Securing a Remote Loader install on Microsoft Windows 2000.

  • 3243550
  • 03-Oct-2007
  • 10-Jun-2013

Environment


Novell Identity Manager 3.0
Novell Identity Manager 3.5
Novell Identity Manager - Remote Loader
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000
Microsoft Windows 2000 Server

Situation

The default installation directory for the Identity Manager (IDM) Remote Loader (RL) is \novell\remoteloader, and it inherits filesystem permissions from the root of the drive chosen for the installation.  By default, Microsoft Windows 2000 gives Full Control to Everyone at the root of all drives.  As a result, anybody can write to the directory where the Remote Loader is installed.  If a Remote Loader is set to run as SYSTEM or as a computer administrator, this leaves the possibility for a malicious user to insert their own code into that directory and take over the computer.

Resolution

The Security: Best Practices section of the IDM Administration Guide discusses keeping the systems running the various IDM components secure.  As part of this, be sure to lock down the directory structure housing these IDM components, allowing access only to those users who need it.  This may include some unprivileged users, but in a default installation it includes just the system administrator and possibly the SYSTEM account.  When setting these rights, be sure to overwrite the ACLs from the root of the IDM installation through all of the subcontainers.  Do not inherit rights from the parent directory, since that inheritance is what leads to this vulnerable condition.
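The following batch script is an added example, not part of the TID or of Novell's own documentation; it applies the lock-down above on Windows 2000 with the built-in cacls.exe and then checks the result.  It assumes the default install path C:\novell\remoteloader and a Remote Loader running as SYSTEM.

```batch
@echo off
REM Added example (not from the TID): restrict the Remote Loader directory
REM to Administrators and SYSTEM using the Windows 2000 cacls.exe tool.
REM Assumed default install path; change RL_DIR if installed elsewhere.
set RL_DIR=C:\novell\remoteloader

REM 1. Show the current ACL. On a default Windows 2000 drive this lists an
REM    "Everyone:(OI)(CI)F" entry inherited from the drive root.
echo Current ACL on %RL_DIR%:
cacls "%RL_DIR%"

REM 2. Replace (no /E, so the existing ACL is overwritten rather than
REM    edited) the ACL on the directory, every subdirectory and every
REM    file (/T), continuing past access-denied errors (/C). Only the
REM    local Administrators group and SYSTEM receive Full Control.
REM    cacls prompts for confirmation; the piped "y" answers it.
echo y| cacls "%RL_DIR%" /T /C /G Administrators:F SYSTEM:F

REM 3. Verify: the new ACL should list only the two entries granted
REM    above. If an inherited Everyone entry is still shown, clear
REM    "Allow inheritable permissions from parent to propagate" on the
REM    folder's Security tab in Explorer and re-run step 2.
cacls "%RL_DIR%" | find /I "Everyone" >nul
if %ERRORLEVEL%==0 (
    echo WARNING: Everyone still has access to %RL_DIR%
) else (
    echo OK: only Administrators and SYSTEM are listed on %RL_DIR%
)
```

If the Remote Loader service runs under a dedicated account instead of SYSTEM, add that account to the /G list with Read (R), or Change (C) if it must write its trace file into this directory.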

Windows 2003 and later do not apply the same default rights assignment to the entire drive as Windows 2000, which prevents an unprivileged user from writing to the directory holding the IDM files.


Please refer to the security guide at https://www.novell.com/documentation/idm35/admin/index.html?page=/documentation/idm35/admin/data/front.html

Status

Security Alert