Securing a Remote Loader install on microsoft windows 2000.

The default installation directory for the Identity Manager (IDM) Remote Loader (RL) is \novell\remoteloader and inherits filesystem permissions from the root of the drive chosen for the installation.  By default microsoft windows 2000 gives Full Control rights to Everyone at the root of all drives.  As a result anybody can write to the driectory where the Remote Loader is installed.  If a Remote Loader is set to run as the SYSTEM or some computer administrator that leaves the possibility for a malicious user to insert their own code which can take over the computer.

The Security: Best Practices section of the IDM Administration Guide discusses keeping the system running various IDM components secure.  As part of this be sure to lockdown the directory structure housing these IDM components allowing access only to those users who need it.  This may include some unprivileged users but in a default installation includes just the system administrator and possibly the SYSTEM account.  When setting these rights be sure to overwrite the ACLs from the root of the IDM installation through all of the subcontainers.  Also inheriting rights from the parent directory should not be done since that is what leads to this vulnerable condition.

Windows 2003 and later do not have the same default rights assignments for the entire drive as windows 2000 which prevents an unprivileged user from writing to the directory with IDM files.

 

Please refer to the security guide at https://www.novell.com/documentation/idm35/admin/index.html?page=/documentation/idm35/admin/data/front.html

+ Novell Identity Manager Compliance Management Resource Kit & Analyzer

+ Novell Identity Manager Implementing Password Management