Major security hole - Domain Administrator Password  XML
Forum Index » SysAid Installation & Beyond
 
Author Message
UserInterface
SysAider

SysAider from release 6.5 Australia Pathfinder
Joined: 13/03/2010
Messages: 38
Offline

Is everyone aware that their domain password is sitting in plain text within an XML file on their server??

Thought you might like to know that your system is not as secure as one might like.

This is especially the case if your machine is accessible from the internet (DMZ).

This message was edited 1 time. Last update was at 18/03/2010 16:50:08



Brian Martin
Elite SysAider

SysAider from release 5.6 United States Pathfinder SysAid Certified Meet me in Vegas - SysAid technology Conference - 28-30/4/2010
Joined: 11/02/2009
Messages: 181
Location: Knoxville, TN
Offline

Are you talking in regards to AD integration?

If so, best practice is to use a service account with limited rights and not a domain admin account for this connection.

- Brian Martin

Unofficial SysAid Wiki - Most common issues and their solutions can be found here.
Scott the Admin
SysAider


SysAider from release 6 United States
Joined: 28/01/2010
Messages: 10
Location: Oxford, MI
Offline

I'm just venturing a guess here but...

Did you enter your domain administrator credentials in SysAid for something such as LDAP integration?

This is why you create a user account with only the permissions required to make LDAP queries (read-only) and use that account in SysAid, not your domain admin account.

I rarely, and I mean rarely, use my domain admin account for anything. Promoting Domain Controllers, Changing FSMO roles, etc.

Using it to grant software access to our AD is against our security policy.

Again, just a guess here.

Never underestimate the power of stupid people in large groups.
UserInterface
SysAider

SysAider from release 6.5 Australia Pathfinder
Joined: 13/03/2010
Messages: 38
Offline

Sorry, I should have said that I have resolved our problem with this, but I wanted to make sure that others knew this was the case... I only discovered it because a support person opened it up in front of me..
That meant that I had to change our domain admin password again..

If you don't know the password is there, you would assume that it would be encrypted, as it is a simple thing to do and most products of this size would have this enabled by default..


Obelix
SysAid Wiz


SysAider from release 3.1 Indonesia Pathfinder
Joined: 12/06/2008
Messages: 908
Offline

Any passwords, regardless of the role, no matter how limited they are, should NOT be in plain sight for unauthorized users to view.
Evan
Super SysAider

SysAider from release 5.6 United States
Joined: 24/12/2008
Messages: 86
Offline

We use a service account, but I am still curious which XML file.

I am also curious if this will be corrected.

-Evan
itayH
SysAid Customer Relations


Joined: 23/09/2009
Messages: 1092
Offline

Hi all,

Sorry for the misunderstanding...

We usually suggest using a user with read-only rights for the LDAP integration.

@ Evan @ I think that this is not the place for questions like that, where everyone can see the answer.

This message was edited 1 time. Last update was at 31/05/2010 09:39:13


Best Regards,
Itay
UserInterface
SysAider

SysAider from release 6.5 Australia Pathfinder
Joined: 13/03/2010
Messages: 38
Offline

I think that this is exactly the place to discuss such things.. how else do we make sure that this gets fixed asap..


itayH
SysAid Customer Relations


Joined: 23/09/2009
Messages: 1092
Offline

It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that's just me thinking.

You can contact us for more info.

Best Regards,
Itay
Oded M
VP Product


Joined: 28/05/2008
Messages: 1061
Offline

Hi All,

Just a clarification:

The LDAP password that appears in the XML file is encrypted and has been this way since it was fixed in release 5.6.

UserInterface, I suggest you contact our support with more details, so what you see can be further investigated.

Oded



This message was edited 1 time. Last update was at 21/03/2010 06:15:16

UserInterface
SysAider

SysAider from release 6.5 Australia Pathfinder
Joined: 13/03/2010
Messages: 38
Offline

Oded M wrote: Hi All,

Just a clarification:

The LDAP password that appears in the XML file is encrypted and has been this way since it was fixed in release 5.6.

UserInterface, I suggest you contact our support with more details, so what you see can be further investigated.

Oded


I have 6.5.08, and am telling you that it is not encrypted inside that file. It is in plain text.


UserInterface
SysAider

SysAider from release 6.5 Australia Pathfinder
Joined: 13/03/2010
Messages: 38
Offline

itayH wrote: It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that's just me thinking.

You can contact us for more info.


I contacted you and you told me that it is not a threat due to these reasons:

A. You have to have access to the server machine itself in order to view the file; usually, if you have that ability, you are probably an Administrator on that system and therefore should be able to see the DB password if needed.

B. If you managed to get access to the server by some unthinkable way, you are still probably not a SysAid user and will not know where to look for such information, and the probability is that even if you see the ServerConf file you will not know what you are looking at.

This is not the response that should have been given to me. I think that everyone here will agree with what you say, but it is a moot point. The point is that if someone gains access to any of our servers through any means, I do not want any passwords in plain text on my system.. This is why I would like a patch for this asap..


HealthCare Support Staff
SysAider


SysAider from release 6.5 United States
Joined: 21/05/2010
Messages: 10
Offline

I agree. Please make this a feature request. No plain-text passwords stored on SysAid servers or clients.
Joseph Zargari
VP Customer Relations


Meet me in Vegas - SysAid technology Conference - 28-30/4/2010
Joined: 26/03/2006
Messages: 604
Offline

Hey guys,

I wanted to jump into the conversation with some news:

1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you set up a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file could safely remove all lines from <LDAPConf> until </LDAPConf>.

2. The password for the database connection <dbPassword>, which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.

I'll keep my eyes on this post, so if anyone has a question...
Joseph
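An audit helper for the two points above, written for this thread and not SysAid's own code: it reports whether a serverConf.xml still carries the legacy LDAPConf block or any non-empty password-like element, and removes the LDAPConf lines while leaving every other line untouched. The sample file and the element names inside LDAPConf are constructed assumptions; the check cannot tell whether a dbPassword value is the 7.0 encrypted form, it only flags it for review.

```python
"""Audit a SysAid serverConf.xml for credential material (added example, not SysAid's code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample. Only <LDAPConf> and <dbPassword> come from the thread;
# the child element names under <LDAPConf> are assumptions, not SysAid's real schema.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<serverConf>
  <dbUrl>jdbc:placeholder</dbUrl>
  <dbPassword>CHANGEME_db_password</dbPassword>
  <LDAPConf>
    <ldapHost>dc01.corp.example</ldapHost>
    <ldapUser>CORP\\svc-sysaid-ldap</ldapUser>
    <ldapPassword>CHANGEME_ldap_password</ldapPassword>
  </LDAPConf>
  <otherSetting>keep me</otherSetting>
</serverConf>
"""


def audit_conf(xml_text):
    """Return findings: is the legacy LDAPConf block present, and which
    password-like elements carry a non-empty value (in document order)."""
    root = ET.fromstring(xml_text)
    findings = {"ldapconf_present": root.find("LDAPConf") is not None,
                "credential_elements": []}
    for el in root.iter():
        # any element whose tag mentions "password" and has a value deserves review
        if "password" in el.tag.lower() and (el.text or "").strip():
            findings["credential_elements"].append(el.tag)
    return findings


# Matches the whole block from the line holding <LDAPConf> through the line holding </LDAPConf>.
LDAPCONF_BLOCK = re.compile(r"^[ \t]*<LDAPConf>.*?</LDAPConf>[ \t]*\r?\n?",
                            re.DOTALL | re.MULTILINE)


def strip_ldapconf(xml_text):
    """Remove the <LDAPConf>...</LDAPConf> lines, leaving all other lines byte-for-byte intact."""
    cleaned = LDAPCONF_BLOCK.sub("", xml_text)
    ET.fromstring(cleaned)  # refuse to return a file that is no longer well-formed XML
    return cleaned


if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
    print(audit_conf(strip_ldapconf(SAMPLE_CONF)))
```

Run it against a copy of the real file and diff the result before writing anything back; after stripping, the audit should report only dbPassword.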
Lev
SysAid Mod


SysAider from release 5.5 Israel Pathfinder
Joined: 18/08/2008
Messages: 512
Location: Haifa, Israel
Offline

Joseph Zargari wrote: Hey guys,

I wanted to jump into the conversation with some news:

1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you set up a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file could safely remove all lines from <LDAPConf> until </LDAPConf>.

2. The password for the database connection <dbPassword>, which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.

I'll keep my eyes on this post, so if anyone has a question...
Joseph


Dear Joseph,

Can you think of a good reason for not telling your clients this info earlier?
If there was a security issue, and it was fixed in new installs, and upgraded users needed to take any action, I would expect Ilient to tell us about it ....
Just my 2 cents.

Lev

DONT !!! DONT TOUCH THE KEYBOARD !!!