chanduy9
Posted: Thu Dec 04, 2003 7:26 am Post subject: How to restrict the Remote Access(Admin)
Disciple
Joined: 28 Nov 2001 Posts: 177 Location: USA
Hi,
The MQJExplorer and WMQ tools provide remote access or admin, even if the user ID does not exist on the box or is not part of the mqm group. I know that by stopping the command server we can prevent this, but then the MQ admins can't do remote administration. I think these tools use PCF commands. How can MQ be secured from these kinds of tools, because they can delete the MQ objects with these tools?
Thanks in advance,
Thanks,
Chandra.
JasonE
Posted: Thu Dec 04, 2003 8:39 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley

Channel exits are a good start
mrlinux
Posted: Thu Dec 04, 2003 8:56 am Post subject:
Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA

Are you using just Windows?
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
Reconda
Posted: Thu Dec 04, 2003 9:02 am Post subject:
Apprentice
Joined: 20 Jun 2002 Posts: 40
chanduy9
Posted: Thu Dec 04, 2003 9:06 am Post subject:
Disciple
Joined: 28 Nov 2001 Posts: 177 Location: USA

Hi,
Thanks for your response!!
My question is, if someone on the same network knows the queue manager name, IP address and port number, they can delete the MQ objects. I want to prevent this on the MQ side without affecting the MQ admins. I am on a Windows environment.
Thanks,
Chandra.
JasonE
Posted: Thu Dec 04, 2003 9:46 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley

How can you tell the difference between a hacker who knows the ports and IP addresses, and an MQ admin who knows the ports and IP addresses?
Are they all Windows, for example in the same domain (in which case the NTSidsRequired auth policy may help, but it impacts more than just this)?
chanduy9
Posted: Thu Dec 04, 2003 10:47 am Post subject:
Disciple
Joined: 28 Nov 2001 Posts: 177 Location: USA

Hi Jason,
I tried that also, but there is no luck. I updated the MQ Services.. Security Policy to NTSIDsRequired, Entrypoints 10, but there is no luck. Am I missing something? Pls let me know.
Thanks,
Chandra.
Tibor
Posted: Thu Dec 04, 2003 7:38 pm Post subject:
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary

JasonE wrote:
> How can you tell the difference between a hacker who knows the ports and ip addresses, and an MQ admin who knows the ports and IP addresses?

That's why we need a chance to set SSL properties in MQExplorer. I think it would be a very simple task to extend the MQCONNX dialog box ('show queue manager'). In the past my support partner sent this requirement to IBM, but nothing happened.
By contrast, look at SupportPac MO71 ...

Quote:
> Are they all windows for example in the same domain (in which case NTSidsRequired auth policy may help but impacts more than just this).

...and it only works in a Windows-only environment...
Tibor
JasonE
Posted: Fri Dec 05, 2003 1:57 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley

Yes, it would make a lot of sense, wouldn't it?
Of course, the requirement process is designed to feed in requirements for any possible subsequent release. And I couldn't comment on whether it will be done or not, so don't ask...
And yes, NTSidsRequired is Windows only, but it can be useful for a Windows-only setup if all user IDs come from the same domain/trusted domains.
Tibor
Posted: Fri Dec 05, 2003 2:41 am Post subject:
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary

JasonE wrote:
> ...And I couldnt comment on whether it will be done or not, so dont ask...

OK, I wrote this story for everyone; maybe other people are interested in this theme (MQExplorer + SSL). I don't know where the jam was in the official procedure...
Tibor
oz1ccg
Posted: Tue Dec 09, 2003 3:26 pm Post subject:
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark

I did write a small (and free) security exit. All it does is check the connection name, and if there is a match, it passes the call; otherwise it just kills the communication.....
This is not the maximum security level to achieve here, but it's better than nothing, and it even logs the connection attempt and who did it ;o)
http://home19.inet.tele.dk/m-invent/tips_and_tricks.htm#BlockIP%20security%20exit
I know some friends using it on Solaris...
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
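To make the exit's approach concrete, here is an added example of the allow-list decision such a channel security exit makes on the partner's connection name: default deny, exact or prefix patterns, and a log line for every attempt. It is not BlockIP's code and not IBM code. A real exit receives the address in the MQCD ConnectionName field (MQCHAR264) and returns MQXCC_CLOSE_CHANNEL in the MQCXP ExitResponse for a refused connection; that wiring needs cmqxc.h and is left out so the block compiles stand-alone. The addresses, the allow list and the sample attempts are constructed, and the channel name used is MQ's default admin channel.

```c
/*
 * Added example (not BlockIP or IBM code): the allow-list decision a
 * BlockIP-style MQ channel security exit makes on the partner's connection
 * name. A real exit reads MQCD.ConnectionName and maps CONN_DENY to
 * MQXCC_CLOSE_CHANNEL in MQCXP.ExitResponse; that part needs cmqxc.h and is
 * omitted here. All addresses below are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CONN_NAME_MAX 264   /* width of MQ's ConnectionName field */

typedef enum { CONN_DENY = 0, CONN_ALLOW = 1 } conn_decision;

/* Constructed allow list: exact addresses, or a prefix ending in '*'.
 * Keep the dot before '*' so "10.1.2.*" does not also admit 10.1.23.x. */
static const char *const ADMIN_ALLOWLIST[] = {
    "10.1.2.*",        /* assumed admin subnet */
    "192.168.5.17",    /* assumed MQ Explorer workstation */
    NULL
};

/* MQ pads ConnectionName with blanks and may append "(port)"; keep only
 * the host part so the comparison is against the address alone. */
static void normalize_conn_name(const char *raw, char *out, size_t outlen)
{
    size_t n = 0;
    while (raw[n] != '\0' && raw[n] != '(' && raw[n] != ' ' && n + 1 < outlen) {
        out[n] = raw[n];
        n++;
    }
    out[n] = '\0';
}

/* Exact match, or prefix match when the pattern ends in '*'. */
static int pattern_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern);
    if (plen > 0 && pattern[plen - 1] == '*')
        return strncmp(pattern, host, plen - 1) == 0;
    return strcmp(pattern, host) == 0;
}

/* Default deny: an empty or unmatched connection name is refused. */
conn_decision check_connection(const char *raw_conn_name,
                               const char *const *allowlist)
{
    char host[CONN_NAME_MAX + 1];
    normalize_conn_name(raw_conn_name, host, sizeof host);
    if (host[0] == '\0')
        return CONN_DENY;
    for (size_t i = 0; allowlist[i] != NULL; i++)
        if (pattern_matches(allowlist[i], host))
            return CONN_ALLOW;
    return CONN_DENY;
}

/* Every attempt is logged, allowed or not, as the exit in the thread does;
 * a real exit would write to a file rather than stderr. */
void log_decision(const char *channel, const char *raw_conn_name, conn_decision d)
{
    char stamp[32];
    time_t now = time(NULL);
    strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", localtime(&now));
    fprintf(stderr, "%s %s channel=%s conn=%s\n", stamp,
            d == CONN_ALLOW ? "ALLOW" : "DENY", channel, raw_conn_name);
}

int main(void)
{
    /* Constructed connection attempts against the default admin channel. */
    const char *attempts[] = {
        "10.1.2.44(1414)", "10.1.23.4", "192.168.5.17   ", "192.168.5.170", ""
    };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        log_decision("SYSTEM.ADMIN.SVRCONN", attempts[i],
                     check_connection(attempts[i], ADMIN_ALLOWLIST));
    return 0;
}
```

The point of the prefix rule including the trailing dot is the one mistake this kind of list invites: "10.1.2*" would admit the whole 10.1.20.0 to 10.1.29.255 range as well. Logging both outcomes is what lets an admin later see who tried the SVRCONN channel, which is the part of the thread's exit that stopping the command server cannot give you.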