This message is being posted to: BUGTRAQat_private Netw4lat_private Novellat_private

Problem:
-------------
While granting users permission to use the BorderManager proxy service, I noticed that the BorderManager snapin will grant user access through the proxy system with a blank password, just by viewing the 'Proxy Authentication' tab and without attempting to assign a password - even if you cancel, you still grant full permission to use the proxy system. Only those who run nwadmin with the BorderManager snapin will be able to see the additional 3 BM tabs, including the above.

Discovery:
----------------
Under normal admin circumstances, you would load nwadmin with the BorderManager snapin (only the Win95 version will handle the snapin at this time?), find the user object and go into details. Click on the 'Proxy Authentication' tab and assign a password. This is the password that you need to supply, along with the username, when the browser prompts you.

While adding users, I noticed that there wasn't any check box, etc. to activate the account, only the 'Allow user to change password' and 'Force password change every...' check boxes and a change password button. So I decided to just click cancel without making any changes to see what would happen. When I ran the browser (both IE & Netscape) and was prompted for username and password, I typed in the username and no password and out I went :-o

Temporary Fix:
----------------------
If you have 'looked' at the Proxy Authentication tab, then change the password to some sort of garbage to 'deactivate' the proxy account. This really isn't a fix, and you have to remember to do this, or you open up a doorway to the world for those who you thought could not get there. You still have logging (don't you?) to tell you who is accessing through the proxy server. Any user can use another's 'signon', since these signons/objects are not tied together as one in NDS - BM v3.0 I'm told will change this.
Conclusion:
------------------
I have spoken with Novell (Sept 30), who checked/verified this with the developers, and the answer I received was: we are aware of this, and that is the way it was designed (yes, these were their words!). The snapin assumes that you are granting access when you view the Proxy Authentication tab, and if you don't assign a password, then a blank will be assigned for you - Even If You Cancel! The tech I spoke with said the developers weren't sure if this was going to be changed in the BorderManager v3.0 release.

Sorry for taking so long to report this.

Best of Luck!
Robert

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Robert P. MacDonald (rmacdonaldat_private)
Systems, Network & Security Engineer
Perrigo Company, Allegan, Michigan
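The design flaw in the post comes down to one thing: the snapin does not distinguish "no proxy credential set" from "credential set to the empty string", so viewing the tab and cancelling leaves an account that authenticates with a blank password. The following Python model is an added example, not code from Robert's post or from Novell/BorderManager; the class and function names (ProxyAccountStore, open_tab_unsafe, open_tab_safe, blank_password_accounts) are invented for illustration and do not correspond to any NDS attribute or nwadmin API. It shows the reported behaviour next to a hardened version (nothing written on cancel, blank passwords refused, unset credentials fail closed), plus a small audit helper in the spirit of the 'Temporary Fix' that lists accounts left with an empty password.

```python
# Added example (not from the original post or from Novell): a model of the
# "viewed the tab, got a blank password" failure mode and its hardened form.
# All names here are hypothetical and chosen for illustration only.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProxyAccountStore:
    # username -> stored proxy password.  A missing key means "never set";
    # an empty string means "set to blank" (the state the snapin leaves behind).
    passwords: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, user: str, supplied: str) -> bool:
        """As reported: any stored value, including "", is a valid credential."""
        stored = self.passwords.get(user)
        if stored is None:
            return False          # account never touched: no access
        return stored == supplied  # "" == "" succeeds -> the reported hole

    def authenticate_hardened(self, user: str, supplied: str) -> bool:
        """Hardened check: unset OR blank credentials never grant access."""
        stored = self.passwords.get(user)
        if not stored:            # None or "" both fail closed
            return False
        return stored == supplied


def open_tab_unsafe(store: ProxyAccountStore, user: str) -> ProxyAccountStore:
    """Reproduces the snapin behaviour described in the post: merely opening
    the Proxy Authentication tab assigns a blank password, cancel or not."""
    store.passwords.setdefault(user, "")
    return store


def open_tab_safe(store: ProxyAccountStore, user: str,
                  new_password: Optional[str]) -> ProxyAccountStore:
    """Hardened form of the dialog: cancel (new_password is None) writes
    nothing, and an empty password is rejected instead of being stored."""
    if new_password is None:
        return store              # cancel: account stays "never set"
    if new_password == "":
        raise ValueError("blank proxy password refused")
    store.passwords[user] = new_password
    return store


def blank_password_accounts(store: ProxyAccountStore) -> List[str]:
    """Audit helper for the 'Temporary Fix': accounts whose proxy password is
    empty and therefore need to be overwritten with an unguessable value."""
    return sorted(u for u, p in store.passwords.items() if p == "")


if __name__ == "__main__":
    # Constructed walkthrough of the report: admin views the tab and cancels.
    store = ProxyAccountStore()
    open_tab_unsafe(store, "someuser")
    print("blank login accepted (as reported):", store.authenticate("someuser", ""))
    print("blank login accepted (hardened):   ", store.authenticate_hardened("someuser", ""))
    print("accounts needing the garbage-password workaround:",
          blank_password_accounts(store))
```

The hardened `authenticate_hardened` is the check a proxy should make regardless of what the admin tool does: an absent or empty credential is never a match. `blank_password_accounts` is the periodic audit that the post's workaround implies but cannot automate by hand.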