Jonas,

You will find that arcache cannot be run from anything but the server that you are trying to set the value on.  It still does connect through the API which is a TCP connection, but the server will only allow the work to be done by someone coming from the same machine.

So, we believe it is as secure as it is possible to make it without making it impossible for you to get into the system in case of accident.


1) You can configure the system to not allow the program to connect to the server so the server will not accept any commands from these API calls (so even if you try and write a custom program that issues the same API calls, it is blocked).

2) You cannot run arcache from any machine other than the machine running the server you are trying to update and have it work.

3) You can update the config setting as an Admin to control the use of this utility and you could manually update the config file and restart the server to change the setting but this requires that you have appropriate, likely Admin, access to the physical machine to be able to change those settings.

We could protect #3 as well, but if we did that, then there would be no way to get into the system if you had no Admin user and there would be no workaround/alternative.  We figure having to have serious levels of access to the physical machine and then the knowledge of the config file and changing it and restarting the server to allow running the utility to give access sufficient protection.

Now, if you wanted to be more secure, you could delete the arcache program from the system so the user would then have to bring his own copy of arcache with him and be able to save it to the machine to be able to run it to add an extra level of security.....

I hope this helps,

Doug Mueller

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jonas Stumph Stevnsvig
Sent: Tuesday, November 15, 2011 2:32 PM
To: arslist@ARSLIST.ORG
Subject: Re: Demo <sigh>

Agreed, but I assume that is only completely safe provided that the arcache 
executable connects through a socket and not through tcp connections... I see 
I'll have to RTM about it.

thanks for the prompt answer on my query.

/Jonas Stevnsvig

On 15-11-2011 23:24, Pierson, Shawn wrote:
Since someone would have to be on the server to execute that command, 
it should be relatively safe providing that your server itself is secure.

Thanks,

Shawn Pierson
Remedy Developer | Southern Union

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jonas Stumph Stevnsvig
Sent: Tuesday, November 15, 2011 3:57 PM
To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG>
Subject: Re: Demo <sigh>

Now I'm curious - how can you harden the server to prevent this workaround?

On 15-11-2011 22:47, Kemes, Lisa wrote:
Thanks so much!!  I used this and it worked!  <whew!>

Lisa


________________________________
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Nathan Aker
Sent: Tuesday, November 15, 2011 4:38 PM
To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG>
Subject: Re: Demo <sigh>
Haven't tried this procedure in a while, but it should create a new Admin 
account.  The last parameter sets it up as an Admin.  Nate.



Go to a command line, and CD to the install directory.  Look for a binary 
called arcache

When you get to it, type the following:

arcache -Ua -eTEMP999 -lw 1 -n "TEMPADMIN" -p"" -s <servername> -g "1;"


Then, log into the server with a login of TEMPADMIN, no password

Nathan Aker
ITSM Solution Architect
McAfee, Inc.




From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Kemes, Lisa
Sent: Tuesday, November 15, 2011 2:43 PM
To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG>
Subject: Demo <sigh>

I hope others have done the same thing.

Installed AR System Application Software 7.6.04 SP2 on Windows 2008 server (we 
are using Oracle 11gR2).

After install, I logged on using Demo, then went to the User Form and added my 
account and then changed the Demo Account from Fixed to Read (so I could add 2 
other users).

Logged out and logged in as myself and DOH! I didn't add administrator 
permissions on my account so I don't have admin privileges.

Logged out and then back in as Demo and I guess when I changed the license from 
fixed to Read it took out the Admin Privilege?

I have some info from the ARSlist archives to use arcache to add a fixed 
license back to demo, but will it give it the admin priv's back?


Lisa Kemes
AR System Developer
TEIS - USA
+1 717 810 2408 tel
+1 717 602 9460 mobile
lisa.ke...@te.com<mailto:lisa.ke...@te.com>
100 Amp Drive
Harrisburg, PA 17112

www.te.com<http://www.te.com/>

_attend WWRUG12 www.wwrug.com<http://www.wwrug.com> ARSlist: "Where the Answers 
Are"_