Jonas,

You will find that arcache cannot be run from anything but the server that you are trying to set the value on. It still does connect through the API which is a TCP connection, but the server will only allow the work to be done by someone coming from the same machine.

So, we believe it is as secure as it is possible to make it without making it impossible for you to get into the system in case of accident.

1) You can configure the system to not allow the program to connect to the server so the server will not accept any commands from these API calls (so even if you try and write a custom program that issues the same API calls, it is blocked).

2) You cannot run arcache from any machine other than the machine running the server you are trying to update and have it work.

3) You can update the config setting as an Admin to control the use of this utility and you could manually update the config file and restart the server to change the setting but this requires that you have appropriate, likely Admin, access to the physical machine to be able to change those settings.

We could protect #3 as well, but if we did that, then there would be no way to get into the system if you had no Admin user and there would be no workaround/alternative.

We figure having to have serious levels of access to the physical machine and then the knowledge of the config file and changing it and restarting the server to allow running the utility to give access sufficient protection.

Now, if you wanted to be more secure, you could delete the arcache program from the system so the user would then have to bring his own copy of arcache with him and be able to save it to the machine to be able to run it to add an extra level of security.....

I hope this helps,

Doug Mueller

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Jonas Stumph Stevnsvig
Sent: Tuesday, November 15, 2011 2:32 PM
To: arslist@ARSLIST.ORG
Subject: Re: Demo <sigh>

Agreed, but I assume that is only completely safe provided that the arcache executable connects through a socket and not through tcp connections... I see I'll have to RTM about it.

Thanks for the prompt answer on my query.
/Jonas Stevnsvig

On 15-11-2011 23:24, Pierson, Shawn wrote:

Since someone would have to be on the server to execute that command, it should be relatively safe providing that your server itself is secure.

Thanks,

Shawn Pierson
Remedy Developer | Southern Union

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Jonas Stumph Stevnsvig
Sent: Tuesday, November 15, 2011 3:57 PM
To: arslist@ARSLIST.ORG
Subject: Re: Demo <sigh>

Now I'm curious - how can you harden the server to prevent this workaround?

On 15-11-2011 22:47, Kemes, Lisa wrote:

Thanks so much!! I used this and it worked! <whew!>

Lisa

________________________________

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Nathan Aker
Sent: Tuesday, November 15, 2011 4:38 PM
To: arslist@ARSLIST.ORG
Subject: Re: Demo <sigh>

Haven't tried this procedure in a while, but it should create a new Admin account. The last parameter sets it up as an Admin.

Nate.

Go to a command line, and CD to the install directory.

Look for a binary called arcache

When you get to it, type the following:

arcache -Ua -eTEMP999 -lw 1 -n "TEMPADMIN" -p"" -s <servername> -g "1;"

Then, log into the server with a login of TEMPADMIN, no password

Nathan Aker
ITSM Solution Architect
McAfee, Inc.

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Kemes, Lisa
Sent: Tuesday, November 15, 2011 2:43 PM
To: arslist@ARSLIST.ORG
Subject: Demo <sigh>

I hope others have done the same thing.

Installed AR System Application Software 7.6.04 SP2 on Windows 2008 server (we are using Oracle 11gR2).

After install, I logged on using Demo, then went to the User Form and added my account and then changed the Demo Account from Fixed to Read (so I could add 2 other users).

Logged out and logged in as myself and DOH! I didn't add administrator permissions on my account so I don't have admin privileges.

Logged out and then back in as Demo and I guess when I changed the license from fixed to Read it took out the Admin Privilege?

I have some info from the ARSlist archives to use arcache to add a fixed license back to demo, but will it give it the admin priv's back?

Lisa Kemes
AR System Developer
TEIS - USA
+1 717 810 2408 tel
+1 717 602 9460 mobile
lisa.ke...@te.com
100 Amp Drive
Harrisburg, PA 17112
www.te.com

_attend WWRUG12 www.wwrug.com ARSlist: "Where the Answers Are"_
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"