How secure will be this configuration?
Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: How secure will be this configuration?

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130

    How secure will be this configuration?

    Ok, ive received this configuration:

    - An application needs to run on a windows server (2000 or 2003) and it needs to run with a logged administrator user .
    - That application cant run as a service and it has a "window".
    - That application will be in tcp listening mode on a port choosed by me.
    - No, i cant change the application to run as a service. I didnt write it nor my client. My client bought that sh*t and the vendor have no idea how to run it as a service. The client must run as is (as a foreground application, with an admin user logged)
    - Yes, it must be run as an admin. Ive tried to run it if several "less power" user configuration, but it didnt work. Ive ask the vendor, but only answer that i received was "it must run as an administrator". Why? "because..."
    - I must install it and run on the best way i can.

    What i did:
    - ive disabled all shares, including administrative ones. That machine does not belong to a domain and the only port that is open (aparently) is that i choose to the application.
    - Only local logon is allowed. Only administrators can log on on the server.
    - Ive Disabled autorun for everything. Ive disabled usb ports too.
    - Machine boots, autolog on the admin, starts the application and lock the server. (yes, the user wants that the process to be automatic - if you have a better idea to do that without human intervention, please post here)
    - To shutdown the application: the application has a remote interface (thru that port too) that allow the application administration to shutdown it. When the application shutdowns, it runs AFTER a script the shutdowns the server too.

    My concerns:
    - how safe it is now?
    - what i can do to enhance the security? (dont suggest to change the application - i cant do that)

    Any analysis and/or suggestions will be wellcome.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I would use 2003.

    Does the app have to be "The Administrator" or a member of the admin group??

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Don't you just hate vendors like that?

    The application needs a windows server but they have no clue how to run it as a service. They're also clueless as to what privileges the application needs. Sigh, makes you wonder what kind of programmers they've hired... Makes you wonder about the ports the app is opening too...

    It sounds like how I would setup a server for crap like that.
    One thing though.. physical access?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Does the app have to be "The Administrator" or a member of the admin group??
    the application must have admin priviledges. I suspect that it uses some kind of API that demands that. But unfortunetaly, vendor doesnt know (or doesnt want to reveal) which API is causing that. I did some kind of digging on objects and parts were written in VC, parts in VB and parts in Delphi Go figure if they didnt steal part of application from other companies.
    Anyway, i dont want to go further since my client is paying to secure the environment and not to do reverse engineering on tha cr*p.
    Makes you wonder about the ports the app is opening too...
    i did some scans on the server using several tools and it looks to open only the port that ive choose. However, i will lock all other ports anyway, since it can trigger some malware after i leave my client : - but its kinda useless doing that since the program is running under admin priviledges, so it can undo my "locks". Its the best that i can do without a external firewall.
    One thing though.. physical access?
    rofl. The server is located in the middle of the office. Thats why my concerns about autorun and usb..... and before you suggest, i cant move it either to a safe location. (domain server are there anyway)
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    rofl. The server is located in the middle of the office. Thats why my concerns about autorun and usb..... and before you suggest, i cant move it either to a safe location. (domain server are there anyway)
    Is locking it in a box a viable option? There are some purpose built security box's on the market. Even a home made one would be better than leaving it open.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    create an operator account, and lock down the administrator account. Lock down one thing at a time though since you have no idea what the account needs.

    cheers,

    catch

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    create an operator account, and lock down the administrator account. Lock down one thing at a time though since you have no idea what the account needs.
    already tried. It looks like that the application needs a high priviledge. But i cant expend a lot of time on that because the client wont pay me to do that. BTW, client demands that i install it as the vendor RECOMENDS....
    Is locking it in a box a viable option? There are some purpose built security box's on the market. Even a home made one would be better than leaving it open
    tks for the idea, but since all other servers (DC include) are in the same situation, "client" doesnt want to put $$$ on that....

    anyone can see other "logical vulnerabilities" on that config? on "Physical side" i cant improve more.. except maybe bomb the vendor
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  8. #8
    Banned
    Join Date
    May 2003
    Posts
    1,004
    already tried. It looks like that the application needs a high priviledge.
    It can need all the priviledge it wants, so long as it doesn't actually use things like "take ownership", access to specific files, etc it'll work just fine.

    anyone can see other "logical vulnerabilities"
    Yeah, your signature on that contract.

    That aside, why? You don't seem to want or be able to fix them. Unless you make an attempt at implementing least priviledge on the Admin account there is no point in worrying about anything else.

    cheers,

    catch

  9. #9
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Yeah, your signature on that contract.

    That aside, why? You don't seem to want or be able to fix them. Unless you make an attempt at implementing least priviledge on the Admin account there is no point in worrying about anything else.
    I cant agree more, but i work for the money. My service is "customize" that crap as best as i can. But i cant kick my clients' butt just because i disagree of his security policies
    On my final report i will report all problems that i see on that config and why i cant fix them.

    But i need feedback from you to see "all" problems that i need to put on my report that i will deliver with my bill...
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I'd simply state that the limitations of the application make it impossible to determine all liability, so you are accountable for nothing. You did the best you could, but as there are not standards, guidelines, or even best practices for this situation... you cannot be held liable for any security issues.

    cheers,

    catch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •