Thursday, April 14, 2016

Cache' Backdoors Guide

Installing a 100% Secured Cache' System


Introduction.


Cache' provides a full set of security settings, which allows you to configure Cache' to be protected from any kind of unauthorized access. However right after the installation, there are several ways to get unauthorized access to the system. This document will guide you through all aspects of configuring Cache' after installation to close all these avenues of unauthorized access.

NOTE: This document does not cover aspects of granting particular user access to particular resources such as Globals or Tables.

TOC:


Cache' Direct
Cache' Terminal
ODBC
WebLink and WebLink Developer
License server
System level security settings
Step-By-Step instruction

Cache' Direct


By default any VisM, Cache' Objects GUI application, or the GUI utilities (such as Control Panel) can access Cache' without authentication.

To prevent this, create one or more Cache Direct Users (Control Panel->Security->Cache Direct Users) and set "Enable Security Checking=ON" (Right-Click on "Cache Direct Users" and turn corresponding menu option on). This will be enough to prevent unauthorized access from any kind of GUI application.

If you turn on Enable Security Checking but do not add any Cache Direct User, you will not be able to connect to Cache' with any GUI application, including Control Panel. So you will not be able to add users and will not be able to connect to Cache' at all. To fix this problem, log in to Cache' in terminal mode and kill the ^%CDUaf global in the %SYS namespace:
USER>zn "%SYS"
%SYS>kill ^%CDUaf
For more information refer to the "Advanced System Administration Guide".

Cache' Terminal


If any kind of terminal access to Cache' is enabled, users can access Cache' through the terminal interfaces (Telnet/LAT/COM Ports) with the accounts listed in the "User Accounts" section of Control Panel (Control Panel->Security->User Accounts). Add one or more users to this list to grant them access.
There is a special "hidden" account, Username="SYS", Password="XXX", which is on by default but not shown in the User Accounts section, so by default anyone can access Cache' using this account. To turn this "hidden" account off, create a user named SYS and set its password to something different from "XXX".

If you don't plan to use terminal access, you can turn it off completely (Configuration manager->Advanced->Startup procedure->Terminal->[Telnet->Run Telnet=No | LAT->Run LAT=No | Run COM ports=No]).

For more information refer to the "Advanced System Administration Guide".

ODBC


By default only one user can access Cache' via ODBC. The account for this user is:
Username: "_SYSTEM"
Password: "SYS"
This user can create other users and grant them access rights. In general it is possible to delete the _SYSTEM user, but this is not recommended, as it is usually recreated on upgrade anyway. It is better just to change the password. To change the _SYSTEM password to "NewPassword", issue the following command via ODBC:
ALTER USER "_SYSTEM" IDENTIFY BY NewPassword
After doing this you will be the only person who can access Cache' via ODBC.

Please note: to allow this syntax to be parsed via CacheSQL, you need to allow processing of delimited identifiers. (ConfigMgr->Advanced->SQL->Supported delimited identifiers = Yes)

WebLink and WebLink Developer


WebLink itself does not require any specific configuration to disable unauthorized access, as by default it is configurable only from the localhost machine (127.0.0.1).

However, the "Cache WebLink Developer maintenance suite" (the application used to create, configure and compile other WLD applications) is itself a normal WebLink application and can be activated from any computer. To prevent this, you should enable user authentication for the WLAPP application. A detailed step-by-step description of this procedure is given in the Cache' WebLink Developer Guide (Installation section).

If you don't plan to use WebLink, just do not install the WebLink component on your web server. Even if you don't plan to use WebLink Developer (only "pure WebLink"), always install (and run for the first time) WebLink Developer and enable user authentication for the WLAPP application.

For more information see the "WebLink Developer Guide".

License Server


It is not possible to use the Cache' license server for unauthorized access to your system, but it is possible to make use of the license server itself. This means that "someone" can use your license instead of their own, just by pointing their Cache' installation at your server's IP as the License Server for their own system.

Currently there is no internal way to prevent this. You should protect port 4001 of your computer at the system level (see next chapter).

As a possible, but not complete, measure, change the port number of the License Server to any random number other than 4001.

System Level Security Settings


One of Murphy's laws says: "If something bad can happen, it definitely will". In our case: "If it's possible to find the password, it will definitely be found by someone", even if it takes a zillion attempts. So if it is possible to prevent this "someone" from even trying to discover a password, it should be done.

There are a number of technologies which can be used to protect a system from external access, such as firewalls, proxy servers and so on. Ask your system manager about this. The magic words you should say are: "Please prevent access to ports 23, 1972 and 4001 (or even better, all ports) of this Cache' server from any external network".

Step-By-Step Instruction


Here is a summary of everything you should do right after installation to protect your Cache' server from unauthorized access.
  1. Create at least one Cache Direct user and enable Security Checking.
  2. Add the necessary user accounts for terminal mode. Create user SYS with a password other than XXX. Or just disable all terminal access.
  3. Through ODBC, change the password for the _SYSTEM user.
  4. If you are using WebLink, activate WebLink Developer and enable user authentication for the WLAPP application.
  5. If possible, ask your system engineer to close ports 23, 1972 and 4001 (or even better, all ports) of the Cache' server for access from external networks.
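Once the system manager has closed the ports from step 5, a quick way to confirm it from an external vantage point (a machine outside the Cache' server's network) is to probe the three ports named above. This is an added verification script, not part of the original guide; the host name and port-to-service mapping are assumptions for illustration.

```python
import socket
from typing import Dict, Iterable

# Ports the guide asks the system manager to block from external networks
# (labels are ours, based on the sections above).
CACHE_PORTS = {
    23: "Terminal (Telnet)",
    1972: "ODBC",
    4001: "License Server",
}


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout.

    A refused, filtered or timed-out connection all count as 'not reachable',
    which is the desired state after the firewall change.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host: str, ports: Iterable[int] = CACHE_PORTS,
                   timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port and report which ones are still reachable."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def still_exposed(results: Dict[int, bool]) -> list:
    """Ports from the audit that a firewall rule should have blocked."""
    return sorted(port for port, reachable in results.items() if reachable)


if __name__ == "__main__":
    # Hypothetical host name; run this from OUTSIDE the server's network.
    target = "cache-server.example.org"
    results = audit_exposure(target)
    for port, reachable in results.items():
        label = CACHE_PORTS.get(port, "unknown")
        state = "STILL OPEN" if reachable else "blocked"
        print(f"{target}:{port} ({label}): {state}")
    if still_exposed(results):
        print("Action needed: ask the system manager to close", still_exposed(results))
```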

Антон Умников
Source: a Cache' seminar in the Czech Republic
