Security Concerns


Enfold Proxy (EP) is not a security or authentication tool. Its main job is to proxy URLs, balance load and cache items. Although proxy definitions allow you to change the domain names by which Plone can be accessed, and even to make its URLs inaccessible through a fully qualified domain name (e.g., www.originalfunsite.com/events), a savvy hacker from outside will still be able to access these same URLs by typing in the IP address and port number (http://192.168.1.150:8080/Plone/events). Because the Zope client(s) operate on nonstandard ports, a company firewall should block these ports from the outside world.

Fortunately, access and authentication controls on IIS and Plone are more than sufficient to cover almost every security scenario.
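One way to confirm the firewall rule described above is in place, as an added example that is not part of Enfold Proxy or Plone: run this from a machine outside the company network against the server's address. The port sets follow the page's example (80/443 on IIS, 8080 for the Zope client); the names `audit` and `port_open` are hypothetical.

```python
import socket
import sys

# Policy from the page: the IIS site answers on 80/443; the Zope client
# port (8080 in the page's example) must not answer from outside.
PUBLIC_PORTS = {80, 443}
ZOPE_PORTS = {8080}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit(host, public_ports=PUBLIC_PORTS, zope_ports=ZOPE_PORTS,
          probe=port_open):
    """Compare reachable ports with the policy; return (port, message) findings."""
    findings = []
    for port in sorted(zope_ports):
        if probe(host, port):
            findings.append(
                (port, "EXPOSED: Zope port answers directly, bypassing EP and IIS"))
    for port in sorted(public_ports):
        if not probe(host, port):
            findings.append((port, "DOWN: proxied port does not answer"))
    return findings


if __name__ == "__main__":
    # Usage: python check_ports.py <server address as seen from outside>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for port, message in results:
        print(f"{target}:{port} {message}")
    # Non-zero exit when a Zope port is reachable, so a scheduled job can alert.
    sys.exit(1 if any(m.startswith("EXPOSED") for _, m in results) else 0)
```

An empty result means the Zope port is blocked from the vantage point the script ran on and the proxied ports answer; the same run from inside the network is expected to report 8080 as reachable.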

It is possible for Plone to offer security not only through Zope but also through Windows authentication. Even with this, it is generally not recommended to allow public access to the ZMI application root from a browser on a machine outside of the company's network. If administrators need to access the ZMI from home (for example), it would probably be safer to use Virtual Private Network (VPN) software to log in remotely to their office machine and access the ZMI from there (by typing a private host name or IP address, along with the management port number, e.g. http://mymachine:8080).

Setting up ZMI Access on a Separate Host

It is theoretically possible to configure a separate proxy definition (and a separate IIS site) to allow public access to the Zope Management Interface (ZMI) login screen on port 80, but it is not recommended. The best way to log in to Plone is to log in directly on port 8080 (i.e., http://192.168.1.150:8080) instead of proxying it to port 80.

Setting up HTTPS Login for Login Only

Setting up HTTPS for your entire site is not practical because it slows IIS performance. However, you could set up HTTPS to manage initial user login. That requires three things.

First, you need to set up HTTPS and an SSL certificate for your specific IIS site. This task lies outside the scope of this document, but here is an excellent tutorial on how to configure SSL for IIS: http://www.petri.co.il/configure_ssl_on_your_website_with_iis.htm

Second, you need to verify that the IIS site handles both port 80 and port 443. (See the same tutorial.)

Third, you need to set up a mechanism in Plone to switch to SSL when logging in and back to non-SSL after receiving an authenticated cookie. To do this, see the Plone how-to guide about secure logins: http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords

Using NTLM/LDAP for User Login

One benefit of using Plone and Enfold Proxy on a Windows platform is the ability to authenticate automatically against Windows domains with the NTLM authentication protocol. Once again, Enfold Proxy does not deal with authentication; IIS authenticates users by checking that they are members of the Windows domain. Check the Plone documentation for how to allow NTLM authentication. Two basic tips apply. First, use a cookie-based authentication profile to verify that Active Directory works before you try automatic Windows login. Second, for Enfold Proxy to work with NTLM, you must choose an authentication profile that includes the phrase "Trusted Proxy." See IIS & Enfold Proxy for more detailed information.

Instead of setting up a proxy definition to allow for public ZMI access, it would be easier (and more effective) to use NTLM authentication; if administrators are outside the intranet, they would log in to their machine remotely using VPN and then perform whatever ZMI administrative functions they need to do.

Troubleshooting Security Problems

EP's failures can often be traced to problems configuring security in either IIS or Plone (see How to diagnose configuration problems).