Announcement

Collapse
No announcement yet.

Credentials exposure - a threat?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Credentials exposure - a threat?

    Hello, people. Brainstorming session ahead.
    I am checking the 2XApplicationServer as a solution for publishing applications to our clients anywhere in the world. The software's client requires credentials to be entered in the Options section (see the attached screenshot).
    I created a user for this matter in the AD and it will be locked down to bare necessities by GPO. The details needed (username, password and domain name) will be available on company's website, so anyone will be able to download the 2X client and log in with these credentials.
    On connection, the user gets an application window, not a desktop. The same scenario is achieved at the moment with Citrix (except the credentials, of course), but I need a change.
    Question: what are the possible threats on this move? Is making my AD world-wide known an adventure?

    TIA.
    Last edited by sorinso; 9th November 2007, 21:09.

    Sorin Solomon

    »»»»»
    In order to succeed, your desire for success should be greater than your fear of failure.
    -
    «««««

  • #2
    Re: Credentials exposure - a threat?

    I think you need to encrypt your authentication for sure, or you will be running into a security risk.

    Best regards,
    Mostafa
    Best regards,
    Mostafa Itani

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Credentials exposure - a threat?

      Thanks, Mostafa, for your response.
      Just to make the issue more clear: the application is a database of written articles, no sensitive info in there (that need to be protected by encryption). But I need to protect it for IP (like in Intelectual Property ) reasons. Also, the user authenticate by IP (like in Internet Protocol ):
      - those that are from inside the company and those connecting by RAS have internal IPs;
      - those who are coming from somewhere else authenticate to the proxy server.

      Sorin Solomon

      »»»»»
      In order to succeed, your desire for success should be greater than your fear of failure.
      -
      «««««

      Comment


      • #4
        Re: Credentials exposure - a threat?

        I am not familiar with 2XApplicationServer, but port 81 is not the AD port. Most likely there is a service that handles requests and then passes them along (internally) to AD. Locking down that username and password via GPO will also have zero impact on security. You have to restrict the use of that username and password via AD to the server only. (I still have to think of how that is done)

        I have no idea how much this program costs but the same can be achieved by creating a web app (ground up), but you are looking at heavy weight development. Also the sharing of user id's and password in any scenario is frowned upon, but you knew that.
        Just my two cents........
        "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

        Comment


        • #5
          Re: Credentials exposure - a threat?

          Originally posted by Lior_S View Post
          I am not familiar with 2XApplicationServer, but port 81 is not the AD port.
          The 2X ApplicationServer works with a client installed on the user's station. This client works on port 81.
          Originally posted by Lior_S View Post
          Locking down that username and password via GPO will also have zero impact on security. You have to restrict the use of that username and password via AD to the server only. (I still have to think of how that is done)
          I might be able to achieve this by closing the user's environment so tight, that even if he manages to get to the Desktop, it will be useless.
          Originally posted by Lior_S View Post
          I have no idea how much this program costs
          Believe me, it's very cheap. First, you get it for free for up to 5 applications. Second, you get it for an unlimited number of concurrent connections for $995. Full list of options is here. I'm not trying to sell it to you
          Originally posted by Lior_S View Post
          sharing of user id's and password in any scenario is frowned upon, but you knew that.
          Yeah, I know. But it's more of a bad feeling, and less based on facts.
          Originally posted by Lior_S View Post
          Just my two cents........
          Your opinion is more than welcomed, Lior, otherwise I wouldn't ask...

          Sorin Solomon

          »»»»»
          In order to succeed, your desire for success should be greater than your fear of failure.
          -
          «««««

          Comment


          • #6
            Re: Credentials exposure - a threat?

            I just did a quick browse through on there site, looks interesting, but only for very specific applications. It appears to be totally based on Terminal Server and TS is considered fairly secure in it self, so you may be alright.
            You may also be interested in this and this though I must say I have not tried either. Proceed at your own risk.
            "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

            Comment


            • #7
              Re: Credentials exposure - a threat?

              Originally posted by Lior_S View Post
              I just did a quick browse through on there site, looks interesting, but only for very specific applications. It appears to be totally based on Terminal Server and TS is considered fairly secure in it self, so you may be alright.
              You may also be interested in this and this though I must say I have not tried either. Proceed at your own risk.
              10nx, again, for your prompt response.
              Looked at the articles you pointed. I was going to check the "Deny logon locally" setting, although I am afraid it will block the TS access too.
              At the moment, I am building a test site on an HP DL360G5 server I borrowed from one of my suppliers. I want to make the applications work first, and then I will start closing this user's profile and starting building performance benchmarks.
              I'm considering publishing my findings in the forum. Do you think people will be interested?

              Sorin Solomon

              »»»»»
              In order to succeed, your desire for success should be greater than your fear of failure.
              -
              «««««

              Comment


              • #8
                Re: Credentials exposure - a threat?

                Originally posted by sorinso View Post
                I was going to check the "Deny logon locally" setting, although I am afraid it will block the TS access too
                Exactly, I am not sure how much this program relies on TS

                I'm considering publishing my findings in the forum. Do you think people will be interested?
                Again depending upon the reliance on TS, I suspect that the performance will be very close to TS, though i would be interested if it where greater then TS.


                Side question, what are the TS licensing requirements for this program?
                "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

                Comment


                • #9
                  Re: Credentials exposure - a threat?

                  As far as I understood (remember I am testing the product at the moment), it relies fully on the TS. It's only an envelope ( or a expansion) that allows application sharing (something TS does not have natively).
                  Regarding TS licenses, it's pretty transparent. You can only connect to it for as much TS licenses you have.

                  Sorin Solomon

                  »»»»»
                  In order to succeed, your desire for success should be greater than your fear of failure.
                  -
                  «««««

                  Comment


                  • #10
                    Re: Credentials exposure - a threat?

                    To get a real security solution you will need:

                    1. Citrix
                    2. Using Citrix web access and SSL VPN solution.
                    3. Two/Three factor authentication.
                    4. GPO that block all users beside special group of users logon into
                    the TS. This can also be done by using Radius server.

                    Otherwise, you will need to open the network to the world, so anyone
                    can try to logon into the domain...
                    Best Regards,

                    Yuval Sinay

                    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

                    Comment


                    • #11
                      Re: Credentials exposure - a threat?

                      Thanks for the response, Yuval.
                      I am using Citrix at the moment. All the 2X issue is to find a replacement for it (it's much too expensive for us).
                      The issue is not the security itself. As I said, there is no sensitive data or user's identity to protect. The only thing I have to check is the Intellectual Property issue.
                      anyone can try to logon into the domain
                      That's exactly the question: what's wrong with that? The user will be castrated to minimum necessary. Is this still a problem?
                      I am using AD at the moment. I cannot use a local user on the server, because there will be more than one server and probably some kind of access to share networked data (with Read Only permissions for this user). Will it be relevant for me to create a child domain to the existing one for this purpose? So the credentials I'll expose world-wide will be of the child-domain?

                      Sorin Solomon

                      »»»»»
                      In order to succeed, your desire for success should be greater than your fear of failure.
                      -
                      «««««

                      Comment


                      • #12
                        Re: Credentials exposure - a threat?

                        Hello,

                        Sorry I have been on vacation for the last coulpe of weeks.
                        I think if you host a "moodle server" this is an application in which you can integrate it with your active directory, and it is open source.

                        This application is an E-Learning application giving you the ability to create seperate shells where you can share your files with the property you are talking about.

                        Best regards,
                        Mostafa
                        Best regards,
                        Mostafa Itani

                        ** Remember to give credit where credit is due and leave reputation points where appropriate **

                        Comment

                        Working...
                        X