SECURITY NOTES FOR MedDream INSTALLATIONS

RATIONALE

This document faces the old dilemma of "security through obscurity". As a matter of fact, most MedDream installations tend to have a few security holes because their Web administrators are not paranoid enough. The very publication of this document makes every old or unmaintained MedDream installation an easy target. But we must draw a line one day, so that at least new installations are secure.

1. SEARCH ENGINES

If MedDream is exposed to the Internet, your installation might be found simply by searching for "MedDream" or "Softneta". (Rebranding is possible, but most customers do not need it.) Afterwards an attacker can check for the typical misconfigurations explained later in this document.

*Solution: set up the robots.txt file.*

This file is always hosted as /robots.txt (at the website root). If MedDream is also hosted there, the following robots.txt will be sufficient:

    User-agent: *
    Disallow: /

    User-agent: AdsBot-Google
    Disallow: /

Keep in mind that robots.txt is only honoured by well-behaved crawlers; it does not restrict access by itself, so the remaining chapters still apply. A recommended read is http://www.robotstxt.org/robotstxt.html .

2. THE SUBDIRECTORY "log"

This subdirectory may contain files php-YYYYMMDD.log with sensitive patient data. Logs are not enabled by default, but might be needed during troubleshooting, which sometimes takes days. One might also forget to remove them (or to disable logging) afterwards.

*Solution: disable Web access to this directory altogether.*

When using Apache, this is achieved by the following .htaccess file in this directory:

    Order deny,allow
    Deny from all

Apache 2.4+ requires a different syntax:

    Require all denied

Reminder: if you need a restrictive AllowOverride directive on an enclosing directory, the compatible values are "Limit Options" (the first one allows Order/Deny, and the second one is for the Options -Indexes in the next chapter). The equivalent for 2.4+ is "AuthConfig Options".

3. THE SUBDIRECTORY "temp"

The subdirectory "temp" is accessed via the Web when viewing DICOM MPEG2 files (Transfer Syntax UID = 1.2.840.10008.1.2.4.100), and when downloading an .ISO/.burn file after the Export function finishes. It might contain temporary files and subdirectories with randomized names and DICOM/JPG/FLV data inside; every such file might reveal sensitive patient information. Some of these files are left undeleted when MedDream crashes, and some are simply impossible to delete in time. The scripts deleteTemp.* can be called regularly by the operating system's scheduler to minimize the amount of rubbish; however, it will never disappear completely.

*Solution: disable Web listing of this directory.*

When using Apache, this is achieved by the following .htaccess file in this directory:

    Options -Indexes

Alternatively, listing can be denied for the entire MedDream directory in the server configuration's directory block. Furthermore, if you do not intend to view MPEG2 or use the Export function (or MedDream does not support them in your configuration), then simply disable Web access to this directory altogether, as in Chapter 2.

4. DCM4CHEE 2.x

The official installation instructions offer some defaults that are sometimes left unchanged. The default database name for 2.x is "pacsdb". You might also be tempted to call it "dcm4chee". For a knowledgeable attacker, both clearly suggest which PACS is there and what to try next.

After a mindless installation there will also be some default user accounts:

    - a database user "pacs" with password "pacs" -- perfectly suitable for MedDream;
    - an internal user "admin" with password "admin" -- suitable for MedDream and DCM4CHEE's web interface;
    - an internal user "user" with password "user" -- suitable for MedDream and DCM4CHEE's web interface.

Any of these accounts can be used to access sensitive patient data. We suggest changing the passwords for all three as soon as possible after the installation. The first one is used by DCM4CHEE to connect to the database, therefore you will also need to update the file server/default/deploy/pacs-*-ds.xml (the name depends on the database used).
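As an added example (not part of these notes, MedDream or Softneta), a small POSIX shell audit function that checks a MedDream web root for the items of Chapters 1 to 3: a root robots.txt, a denied log/ directory, and a temp/ directory with listing disabled. The directory layout and the .htaccess forms come from the notes; the function name and the check for leftover php-*.log files are assumptions of this example.

```shell
#!/bin/sh
# Constructed audit helper, not part of MedDream or these notes. It checks a MedDream
# web root for the hardening items of Chapters 1 to 3 and returns the number of
# findings (0 means every check passed). Assumes Apache .htaccess files are used.

audit_meddream() {
    root="$1"
    findings=0

    # Chapter 1: robots.txt at the site root must disallow everything.
    if ! grep -qsE '^Disallow: /[[:space:]]*$' "$root/robots.txt"; then
        echo "MISSING: $root/robots.txt does not contain 'Disallow: /'"
        findings=$((findings + 1))
    fi

    # Chapter 2: log/ must be denied entirely (Apache 2.2 or 2.4+ syntax).
    if ! grep -qsE '^(Deny from all|Require all denied)[[:space:]]*$' "$root/log/.htaccess"; then
        echo "MISSING: $root/log/.htaccess does not deny Web access"
        findings=$((findings + 1))
    fi

    # Leftover php-YYYYMMDD.log files mean logging was not switched off after
    # troubleshooting; each one may contain patient data.
    for f in "$root"/log/php-*.log; do
        [ -e "$f" ] || continue
        echo "WARN: leftover log file $f"
        findings=$((findings + 1))
    done

    # Chapter 3: temp/ must at least have listing disabled, or be denied outright.
    if ! grep -qsE '^(Options -Indexes|Deny from all|Require all denied)[[:space:]]*$' \
            "$root/temp/.htaccess"; then
        echo "MISSING: $root/temp/.htaccess neither disables listing nor denies access"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Run it as `audit_meddream /path/to/meddream` after the changes above; a non-zero exit status is the count of items still open.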