Thanks for your assistance, I will give that a try.

> I must say that the nature of your questions leaves me with some concern 
> about the content of your guide...

Hmmm, I won't bite, but I will provide a little more information on what I am 
doing.

The guide is specifically being written for Tomcat on Windows, for which, in my 
searching of the web, there are very few resources available, and even fewer that 
provide collated recommendations.

As you may have guessed (and as is alluded to in the response below), I am not an 
expert at Tomcat or Java; however, I need to put together a guide that can be 
delivered to infrastructure managers whose primary goal is to 'get it working' 
without considering security.

So as part of the information security team I have to provide recommendations 
to those infrastructure managers on how to secure the infrastructure (as well 
as every other application and piece of infrastructure that is being deployed). 
The majority of the guide is focused on management of the Tomcat server: things 
like running Tomcat as an unprivileged user (and getting the appropriate 
Windows permissions to allow that to work properly), separation of Tomcat 
directories from Program Files, segregation of duties for web-app content and 
infrastructure admins, removing or limiting access to default or manager 
applications, limiting access to sensitive (or dangerous) Windows files and 
folders, etc, etc, etc.

I also give some configuration advice based on research from the internet, such 
as setting up SSL to use an approved set of ciphers, and some configuration 
options in server.xml and web.xml.

And most importantly for them, I am combining this into a single document that 
they can follow, rather than having to rely on them to find the information on 
the web.

Again, thanks for your assistance; I will give it a try when I can.

Chris


----------------------------------------
> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Sun, 3 May 2009 21:19:08 -0500
> Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>
>> From: Chris Brookes [mailto:cabb...@hotmail.com]
>> Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>
>> However, when I install Tomcat there is no such program as "catalina"
>> in the bin directory so I can't run it like that.
>
> The .bat scripts are only part of the .zip download, not the .exe (for 
> unexplained reasons). One normally uses the startup.bat script to launch 
> Tomcat, which does some necessary setup, then calls the catalina.bat script, 
> which does the real work of getting Tomcat going.
>
>> Using the Tomcat monitor application there is a tab for startup and
>> there is an input box for arguments that by default contains 'start'
>> but if I try to add '-security' to this argument text box the service
>> fails to start at all.
>
> As it should. To use the Java tab in tomcat6w.exe, you must specify the 
> appropriate JVM arguments, rather than the options for the scripts. In other 
> words, set the following:
>
> -Djava.security.manager
> -Djava.security.policy=
>
> The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, 
> but you're free to specify whatever location you need.
>
>> I am writing a Tomcat 6 on Windows hardening guide
>
> I must say that the nature of your questions leaves me with some concern 
> about the content of your guide...
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> MATERIAL and is thus for use only by the intended recipient. If you received 
> this in error, please contact the sender and delete the e-mail and its 
> attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
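The service-wrapper approach Chuck describes above, as an added example that is not part of the original thread: instead of typing the two JVM options into the Java tab of tomcat6w.exe, the same parameters can be set from the command line with the procrun service executable (tomcat6.exe) and then verified in the registry before the service is restarted. The install path and the service name "Tomcat6" are assumptions; adjust them to your installation.

```powershell
# Added example (not from the thread): enable the Java Security Manager for a
# Tomcat 6 Windows service via the procrun wrapper, then verify the change.
# Assumptions: Tomcat is installed at $TomcatHome and the service is named "Tomcat6".
$TomcatHome  = 'C:\Program Files\Apache Software Foundation\Tomcat 6.0'
$ServiceName = 'Tomcat6'
$Policy      = Join-Path $TomcatHome 'conf\catalina.policy'

# Stop the service before changing its parameters.
Stop-Service -Name $ServiceName

# ++JvmOptions appends to the existing Java options (--JvmOptions would replace
# them). Options are separated with ';' (or '#'); quote the argument so the
# path with spaces and the separator survive PowerShell parsing.
& (Join-Path $TomcatHome 'bin\tomcat6.exe') "//US//$ServiceName" `
    "++JvmOptions=-Djava.security.manager;-Djava.security.policy=$Policy"

# procrun stores the options as a multi-string registry value; confirm both
# entries are present before starting the service again.
$regPath = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
$opts = (Get-ItemProperty -Path $regPath -Name Options).Options
if (($opts -contains '-Djava.security.manager') -and
    ($opts -contains "-Djava.security.policy=$Policy")) {
    Write-Host "Security manager options set for service $ServiceName"
} else {
    Write-Warning "Options not found under $regPath; check the Java tab in tomcat6w.exe"
}

Start-Service -Name $ServiceName
```

After the restart, a web application that lacks the permissions it needs will fail with an AccessControlException in the Tomcat logs, which is the point at which the catalina.policy grants are tuned rather than the security manager switched off again.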
