Yeah, the OWASP guide was pretty good; there was one there for Tomcat 5.5, and that was part of the base for my guide along with a couple of other key resources. The DISA Tomcat checklist titled "Web Checklist Tomcat Version 6 Release 1.5" at http://iase.disa.mil/stigs/checklist/ was also pretty good.

As far as enabling the security manager is concerned, my guide does say that the rules in catalina.policy need to be assessed against the business requirements of the application, and that the default catalina.policy provides limited protection which needs to be assessed on an application-by-application basis.

Thanks for the tip on database connections with the security manager.

Chris
> Date: Mon, 4 May 2009 10:20:13 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>
> Chris Brookes wrote:
>> Thanks for your assistance, I will give that a try.
>>
>>> I must say that the nature of your questions leaves me with some concern about the content of your guide...
>>
>> Hmmm, I won't bite, but I will provide a little more information on what I am doing.
>
> www.owasp.org
>
> p
>
>> The guide is specifically being written for Tomcat on Windows, for which in my searching of the web there are very few resources available, and even fewer that provide collated recommendations.
>>
>> As you may have guessed (and as is alluded to in the response below) I am not an expert at Tomcat or Java; however, I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security.
>>
>> So as part of the information security team I have to provide recommendations to those infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server: things like running Tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), separation of Tomcat directories from Program Files, segregation of duties for web-app content and infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc.
>>
>> I also give some configuration advice based on research from the internet, such as: setting up SSL to use an approved set of ciphers, some configuration options in server.xml and web.xml.
>>
>> And most importantly for them, I am combining this into a single document that they can follow, rather than having to rely on them to find the information on the web.
>>
>> Again thanks for your assistance, I will give it a try when I can.
>>
>> Chris
>>
>> ----------------------------------------
>>> From: chuck.caldar...@unisys.com
>>> To: users@tomcat.apache.org
>>> Date: Sun, 3 May 2009 21:19:08 -0500
>>> Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>>>
>>>> From: Chris Brookes [mailto:cabb...@hotmail.com]
>>>> Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>>>> However, when I install Tomcat there is no such program as "catalina" in the bin directory so I can't run it like that.
>>>
>>> The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons). One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going.
>>>
>>>> Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start', but if I try to add '-security' to this argument text box the service fails to start at all.
>>>
>>> As it should. To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts. In other words, set the following:
>>>
>>> -Djava.security.manager
>>> -Djava.security.policy=
>>>
>>> The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need.
>>>
>>>> I am writing a Tomcat 6 on Windows hardening guide
>>>
>>> I must say that the nature of your questions leaves me with some concern about the content of your guide...
>>>
>>> - Chuck
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org