Latest posts for the topic "Major security hole - Domain Administrator Password"

Major security hole - Domain Administrator Password

UserInterface — GMT

Is everyone aware that there domain password is sitting in plain text within an XML file on there server??

Thought you might like to know that your system is not as secure as one might like.

This is especially the case if your machine is accessible from the internet (DMZ)

Major security hole - Domain Administrator Password

Brian Martin — GMT

Are you talking in regards to AD integration?

If so, best practice is to use a service account with limited rights and not a domain admin account for this connection.

Re:Major security hole - Domain Administrator Password

Scott the Admin — GMT

I'm just venturing a guess here but...

Did you enter your domain administrator credentials in SysAid for something such as LDAP integration?

This is why you create a user account with only the permissions required to make LDAP queries (read-only) and use that account in SysAid and not your domain Admin account.

I rarely, and I mean rarely, use my domain admin account for anything. Promoting Domain Controllers, Changing FSMO roles, etc.

Using it to grant software access to our AD is against our security policy.

Again, just a guess here.

Re:Major security hole - Domain Administrator Password

UserInterface — GMT

Sorry should have said that I have resolved our problem with this but wanted to make sure that others knew that this was the case... I only discovered it because a support person opened it up in front of me..
That meant that I had to change our domain admin password again..

If you don't know the password is there you would assume that it would be encrypted as it is a simple thing to do and most products of this size would have this enabled by default..

Major security hole - Domain Administrator Password

Obelix — GMT

Any passwords regardless of the role no matter how limited they are, should NOT be on plain sight for unauthorized users to view.

Re:Major security hole - Domain Administrator Password

Evan — GMT

We use a service account, but I am still curious which XML file.

I am also curious if this will be corrected.

-Evan

Re:Major security hole - Domain Administrator Password

itayH — GMT

Hi all,

Sorry for the misunderstanding...

We usually suggest to use a user with read only right for the LDAP integration.

@ Evan @ I think that this is not the place for questions like that for everyone to see the answer.

Re:Major security hole - Domain Administrator Password

UserInterface — GMT

I think that this is exactly the place to discuss such.. how else do we make sure that this gets fixed asap..

Re:Major security hole - Domain Administrator Password

itayH — GMT

It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that just me thinking.

You contact us for more info.

Re:Major security hole - Domain Administrator Password

Oded M — GMT

Hi All,

Just a clarification:

The LDAP password that appears in the XML file is encrypted and has been this way since it has been fixed in release 5.6.

UserInterface , I suggest you contact our support with more details, so what you see can be further investigated

Oded

Re:Major security hole - Domain Administrator Password

UserInterface — GMT

[quote=Oded M]Hi All,

Just a clarification:

The LDAP password that appears in the XML file is encrypted and has been this way since it has been fixed in release 5.6.

UserInterface , I suggest you contact our support with more details, so what you see can be further investigated

Oded

[/quote]

I have 6.5.08, and am telling you that it is not encrypted in side that file. It is in plain text.

Re:Major security hole - Domain Administrator Password

UserInterface — GMT

[quote=itayH]It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that just me thinking.

You contact us for more info.[/quote]

I contacted you and you told me that it is not a threat due to these reasons

A. You have to have access to the server machine itself in order to view the file, usually, if you have that ability, you are probably an Administrator on that system and therefore should be able to see the DB password if needed.

B. If you managed to get access to the server by some unthinkable way, you are still probably not a SysAid user and will not know where to look for such information and the probability is that even if you see the ServerConf file you will not know what you are looking at

This not the response that should have been given to me. I think that everyone here will agree to what you say but it is a moot point. The point is that if someone gains access to any of our servers through any means, I do not want any passwords in plain text on my system.. This is why I would like a patch for this asap..

Re:Major security hole - Domain Administrator Password

HealthCare Support Staff — GMT

I agree. please make this a feature request. No plain text passwords stored on sysaid servers or clients.

Re:Major security hole - Domain Administrator Password

Joseph Zargari — GMT

Hey guys,

I wanted to jump into the conversation with some news:

1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you setup a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file, could safely remove all lines from until .

2. The password for the database connection , which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.

I'll keep my eyes on this post, so if anyone has a question...
Joseph

Re:Major security hole - Domain Administrator Password

Lev — GMT

[quote=Joseph Zargari]Hey guys,

I wanted to jump into the conversation with some news:

1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you setup a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file, could safely remove all lines from until .

2. The password for the database connection , which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.

I'll keep my eyes on this post, so if anyone has a question...
Joseph[/quote]

Dear Joseph

Can you think of a good reason not telling your clients this info earlier?
If there was a security issue and it was fixed in new install and upgraded users needed to do any action I would expect Ilient to tell about it ....
Just my 2 cents.

Lev

Re:Major security hole - Domain Administrator Password

Joseph Zargari — GMT

Hey Lev,

Basically, we never looked at this as a security issue. Since SysAid usually runs on a server, the serverConf.xml file should not be accessible for domain users to see (limited by NTFS permissions).
The password showing on the configuration file was more of a cosmetic issue.

Jospeh.

Re:Major security hole - Domain Administrator Password

@@@ — GMT

I hate to dig up an old ticket but the responses to peoples questions in this thread are inadequate.

We are being told to use a service account with read-only privileges, however for password services you ask that we use a domain administrator account. what is the correct answer? Domain admin or read-only user?

Re:Major security hole - Domain Administrator Password

Joseph Zargari — GMT

Hi @@@,
SysAid requires read-only permissions to import user data from AD and perform authentication. It requires a domain admin account if you are also implementing Password Services.

I hope this answers your question.
Joseph.

Re:Major security hole - Domain Administrator Password

Tarphon — GMT

So did you ever notify your customers or do they only find out when they stumble across this post? Storing any password in plaintext is poor security and if you didn’t think this was an issue or worth notifying your clients about then what other “non-issues” are lurking out there for us to find?

Unacceptable.

Re:Major security hole - Domain Administrator Password

Joseph Zargari — GMT

Hi Tarphon,

Since this post started, this was already corrected. SysAid doesn't store any password in plain text in the config files, definitely not the domain admin's one.

We take security very seriously when we come to plan, design and develop our products. We spend great deal of efforts and resources making SysAid more secure.
Surely, things can go wrong - but we are always ready to respond quickly when a security breach is found.

Thanks,
Joseph.