Chris Brookes wrote:
> Thanks for your assistance, I will give that a try.
>
>> I must say that the nature of your questions leaves me with some concern
>> about the content of your guide...
>
> Hmmm, I won't bite but I will provide a little more information on what I am
> doing.
> The guide is specifically being written for Tomcat on Windows, for which, in my
> searching of the web, there are very few resources available, and even fewer
> that provide collated recommendations.
>
> As you may have guessed (and is alluded to in the response below) I am not an
> expert at Tomcat or Java; however I need to put together a guide that can be
> delivered to infrastructure managers whose primary goal is to 'get it
> working' without considering security.
>
> So as part of the information security team I have to provide recommendations
> to those Infrastructure managers on how to secure the infrastructure (as well
> as every other application and piece of infrastructure that is being
> deployed). The majority of the guide is focused on management of the Tomcat
> server. Things like running tomcat as an unprivileged user (and getting the
> appropriate Windows permissions to allow that to work properly), separation
> of tomcat directories from program files, segregation of duties for web-app
> content and Infrastructure admins, removing or limiting access to default or
> manager applications, limiting access to sensitive (or dangerous) Windows
> files and folders, etc, etc, etc.
>
> I also give some configuration advice based on research from the internet
> such as: setting up SSL to use an approved set of ciphers, some configuration
> options in server.xml and web.xml.
>
> And most importantly for them, I am combining this into a single document
> that they can follow, rather than having to rely on them to find the
> information on the web.
>
> Again thanks for your assistance, I will give it a try when I can
>
> Chris
>
>
> ----------------------------------------
>> From: chuck.caldar...@unisys.com
>> To: users@tomcat.apache.org
>> Date: Sun, 3 May 2009 21:19:08 -0500
>> Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>>
>>> From: Chris Brookes [mailto:cabb...@hotmail.com]
>>> Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>>> However, when I install Tomcat there is no such program as "catalina"
>>> in the bin directory so I can't run it like that.
>> The .bat scripts are only part of the .zip download, not the .exe (for
>> unexplained reasons). One normally uses the startup.bat script to launch
>> Tomcat, which does some necessary setup, then calls the catalina.bat script,
>> which does the real work of getting Tomcat going.
>>
>>> Using the Tomcat monitor application there is a tab for startup and
>>> there is an input box for arguments that by default contains 'start'
>>> but if I try to add '-security' to this argument text box the service
>>> fails to start at all.
>> As it should. To use the Java tab in tomcat6w.exe, you must specify the
>> appropriate JVM arguments, rather than the options for the scripts. In other
>> words, set the following:
>>
>> -Djava.security.manager
>> -Djava.security.policy=
>>
>> The standard Tomcat policy is located in Tomcat's conf/catalina.policy file,
>> but you're free to specify whatever location you need.
>>
>>> I am writing a Tomcat 6 on Windows hardening guide
>> I must say that the nature of your questions leaves me with some concern
>> about the content of your guide...
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you received
>> this in error, please contact the sender and delete the e-mail and its
>> attachments from all computers.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
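Chuck's point in the thread is that the Security Manager on a Windows service install is switched on through JVM arguments in tomcat6w.exe, not through the catalina.bat "-security" switch. The following PowerShell check is an added example for a hardening guide of the kind Chris describes; it is not code from the thread or from the Tomcat project. It assumes the Procrun service name "Tomcat6" and that tomcat6w.exe's Java tab stores its options as the REG_MULTI_SZ value "Options" under "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java" (or its Wow6432Node variant on 64-bit Windows with a 32-bit Tomcat); both the service name and the registry layout are assumptions, not facts stated in the thread.

```powershell
# Added example: verify that a Tomcat 6 Windows service has the Java Security
# Manager enabled via JVM options rather than via the script-only "-security" switch.
# Assumed (not from the thread): service name "Tomcat6" and the Procrun 2.0
# registry layout written by tomcat6w.exe's Java tab.

param(
    [string]$ServiceName = 'Tomcat6'   # assumed Procrun service name
)

$candidateKeys = @(
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java",
    "HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
)

$javaKey = $candidateKeys | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $javaKey) {
    Write-Output "FAIL: no Procrun Java parameters found for service '$ServiceName'"
    exit 2
}

# "Options" is a REG_MULTI_SZ: one JVM argument per element.
$options = @((Get-ItemProperty -LiteralPath $javaKey -Name 'Options' -ErrorAction SilentlyContinue).Options |
    Where-Object { $_ })

$findings = @()

if ($options -contains '-Djava.security.manager') {
    $findings += 'PASS: -Djava.security.manager is set'
} else {
    $findings += 'FAIL: -Djava.security.manager is missing; the JVM runs without a SecurityManager'
}

$policyOpt = $options | Where-Object { $_ -like '-Djava.security.policy=*' } | Select-Object -First 1
if (-not $policyOpt) {
    $findings += 'FAIL: -Djava.security.policy=<file> is missing (Tomcat ships conf/catalina.policy)'
} else {
    $policyPath = $policyOpt.Substring('-Djava.security.policy='.Length)
    # A leading "=" in the value means "use only this policy file"; strip it before testing the path.
    $policyFile = $policyPath.TrimStart('=')
    if (Test-Path -LiteralPath $policyFile -PathType Leaf) {
        $findings += "PASS: policy file present at $policyFile"
    } else {
        $findings += "FAIL: policy file '$policyFile' does not exist; Tomcat will not get the permissions it needs"
    }
}

# The "-security" switch belongs to catalina.bat, not to the JVM. If it was pasted into
# the Java options the service will fail to start, which is the symptom Chris reported.
if ($options -contains '-security') {
    $findings += 'FAIL: "-security" is a catalina.bat switch, not a JVM argument; remove it'
}

$findings | ForEach-Object { Write-Output $_ }
if ($findings -match '^FAIL') { exit 1 }
exit 0
```

Run it from an elevated PowerShell on the Tomcat host; a non-zero exit code means at least one FAIL line, which makes it easy to drop into the kind of checklist the guide is meant to give infrastructure managers. After the options look right, restart the service and confirm in catalina.log that Tomcat started with the policy in effect, since a policy file that lacks a needed permission shows up as AccessControlException entries there rather than as a startup failure of the service itself.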