 Rank: eJadSPM Learner
Groups: Member
Joined: 2/18/2008 Posts: 5 Points: 15
Today I have installed eJadSPM. I see that the installer has created a new user, "eJadSPM_Web", and I also see that this user is a member of the group called "Administrators".
Developers, are you insane? Which programmer configures such an ACL? We are talking about a web application which is accessible from ANYWHERE!!!
Now let's move to the user of the application pool which eJadSPM is running under. The automatic installer has configured it to run as "Local System". Again, security compromised!!! Why not use the same user "eJadSPM_Web"?
The developers need to take the web application back to the sketch desk.
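One way to audit the two settings this post complains about (the application pool identity and the web account's local group membership), as an added PowerShell example that is not part of the thread or of the eJadSPM product; it assumes a Windows Server with IIS, the WebAdministration module and the LocalAccounts cmdlets (Windows Server 2016+ / PowerShell 5.1), run from an elevated shell:

```powershell
# Added audit example, not code from the thread or from eJadSPM/MachPanel.
# Assumes: IIS with the WebAdministration module and the LocalAccounts
# cmdlets (Get-LocalGroupMember). Run from an elevated PowerShell session.
Import-Module WebAdministration

# Account the installer created, as named in the thread.
$WebUser = 'eJadSPM_Web'

function Test-LocalAdmin {
    # True if $Account (with or without a MACHINE\ prefix) is in local Administrators.
    param([string]$Account)
    $short   = ($Account -split '\\')[-1]
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { ($_.Name -split '\\')[-1] -ieq $short })
}

$findings = @()

# 1. App pools whose worker process (w3wp.exe) runs as LocalSystem: any
#    code-execution bug in the site then has full control of the host.
foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $type = $pool.processModel.identityType
    $user = $pool.processModel.userName
    if ($type -eq 'LocalSystem') {
        $findings += "AppPool '$($pool.Name)' runs as LocalSystem"
    } elseif ($type -eq 'SpecificUser' -and (Test-LocalAdmin $user)) {
        # 2. A custom identity is only as safe as its group membership.
        $findings += "AppPool '$($pool.Name)' identity '$user' is a local Administrator"
    }
}

# 3. The web account itself should not be an administrator, whether or not
#    a pool currently runs under it.
if (Test-LocalAdmin $WebUser) {
    $findings += "User '$WebUser' is a member of local Administrators"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no app pool runs as LocalSystem and the web account is not an Administrator.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output 'Remediation (least privilege):'
    Write-Output "  Remove-LocalGroupMember -Group Administrators -Member $WebUser"
    Write-Output "  Set-ItemProperty 'IIS:\AppPools\<pool>' -Name processModel.identityType -Value ApplicationPoolIdentity"
}
```

The remediation lines are printed rather than executed so the operator can confirm which pool and account are affected before changing them.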
Rank: Management
Groups: Administration, Member
Joined: 11/11/2007 Posts: 81 Points: 324 Location: Dubai
The "eJadSPM_Web" user MUST be an Administrators group member because eJadSPM is not just an ordinary web application. It is the control system to manage and run all aspects of your business, and for that it requires administrative access to your network and servers. For example, when you configure Network Monitoring, the application control panel should be running under administrative rights, otherwise it cannot monitor remote servers and ports. Another example is Servers Management: the application cannot show you disk usage graphs, running processes, event logs, etc. unless proper permissions are set. eJadSPM's security model is well thought out and well designed. The way the installer configures the application is intentional and a REQUIREMENT for its operations. I hope this helps you understand.
-- Aziz Paracha, Vice President/CTO, MachPanel (formerly eJadSPM System) -- SaaS Enabled Hosted Service Delivery Platform, www.machsol.com. We offer the world's only affordable consolidated platform for SaaS providers. Is there a company that beats our pricing? Let me know!
 Rank: eJadSPM Learner
Groups: Member
Joined: 10/19/2008 Posts: 11 Points: 33 Location: NA
Quote: "eJadSPM's security model is well thought out and well designed. The way the installer configures the application is intentional and a REQUIREMENT for its operations."
Although I understand that the web application is required to perform some tasks with administrative privileges, I do agree with the OP that under no circumstances should you run a web application that is exposed to the Internet with those credentials. I believe that you guys tried to keep things as simple as possible and might have taken the easy way in terms of designing the security of your application, but I'm pretty sure that this will come back some day to haunt you, and when it does... well... it's not going to be pretty. Redesigning the security model now, while your application is still "young", may prove to be a lot easier than in about 6 months from now.
Rank: Management
Groups: Administration, Member
Joined: 11/11/2007 Posts: 81 Points: 324 Location: Dubai
Thanks for your comments. One of the major functions of eJadSPM is service provisioning, which means interaction with many 3rd-party products and performing certain system-level operations. These operations cannot be performed without elevated privileges. Since at the moment many calls go directly from the scope of the control panel website, we have to set administrative rights. It is however worth mentioning here that we are gradually moving all operations to remoting services, and once that is complete we will demote the anonymous user to normal user rights.
-- Aziz Paracha, Vice President/CTO, MachPanel (formerly eJadSPM System) -- SaaS Enabled Hosted Service Delivery Platform, www.machsol.com. We offer the world's only affordable consolidated platform for SaaS providers. Is there a company that beats our pricing? Let me know!