MQSeries.net Forum Index » IBM MQ Security » Disable the Administrator group

Disable the Administrator group

Api123
Posted: Fri Jun 18, 2010 9:16 am    Post subject: Disable the Administrator group

Apprentice

Joined: 26 May 2010
Posts: 31

Hi All, from MQ manuals and testing, I understand mqm has full access to manage objects, as does the Windows local Administrators group by default. Apparently if a user is a member of the Administrators group, a different domain doesn't matter. Actually just the user name (password not required) can have full access. So I'm trying to deny the Administrators group access to MQ objects!
I'm testing with WMQ version 7.0.1.0, .NET 3.5/Java and MQ Explorer, all on Windows.
Thanks
Vitor
Posted: Fri Jun 18, 2010 9:26 am    Post subject: Re: Disable the Administrator group

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Api123 wrote:
So I’m trying to deny the administrator group accessing mq objects!


If the Administrator group has access by default, don't use the default.

But how (if you deny the Administrator group access to mqm) do you plan to prevent them changing it back so they have access? You can't deny Administrators on a Windows box the ability to alter Windows security any more than you could stop root changing membership of the mqm group on Unix.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Fri Jun 18, 2010 9:48 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

This is why you need to secure your channels, either using an exit or using SSL.

And also why you need to secure the network that your queue manager is on. Nobody should have access to the MQ listener port on a production box unless they're on the production network.
Api123
Posted: Fri Jun 18, 2010 10:40 am    Post subject: Re: Disable the Administrator group

Apprentice

Joined: 26 May 2010
Posts: 31

Vitor wrote:
If the Administrator group has access by default, don't use the default.


How do I disable the default? In this case, how do I stop the Windows Admin group from accessing the queue manager and queue objects?
mqjeff
Posted: Fri Jun 18, 2010 10:59 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

There's nothing you can do to remove the Administrators group from having full administrative access.

Unless you tightly control who can be a member of the local Administrators group, and then ensure that all channels into the queue manager are secured and that only allowable machines can establish any network connection to the queue manager server, you can do nothing other than trust the people who are in Administrators, or who know the userids of people who are in Administrators, not to do the wrong thing.
Vitor
Posted: Fri Jun 18, 2010 11:03 am    Post subject: Re: Disable the Administrator group

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Api123 wrote:
How do I disable the default? In this case, how do I stop the Windows Admin group from accessing the queue manager and queue objects?


You can remove the group like any other. But as I & my worthy associate have pointed out, this doesn't actually help with the security.
_________________
Honesty is the best policy.
Insanity is the best defence.
Api123
Posted: Fri Jun 18, 2010 11:04 am    Post subject:

Apprentice

Joined: 26 May 2010
Posts: 31

mqjeff wrote:
This is why you need to secure your channels, either using an exit or using SSL.


Channel/SSL are network layer; security/channel exits are added value. Let's concentrate on object authority (entitlements): who can do what? I thought that's what OAM is for?
Vitor
Posted: Fri Jun 18, 2010 11:09 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Api123 wrote:
Channel/SSL are network layer; security/channel exits are added value.


And to do what you want to do, you need to add that value.

Api123 wrote:
Let's concentrate on object authority (entitlements): who can do what? I thought that's what OAM is for?


It is. Your problem is that you're trying to lock out a group that has superior object authorities to you. Nothing can interfere with the Administrators' ability to administer a Windows machine and everything on it.

What you need to do, if you want to do this (which is unusual), is to institute additional measures to lock unwanted people out of the queue manager.

Even these may not be fully effective against a member of the administrative group who (by coincidence) has some WMQ knowledge.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Fri Jun 18, 2010 11:18 am    Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

If you don't trust your sysadmins, fire them.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqjeff
Posted: Fri Jun 18, 2010 11:24 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

If you want to stop people who are not logged on to the queue manager server from having administrative rights to the queue manager, you need to secure your channels, either at the plain network level or at the MQ level using SSL or exits to scope them into a user that has been authorized by OAM. Ideally you will secure your channels at BOTH the network level AND the MQ level.

If you want to stop people who *are* logged on the queue manager server, then you must remove them from the Administrators group and limit their authority using OAM.

If you can't do either of the above, then you can't secure your queue manager.
Api123
Posted: Fri Jun 18, 2010 11:27 am    Post subject:

Apprentice

Joined: 26 May 2010
Posts: 31

Please picture this: a queue manager on a Windows server, in the absence of security exits, with no MCAUSER (what is the value of a user with no password anyway?) and no group allowed to access administer/context/MQI objects. From a client (using MQI) I can access the queue manager and queues just by passing administrator as a user, with no password, from any domain!! This is because administrator is by default part of the Administrators group. This is unbelievable?
Vitor
Posted: Fri Jun 18, 2010 11:31 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Api123 wrote:
This is unbelievable?


What is unbelievable is that you've not set MCAUser on the channel.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor
Posted: Fri Jun 18, 2010 11:33 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
If you want to stop people who *are* logged on the queue manager server, then you must remove them from the Administrators group and limit their authority using OAM.


And if these people have the ability to add themselves back (because they're still Windows administrators just not WMQ administrators) then that's not going to fly.
_________________
Honesty is the best policy.
Insanity is the best defence.
Api123
Posted: Fri Jun 18, 2010 11:34 am    Post subject:

Apprentice

Joined: 26 May 2010
Posts: 31

Vitor wrote:
Api123 wrote:
This is unbelievable?


What is unbelievable is that you've not set MCAUser on the channel.

Vitor. Did you really read my last post?
mqjeff
Posted: Fri Jun 18, 2010 11:41 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The value put into MCAUSER on a channel will *replace* all userids passed into that channel.

That is its value.

If you can demonstrate that this is not the case, then you should open a PMR.

If you are having issues with people using the wrong user id over a channel, then you have NOT set the MCAUSER on ALL channels.
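The check mqjeff's last post implies, as an added example that is not code from the thread or from IBM: parse the output of `DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` from runmqsc and flag SVRCONN channels whose MCAUSER is blank (so the user id asserted by the client, such as a Windows Administrator, is used) or set to an administrative id. The sample output and channel names are constructed, and `nobody` as the low-privilege replacement id is an assumption.

```python
import re

# Constructed sample of `DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` output in runmqsc style;
# the channel names are hypothetical, not captured from a real queue manager.
SAMPLE_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)
AMQ8414: Display Channel details.
   CHANNEL(OPS.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)
"""

# Identities the thread says carry full administrative authority on the queue manager.
PRIVILEGED_MCAUSERS = {"mqm", "administrator"}
# One NAME(value) attribute; runmqsc prints several per line.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text):
    """Turn runmqsc DIS CHANNEL output into one attribute dict per AMQ8414 block."""
    channels, current = [], None  # current stays None until the first AMQ8414 line
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()  # MCAUSER( ) becomes ""
    return channels


def audit(channels):
    """Flag SVRCONN channels that trust the client's user id or map everyone to an admin id."""
    findings = []
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name, mcauser = ch.get("CHANNEL", "?"), ch.get("MCAUSER", "")
        if mcauser == "":
            findings.append((name, "blank MCAUSER: the user id asserted by the client is used"))
        elif mcauser.lower() in PRIVILEGED_MCAUSERS:
            findings.append((name, f"MCAUSER({mcauser}) gives every connection full authority"))
    return findings


def remediation_mqsc(findings, low_priv="nobody"):
    """MQSC to pin each flagged channel to a low-privilege id ('nobody' is an assumed choice)."""
    return [f"ALTER CHANNEL('{n}') CHLTYPE(SVRCONN) MCAUSER('{low_priv}')" for n, _ in findings]
```

Pipe real `runmqsc` output into `parse_channels` and review `audit` before applying the generated MQSC; a channel pinned to a low-privilege id must then be granted only the OAM authorities it needs.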
Page 1 of 2