MACROMEDIA Breeze User manual

Brand: MACROMEDIA

Model: Breeze

Type: User manual

This manual is also suitable for

MACROMEDIA Breeze empowers you to create, deliver, and manage online presentations, training programs, and virtual meetings. With its user-friendly interface, you can easily record, edit, and publish interactive content that can be accessed anytime, anywhere, on any device. Engage your audience with multimedia presentations, live broadcasts, interactive quizzes, polls, and discussions. Breeze seamlessly integrates with existing systems, allowing you to extend the reach of your content and track learner progress.

Security and Macromedia Breeze

Trademarks

Afterburner, AppletAce, Attain, Attain Enterprise Learning System, Attain Essentials, Attain Objects for Dreamweaver,

Authorware, Authorware Attain, Authorware Interactive Studio, Authorware Star, Authorware Synergy, Backstage, Backstage

Designer, Backstage Desktop Studio, Backstage Enterprise Studio, Backstage Internet Studio, Contribute, Design in Motion,

Director, Director Multimedia Studio, Doc Around the Clock, Dreamweaver, Dreamweaver Attain, Drumbeat, Drumbeat 2000,

Extreme 3D, Fireworks, Flash, Fontographer, FreeHand, FreeHand Graphics Studio, Generator, Generator Developer's Studio,

Generator Dynamic Graphics Server, Knowledge Objects, Knowledge Stream, Knowledge Track, LikeMinds, Lingo, Live Effects,

MacRecorder Logo and Design, Macromedia, Macromedia Contribute, Macromedia Coursebuilder for Dreamweaver,

Macromedia M Logo & Design, Macromedia Flash, Macromedia Xres, Macromind, Macromind Action, MAGIC, Mediamaker,

Multimedia is the Message, Object Authoring, Power Applets, Priority Access, Roundtrip HTML, Scriptlets, SoundEdit,

ShockRave, Shockmachine, Shockwave, shockwave.com, Shockwave Remote, Shockwave Internet Studio, Showcase, Tools to

Power Your Ideas, Universal Media, Virtuoso, Web Design 101, Whirlwind and Xtra are trademarks of Macromedia, Inc. and

may be registered in the United States or in other jurisdictions including internationally. Other product names, logos, designs,

titles, words or phrases mentioned within this publication may be trademarks, servicemarks, or tradenames of Macromedia, Inc.

or other entities and may be registered in certain jurisdictions including internationally.

This guide contains links to third-party websites that are not under the control of Macromedia, and Macromedia is not

responsible for the content on any linked site. If you access a third-party website mentioned in this guide, then you do so at your

own risk. Macromedia provides these links only as a convenience, and the inclusion of the link does not imply that Macromedia

endorses or accepts any responsibility for the content on those third-party sites.

Apple Disclaimer

APPLE COMPUTER, INC. MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, REGARDING THE

ENCLOSED COMPUTER SOFTWARE PACKAGE, ITS MERCHANTABILITY OR ITS FITNESS FOR ANY

PARTICULAR PURPOSE. THE EXCLUSION OF IMPLIED WARRANTIES IS NOT PERMITTED BY SOME STATES.

THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY PROVIDES YOU WITH SPECIFIC

LEGAL RIGHTS. THERE MAY BE OTHER RIGHTS THAT YOU MAY HAVE WHICH VARY FROM STATE TO

STATE.

translated, or converted to any electronic or machine-readable form in whole or in part without prior written approval of

Macromedia, Inc.

First Edition: January 2004

Macromedia, Inc.

600 Townsend St.

San Francisco, CA 94103

CONTENTS

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Security Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Infrastructure Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Solutions for a Secure Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Application-Level Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Recommended Security Resources and References. . . . . . . . . . . . . . . . . . . . . . . . . 11

4 Contents

Security and Macromedia Breeze

Overview

This document is targeted towards system administrators and program managers interested in

ensuring security with Breeze. If you are installing Breeze for use on your intranet, it is

recommended that you review and implement the best practices outlined in this article. However,

if you are installing Breeze for use on the Internet, you must implement the best practices

outlined in this article. Failure to do so will compromise the security of your Breeze application

and the information contained within.

Macromedia Breeze is a server-based web application that integrates with a database to provide

a powerful solution for online training and conferencing. By hosting the Breeze application

on your intranet or the Internet, you are allowing users the flexibility to access information

anywhere, anytime.

By its very nature, any application that is run over a network, especially the Internet, has security

risks associated with it. Macromedia Breeze is no different. However, these security threats can be

minimized if careful consideration is taken towards implementing a security design for

Macromedia Breeze.

There are three levels of security that should be considered for Macromedia Breeze:

• Application-Level Security

• Physical Security

• Infrastructure Security

Breeze provides application-level security, which provides an ACL (Access Control List)-based

security model for controlling which users have access to features in the Breeze application.

Physical security has to deal with placing the actual server in a physically-secure location. The

third level, infrastructure security, which deals with securing the server and the network, is the

most important, yet most overlooked aspect of securing Breeze.

This white paper is divided into the following sections:

• Security Levels

• Examples

• Best Practices

• Additional References

6 Security and Macromedia Breeze

Security Levels

When planning a security strategy, it is important to consider the various layers of a deployed

server environment, and devise a plan for each layer. Typically, a comprehensive security strategy

incorporates the following elements:

• Infrastructure Security

• Application-Level Security

• Physical Security

Infrastructure Security

Infrastructure security is by far the most important, but most overlooked, aspect of securing

Breeze. It is up to your IT team to provide a secure infrastructure for Breeze.

There are three parts to providing a secure infrastructure for Breeze:

• Network Security

• Breeze Web Server Security

• Database Server Security

The following sections describe a secure infrastructure. The security measures you implement

depend on whether your Breeze system consists of just a single server running in the DMZ or an

elaborate multi-server system running with different trusted zones.

Network Security

Breeze relies on several private TCP/IP services for its communications model. These services

open several ports and channels for private communication. These ports must be protected

from outside users. Breeze’s design requires the environment to provide security for these

communications. It is highly recommended that sensitive ports should be placed behind a

firewall that separates them from non-trusted machines.

Below is a list of ports that are used by Macromedia:

• Inbound ports (from the internet): 80, 443, 1935

• Outbound ports (to the database): 1433

• Outbound ports (to the mail server): 25

• Local ports (to/from other members in the cluster): 8505, 8510, 8520

If you intend to have users access Breeze on your intranet, it is recommended that you place your

Breeze servers and your Breeze database in a separate sub-network, separated by a firewall. This

configuration of the firewall should take into consideration the above ports and whether they

should be set as inbound or outbound.

However, if you intend to have users access Breeze on the Internet, it is extremely important that

you separate your Breeze servers from the Internet with a firewall. If you do not take the necessary

steps to secure your Breeze servers, you are leaving your valuable information available for anyone

to steal. For references to resources on network security, see “Recommended Security Resources

and References” on page 11.

Security Levels 7

Breeze Web Server Security

Macromedia Breeze comes with its own built-in high-performance, secure web server. This web

server is based in part on Macromedia JRun Enterprise Server and has been designed specifically

to serve dynamic content for Breeze, including Breeze Live meetings, Breeze presentations, and

other rich media content. Because of Breeze’s special requirements, no other web servers should be

used with Breeze. This will only degrade performance for Macromedia Breeze.

More importantly, Breeze is designed for security. The built-in web server is shipped with a very

restrictive configuration which prohibits other web-based services from running on the same

machine. Also, because of its architecture, Breeze is not susceptible to exploits that have plagued

other web servers such as buffer overruns, etc. This makes Breeze a very secure environment in

which to host content.

Database Server Security

Whether or not you are hosting your database on the same server as Breeze, you must make sure

that your database is secure. Computers hosting a database should be in a physically secure

location. Databases should be installed in the secure zone of your corporate intranet and never

directly connected to the Internet. Back up all data regularly and store copies in a secure

off-site location.

The Microsoft security web site contains information that applies to both securing SQL

Server 2000 and the Breeze built-in database: www.microsoft.com/sql/techinfo/administration/

2000/security/

The following link provides a good starting point to making sure that your database is secure:

www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

Note that Macromedia Breeze does not support Windows Authentication Mode. Only Mixed

Mode is supported.

In addition, if you are running the Breeze built-in database, you should note that the Breeze

built-in database uses ‘breeze’ as the password by default. It is highly recommended that you

change this password. To change the password, type the following at the command line:

osql -E -Q "sp_password @new='{new_password}',@loginame='sa'"

where {new_password} is a strong password.

Solutions for a Secure Infrastructure

Most Breeze configurations will fall into one of two configurations:

• A single server configuration

• A multiple server configuration.

This section discusses both setups and they provide examples on how to secure

these environments.

8 Security and Macromedia Breeze

Single Server Configuration

The easiest solution for a dedicated, single-server Breeze system is to block all ports on the Breeze

box except 80, 1935 (and 443 for SSL-enabled servers). If the Windows server is carefully

updated by your IT department with the latest Microsoft security patches, a software firewall can

easily be configured to enable application security. An external hardware firewall appliance can

provide an extra layer of protection and also provides additional protection against operating

system flaws.

Example: Securing a Single Server Configuration

Assume that you are setting up Breeze Live and Breeze Presentation on a single server. In addition,

the database is also to be installed on this server. You want users to be able to access Breeze on

the Internet.

Securing Breeze on a single server consists of the following steps:

1 Install a firewall Since you are allowing users to access Breeze on the Internet, this means that

your Breeze server is open to an attack by hackers. By using a firewall, you can block access to

your servers and control what communications occur between the Internet and your servers.

2 Configure your firewall After installing your firewall, you want to configure your firewall

as follows:

■ Inbound ports (from the internet): 80, 443, 1935

■ Outbound ports (to the mail server): 25

Since the database is located on the same server as Breeze, you do not need to open up port

1433 on the firewall.

3 Install Breeze For information on installing Breeze, see the Breeze Installation Guide.

4 Verify that Breeze is working After installing Breeze, you should verify that Breeze is

working properly both from the Internet and from your local network. See the Breeze

Installation Guide for more information.

5 Test your firewall Now that you have your firewall installed and configured, you should

verify that your firewall is working correctly. Test the firewall by attempting to use the

blocked ports.

Multi-server Solutions

Multi-server solutions are inherently more complex and will vary from customer to customer. It is

very important that the customer understand how to secure their multi-server installation. The

following are suggestions for securing multi-server solutions.

• Private Networks The simplest solution for multi-server solutions in a single location is to

create an extra sub-network for the Breeze system. The network is bridged to the customer’s

network by a firewall device which allows only traffic to the web servers. This offers a high level

of security but can be expensive.

• Local Software Firewalls For Breeze servers located in a cluster but sharing a public

network with other customer servers, a software firewall may be appropriate on each individual

server. The simplest route is to allow free communication among the Breeze servers but allow

outside access only to the web servers.

• VPN Systems In multi-server installations where there are multiple Breeze systems in

different physical locations, customers may want to consider an encrypted channel to the

remote systems. This setup will probably be uncommon, but many software and hardware

vendors offer VPN technology to secure the communications to remote Breeze servers. Breeze

relies on this external security if data traffic must be encrypted.

Security Levels 9

Application-Level Security

The Breeze application has a built-in ACL-based security model that lets you assign users

different permissions to access Breeze’s features. For example, you can control what users have

permissions to publish presentations by adding them to the Account Authors group. You can also

control which folders individual users can publish to.

Breeze has four primary groups that grant users access to specific features in the Breeze system. By

adding users to these groups, you can control what role a user has in your Breeze account.

These groups are:

Account Administrators Members of the Account Administrators group have access to all

functions within the Breeze account. They can create and manage users, manage content, create

and manage courses and create and manage meetings. Note that a member of the Account

Administrators group will still need to be a member of the Account Authors group in order to

publish content.

Account Authors Members of the Account Authors group have access to publishing features.

They can publish content to the Breeze system, including using the Breeze plug-in for PowerPoint

to publish presentations to Breeze.

Course Managers Members of the Course Managers group manage the Course Library

including creating courses, incorporating course content from Account Authors, enrolling users,

sending enrollee notifications, and setting up course reminders. They can also view content and

course reports.

Meeting Administrators Members of the Meeting Administrators are able to perform all

functions associated with creating meetings including setting up a meeting, inviting participants,

sending invitations and viewing reports.

In addition to adding users to groups to grant them rights to use features in the Breeze system,

you can also grant them permissions to access specific folders, content, courses and meetings. For

example, you can control whether or not a certain Account Author has permissions to publish to

a specific folder.

For more information on using Breeze’s application-level security features, please refer to the

Breeze presentation titled Setting Up Users, Groups, and Permissions at www.macromedia.com/go/

breeze_support. Instructions for setting permissions are available in the About Permissions

chapter of the Breeze Manager Help Guide. You can access the Breeze Manager Help Guide

through the Breeze Manager web application. To access the Breeze Manager, choose Start >

Programs > Macromedia > Macromedia Breeze 3 > Breeze Login Page.

Physical Security

Customers who store sensitive information on their servers should be aware of the physical

security of their systems. Breeze relies on the safety of the host system against intruders, so servers

should be kept secured where private and confidential data is at risk. Breeze is designed to take

advantage of native environmental features like file system encryption where available if

configured by the user.

10 Security and Macromedia Breeze

Best Practices

Below is a checklist of best practices that will assist you in securing Breeze.

• Firewall Your Servers It is highly recommended to place Macromedia Breeze behind a

firewall, especially if you are intending for Breeze to be used on the Internet. By not placing

Breeze behind a firewall, you are leaving your server open for attacks. Even worse, your

sensitive information is unsecured and open for theft. All servers should sit behind a firewall,

which includes Breeze Application servers, Breeze Live servers and the database server.

• Run the Bare Minimum of Services You should only run the bare minimum services you

need for Breeze. This means that you should not run applications like a domain controller, a

web server or an FTP server on the same computer as Breeze. By reducing the number of

applications and services running on the computer hosting Breeze, you can minimize the

chances that an exploit in another application can be used to compromise your Breeze server.

• Perform OS Security Updates On Windows and other platforms, customers need to check

for platform security holes and apply required patches. Some of these issues are eliminated by a

good firewall. In general we recommend customers keep their Breeze systems patched with all

security updates approved by Microsoft or other appropriate platform vendor.

• Perform Database Security Updates Since your database may be another targeted

component of the Breeze solution, you need to check for database server security holes and

apply required patches. Like the operating system, some of these issues are eliminated by a

good firewall, but you should also keep up to date with the latest patches.

• Physical Security Customers who store sensitive information on their servers should be

aware of the physical security of their systems. Breeze relies on the safety of the host system

against intruders, so servers should be kept secured where private and confidential data is at

risk. Breeze is designed to take advantage of native environmental features like file system

encryption where available if configured by the user.

• Use Strong Passwords Breeze users are protected by passwords. We recommend that users,

and particularly administrators, choose strong passwords to keep their data safe. Breeze

enterprise installations often utilize external databases which may also require strong

password protection.

• Perform Security Audits We recommend users audit their systems periodically to ensure

that all security features installed by the user are still operating as expected. For example,

firewalls are easily tested using a port scanner for validation. Ongoing security checks help

guard against user error that can lead to misconfiguration over time.

Recommended Security Resources and References 11

Recommended Security Resources and References

The following are sources of information and software which may aid the process of securing your

Breeze server(s).

• Network Security

SANS Institute (www.sans.org) The SANS Institute (System Administration, Networking,

and Security) is a cooperative research and education organization comprised of system

administrators, security professionals, and network administrators. They have great network

security courses, as well as certification in network security.

• SQL Server Security

Microsoft Security Site (www.microsoft.com/sql/techinfo/administration/2000/security/)

Microsoft site that provides information and resources on securing SQL Server 2000. The

information on this site also applies to the Breeze built-in database engine.

• Tools – Freeware

NMap (www.insecure.org/nmap/index.html) A powerful port-scanning program that

tells you what ports a system is listening on. It is freely available under the GNU Public

License (GPL).

Note: Please note that the effectiveness of any security measure is determined by various factors,

including but not limited to, the security measures provided by the server computer and by security

software installed by you. The Macromedia Breeze software is not intended to, and should not be

relied upon by you to, provide security against any unauthorized access to, or unintended or intended

disruptions or harm against, your server systems or any information stored or deployed by you on any

computer, including the server computer. Please refer to the disclaimer of warranty set forth in the

applicable license agreement provided with the Macromedia Breeze software.

12 Security and Macromedia Breeze

MACROMEDIA Breeze User manual

Brand: MACROMEDIA

Model: Breeze

Type: User manual

This manual is also suitable for

Download PDF

report

MACROMEDIA Breeze User manual

This manual is also suitable for

MACROMEDIA Breeze User manual

Related papers

Other documents