Secure Adobe Connect servers and database
Learn how to secure your Adobe Connect servers and related databases, network, and clusters. Create service accounts to run Adobe Connect more securely.
Adobe Connect relies on several private TCP/IP services for its communications. These services open several ports and channels that must be protected from outside users. Adobe Connect requires that you place sensitive ports behind a firewall. The firewall should support stateful packet inspection (not only packet-filtering). On the firewall, deny all services by default except those explicitly permitted. The firewall must be at least a dual-home (two or more network interfaces) firewall. This architecture helps prevent unauthorized users from bypassing the security of the firewall.
The easiest solution for securing Adobe Connect is to block all ports on the server except 80, 1935, and 443. An external hardware firewall appliance provides a layer of protection against gaps in the operating system. You can configure layers of hardware-based firewalls to form DMZs. If the server is updated by your IT department with the latest Microsoft security patches, a software-based firewall can be configured to enable extra security.
If you intend to have users access Adobe Connect on your Intranet, place the Adobe Connect servers and the Adobe Connect database in a separate subnet, separated by a firewall. The internal network segment where Adobe Connect is installed should use private IP addresses (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) to make it more difficult for an attacker to route traffic to a public IP and from the network address translated internal IP. For more information, see RFC 1918. This configuration of the firewall should consider all Adobe Connect ports and whether they are configured for inbound or outbound traffic.
Database server security
Whether you are hosting your database on the same server as Adobe Connect, make sure that your database is secure. Computers hosting a database should be in a physically secure location. Extra precautions include the following:
Install the database in the secure zone of your intranet.
Never connect the database directly to the Internet.
Back up all data regularly and store copies in a secure off-site location.
Install the latest patches for your database server.
Use SQL trusted connections.
For information on securing SQL Server, see the Microsoft SQL security website.
Create service accounts
Creating a service account for Adobe Connect lets you run Adobe Connect more securely. Adobe recommends creating a service account and a SQL Server Express Edition service account for Adobe Connect. For more information, see the Microsoft articles “How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Configuration Manager in SQL Server 2008” and The Services and Service Accounts Security and Planning Guide.
Create a service account
Create a local account called ConnectService that doesn’t include any default groups.
Set the Adobe Connect Service service, the Adobe Media Administration Server service, and the Adobe Media Server (AMS) service to this new account.
Set “Full Control” for the following registry key:
Set “Full Control” on the NTFS folders in the root Adobe Connect folder path (C:\Connect, by default).
Subfolders and files must have the same permissions. For clusters, modify the corresponding paths on each computer node.
Set the following logon rights for the ConnectService account:
Log on as a service—SeServiceLogonRight
Create an SQL Server Express Edition service account
Create a local account called ConnectSqlService that doesn’t include any default groups.
Change the SQL Server Express Edition Service Account from LocalSystem to ConnectSqlService.
Set “Full Control” for ConnectSqlService for the following registry keys:
HKEY_LOCAL_MACHINE\Software\Clients\Mail HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\80 HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[databaseInstanceName]
For clusters, follow this step on every node in the cluster. Full Control permission applies to all the child keys of a named database instance
Set “Full Control” for ConnectSqlService on the database folders. Subfolders and files must also have the same permissions. For clusters, modify the corresponding paths on each computer node.
Set the following user rights for the ConnectSqlService service:
Act as part of the operating system—SeTcbPrivilege Bypass traverse checking—SeChangeNotify Lock pages in memory—SeLockMemory Log on as a batch job—SeBatchLogonRight Log on as a service—SeServiceLogonRight Replace a process level token—SeAssignPrimaryTokenPrivilege
Securing single-server installations
The following workflow summarizes the process of setting up and securing Adobe Connect on a single computer. It assumes that the database is installed on the same computer, and that users access Adobe Connect on the Internet.
Install a firewall.
Since you are allowing users to connect to Adobe Connect through the Internet, the server is open to an attack by hackers. By using a firewall, you can block access to the server and control the communications that occur between the Internet and the server.
Configure the firewall.
After installing your firewall, configure it as follows:
Ports for Arkadin or InterCall telephony adaptors: 9080 or 9443.
Inbound ports (from the Internet): 80, 443, 1935.
Outbound ports (to the mail server): 25.
Use the TCP/IP protocol only.
Since the database is on the same server as Adobe Connect, do not open port 1434 on the firewall.
Install Adobe Connect.
Verify that the Adobe Connect applications are working.
After installing Adobe Connect, verify that it is working properly both from the Internet and from your local network.
Test the firewall.
After you have installed and configured the firewall, verify that your firewall is working correctly. Test the firewall by attempting to use the blocked ports.
Clusters (multi-server) systems are inherently more complex than single-server configurations. An Adobe Connect cluster can be located at a data center or geographically distributed across multiple network operation centers. You can install and configure servers hosting Adobe Connect in multiple locations and synchronize them through database replication.
On the clusters, use Microsoft SQL Server Enterprise Edition and not the embedded, Standard Edition of the database.
The following are important suggestions for securing clusters:
The simplest solution for clusters in a single location is to create an extra subnet for the Adobe Connect system. This approach offers a high level of security.
Local software firewalls
For Adobe Connect servers that are located in a cluster but share a public network with other servers, a software firewall may be appropriate on each individual server.
In multiserver installations hosting Adobe Connect in different physical locations, consider using an encrypted channel to communicate with the remote servers. Many software and hardware vendors offer VPN technology to secure the communications to remote servers. Adobe Connect relies on this external security if data traffic must be encrypted.