Security Holes/Issues

efyorovich

Member
We are currently on B7332 with SP 13.1 running on an AS400 enterprise
server, using SQL 7.0 database.
I was wondering if anyone had any idea as what possible security issues
there may be and what was/could be done to address them. Any feedback would
be appreciated.

Eric Fyorovich
CNC System Administrator
ABM Industries Inc.
[email protected]
 
Eric,
Although I amn't a CNC Administrator or a security specialist, I know some security whole. Here are my coins for you:

1.) Disable Fast Path in the user profiles.
2.) Secure P0085 application which pops up when you want to create a new tab in OneWorld Explorer.
2.) Secure P98305 Batch Versions application e.g. preventing access to RDA starting from the Tools menu of OW Explorer.
3.) Secure P91200 application. This APPL pops up when you access RDA in the mentioned mode and choose Report/New in RDA.

Unfortunately I do not know how can you completly secure the acces to RDA from OW Explorer and/or the Report/Open in RDA when somebody started it from the Explorer.

Zoltán

B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
 
Eric :

OneWorld is a Swiss Gruyère cheese, plenty of security holes.
OneWorld itself doesn't provide any security at all, it's up to you
to make it a secure product.
AS/400 is very secure if you administer it properly, but...
Your biggest problems come from SQL7 and NT, I suggest you to suscribe
to Microsoft electronic papers on security for these two products.
I don't want do disappoint you but frankly speaking : MS is very weak
on security ...
Have you ever thought why does MSSQL7 cost 1500 u$s and Oracle or
Informix cost more than 50000 u$s?

Sebastian
 
Re: RE: Security Holes/Issues

Sebastian,
While I agree that One World does not come with any security set up, it does come with tools to lock down access to menus, the options on the menus, as well as field and table security. It may take some work but I think the tools are there.
I do agree that sql and nt provide good opportunities for security breaches.
dave


NT 4.0 SP5, SQL 7.0, One World B7321 SP12.4, Citrix 1.8 (XE soon)
 
RE: RE: Security Holes/Issues

Dave :

Yes... you're right.
What I meant was that JDE doesn't provide external security (for O.S., DBMS,
WAN links,
terminals, etc.) but does provide a very comprehensive internal security
structure for
its menus, tables, rows, P.O., UBEs once the user logs in to OneWorld.

Sebastian

-----Mensaje original-----
De: got_to_love_jde [mailto:[email protected]]
Enviado el: Miércoles, 17 de Enero de 2001 09:15 a.m.
Para: [email protected]
Asunto: Re: RE: Security Holes/Issues ~~4071:4122


Sebastian,
While I agree that One World does not come with any security set up, it
does come with tools to lock down access to menus, the options on the menus,
as well as field and table security. It may take some work but I think the
tools are there.
I do agree that sql and nt provide good opportunities for security
breaches.
dave


NT 4.0 SP5, SQL 7.0, One World B7321 SP12.4, Citrix 1.8 (XE soon)
--------------------------
Visit the forum to view this thread at:
http://198.144.193.139/cgi-bin/wwwthreads/showflat.pl?Cat=&Board=OW&Number=4
122
*************************************************************
This is the JDEList One World / XE Mailing List.
Archives and information on how to SUBSCRIBE, and
UNSUBSCRIBE can be found at http://www.JDELIST.com
*************************************************************
 
Eric,

Besides data and application access, also see that you secure the TCP/IP services access to your machines.

Doug
[email protected]

Xe SP13.1, AS400 V4R3, CO-Oracle806, Co-A73c10, Citrix, NT JAS
 
External Call Security for RDA?



--- Zoltan_Gyimesi <[email protected]> wrote:
> Eric,
> Although I amn't a CNC Administrator or a security
> specialist, I know some security whole. Here are my
> coins for you:
>
> 1.) Disable Fast Path in the user profiles.
> 2.) Secure P0085 application which pops up when you
> want to create a new tab in OneWorld Explorer.
> 2.) Secure P98305 Batch Versions application e.g.
> preventing access to RDA starting from the Tools
> menu of OW Explorer.
> 3.) Secure P91200 application. This APPL pops up
> when you access RDA in the mentioned mode and choose
> Report/New in RDA.
>
> Unfortunately I do not know how can you completly
> secure the acces to RDA from OW Explorer and/or the
> Report/Open in RDA when somebody started it from the
> Explorer.
>
> Zoltán
>
> B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
> (working with B7321, B7331, XE too)
> --------------------------
> Visit the forum to view this thread at:
>
http://198.144.193.139/cgi-bin/wwwthreads/showflat.pl?Cat=&Board=OW&Number=4095
>
>
*************************************************************
> This is the JDEList One World / XE Mailing List.
> Archives and information on how to SUBSCRIBE, and
> UNSUBSCRIBE can be found at http://www.JDELIST.com
>
*************************************************************
>


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices.
http://auctions.yahoo.com/
 
Yes, you can call RDA ones from the menu of OW Explorer twice you can start it like .EXE from b7\system folder like the other tools with .EXE behind them e.g. UTB (Universal Table Browser).
Further RDA tool has an "Open" menu selection in it "Report" menu and an other "Save" of course.
Zoltán

B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
 
RDA gets my vote for the biggest security and data integrity hole. Since some shops use RDA as a user "report writer" tool, they have opened the door to allow nearly any table to be written to. We were very concerned about the data integrity issues involved in letting users write their own batch programs, so we didn't given them RDA but developed a Crystal Reports based solution instead.

My 2 cents,

Larry Jones
[email protected]
OneWorld B733.1, SP 11.3
HPUX 11, Oracle SE 8.1.6
 
Larry, you are right.
Some additions:
1.) RDA is not ONLY a Report Writer tool but a Batch Application Designer tool too that means, you can not only read data but you CAN change any accessible data too (Update/Insert/Delete)!!!!!

2.) UTB (Universal Table Browser) is a second security whole when you do not want the data in the database to be public for everybody who can run UTB.

Does anybody know how affects OneWorld Row/Column security the work of UTB?
Zoltán

B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
 
Hi Zoltan,
UTB pays attention to row security (at least in b7321).
dave


NT 4.0 SP5, SQL 7.0, One World B7321 SP12.4, Citrix 1.8 (XE soon)
 
One note on the UTB. I was informed earlier that the UTB does conform to
the JDE security. Therefore, if you have the required row security setup,
UTB should not be an issue. Did this change in the Xe/B733.3 version?

John

B733.2 SP14.1/NT/SQL 7 SP3
 
Hi Zoltan...
About your question on how UTB is affected by row/column security, I can
tell you that if for example you secure the Address Number (AN8) for a user
o group a range of data, lets say - 1 to 4000 - when the user works with
UTB, he will not see the registries containing the range of data you
secured...

Just my little contribution. :)


OW 73.3.2 SP 10.1 / NT 4.0 / SQL 7.0

Greetings.
SI. Ricardo Paz Castañón
Systems Chief
Comercial de Herramientas S.a de C.v.
+52(8)369-35-35
[email protected]
www.cohesa.com


-----Mensaje original-----
De: Zoltan_Gyimesi [mailto:[email protected]]
Enviado el: Martes, 23 de Enero de 2001 01:17 p.m.
Para: [email protected]
Asunto: Re: Security Holes/Issues ~~4071:4468


Larry, you are right.
Some additions:
1.) RDA is not ONLY a Report Writer tool but a Batch Application Designer
tool too that means, you can not only read data but you CAN change any
accessible data too (Update/Insert/Delete)!!!!!

2.) UTB (Universal Table Browser) is a second security whole when you do not
want the data in the database to be public for everybody who can run UTB.

Does anybody know how affects OneWorld Row/Column security the work of UTB?
Zoltán

B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
--------------------------
Visit the forum to view this thread at:
http://198.144.193.139/cgi-bin/wwwthreads/showflat.pl?Cat=&Board=OW&Number=4
468
*************************************************************
This is the JDEList One World / XE Mailing List.
Archives and information on how to SUBSCRIBE, and
UNSUBSCRIBE can be found at http://www.JDELIST.com
*************************************************************



Lic. Ricardo Paz Castanon
Jefe Sistemas COHESA
 
These may have already been listed.

- If you can create a UBE you can gain access to your master password in
Unix or NT. Have not tried in AS400 yet.

- FastPath on terminal server gives the user access to a desktop on terminal
server.


David Helsley
(317)879-4483 [email protected] (client)
(859)466-6746 [email protected] (me)

These views are my own and are not necessarily held or supported by
my employer.

>
 
Re: RE: Security Holes/Issues

Hi John,
I suppose it did not change but I can not try it because I haven't currently access to any roe secured XE installation.
Zoltán

B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
 
I would have to say that being able to run any OW Program, INI or PC Program
from the Fast Path is much more of a problem. You do not have to specify
these in 00/FP for this undocumented feature to work. The only way to
prevent this, other than turning off fast path, is to make an entry in 00/FP
and point it to a menu that says "don't do this". Otherwise, you have no
control over what version is used in running the program.

Bill Williams

>
 
Back
Top