Major security hole - Domain Administrator Password
 
SysAider
38
 
Is everyone aware that their domain password is sitting in plain text within an XML file on their server?

Thought you might like to know that your system is not as secure as one might like.

This is especially the case if your machine is accessible from the internet (DMZ).

This message was edited 1 time. Last update was at Mar. 18, 2010 04:50 PM


Elite SysAider
181
 
Are you talking in regards to AD integration?

If so, best practice is to use a service account with limited rights and not a domain admin account for this connection.
- Brian Martin

Unofficial SysAid Wiki - Most common issues and their solutions can be found here.
SysAider
10
 
I'm just venturing a guess here but...

Did you enter your domain administrator credentials in SysAid for something such as LDAP integration?

This is why you create a user account with only the permissions required to make LDAP queries (read-only) and use that account in SysAid and not your domain Admin account.

I rarely, and I mean rarely, use my domain admin account for anything. Promoting Domain Controllers, Changing FSMO roles, etc.

Using it to grant software access to our AD is against our security policy.

Again, just a guess here.
Never underestimate the power of stupid people in large groups.
SysAider
38
 
Sorry, I should have said that I have resolved our problem with this but wanted to make sure that others knew that this was the case... I only discovered it because a support person opened it up in front of me..
That meant that I had to change our domain admin password again..

If you don't know the password is there, you would assume that it would be encrypted, as it is a simple thing to do and most products of this size would have this enabled by default..

SysAid Wiz
909
 
Any passwords, regardless of the role and no matter how limited they are, should NOT be in plain sight for unauthorized users to view.
Super SysAider
95
 
We use a service account, but I am still curious which XML file.

I am also curious if this will be corrected.

-Evan
SysAid Customer Relations
1092
 
Hi all,

Sorry for the misunderstanding...

We usually suggest using a user with read-only rights for the LDAP integration.

@ Evan @ I think that this is not the place for questions like that for everyone to see the answer.

This message was edited 1 time. Last update was at May. 31, 2010 09:39 AM

Best Regards,
Itay
SysAider
38
 
I think that this is exactly the place to discuss such.. how else do we make sure that this gets fixed asap..

SysAid Customer Relations
1092
 
It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that's just me thinking.

You can contact us for more info.
Best Regards,
Itay
VP Product
1080
 
Hi All,

Just a clarification:

The LDAP password that appears in the XML file is encrypted and has been this way since it has been fixed in release 5.6.

UserInterface, I suggest you contact our support with more details, so what you see can be further investigated.

Oded



This message was edited 1 time. Last update was at Mar. 21, 2010 06:15 AM

SysAider
38
 
Oded M wrote: Hi All,

Just a clarification:

The LDAP password that appears in the XML file is encrypted and has been this way since it has been fixed in release 5.6.

UserInterface, I suggest you contact our support with more details, so what you see can be further investigated.

Oded


I have 6.5.08, and am telling you that it is not encrypted inside that file. It is in plain text.

SysAider
38
 
itayH wrote: It's probably not the best way to handle a security threat by telling everyone how to hack your system. But that's just me thinking.

You can contact us for more info.


I contacted you and you told me that it is not a threat due to these reasons:

A. You have to have access to the server machine itself in order to view the file. Usually, if you have that ability, you are probably an Administrator on that system and therefore should be able to see the DB password if needed.

B. If you managed to get access to the server by some unthinkable way, you are still probably not a SysAid user and will not know where to look for such information, and the probability is that even if you see the ServerConf file you will not know what you are looking at.

This is not the response that should have been given to me. I think that everyone here will agree with what you say, but it is a moot point. The point is that if someone gains access to any of our servers through any means, I do not want any passwords in plain text on my system.. This is why I would like a patch for this asap..

SysAider
10
 
I agree. Please make this a feature request. No plain text passwords stored on SysAid servers or clients.
VP Customer Relations
604
 
Hey guys,

I wanted to jump into the conversation with some news:

1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you set up a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file could safely remove all lines from <LDAPConf> until </LDAPConf>.

2. The password for the database connection <dbPassword>, which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.

I'll keep my eyes on this post, so if anyone has a question...
Joseph
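As an added example (not code from the thread, from SysAid or from any poster), a small Python script that audits a serverConf.xml for the two elements discussed above and removes the <LDAPConf>...</LDAPConf> block as a text edit, the cleanup Joseph describes for existing installs. Only the <LDAPConf> and <dbPassword> element names come from the thread; the sample config, its child tag names and all values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a pre-7.0 serverConf.xml. Only <LDAPConf> and <dbPassword>
# are element names from the thread; the child tags and all values are made up.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<serverConf>
  <dbUrl>jdbc:example://db.example.local/sysaid</dbUrl>
  <dbPassword>PLACEHOLDER-db-secret</dbPassword>
  <LDAPConf>
    <ldapHost>dc01.example.local</ldapHost>
    <ldapUser>svc_ldap_ro@example.local</ldapUser>
    <ldapPassword>PLACEHOLDER-ldap-secret</ldapPassword>
  </LDAPConf>
</serverConf>
"""

LDAPCONF_BLOCK = re.compile(r"[ \t]*<LDAPConf>.*?</LDAPConf>[ \t]*\r?\n?", re.DOTALL)

def audit_server_conf(xml_text: str) -> dict:
    """Report which credential-bearing elements the config still carries."""
    root = ET.fromstring(xml_text)
    ldap = root.find("LDAPConf")
    dbpw = root.find("dbPassword")
    return {
        "has_ldapconf": ldap is not None,
        "ldap_fields": sorted(child.tag for child in ldap) if ldap is not None else [],
        "has_dbpassword": dbpw is not None and bool((dbpw.text or "").strip()),
    }

def strip_ldapconf(xml_text: str) -> str:
    """Drop the whole <LDAPConf>...</LDAPConf> block as text, so every other
    line (XML declaration, comments, indentation) is preserved verbatim."""
    return LDAPCONF_BLOCK.sub("", xml_text)

def sanitize_file(path: Path) -> dict:
    """Back up the file, rewrite it without <LDAPConf>, return before/after audits."""
    original = path.read_text(encoding="utf-8")
    before = audit_server_conf(original)
    if before["has_ldapconf"]:
        path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
        path.write_text(strip_ldapconf(original), encoding="utf-8")
    return {"before": before, "after": audit_server_conf(path.read_text(encoding="utf-8"))}

if __name__ == "__main__":
    print(audit_server_conf(SAMPLE_CONF))
    print(strip_ldapconf(SAMPLE_CONF))
```

The audit only reports whether a non-empty <dbPassword> element is present; whether its value is encrypted (as stated for 7.0) or clear text has to be judged by a reader, and a file that still has the block should be treated as having exposed the credential it held.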
Lev
SysAid Mod
512
 
Joseph Zargari wrote: Hey guys,

I wanted to jump into the conversation with some news:

1. The LDAP information that appears in the serverConf.xml file is not being looked at by the SysAid Server. This information is securely saved in the database. It is showing in the serverConf.xml file for historical reasons. If you set up a new installation of SysAid, it should not store that information in that file. Existing customers that have that information in their serverConf.xml file could safely remove all lines from <LDAPConf> until </LDAPConf>.

2. The password for the database connection <dbPassword>, which was also stored in clear text, is now (7.0) encrypted in the serverConf.xml file.

I'll keep my eyes on this post, so if anyone has a question...
Joseph


Dear Joseph,

Can you think of a good reason for not telling your clients this info earlier?
If there was a security issue and it was fixed in new installs, and upgraded users needed to take any action, I would expect Ilient to tell us about it ....
Just my 2 cents.

Lev
DONT !!! DONT TOUCH THE KEYBOARD !!!