Secure realms
The AM installation process creates the Top Level Realm (/), which contains AM default configuration data. This realm cannot be deleted or renamed, since it is the root of the realm hierarchy in AM.
Consider the following list of security best practices related to realms:
- Disable module-based authentication
-
Module-based authentication lets users authenticate using the
module=module-namelogin parameter, therefore bypassing multi-factor authentication if multiple modules are configured in a chain with the sameauthLevel.To disable module-based authentication, go to Realms > Realm Name > Authentication > Settings > Security, and clear the Module Based Authentication check box.
- Create strong authentication trees
-
Ensure your users log in to AM using sensible authentication trees, such as trees that enforce multi-factor authentication.
- Configure sensible default authentication services
-
By default, users that log in to the console make use of the chain or tree configured in the Organization Authentication Configuration property for the realm. To locate this property, go to Realms > Realm Name > Authentication > Settings > Core.
Be extra careful when setting your default authentication tree or chain.
If you leave the default authentication service as the
ldapServicechain, users can still post their username and password to the authentication endpoint to retrieve a session, regardless of the services configured for authentication.For example, consider a deployment where you disable module-based authentication but retain the default authentication chain,
ldapService. If you set up two-factor authentication, your users can still access their accounts without performing the correct two-factor authentication chain login sequence by using the defaultldapServicechain.When you are ready to go to production, set the default authentication tree or chain to your most secure tree or chain. Don’t leave it set to
ldapService.Ensure that you change the default for all realms, including the Top Level Realm.
- Prevent access to the Top Level Realm
-
If most of your privileged accounts reside in the Top Level Realm, consider blocking authentication endpoints that allow access to the Top Level Realm.
For more information, refer to Best practice for blocking the top level realm in a proxy for AM.
The demo user
When you install AM for evaluation, using the embedded DS server, a demo user is created.
This is a regular account with no administrative permissions and is intended for test and demo purposes.
You should remove this user from production environments.
To remove the demo account, go to Realms > Top Level Realm > Identities,
choose the demo account, and click Delete.