18/03/2010 16:46:33
UserInterface
SysAider
Joined: 13/03/2010
Messages: 38
Is everyone aware that their domain password is sitting in plain text within an XML file on their server??
Thought you might like to know that your system is not as secure as one might like.
This is especially the case if your machine is accessible from the internet (DMZ).
This message was edited 1 time. Last update was at 18/03/2010 16:50:08
18/03/2010 17:07:40
Brian Martin
Elite SysAider
Joined: 11/02/2009
Messages: 181
Location: Knoxville, TN
Are you talking in regards to AD integration?
If so, best practice is to use a service account with limited rights and not a domain admin account for this connection.
- Brian Martin
Unofficial SysAid Wiki - Most common issues and their solutions can be found here.
18/03/2010 17:10:47
Scott the Admin
SysAider

Joined: 28/01/2010
Messages: 10
Location: Oxford, MI
I'm just venturing a guess here but...
Did you enter your domain administrator credentials in SysAid for something such as LDAP integration?
This is why you create a user account with only the permissions required to make LDAP queries (read-only) and use that account in SysAid and not your domain Admin account.
I rarely, and I mean rarely, use my domain admin account for anything. Promoting Domain Controllers, Changing FSMO roles, etc.
Using it to grant software access to our AD is against our security policy.
Again, just a guess here.
Never underestimate the power of stupid people in large groups.
18/03/2010 18:16:20
UserInterface
SysAider
Joined: 13/03/2010
Messages: 38
Sorry, I should have said that I have resolved our problem with this, but I wanted to make sure that others knew this was the case... I only discovered it because a support person opened it up in front of me..
That meant that I had to change our domain admin password again..
If you don't know the password is there, you would assume that it would be encrypted, as it is a simple thing to do and most products of this size would have this enabled by default..
19/03/2010 03:04:32
Obelix
SysAid Wiz

Joined: 12/06/2008
Messages: 903
Any passwords, regardless of the role and no matter how limited they are, should NOT be in plain sight for unauthorized users to view.
19/03/2010 10:20:20
Evan
Super SysAider
Joined: 24/12/2008
Messages: 75
We use a service account, but I am still curious which XML file.
I am also curious if this will be corrected.
-Evan
19/03/2010 12:13:46
itayH
SysAid Customer Relations

Joined: 23/09/2009
Messages: 1092
Hi all, sorry for the misunderstanding... We usually suggest using a user with read-only rights for the LDAP integration. @Evan: I think that this is not the place for questions like that, where everyone can see the answer.
This message was edited 1 time. Last update was at 31/05/2010 09:39:13
Best Regards,
Itay
19/03/2010 22:20:15
UserInterface
SysAider
Joined: 13/03/2010
Messages: 38
I think that this is exactly the place to discuss this.. how else do we make sure that this gets fixed asap?
21/03/2010 05:44:15
itayH
SysAid Customer Relations

Joined: 23/09/2009
Messages: 1092
It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that's just me thinking.
You can contact us for more info.
Best Regards,
Itay
21/03/2010 06:14:13
Oded M
VP Product

Joined: 28/05/2008
Messages: 892
Hi All,
Just a clarification: the LDAP password that appears in the XML file is encrypted and has been this way since it was fixed in release 5.6.
UserInterface, I suggest you contact our support with more details, so what you see can be further investigated.
Oded
This message was edited 1 time. Last update was at 21/03/2010 06:15:16
21/03/2010 18:26:01
UserInterface
SysAider
Joined: 13/03/2010
Messages: 38
Oded M wrote:Hi All,
Just a clarification:
The LDAP password that appears in the XML file is encrypted and has been this way since it has been fixed in release 5.6.
UserInterface , I suggest you contact our support with more details, so what you see can be further investigated
Oded
I have 6.5.08, and am telling you that it is not encrypted inside that file. It is in plain text.
21/03/2010 18:30:47
UserInterface
SysAider
Joined: 13/03/2010
Messages: 38
itayH wrote:It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that just me thinking.
You contact us for more info.
I contacted you and you told me that it is not a threat, due to these reasons:
A. You have to have access to the server machine itself in order to view the file. Usually, if you have that ability, you are probably an Administrator on that system and therefore should be able to see the DB password if needed.
B. If you managed to get access to the server by some unthinkable way, you are still probably not a SysAid user and will not know where to look for such information, and the probability is that even if you see the ServerConf file you will not know what you are looking at.
This is not the response that should have been given to me. I think that everyone here will agree with what you say, but it is a moot point. The point is that if someone gains access to any of our servers through any means, I do not want any passwords in plain text on my system.. This is why I would like a patch for this asap..
21/05/2010 20:05:32
HealthCare Support Staff
SysAider

Joined: 21/05/2010
Messages: 10
I agree. Please make this a feature request. No plain text passwords stored on SysAid servers or clients.
23/05/2010 09:21:14
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 516
Hey guys,
I wanted to jump into the conversation with some news:
1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you set up a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file could safely remove all lines from <LDAPConf> until </LDAPConf>.
2. The password for the database connection, <dbPassword>, which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.
I'll keep my eyes on this post, so if anyone has a question...
Joseph
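The two points in Joseph's post (a leftover <LDAPConf> block that can be removed from an existing install, and a <dbPassword> value that should no longer be clear text) translate into a simple self-audit an administrator can run against their own serverConf.xml. The script below is an added example for this thread, not SysAid's or Ilient's code: only the element names <LDAPConf> and <dbPassword> come from the post, and the sample file, the child element names inside <LDAPConf>, and the heuristic for what an "encoded" value looks like are all assumptions made here for illustration.

```python
"""Audit a SysAid-style serverConf.xml for secrets stored in the clear.

Added example, not SysAid's code. Only <LDAPConf> and <dbPassword> are taken
from the forum post; everything else about the file layout is assumed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a legacy config that still carries the historical LDAP
# block and a clear-text DB password. The ldap* child names are assumptions.
SAMPLE_CONF = """<serverConf>
  <dbUrl>jdbc:mysql://localhost/sysaid</dbUrl>
  <dbUser>sysaid</dbUser>
  <dbPassword>Summer2010!</dbPassword>
  <LDAPConf>
    <ldapHost>dc01.example.test</ldapHost>
    <ldapUser>EXAMPLE\\svc-ldap-ro</ldapUser>
    <ldapPassword>ReadOnlyPass1</ldapPassword>
  </LDAPConf>
</serverConf>
"""

# Heuristic (an assumption, not knowledge of SysAid's format): a value that is
# a long base64- or hex-looking token is treated as encoded; anything else
# readable is reported as clear text.
ENCODED_RE = re.compile(r"^(?:[A-Za-z0-9+/]{24,}={0,2}|[0-9a-fA-F]{32,})$")


def looks_plaintext(value):
    """Return True when a secret value appears to be stored in the clear."""
    value = (value or "").strip()
    if not value:
        return False
    return ENCODED_RE.match(value) is None


def audit_server_conf(xml_text):
    """Report findings for one serverConf.xml document.

    Returns a dict with:
      ldap_block_present: whether a legacy <LDAPConf> block still exists
      plaintext_elements: password-like element names stored in the clear
    """
    root = ET.fromstring(xml_text)
    findings = {"ldap_block_present": False, "plaintext_elements": []}
    if root.find("LDAPConf") is not None:
        findings["ldap_block_present"] = True
    # Check every element whose tag mentions "password", wherever it sits.
    for elem in root.iter():
        if "password" in elem.tag.lower() and looks_plaintext(elem.text):
            findings["plaintext_elements"].append(elem.tag)
    return findings


def strip_ldap_block(xml_text):
    """Return the config with the legacy <LDAPConf>...</LDAPConf> block removed.

    This is the cleanup the post describes for existing installs; the rest
    of the document is left untouched.
    """
    root = ET.fromstring(xml_text)
    for ldap in root.findall("LDAPConf"):
        root.remove(ldap)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit_server_conf(SAMPLE_CONF)
    print("LDAPConf block present:", report["ldap_block_present"])
    print("clear-text secrets:", ", ".join(report["plaintext_elements"]) or "none")
    cleaned = strip_ldap_block(SAMPLE_CONF)
    print("after cleanup:", audit_server_conf(cleaned))
```

On a real server, read the file in place of SAMPLE_CONF and write the result of strip_ldap_block back only after taking a backup; the remaining dbPassword finding is the one the post says is addressed by the 7.0 upgrade, so a clear-text hit there on an older release is expected rather than a new problem.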
31/05/2010 09:06:04
Lev
SysAid Mod

Joined: 18/08/2008
Messages: 508
Location: Haifa, Israel
Joseph Zargari wrote:Hey guys,
I wanted to jump into the conversation with some news:
1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you setup a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file, could safely remove all lines from <LDAPConf> until </LDAPConf>.
2. The password for the database connection <dbPassword>, which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.
I'll keep my eyes on this post, so if anyone has a question...
Joseph
Dear Joseph,
Can you think of a good reason for not telling your clients this info earlier?
If there was a security issue and it was fixed in new installs, and upgraded users needed to take any action, I would expect Ilient to tell us about it....
Just my 2 cents.
Lev
DONT !!! DONT TOUCH THE KEYBOARD !!!