Version: 13.0

Security Checklist

The following chapter addresses security-relevant settings and configuration options that are not, or cannot in all cases be, covered by the default configuration of the ADOIT web client; they are therefore collected in the checklist below.

General Recommendations

  1. The server hardware of the ADOIT web client should be located in a safe environment (not physically accessible to everyone).

  2. It should be ensured that the operating system hosting the ADOIT web client is up-to-date on installation day and is updated regularly in the future.

  3. It should be ensured that the version of Java with which the Apache Tomcat web server is run is the latest version of your Java main release (latest Java 8 or 11 version) and is updated regularly in the future.

Secure the Apache Tomcat Web Server

  1. Remove all web applications from "<Tomcat installation>/webapps" (docs, examples, ROOT, ...) which are not needed.

  2. Remove the files "<Tomcat installation>/conf/Catalina/localhost/host-manager.xml" and "<Tomcat installation>/conf/Catalina/localhost/manager.xml" if they exist.

  3. Disable the Tomcat shutdown port. In "<Tomcat installation>/conf/server.xml", change the port attribute of the first <Server> tag to -1, e.g. <Server port="-1" shutdown="SHUTDOWN">.

  4. Add a server identifier to the connector. In "<Tomcat installation>/conf/server.xml", find the <Connector> tag that defines the port on which the ADOIT web client is accessible and add the attribute server="Tomcat", e.g. <Connector port="8000" server="Tomcat"/>.

For further information on securing the Apache Tomcat web server, refer to the Open Web Application Security Project (OWASP) guidance at https://www.owasp.org/index.php/Securing_tomcat.
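The four Tomcat steps above can be verified after the fact rather than by eye. The following script is an added example, not part of the ADOIT documentation or product: it parses server.xml and checks the installation directory for the items the checklist says to remove or change. It assumes the ADOIT connector listens on port 8000 (the port used in the example above); the sample server.xml content is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not from the ADOIT docs): default shutdown port and an
# ADOIT connector without the server attribute.
UNHARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8000" protocol="HTTP/1.1" connectionTimeout="20000"/>
  </Service>
</Server>
"""
# The same file after applying steps 3 and 4 of the checklist.
HARDENED_SERVER_XML = UNHARDENED_SERVER_XML.replace(
    'port="8005"', 'port="-1"').replace('port="8000"', 'port="8000" server="Tomcat"')

# Items steps 1 and 2 say to remove; the "..." in step 1 means extend this as needed.
UNNEEDED_WEBAPPS = ("docs", "examples", "ROOT")
MANAGER_DESCRIPTORS = ("conf/Catalina/localhost/host-manager.xml", "conf/Catalina/localhost/manager.xml")

def audit_server_xml(xml_text, adoit_port):
    """Check steps 3 and 4 against server.xml content; returns a list of findings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        return ["root element is not <Server>"]
    if root.get("port") != "-1":
        findings.append("shutdown port is %r, expected '-1'" % root.get("port"))
    connectors = [c for c in root.iter("Connector") if c.get("port") == str(adoit_port)]
    if not connectors:
        findings.append("no <Connector> on port %d" % adoit_port)
    for c in connectors:
        if c.get("server") != "Tomcat":
            findings.append('<Connector port=%d> lacks server="Tomcat"' % adoit_port)
    return findings

def audit_tomcat_install(tomcat_home, adoit_port):
    """Check steps 1 to 4 against a Tomcat installation directory; returns findings."""
    home = Path(tomcat_home)
    findings = []
    for name in UNNEEDED_WEBAPPS:
        if (home / "webapps" / name).exists():
            findings.append("unneeded web application present: webapps/%s" % name)
    for rel in MANAGER_DESCRIPTORS:
        if (home / rel).exists():
            findings.append("manager descriptor present: %s" % rel)
    server_xml = home / "conf" / "server.xml"
    if not server_xml.exists():
        return findings + ["conf/server.xml not found"]
    return findings + audit_server_xml(server_xml.read_text(encoding="utf-8"), adoit_port)
```

Run `audit_tomcat_install("<Tomcat installation>", 8000)` against a real installation; an empty list means all four checklist items pass.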

Access Requirements for the Technical Operation

The user rights of the users running the Apache Tomcat web server and ADOIT application server services should be restricted to as few rights as possible. The following rights represent the minimum required to run the services.

ADOIT Application Server Permissions

The user running the ADOIT application server service needs:

  • Write permissions in the temporary directory (%TEMP%).

  • Write permissions in the directory in which the log files are configured to be written (see "Configure ADOIT Application Server").

  • Read and execute permissions in the ADOIT Application Server installation directory.

Apache Tomcat Web Server Permissions

The user running the Apache Tomcat web server service needs:

  • Write permissions in the temporary directory (%TEMP%).

  • Write permissions in the ADOIT web application directory ("<Tomcat installation>/webapps/ADOIT13_0") and all its subdirectories.

  • Write permissions in the directory in which the log files are configured to be written. By default, the logging output is written to the folder "<Tomcat installation>/logs".

  • Read permissions in the Apache Tomcat installation directory.

Do not run Apache Tomcat with local administrator rights, and do not run Apache Tomcat with domain user rights if they are not needed. If you run Apache Tomcat as a domain user, restrict that user's access rights to the minimum.

ADOIT Rich Client Permissions

A user running an ADOIT rich client needs:

  • Write permissions in the temporary directory (%TEMP%).

  • Read and execute permissions in the ADOIT installation directory.

Secure Configuration of the ADOIT Web Client

Secure passwords

The passwords listed below should be changed to strong passwords:

  • The default passwords of Apache Tomcat in the file "<Tomcat installation>/conf/tomcat-users.xml" (see "Configure Apache Tomcat Web Server").

  • The passwords for all test accounts, admin users, etc.

The following are general recommendations for creating strong passwords.

Strong passwords should:

  • Have at least 8 characters.

  • Contain upper as well as lower case alphabetic characters (e.g. A-Z, a-z).

  • Contain at least one numeric character (e.g. 0-9).

  • Contain at least one special character (e.g. @#§$%&^!()_+~-=).

Strong passwords should not:

  • Spell a word or series of words that can easily be found in a dictionary or are directly related to the company.

  • Spell a word with a number added to the beginning or the end.

  • Be based on any personal information that can be guessed easily (e.g. family name, pet, birthday, etc.).