Various configuration changes can improve the security of an enterprise server region. These are separate from hardening the environment in which Enterprise Server is running, and from hardening the applications which are running under Enterprise Server; those are dealt with in other sections of this document.

These changes are organized into the following areas:
- Reducing the attack surface. Disabling features that are not required for a particular instance, and restricting access to the ones that are, makes the attack surface available to an attacker smaller: there are fewer opportunities to find vulnerabilities in the system.
- Enabling additional controls. The stock configuration for the Enterprise Server External Security Facility does not enable all the supported security checks, in order to maintain backward compatibility. Enabling additional security controls improves security.
- Removing or changing default credentials. The template enterprise server region, and associated components such as MFDS, have various default user accounts, some of which have corresponding passwords. Change these to prevent attackers from using them.
- Restricting administrative access. Restrict which users can perform administrative tasks such as altering region configuration and defining CICS resources.
See the topic Restricting remote program execution and the chapter Using and hardening the supplied configuration for more information.