Mid Tier administration password
Steve: It is difficult to compare a decade-old open-source enterprise-wide solution (ie Atrium/OpenSSO), that is not well integrated with AR System, with a modern solution built for AR System that sits neatly in Mid Tier and is well supported/respected by BMC customers/partners. :)

Matt's found a very nice video and it only goes to highlight the importance of protecting against brute-force attacks, such as automatically locking accounts in AR System after a number of failed login attempts. And of course, changing the default AR#Admin# database password.

Joe: An alternative mechanism of integrating Mid Tier and AR System would be to use SSL client certificates. This is how the HP Service Manager web application is integrated with the SM server side application (ie ARS in this world). The down side of this approach is the complexity: SSL client certs are far more complicated to configure than simply entering a password.

John

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Where the Answers Are, and have been for 20 years
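The lockout John recommends above, as an added example that is not code from the thread, from BMC or from JSS: a small policy engine that counts failed logins per account inside a sliding window, locks the account once a threshold is reached, and rejects further attempts until the lock expires. The log format, the user names, the threshold (5 failures in 15 minutes) and the 30-minute lock duration are all assumptions constructed for the demonstration; AR System's own lockout settings are configured in the server, not reimplemented like this.

```python
"""Account lockout after repeated failed logins, replayed over constructed log lines.

Added example (not from the ARSList thread, BMC or JSS). Event format, user
names, thresholds and lock duration are assumptions chosen for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5                  # assumed policy: lock after 5 failures
WINDOW = timedelta(minutes=15)    # assumed sliding window for counting failures
LOCKOUT = timedelta(minutes=30)   # assumed lock duration


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self.accounts.get(user)
        return bool(state and state.locked_until and now < state.locked_until)

    def record(self, user: str, success: bool, now: datetime) -> str:
        """Apply one login attempt and return 'rejected', 'ok', 'failed' or 'locked'."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            # Any attempt during the lock is refused, even with the right password
            return "rejected"
        if success:
            state.failures.clear()
            return "ok"
        # Keep only failures that still fall inside the sliding window
        state.failures = [t for t in state.failures if now - t <= self.window]
        state.failures.append(now)
        if len(state.failures) >= self.max_failures:
            state.locked_until = now + self.lockout
            state.failures.clear()
            return "locked"
        return "failed"


# Constructed sample log: a burst of failures against Demo, one honest typo by
# jmiller, and Demo logging in correctly after the lock has expired.
SAMPLE_LOG = """\
2013-03-13T09:16:01 user=Demo result=FAIL src=192.0.2.10
2013-03-13T09:16:02 user=Demo result=FAIL src=192.0.2.10
2013-03-13T09:16:03 user=Demo result=FAIL src=192.0.2.10
2013-03-13T09:16:04 user=Demo result=FAIL src=192.0.2.10
2013-03-13T09:16:05 user=Demo result=FAIL src=192.0.2.10
2013-03-13T09:16:06 user=Demo result=OK src=192.0.2.10
2013-03-13T09:20:00 user=jmiller result=FAIL src=198.51.100.7
2013-03-13T09:20:30 user=jmiller result=OK src=198.51.100.7
2013-03-13T09:50:00 user=Demo result=OK src=10.0.0.8
"""


def parse_line(line: str) -> Tuple[datetime, str, bool]:
    """Parse 'TIMESTAMP key=value ...' into (timestamp, user, success)."""
    ts, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["result"] == "OK"


def replay(log_text: str, policy: Optional[LockoutPolicy] = None) -> List[Tuple[str, str]]:
    """Feed every log line through the policy; returns (user, outcome) per line."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ok = parse_line(line)
        outcomes.append((user, policy.record(user, ok, ts)))
    return outcomes


if __name__ == "__main__":
    for user, outcome in replay(SAMPLE_LOG):
        print(f"{user:8s} {outcome}")
```

The point worth noticing is the sixth Demo line: the password is correct, but the attempt is still rejected because it arrives inside the lock, which is what stops an attacker who guesses right on the attempt after the threshold. The lock expires on its own, so the 09:50 login succeeds without an administrator unlocking the account.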
Re: Mid Tier administration password
At least YOU get to change your db password. I have to have a DBA come to my desk every xx days to change the password to some super-secret thing that I do not get to know. Just in case I would try to do something to my own system, ya know.

On Wednesday, March 13, 2013 9:16 AM, Jason Miller wrote:
> Great, now we have to change our production db password. Thanks for publishing it!
Mid Tier administration password
Sorry Jason, but it's public knowledge. A good pen-tester who's done some homework will put it high on the list.

John
Re: Mid Tier administration password
That could be another good way - only that would mean that you would need to SSL enable your mid tier application as a requirement - and I do not really see a flip side to that other than what you mention - the complexities when using web services etc. Also on most web servers it is not easy to redirect http to https with a simple javascript to reconstruct your window location like it is possible on IIS.

Cheers

Joe
Re: Mid Tier administration password
You're funny Jason :-)

I recall many years ago, when I was fairly new to Remedy, I was at a site, waiting on a MS-SQL system administrator for the sa password for something (not an install or upgrade but just to login as sa to do something on the server), and could not get in touch with that person, so for fun I attempted to login into that DB (which was a standalone DB for the AR Server) with sa and a blank password, and it went right in! And later found out that many of the SQL servers on their network had blank passwords for sa :-)

When I brought it to their attention, they had no idea these were unprotected. They had several other network logins into these servers, and they had forgotten about the sa login.

Joe
Re: Mid Tier administration password
I had a similar experience the first day on the job as the first ever dedicated Remedy admin. The role of admin had either been contractors or the Help Desk manager. I was waiting for my account to be created when I decided to try Demo without a password. Built my own account, thank you very much. And added a password to Demo shortly after :) And even though I didn't have root access on the app server, Remedy was running as root. I built a console to issue commands via Remedy as root. Problem solved!

I joke about the ARAdmin password but we ran with the default for many years. More years than I would like to admit. Security used to be an afterthought. Even worse, other systems were using that account for integrations. I took a lot of flak when I finally decided enough is enough and changed it from the default.

Jason
Re: Mid Tier administration password
Yup, I don't get it when some sites do not like to change that default, when even losing the new password in documentation is not a good enough reason. With the way it's designed, you do not need to really know the new password in order to change it. You do not even need to remember the Demo password (thank you arcache). All you need to remember is the system password and, given that permission as an AR Admin, you can hack your way in if all documentation on these passwords is lost. You can't even call that a hack, as that tool is designed for accidental loss of admin account recovery.

The only good reason I can come up with is that they probably trust their people very much and they can live with that trust and not worry about little things like system passwords :-).

Joe
Mid Tier administration password
Hello,

I found this couple of paragraphs in an SSO Plugin newsletter and thought it was worth sharing.

We see a lot of Mid Tier deployments and have noticed that the Mid Tier configuration password is almost never changed from the default value, arsystem. This poses a security risk, particularly when running a Mid Tier on the Internet - it doesn't take long to find a few public Mid Tiers with the default administration password. SSO Plugin displays a warning on the status page when the default password is set, so if you haven't changed your Mid Tier administration password, why not change it now?

John

--
JSS SSO Plugin for BMC, HP, CA, Kinetic, Jasper and more.
http://www.javasystemsolutions.com/jss/ssoplugin
Re: Mid Tier administration password
Or... We could just go in and change it for them ;-)

Ken.
Re: Mid Tier administration password
Good point John. I rarely see a default in a production environment anymore, but in sandbox and development environments...

I saw Matt Laurenceau's post about passwords today as well - https://plus.google.com/u/0/111882191091175150723/posts/42YkKdvjM1M?hl=en

Personally, I recommend using something like keepass to generate and maintain passwords like this. It has functionality to set expirations and alert you to change them. It's better if there's an enterprise solution in place, but barring that, keepass is a heck of a lot better than storing the passwords in a shared spreadsheet, using the same password over and over, or trying to remember your password after not using it for a month. It's free/open source: http://keepass.info/ and there are browser integrations and various password generators.

Question for you - what does your SSO solution do that the OOB solution does not? (the one linked in your signature)
Re: Mid Tier administration password
Many times I wished that the MT Password, along with the other 2 configurable passwords, Application Password and whatever else, were network accounts whose passwords were maintained in the LDAP.

Joe