Removing unnecessary configuration objects

It is likely you will not use all of the features of Enterprise Server, and so you will not require many of the objects defined by the supplied configuration. These can be removed for greater security. Removing unnecessary configuration reduces the attack surface and decreases the amount of information available to attackers who can install the product and review the supplied configuration.

Servers, listeners, services, and handlers

You can use ESCWA to review these configuration objects and remove or disable them. Micro Focus recommends making a backup of the MFDS repository first using the export function.

Items to review include:

  • The ESDEMO sample server, and any servers created using the tutorials and demos included in the product, such as ESACCT (from the CICS tutorial) and ESSOAP (from the IMTK tutorial).
  • The Web listener in each server. The listener is used for the automated deployment of COBOL Web Services and EJBs, through the IDEs or the imtkmake utility. The Web listener and service deployment are potential security vulnerabilities. While recent Enterprise Server releases reduce the risk in the supplied configuration, Micro Focus recommends removing or disabling the listener on production systems (and using a scalable, reproducible, service-deployment process if necessary), and securing it on development systems. See Restricting remote program execution for more information.
  • Any other listeners that might not be needed by the enterprise server region. For example, non-MSS regions, and MSS regions that are not used interactively, do not require a TN3270 listener. Some topics in the product Help suggest using a listener with the custom configuration type http-echo for testing; those listeners should be deleted or disabled when testing is complete.
  • The services in each server:
    • If automated service deployment is disabled (as recommended above), the Deployment service can be deleted or disabled.
    • Non-MSS enterprise server regions do not need the CICS and JES services.
    • Any services (and their associated packages) created from the tutorials and demos.
  • The handlers in each server:
    • MFRHSOAP and MFRHJSON can be disabled if the server is not being used for non-MSS COBOL Web Services. If it is only handling one type of service, SOAP or JSON, the other handler can be disabled.
    • MFRHJCL can be disabled for non-MSS, or MSS enterprise server regions which are not doing any JES processing.

    Do not disable the MFRHBINP handler, as this is used for various internal Enterprise Server functions.

CICS resource definitions

The CICS RDO file supplied with Enterprise Server contains numerous resource groups for optional features and demos. Micro Focus recommends you make a backup of this file (dfhdrdat) and remove any groups that are not required. Removing groups from your enterprise server region's startup list is only a partial mitigation because attackers might be able to install resources dynamically in a running enterprise server region.

Groups you should consider for removal include:

  • DFH$ACCT contains the CICS ACCT sample application.
  • DFH$APCT is a PL/I version of the ACCT sample.
  • DFH$IMQS contains a sample IBM MQ application.
  • DFH$IVP contains the resources for the Installation Verification Procedure (IVP), which is optional and no longer needed once you have confirmed Enterprise Server and CICS are working.
  • DFHCDDE, DFHCIPX, DFHNAMP, and DHFCNETB are vestigial support for old communications protocols which are no longer supported, and can be safely removed from all installations.
  • DFHCIVP contains definitions for testing CICS Distributed Program Link functionality.
  • DFHCTCP contains definitions for testing CICS inter-region communication (CTG / Universal Client) functionality.
  • DFHCWI contains a sample CICS Web Interface (CWI) application.
  • DFHCWS contains a sample CICS Web Services (CWS) application.
  • DFHELCG contains resources used with the Component Generator functionality.
  • DFHEZA contains resources required for the EZ Sockets functionality, and can be removed if you do not use this product feature.
  • DFHISC contains resources required for CICS Inter-System Communication, and can be removed if you do not use this feature.
  • DFHMQS contains resources required for IBM MQ connectivity, and can be removed if you do not use this feature.
  • DFHPIPE and DFHWEB contain resources required for CICS Web Services, and can be removed if you do not use this feature.
  • IMSGRP contains sample resources for CICS-IMS interaction.
  • MCOASM contains a sample program using the Assembler support functionality.
  • MCOGROUP contains the CMAP transaction, a utility transaction to display CICS BMS maps, which is generally only useful to developers.

LDAP security definitions

If you are using LDAP-based security through the External Security Facility (ESF) and the MLDAP ESM Module (mldap_esm), and you have imported (or plan to import) the sample security definitions from one of the LDIF files supplied with the product, such as es_default_ldap.ldf, then you will likely have many security definitions which are irrelevant to or too permissive for your requirements. Micro Focus recommends you back up your security rules and remove or edit rules as appropriate, for example, by exporting them to an LDIF file.

If your security configuration has the Allow unknown resources option enabled, then be cautious about removing rules, as this may in effect grant additional permissions. In this case, instead of removing rules, change their Access Control Lists to deny access to all users.

Note: The Allow unknown resources option is not the default, and Micro Focus strongly recommends against using it in a production environment.

LDAP definitions to consider for removal include:

  • As discussed in the Removing or changing default credentials topic, Micro Focus recommends removing definitions for the supplied user accounts, or at least changing their passwords. Supplied user accounts include CICSUSER, JESUSER, IMSUSER, mfuser, SYSAD, PLTPISUR, and SAFU. In particular, the default administrator account SYSAD and the test account SAFU should be removed or disabled.
  • Any supplied user groups you are not using can be removed. For example, DEVGROUP and INTERCOM. You might want to replace the predefined SYSADM, OPERATOR, and ALLUSER groups with others that you specify for similar purposes.
  • The sample LDAP definitions include rules for a number of sample applications and other resources which might have been removed, as discussed above. Removing the security rules for them is also recommended. These include, for example, the rules in the TCICSTRN class container for ACCT and other transactions beginning with "AC", and the rule in the FCICSFCT container for ACCTFIL. One way to identify these rules is to open the es_default_ldap.ldf file in a text editor and search for "sample" and "demo".
  • Some CICS system transactions might not be used by some installations, and the rules for them in the TCICSTRN class container can be removed or edited to prevent execution of those transactions. For example, there are rules for the /IMS, CMAP, and CENV transactions, all of which might not be needed by your organization.
  • Certain system transactions are particularly risky from a security perspective and should be restricted to system administrators. These include the CENV, CPMT, CQIT, CRUN, and EZAC transactions. In addition, when practical, restrict permissions for system transactions such as CFCR, CFLE, and CINS.
  • There are a number of rules for JES and IMS which can be removed if you are not using those features. For JES, these include the rules in classes beginning with "JES", such as JESJOBS and JESSPOOL. Micro Focus recommends keeping the rules in the SURROGAT and PHYSFILE classes. For IMS, these include the rules in the classes with names that end in "IMS" such as CIMS and TIMS.
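The following script is an added example, not code from the product or this guide: it applies two of the review steps above to an exported LDIF file, parsing LDIF (RFC 2849, including folded lines and base64 values), flagging entries whose text contains "sample" or "demo", and flagging entries whose cn is one of the supplied user accounts listed above. The LDIF excerpt, DNs and attribute names are constructed for illustration and are not the MLDAP ESM schema.

```python
import base64
import re

# Constructed LDIF excerpt standing in for es_default_ldap.ldf; DNs and attributes are invented.
SAMPLE_LDIF = """\
dn: cn=ACCT,cn=TCICSTRN,cn=Rules,dc=example,dc=com
description: Sample ACCT transaction from the CICS tutorial

dn: cn=ACCTFIL,cn=FCICSFCT,cn=Rules,dc=example,dc=com
description:: RGVtbyBmaWxlIHVzZWQgYnkgdGhlIEFDQ1Qgc2FtcGxl

dn: cn=SYSAD,cn=Users,dc=example,dc=com
cn: SYSAD
description: Default administrator account

dn: cn=CEMT,cn=TCICSTRN,cn=Rules,dc=example,dc=com
description: CICS master termi
 nal transaction
"""
KEYWORDS = ("sample", "demo")   # the search terms the guidance suggests
SUPPLIED_ACCOUNTS = {"cicsuser", "jesuser", "imsuser", "mfuser", "sysad", "pltpisur", "safu"}
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")   # attr: value | attr:: base64

def parse_ldif(text):
    """Parse LDIF (RFC 2849) into a list of {attr: [values]} dicts, one per entry."""
    unfolded = re.sub(r"\n ", "", text)             # join folded continuation lines
    entries, current = [], {}
    for line in unfolded.splitlines() + [""]:       # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = ATTR_RE.match(line).groups()
        if sep == "::":                             # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    return entries

def review_definitions(text):
    """Return {dn: reason} for entries the hardening guidance says to remove or restrict."""
    findings = {}
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        blob = " ".join(v for values in entry.values() for v in values).lower()
        if any(word in blob for word in KEYWORDS):
            findings[dn] = "sample/demo definition: remove the rule or set its ACL to deny all"
        if any(cn.lower() in SUPPLIED_ACCOUNTS for cn in entry.get("cn", [])):
            findings[dn] = "supplied account: remove or disable it, or at least change its password"
    return findings
```

Run it against a real export with `review_definitions(open("export.ldf").read())`; entries with a base64 description (as for ACCTFIL above) are matched after decoding, which a plain text-editor search would miss.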