Re: NAI ePolicy Orchestrator

From: morgan.wemanisat_private
Date: Thu Nov 01 2001 - 06:59:35 PST

  • Next message: Windex King: "Re: Using Null Session information from NAT.EXE"

    Hi
    
    I've seen this also, and also wondering about it,
    have you looked at your clients with w3 on port 8081?
    (http://clientmachine:8081)
    
    "ePolicy Orchestrator Agent Log" on this port..
    
    Regards, Morgan
    
    
    -----Ursprungligt meddelande-----
    Från: Blake Frantz [mailto:blakeat_private]
    Skickat: den 30 oktober 2001 22:15
    Till: pen-testat_private
    Ämne: NAI ePolicy Orchestrator
    
    
    
    
    Hello,
    
    I'm looking for a whitepaper on securing NAI ePolicy Orchestrator and
    can't seem to find anything solid.  We are performing an internal audit of
    our machines and found the the ePolicy Orchestrator Servers all listen on
    ports 80,8080,8081 -- Each port redirects back to the same directory
    structure:
    
    EVTFILTR.INI  322     09/20/2001 12:45 AM  
    NAIMSERV.LOG  1094     10/26/2001 06:23 PM  
    SERVER.INI  277     10/10/2001 10:00 PM  
    SITEINFO.INI  268     10/10/2001 10:00 PM  
    
    The contents of two of the files are below:
    
    [SERVER.INI] (I modified the hash, but the length is still the same)
    
    [Server] DataSource=EPOAV Database=ePO_EPOAV UserName=sa
    Password=U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA==
    UseNTAccount=0 HTTPPort=80 AgentHttpPort=8081 ConsoleHTTPPort=8080
    MaxHttpConnection=1000 EventLogFileSizeLimit=2097152 MaxSoftInstall=25 
    
    [/SERVER.INI]
    
    [SITEINFO.INI]
    
    [SiteInfo] Version=1769 DefaultSite=Current Sites=Current [Current]
    MasterSiteServer=xxxx Servers=xxxx [xxxx] ComputerName=xxxx
    DNSName=xxx.xxx.xxx.xxx LastKnownIP=xxx.xxx.xxx.xxx HTTPPort=80
    AgentHttpPort=8081 ConsoleHTTPPort=8080  
    
    [/SITEINFO.INI]
    
    These files appear to contain connection info to a MSSQL instance
    using the sa account -- the password hash is even there.
    
    My questions are:
    
    Is this how a typical installation is *supposed* to look?  I think not,
    but two of our servers yeild the same info.
    
    Is the hash found in server.ini a MSSQL hash or a hash generated by the
    EPO server itself?  
    
    Does anyone have a whitepaper on properly securing these servers?
    
    Thanks in advance,
    
    -blake
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 11:22:38 PST