Vitor | Posted: Fri Jun 18, 2010 12:18 pm
Grand High Poobah | Joined: 11 Nov 2005 | Posts: 26093 | Location: Texas, USA
Api123 wrote:
  Vitor wrote:
    Api123 wrote:
      This is unbelievable?
    What is unbelievable is that you've not set MCAUser on the channel.
  Vitor, did you really read my last post?
Yes - you clearly said
Quote:
  in the absence of security exists, MCAuser
from which I inferred both were absent. What did you actually mean?
Because if you've left MCAUser blank (i.e. the default setting) then yes, it's perfectly possible for someone to access the queue manager and alter objects. This is why leaving it blank is unbelievable and hence my comment.
_________________
Honesty is the best policy.
Insanity is the best defence.
Api123 | Posted: Fri Jun 18, 2010 12:54 pm
Apprentice | Joined: 26 May 2010 | Posts: 31
Vitor wrote:
  Api123 wrote:
    Vitor wrote:
      Api123 wrote:
        This is unbelievable?
      What is unbelievable is that you've not set MCAUser on the channel.
    Vitor, did you really read my last post?
  Yes - you clearly said
  Quote:
    in the absence of security exists, MCAuser
  from which I inferred both were absent. What did you actually mean?
  Because if you've left MCAUser blank (i.e. the default setting) then yes, it's perfectly possible for someone to access the queue manager and alter objects. This is why leaving it blank is unbelievable and hence my comment.
What I was saying: in the absence of security exits (I'm not discussing security exits here, which are an add-on to a product), MCAuser (a user with no password). Anyone can use administrator as a user and access almost all objects. I know I can use OAM to configure groups\users and restrict what they can do. But what can OAM really do to minimize the administrator's predefined privileges on MQ objects? And if OAM can do nothing to restrict the administrator authority, what's it really good for?
Vitor | Posted: Fri Jun 18, 2010 12:56 pm
Grand High Poobah | Joined: 11 Nov 2005 | Posts: 26093 | Location: Texas, USA
Api123 wrote:
  What I was saying: in the absence of security exits (I'm not discussing security exits here, which are an add-on to a product), MCAuser (a user with no password).
No, I'm still not getting your point here. Aside from security exits being an add-on, that fact (and it's a fact) doesn't seem relevant to this discussion.
Api123 wrote:
  Anyone can use administrator as a user and access almost all objects.
Not if MCAUser is correctly set, i.e. not blank.
Api123 wrote:
  If OAM can do nothing to restrict the administrator authority, what's it really good for?
OAM doesn't control the administrator authority. It controls non-administrative access; without it no non-mqm (administrative) user has any access.
_________________
Honesty is the best policy.
Insanity is the best defence.
Api123 | Posted: Fri Jun 18, 2010 1:29 pm
Apprentice | Joined: 26 May 2010 | Posts: 31
What I'm learning is: with no MCAuser (enough has been said about MCAuser on this forum, good and bad), the strange design of allowing a user to log in just because the user name is administrator (or any user who is a member of the administrators group), and with no password, is alarming. For OAM to make sense, I would expect only the mqm group to administer the objects, no other groups, or the ability to disable the administrators group's access. You can search: there are so many products that are built around this concept. Thanks all for your valuable comments.
fjb_saper | Posted: Fri Jun 18, 2010 1:51 pm
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
Api123 wrote:
  What I'm learning is: with no MCAuser (enough has been said about MCAuser on this forum, good and bad), the strange design of allowing a user to log in just because the user name is administrator (or any user who is a member of the administrators group), and with no password, is alarming. For OAM to make sense, I would expect only the mqm group to administer the objects, no other groups, or the ability to disable the administrators group's access. You can search: there are so many products that are built around this concept. Thanks all for your valuable comments.
I don't quite get you. Being a member of the Administrator group is not sufficient to have MQ administrator access. Proof is that we have root locked out of the qmgrs...
Of course that does not prevent any administrator from impersonating any other user, like one of the mqm group, and as such obtaining MQ admin privileges...
At this point the question comes down to:
DO YOU TRUST YOUR ADMINS?
If you don't, there is no middle ground...
_________________
MQ & Broker admin
mqjeff | Posted: Fri Jun 18, 2010 4:34 pm
Grand Master | Joined: 25 Jun 2008 | Posts: 17447
fjb_saper wrote:
  Being a member of the Administrator group is not sufficient to have MQ administrator access.
Well, but it is if you've done nothing otherwise to secure the queue manager, like setting up an MCAUSER on *all* of the channels.
Every member of the Administrators group on Windows is automatically a member of the mqm group. So if you've done nothing to scope your channels and secure your channels (i.e., if MCAUSER is still blank), then any user in Administrators, or any user that has the same username as a member in Administrators, can administer the queue manager fully from any desktop.
At least, any desktop that is allowed by the network firewall to actually establish a network connection to the production network.
Which should be a *very* small set.
fjb_saper | Posted: Fri Jun 18, 2010 7:37 pm
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
Oops... I was not getting the fact that he was not setting the MCAUser. It is a well known fact that you can access the qmgr with the privileges accorded to the user running the MQListener if you do not set the MCAUser...
Well, if he really needs to lock it down, I guess he will have to use a channel table, SSL and the mcauser...
_________________
MQ & Broker admin
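The check behind mqjeff's and fjb_saper's advice above (an MCAUSER on every channel, then SSL on top), as an added example that is not part of the thread: a shell audit that reads the output of "DISPLAY CHANNEL(*) MCAUSER" from runmqsc, lists channels whose MCAUSER is still blank, and emits the MQSC that sets one. The AMQ8414 record layout, the sample channels and the "mqnoaccess" id are assumptions, not taken from the thread or from IBM documentation.

```shell
# Added example, not from the thread: find channels whose MCAUSER is blank in
# the output of "DISPLAY CHANNEL(*) MCAUSER" from runmqsc, and emit the MQSC
# that sets one. The AMQ8414 record layout is assumed from runmqsc's usual output.

blank_mcauser_channels() {   # prints "CHANNEL CHLTYPE" per offending record
  awk '
    function attr(name,   s) {   # value inside NAME(...) on this line, trimmed
      if (!match($0, name "\\([^)]*\\)")) return ""
      s = substr($0, RSTART + length(name) + 1, RLENGTH - length(name) - 2)
      gsub(/^ +| +$/, "", s); return s
    }
    function flush() {
      if (chan != "" && seen && user == "") print chan " " type
      chan = ""; type = ""; user = ""; seen = 0
    }
    /^AMQ8414/ { flush(); next }          # every record starts with this id
    { c = attr("CHANNEL"); if (c != "") chan = c
      t = attr("CHLTYPE"); if (t != "") type = t
      if ($0 ~ /MCAUSER\(/) { user = attr("MCAUSER"); seen = 1 } }
    END { flush() }'
}

harden_mqsc() {   # audit lines in, MQSC out; "mqnoaccess" is a placeholder id
  while read -r chan type; do
    printf "ALTER CHANNEL('%s') CHLTYPE(%s) MCAUSER('mqnoaccess')\n" "$chan" "$type"
  done
}

sample_display() {   # constructed runmqsc output, not captured from a real system
  cat <<'EOF'
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqadmin)
AMQ8414: Display Channel details.
   CHANNEL(FROM.QM2)                       CHLTYPE(RCVR)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
EOF
}

sample_display | blank_mcauser_channels | harden_mqsc
```

On a live queue manager, replace `sample_display` with `echo "DISPLAY CHANNEL(*) MCAUSER" | runmqsc QMNAME` and review the generated ALTER commands before applying them; the placeholder id must be a real low-privilege, non-mqm user at your site.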
VJ | Posted: Wed Nov 24, 2010 11:58 pm
Newbie | Joined: 24 Nov 2010 | Posts: 5
Hey Api,
This is the property of Windows. If you are an administrator you can do whatever you want in that system and the products installed in that system.
Coming to your point, if you send a message using the Administrator user id (even without a password), no matter what, yes, MQ is taking it (provided you do not set any MCAUSER).
My question is, can an X or Y log in as an Administrator or create an administrator userid in your system? If that's the case, there is a big problem with your environment itself.
Just like the MQM group, the Windows local Administrators group also has all the access to MQ. There are ways to restrict this, as mentioned in this forum, through MCAUSER, Channel Exit or whatever.
Everything is working as designed, including OAM. I don't know what you are expecting...
fjb_saper | Posted: Thu Nov 25, 2010 5:33 am
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
fjb_saper wrote:
  Well, if he really needs to lock it down, I guess he will have to use a channel table, SSL and the mcauser...
Of course this will not lock down someone doing a bindings connection. But then you have to trust the admins of the box.
_________________
MQ & Broker admin
bruce2359 | Posted: Thu Nov 25, 2010 7:40 am
Poobah | Joined: 05 Jan 2008 | Posts: 9469 | Location: US: west coast, almost. Otherwise, enroute.
The OP is from June 2010.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.