility for the content on those third-party sites.
Apple Disclaimer
APPLE COMPUTER, INC. MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, REGARDING THE
ENCLOSED COMPUTER SOFTWARE PACKAGE, ITS MERCHANTABILITY OR ITS FITNESS FOR ANY
PARTICULAR PURPOSE. THE EXCLUSION OF IMPLIED WARRANTIES IS NOT PERMITTED BY SOME STATES.
THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY PROVIDES YOU WITH SPECIFIC
LEGAL RIGHTS. THERE MAY BE OTHER RIGHTS THAT YOU MAY HAVE WHICH VARY FROM STATE TO
STATE.
Copyright © 2004 Macromedia, Inc. All rights reserved. This manual may not be copied, photocopied, reproduced,
translated, or converted to any electronic or machine-readable form in whole or in part without prior written approval of
Macromedia, Inc.
First Edition: January 2004
Macromedia, Inc.
600 Townsend St.
San Francisco, CA 94103
CONTENTS
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Security Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Infrastructure Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Solutions for a Secure Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Application-Level Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Recommended Security Resources and References. . . . . . . . . . . . . . . . . . . . . . . . . 11
3
4 Contents
Security and Macromedia Breeze
Overview
This document is targeted towards system administrators and program managers interested in
ensuring security with Breeze. If you are installing Breeze for use on your intranet, it is
recommended that you review and implement the best practices outlined in this article. However,
if you are installing Breeze for use on the Internet, you must implement the best practices
outlined in this article. Failure to do so will compromise the security of your Breeze application
and the information contained within.
Macromedia Breeze is a server-based web application that integrates with a database to provide
a powerful solution for online training and conferencing. By hosting the Breeze application
on your intranet or the Internet, you are allowing users the flexibility to access information
anywhere, anytime.
By its very nature, any application that is run over a network, especially the Internet, has security
risks associated with it. Macromedia Breeze is no different. However, these security threats can be
minimized if careful consideration is taken towards implementing a security design for
Macromedia Breeze.
There are three levels of security that should be considered for Macromedia Breeze:
• Application-Level Security
• Physical Security
• Infrastructure Security
Breeze provides application-level security, which provides an ACL (Access Control List)-based
security model for controlling which users have access to features in the Breeze application.
Physical security has to deal with placing the actual server in a physically-secure location. The
third level, infrastructure security, which deals with securing the server and the network, is the
most important, yet most overlooked aspect of securing Breeze.
This white paper is divided into the following sections:
• Security Levels
• Examples
• Best Practices
• Additional References
5
Security Levels
When planning a security strategy, it is important to consider the various layers of a deployed
server environment, and devise a plan for each layer. Typically, a comprehensive security strategy
incorporates the following elements:
• Infrastructure Security
• Application-Level Security
• Physical Security
Infrastructure Security
Infrastructure security is by far the most important, but most overlooked, aspect of securing
Breeze. It is up to your IT team to provide a secure infrastructure for Breeze.
There are three parts to providing a secure infrastructure for Breeze:
• Network Security
• Breeze Web Server Security
• Database Server Security
The following sections describe a secure infrastructure. The security measures you implement
depend on whether your Breeze system consists of just a single server running in the DMZ or an
elaborate multi-server system running with different trusted zones.
Network Security
Breeze relies on several private TCP/IP services for its communications model. These services
open several ports and channels for private communication. These ports must be protected
from outside users. Breeze’s design requires the environment to provide security for these
communications. It is highly recommended that sensitive ports should be placed behind a
firewall that separates them from non-trusted machines.
Below is a list of ports that are used by Macromedia:
• Inbound ports (from the internet): 80, 443, 1935
• Outbound ports (to the database): 1433
• Outbound ports (to the mail server): 25
• Local ports (to/from other members in the cluster): 8505, 8510, 8520
If you intend to have users access Breeze on your intranet, it is recommended that you place your
Breeze servers and your Breeze database in a separate sub-network, separated by a firewall. This
configuration of the firewall should take into consideration the above ports and whether they
should be set as inbound or outbound.
However, if you intend to have users access Breeze on the Internet, it is extremely important that
you separate your Breeze servers from the Internet with a firewall. If you do not take the necessary
steps to secure your Breeze servers, you are leaving your valuable information available for anyone
to steal. For references to resources on network security, see “Recommended Security Resources
and References” on page 11.
6 Security and Macromedia Breeze
Breeze Web Server Security
Macromedia Breeze comes with its own built-in high-performance, secure web server. This web
server is based in part on Macromedia JRun Enterprise Server and has been designed specifically
to serve dynamic content for Breeze, including Breeze Live meetings, Breeze presentations, and
other rich media content. Because of Breeze’s special requirements, no other web servers should be
used with Breeze. This will only degrade performance for Macromedia Breeze.
More importantly, Breeze is designed for security. The built-in web server is shipped with a very
restrictive configuration which prohibits other web-based services from running on the same
machine. Also, because of its architecture, Breeze is not susceptible to exploits that have plagued
other web servers such as buffer overruns, etc. This makes Breeze a very secure environment in
which to host content.
Database Server Security
Whether or not you are hosting your database on the same server as Breeze, you must make sure
that your database is secure. Computers hosting a database should be in a physically secure
location. Databases should be installed in the secure zone of your corporate intranet and never
directly connected to the Internet. Back up all data regularly and store copies in a secure
off-site location.
The Microsoft security web site contains information that applies to both securing SQL
Server 2000 and the Breeze built-in database: www.microsoft.com/sql/techinfo/administration/
2000/security/
The following link provides a good starting point to making sure that your database is secure:
www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
Note that Macromedia Breeze does not support Windows Authentication Mode. Only Mixed
Mode is supported.
In addition, if you are running the Breeze built-in database, you should note that the Breeze
built-in database uses ‘breeze’ as the password by default. It is highly recommended that you
change this password. To change the password, type the following at the command line:
osql -E -Q "sp_password @new='{new_password}',@loginame='sa'"
where {new_password} is a strong password.
Solutions for a Secure Infrastructure
Most Breeze configurations will fall into one of two configurations:
• A single server configuration
• A multiple server configuration.
This section discusses both setups and they provide examples on how to secure
these environments.
Security Levels 7
Single Server Configuration
The easiest solution for a dedicated, single-server Breeze system is to block all ports on the Breeze
box except 80, 1935 (and 443 for SSL-enabled servers). If the Windows server is carefully
updated by your IT department with the latest Microsoft security patches, a software firewall can
easily be configured to enable application security. An external hardware firewall appliance can
provide an extra layer of protection and also provides additional protection against operating
system flaws.
Example: Securing a Single Server Configuration
Assume that you are setting up Breeze Live and Breeze Presentation on a single server. In addition,
the database is also to be installed on this server. You want users to be able to access Breeze on
the Internet.
Securing Breeze on a single server consists of the following steps:
1 Install a firewall Since you are allowing users to access Breeze on the Internet, this means that
your Breeze server is open to an attack by hackers. By using a firewall, you can block access to
your servers and control what communications occur between the Internet and your servers.
2 Configure your firewall After installing your firewall, you want to configure your firewall
as follows:
■ Inbound ports (from the internet): 80, 443, 1935
■ Outbound ports (to the mail server): 25
Since the database is located on the same server as Breeze, you do not need to open up port
1433 on the firewall.
3 Install Breeze For information on installing Breeze, see the Breeze Installation Guide.
4 Verify that Breeze is working After installing Breeze, you should verify that Breeze is
working properly both from the Internet and from your local network. See the Breeze
Installation Guide for more information.
5 Test your firewall Now that you have your firewall installed and configured, you should
verify that your firewall is working correctly. Test the firewall by attempting to use the
blocked ports.
Multi-server Solutions
Multi-server solutions are inherently more complex and will vary from customer to customer. It is
very important that the customer understand how to secure their multi-server installation. The
following are suggestions for securing multi-server solutions.
• Private Networks The simplest solution for multi-server solutions in a single location is to
create an extra sub-network for the Breeze system. The network is bridged to the customer’s
network by a firewall device which allows only traffic to the web servers. This offers a high level
of security but can be expensive.
• Local Software Firewalls For Breeze servers located in a cluster but sharing a public
network with other customer servers, a software firewall may be appropriate on each individual
server. The simplest route is to allow free communication among the Breeze servers but allow
outside access only to the web servers.
• VPN Systems In multi-server installations where there are multiple Breeze systems in
different physical locations, customers may want to consider an encrypted channel to the
remote systems. This setup will probably be uncommon, but many software and hardware
vendors offer VPN technology to secure the communications to remote Breeze servers. Breeze
relies on this external security if data traffic must be encrypted.
8 Security and Macromedia Breeze
Application-Level Security
The Breeze application has a built-in ACL-based security model that lets you assign users
different permissions to access Breeze’s features. For example, you can control what users have
permissions to publish presentations by adding them to the Account Authors group. You can also
control which folders individual users can publish to.
Breeze has four primary groups that grant users access to specific features in the Breeze system. By
adding users to these groups, you can control what role a user has in your Breeze account.
These groups are:
Account Administrators Members of the Account Administrators group have access to all
functions within the Breeze account. They can create and manage users, manage content, create
and manage courses and create and manage meetings. Note that a member of the Account
Administrators group will still need to be a member of the Account Authors group in order to
publish content.
Account Authors Members of the Account Authors group have access to publishing features.
They can publish content to the Breeze system, including using the Breeze plug-in for PowerPoint
to publish presentations to Breeze.
Course Managers Members of the Course Managers group manage the Course Library
including creating courses, incorporating course content from Account Authors, enrolling users,
sending enrollee notifications, and setting up course reminders. They can also view content and
course reports.
Meeting Administrators Members of the Meeting Administrators are able to perform all
functions associated with creating meetings including setting up a meeting, inviting participants,
sending invitations and viewing reports.
In addition to adding users to groups to grant them rights to use features in the Breeze system,
you can also grant them permissions to access specific folders, content, courses and meetings. For
example, you can control whether or not a certain Account Author has permissions to publish to
a specific folder.
For more information on using Breeze’s application-level security features, please refer to the
Breeze presentation titled Setting Up Users, Groups, and Permissions at www.macromedia.com/go/
breeze_support. Instructions for setting permissions are available in the About Permissions
chapter of the Breeze Manager Help Guide. You can access the Breeze Manager Help Guide
through the Breeze Manager web application. To access the Breeze Manager, choose Start >
Programs > Macromedia > Macromedia Breeze 3 > Breeze Login Page.
Physical Security
Customers who store sensitive information on their servers should be aware of the physical
security of their systems. Breeze relies on the safety of the host system against intruders, so servers
should be kept secured where private and confidential data is at risk. Breeze is designed to take
advantage of native environmental features like file system encryption where available if
configured by the user.
Security Levels 9
Best Practices
Below is a checklist of best practices that will assist you in securing Breeze.
• Firewall Your Servers It is highly recommended to place Macromedia Breeze behind a
firewall, especially if you are intending for Breeze to be used on the Internet. By not placing
Breeze behind a firewall, you are leaving your server open for attacks. Even worse, your
sensitive information is unsecured and open for theft. All servers should sit behind a firewall,
which includes Breeze Application servers, Breeze Live servers and the database server.
• Run the Bare Minimum of Services You should only run the bare minimum services you
need for Breeze. This means that you should not run applications like a domain controller, a
web server or an FTP server on the same computer as Breeze. By reducing the number of
applications and services running on the computer hosting Breeze, you can minimize the
chances that an exploit in another application can be used to compromise your Breeze server.
• Perform OS Security Updates On Windows and other platforms, customers need to check
for platform security holes and apply required patches. Some of these issues are eliminated by a
good firewall. In general we recommend customers keep their Breeze systems patched with all
security updates approved by Microsoft or other appropriate platform vendor.
• Perform Database Security Updates Since your database may be another targeted
component of the Breeze solution, you need to check for database server security holes and
apply required patches. Like the operating system, some of these issues are eliminated by a
good firewall, but you should also keep up to date with the latest patches.
• Physical Security Customers who store sensitive information on their servers should be
aware of the physical security of their systems. Breeze relies on the safety of the host system
against intruders, so servers should be kept secured where private and confidential data is at
risk. Breeze is designed to take advantage of native environmental features like file system
encryption where available if configured by the user.
• Use Strong Passwords Breeze users are protected by passwords. We recommend that users,
and particularly administrators, choose strong passwords to keep their data safe. Breeze
enterprise installations often utilize external databases which may also require strong
password protection.
• Perform Security Audits We recommend users audit their systems periodically to ensure
that all security features installed by the user are still operating as expected. For example,
firewalls are easily tested using a port scanner for validation. Ongoing security checks help
guard against user error that can lead to misconfiguration over time.
10 Security and Macromedia Breeze
Recommended Security Resources and References
The following are sources of information and software which may aid the process of securing your
Breeze server(s).
• Network Security
SANS Institute (www.sans.org) The SANS Institute (System Administration, Networking,
and Security) is a cooperative research and education organization comprised of system
administrators, security professionals, and network administrators. They have great network
security courses, as well as certification in network security.
• SQL Server Security
Microsoft Security Site (www.microsoft.com/sql/techinfo/administration/2000/security/)
Microsoft site that provides information and resources on securing SQL Server 2000. The
information on this site also applies to the Breeze built-in database engine.
• Tools – Freeware
NMap (www.insecure.org/nmap/index.html) A powerful port-scanning program that
tells you what ports a system is listening on. It is freely available under the GNU Public
License (GPL).
Note: Please note that the effectiveness of any security measure is determined by various factors,
including but not limited to, the security measures provided by the server computer and by security
software installed by you. The Macromedia Breeze software is not intended to, and should not be
relied upon by you to, provide security against any unauthorized access to, or unintended or intended
disruptions or harm against, your server systems or any information stored or deployed by you on any
computer, including the server computer. Please refer to the disclaimer of warranty set forth in the
applicable license agreement provided with the Macromedia Breeze software.
Recommended Security Resources and References 11
12 Security and Macromedia Breeze
Loading...