Check with operational users what kinds of files they upload to the server through the Campaign Client Console or the web interface. As a reminder, business needs can be:
Add all of them to the uploadAllowlist attribute of the serverConf/shared/datastore element (a valid Java regular expression). Learn more on this page.
Adobe Campaign itself does not restrict the size of uploaded files, but you can enforce a limit by configuring IIS or Apache. Learn more in this section.
Please refer to this page for more information.
By default, all dynamic pages are automatically relayed to the local Tomcat server of the machine on which the Web module is started. You can choose not to relay some of them: if you are not using certain Adobe Campaign modules (such as webapp, interaction, or some JSPs), remove them from the relay rules so they are not exposed at all.
Out of the box, the ability to serve end-user resources over plain HTTP is forced (httpAllowed="true"). Because these pages can display PII (such as email content or postal addresses), coupon redemption, and offers, you should force HTTPS again on these paths.
If you use different host names (one public and one for operators), you can also prevent resources needed only by operators from being relayed under the public DNS name.
Three connection protection modes exist. The following serverConf.xml fragment configures warning mode, with debug tracing enabled, and allowlists three DNS suffixes:

<urlPermission action="warn" debugTrace="true">
  <url dnsSuffix="abc.company1.com" urlRegEx=".*" />
  <url dnsSuffix="def.partnerA_company1.com" urlRegEx=".*" />
  <url dnsSuffix="xyz.partnerB_company1.com" urlRegEx=".*" />
</urlPermission>

New clients use blocking mode. To allow a new URL, they must ask their administrator to add it to the allowlist.
Existing customers coming from a migration can use warning mode for a while; meanwhile they need to analyze the outbound traffic (the debug trace) before authorizing the URLs and switching to blocking mode.
Several commands are included in the denylist and cannot be executed through the execCommand function. As an extra layer of security, external commands are run by a dedicated Unix user. For hosted installations this restriction is applied automatically; for on-premise installations you can set it up manually by following the instructions on this page. In addition, the Script and External task workflow activities are not available on newly installed instances.
You can add extra HTTP headers to all pages (for more information, refer to this page), such as HSTS, X-Frame-Options, or Content-Security-Policy. Test them in a test environment before applying them in production: adding certain headers can break Adobe Campaign.
Adobe Campaign lets you set a plaintext password in the <dbcnx .../> element. Do not use this feature.
By default, Adobe Campaign does not bind a session to a specific IP address, but you can activate this binding to prevent a stolen session from being reused elsewhere. To do so, in the serverConf.xml file, set the checkIPConsistent attribute to true in the
By default, Adobe Campaign's MTA does not use a secured connection to send content to the SMTP server. You have to enable this feature (it may reduce delivery speed). To do so, set enableTLS to true in the <smtp ...> node.
You can reduce the lifetime of a session in the authentication node (sessionTimeOutSec attribute, in seconds).
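As an added example (not Adobe's code and not from this page), the script below audits a serverConf.xml against the items on this checklist: the upload allowlist, the plaintext dbcnx password, httpAllowed relay rules, the urlPermission mode, checkIPConsistent, smtp/@enableTLS and sessionTimeOutSec. The configuration it ships with is a constructed, deliberately weak sample; the <relay> and <authentication> container element names in it, the probe filename, and the 8-hour session ceiling are assumptions, not values taken from the page or the product documentation. Elements the page does not name are located by attribute rather than by tag, so the checks do not depend on those assumed names.

```python
"""Audit a Campaign serverConf.xml against the hardening items on this page.

Added example (not Adobe tooling). It relies only on the names the page gives:
shared/datastore/@uploadAllowlist, dbcnx/@password, urlPermission/@action,
httpAllowed on relay rules, checkIPConsistent, smtp/@enableTLS and
sessionTimeOutSec. Elements the page does not name are found by attribute.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, deliberately weak sample. <relay> and <authentication> are
# assumed container names; the checks below never depend on them.
SAMPLE_CONF = """<?xml version="1.0"?>
<serverConf>
  <shared>
    <datastore uploadAllowlist=".+\\.(png|jpe?g|gif|pdf)$"/>
  </shared>
  <dbcnx provider="PostgreSQL" server="dbhost" login="campaign" password="s3cret"/>
  <relay>
    <url urlRegEx="^/r/.*" httpAllowed="true"/>
    <url urlRegEx="^/webApp/.*" httpAllowed="true"/>
  </relay>
  <urlPermission action="warn" debugTrace="true">
    <url dnsSuffix="abc.company1.com" urlRegEx=".*"/>
  </urlPermission>
  <authentication checkIPConsistent="false" sessionTimeOutSec="86400"/>
  <smtp enableTLS="false"/>
</serverConf>
"""

# Constructed probe: a name no legitimate business upload should need. An
# allowlist that accepts it is either unanchored or too broad.
PROBE_FILENAME = "upload.png.exe"


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit(xml_text, max_session_sec=8 * 3600):
    """Return (code, message) findings. max_session_sec is an assumed local
    policy ceiling for sessionTimeOutSec; the page gives no figure."""
    root = ET.fromstring(xml_text)
    findings = []

    # Upload allowlist: must exist, compile, and reject the probe. Python's re
    # is close enough to java.util.regex for patterns like these; search()
    # models the weaker (unanchored) matching semantics to stay conservative.
    datastore = root.find("shared/datastore")
    pattern = datastore.get("uploadAllowlist") if datastore is not None else None
    if not pattern:
        findings.append(("UPLOAD_ALLOWLIST", "shared/datastore/@uploadAllowlist is not set"))
    else:
        try:
            if re.search(pattern, PROBE_FILENAME):
                findings.append(("UPLOAD_ALLOWLIST",
                                 f"uploadAllowlist {pattern!r} accepts {PROBE_FILENAME}"))
        except re.error as exc:
            findings.append(("UPLOAD_ALLOWLIST", f"uploadAllowlist does not compile: {exc}"))

    # Plaintext database password in <dbcnx>: the page says never to use it.
    dbcnx = root.find(".//dbcnx")
    if dbcnx is not None and dbcnx.get("password"):
        findings.append(("DB_PASSWORD", "dbcnx carries a plaintext password attribute"))

    # Relay rules still serving end-user pages over plain HTTP.
    for el in root.iter():
        if _is_true(el.get("httpAllowed")):
            findings.append(("HTTP_ALLOWED",
                             f'httpAllowed="true" on relay rule {el.get("urlRegEx", "?")}'))

    # Outbound URL protection: warning mode is only a migration stopgap.
    perm = root.find(".//urlPermission")
    if perm is None:
        findings.append(("URL_PERMISSION", "no urlPermission element found"))
    elif (perm.get("action") or "").lower() == "warn":
        findings.append(("URL_PERMISSION", "urlPermission is in warning mode; switch to blocking"))

    # Session binding to the client IP.
    ipc = root.find(".//*[@checkIPConsistent]")
    if ipc is None or not _is_true(ipc.get("checkIPConsistent")):
        findings.append(("IP_CONSISTENT", "checkIPConsistent is not true: sessions are not bound to the client IP"))

    # MTA to SMTP server submission in clear.
    smtp = root.find(".//smtp")
    if smtp is None or not _is_true(smtp.get("enableTLS")):
        findings.append(("SMTP_TLS", "smtp/@enableTLS is not true: MTA submits to the SMTP server in clear"))

    # Session lifetime against the assumed ceiling.
    sess = root.find(".//*[@sessionTimeOutSec]")
    if sess is not None and int(sess.get("sessionTimeOutSec")) > max_session_sec:
        findings.append(("SESSION_TIMEOUT",
                         f"sessionTimeOutSec={sess.get('sessionTimeOutSec')} exceeds {max_session_sec}s"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"{code:17} {message}")
```

Run it against a real serverConf.xml by passing the file contents to audit(); the regex check only approximates Java semantics, so confirm the allowlist behaviour with an actual upload attempt in a test environment before relying on it.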