It is important to restrict administrative actions to those users who require that level of access. This is part of what is referred to as the Principle of Least Privilege: actors such as users and programs should be granted only the privileges necessary to perform their functions. This is not only a matter of trust; it also protects the organization if a non-administrative account is compromised. Many successful attacks involve gaining access to an ordinary account and then elevating and pivoting to gain additional access.
Administrative functions which should be controlled include:
- Administration UIs such as ESCWA, MFDS, and ESMAC. These can be restricted using resource access control rules. Ensure you disable anonymous access to ESMAC. See Removing or changing default credentials for more information.
- Security data, which can potentially be altered using enterprise server instance utilities such as esfadmin, with third-party clients, or by manipulating data files directly. Configure security-data repositories such as LDAP servers with security controls and set appropriate permissions on the files they use.
- CICS and IMS resource definitions. Set appropriate file permissions on the resource definition files such as dfhdrdat. For CICS, enable controls on the CICS system APIs. See Enabling additional controls for more information.
- System utilities and transactions which perform administrative actions, such as CICS CINS. Those that run within an enterprise server region can be restricted using resource access control rules; those that run outside can have file permissions set.
- Where feasible, administrative actions in the OS relevant to Enterprise Server should also be restricted. These include such actions as starting and stopping services on Windows, or killing processes on UNIX.
Restricting access to ESMAC
In addition to setting security controls for ESMAC, it is necessary to disable anonymous access to ESMAC, as mentioned in Removing or changing default credentials. In some older releases of Enterprise Server, this could be performed by assigning a password to the mfuser account. In current releases of Enterprise Server you must take additional steps.
To disable anonymous access to ESMAC:
- Assign a password to the mfuser user, or to whichever account is set as the default ESMAC user using the ES_USR_DFLT_ESMAC environment variable.
- Set the environment variable ES_ESM_DISABLE_DFLTUSER_ESMAC. See Configuring the Default ESMAC User in your product Help for more information. In addition or optionally, you can set the environment variable ES_DISABLE_DFLTUSR_SIGNON. See Security and Auditing Environment Variables in your product Help for more information.
Note: There is a difference in the spelling of DFLTUSER and DFLTUSR between these two variables.
These variables can be set in the global environment or in the Configuration Information field, under a [ES-Environment] configuration section for the enterprise server region. For example:
[ES-Environment]
# Prevent anonymous access to ESMAC
ES_DISABLE_DFLTUSR_SIGNON=Y
ES_ESM_DISABLE_DFLTUSER_ESMAC=Y
The function of these two settings is subtly different. For most purposes they have the same effect, but ES_ESM_DISABLE_DFLTUSER_ESMAC will also prevent signing on to ESMAC using the mfuser account, even with a password. It will also disable converting a blank username to "mfuser", and the use of the Default button on the ESMAC sign-on page. For maximum security, Micro Focus recommends setting both of these variables.
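One way to audit a region for the two settings above, as an added example that is not Micro Focus code: it parses the text of a Configuration Information field and reports either variable that is missing, not set to Y, or written with the DFLTUSR/DFLTUSER spellings swapped. Assumptions: the field uses the INI-style layout shown in the example above, only the value Y counts as enabled, the swapped spellings are not recognized by Enterprise Server, and the function names and sample text are constructed for illustration. Variables set in the global environment are not checked.

```python
import re

# The two variables named on this page; "Y" is the value the page's example uses.
REQUIRED = ("ES_DISABLE_DFLTUSR_SIGNON", "ES_ESM_DISABLE_DFLTUSER_ESMAC")
# Swapped DFLTUSR/DFLTUSER spellings: plausible typos, assumed to have no effect.
MISSPELLED = {
    "ES_DISABLE_DFLTUSER_SIGNON": "ES_DISABLE_DFLTUSR_SIGNON",
    "ES_ESM_DISABLE_DFLTUSR_ESMAC": "ES_ESM_DISABLE_DFLTUSER_ESMAC",
}

def parse_es_environment(config_text):
    """Return {name: value} for entries under [ES-Environment] only."""
    env, in_section = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip() == "ES-Environment"
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def audit_anonymous_esmac(config_text):
    """Return a list of findings; an empty list means both settings are present."""
    env = parse_es_environment(config_text)
    findings = []
    for wrong, right in MISSPELLED.items():
        if wrong in env:
            findings.append(f"{wrong} is misspelled; expected {right}")
    for name in REQUIRED:
        if name not in env:
            findings.append(f"{name} is not set")
        elif env[name] != "Y":
            findings.append(f"{name}={env[name]} (expected Y)")
    return findings

# Constructed sample: the second variable uses the wrong DFLTUSR spelling.
SAMPLE = """[ES-Environment]
# Prevent anonymous access to ESMAC
ES_DISABLE_DFLTUSR_SIGNON=Y
ES_ESM_DISABLE_DFLTUSR_ESMAC=Y
"""

if __name__ == "__main__":
    for finding in audit_anonymous_esmac(SAMPLE):
        print("FINDING:", finding)
```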