Security and privacy checklist get-started-security-privacy
This section will introduce you to the key elements to check regarding security and privacy. Some configurations can only be performed by on-premise customers.
Privacy
Privacy configuration and hardening is a key element of security optimization. Here are some best practices to follow regarding privacy:
- Protect your customer PII by using HTTPS instead of HTTP
- Use PII view restriction to protect privacy and prevent data from being misused.
- Make sure that encrypted passwords are restricted.
- Protect the pages that might contain personal information such as mirror pages, web applications, etc.
Access management
Access management is an important part of security hardening. Here are some of the main best practices:
- Create enough security groups
- Check that each operator has the appropriate access rights
- Avoid using the admin operator and avoid having too many operators in the admin group
Scripting and coding guidelines
When developing in Adobe Campaign (workflows, Javascript, JSSP, etc.), always follow these guidelines:
-
Scripting: try to avoid SQL statements, use parameterized functions instead of string concatenation, avoid SQL injection by adding the SQL functions to use to the allowlist.
-
Secure the data model: use named rights to limit operator actions, add system filters (sysFilter)
-
Add captchas in web applications: learn how to add captchas in your public landing pages and subscription pages.
Network, database and SSL/TLS
A very important thing to check when deploying an on-premise type of architecture is the networking configuration.
It is also imperative that you follow your database engine security.
Server configuration
Configuration has to be performed on all servers. The configuration files are of the type serverConf.xml and config-<instance>.xml
. Here are the key elements that need to be verified:
-
Security zones: Configure security zones so that they directly take into account the IP addresses of clients of a proxy.
-
File upload protection: limit the types of files that can be uploaded to the Adobe Campaign server using a new uploadAllowList attribute. This can be used in the server configuration file.
-
Relay: fine tune the relay configuration by deactivating the relay rules for unused modules/applications.
-
Outgoing connection protection and Command restriction (server-side)
-
You can also add extra HTTP headers, activate checkIPConsistent, enableTLS, sessionTimeOutSec, etc. Refer to the Campaign server configuration documentation and the Server configuration file description for more information.
Web-server configuration
Several best practices should be followed when configuring your web-server (Apache/IIS):
- Disable old SSL version and ciphers
- Remove the TRACE method
- Remove the banner
- Limit query size to prevent important files from being uploaded