17GSupport  
#1 Posted : Sunday, October 29, 2017 4:52:09 PM(UTC)
Hi All

I was alarmed to notice recently that web.config has a couple of plain text passwords in it. Examples below:

<add directoryServerOverride="server.domain.co.uk" serviceUserNameOverride="domain\user" servicePasswordOverride="PASSWORD" name="WindowsMembershipProvider" type="ScreenConnect.WindowsMembershipProvider" />

<add server="server.domain.co.uk:636" useSsl="True" serviceUser="CN=user,CN=Users,DC=domain,DC=co,DC=uk" servicePassword="PASSWORD" userRootDN="DC=domain,DC=co,DC=uk" userNameAttribute="sAMAccountName" roleRootDN="DC=domain,DC=co,DC=uk" roleNameAttribute="cn" roleUserDNAttribute="member" userDisplayNameAttribute="name" userRoleNameAttribute="" userEmailAttribute="mail" userPasswordQuestionAttribute="screenConnect" userCommentAttribute="description" userAdditionalFilter="" roleAdditionalFilter="" name="LdapMembershipProvider" type="ScreenConnect.LdapMembershipProvider" enabled="true" />

I spoke with support who said that it was "intended functionality" which made me laugh and that they had received feedback from other customers so I guess they are aware. Now I am reaching out to the community.

1. Can I get completely rid of the "directoryServerOverride" entry? I tried this before and the screenconnect site broke.
2. Is there anything I can do to hide the password of the ldap lookup user or at least minimise this exposure?

Many Thanks!
StrangeWill  
#2 Posted : Tuesday, October 31, 2017 8:24:03 PM(UTC)
You can look into encrypted web configs https://msdn.microsoft.c...p;MSPPError=-2147217396, but I have no clue if this will work on the Windows install and I'm 99% sure it won't on the Linux install.

Anything else would have to be some weird middleware or officially supported by the team.



The thing is that most encryption methods would be mostly pointless to anyone that knows what they're doing (encrypt with a key stored where the application can access and therefore whoever is tampering with your app can too, so they can just access the key and decrypt the data).


If you can lock the user out of accessing the key, you can generally just lock the user out from accessing that part of the filesystem entirely.
17GSupport  
#3 Posted : Wednesday, November 1, 2017 12:12:52 PM(UTC)
Thanks - any ideas on "1. Can I get completely rid of the "directoryServerOverride" entry? I tried this before and the screenconnect site broke."?
17GSupport  
#4 Posted : Thursday, November 9, 2017 10:13:16 AM(UTC)
I deleted the credentials via the GUI "Windows Active Directory (disabled)"

Sorted
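An added audit check, not code from this thread or from ScreenConnect: it parses a web.config modelled on the two provider entries quoted in the first post (a constructed sample with placeholder hostnames and credentials) and reports every non-empty cleartext secret attribute, skipping sections already encrypted with ASP.NET protected configuration (the configProtectionProvider / EncryptedData layout aspnet_regiis leaves behind, which is what the encrypted-web-config suggestion above produces) and attributes that have been cleared to an empty value, as clearing the credentials in the GUI does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the provider entries quoted in the thread
# (placeholder values); connectionStrings shows how aspnet_regiis leaves a section.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership>
      <providers>
        <add directoryServerOverride="server.domain.co.uk"
             serviceUserNameOverride="domain\\user" servicePasswordOverride="PASSWORD"
             name="WindowsMembershipProvider" type="ScreenConnect.WindowsMembershipProvider" />
        <add server="server.domain.co.uk:636" useSsl="True"
             serviceUser="CN=user,CN=Users,DC=domain,DC=co,DC=uk" servicePassword="PASSWORD"
             userPasswordQuestionAttribute="screenConnect"
             name="LdapMembershipProvider" type="ScreenConnect.LdapMembershipProvider" />
        <add servicePasswordOverride="" name="ClearedProvider"
             type="ScreenConnect.WindowsMembershipProvider" />
      </providers>
    </membership>
  </system.web>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>ciphertext-placeholder</EncryptedData>
  </connectionStrings>
</configuration>
"""

SECRET_ATTR = re.compile(r"password|passwd|secret", re.IGNORECASE)

def find_cleartext_secrets(xml_text):
    """Return (tag, attribute, provider name) for every non-empty secret-looking
    attribute outside an encrypted (protected) section."""
    findings = []
    def walk(elem, protected):
        # A section encrypted by aspnet_regiis carries configProtectionProvider
        # and an <EncryptedData> body, so nothing beneath it is cleartext.
        protected = protected or "configProtectionProvider" in elem.attrib
        if not protected:
            for attr, value in elem.attrib.items():
                if attr.lower().endswith("attribute"):  # names an LDAP attribute, not a secret
                    continue
                if SECRET_ATTR.search(attr) and value.strip():
                    findings.append((elem.tag, attr, elem.get("name", "")))
        for child in elem:
            walk(child, protected)
    walk(ET.fromstring(xml_text), False)
    return findings
```

Run it against a real web.config by passing the file contents to find_cleartext_secrets; an empty result means no cleartext credential attributes remain outside protected sections.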