As installed, Enterprise Server includes various default user accounts, some of which have documented or obvious passwords. The sample LDAP security configuration contains more of these. Well-known credentials are a serious security risk, so region hardening should include removing or disabling these accounts, or at least changing the passwords.
The following discussion assumes ESF with LDAP-based security is being used by all enterprise server instance components.
MFDS initially installs a set of user accounts at various permission levels. These accounts are named administrator, adddelete, modify, and schemaadmin. It also adds the SYSAD user if it does not already exist; SYSAD is also defined in the es_default_ldap*.ldf LDIF files used to populate the LDAP repository with CAS security data. All of these accounts have passwords which match their usernames.
Micro Focus strongly recommends removing these accounts and creating only the MFDS user accounts required for your organization's use. Typically, this will be at least one account which is a member of the #AllUser and #DSAdmin groups; this would be the MFDS full-access administration account, equivalent to schemaadmin. Some organizations will also want MFDS accounts with fewer permissions. See your product Help for more information regarding MFDS default groups and permissions.
Alternatively, change the passwords for these accounts. Changing passwords is not as secure as disabling or deleting the accounts which are not required and replacing the well-known account names with ones which are not known to attackers, but it still offers a significant security improvement.
MFDS also installs a set of accounts for use by other enterprise server instance components. These accounts are used by default by those components, and effectively represent an unsecured installation. They are mf_cs, used by Communications Processes; mf_dep, used for COBOL Web service and EJB deployment; and mf_mdsa, used by CAS.
The mf_cs and mf_mdsa accounts are only used when an enterprise server instance region is started without specifying a username and password. It is best to disable these accounts, change their passwords as well for extra security, and always start regions using credentials.
The mf_dep account is used by the mfdepinst program, which installs COBOL Web services and EJBs to enterprise server regions from CAR files. mfdepinst needs to connect to MFDS and add service and package objects as part of the installation process; by default, it uses the mf_dep account. Different credentials can be specified in the .mfdeploy file or on the mfdepinst command line. Customers not using COBOL Web services or EJBs can disable this account, or change its password if required; this also prevents mfdepinst from creating service and package objects unless suitable credentials are provided.
Enterprise Server LDAP-based security is typically initialized using one of the es_default_ldap* LDIF files supplied with the product. Those files install a handful of sample user accounts: mfuser (with no password), SAFU (password "test"), SAFUIMS (password "test"), and SYSAD (password "SYSAD"). As with the default MFDS user accounts, these should be deleted or disabled, with customer-appropriate accounts created as necessary. SYSAD is intended as an administrative account and can be used as a template for creating other administrators.
If it is not practical to remove these accounts, change their passwords.
The mfuser account plays a special role. It is the default user for ESMAC, and for region startup and shutdown if credentials are not supplied when starting and stopping the region. Micro Focus strongly recommends setting a password for the mfuser account.
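As an added example (not Micro Focus code), the following Python script audits an LDIF export of the security repository for the default accounts named above, for passwords equal to the username or to a documented default, and for accounts with no password at all (the mfuser case). It assumes account names are stored in cn and passwords in plaintext userPassword values; the sample entries and their DN layout are constructed for the example.

```python
import base64

# Default account names this page documents (MFDS users and the es_default_ldap* LDIF samples).
DEFAULT_ACCOUNTS = {"administrator", "adddelete", "modify", "schemaadmin", "sysad",
                    "mfuser", "safu", "safuims", "mf_cs", "mf_dep", "mf_mdsa"}
DEFAULT_PASSWORDS = {"test"}  # documented for SAFU/SAFUIMS; the other defaults equal the username

SAMPLE_LDIF = """\
# Constructed sample export; the DN layout is an assumption, not the product's own schema.
dn: cn=mfuser,ou=users,dc=example,dc=com
cn: mfuser

dn: cn=SAFU,ou=users,dc=example,dc=com
cn: SAFU
userPassword: test

dn: cn=SYSAD,ou=users,dc=example,dc=com
cn: SYSAD
userPassword:: U1lTQUQ=
"""

def parse_ldif(text):
    # Minimal LDIF reader: joins folded lines, decodes '::' base64 values, splits on blank lines.
    records, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # trailing "" flushes last record
        if not line.strip() and current:
            records.append(current)
            current = {}
        elif line.strip() and not line.startswith("#"):
            attr, _, val = line.partition(":")
            if val.startswith(":"):  # '::' marks a base64-encoded value
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.strip().lower(), []).append(val.strip())
    return records

def audit(records):
    # Only plaintext userPassword values are compared; hashed ones ({SSHA}...) are not flagged.
    findings = []
    for rec in (r for r in records if "cn" in r):
        name, pws = rec["cn"][0].lower(), rec.get("userpassword", [])
        if name in DEFAULT_ACCOUNTS:
            findings.append((name, "well-known default account"))
        if not pws:
            findings.append((name, "no password set"))
        for pw in pws:
            if pw.lower() == name:
                findings.append((name, "password equals username"))
            elif pw.lower() in DEFAULT_PASSWORDS:
                findings.append((name, "well-known default password"))
    return findings
```

Run it against an ldapsearch export of the real repository instead of SAMPLE_LDIF; every finding is an account to delete, disable, or re-password before the region goes into service.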
Additional steps are required to disable anonymous access to ESMAC. See Restricting administrative access for more information. Micro Focus strongly recommends disabling anonymous access to ESMAC.
CAS also installs and uses a number of system accounts, which are not intended for direct use by users. They are: